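Sun Solstice AdminSuite sadmind Remote Stack Overflow Vulnerability
Release date: 2008-10-14
Updated: 2009-05-22
Affected systems:
Sun Solstice AdminSuite 2.2_x86
Sun Solstice AdminSuite 2.2
Sun Solstice AdminSuite 2.1_x86
Sun Solstice AdminSuite 2.1
Description:
BUGTRAQ ID: 31751
CVE(CAN) ID: CVE-2008-4556
Solstice AdminSuite is a set of graphical user interface tools and commands for performing administrative tasks.
Solstice AdminSuite uses sadmind to perform distributed system administration operations. When a request to invoke an operation is received, the inetd daemon automatically starts sadmind.
The adm_build_path() function in sadmind uses strcat() to append user-supplied data to a stack buffer without validating it. A remote attacker who submits a malicious RPC request can trigger a stack overflow, leading to arbitrary code execution.
The following is debugging output on Sun Solaris 9 x86: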
Breakpoint 1, 0xd330e5b0 in adm_build_path ()
from /usr/snadm/lib/libadmapm.so.2
(gdb) until *adm_build_path+38
0xd330e5c6 in adm_build_path () from /usr/snadm/lib/libadmapm.so.2
(gdb) x/i $pc
0xd330e5c6 <adm_build_path+38>: call 0xd3304fa8 <strcat@plt>
(gdb) x/x $esp+4
0x80411e4: 0x080b7cd0
(gdb) x/x $esp
0x80411e0: 0x08041208
(gdb) x/s 0x080b7cd0
0x80b7cd0: 'A' <repeats 200 times>...
(gdb) x/s 0x08041208
0x8041208: "system.2.1/"
(gdb) where
#0 0xd330e5c6 in adm_build_path () from /usr/snadm/lib/libadmapm.so.2
#1 0xd330eaa7 in adm_find_method () from /usr/snadm/lib/libadmapm.so.2
#2 0xd335326b in verify_vers_1 () from /usr/snadm/lib/libadmagt.so.2
#3 0xd3352e88 in verify_validate () from /usr/snadm/lib/libadmagt.so.2
#4 0xd3352cf8 in amsl_verify () from /usr/snadm/lib/libadmagt.so.2
#5 0xd32c8a85 in __0fQNetmgtDispatcherPdispatchRequestP6Hsvc_reqP6J__svcxprt
() from /usr/snadm/lib/libadmcom.so.2
#6 0xd32c8656 in __0fQNetmgtDispatcherOreceiveRequestP6Hsvc_reqP6J__svcxprt ()
from /usr/snadm/lib/libadmcom.so.2
#7 0xd32c837c in _netmgt_receiveRequest () from /usr/snadm/lib/libadmcom.so.2
#8 0xd311d4a3 in _svc_prog_dispatch () from /usr/lib/libnsl.so.1
#9 0xd311d24e in svc_getreq_common () from /usr/lib/libnsl.so.1
#10 0xd311d130 in svc_getreq_poll () from /usr/lib/libnsl.so.1
#11 0xd3121550 in _svc_run () from /usr/lib/libnsl.so.1
#12 0xd3121293 in svc_run () from /usr/lib/libnsl.so.1
#13 0xd32cd165 in __0fQNetmgtDispatcherNstartupServerv ()
from /usr/snadm/lib/libadmcom.so.2
#14 0xd32cd13b in netmgt_start_agent () from /usr/snadm/lib/libadmcom.so.2
#15 0x0805168f in main ()
(gdb) stepi
0xd3304fa8 in strcat@plt () from /usr/snadm/lib/libadmapm.so.2
(gdb) step
Single stepping until exit from function strcat@plt,
which has no line number information.
0xd330e5cb in adm_build_path () from /usr/snadm/lib/libadmapm.so.2
(gdb) x/i $pc
0xd330e5cb <adm_build_path+43>: add $0x8,%esp
(gdb) where
#0 0xd330e5cb in adm_build_path () from /usr/snadm/lib/libadmapm.so.2
#1 0xd330eaa7 in adm_find_method () from /usr/snadm/lib/libadmapm.so.2
#2 0xaabbccdd in ?? ()
#3 0x08063000 in ?? ()
#4 0x08063128 in ?? ()
#5 0x080b7cd0 in ?? ()
#6 0x08041730 in ?? ()
#7 0x00000400 in ?? ()
#8 0x00000001 in ?? ()
#9 0xd336ac8c in ?? () from /usr/snadm/lib/libadmagt.so.2
#10 0x00000000 in ?? ()
(gdb) c
Continuing.
Breakpoint 1, 0xd330e5b0 in adm_build_path ()
from /usr/snadm/lib/libadmapm.so.2
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0xaabbccdd in ?? ()
(gdb)
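The strcat() call in the trace above appends a caller-supplied string to a stack buffer that already holds "system.2.1/". The following is an added example, not code from Sun or from this advisory, of a bounded append that rejects input that does not fit; the function name path_append_checked and the buffer size are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF_SIZE 64   /* assumed size; the advisory does not give the real one */

/* Hypothetical bounded stand-in for strcat(dst, src).
 * Returns 0 on success; -1 if dst is not NUL-terminated within dst_size
 * or if src would not fit. On failure dst is left unchanged. */
int path_append_checked(char *dst, size_t dst_size, const char *src)
{
    const char *end;
    size_t used, need;

    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;

    /* Find the current end of dst without reading past the buffer. */
    end = memchr(dst, '\0', dst_size);
    if (end == NULL)
        return -1;
    used = (size_t)(end - dst);

    /* src plus its terminating NUL must fit in the remaining space. */
    need = strlen(src) + 1;
    if (need > dst_size - used)
        return -1;

    memcpy(dst + used, src, need);
    return 0;
}

int main(void)
{
    char path[PATH_BUF_SIZE] = "system.2.1/";   /* prefix seen in the trace */
    char name[257];                             /* constructed oversized input */

    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';

    printf("oversized: %d\n", path_append_checked(path, sizeof path, name));
    printf("normal:    %d -> %s\n",
           path_append_checked(path, sizeof path, "method"), path);
    return 0;
}
```

The check assumes src is already NUL-terminated; a network-facing caller should also bound the length of the decoded request field before it reaches this point.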
<*Source: Adriano Lima (adriano@risesecurity.org)
Links: http://secunia.com/advisories/32283/
http://marc.info/?l=bugtraq&m=122399854121801&w=2
http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-66-245806-1
*>
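Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!
Recommendations:
Vendor patch:
Sun
---
Sun has released a security bulletin (Sun-Alert-245806) and corresponding patches for this issue:
Sun-Alert-245806: A Buffer Overflow Security Vulnerability in the Solaris sadmind(1M) Daemon May Lead to Execution of Arbitrary Code
Link: http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-66-245806-1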
