NSFOCUS Security Monthly, Issue 43: Latest Vulnerabilities
Date: 2003-08-06
Published: 2003-07-31
Updated: 2003-08-04
Affected systems:
Washington University wu-ftpd 2.6.2
Washington University wu-ftpd 2.6.1
Washington University wu-ftpd 2.6.0
Washington University wu-ftpd 2.5.0
Description:
--------------------------------------------------------------------------------
Wu-ftpd is a popular, open-source, full-featured FTP server.
The wu-ftpd FTP server contains a remotely triggerable single-byte (off-by-one) overflow; a local or remote attacker could exploit it to execute arbitrary code on the system with root privileges.
The problem lies in the fb_realpath() function: the overflow is triggered when the length of the constructed path equals MAXPATHLEN+1. The flaw is caused by the incorrect use of the rootd variable in the length calculation for the concatenated string:
------8<------cut-here------8<------
    /*
     * Join the two strings together, ensuring that the right thing
     * happens if the last component is empty, or the dirname is root.
     */
    if (resolved[0] == '/' && resolved[1] == '\0')
        rootd = 1;
    else
        rootd = 0;

    if (*wbuf) {
        /* rootd is used inverted here: the "/" appended below when
         * rootd == 0 is not counted, so a path of exactly MAXPATHLEN
         * characters passes and its terminating NUL lands one byte
         * past the end of resolved[]. */
        if (strlen(resolved) + strlen(wbuf) + rootd + 1 > MAXPATHLEN) {
            errno = ENAMETOOLONG;
            goto err1;
        }
        if (rootd == 0)
            (void) strcat(resolved, "/");
        (void) strcat(resolved, wbuf);
    }
------8<------cut-here------8<------
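The following program is an added example, not code from wu-ftpd or from the advisory. It reproduces the length check from the snippet above with a 16-byte stand-in for MAXPATHLEN (DEMO_MAXPATHLEN, an assumption made for the demonstration), shows the boundary case the original check wrongly lets through and the root-directory case it needlessly rejects, and contrasts it with a bounds-checked join built on snprintf(). No buffer is actually overflowed: the checks are evaluated arithmetically and the join refuses paths that do not fit.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Assumption: a demo-sized buffer so the off-by-one is visible with short
 * strings.  The arithmetic is the same as with the real MAXPATHLEN. */
#define DEMO_MAXPATHLEN 16

/* rootd, computed exactly as the advisory snippet does. */
static int is_root(const char *resolved)
{
    return resolved[0] == '/' && resolved[1] == '\0';
}

/* Bytes the joined "resolved[/]wbuf" really occupies, including the NUL. */
static size_t bytes_needed(const char *resolved, const char *wbuf, int rootd)
{
    return strlen(resolved) + strlen(wbuf) + (rootd ? 0 : 1) + 1;
}

/* The original check from the snippet: 1 = reject (ENAMETOOLONG), 0 = allow. */
static int original_check_rejects(const char *resolved, const char *wbuf, int rootd)
{
    return strlen(resolved) + strlen(wbuf) + rootd + 1 > DEMO_MAXPATHLEN;
}

/* Corrected check: the separator is counted only when one will be appended. */
static int fixed_check_rejects(const char *resolved, const char *wbuf, int rootd)
{
    return bytes_needed(resolved, wbuf, rootd) > DEMO_MAXPATHLEN;
}

/* 1 when the original check allows a path that does not fit in the buffer
 * (the off-by-one), 0 otherwise.  Pure arithmetic: nothing is written. */
static int original_check_is_unsafe(const char *resolved, const char *wbuf)
{
    int rootd = is_root(resolved);
    return !original_check_rejects(resolved, wbuf, rootd)
        && bytes_needed(resolved, wbuf, rootd) > DEMO_MAXPATHLEN;
}

/* Hardened join: snprintf() is bounded by the buffer size and the write is
 * rolled back if the result would not fit.  Returns 0 on success, -1 with
 * errno = ENAMETOOLONG otherwise. */
static int join_path(char *resolved, size_t size, const char *wbuf)
{
    size_t len = strlen(resolved);
    int n;

    if (*wbuf == '\0')
        return 0;
    n = snprintf(resolved + len, size - len, "%s%s",
                 is_root(resolved) ? "" : "/", wbuf);
    if (n < 0 || (size_t)n >= size - len) {
        resolved[len] = '\0';        /* undo the partial write */
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* Joins dir and name into a DEMO_MAXPATHLEN buffer; returns the resulting
 * length, or -1 if the path was refused. */
static int join_demo(const char *dir, const char *name)
{
    char buf[DEMO_MAXPATHLEN];

    if (strlen(dir) >= sizeof buf)
        return -1;
    strcpy(buf, dir);
    if (join_path(buf, sizeof buf, name) != 0)
        return -1;
    return (int)strlen(buf);
}

int main(void)
{
    /* Constructed inputs.  "/aaaa/bbbb" (10) + "/" + "ccccc" (5) is 16
     * characters, which needs 17 bytes: one more than DEMO_MAXPATHLEN. */
    const char *cases[][2] = {
        { "/aaaa/bbbb", "ccccc" },     /* boundary: original check allows it */
        { "/aaaa/bbbb", "cccc" },      /* one shorter: fits */
        { "/", "dddddddddddddd" },     /* root dir: original check over-rejects */
    };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const char *d = cases[i][0], *f = cases[i][1];
        int rootd = is_root(d);
        printf("%-11s + %-15s original=%s fixed=%s unsafe=%d join=%d\n", d, f,
               original_check_rejects(d, f, rootd) ? "reject" : "allow ",
               fixed_check_rejects(d, f, rootd) ? "reject" : "allow ",
               original_check_is_unsafe(d, f), join_demo(d, f));
    }
    return 0;
}
```

Compiled and run, the program prints one line per constructed case. The hardened join does not keep a separate length computation that must agree with the later strcat() calls; it lets snprintf() enforce the bound on the same write, which removes exactly the kind of mismatch between "length counted" and "bytes written" that produced this off-by-one.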
Because the path is built from the current working directory plus the file name given as the argument of the FTP command, the attacker needs to create a deep directory structure.
The following FTP commands can be used to cause the buffer overflow:
STOR
RETR
APPE
DELE
MKD
RMD
STOU
RNTO
If the buffer is larger than MAXPATHLEN characters the flaw cannot be exploited, so wu-ftpd compiled on some Linux kernels (e.g. where PATH_MAX exceeds 4095 bytes) is not affected.
Linux 2.2.x and some early 2.4.x kernels define PATH_MAX as 4095 characters, so only wu-ftpd built on 2.0.x or later 2.4.x kernels is affected.
<*Source: Janusz Niewiadomski (funkysh@isec.pl)
Links: http://marc.theaimsgroup.com/?l=bugtraq&m=105967516807664&w=2
https://www.redhat.com/support/errata/RHSA-2003-245.html
http://www.linux-mandrake.com/en/security/2003/2003-080.php
http://www.debian.org/security/2002/dsa-357
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-011.txt.asc
*>
Recommendations:
--------------------------------------------------------------------------------
Vendor patches:
Debian
------
Debian has released a security advisory (DSA-357-1) and corresponding patches:
DSA-357-1: New wu-ftpd packages fix buffer overflow
Link: http://www.debian.org/security/2002/dsa-357
Patch download:
Source archives:
http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2.orig.tar.gz
Size/MD5 checksum: 354784 b3c271f02aadf663b8811d1bff9da3f6
http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody1.dsc
Size/MD5 checksum: 713 0e7285b9fd050b4e8a30aa21d62f44d8
http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody1.diff.gz
Size/MD5 checksum: 99967 88c990894af29cce4d14ee6822069542
Architecture independent packages:
http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd-academ_2.6.2-3woody1_all.deb
Size/MD5 checksum: 3476 79da608623ce421a11c568e97565f537
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody1_alpha.deb
Size/MD5 checksum: 291540 20b379bd4495f8d810cc75f4188e0f94
arm architecture (ARM)
http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody1_arm.deb
Size/MD5 checksum: 265158 f5d590b10861f6f355d40d501cf35e75
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody1_hppa.deb
Size/MD5 checksum: 275684 4cc9e3eb212401091d4f51ddf54dd771
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody1_i386.deb
Size/MD5 checksum: 255102 f79202c825c979fafd8de828401a8179
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/w/wu-ftpd/wu-ftpd_2.6.2-3woody1_ia64.deb
Size/MD5 checksum: 321168 30d2ce430f8ae75eabf76d9f2427f6cb
m68k architecture (Motorola Mc680x0)
http://security.debian.org/pool/updates/main/w/wu-ftpd/wu
Patch installation:
1. Install the patch package manually:
First, download the patch with:
# wget url    (url is the patch download link)
Then install it with:
# dpkg -i file.deb    (file is the name of the patch package)
2. Install the patch package automatically with apt-get:
First, update the package database:
# apt-get update
Then install the updated packages:
# apt-get upgrade
MandrakeSoft
------------
MandrakeSoft has released a security advisory (MDKSA-2003:080) and corresponding patches:
MDKSA-2003:080: Updated wu-ftpd packages fix remote root vulnerability
Link: http://www.linux-mandrake.com/en/security/2003/2003-080.php
Patch download:
Updated Packages:
Mandrake Linux 8.2:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/RPMS/wu-ftpd-2.6.2-1.1mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/SRPMS/wu-ftpd-2.6.2-1.1mdk.src.rpm
Mandrake Linux 8.2/PPC:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/RPMS/wu-ftpd-2.6.2-1.1mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/SRPMS/wu-ftpd-2.6.2-1.1mdk.src.rpm
The updated packages are also available from any of the mirror FTP servers listed at:
http://www.mandrakesecure.net/en/ftp.php
NetBSD
------
NetBSD has released a security advisory (NetBSD-SA2003-011) and corresponding patches:
NetBSD-SA2003-011: off-by-one error in realpath(3)
Link: ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-011.txt.asc
Perform the following steps:
# cd src
# cvs update -d -P lib/libc
# cd lib/libc
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../../rescue
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
RedHat
------
Red Hat has released a security advisory (RHSA-2003:245-01) and corresponding patches:
RHSA-2003:245-01: Updated wu-ftpd packages fix remote vulnerability.
Link: https://www.redhat.com/support/errata/RHSA-2003-245.html
Patch download:
Red Hat Linux 7.1:
SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/wu-ftpd-2.6.2-11.71.1.src.rpm
i386:
ftp://updates.redhat.com/7.1/en/os/i386/wu-ftpd-2.6.2-11.71.1.i386.rpm
Red Hat Linux 7.1 for iSeries (64 bit):
SRPMS:
ftp://updates.redhat.com/7.1/en/os/iSeries/SRPMS/wu-ftpd-2.6.2-11.71.1.src.rpm
ppc:
ftp://updates.redhat.com/7.1/en/os/iSeries/ppc/wu-ftpd-2.6.2-11.71.1.ppc.rpm
Red Hat Linux 7.1 for pSeries (64 bit):
SRPMS:
ftp://updates.redhat.com/7.1/en/os/pSeries/SRPMS/wu-ftpd-2.6.2-11.71.1.src.rpm
ppc:
ftp://updates.redhat.com/7.1/en/os/pSeries/ppc/wu-ftpd-2.6.2-11.71.1.ppc.rpm
Red Hat Linux 7.2:
SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/wu-ftpd-2.6.2-11.72.1.src.rpm
i386:
ftp://updates.redhat.com/7.2/en/os/i386/wu-ftpd-2.6.2-11.72.1.i386.rpm
ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/wu-ftpd-2.6.2-11.72.1.ia64.rpm
Red Hat Linux 7.3:
SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/wu-ftpd-2.6.2-11.73.1.src.rpm
i386:
ftp://updates.redhat.com/7.3/en/os/i386/wu-ftpd-2.6.2-11.73.1.i386.rpm
Red Hat Linux 8.0:
SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/wu-ftpd-2.6.2-12.src.rpm
i386:
ftp://updates.redhat.com/8.0/en/os/i386/wu-ftpd-2.6.2-12.i386.rpm
All rights reserved. Reproduction without permission is prohibited.