RISE-2008001 Sun Solstice AdminSuite sadmind adm_build_path() Buffer Overflow Vulnerability http://risesecurity.org/advisories/RISE-2008001.txt Published: October 14, 2008 Updated: October 14, 2008 INTRODUCTION There exists a vulnerability within a function of the Sun Solstice AdminSuite sadmind, which when properly exploited can lead to remote compromise of the vulnerable system. This vulnerability was confirmed by us in the following versions of the Sun operating system, other versions may be also affected. Sun Solaris 9 SPARC Sun Solaris 9 x86 Sun Solaris 8 SPARC Sun Solaris 8 x86 DETAILS Solstice AdminSuite is a collection of graphical user interface tools and commands used to perform administrative tasks such as managing users, groups, hosts, system files, printers, disks, file systems, terminals, and modems. The distributed system administration daemon (sadmind) is the daemon used by Solstice AdminSuite applications to perform distributed system administration operations. The sadmind daemon is started automatically by the inetd daemon whenever a request to invoke an operation is received. The sadmind daemon process continues to run for 15 minutes after the last request is completed, unless a different idle-time is specified with the -i command line option. The sadmind daemon may be started independently from the command line, for example, at system boot time. In this case, the -i option has no effect; sadmind continues to run, even if there are no active requests. The vulnerable function adm_build_path() does does not validate user supplied data when appending it to a stack-based buffer using strcat(), resulting in a stack-based buffer overflow. The exploitation of this vulnerability is trivial and results in remote compromise of the vulnerable system. This is the debug information about this vulnerability (from Sun Solaris 9 x86). Breakpoint 1, 0xd330e5b0 in adm_build_path () from /usr/snadm/lib/libadmapm.so.2 (gdb) until *adm_build_path+38 0xd330e5c6 in adm_build_path () from /usr/snadm/lib/libadmapm.so.2 (gdb) x/i $pc 0xd330e5c6 : call 0xd3304fa8 (gdb) x/x $esp+4 0x80411e4: 0x080b7cd0 (gdb) x/x $esp 0x80411e0: 0x08041208 (gdb) x/s 0x080b7cd0 0x80b7cd0: 'A' ... (gdb) x/s 0x08041208 0x8041208: "system.2.1/" (gdb) where #0 0xd330e5c6 in adm_build_path () from /usr/snadm/lib/libadmapm.so.2 #1 0xd330eaa7 in adm_find_method () from /usr/snadm/lib/libadmapm.so.2 #2 0xd335326b in verify_vers_1 () from /usr/snadm/lib/libadmagt.so.2 #3 0xd3352e88 in verify_validate () from /usr/snadm/lib/libadmagt.so.2 #4 0xd3352cf8 in amsl_verify () from /usr/snadm/lib/libadmagt.so.2 #5 0xd32c8a85 in __0fQNetmgtDispatcherPdispatchRequestP6Hsvc_reqP6J__svcxprt () from /usr/snadm/lib/libadmcom.so.2 #6 0xd32c8656 in __0fQNetmgtDispatcherOreceiveRequestP6Hsvc_reqP6J__svcxprt () from /usr/snadm/lib/libadmcom.so.2 #7 0xd32c837c in _netmgt_receiveRequest () from /usr/snadm/lib/libadmcom.so.2 #8 0xd311d4a3 in _svc_prog_dispatch () from /usr/lib/libnsl.so.1 #9 0xd311d24e in svc_getreq_common () from /usr/lib/libnsl.so.1 #10 0xd311d130 in svc_getreq_poll () from /usr/lib/libnsl.so.1 #11 0xd3121550 in _svc_run () from /usr/lib/libnsl.so.1 #12 0xd3121293 in svc_run () from /usr/lib/libnsl.so.1 #13 0xd32cd165 in __0fQNetmgtDispatcherNstartupServerv () from /usr/snadm/lib/libadmcom.so.2 #14 0xd32cd13b in netmgt_start_agent () from /usr/snadm/lib/libadmcom.so.2 #15 0x0805168f in main () (gdb) stepi 0xd3304fa8 in strcat@plt () from /usr/snadm/lib/libadmapm.so.2 (gdb) step Single stepping until exit from function strcat@plt, which has no line number information. 0xd330e5cb in adm_build_path () from /usr/snadm/lib/libadmapm.so.2 (gdb) x/i $pc 0xd330e5cb : add $0x8,%esp (gdb) where #0 0xd330e5cb in adm_build_path () from /usr/snadm/lib/libadmapm.so.2 #1 0xd330eaa7 in adm_find_method () from /usr/snadm/lib/libadmapm.so.2 #2 0xaabbccdd in ?? () #3 0x08063000 in ?? () #4 0x08063128 in ?? () #5 0x080b7cd0 in ?? () #6 0x08041730 in ?? () #7 0x00000400 in ?? () #8 0x00000001 in ?? () #9 0xd336ac8c in ?? () from /usr/snadm/lib/libadmagt.so.2 #10 0x00000000 in ?? () (gdb) c Continuing. Breakpoint 1, 0xd330e5b0 in adm_build_path () from /usr/snadm/lib/libadmapm.so.2 (gdb) c Continuing. Program received signal SIGSEGV, Segmentation fault. 0xaabbccdd in ?? () (gdb) A proof of concept code for this vulnerability can be downloaded from our website http://risesecurity.org/. VENDOR Sun Security Coordination Team was notified of this issue, proper corrections should be available soon. Meanwhile, we recommend disabling the distributed system administration daemon (sadmind). CREDITS This vulnerability was discovered by Adriano Lima . DISCLAIMER The authors reserve the right not to be responsible for the topicality, correctness, completeness or quality of the information provided in this document. Liability claims regarding damage caused by the use of any information provided, including any kind of information which is incomplete or incorrect, will therefore be rejected. $Id: RISE-2008001.txt 2 2008-10-14 14:40:53Z ramon $