tags: Solaris elfsign vulnerability CVE-2015-0471
It was irksomely easy to make Solaris 10 elfsign(1) fall over on untrusted input. Since its raison d'être in the "verify" mode is precisely to check untrusted input, this is problematic. I used good old zzuf and just fuzzed elfsign verify on the first binary that came to mind (ls) to find:
martin@sol10 $ zzuf -qcs: -- elfsign verify /bin/ls
zzuf[s=578,r=0.004]: signal 11 (SIGSEGV)
This says: quietly (-q) fuzz the files named on the command line (-c), iterating over an unbounded range of seeds (-s:). zzuf reports a crash (the child died with SIGSEGV) at seed 578. (If this had run for more than a couple of seconds I might have considered using a smaller, more tailored input binary, but as you can see there was no need for that.)
Then, to grab that fuzzed sample file, we can just run cat(1) in place of elfsign(1) with the problematic seed 578 and redirect the result to a file:
martin@sol10 $ zzuf -cs578 -- cat /bin/ls > boom
(This works because zzuf is deterministic across runs: the same seed and ratio produce the same mutations of the same input.)
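The same workflow, scripted end to end as an added example (not from the original post): run zzuf against a verifier, pull the seed out of the crash report, reproduce the mutated input with cat, and then confirm that the saved file crashes the verifier on its own, without zzuf in the loop. It assumes zzuf and the target (elfsign here) are on PATH; the function names and the "boom" output path are illustrative.

```sh
#!/bin/sh
# Extract the seed from a zzuf crash report such as
#   zzuf[s=578,r=0.004]: signal 11 (SIGSEGV)
# Prints the seed, or nothing if the line is not a crash report.
zzuf_seed() {
    printf '%s\n' "$1" |
        sed -n 's/^zzuf\[s=\([0-9][0-9]*\),r=[0-9.]*]: signal .*/\1/p'
}

# Map a shell exit status to the signal that killed the command
# (status 128+N means signal N); prints nothing for a normal exit.
signal_from_status() {
    if [ "$1" -gt 128 ]; then
        echo $(( $1 - 128 ))
    fi
}

# fuzz_and_reproduce TARGET INPUT OUTFILE
# Fuzz "TARGET verify INPUT" until zzuf reports a crash, save the
# offending input to OUTFILE and re-run TARGET on it directly.
fuzz_and_reproduce() {
    target=$1; input=$2; out=$3
    # -q quiet, -c fuzz files named on the command line, -s: unbounded seeds.
    # zzuf stops after the first crash and writes its report to stderr.
    report=$(zzuf -qcs: -- "$target" verify "$input" 2>&1 | sed -n '/^zzuf\[/p' | head -n 1)
    seed=$(zzuf_seed "$report")
    if [ -z "$seed" ]; then
        echo "no crash reported by zzuf" >&2
        return 1
    fi
    # zzuf is deterministic per seed, so cat yields the exact mutated file.
    zzuf -cs"$seed" -- cat "$input" > "$out"
    # Confirm the saved sample crashes the target without zzuf present.
    "$target" verify "$out" >/dev/null 2>&1
    status=$?
    sig=$(signal_from_status "$status")
    echo "seed=$seed exit=$status signal=${sig:-none} sample=$out"
    [ -n "$sig" ]
}

# Usage on the box from the post (hypothetical paths):
#   fuzz_and_reproduce elfsign /bin/ls boom
```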
This was fixed in patches 150400-23 (SPARC) and 150401-23 (x86).