vendor: Solaris
by: SecurityFocus
CVSS: 7.2 (HIGH)
CWE: 120 (Buffer Overflow)
Product Name: Solaris
Affected Version From: Solaris 7 Sparc, Solaris 8 Sparc, Solaris x86
Affected Version To: Solaris 7 Sparc, Solaris 8 Sparc, Solaris x86
Patch Exists: YES
Related CWE: CVE-2001-0206
CPE: o:sun:solaris
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Sparc, x86
2001
Solaris SGID sys ipcs Buffer Overflow Vulnerability
A problem in the handling of environment variables by the SGID sys program ipcs could lead to local users gaining elevated privileges. Improper bounds checking of the buffer holding the TIMEZONE environment variable by the program could lead to a buffer overflow, and the overwriting of stack variables including the return address. Therefore, it is possible for a local user to execute arbitrary code with the EUID of sys, and potentially gain further elevated privileges.
Mitigation:
Upgrade to the latest version of Solaris or apply the appropriate patch.
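The bug class described above, an environment variable copied into a fixed-size stack buffer without a length check, is shown here as an added example next to a bounded form. This is not Solaris or ipcs source code; the buffer size `TZ_BUF_LEN` and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TZ_BUF_LEN 64 /* assumed size; the page does not give the real one */

/* Unsafe pattern (for contrast, never called here): the copy length is
 * whatever the caller's environment supplies, so a long value runs past
 * dst and over adjacent stack data, including the return address. */
void load_timezone_unchecked(char *dst)
{
    const char *tz = getenv("TIMEZONE");
    if (tz != NULL)
        strcpy(dst, tz); /* no bounds check */
}

/* Bounded copy: 0 on success, -1 if src is unset or dst is unusable,
 * -2 if src does not fit. Oversized input is rejected, not truncated,
 * so a privileged program never acts on a partial value. */
int copy_bounded(char *dst, size_t dstlen, const char *src)
{
    size_t n;

    if (dst == NULL || dstlen == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;
    n = strlen(src);
    if (n >= dstlen) /* need room for the terminating NUL */
        return -2;
    memcpy(dst, src, n + 1);
    return 0;
}

/* What a set-ID program would call instead of the unchecked copy. */
int load_timezone(char *dst, size_t dstlen)
{
    return copy_bounded(dst, dstlen, getenv("TIMEZONE"));
}

int main(void)
{
    char tz[TZ_BUF_LEN];
    int rc = load_timezone(tz, sizeof tz);

    if (rc == -2)
        fprintf(stderr, "TIMEZONE too long, ignoring it\n");
    printf("rc=%d tz=\"%s\"\n", rc, tz);
    return 0;
}
```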