Sun Solstice AdminSuite sadmind adm_build_path()Buffer Overflow Vulnerability

Advisory Content :

RISE-2008001
Sun Solstice AdminSuite sadmind adm_build_path() Buffer Overflow
Vulnerability

http://risesecurity.org/advisories/RISE-2008001.txt
Published: October 14, 2008
Updated: October 14, 2008

INTRODUCTION

There exists a vulnerability within a function of the Sun Solstice
AdminSuite
sadmind, which when properly exploited can lead to remote compromise of the

vulnerable system.
This vulnerability was confirmed by us in the following versions of the Sun

operating system, other versions may be also affected.

Sun Solaris 9 SPARC
Sun Solaris 9 x86
Sun Solaris 8 SPARC
Sun Solaris 8 x86

DETAILS

Solstice AdminSuite is a collection of graphical user interface tools and
commands used to perform administrative tasks such as managing users,
groups,
hosts, system files, printers, disks, file systems, terminals, and modems.

The distributed system administration daemon (sadmind) is the daemon used
by
Solstice AdminSuite applications to perform distributed system
administration
operations.

The sadmind daemon is started automatically by the inetd daemon whenever a

request to invoke an operation is received. The sadmind daemon process
continues to run for 15 minutes after the last request is completed, unless
a
different idle-time is specified with the -i command line option. The
sadmind
daemon may be started independently from the command line, for example, at

system boot time. In this case, the -i option has no effect; sadmind
continues
to run, even if there are no active requests.

The vulnerable function adm_build_path() does does not validate user
supplied
data when appending it to a stack-based buffer using strcat(), resulting in
a
stack-based buffer overflow. The exploitation of this vulnerability is
trivial
and results in remote compromise of the vulnerable system.
This is the debug information about this vulnerability (from Sun Solaris 9
x86).

Breakpoint 1, 0xd330e5b0 in adm_build_path ()
from /usr/snadm/lib/libadmapm.so.2
(gdb) until *adm_build_path+38
0xd330e5c6 in adm_build_path () from /usr/snadm/lib/libadmapm.so.2
(gdb) x/i $pc
0xd330e5c6 <adm_build_path+38>: call 0xd3304fa8 <strcat@plt>
(gdb) x/x $esp+4
0x80411e4: 0x080b7cd0
(gdb) x/x $esp
0x80411e0: 0x08041208
(gdb) x/s 0x080b7cd0
0x80b7cd0: 'A' <repeats 200 times>...
(gdb) x/s 0x08041208
0x8041208: "system.2.1/"
(gdb) where
#0 0xd330e5c6 in adm_build_path () from /usr/snadm/lib/libadmapm.so.2
#1 0xd330eaa7 in adm_find_method () from /usr/snadm/lib/libadmapm.so.2
#2 0xd335326b in verify_vers_1 () from /usr/snadm/lib/libadmagt.so.2
#3 0xd3352e88 in verify_validate () from /usr/snadm/lib/libadmagt.so.2
#4 0xd3352cf8 in amsl_verify () from /usr/snadm/lib/libadmagt.so.2
#5 0xd32c8a85 in
__0fQNetmgtDispatcherPdispatchRequestP6Hsvc_reqP6J__svcxprt
() from /usr/snadm/lib/libadmcom.so.2
#6 0xd32c8656 in
__0fQNetmgtDispatcherOreceiveRequestP6Hsvc_reqP6J__svcxprt ()
from /usr/snadm/lib/libadmcom.so.2
#7 0xd32c837c in _netmgt_receiveRequest () from
/usr/snadm/lib/libadmcom.so.2
#8 0xd311d4a3 in _svc_prog_dispatch () from /usr/lib/libnsl.so.1
#9 0xd311d24e in svc_getreq_common () from /usr/lib/libnsl.so.1
#10 0xd311d130 in svc_getreq_poll () from /usr/lib/libnsl.so.1
#11 0xd3121550 in _svc_run () from /usr/lib/libnsl.so.1
#12 0xd3121293 in svc_run () from /usr/lib/libnsl.so.1
#13 0xd32cd165 in __0fQNetmgtDispatcherNstartupServerv ()
from /usr/snadm/lib/libadmcom.so.2
#14 0xd32cd13b in netmgt_start_agent () from /usr/snadm/lib/libadmcom.so.2
#15 0x0805168f in main ()
(gdb) stepi
0xd3304fa8 in strcat@plt () from /usr/snadm/lib/libadmapm.so.2
(gdb) step
Single stepping until exit from function strcat@plt,
which has no line number information.
0xd330e5cb in adm_build_path () from /usr/snadm/lib/libadmapm.so.2
(gdb) x/i $pc
0xd330e5cb <adm_build_path+43>: add $0x8,%esp
(gdb) where
#0 0xd330e5cb in adm_build_path () from /usr/snadm/lib/libadmapm.so.2
#1 0xd330eaa7 in adm_find_method () from /usr/snadm/lib/libadmapm.so.2
#2 0xaabbccdd in ?? ()
#3 0x08063000 in ?? ()
#4 0x08063128 in ?? ()
#5 0x080b7cd0 in ?? ()
#6 0x08041730 in ?? ()
#7 0x00000400 in ?? ()
#8 0x00000001 in ?? ()
#9 0xd336ac8c in ?? () from /usr/snadm/lib/libadmagt.so.2
#10 0x00000000 in ?? ()
(gdb) c
Continuing.

Breakpoint 1, 0xd330e5b0 in adm_build_path ()
from /usr/snadm/lib/libadmapm.so.2
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0xaabbccdd in ?? ()
(gdb)

A proof of concept code for this vulnerability can be downloaded from our
website http://risesecurity.org/.

VENDOR

Sun Security Coordination Team was notified of this issue, proper
corrections
should be available soon. Meanwhile, we recommend disabling the
distributed
system administration daemon (sadmind).

CREDITS

This vulnerability was discovered by Adriano Lima <adriano (at)
risesecurity (dot) org [email concealed]>.

DISCLAIMER

The authors reserve the right not to be responsible for the topicality,
correctness, completeness or quality of the information provided in this
document. Liability claims regarding damage caused by the use of any
information provided, including any kind of information which is incomplete
or
incorrect, will therefore be rejected.

$Id: RISE-2008001.txt 2 2008-10-14 14:40:53Z ramon $

Security

IT News

Search

SecurityAlert Database

About SecurityAlert

ExploitAlert Database

SecurityReason Research

WLB Database

Send to WLB

About WLB

Security Audit

Schedule

Prices of services

Contact

SecurityReason IT News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Contact

About SecurityReason

Sun Solstice AdminSuite sadmind adm_build_path()Buffer Overflow Vulnerability