COMMAND

    /usr/bin/ps

SYSTEMS AFFECTED

    Solaris 2.5.1

PROBLEM

    Joe Zbiciak reported the following behaviour of ps under Solaris.
    He discovered that it is possible to bus-error /usr/bin/ps on
    Solaris 2.5.1.  It is not known whether any patches affecting ps
    had been applied to the system on which he discovered this.

    Giving "-u" a suitably large argument produces the bus error.
    There is no exploit for it yet.  His analysis so far:

    user arg >9 chars:   null termination lost, extra garbage in error msg
    user arg >32 chars:  ps gets completely confused about commandline and
                         prints generic usage information
    user arg >95 chars:  ps starts segmentation faulting
    user arg >100 chars: ps starts bus-erroring

    You can get this by using a commandline of the form:

        ps -u aaaaa....aaaa

    What's happening is that there's a routine in ps that  (basically)
    tries to parse the  parameter into comma-separated usernames,  and
    copies the  usernames into  a statically-allocated  buffer without
    checking  their  length.  It's  a   bug,  but  not  an   obviously
    exploitable one.

    There is an upper  limit of 30 on  the number of user  IDs you can
    pass to 'ps -u'; uids after that are silently ignored.
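
    As an added illustration (not the Solaris ps source, which the
    advisory does not include), the copying pattern the analysis
    describes beside a bounded version; the 10-byte slot size and the
    function names are assumptions chosen to match the >9-character
    boundary noted above.

```c
#include <stdio.h>
#include <string.h>

#define MAXUSERS 30   /* cap on user IDs accepted by 'ps -u', per the advisory */
#define NAMELEN  10   /* assumed slot size: 9-character name plus NUL */

/* Constructed sketch of the flawed pattern: each comma-separated name is
 * copied into a fixed slot with no length check, so a name of 10 or more
 * characters first loses its NUL and then runs past the slot. Not called
 * with over-long input here because doing so is undefined behaviour. */
int parse_users_unsafe(char *arg, char names[MAXUSERS][NAMELEN]) {
    int n = 0;
    for (char *tok = strtok(arg, ","); tok && n < MAXUSERS; tok = strtok(NULL, ","))
        strcpy(names[n++], tok);   /* unchecked copy: the bug */
    return n;
}

/* Bounded form: every copy is limited by the slot size, over-long names are
 * rejected (-1), and names beyond MAXUSERS are dropped as ps does. */
int parse_users_safe(const char *arg, char names[MAXUSERS][NAMELEN]) {
    int n = 0;
    const char *p = arg;
    while (*p != '\0') {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len >= NAMELEN)
            return -1;             /* would not fit with its NUL: reject */
        if (n < MAXUSERS) {
            memcpy(names[n], p, len);
            names[n][len] = '\0';
            n++;
        }
        if (end == NULL)
            break;
        p = end + 1;
    }
    return n;
}

/* Convenience wrapper (assumed helper) returning only the accepted count. */
int safe_user_count(const char *arg) {
    char names[MAXUSERS][NAMELEN];
    return parse_users_safe(arg, names);
}

int main(void) {
    printf("root,daemon -> %d names\n", safe_user_count("root,daemon"));
    printf("16 a's      -> %d (rejected)\n", safe_user_count("aaaaaaaaaaaaaaaa"));
    return 0;
}
```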

SOLUTION

    There is no exploit for this yet, but it gives a lot of material
    to think about.  There is no reason to panic for now, but if you
    feel you should take a precaution, remove the suid bit from the ps
    command.  This will keep you safe enough from this issue, even
    though it is not a real solution.  If something turns up (e.g. an
    exploit), a patch or a new ps will be provided.