NSFOCUS Security Monthly, Issue 40: Latest Vulnerabilities
Remote Buffer Overflow Vulnerability in Multiple Vendors' XDR Implementations

Date: 2003-04-02

Published: 2003-03-19
Updated: 2003-03-21

Affected systems:
GNU glibc
MIT kadmind server
Multiple Vendor RPC XDR library
    - Debian Linux 3.0
    - FreeBSD 5.0
    - FreeBSD 4.7
    - FreeBSD 4.6
    - HP HP-UX 11.22
    - HP HP-UX 11.20
    - HP HP-UX 11.11
    - IBM AIX 5.1
    - IBM AIX 4.3.3
    - RedHat Linux 8.0
    - RedHat Linux 7.3
    - RedHat Linux 7.2
    - RedHat Linux 7.1
    - RedHat Linux 7.0
    - RedHat Linux 6.2
    - Sun Solaris 9.0
    - Sun Solaris 8.0
    - Sun Solaris 7.0
    - Sun Solaris 2.6
Description:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 7123
CVE(CAN) ID: CAN-2003-0028

XDR (External Data Representation) libraries provide a platform-independent way to send data from a process on one system to a process on another.

The xdrmem_getbytes() function in the XDR library shipped by Sun Microsystems contains an integer overflow. A remote attacker can use it against applications that rely on the XDR library and may execute arbitrary instructions on the system with the privileges of the application process.

The problem is in the xdrmem_getbytes() function at line 168 of 'usr/src/lib/libnsl/rpc/xdr_mem.c':

static bool_t
xdrmem_getbytes(XDR *xdrs, caddr_t addr, int len)
{
        int tmp;

        trace2(TR_xdrmem_getbytes, 0, len);
        if ((tmp = (xdrs->x_handy - len)) < 0) {        /* <--- VULNERABILITY */
                syslog(LOG_WARNING,
                                .....
                                .....
                return (FALSE);
        }
        xdrs->x_handy = tmp;
        (void) memcpy(addr, xdrs->x_private, len);      /* <--- VULNERABILITY */
        xdrs->x_private += len;
        trace1(TR_xdrmem_getbytes, 1);
        return (TRUE);
}

In the code above, "len" is a signed integer, so a negative "len" leads to a buffer overflow:

if ((tmp = (xdrs->x_handy - len)) < 0) {  --> this check is bypassed

The overflow then occurs at memcpy(addr, xdrs->x_private, len). An attacker can craft a special XDR encoding that triggers the integer overflow; depending on how the caller invokes xdrmem_getbytes(), the attacker may overwrite an already allocated heap buffer, causing a heap buffer overflow. The attacker may crash the remote service or use characteristics of the memcpy() implementation to alter memory contents and execute arbitrary code.
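To make the signed/unsigned point concrete from the defender's side, the following added example (not code from the advisory, from Sun, or from any vendor's patch) puts the original signed check beside a hardened reader modeled on the glibc fix described later on this page (x_handy and the length made unsigned, and the length compared directly against the bytes remaining). The struct xdr_mem, the function names ending in _safe, decode_sample and the two sample messages are all constructed for this illustration and are not the library's own identifiers. The vulnerable check is only evaluated, never used to drive a copy.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the XDR memory stream; only the two fields the
 * vulnerability touches. x_handy is unsigned, as in the glibc fix. */
struct xdr_mem {
    const unsigned char *x_private;  /* next unread byte */
    unsigned int         x_handy;    /* bytes remaining in the buffer */
};

/* The original bounds check from the page, with signed arithmetic.
 * Returns true when that check would have let the copy proceed. It does
 * not copy anything: a negative len passes the check but would hand
 * memcpy() a huge size_t, which is exactly the bug. */
bool old_check_allows(int x_handy, int len)
{
    int tmp = x_handy - len;
    return tmp >= 0;
}

/* Hardened reader: len is unsigned and compared directly with the bytes
 * remaining, so 0xFFFFFFFF is rejected instead of wrapping to -1 and
 * slipping past the check. The stream is left untouched on failure. */
bool xdrmem_getbytes_safe(struct xdr_mem *xdrs, unsigned char *addr, unsigned int len)
{
    if (len > xdrs->x_handy)
        return false;
    memcpy(addr, xdrs->x_private, len);
    xdrs->x_private += len;
    xdrs->x_handy   -= len;
    return true;
}

/* Read one XDR unsigned int (4 bytes, big-endian) through the safe reader. */
bool xdrmem_getuint32_safe(struct xdr_mem *xdrs, unsigned int *out)
{
    unsigned char b[4];
    if (!xdrmem_getbytes_safe(xdrs, b, 4))
        return false;
    *out = ((unsigned int)b[0] << 24) | ((unsigned int)b[1] << 16) |
           ((unsigned int)b[2] << 8)  |  (unsigned int)b[3];
    return true;
}

/* Decode an XDR opaque (length-prefixed byte string) into dst. Returns the
 * payload length, or -1 if the declared length does not fit in the stream
 * or in dst. Trailing padding to a 4-byte boundary is consumed as XDR
 * requires, and it is bounds-checked like everything else. */
int xdr_decode_opaque_safe(struct xdr_mem *xdrs, unsigned char *dst, unsigned int dstcap)
{
    unsigned int len;
    unsigned char scratch[3];
    if (!xdrmem_getuint32_safe(xdrs, &len))
        return -1;
    if (len > dstcap)
        return -1;
    if (!xdrmem_getbytes_safe(xdrs, dst, len))
        return -1;
    unsigned int pad = (4 - (len % 4)) % 4;
    if (pad && !xdrmem_getbytes_safe(xdrs, scratch, pad))
        return -1;
    return (int)len;
}

/* Constructed sample inputs (not captured traffic): a well-formed opaque
 * "abc" plus one pad byte, and one whose length field is 0xFFFFFFFF like
 * the argument-length field in the PoC on this page. */
const unsigned char GOOD_OPAQUE[] = {0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c', 0x00};
const unsigned char BAD_OPAQUE[]  = {0xFF, 0xFF, 0xFF, 0xFF, 'E', 'E', 'Y', 'E'};

/* Decode one message into a fixed 16-byte scratch buffer. */
int decode_sample(const unsigned char *msg, unsigned int msglen)
{
    unsigned char out[16];
    struct xdr_mem xdrs = { msg, msglen };
    return xdr_decode_opaque_safe(&xdrs, out, sizeof out);
}

int main(void)
{
    printf("old check, len=4:   %s\n", old_check_allows(64, 4)  ? "allowed" : "rejected");
    printf("old check, len=-1:  %s\n", old_check_allows(64, -1) ? "allowed" : "rejected");
    printf("safe decode (good): %d\n", decode_sample(GOOD_OPAQUE, sizeof GOOD_OPAQUE));
    printf("safe decode (bad):  %d\n", decode_sample(BAD_OPAQUE, sizeof BAD_OPAQUE));
    return 0;
}
```

The first two lines of output show the defect: the signed check accepts len = -1 as readily as len = 4. The hardened decoder refuses the 0xFFFFFFFF length twice over, once against the destination capacity and once against the bytes actually left in the stream, which is the property to look for when auditing any length-prefixed decoder.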

<*Source: Marc Maiffret (marc@eeye.com)
  
  Links: http://marc.theaimsgroup.com/?l=bugtraq&m=104810574423662&w=2
        http://marc.theaimsgroup.com/?l=bugtraq&m=104811387401008&w=2
        http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-003-xdr.txt
        http://www.cert.org/advisories/CA-2003-10.html
        https://www.redhat.com/support/errata/RHSA-2003-089.html
        ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:05.xdr.asc
*>

Test method:
--------------------------------------------------------------------------------

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!

eEye provided the following data, which triggers the integer overflow:

char evil_rpc[] =
"\x23\x0D\xF6\xD2\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86"
"\xA0\x00\x00\x00\x02\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00"
"\x00\x20\x3D\xD2\xC9\x9F\x00\x00\x00\x09\x6C\x6F\x63\x61\x6C"
"\x68\x6F\x73\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x86"
"\xa0\x00\x00\x00\x02\x00\x00\x00\x04"
"\xFF\xFF\xFF\xFF" // RPC argument length
"EEYECLIPSE2003";

Recommendations:
--------------------------------------------------------------------------------
Vendor patches:

FreeBSD
-------
FreeBSD has released a security advisory (FreeBSD-SA-03:05) and the corresponding patch for this issue:
FreeBSD-SA-03:05: remote denial-of-service in XDR encoder/decoder
Link: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:05.xdr.asc

Patch download:

Do one of the following:

1) Upgrade your vulnerable system to the FreeBSD 4-STABLE branch; or
to the RELENG_4_7 (4.7-RELEASE-p8), RELENG_4_6 (4.6-RELEASE-p11), or
RELENG_5_0 (5.0-RELEASE-p5) security branch dated after the correction
date.

2) To patch your present system:

The following patch has been verified to apply to FreeBSD 4.6, and 4.7
systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:05/xdr-4.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:05/xdr-4.patch.asc

The following patch has been verified to apply to FreeBSD 5.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:05/xdr-5.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:05/xdr-5.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system as described in
<URL:http://www.freebsd.org/doc/handbook/makeworld.html>.

Note that any statically linked applications that are not part of
the base system (i.e. from the Ports Collection or other 3rd-party
sources) must be recompiled.

All affected applications must be restarted for them to use the
corrected library.  Though not required, rebooting may be the easiest
way to accomplish this.

GNU
---
GNU glibc

GNU C Library version 2.3.1 has this vulnerability, and earlier versions are also affected. The patch below has already been committed to the CVS source tree and should be included in the next release of the GNU C Library. The patch is available at:

http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/rpc/xdr.h.diff?r1=1.26&r2=1.27&cvsroot=glibc
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_mem.c.diff?r1=1.13&r2=1.15&cvsroot=glibc
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_rec.c.diff?r1=1.26&r2=1.27&cvsroot=glibc
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_sizeof.c.diff?r1=1.5&r2=1.6&cvsroot=glibc
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_stdio.c.diff?r1=1.15&r2=1.16&cvsroot=glibc


2002-12-16  Roland McGrath  

    * sunrpc/xdr_mem.c (xdrmem_inline): Fix argument type.
    * sunrpc/xdr_rec.c (xdrrec_inline): Likewise.
    * sunrpc/xdr_stdio.c (xdrstdio_inline): Likewise.

2002-12-13  Paul Eggert  

    * sunrpc/rpc/xdr.h (struct XDR.xdr_ops.x_inline): 2nd arg
    is now u_int, not int.
    (struct XDR.x_handy): Now u_int, not int.
    * sunrpc/xdr_mem.c: Include .
    (xdrmem_getlong, xdrmem_putlong, xdrmem_getbytes, xdrmem_putbytes,
    xdrmem_inline, xdrmem_getint32, xdrmem_putint32):
    x_handy is now unsigned, not signed.
    Do not decrement x_handy if no change is made.
    (xdrmem_setpos): Check for int overflow.
    * sunrpc/xdr_sizeof.c (x_inline): 2nd arg is now unsigned.
    (xdr_sizeof): Remove cast that is now unnecessary, now that
    x_handy is unsigned.

IBM
---
AIX 4.3.3, 5.1.0 and 5.2.0 are affected. IBM has provided the following official fixes:

APAR number for AIX 4.3.3: IY38524
APAR number for AIX 5.1.0: IY38434
APAR number for AIX 5.2.0: IY39231

Contact the vendor to obtain the relevant patches.

MIT
---
MIT Kerberos Development Team

Exploiting this vulnerability can crash the kadmind server process or disclose sensitive information such as keys. Patch download:

http://web.mit.edu/kerberos/www/advisories/2003-003-xdr_patch.txt

RedHat
------
Red Hat has released a security advisory (RHSA-2003:089-00) and the corresponding patches for this issue:
RHSA-2003:089-00: Updated glibc packages fix vulnerabilities in RPC XDR decoder
Link: https://www.redhat.com/support/errata/RHSA-2003-089.html

Patch download:

Red Hat Linux 6.2:

SRPMS:
ftp://updates.redhat.com/6.2/en/os/SRPMS/glibc-2.1.3-29.src.rpm

i386:
ftp://updates.redhat.com/6.2/en/os/i386/glibc-2.1.3-29.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/glibc-devel-2.1.3-29.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/glibc-profile-2.1.3-29.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/nscd-2.1.3-29.i386.rpm

Red Hat Linux 7.0:

SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/glibc-2.2.4-18.7.0.9.src.rpm

i386:
ftp://updates.redhat.com/7.0/en/os/i386/glibc-2.2.4-18.7.0.9.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/glibc-common-2.2.4-18.7.0.9.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/glibc-devel-2.2.4-18.7.0.9.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/glibc-profile-2.2.4-18.7.0.9.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/nscd-2.2.4-18.7.0.9.i386.rpm

i686:
ftp://updates.redhat.com/7.0/en/os/i686/glibc-2.2.4-18.7.0.9.i686.rpm

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/glibc-2.2.4-32.src.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/glibc-2.2.4-32.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/glibc-common-2.2.4-32.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/glibc-devel-2.2.4-32.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/glibc-profile-2.2.4-32.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/nscd-2.2.4-32.i386.rpm

i686:
ftp://updates.redhat.com/7.1/en/os/i686/glibc-2.2.4-32.i686.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/glibc-2.2.4-32.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/glibc-2.2.4-32.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/glibc-common-2.2.4-32.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/glibc-devel-2.2.4-32.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/glibc-profile-2.2.4-32.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/nscd-2.2.4-32.i386.rpm

i686:
ftp://updates.redhat.com/7.2/en/os/i686/glibc-2.2.4-32.i686.rpm

ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/glibc-2.2.4-32.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/glibc-common-2.2.4-32.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/glibc-devel-2.2.4-32.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/glibc-profile-2.2.4-32.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/nscd-2.2.4-32.ia64.rpm

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/glibc-2.2.5-43.src.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/glibc-2.2.5-43.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/glibc-common-2.2.5-43.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/glibc-debug-2.2.5-43.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/glibc-debug-static-2.2.5-43.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/glibc-devel-2.2.5-43.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/glibc-profile-2.2.5-43.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/glibc-utils-2.2.5-43.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/nscd-2.2.5-43.i386.rpm

i686:
ftp://updates.redhat.com/7.3/en/os/i686/glibc-2.2.5-43.i686.rpm
ftp://updates.redhat.com/7.3/en/os/i686/glibc-debug-2.2.5-43.i686.rpm

Red Hat Linux 8.0:

SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/glibc-2.3.2-4.80.src.rpm

i386:
ftp://updates.redhat.com/8.0/en/os/i386/glibc-2.3.2-4.80.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/glibc-common-2.3.2-4.80.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/glibc-devel-2.3.2-4.80.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/glibc-debug-2.3.2-4.80.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/glibc-profile-2.3.2-4.80.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/glibc-debug-static-2.3.2-4.80.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/nscd-2.3.2-4.80.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/glibc-utils-2.3.2-4.80.i386.rpm

i686:
ftp://updates.redhat.com/8.0/en/os/i686/glibc-2.3.2-4.80.i686.rpm
ftp://updates.redhat.com/8.0/en/os/i686/glibc-debug-2.3.2-4.80.i686.rpm

The patches can be installed with the following command:

rpm -Fvh [filename]

Sun
---
Solaris 2.6, 7, 8 and 9 are affected. Sun will publish a Sun Alert and patch information at the following address:

http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/51884