Title: Solaris libsldap Buffer Overflow Vulnerability
Severity: MODERATE
Description:
Solaris 8 ships with a shared library that implements LDAP functionality called 'libsldap'. This library is linked to by a number of system utilities, many of them installed setuid or setgid.
Libsldap contains a buffer overflow vulnerability in its handling of the 'LDAP_OPTIONS' environment variable.
When a program linked to libsldap executes, the initialization code in the library performs an unbounded string copy of the environment variable 'LDAP_OPTIONS' into a locally allocated buffer. If the length of the null-terminated environment variable exceeds the size of the local buffer, the excess data overwrites neighboring data on the stack (such as the function's stack frame).
Attackers may be able to construct a value for 'LDAP_OPTIONS' that replaces the executing function's return address in the stack frame with a pointer to instructions or 'shellcode' placed in the stack by the attacker. When the function returns, the process will begin executing the shellcode with the setuid/setgid privileges.
Local attackers can exploit this vulnerability in setuid/setgid programs linked to libsldap to elevate privileges. One such utility that is installed setuid root is 'passwd'.
Affected Products:
- Sun Solaris 8
- Sun Solaris 8_x86
References:
- CORE Security: Solaris LIBSLDAP Local Exploit
- Sun Microsystems: Sunsolve Online(tm)
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.