Solaris exrecover Heap Buffer Overflow Vulnerability

Published: 2001-01-10
Updated: 2001-01-10

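Affected systems:

Sun Solaris 2.4
Sun Solaris 2.5
Sun Solaris 2.6

Unaffected systems:

Sun Solaris 2.7
Sun Solaris 2.8

Description:

The /usr/lib/exrecover program shipped with Solaris has a buffer overflow.
It does not check the length of its second argument when accepting it. If a
user supplies a very long string, a buffer overflow results; the overflow
may occur in the heap.

In Solaris 2.4/2.5/2.6, exrecover is installed setuid root, so an attacker
able to exploit this vulnerability could gain root privileges (not confirmed
so far).

On Solaris 2.7 and later, the program does not have the setuid bit set.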

<*Source: Pablo Sor (psor@afip.gov.ar) *>



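Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!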


$ /usr/lib/exrecover hola `perl -e 'printf "A"x50000'`
Segmentation Fault (core dumped)

$ gdb /usr/lib/exrecover --core=core

GNU gdb 4.17
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for
details.
This GDB was configured as "sparc-sun-solaris2.6"...
(no debugging symbols found)...
Core was generated by `/usr/lib/exrecover hola
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation Fault.
Reading symbols from /usr/lib/libmapmalloc.so.1...
(no debugging symbols found)...done.
Reading symbols from /usr/lib/libc.so.1...(no debugging symbols
found)...done.
Reading symbols from /usr/lib/libdl.so.1...(no debugging symbols
found)...done.
Reading symbols from /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1...
(no debugging symbols found)...done.
#0  0xef6a44d8 in strcpy ()
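
The pattern that the description and the strcpy() frame above point to, an argument copied into a heap buffer with no length check, shown next to a length-checked form. This is an added C example, not exrecover source code; the function names and the 256-byte buffer size are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_BUF_LEN 256   /* assumed size; the real buffer size is not on the page */

/* Unsafe pattern, shown for contrast and never called here: the amount
 * copied is decided by the caller-supplied string, not by the buffer. */
char *copy_name_unchecked(const char *arg)
{
    char *buf = malloc(NAME_BUF_LEN);
    if (buf == NULL)
        return NULL;
    strcpy(buf, arg);   /* writes past the heap block if strlen(arg) >= NAME_BUF_LEN */
    return buf;
}

/* Hardened form: measure the input first and refuse anything that does
 * not fit, including its terminating NUL. */
char *copy_name_checked(const char *arg)
{
    size_t len;
    char *buf;

    if (arg == NULL) { errno = EINVAL; return NULL; }
    len = strlen(arg);
    if (len >= NAME_BUF_LEN) { errno = ENAMETOOLONG; return NULL; }
    buf = malloc(NAME_BUF_LEN);
    if (buf == NULL)
        return NULL;
    memcpy(buf, arg, len + 1);   /* len + 1 copies the NUL as well */
    return buf;
}

int main(int argc, char **argv)
{
    char *name;

    if (argc < 3) { fprintf(stderr, "usage: %s dir name\n", argv[0]); return 2; }
    name = copy_name_checked(argv[2]);   /* second argument, as in the advisory */
    if (name == NULL) { perror("name"); return 1; }
    printf("accepted: %s\n", name);
    free(name);
    return 0;
}
```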



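Recommendation:

Workaround:

NSFOCUS recommends removing the suid attribute from exrecover; this does not affect the normal operation of the program.

chmod u-s /usr/lib/exrecover

Vendor patch:

None at this time.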


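This vulnerability advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.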