zkfingerd-2.0.2 Format String Vulnerabilities

Created: 2003-07-08    Updated: 2003-07-08    Article type: original
Submitted by: jsk_ (jsk_at_ph4nt0m.net)

Chinese version (translated):

========================================
Ph4nt0m Security Advisory 2#2003--7-7
========================================

zkfingerd-2.0.2 Format String Vulnerabilities

Advisory Number     : SRT-2003--7-7-002
Product             : zkfingerd
Version             : latest, 2.0.2 (possibly all versions)
Vendor              : http://sourceforge.net/projects/zkfingerd
Class               : possibly local & remote
Criticality         : high
Operating System(s) : *nix

*****************************************************************************
High Level Description : Format String Vulnerabilities in syslog() and fprintf()
*****************************************************************************

Vulnerability details:

*****************************************************************************
A format string vulnerability in zkfingerd-r3-0.9 was found last December and
could be exploited remotely; as of July 4 this year the latest version, 2.0.2,
still contains a format string vulnerability.

Code found in src/die.c (_finger_error), line 107:

    .........................................
    #ifdef DEBUG
        if(options & DEBUG_ERROR)
            fprintf(stdout, "DBG %s:%s:%d: ", function, file, line);
        else
    #endif
        if(!(options & QUIET_ERROR))
            fprintf(stdout, "< ");

        if(strchr(msg, '%') != NULL && !ap) {
            if(!(options & QUIET_ERROR))
                fprintf(stdout, msg);      /* <-- msg is used as the format string and can be supplied by us */
    #ifndef NO_SYSLOG
            syslog(LOG_CRIT, msg);         /* <-- same problem, possibly reachable */
    #endif
        } else {
            if(!(options & QUIET_ERROR))
                vfprintf(stdout, msg, ap);
    .........................................

Here, because msg is under our control, the format string bug can be used to
overwrite a return address and thereby run our own shellcode. Exploit? :)

========================================
Ph4nt0m Security Advisory 2#2003--7-7
========================================

Title               : zkfingerd-2.0.2 Format String Vulnerabilities
Advisory Number     : SRT-2003--7-7-002
Product             : zkfingerd
Version             : latest, 2.0.2 (possibly all versions)
Vendor              : http://sourceforge.net/projects/zkfingerd
Class               : Local & remote
Criticality         : high
Operating System(s) : *nix

************************************************************************************************
High Level Description : Format String Vulnerabilities in syslog() and fprintf()
************************************************************************************************

Technical Details

************************************************************************************************
zkfingerd-r3-0.9 was remotely exploitable; the latest version, 2.0.2, also
contains a format string vulnerability.

Code found in src/die.c (_finger_error), line 107:

    .........................................
    #ifdef DEBUG
        if(options & DEBUG_ERROR)
            fprintf(stdout, "DBG %s:%s:%d: ", function, file, line);
        else
    #endif
        if(!(options & QUIET_ERROR))
            fprintf(stdout, "< ");

        if(strchr(msg, '%') != NULL && !ap) {
            if(!(options & QUIET_ERROR))
                fprintf(stdout, msg);      /* <-- msg is used as the format string and can be supplied by us */
    #ifndef NO_SYSLOG
            syslog(LOG_CRIT, msg);         /* <-- same problem, possibly reachable */
    #endif
        } else {
            if(!(options & QUIET_ERROR))
                vfprintf(stdout, msg, ap);
    .........................................

So it lets us control a pointer, allowing us to execute code. I am still
studying the code; I will provide details on how to attack and exploit it......
.................................................................................................

*************************************************************************************************
By "jsk" (akun), in ph4nt0m.net(c) Security.
E-mail: jsk@ph4nt0m.net
ph4nt0m Security Home: http://www.ph4nt0m.net
My World: http://jsk.njsafe.com
My GnuPG Public Key: http://202.119.104.82/webeq/app/jsk/jsk.asc
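The root cause in the excerpt above is that a caller-supplied `msg` is passed to `fprintf()` and `syslog()` in the format-string position, and the `strchr(msg, '%')` test routes exactly the dangerous messages (those containing `%`) to the unsafe branch. The following is an added example, not zkfingerd code, showing the hardened form of that error path: the format string is always a compile-time constant and the untrusted message travels through `"%s"` as an argument, so any `%` directives it contains are printed literally instead of being interpreted. It also includes a small audit helper that counts conversion specifiers in an untrusted string, which is useful for reviewing log-line construction or for flagging suspicious finger queries. The names `QUIET_ERROR` (and its bit value), `count_conversions`, `finger_error_safe` and `finger_error_fmt` are assumptions made for this example; output goes to a caller buffer rather than stdout/syslog so the result can be checked, and `NO_SYSLOG` is defined so the example stays offline.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define QUIET_ERROR 0x01   /* assumed option bit, mirrors the name used in the excerpt */
#define NO_SYSLOG          /* keep this example offline: never actually talk to syslogd */

/* Count printf-style conversion specifiers in an untrusted string.
 * "%%" is an escaped literal percent and is not counted.
 * A non-zero result for data that should be plain text (a user name,
 * a finger query) is a signal worth logging or rejecting. */
int count_conversions(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {     /* "%%": skip the pair, it is not a conversion */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Hardened counterpart of the excerpt's unsafe branch.
 * The format string is the constant "< %s"; msg is only ever an argument,
 * so "%x", "%s", "%n" inside it are copied verbatim, never interpreted.
 * Returns the number of characters snprintf() would have written, or 0
 * when QUIET_ERROR suppresses output. */
int finger_error_safe(unsigned options, char *out, size_t outlen, const char *msg)
{
    int written = 0;
    if (!(options & QUIET_ERROR))
        written = snprintf(out, outlen, "< %s", msg);
#ifndef NO_SYSLOG
    syslog(LOG_CRIT, "%s", msg);   /* constant format; msg is data */
#endif
    return written;
}

/* Variadic wrapper for the va_list branch of the excerpt.
 * Only format strings written by the programmer (string literals) should
 * reach fmt; untrusted text is passed as a "%s" argument by the caller. */
int finger_error_fmt(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int written = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return written;
}

int main(void)
{
    char out[128];
    /* constructed sample of a hostile query string, not captured traffic */
    const char *untrusted = "guest %x %s";

    printf("conversion specifiers in input: %d\n", count_conversions(untrusted));
    finger_error_safe(0, out, sizeof out, untrusted);
    puts(out);   /* the specifiers appear literally: "< guest %x %s" */

    finger_error_fmt(out, sizeof out, "< user %s not found", untrusted);
    puts(out);
    return 0;
}
```

The fix is mechanical: wherever the original passes `msg` as the format, pass `"%s", msg` instead, and drop the `strchr(msg, '%')` special case entirely, since it exists only to avoid interpreting a va_list that was never supplied. Building with `-Wformat -Wformat-security` makes the compiler report any remaining call where a non-literal reaches the format position.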