Sun Solaris 'snoop(1M)' Utility Multiple Remote Vulnerabilities
BID:30556
Info
| Bugtraq ID: | 30556 |
| Class: | Design Error |
| CVE: | CVE-2008-0964, CVE-2008-0965 |
| Remote: | Yes |
| Local: | No |
| Published: | Aug 05 2008 12:00AM |
| Updated: | Sep 15 2008 02:40PM |
| Credit: | Gael Delalleau |
| Vulnerable: | Sun Solaris 9_x86, Sun Solaris 9, Sun Solaris 8_x86, Sun Solaris 8_sparc, Sun Solaris 10_x86, Sun Solaris 10, Sun OpenSolaris build snv_95, Sun OpenSolaris build snv_92, Sun OpenSolaris build snv_91, Sun OpenSolaris build snv_89, Sun OpenSolaris build snv_88, Sun OpenSolaris build snv_64, Sun OpenSolaris build snv_22, Sun OpenSolaris build snv_19, Sun OpenSolaris build snv_13, Sun OpenSolaris build snv_02, Sun OpenSolaris build snv_01, Nortel Networks Self-Service Speech Server 0, Nortel Networks Self-Service Peri Workstation 0, Nortel Networks Self-Service Peri CTX 0, Nortel Networks Self-Service Peri Application 0, Nortel Networks Self-Service MPS 500 0, Nortel Networks Self-Service MPS 1000 0, Nortel Networks Self-Service MPS 100 0, Nortel Networks Self-Service - CCSS7 0, Avaya Interactive Response 3.0, Avaya Interactive Response 2.0, Avaya CMS Server 13.0, Avaya CMS Server 14.1, Avaya CMS Server 14.0, Avaya CMS Server 13.1 |
| Not Vulnerable: | Sun OpenSolaris build snv_96 |
Discussion
The Solaris 'snoop(1M)' network utility is prone to multiple remote vulnerabilities:
- Multiple stack-based buffer-overflow vulnerabilities
- Multiple format-string vulnerabilities
Exploiting these issues will allow attackers to execute arbitrary code with the privileges of the 'nobody' user. Attackers may also exploit these issues to capture network traffic that is visible to the network interface. Since the 'snoop(1M)' utility handles segmentation faults, repeated exploit attempts are also possible.
These issues affect the following versions for SPARC and x86 platforms:
- Solaris 10
- Solaris 9
- Solaris 8
- OpenSolaris builds snv_01 to snv_95
Exploit / POC
To exploit this issue, attackers can use readily available network tools.
The following exploit code is available:
Solution / Fix
Solution:
The vendor has released fixes. Please see the references for more information.
References
References:
- Solaris snoop SMB Decoding Multiple Stack Buffer Overflow Vulnerabilities (iDefense Labs)
- Sun Homepage (Sun Microsystems)
- iDefense Security Advisory 08.04.08: Solaris snoop SMB Decoding Multiple Stack (iDefense Labs)
- ASA-2008-355 - Security Vulnerability in Solaris snoop(1M) when Displaying SMB T (Avaya)
- Nortel Response to Sun Alert 240101 - Vulnerability in Solaris snoop(1M) when Di (Nortel Networks)
- Solution 240101: Security Vulnerability in Solaris snoop(1M) when Displaying SMB (Sun)