martin carpenter

contents

most popular
2012/05/05, updated 2012/12/15
ubuntu unity lens for vim
2010/04/14
ckwtmpx

solaris elfsign vulnerability

2015/06/24

tags: Solaris elfsign vulnerability CVE-2015-0471

It was irksomely easy to make Solaris 10 elfsign(1) fall over on untrusted input. Since its raison d'être in the "verify" mode is precisely to check untrusted input this is problematic.

I used good old zzuf and just fuzzed elfsign verify on the first binary that came to mind (ls) to find this.

martin@sol10 $ zzuf -qcs: -- elfsign verify /bin/ls
zzuf[s=578,r=0.004]: signal 11 (SIGSEGV)

This says: quietly fuzz the command line arguments with an infinite number of seeds. zzuf reports a crash at seed 578. (If this had run for more than a couple of seconds I might have considered using a more tuned binary but as you can see there was no need for that).

Then to grab that sample fuzzed file we can just use cat(1) in place of elfsign(1) with problematic seed 578 and redirect the results to a file:

martin@sol10 $ zzuf -cs578 -- cat /bin/ls > boom

(This works because zzuf is deterministic across runs).

This was fixed in patches 150400-23 (SPARC) and 150401-23 (x86).

Timeline