Root privileges from vulnerabilities in Solaris loader
Sun has fixed two vulnerabilities identified by security services provider iDefense. Both are in the dynamic linker/loader Id.so and can only be exploited in combination. Id.so uses the environment variable $LANG to deliver error messages in the appropriate language. Since $LANG can be specified by the user, it's possible, for example, by directory traversing, to divert this call to other files. Setting $LANG to ../../../../../home/user, for example, would be sufficient.
According to iDefense this permits arbitrary format strings to be passed to vulnerable print and formatting functions in Id.so. This is where the second vulnerability comes into play - a buffer overflow in the formatting function doprf which can be used to write code to the stack and execute this code with the privileges of Id.so, i.e. kernel privileges. Interestingly, the bug only occurs comes into play for non-root users - if the user has root privileges the function is not used. According to Sun, Solaris 8, 9 and 10 on SPARC and x86 are affected.
- Security Vulnerabilities in Solaris ld.so.1(1) may Lead to Execution of Arbitrary Code with Elevated Privileges, alert notification from Sun
- Sun Microsystems Solaris ld.so 'doprf()' Buffer Overflow Vulnerability, vulnerability advisory from iDefense
- Sun Microsystems Solaris ld.so Directory Traversal Vulnerability, vulnerability advisory from iDefense