Solaris Xlock Heap Overflow Vulnerability allows local Root compromise

posted onAugust 12, 2001

by hitbsecnews

The NSFOCUS Security Team reported on August 10th that they had found a heap buffer overflow vulnerability in the xlock shipped in Solaris system when handling some environment variables. Exploitation of it was reported to allow a local attacker to obtain root privilege

Xlock is a screen-locking tool of Solaris OpenView. It locks the X server until a password is entered. It is installed suid root by default. It has an invalid boundary check in some environment variable handling. As the result, an attacker could overwrite dynamic memory boundary of heap area, run arbitrary code as root with carefully constructed overflow data. Exploiting this vulnerability successfully would give an attacker root privilege....

NSFOCUS Security Advisory(SA2001-05)

Topic: Solaris Xlock Heap Overflow Vulnerability

Release Date£º 2001-08-10

CVE CAN ID : CAN-2001-0652
BUGTRAQ ID : 3160

Affected system:
================

Sun Solaris 2.6 (SPARC/x86)
Sun Solaris 7 (SPARC/x86)
Sun Solaris 8 (SPARC/x86)

Impact:
=========

NSFOCUS Security Team has found a heap buffer overflow vulnerability in the
xlock shipped in Solaris system when handling some environment variables.
Exploitation of it would allow a local attacker to obtain root privilege.

Description£º
============

Xlock is a screen-locking tool of Solaris OpenView. It locks the X server until
a password is entered. It is installed suid root by default.

It has an invalid boundary check in some environment variable handling. As the
result, an attacker could overwrite dynamic memory boundary of heap area,
run arbitrary code as root with carefully constructed overflow data.

The problem is within these two environment variables: "XFILESEARCHPATH" and
"XUSERFILESEARCHPATH". Xlock calls malloc() to allocate 1024 bytes memory and
save the environment variable value in this dynamic memory. But xlock does not
provide length check of environment variable when copying. In case that these
two environment variables are set to be a string longer than 1024 bytes, a heap
overflow might occur. Adjacent dynamic memory boundary tags could be
overwritten, and segment fault would occur when malloc() is called next time.
Some special "feature" of libc malloc()/free() implementation could be used to
rewrite arbitrary memory like saved returned address and function pointer or
other important data with carefully formed overflow data.

Exploiting this vulnerability successfully would give an attacker root privilege.

Exploit:
==========

bash-2.03$ uname -a
SunOS sun8 5.8 Generic sun4u sparc SUNW,Ultra-5_10
bash-2.03$ cp /usr/openwin/bin/xlock /tmp/xlock
bash-2.03$ export XFILESEARCHPATH=`perl -e 'print "A"x1028'`
bash-2.03$ /tmp/xlock
Segmentation Fault
bash-2.03$ truss -u libc:malloc,free /tmp/xlock
<...snip...>
<- libc:malloc() = 0x1135d0
-> libc:malloc(0x400, 0xffbefa8d, 0xffffffff, 0x1b648)
<- libc:malloc() = 0x1139d0
open("AAAAAAA...AAAAAAAAAAAAAAA", O_RDONLY) Err#78 ENAMETOOLONG
-> libc:free(0x1139d0, 0x0, 0xff31c000, 0x1b648)
<- libc:free() = 0
-> libc:malloc(0x400, 0x12, 0x0, 0x10ed49)
<- libc:malloc() = 0x1139d0
open("/export/home/test/XLock", O_RDONLY) Err#2 ENOENT
-> libc:free(0x1139d0, 0x0, 0xff31c000, 0x7efefeff)
<- libc:free() = 0
-> libc:malloc(0x3, 0x3073b, 0xffffffff, 0x3a300000)
<- libc:malloc() = 0x1135e0
Incurred fault #6, FLTBOUNDS %pc = 0xFF0C0F4C
siginfo: SIGSEGV SEGV_MAPERR addr=0x41527F18
Received signal #11, SIGSEGV [default]
siginfo: SIGSEGV SEGV_MAPERR addr=0x41527F18
*** process killed ***

Proof of concept codes for this issue will be available at:
http://www.nsfocus.com/proof/sol_sparc_xlockex.c
http://www.nsfocus.com/proof/sol_x86_xlockex.c

Workaround:
===================

Drop the suid root attribute of xlock:

# chmod a-s /usr/openwin/bin/xlock

Vendor Status:
==============

2001.6.11 We informed Sun of this problem.
2001.6.14 Sun replied that the problem had been reproduced and they
had started to develop relevant patches.
2001.8.8 Sun informed us that the development of patches had finished and
would be released at the end of the month.
2001.8.9 Sun provided us with IDs of the patches to be released.

Sun's patches to be released for this vulnerability:

SPARC x86
--------- ---------
Solaris 8 108652-38 108653-33
Solaris 7 108376-30 108377-26
Solaris 2.6 105633-60 106248-45

Security patches of Sun Inc. are available at:

http://sunsolve.sun.com/securitypatch

Additional Information:
========================

The Common Vulnerabilities and Exposures (CVE) project has
assigned the name CAN-2001-0652 to this issue. This is a
candidate for inclusion in the CVE list (http://cve.mitre.org),
which standardizes names for security problems. Candidates
may change significantly before they become official CVE entries.

DISCLAIMS:
==========
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY
OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED,
EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENTSHALL NSFOCUS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL,CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
DISTRIBUTION OR REPRODUTION OF THE INFORMATION IS PROVIDED THAT THE
ADVISORY IS NOT MODIFIED IN ANY WAY.

NSFOCUS Security Team <security@nsfocus.com>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)