Solaris ufsrestore Buffer Overflow Vulnerability

BID:1348

Info

Bugtraq ID: 1348
Class: Boundary Condition Error
CVE:
Remote: No
Local: Yes
Published: Jun 14 2000 12:00AM
Updated: Jun 14 2000 12:00AM
Credit: First posted to Bugtraq by Job de Haas on June 14, 2000.
Vulnerable: Sun Solaris 2.5.1_x86
Sun Solaris 2.5.1
Sun Solaris 8_x86
Sun Solaris 8_sparc
Sun Solaris 7.0_x86
Sun Solaris 7.0
Sun Solaris 2.6_x86
Sun Solaris 2.6
Sun Solaris 2.5_x86
Sun Solaris 2.5
Not Vulnerable:

Discussion

Solaris is a version of the UNIX Operating System distributed by Sun Microsystems.

Solaris ships with a filesystem utility called ufsrestore that is used for archive/backup retrieval. A problem with the utility could allow a local user to gain elevated privileges.

The ufsrestore utility is setuid root by default and is vulnerable to a buffer overflow. The problem is an oversight in code that was put in place to prevent this very type of vulnerability. In one function in ufsrestore, two strncat calls (strncat is the libc function that appends one NUL-terminated string to another) are used to construct a string. The programmer tried to prevent a buffer overflow by using strncat, which takes a maximum byte count. The error is that the wrong count is passed: both calls are given the size of the entire buffer being constructed. Because strncat's count limits only how many bytes are appended from the source, and does not account for what the destination already holds or for the terminating NUL, the constructed string can still overflow the buffer.

This problem makes it possible for a local user to execute arbitrary code and gain root privileges.
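The bound mistake described above, shown beside the corrected bound, as an added example (this is not the ufsrestore source). The function names, the 16-byte buffer size and the input strings are constructed for illustration, and the flawed call runs inside a larger backing array so the overrun can be measured without undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16   /* size the code believes its buffer has (assumed) */
#define ARENA    64   /* real backing store, so the overrun stays defined */

/* Flawed pattern from the advisory: the bound is the whole buffer size. */
static size_t join_flawed(char *dst, size_t bufsize, const char *a, const char *b)
{
    dst[0] = '\0';
    strncat(dst, a, bufsize);   /* may append bufsize bytes, then a NUL */
    strncat(dst, b, bufsize);   /* ignores what the first call already used */
    return strlen(dst);
}

/* Corrected pattern: the bound is the space still free, minus the NUL. */
static size_t join_fixed(char *dst, size_t bufsize, const char *a, const char *b)
{
    dst[0] = '\0';
    strncat(dst, a, bufsize - strlen(dst) - 1);
    strncat(dst, b, bufsize - strlen(dst) - 1);
    return strlen(dst);
}

/* Constructed sample inputs: 12 bytes each, 24 together. */
static const char *PART_A = "/constructed";
static const char *PART_B = "/sample/path";

size_t demo_flawed(void)
{
    char arena[ARENA];          /* only the first BUF_SIZE bytes are "the buffer" */
    return join_flawed(arena, BUF_SIZE, PART_A, PART_B);
}

size_t demo_fixed(void)
{
    char arena[ARENA];
    return join_fixed(arena, BUF_SIZE, PART_A, PART_B);
}

int main(void)
{
    printf("capacity (without NUL): %d\n", BUF_SIZE - 1);
    printf("flawed bound wrote:     %zu bytes\n", demo_flawed());
    printf("fixed bound wrote:      %zu bytes\n", demo_fixed());
    return 0;
}
```

When auditing for this pattern, look for strncat calls whose third argument is `sizeof` the destination or a constant equal to its size.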

Solution / Fix

Solution:
A good work-around is to remove the setuid bit from ufsrestore.

Vendor fixes are available:

Sun Solaris 2.6
Sun Solaris 7.0
Sun Solaris 8_x86
Sun Solaris 2.6_x86
Sun Solaris 8_sparc
Sun Solaris 2.5
Sun Solaris 7.0_x86
Sun Solaris 2.5_x86
Sun Solaris 2.5.1_x86
Sun Solaris 2.5.1
