Buffer Overflow in Sun Solaris Runtime Linker

07.29.03

BACKGROUND

The Solaris runtime linker, ld.so.1(1), processes dynamic executables and shared objects at runtime, binding them to create a runnable process. When LD_PRELOAD is set, the dynamic linker will use the specified library before any other when searching for shared libraries.

DESCRIPTION

A locally exploitable buffer overflow exists in the ld.so.1 dynamic runtime linker in Sun's Solaris operating system. The LD_PRELOAD variable can be passed a large value, which will cause the runtime linker to overflow a stack-based buffer. The overflow occurs on a non-executable stack, making command execution more difficult than normal, but not impossible.

ANALYSIS

iDEFENSE has proof-of-concept exploit code allowing local attackers to gain root privileges by exploiting the /usr/bin/passwd command on Solaris 9. A "return to libc" method is utilized to circumvent the safeguards of the non-executable stack. It is feasible for a local attacker to exploit this vulnerability to gain root privileges if at least one setuid root dynamically linked program exists on the system. Virtually all default implementations of Solaris 8 and 9 fulfill this criterion.

DETECTION

The following operating system configurations are vulnerable:

SPARC Platform
* Solaris 2.6 with patch 107733-10 and without patch 107733-11
* Solaris 7 with patches 106950-14 through 106950-22 and without patch 106950-23
* Solaris 8 with patches 109147-07 through 109147-24 and without patch 109147-25
* Solaris 9 without patch 112963-09

x86 Platform
* Solaris 2.6 with patch 107734-10 and without patch 107734-11
* Solaris 7 with patches 106951-14 through 106951-22 and without patch 106951-23
* Solaris 8 with patches 109148-07 through 109148-24 and without patch 109148-25
* Solaris 9 without patch 113986-05
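An added example, not part of the original advisory: the vulnerable configurations listed above, expressed as a check over saved `showrev -p` output together with the host's `uname -r` and `uname -p` values. The sample patch lines are constructed, and as an assumption of this example, later patches that obsolete the listed patch IDs are not considered.

```python
import re

# (uname -r, uname -p) -> (patch base, first vulnerable rev, fixed rev),
# transcribed from the advisory's DETECTION list. A first vulnerable rev of
# None means the release is affected even with no revision installed (Solaris 9).
VULNERABLE = {
    ("5.6", "sparc"): ("107733", 10, 11),
    ("5.7", "sparc"): ("106950", 14, 23),
    ("5.8", "sparc"): ("109147", 7, 25),
    ("5.9", "sparc"): ("112963", None, 9),
    ("5.6", "i386"): ("107734", 10, 11),
    ("5.7", "i386"): ("106951", 14, 23),
    ("5.8", "i386"): ("109148", 7, 25),
    ("5.9", "i386"): ("113986", None, 5),
}

# showrev -p prints one "Patch: NNNNNN-RR Obsoletes: ..." line per patch.
PATCH_RE = re.compile(r"^Patch:\s*(\d{6})-(\d{2})\b", re.M)

def highest_rev(showrev_output, base):
    """Highest installed revision of patch `base`, or None if absent."""
    revs = [int(r) for b, r in PATCH_RE.findall(showrev_output) if b == base]
    return max(revs) if revs else None

def is_vulnerable(release, arch, showrev_output):
    entry = VULNERABLE.get((release, arch))
    if entry is None:
        return False  # release/platform not listed in the advisory
    base, first_bad, fixed = entry
    rev = highest_rev(showrev_output, base)
    if rev is None:
        return first_bad is None  # only Solaris 9 is affected unpatched
    if rev >= fixed:
        return False  # fixed revision (or newer) installed
    return first_bad is None or rev >= first_bad

# Constructed sample of `showrev -p` output from a Solaris 8 SPARC host.
SAMPLE_SOL8 = """\
Patch: 108528-13 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 109147-07 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 109147-24 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu, SUNWcsr
"""

if __name__ == "__main__":
    print("vulnerable:", is_vulnerable("5.8", "sparc", SAMPLE_SOL8))
```

A host flagged here should be confirmed against the vendor alert before concluding it lacks the fix, since a superseding patch may carry it under a different ID.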

VENDOR RESPONSE

Sun has provided a fix for this issue. It is available at http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/55680.

CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2003-0609 to this issue.

CREDIT

Jouko Pynnonen (jouko@iki.fi) discovered this vulnerability.