Vulnerability Development
mailing list archives
Solaris 7 /usr/dt/bin/dtmail and /usr/dt/bin/dtmailpr "-f" option buffer overflow
From: ARAI Yuu <y.arai () lac co jp>
Date: Fri, 09 Nov 2001 15:20:31 +0900
Hi there,
I've found that /usr/dt/bin/dtmail and /usr/dt/bin/dtmailpr will cause a buffer
overflow on Solaris 7. /usr/dt/bin/dtmail and /usr/dt/bin/dtmailpr are
installed as SGID mail. Unfortunately, these are NOT exploitable,
because it seems that /usr/dt/bin/dtmail and /usr/dt/bin/dtmailpr
drop privileges before the overflow occurs.
bash-2.03$ ls -la /usr/dt/bin/dtmail /usr/dt/bin/dtmailpr
-r-xr-sr-x 1 bin mail 1490924 Oct 31 08:59 /usr/dt/bin/dtmail
-r-xr-sr-x 1 bin mail 531732 Oct 31 08:59 /usr/dt/bin/dtmailpr
bash-2.03$ uname -a
SunOS puppet 5.7 Generic_106542-18 i86pc i386 i86pc
bash-2.03$ /usr/dt/bin/dtmail -f `perl -e 'print "A"x1200'`
Segmentation Fault
bash-2.03$ cp /usr/dt/bin/dtmail ./
bash-2.03$ ./dtmail -f `perl -e 'print "A"x1200'`
Segmentation Fault (core dumped)
bash-2.03$ gdb ./dtmail --core=core
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-pc-solaris2.7"...
(no debugging symbols found)...
Core was generated by `./dtmail -f AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 9, Killed.
Reading symbols from /usr/dt/lib/libSDtMail.so.2...
(no debugging symbols found)...done.
Reading symbols from /usr/lib/libnsl.so.1...(no debugging symbols found)...
done.
Reading symbols from /usr/lib/libsocket.so.1...(no debugging symbols found)...
done.
Reading symbols from /usr/dt/lib/libDtSvc.so.1...
(no debugging symbols found)...done.
Reading symbols from /usr/dt/lib/libtt.so.2...(no debugging symbols found)...
done.
Reading symbols from /usr/dt/lib/libDtWidget.so.2...
(no debugging symbols found)...done.
---Type <return> to continue, or q <return> to quit---
Reading symbols from /usr/dt/lib/libXm.so.4...(no debugging symbols found)...
done.
Reading symbols from /usr/openwin/lib/libXt.so.4...
(no debugging symbols found)...done.
Reading symbols from /usr/openwin/lib/libX11.so.4...
(no debugging symbols found)...done.
Reading symbols from /usr/lib/libdl.so.1...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libC.so.5...(no debugging symbols found)...done.
Reading symbols from /usr/dt/lib/libSDtFwa.so.1...
(no debugging symbols found)...done.
Reading symbols from /usr/lib/libm.so.1...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libw.so.1...
warning: Lowest section in /usr/lib/libw.so.1 is .hash at 0x74
(no debugging symbols found)...done.
Reading symbols from /usr/lib/libthread.so.1...(no debugging symbols found)...
done.
Reading symbols from /usr/lib/libc.so.1...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libmp.so.2...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libgen.so.1...(no debugging symbols found)...
done.
Reading symbols from /usr/openwin/lib/libSM.so.6...
(no debugging symbols found)...done.
Reading symbols from /usr/openwin/lib/libICE.so.6...
(no debugging symbols found)...done.
Reading symbols from /usr/openwin/lib/libXext.so.0...
---Type <return> to continue, or q <return> to quit---
(no debugging symbols found)...done.
#0 0x41414141 in ?? ()
(gdb) info r
eax 0x0 0
ecx 0x4e 78
edx 0x0 0
ebx 0x81e2688 136193672
esp 0x8045c84 0x8045c84
ebp 0x41414141 0x41414141
esi 0x8162d88 135671176
edi 0x81e1990 136190352
eip 0x41414141 0x41414141
eflags 0x10286 66182
cs 0x17 23
ss 0x1f 31
ds 0x1f 31
es 0x1f 31
fs 0x0 0
gs 0x10f 271
(gdb) q
bash-2.03$ su
Password:
# truss -t'!all' -u libc:getgid,setgid /usr/dt/bin/dtmail -f \
`/usr/local/bin/perl -e 'print "A"x1200'`
/1: -> libc:getgid()
/1: <- libc:getgid() = 1
/1: -> libc:setgid(0x1)
/1: <- libc:setgid() = 0
/1: -> libc:setgid(0x6)
/1: <- libc:setgid() = 0
/1: -> libc:setgid(0x1)
/1: <- libc:setgid() = 0
Incurred fault #6, FLTBOUNDS %pc = 0x41414141
siginfo: SIGSEGV SEGV_MAPERR addr=0x41414141
Received signal #11, SIGSEGV [default]
siginfo: SIGSEGV SEGV_MAPERR addr=0x41414141
*** process killed ***
You'll see the same result in dtmailpr.
It should be noted that dtmail and dtmailpr on Solaris 8 will not
cause this overflow.
Regards,
-----------------------------------------------
ARAI Yuu <y.arai () lac co jp>
Network Security Specialist / LAC Computer Security Laboratory
http://www.lac.co.jp/security/
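The pattern the post describes (an SGID binary that copies an untrusted "-f" argument into a fixed stack buffer, but only after giving up its set-gid group), as an added example. This is not code from the original post or from CDE's dtmail: the function names, the FOLDER_MAX buffer size, the status codes and the 1200-byte test input are this example's own assumptions, and it is portable POSIX C rather than anything Solaris-specific. It keeps the unchecked strcpy() beside a bounded replacement, and shows the privilege drop verified with getegid() rather than trusted on faith, which is the check that makes the difference between a crash and a gid=mail shell.

```c
/*
 * Added example, not code from the original post or from CDE dtmail.
 * Models a set-gid program that takes a folder name from "-f", drops its
 * group privilege, and only then copies the untrusted argument into a
 * fixed-size stack buffer.  FOLDER_MAX, the function names and the status
 * codes are this example's own choices; dtmail's real buffer size is not
 * known from the post.
 */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define FOLDER_MAX 256   /* assumed buffer size, not dtmail's */

/* Status codes returned by the handlers below. */
enum { FOLDER_OK = 0, FOLDER_TOO_LONG = -1, PRIV_DROP_FAILED = -2 };

/*
 * Give up the set-gid group permanently by setting the effective (and
 * saved) gid to the real gid.  Returns FOLDER_OK only if getegid() really
 * matches the real gid afterwards: a setgid() whose result is ignored
 * could fail silently and leave the privilege in place.
 */
int drop_group_privs(void)
{
    gid_t real = getgid();
    if (setgid(real) != 0)
        return PRIV_DROP_FAILED;
    if (getegid() != real)
        return PRIV_DROP_FAILED;
    return FOLDER_OK;
}

/*
 * The defect the post reports, kept deliberately: an unchecked strcpy()
 * of argv data into a fixed stack buffer.  A 1200-byte argument runs past
 * the buffer and overwrites the saved ebp/eip, which is why gdb showed
 * ebp = eip = 0x41414141.  Never call this with untrusted input.
 */
int copy_folder_unsafe(const char *arg, char *dst)
{
    strcpy(dst, arg);   /* no bound check: overflows once strlen(arg) >= FOLDER_MAX */
    return FOLDER_OK;
}

/* Hardened replacement: refuse anything that does not fit, NUL included. */
int copy_folder_safe(const char *arg, char *dst, size_t dstlen)
{
    size_t n = strlen(arg);
    if (n >= dstlen)
        return FOLDER_TOO_LONG;
    memcpy(dst, arg, n + 1);
    return FOLDER_OK;
}

/*
 * Order of operations as the truss trace suggests dtmail does it: the
 * privilege is dropped before the "-f" value is touched, so even the
 * unsafe copy above could only crash a process running at the caller's
 * own gid.  The bounded copy is used here as well.
 */
int handle_folder_option(const char *arg, char *folder, size_t folderlen)
{
    int rc = drop_group_privs();
    if (rc != FOLDER_OK)
        return rc;
    return copy_folder_safe(arg, folder, folderlen);
}

int main(int argc, char **argv)
{
    char folder[FOLDER_MAX];
    int rc;

    if (argc != 3 || strcmp(argv[1], "-f") != 0) {
        fprintf(stderr, "usage: %s -f folder\n", argv[0]);
        return 2;
    }
    rc = handle_folder_option(argv[2], folder, sizeof folder);
    if (rc == FOLDER_TOO_LONG)
        fprintf(stderr, "folder name too long (max %d)\n", FOLDER_MAX - 1);
    else if (rc == PRIV_DROP_FAILED)
        fprintf(stderr, "could not drop group privilege\n");
    else
        printf("folder: %s (egid=%ld)\n", folder, (long)getegid());
    return rc == FOLDER_OK ? 0 : 1;
}
```

Run it the same way the post drives dtmail, `./a.out -f $(perl -e 'print "A"x1200')`, and the bounded copy rejects the argument instead of faulting at 0x41414141. The same truss invocation from the post (`-u libc:getgid,setgid`) is the quickest way to confirm on a real set-gid build that the setgid() calls land before any argument handling.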