2015/06/24
tags: Solaris elfsign vulnerability CVE-2015-0471
It was irksomely easy to make Solaris 10 elfsign(1) fall over on untrusted input. Since its raison d'être in the "verify" mode is precisely to check untrusted input, this is problematic. I used good old zzuf and just fuzzed elfsign verify on the first binary that came to mind (ls) to find this.
martin@sol10 $ zzuf -qcs: -- elfsign verify /bin/ls
zzuf[s=578,r=0.004]: signal 11 (SIGSEGV)
This says: quietly (-q) fuzz the file named on the command line (-c), trying seeds from 0 upward with no upper bound (-s:). zzuf reports a crash at seed 578. (If this had run for more than a couple of seconds I might have considered using a more tuned binary, but as you can see there was no need for that.)
Then to grab that sample fuzzed file we can just use cat(1) in place of elfsign(1) with the problematic seed 578 and redirect the result to a file:
martin@sol10 $ zzuf -cs578 -- cat /bin/ls > boom
(This works because zzuf is deterministic across runs: the same seed and mutation ratio produce the same bytes. The crash report shows r=0.004, which is zzuf's default ratio, so no -r option is needed here; a run with a non-default ratio would have to pass the same -r when reproducing.)
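Once boom exists, the next triage step is to see which bytes zzuf actually changed and whether they land in the ELF header that elfsign has to parse. The script below is an added example of mine, not code from the original post: it diffs the original binary against the fuzzed sample and maps each changed offset to its ELF header field (32- and 64-bit layouts). The embedded sample is a constructed ELF64 header, not Solaris's ls, and the mutated offsets are chosen for illustration.

```python
import struct
import sys

# ELF header layouts after the 16-byte e_ident; offsets are derived by
# summing field sizes so they match the ELF specification exactly.
ELF32_FIELDS = [("e_type", "H"), ("e_machine", "H"), ("e_version", "I"),
                ("e_entry", "I"), ("e_phoff", "I"), ("e_shoff", "I"),
                ("e_flags", "I"), ("e_ehsize", "H"), ("e_phentsize", "H"),
                ("e_phnum", "H"), ("e_shentsize", "H"), ("e_shnum", "H"),
                ("e_shstrndx", "H")]
ELF64_FIELDS = [(n, {"e_entry": "Q", "e_phoff": "Q", "e_shoff": "Q"}.get(n, f))
                for n, f in ELF32_FIELDS]


def header_layout(data):
    """Map every byte offset inside the ELF header to its field name."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    fields = ELF64_FIELDS if data[4] == 2 else ELF32_FIELDS  # EI_CLASS
    layout = {off: "e_ident" for off in range(16)}
    off = 16
    for name, fmt in fields:
        for i in range(struct.calcsize(fmt)):
            layout[off + i] = name
        off += struct.calcsize(fmt)
    return layout


def diff_sample(original, fuzzed):
    """Return (offset, old, new, location) for each byte zzuf changed.
    zzuf mutates in place, so both files have the same length."""
    layout = header_layout(original)
    return [(off, a, b, layout.get(off, "outside ELF header"))
            for off, (a, b) in enumerate(zip(original, fuzzed)) if a != b]


def report(original, fuzzed):
    """Human-readable lines, one per changed byte."""
    return ["offset %d: 0x%02x -> 0x%02x (%s)" % hit
            for hit in diff_sample(original, fuzzed)]


# Constructed sample: a minimal little-endian ELF64 header plus 16 body bytes.
ORIGINAL = (b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
            + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x401000, 64, 0x2000,
                          0, 64, 56, 2, 64, 5, 4) + bytes(16))
_buf = bytearray(ORIGINAL)
_buf[41], _buf[70] = 0xff, 0x41   # one hit inside e_shoff, one past the header
FUZZED = bytes(_buf)

if __name__ == "__main__":   # usage: python3 triage.py /bin/ls boom
    orig, fuzz = (open(p, "rb").read() for p in sys.argv[1:3])
    print("\n".join(report(orig, fuzz)))
```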
This was fixed in patches 150400-23 (SPARC) and 150401-23 (x86).