libgtop_daemon remote format string vulnerability

Published: 2001-11-28
Updated: 2001-11-28
Severity: High
Threat: ordinary user access privileges
Error type: input validation error
Exploitation: server mode

Affected systems

libgtop_daemon <= 1.0.12

Detailed description

libgtop_daemon is the GNOME daemon used to monitor processes on remote systems. The syslog_message() and syslog_io_message() functions contain a vulnerability: the format string they hand to syslog() can be supplied directly by the client. By sending a specially constructed format string, a remote user can execute arbitrary commands with the privileges of the daemon.

Test code

Client side :

~ % telnet 127.0.0.1 42800
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
%p%p
Connection closed by foreign host.
~ % telnet 127.0.0.1 42800
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
%n%n
Connection closed by foreign host.

Server side :

~/# libgtop_daemon -f
' from clientn[3877]: Invalid authentication protocol '0xbffff46c0x804b2ae
libgtop-daemon[3877]: Refused connection from 127.0.0.1.
Segmentation fault

Solution

Temporary workaround:

Edit 'src/daemon/gnuserv.c'. In syslog_message(), change:

syslog (priority, buffer);

to:

syslog (priority, "%s", buffer);

In syslog_io_message(), change:

syslog (priority, buffer2);

to:

syslog (priority, "%s", buffer2);

diff -dru libgtop-1.0.12/src/daemon/gnuserv.c libgtop-1.0.12-patched/src/daemon/gnuserv.c
--- libgtop-1.0.12/src/daemon/gnuserv.c Mon Nov 26 13:48:14 2001
+++ libgtop-1.0.12-patched/src/daemon/gnuserv.c Mon Nov 26 13:49:26 2001
@@ -93,7 +93,7 @@
 vsnprintf (buffer, BUFSIZ-1, format, ap);
 va_end (ap);
- syslog (priority, buffer);
+ syslog (priority, "%s", buffer);
 }
 void
@@ -108,7 +108,7 @@
 va_end (ap);
 snprintf (buffer2, BUFSIZ-1, "%s: %s", buffer, strerror (errno));
- syslog (priority, buffer2);
+ syslog (priority, "%s", buffer2);
 }
 /*

Recommended upgrade:

ftp://ftp.gnome.org/pub/GNOME/stable/sources/libgtop/libgtop-1.0.13.tar.gz

Related information

Credit: Benoît Roussel (benoit.roussel@intexxia.com)

Reference: http://archives.neohapsis.com/archives/bugtraq/2001-11/0218.html
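Review bot: for the first hunk (syslog_message), replacing the variable format with the literal "%s" is the right fix, and vsnprintf already bounds the message to BUFSIZ-1, so nothing else is needed in this function; the same call shape (a buffer passed where a format is expected) may exist at other call sites in the daemon, so building with GCC's -Wformat-security, or marking these wrappers with __attribute__((format(printf, 2, 3))), would flag any remaining occurrence.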
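Review bot: for the second hunk (syslog_io_message), the "%s" fix is correct, but strerror (errno) in the unchanged snprintf line is evaluated after vsnprintf has run on the caller's arguments, and vsnprintf may set errno on failure, so the logged error text can describe the wrong condition; save errno into a local (int saved_errno = errno;) at function entry and pass strerror (saved_errno) instead.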
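Added example (not libgtop's code): the vulnerable and fixed calling conventions from the workaround above side by side, with a hypothetical fake_syslog() standing in for syslog() so the rendered message can be inspected, plus a helper that counts format directives in client-supplied text for auditing; the vulnerable variant is only exercised with a harmless "%%" input.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for syslog(): renders into a caller buffer so the
 * effect of each calling convention can be checked (not libgtop code). */
static void fake_syslog(char *out, size_t n, const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    vsnprintf(out, n, format, ap);
    va_end(ap);
}

/* Vulnerable pattern from the advisory: the already-formatted message,
 * which embeds client data, is handed to the logger as its format string. */
const char *log_vulnerable(const char *client_data)
{
    static char buffer[BUFSIZ], out[BUFSIZ];
    snprintf(buffer, sizeof buffer, "Invalid authentication protocol '%s'", client_data);
    fake_syslog(out, sizeof out, buffer);       /* bug: buffer parsed as a format */
    return out;
}

/* Fixed pattern from the patch: a literal "%s" format, message as argument. */
const char *log_fixed(const char *client_data)
{
    static char buffer[BUFSIZ], out[BUFSIZ];
    snprintf(buffer, sizeof buffer, "Invalid authentication protocol '%s'", client_data);
    fake_syslog(out, sizeof out, "%s", buffer); /* buffer is data, never a format */
    return out;
}

/* Audit helper: count '%' conversion directives in untrusted text.
 * "%%" is a literal percent sign and is not counted. */
int count_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        count++;
    }
    return count;
}
```

With the vulnerable sink, client text "100%% done" is logged as "100% done" because the buffer was parsed as a format; with the fixed sink it is logged verbatim, and a client string such as "%p%p" stays literal instead of being expanded into pointer values as in the server-side output shown above.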