Re: Possibly exploitable buffer overflow in Solaris 2.5.1 ps

Geoffrey KEATING (geoffk@DISCUS.ANU.EDU.AU)
Tue, 29 Apr 1997 18:09:22 +1000

> Date: Mon, 28 Apr 1997 03:54:33 -0500
> From: Joe Zbiciak <jzbiciak@MICRO.TI.COM>

> In poking around, I discovered it's possible to bus-error /usr/bin/ps
> on Solaris 2.5.1. (Not certain if any patches affecting ps have been
> applied to the system I discovered this on.)
>
> Giving "-u" a suitably large argument produces the bus error. I've not
> yet managed to exploit it. Here's my analysis so far:
>
> user arg >9 chars: null termination lost, extra garbage in error msg.
> user arg >32 chars: ps gets completely confused about commandline and
> prints generic usage information.
> user arg >95 chars: ps starts segmentation faulting.
> user arg >100 chars: ps starts bus-erroring.
>
> (This is using a commandline of the form 'ps -u aaaaa....aaaa'.)
>
> It appears from this that the return address is at offset 96. Now it's
> just a matter of someone digging out the generic Solaris 'sploit and
> tuning 'er up.

Actually, the thing at offset 96 is `environ'. What's happening is
that there's a routine in ps that (basically) tries to parse the
parameter into comma-separated usernames, and copies the usernames
into a statically-allocated buffer without checking their length. It's
a bug, but not an obviously exploitable one.

The reason for the bus error compared to segv is that 'a' is odd.

There is an upper limit of 30 on the number of user IDs you can pass
to 'ps -u'; uids after that are silently ignored :-(.

--
Geoff Keating <Geoff.Keating@anu.edu.au>
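As an added illustration of the bug class Geoff describes (not code from the post, and not the Solaris ps source, which is not shown here), the block below reconstructs the pattern of splitting a `-u` argument on commas and copying each field into a fixed-size static slot, beside a bounded parser that rejects over-long names and refuses a 31st name instead of silently dropping it. The slot width of 8 characters and the cap of 30 names are assumptions chosen to echo the thresholds in the thread; the static-array layout is illustrative and does not reproduce the offset-96 `environ' clobber, which depends on what the linker placed after the real buffer.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative limits (assumptions, not values read out of Solaris 2.5.1 ps):
 * a login-name slot of NAME_LEN characters plus NUL, and MAX_NAMES slots,
 * matching the 30-uid cap mentioned in the post. */
#define NAME_LEN  8
#define MAX_NAMES 30

enum { PARSE_TOO_LONG = -1, PARSE_TOO_MANY = -2, PARSE_EMPTY = -3 };

/* The shape the post describes: a statically allocated table of fixed slots
 * that each comma-separated field is copied into. */
static char names_unsafe[MAX_NAMES][NAME_LEN + 1];

/* Reconstruction of the described bug (hypothetical code, not ps's source):
 * strcpy() into a fixed slot with no check on the field length. A field
 * longer than NAME_LEN spills into the following slots and, once past the
 * array, into whatever the linker placed after it. Deliberately vulnerable;
 * never call it with untrusted input. */
static int parse_users_unsafe(const char *arg)
{
    char copy[256];
    int n = 0;
    strncpy(copy, arg, sizeof copy - 1);
    copy[sizeof copy - 1] = '\0';
    for (char *tok = strtok(copy, ","); tok; tok = strtok(NULL, ",")) {
        if (n >= MAX_NAMES)
            break;                       /* extra names silently ignored */
        strcpy(names_unsafe[n++], tok);  /* BUG: strlen(tok) is unbounded */
    }
    return n;
}

/* Hardened parser: every field is length-checked before the copy, empty
 * fields and a 31st name are reported as errors rather than swallowed, and
 * the caller's string is never modified. Returns the number of names
 * stored, or one of the negative PARSE_* codes. */
static int parse_users_safe(const char *arg, char out[][NAME_LEN + 1],
                            int max_names)
{
    const char *p = arg;
    int n = 0;
    for (;;) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0)
            return PARSE_EMPTY;
        if (len > NAME_LEN)
            return PARSE_TOO_LONG;       /* the "user arg >9 chars" case */
        if (n >= max_names)
            return PARSE_TOO_MANY;       /* loud instead of silent */
        memcpy(out[n], p, len);
        out[n][len] = '\0';
        n++;
        if (!end)
            return n;
        p = end + 1;
    }
}

/* Feed the hardened parser an argument of n copies of 'a', the input shape
 * used in the thread. Returns the parser's result. */
static int parse_run_of_a(size_t n)
{
    char arg[256];
    char out[MAX_NAMES][NAME_LEN + 1];
    if (n >= sizeof arg)
        return PARSE_TOO_LONG;
    memset(arg, 'a', n);
    arg[n] = '\0';
    return parse_users_safe(arg, out, MAX_NAMES);
}

/* Feed the hardened parser k single-letter names separated by commas. */
static int parse_k_names(int k)
{
    char arg[2 * MAX_NAMES + 8];
    char out[MAX_NAMES][NAME_LEN + 1];
    int i, pos = 0;
    if (k <= 0 || 2 * k >= (int)sizeof arg)
        return PARSE_EMPTY;
    for (i = 0; i < k; i++) {
        if (i)
            arg[pos++] = ',';
        arg[pos++] = 'a';
    }
    arg[pos] = '\0';
    return parse_users_safe(arg, out, MAX_NAMES);
}

int main(void)
{
    /* Constructed inputs: a well-formed list, the 9-char and 100-char
     * runs from the post, and one name too many. */
    char out[MAX_NAMES][NAME_LEN + 1];
    printf("root,daemon -> %d names\n", parse_users_safe("root,daemon", out, MAX_NAMES));
    printf("9 x 'a'     -> %d\n", parse_run_of_a(9));
    printf("100 x 'a'   -> %d\n", parse_run_of_a(100));
    printf("31 names    -> %d\n", parse_k_names(31));
    (void)parse_users_unsafe;            /* present for comparison only */
    return 0;
}
```

The hardened parser returns distinct error codes so the caller can print a usage message naming the problem, rather than the generic usage text the post reports for a 33-character argument; rejecting the 31st name instead of ignoring it closes the silent-drop behaviour noted at the end of the reply.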