MAGIC Enterprise: multiple security vulnerabilities

Published: 2001-12-20
Updated: 2001-12-20
Severity: High
Impact: local administrator privileges
Error type: input validation error
Exploitation: server mode

Affected systems

Magic Enterprise Edition before 8.30-5

Detailed description

Magic Enterprise is a multi-platform, scalable application environment that supports several web browsers, web servers, application servers and databases, and is used to build portable, scalable client/server applications. It contains the following vulnerabilities:

a) Remote memory corruption

The 'mgrqcgi' CGI program is the interface program that handles several tasks. mgrqcgi reads a number of variables from the QUERY_STRING environment variable; their names are:

+ APPNAME
+ PRGNAME
+ ARGUMENTS
+ PageID
+ mgaction
+ H_ShopID
+ H_SID
+ H_WID
+ H_INF

These variables are copied into local (stack) buffers without any bounds checking, so an over-long value causes a buffer overflow. The ltrace output below shows this:

[...]
17:00:03.769509 [08049794] getenv("REQUEST_METHOD") = "GET"
17:00:03.769680 [080497ae] strcmp("GET", "POST") = -9
17:00:03.769817 [080497ce] strcmp("GET", "GET") = 0
[QUERY_STRING read and splitted up]
17:00:03.769942 [08049915] getenv("QUERY_STRING") = "APPNAME=test&PRGNAME=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAA"
17:00:03.770687 [08049b81] strchr("APPNAME=test&PRGNAME=AAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" ,'=') = "=test&PRGNAME=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAA"
17:00:03.772443 [08049bb7] strchr("test&PRGNAME=AAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", '&') = "&PRGNAME=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAA"
17:00:03.773713 [08049df3] malloc(8) = 0x08077458
17:00:03.773811 [08049d30] realloc(NULL, 8) = 0x08077468
17:00:03.773929 [08049df3] malloc(6) = 0x08077478
[variable name separated from variable data]
17:00:03.774025 [08049b81] strchr("PRGNAME=AAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", '=') = "=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AA"
17:00:03.776353 [08049bb7] strchr("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAA", '&') = NULL
17:00:03.777015 [08049bf0] strlen(0xbffffa2a, 0x080498f8, 0x40014ce4, 0x08077458, 0x080613d8) = 200
17:00:03.777157 [08049df3] malloc(8) = 0x08077488
17:00:03.777253 [08049d30] realloc(0x08077468, 16) = 0x08077498
17:00:03.777974 [08049df3] malloc(202) = 0x080774b0
17:00:03.778077 [0804acdf] malloc(32) = 0x08077580
17:00:03.778191 [0804acf4] memset(0x08077580, '\000', 32) = 0x08077580
[variable name made upper case]
17:00:03.778302 [0804dcec] toupper('A') = 'A'
17:00:03.778413 [0804dcfd] toupper('C') = 'C'
17:00:03.778521 [0804dd1c] toupper('A') = 'A'
17:00:03.778785 [0804dd2d] toupper('C') = 'C'
17:00:03.778892 [0804dcec] toupper('A') = 'A'
17:00:03.778999 [0804dcfd] toupper('A') = 'A'
17:00:03.779107 [0804dcec] toupper('P') = 'P'
17:00:03.779213 [0804dcfd] toupper('P') = 'P'
17:00:03.779320 [0804dcec] toupper('P') = 'P'
17:00:03.779427 [0804dcfd] toupper('P') = 'P'
17:00:03.779534 [0804dcec] toupper('N') = 'N'
17:00:03.779641 [0804dcfd] toupper('N') = 'N'
17:00:03.779748 [0804dcec] toupper('A') = 'A'
17:00:03.779854 [0804dcfd] toupper('A') = 'A'
17:00:03.779962 [0804dcec] toupper('M') = 'M'
17:00:03.780068 [0804dcfd] toupper('M') = 'M'
17:00:03.780175 [0804dcec] toupper('E') = 'E'
17:00:03.780300 [0804dcfd] toupper('E') = 'E'
17:00:03.780408 [0804dd1c] toupper('\000') = '\000'
17:00:03.780517 [0804dd2d] toupper('\000') = '\000'
[APPNAME content copied into stack memory WITHOUT length checking]
17:00:03.780626 [0804ae56] strcpy(0xbfffee68, "test") = 0xbfffee68
[variable name to upper case]
17:00:03.835647 [0804dcec] toupper('P') = 'P'
17:00:03.835828 [0804dcfd] toupper('C') = 'C'
17:00:03.835936 [0804dd1c] toupper('P') = 'P'
17:00:03.836043 [0804dd2d] toupper('C') = 'C'
17:00:03.836150 [0804dcec] toupper('P') = 'P'
17:00:03.836257 [0804dcfd] toupper('P') = 'P'
17:00:03.836364 [0804dcec] toupper('R') = 'R'
17:00:03.836471 [0804dcfd] toupper('R') = 'R'
17:00:03.836577 [0804dcec] toupper('G') = 'G'
17:00:03.836684 [0804dcfd] toupper('G') = 'G'
17:00:03.837645 [0804dcec] toupper('N') = 'N'
17:00:03.837766 [0804dcfd] toupper('N') = 'N'
17:00:03.837873 [0804dcec] toupper('A') = 'A'
17:00:03.837980 [0804dcfd] toupper('A') = 'A'
17:00:03.838103 [0804dcec] toupper('M') = 'M'
17:00:03.838210 [0804dcfd] toupper('M') = 'M'
17:00:03.838317 [0804dcec] toupper('E') = 'E'
17:00:03.838423 [0804dcfd] toupper('E') = 'E'
17:00:03.838530 [0804dd1c] toupper('\000') = '\000'
17:00:03.838639 [0804dd2d] toupper('\000') = '\000'
[PRGNAME content copied into stack memory WITHOUT length checking]
[BUFFER OVERFLOW triggered here]
17:00:03.838748 [0804ae70] strcpy(0xbfffee48, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA") = 0xbfffee48
[segmentation fault occurring]
17:00:03.839409 [080497f5] getenv("HTTP_COOKIE") = NULL
17:00:03.839545 [08049ac0] getenv("REMOTE_ADDR") = NULL
17:00:03.839687 [0805aff4] memset(0x08076e68, '\000', 120) = 0x08076e68
17:00:03.839801 [08053971] strcpy(0x08077334, "otaku") = 0x08077334
17:00:03.839920 [0804cdb7] malloc(1508) = 0x080775a8
17:00:03.840018 [0804cad0] memcpy(0x080775b0, "\001\001", 1500) = 0x080775b0
17:00:03.840160 [08052f00] strlen(0xbfffedc8, 0x08049ab4, 0xbfffee00, 0xbfffedc8, 0x080775b0) = 0
17:00:03.840308 [08052f5b] strlen(0xbfffed48, 0x08049ab4, 0xbfffee00, 0xbfffed48, 0x080775b0) = 0
17:00:03.840440 [080519d5] memcpy(0x08076e60, "\001\001", 1500) = 0x08076e60
17:00:03.840577 [0804cef0] free(0x080775a8) = <void>
17:00:03.840672 [0804b52c] memset(0xbfffeef8, '\000', 16) = 0xbfffeef8
17:00:03.840782 [0804b54c] malloc(200) = 0x080775a8
17:00:03.841364 [0804afe6] --- SIGSEGV (Segmentation fault) ---
17:00:03.841890 [ffffffff] +++ killed by SIGSEGV +++

The GDB output below shows the overwritten stack (the 0x41414141 frames are the 'A' bytes of the PRGNAME value):

[...]
Starting program: /usr/local/httpd/cgi-bin/mgrqcgi
(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x0804b103 in strcpy ()
(gdb) info stack
#0 0x0804b103 in strcpy ()
#1 0x41414141 in ?? ()
#2 0x0804a440 in strcpy ()
#3 0x08049b18 in strcpy ()
#4 0x41414141 in ?? ()
[...]

b) Local memory corruption

The Linux RPM installs one setuid-root program:

+ /usr/magicadm/servers/mgdispatch

This program contains buffer overflows; for example, the MGDISPATCH_LOG environment variable is copied without a proper bounds check:

[...]
getenv("MGDISPATCH_LOG") = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"...
strcpy(0xbfffd87c, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"...) = 0xbfffd87c
getenv("MG_DOS_CLIENTS" <unfinished ...>
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++

c) Insecure temporary file handling

Several scripts in the Linux RPM create temporary files under /tmp with predictable names (based only on the PID, $$), which makes them vulnerable to symbolic link attacks:

+ /usr/magicadm/api/mkuserproc:40:tmpfile=/tmp/mg.$$
+ /usr/magicadm/sbin/mgrnt:42:$AWK -F= '/^[^#]/ {if (NF > 0) print "export " $1}' $MAGIC_HOME/etc/mgenv > /tmp/mg$$
+ /usr/magicadm/sbin/mgrnt:43:. /tmp/mg$$
+ /usr/magicadm/sbin/mgrnt:44:rm -f /tmp/mg$$
+ /usr/magicadm/sbin/mgrnt:63:$AWK -F= '/^[^#]/ {if (NF > 0) print "export " $1}' $EnvUserFile > /tmp/mgu$$
+ /usr/magicadm/sbin/mgrnt:64:. /tmp/mgu$$
+ /usr/magicadm/sbin/mgrnt:65:rm /tmp/mgu$$
+ /usr/magicadm/servers/mgdatasrvr.sc:51:$AWK -F= '/^[^#]/ {if (NF > 0) print "export " $1}' $MAGIC_HOME/etc/mgenv > /tmp/mg$$
+ /usr/magicadm/servers/mgdatasrvr.sc:52:. /tmp/mg$$
+ /usr/magicadm/servers/mgdatasrvr.sc:53:rm -f /tmp/mg$$
+ /usr/magicadm/servers/mgdatasrvr.sc:75:$AWK -F= '/^[^#]/ {if (NF > 0) print "export " $1}' $EnvUserFile > /tmp/mgu$$
+ /usr/magicadm/servers/mgdatasrvr.sc:76:. /tmp/mgu$$
+ /usr/magicadm/servers/mgdatasrvr.sc:77:rm /tmp/mgu$$

d) Incorrect file permissions

Some files and directories installed by the RPM are writable by the group "users", including the Magic administration directory /usr/magicadm and the licence directory, as well as these programs:

+ /usr/magicadm/bin/magicrnt
+ /usr/magicadm/bin/mdinformix
+ /usr/magicadm/bin/mdmssql
+ /usr/magicadm/bin/mdoracle
+ /usr/magicadm/bin/mgcircvr
+ /usr/magicadm/bin/mgcisam
+ /usr/magicadm/bin/mginformix
+ /usr/magicadm/bin/mgmemory
+ /usr/magicadm/bin/mgoracle
+ /usr/magicadm/bin/mgtcp
+ /usr/magicadm/broker/mgrqcmdl
+ /usr/magicadm/broker/mgrqmrb
+ /usr/magicadm/cgibin/mgrqcgi
+ /usr/magicadm/servers/mgdatasrvr

A member of that group could replace these programs and thereby gain elevated privileges.

Test code

See the description section.

Solution

None available yet.

Related information

Thomas Biege <tb@immutec.com>
Stephan Holtwisch <sh@immutec.com>

Reference: http://archives.neohapsis.com/archives/bugtraq/2001-12/0197.html
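The bounds-checked alternative to what the ltrace in (a) shows (strcpy of each QUERY_STRING value into a fixed stack buffer), as an added example written for this page rather than Magic's own mgrqcgi source; the buffer sizes NAME_MAX and VALUE_MAX are constructed, since the advisory does not give the real ones.

```c
#include <ctype.h>
#include <string.h>

/* Sizes are constructed for this example; the advisory gives no real ones. */
#define NAME_MAX  32
#define VALUE_MAX 64

typedef struct {
    char name[NAME_MAX];    /* upper-cased, as the ltrace shows mgrqcgi doing */
    char value[VALUE_MAX];
} field_t;

/* Copy one "NAME=value" field of length len into fixed buffers. Returns 0 on
 * success, -1 if the name or value would not fit: the field is rejected
 * instead of being strcpy()'d past the end of the stack buffer as in mgrqcgi. */
static int parse_field(const char *field, size_t len, field_t *out)
{
    const char *eq = memchr(field, '=', len);
    size_t nlen = eq ? (size_t)(eq - field) : len;
    size_t vlen = eq ? len - nlen - 1 : 0;
    if (nlen == 0 || nlen >= NAME_MAX || vlen >= VALUE_MAX)
        return -1;
    for (size_t i = 0; i < nlen; i++)
        out->name[i] = (char)toupper((unsigned char)field[i]);
    out->name[nlen] = '\0';
    memcpy(out->value, eq ? eq + 1 : "", vlen);   /* "NAME" alone -> empty value */
    out->value[vlen] = '\0';
    return 0;
}

/* Split QUERY_STRING on '&'. Returns the number of fields stored (at most
 * nout), or -1 as soon as a field is empty, over-long, or there are too many. */
int parse_query_string(const char *qs, field_t *out, size_t nout)
{
    size_t n = 0;
    while (*qs) {
        const char *amp = strchr(qs, '&');
        size_t len = amp ? (size_t)(amp - qs) : strlen(qs);
        if (n >= nout || parse_field(qs, len, &out[n]) != 0)
            return -1;
        n++;
        qs = amp ? amp + 1 : qs + len;
    }
    return (int)n;
}
```

With the advisory's 200-byte PRGNAME value, parse_query_string() returns -1 and nothing is copied; a 63-byte value (the last that fits VALUE_MAX) is accepted and NUL-terminated.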