Public Vulnerability Reports

Solaris uucp Buffer Overflow Vulnerability

05.15.03

BACKGROUND

uucp, otherwise known as Unix to Unix copy, is a utility used by many flavors of Unix to copy a given file from one system to another. This utility is by default included with all Solaris versions.

DESCRIPTION

Sun Microsystems Inc.'s uucp (Unix to Unix Copy) utility contains a locally exploitable buffer overflow allowing an attacker to execute arbitrary code under the privileges of the uucp user.

The vulnerability lies in the command line parsing of overly long values when using the -s switch. When provided with an argument greater then 1,024 characters a buffer overflow occurs allowing an attacker to overwrite the proceeding _iob structures. Arbitrary code execution is possible in a two-step approach:

    Overwriting the address of stderr to point into the Procedure Linkage Table (PLT).
    Generating a printed error that contains user provided input thereby allowing the attack to overwrite the PLT with arbitrary machine instructions.

An improper system name can be use to generate such an error message and is used in our proof of concept code. Upon successful corruption of the PLT a call is made into the PLT that in turn executes the inserted instructions. The storage and execution of assembly code in the PLT allows for successful exploitation even on systems with a non-executable stack.

The existence of the buffer overflow was previously discovered by hipnosis (hipnosis@softhome.net) on January 14th, 2003. However, the likelihood of exploitation was unknown and only assumed possible.

The following is an example snapshot of the exploit in action against SunOS 5.8:

$ uname -srp
SunOS 5.8 sparc

$ id
uid=999(user) gid=999(group)

$ ls -l /usr/bin/uucp
---s--x--x 1 uucp uucp 66940 Jan 5 2000 /usr/bin/uucp

$ ./uucp_sploit -vb

Bruteforce mode enabled
Finding correct offset....
Trying offset 1025..
Trying offset 1026..
Trying offset 1027..
...
Trying offset 1049..
Trying offset 1050..
Trying offset 1051..
Offset found. Injecting our fake _iob at offset 1043.

Retloc: 0xff33d004
Offset: 1043
Bruteforce mode enabled

bad system:
...

$ id
uid=5(uucp) gid=999(group)

ANALYSIS

An attacker with local access to a vulnerable system can exploit the above-described vulnerability to gain the privileges of the uucp user. The uucp binary is by default installed set user id (setuid) uucp. Upon successful exploitation the attacker can replace any or all of the following uucp owned binaries with trojan horses:

    /usr/bin/tip
    /usr/bin/cu
    /usr/bin/uucp
    /usr/bin/uuglist
    /usr/bin/uuname
    /usr/bin/uustat
    /usr/bin/uux

Further compromise can occur if any of these overwritten binaries are executed, including a full system compromise if execute by the super-user (root).


iDEFENSE has proof of concept exploit code demonstrating the impact of this vulnerability.

DETECTION

iDEFENSE has confirmed that the latest versions of Solaris, SunOS 5.8 and SunOS 5.9, ship with a vulnerable version of uucp. It is suspected that all Solaris versions shipped with the uucp utility are vulnerable.

WORKAROUND

If unneeded, either relinquish set user id permissions from the uucp binary or remove the binary itself.

CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned to this issue.

DISCLOSURE TIMELINE

03/20/2003   Exploit acquired by iDEFENSE
04/16/2003   Initial vendor notification
04/16/2003   iDEFENSE Clients notified
05/15/2003   Public Disclosure

CREDIT

This vulnerability is credited to Gloomy.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

LEGAL NOTICES

Copyright © 2004 Verisign, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.