• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: Solaris IPCS Timezone Buffer Overflow Vulnerability

Severity: MODERATE

Description:

Solaris is the variant of the UNIX Operating System distributed by Sun Microsystems. Solaris is designed as a scalable operating system for the Intel x86 and Sun Sparc platforms, and operates on machines varying from desktop to enterprise server.

A problem in the handling of the TIMEZONE environment variable by the ipcs program could lead to arbitrary command execution, and elevated privileges. The program is located in /usr/bin/i86/ipcs (x86) or /usr/bin/ipcs (Sparc), and is in the SUNWipc package.

The ipcs program is designed to report on the inter-process communications facilities status. This means the program generates reports on things such as message queues, shared memory, and semaphores that are currently being used within the system, and gives statistics about their use.

Upon executing, the ipcs program checks the TIMEZONE environment variable for a value, and stores it in a buffer. However, the contents of this environment variable are not validated prior to storing.

Because of an insufficient check of the contents of the TIMEZONE environment variable, a buffer overflow can occur during the execution of the program. Upon buffer overflow, it is possible to overwrite variables on the stack, including the return address. This would lead to the execution of commands with an EUID of sys, as the ipcs program is SGID sys.

The buffer overflow occurs at 1036 characters on x86 versions of Solaris. It is reported to occur at 1107 and 1199 characters respectively on Sparc Solaris 7 and 8.

Affected Products:

• Sun Solaris 7.0
• Sun Solaris 7.0_x86
• Sun Solaris 8
• Sun Solaris 8_x86

References:

• Sun: Sun Alert ID: 27600 Buffer Overflow in "ipcs" Command Might Allow Unauthorized s

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.