
Buffer Overflow in Sun Solaris Runtime Linker


I. BACKGROUND

 

The Solaris runtime linker, ld.so.1(1), processes dynamic executables and shared objects at runtime, binding them to create a runnable process. When the LD_PRELOAD environment variable is set, the runtime linker loads the shared objects it names before any other shared object, so they take precedence when symbols are resolved.

 

II. DESCRIPTION

 

A locally exploitable buffer overflow exists in the ld.so.1 dynamic runtime linker in Sun's Solaris operating system. An overly long value in the LD_PRELOAD environment variable causes the runtime linker to overflow a stack-based buffer while processing it. Because the overflow occurs on a non-executable stack, turning it into command execution is more difficult than usual, but not impossible.
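The bug class described above, as an added example that is not code from this advisory or from Sun's ld.so.1 sources: a fixed-size stack buffer receiving an environment variable whose length the local user chooses, beside a bounded version that refuses the oversized value instead of copying it. The buffer size PRELOAD_MAX and the function names are assumptions for illustration and say nothing about the real layout of ld.so.1; the overflowing call is deliberately never executed.

```c
/* Added example, not from the advisory or from ld.so.1: the pattern of a
 * stack buffer overflow driven by an environment variable, beside a bounded
 * version.  PRELOAD_MAX and the function names are illustrative assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PRELOAD_MAX 64   /* hypothetical size of the on-stack name buffer */

/* Vulnerable pattern: strcpy() trusts whatever length the environment
 * supplies.  A value of PRELOAD_MAX bytes or more runs past 'name' into the
 * saved frame pointer and return address.  Returns bytes copied, or -1 when
 * the value is unset.  Never call this with an overlong value. */
static int preload_copy_unsafe(const char *value)
{
    char name[PRELOAD_MAX];
    if (value == NULL)
        return -1;
    strcpy(name, value);            /* no bound: this is the overflow */
    return (int)strlen(name);
}

/* Hardened pattern: measure first, then refuse (rather than truncate) input
 * that does not fit, because a silently truncated path can name a different
 * object.  Returns bytes copied, -1 if unset, -2 if rejected. */
static int preload_copy_safe(const char *value)
{
    char name[PRELOAD_MAX];
    size_t len;
    if (value == NULL)
        return -1;
    len = strlen(value);
    if (len >= sizeof name)
        return -2;
    memcpy(name, value, len + 1);   /* bound verified above, includes NUL */
    return (int)len;
}

/* Build an n-byte value, the way a local user fills LD_PRELOAD before
 * running a setuid program.  Caller frees the result. */
static char *make_preload(size_t n)
{
    char *v = malloc(n + 1);
    if (v == NULL)
        return NULL;
    memset(v, 'A', n);
    v[n] = '\0';
    return v;
}

int main(void)
{
    const char *small = "/usr/lib/libc.so.1";     /* 18 bytes, fits */
    char *big = make_preload(4096);               /* does not fit */
    printf("safe copy of short value:      %d\n", preload_copy_safe(small));
    printf("safe copy of 4096-byte value:  %d (rejected)\n", preload_copy_safe(big));
    printf("unsafe copy of short value:    %d\n", preload_copy_unsafe(small));
    /* preload_copy_unsafe(big) would smash the stack; intentionally not run. */
    free(big);
    return 0;
}
```

The point for setuid programs is that the linker must read the variable before it can decide whether to honour it, so a parse-time overflow executes with the target program's privileges regardless of what the linker would later have done with the value.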

 

III. ANALYSIS

 

iDEFENSE has proof of concept exploit code that allows a local attacker to gain root privileges by exploiting the setuid root /usr/bin/passwd command on Solaris 9. A "return into libc" technique is used to circumvent the non-executable stack: the overwritten return address is pointed at code already present in a loaded library rather than at injected shellcode, so no instructions need to execute from the stack. Any dynamically linked setuid root program on the system is a sufficient target, since the linker processes LD_PRELOAD before the program itself runs; virtually all default installations of Solaris 8 and 9 meet this criterion.

 

IV. DETECTION

 

The following operating system configurations are vulnerable:

 

SPARC Platform

     * Solaris 2.6 with patch 107733-10 and without patch 107733-11

     * Solaris 7 with patches 106950-14 through 106950-22 and without patch 106950-23

     * Solaris 8 with patches 109147-07 through 109147-24 and without patch 109147-25

     * Solaris 9 without patch 112963-09

 

x86 Platform

     * Solaris 2.6 with patch 107734-10 and without patch 107734-11

     * Solaris 7 with patches 106951-14 through 106951-22 and without patch 106951-23

     * Solaris 8 with patches 109148-07 through 109148-24 and without patch 109148-25

     * Solaris 9 without patch 113986-05
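The patch ranges above as an executable check, added here as an example and not part of the advisory. It assumes the inputs a Solaris administrator already has to hand: uname -p for the platform (sparc or i386), uname -r for the release (5.6 through 5.9), and the "Patch:" lines printed by showrev -p. It reads "without patch X-NN" as "no installed revision of X is NN or later", since a later revision of a patch supersedes earlier ones and showrev -p lists every revision that was applied. The showrev lines embedded in the block are constructed, not captured from a real host.

```c
/* Added example, not from the advisory: the vulnerable patch ranges of
 * section IV encoded as a check over showrev -p output.  The sample showrev
 * text below is constructed for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct rule {
    const char *platform;   /* uname -p */
    const char *release;    /* uname -r */
    int base;               /* ld.so.1 patch number for that release */
    int lo, hi;             /* vulnerable if highest installed revision is in
                             * [lo, hi]; revision 0 means "not installed" */
};

/* "with patches X-14 through X-22 and without X-23" -> lo 14, hi 22;
 * "without patch X-09" on a release vulnerable out of the box -> lo 0, hi 8. */
static const struct rule rules[] = {
    { "sparc", "5.6", 107733, 10, 10 },
    { "sparc", "5.7", 106950, 14, 22 },
    { "sparc", "5.8", 109147,  7, 24 },
    { "sparc", "5.9", 112963,  0,  8 },
    { "i386",  "5.6", 107734, 10, 10 },
    { "i386",  "5.7", 106951, 14, 22 },
    { "i386",  "5.8", 109148,  7, 24 },
    { "i386",  "5.9", 113986,  0,  4 },
};

/* Highest revision of patch 'base' found in showrev -p text; 0 if absent. */
static int highest_revision(const char *showrev, int base)
{
    int best = 0;
    const char *p = showrev;
    while ((p = strstr(p, "Patch: ")) != NULL) {
        int b, r;
        if (sscanf(p + 7, "%d-%d", &b, &r) == 2 && b == base && r > best)
            best = r;
        p += 7;
    }
    return best;
}

/* 1 = vulnerable, 0 = not vulnerable, -1 = platform/release not in the table */
static int ldso_vulnerable(const char *platform, const char *release,
                           const char *showrev)
{
    size_t i;
    for (i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        const struct rule *r = &rules[i];
        if (strcmp(r->platform, platform) == 0 &&
            strcmp(r->release, release) == 0) {
            int rev = highest_revision(showrev, r->base);
            return (rev >= r->lo && rev <= r->hi) ? 1 : 0;
        }
    }
    return -1;
}

/* Constructed sample: a SPARC Solaris 8 host that applied 109147-20 and later
 * 109147-24, plus an unrelated patch.  Highest revision 24 is in [7, 24]. */
static const char sample_showrev[] =
    "Patch: 108528-19 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu\n"
    "Patch: 109147-20 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu\n"
    "Patch: 109147-24 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu\n";

int main(int argc, char **argv)
{
    int v = (argc == 4) ? ldso_vulnerable(argv[1], argv[2], argv[3])
                        : ldso_vulnerable("sparc", "5.8", sample_showrev);
    if (v < 0) {
        printf("platform/release not covered by the advisory table\n");
        return 2;
    }
    printf("ld.so.1 (CAN-2003-0609): %s\n", v ? "VULNERABLE" : "not vulnerable");
    return v;
}
```

On a real host the same binary is run as ./ldso_check "$(uname -p)" "$(uname -r)" "$(showrev -p)"; the exit status is 1 when the installed revision falls inside a vulnerable range.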

 

V. VENDOR FIX

 

Sun has provided a fix for this issue. It is available at http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/55680.

 

VI. CVE INFORMATION

 

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2003-0609 (the candidate prefix later dropped; the entry is now CVE-2003-0609) to this issue.

 

VII. DISCLOSURE TIMELINE

 

01 JUN 2003    Issue disclosed to security-alert@sun.com

02 JUN 2003    Response from Sun Security Coordination Team

03 JUN 2003    E-mail to Sun Security Coordination Team

04 JUN 2003    Issue disclosed to iDEFENSE

16 JUL 2003    Status request to Sun Security Coordination Team

22 JUL 2003    Response from Sun Security Coordination Team

28 JUL 2003    iDEFENSE clients notified

29 JUL 2003    Coordinated public disclosure

 

VIII. CREDIT

 

Jouko Pynnonen (jouko@iki.fi) discovered this vulnerability.
