Full Report
Oracle CDE (Common Data Environment) is a tool to collect all project information into a single platform. This is done via cloud syncing, I presume. The authors of the post had recently found vulnerabilities in the application and decided to hunt for more issues in dtprintinfo, since it has a track record of bad bugs. They spent a few days looking for bugs in it manually, to no avail. So, they wrote a sophisticated fuzzer. Whoops, sorry. They wrote `cat /dev/urandom > ~/.printers` as their fuzzer! By doing so, they immediately found a bunch of crashes.

So, what happened? Setting fake printers via the configuration file for dtprintinfo caused a bunch of problems. By manipulating the contents with fake printers, it was possible to read heap memory of the setuid root binary. Additionally, being able to pass in printers is NOT something that should be possible as a lower-privileged user, and it opens up a new attack surface.

The authors then decided to target the parsing of printer icons in the XPM format. They wrote a simple mutation-based fuzzer and found some bugs in the libXm library used by the application. The app was opened in Ghidra with the Rhabdomancer script to find known bad code sinks. They found a trivial buffer overflow via strcat that was triggering a crash.

The exploit code for Solaris is very well commented and nice to look at! A few interesting notes:

- The shellcode is put into an environment variable. This indicates a lack of NX on the binary.
- The location of the shellcode is dynamically calculated. This is done because of environment variable padding. It appears there is no other leak to break ASLR, though.
- The exploit contains a bunch of file manipulation. Since the input for exploitation is within a file, this makes sense.
- It has code for checking for bad characters, such as null bytes, HT and space. This is to make the exploit more consistent.

The article shows a GIF of a PoC as well.

Pretty neat to see everything come together, even if modern binary protections aren't enabled. Overall, a fun article on finding a bug, finding more bugs, and then exploiting the bugs!
Analysis Summary
# Vulnerability: Local Privilege Escalation via dtprintinfo Bug Chain
## CVE Details
- **CVE ID**: Not explicitly cited in the article text (Note: Historically linked to the "nothing new under the Sun" disclosure, typical of legacy Oracle Solaris CDE vulnerabilities).
- **CVSS Score**: N/A (Estimated High for Local Privilege Escalation).
- **CWE**: CWE-120 (Buffer Copy without Checking Size), CWE-125 (Out-of-bounds Read).
## Affected Systems
- **Products**: Oracle Solaris / Common Desktop Environment (CDE).
- **Versions**: Solaris 10 (including fully patched systems through CPU Jan 2021).
- **Configurations**: Systems running the `dtprintinfo` setuid-root binary.
## Vulnerability Description
Researchers identified a bug chain involving the `dtprintinfo` utility and the `libXm` (Motif) library:
1. **Printer Name Injection**: The parser for the `lpstat` command and the `$HOME/.printers` configuration file fails to properly sanitize input. A low-privileged user can inject arbitrary printer names.
2. **Information Disclosure**: Manipulating injected printer names allows for an out-of-bounds read, enabling the disclosure of heap memory from the setuid-root process.
3. **Buffer Overflow in libXm**: By directing the application to load a malicious printer icon in XPM format from `$HOME/.dt/icons`, researchers triggered a stack-based buffer overflow (via `strcat`) in the `libXm` library used for icon parsing.
## Exploitation
- **Status**: PoC available. A fully functional exploit (`raptor_dtprintlibXmas.c`) was developed to gain root access.
- **Complexity**: Low to Medium (Relies on legacy environment lack of modern protections like NX).
- **Attack Vector**: Local.
## Impact
- **Confidentiality**: High (Memory disclosure and full system access).
- **Integrity**: High (Ability to modify any system file as root).
- **Availability**: High (Ability to crash the system or delete files).
## Remediation
### Patches
- Users should refer to the Oracle Critical Patch Update (CPU) for the latest Solaris 10 security fixes. However, the researchers noted the exploit worked on a "fully-patched" Solaris 10 system at the time of discovery.
### Workarounds
- **Remove setuid bit**: Remove the setuid permissions from the `dtprintinfo` binary if printing management is not required for non-privileged users:
  `chmod -s /usr/dt/bin/dtprintinfo`
- **Restrict Access**: Limit execution permissions for `dtprintinfo` to administrative groups.
## Detection
- **Indicators of Compromise**:
  - Presence of suspicious or malformed `.XPM` files in `$HOME/.dt/icons`.
  - Unexpected content or symbol-heavy strings in `$HOME/.printers`.
  - Crashes of the `dtprintinfo` process logged in system error logs.
- **Detection methods**: Audit setuid binaries for unexpected execution by non-privileged users using tools like `auditd`.
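As an added triage example (not code from the article, the advisory or the exploit), a POSIX shell helper that checks one home directory for the indicators listed above: non-printable bytes in `$HOME/.printers`, and icons in `$HOME/.dt/icons` that lack the XPM header, contain binary data, or carry an overlong line. The `.xpm`/`.pm` extensions and the `MAX_XPM_LINE` threshold are assumptions, not values from the advisory.

```shell
# Added triage helper for the dtprintinfo indicators (not from the HN Security advisory).
# Assumptions: icons live in $HOME/.dt/icons as *.xpm or *.pm, and MAX_XPM_LINE is a
# constructed threshold (legitimate XPM lines are far shorter), not a value from the advisory.
MAX_XPM_LINE=512

# Count bytes outside printable ASCII, tab and newline (0 for a clean text file).
nonprint_bytes() {
    LC_ALL=C tr -d '[:print:]\t\n' < "$1" | wc -c | tr -d ' '
}

# $HOME/.printers should be plain text; random bytes (as written by the fuzzer) are a red flag.
check_printers_file() {
    f="$1"
    [ -f "$f" ] || return 0
    if [ "$(nonprint_bytes "$f")" -ne 0 ]; then
        echo "SUSPICIOUS: $f contains non-printable bytes" >&2
        return 1
    fi
    return 0
}

# An icon should carry the XPM header, be text, and have no overlong line
# (a strcat-style overflow needs an unusually long token somewhere in the file).
check_xpm_file() {
    f="$1"
    [ -f "$f" ] || return 0
    if ! head -n 1 "$f" | grep -q '^/\* XPM \*/' || [ "$(nonprint_bytes "$f")" -ne 0 ]; then
        echo "SUSPICIOUS: $f is not a text file with an XPM header" >&2
        return 1
    fi
    longest=$(awk '{ if (length($0) > m) m = length($0) } END { print m + 0 }' "$f")
    if [ "$longest" -gt "$MAX_XPM_LINE" ]; then
        echo "SUSPICIOUS: $f has a $longest-byte line" >&2
        return 1
    fi
    return 0
}

# Scan one home directory (default: $HOME); returns 1 if anything looked suspicious.
scan_home() {
    home="${1:-$HOME}"
    bad=0
    check_printers_file "$home/.printers" || bad=1
    for icon in "$home"/.dt/icons/*.xpm "$home"/.dt/icons/*.pm; do
        [ -e "$icon" ] || continue
        check_xpm_file "$icon" || bad=1
    done
    return $bad
}
```

Run it per user (for example from a cron job iterating over `/export/home/*`) and alert on a non-zero exit status; it complements, rather than replaces, audit records of `dtprintinfo` executions.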
## References
- HN Security Advisory: hxxps[://]github[.]com/hnsecurity/vulns/blob/main/HNS-2022-01-dtprintinfo.txt
- Proof of Concept: hxxps[://]github[.]com/0xdea/exploits/blob/master/solaris/raptor_dtprintlibXmas.c
- Original Article: hxxps[://]hnsecurity[.]it/blog/nothing-new-under-the-sun/