Network Audio System Local Privilege Escalation and Denial of Service Vulnerabilities
Release date: 2006-09-25
Updated: 2007-04-24
Affected systems:
RADSCAN Network Audio System <= 1.8a
Description:
BUGTRAQ ID: 23017
CVE(CAN) ID: CVE-2007-1543, CVE-2007-1544, CVE-2007-1545, CVE-2007-1546, CVE-2007-1547
Network Audio System (NAS) is a network-transparent audio transport system.
Network Audio System contains multiple security vulnerabilities that allow a local attacker to escalate privileges or a remote attacker to crash the server (denial of service).
Details follow:
----------------------------------------------------------
A] Buffer overflow in accept_att_local
----------------------------------------------------------
The function that accepts connections on the USL socket reads a one-byte length and then that many bytes (up to 255) of slave-device name into a 64-byte stack buffer, a stack-based buffer overflow. Note that the USL socket is not enabled by default.
Vulnerable code in server/os/connection.c:
static int
accept_att_local(void)
{
    int newconn;
    int read_in;
    char length;        /* one-byte length field supplied by the client */
    char path[64];      /* fixed-size stack buffer */

    /*
     * first get device-name
     */
    if ((read_in = read(ptsFd, &length, 1)) <= 0) {
        Error("audio server: Can't read slave name length from USL client connection");
        return (-1);
    }
    /* length is never compared with sizeof(path): up to 255 bytes land in path[64] */
    if ((read_in = read(ptsFd, path, length)) <= 0) {
        Error("audio server: Can't read slave name from USL client connection");
        return (-1);
    }
    path[length] = '\0';    /* a second out-of-bounds write once length >= 64 */
    ...
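The bounded read that accept_att_local lacks, as an added example that is not NAS code. The real function read()s from ptsFd; here the bytes a USL client would send are passed in as a constructed buffer so the check can be exercised offline. The function and buffer names (read_slave_name, benign_msg, parse_with_length) are this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/*
 * Added example, not code from NAS: a bounded replacement for the
 * slave-name read in accept_att_local. Wire layout follows the vulnerable
 * code: one length byte, then that many bytes of path.
 */

/* Returns the path length on success, -1 when the message is short or the
 * announced length would not fit in `path` together with its terminating NUL. */
static int read_slave_name(const unsigned char *msg, size_t msglen,
                           char *path, size_t pathsz)
{
    unsigned char length;   /* unsigned on purpose: a plain char could go negative */

    if (msglen < 1)
        return -1;
    length = msg[0];

    /* This is the check the original lacks: path[64] versus length up to 255. */
    if (length >= pathsz)
        return -1;
    if (msglen - 1 < length)    /* client sent fewer bytes than it announced */
        return -1;

    memcpy(path, msg + 1, length);
    path[length] = '\0';
    return (int)length;
}

/* Constructed sample (not captured traffic): a well-formed client announcing "/dev/pts/3". */
static const unsigned char benign_msg[] =
    { 10, '/', 'd', 'e', 'v', '/', 'p', 't', 's', '/', '3' };

/* Parse the benign message into a 64-byte buffer; 1 if the result is exactly
 * the expected path, 0 otherwise. */
static int benign_path_matches(void)
{
    char path[64];
    if (read_slave_name(benign_msg, sizeof benign_msg, path, sizeof path) != 10)
        return 0;
    return strcmp(path, "/dev/pts/3") == 0;
}

/* Build a message whose length byte is `length`, followed by `length` 'A's
 * (what a hostile local client could send), and parse it into path[64]. */
static int parse_with_length(unsigned char length)
{
    unsigned char msg[256];
    char path[64];

    msg[0] = length;
    memset(msg + 1, 'A', length);
    return read_slave_name(msg, (size_t)length + 1, path, sizeof path);
}

int main(void)
{
    printf("benign message parses correctly: %s\n", benign_path_matches() ? "yes" : "no");
    printf("length 63  -> %d (accepted)\n", parse_with_length(63));
    printf("length 64  -> %d (rejected: no room for the NUL)\n", parse_with_length(64));
    printf("length 255 -> %d (rejected: would overflow path[64])\n", parse_with_length(255));
    return 0;
}
```

The boundary case matters: length 63 is the largest value that leaves room for the terminating NUL in a 64-byte buffer, so the comparison must be `>=`, not `>`.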
----------------------------------------------------------
B] Server termination through a nonexistent ID in AddResource
----------------------------------------------------------
A resource ID whose client part refers to a client that is not in use makes AddResource call FatalError, which terminates the server.
Vulnerable code in server/dia/resource.c:
Bool
AddResource(AuID id, RESTYPE type, pointer value)
{
    int client;
    register ClientResourceRec *rrec;
    register ResourcePtr res, *head;

    client = CLIENT_ID(id);         /* client number taken from the client-supplied id */
    rrec = &clientTable[client];
    if (!rrec->buckets) {
        ErrorF("AddResource(%x, %x, %x), client=%d \n",
               id, type, (unsigned long) value, client);
        FatalError("client not in use\n");   /* exits the whole server */
    }
    ...
---------------------------------------------------------------
C] Integer overflow in ProcAuWriteElement leading to a bcopy crash
---------------------------------------------------------------
An integer overflow in ProcAuWriteElement lets a client set a very large max_samples value when the flow is set up and then write more bytes than the destination buffer holds, crashing the NAS server.
Vulnerable code in server/dia/audispatch.c:
int
ProcAuWriteElement(ClientPtr client)
{
    ...
    /* dataSize is derived from the client-chosen max_samples */
    if (stuff->num_bytes > c->dataSize - currentSize)
        AU_ERROR(AuBadValue, stuff->num_bytes);

    if (stuff->num_bytes) {
        s = (AuUint8 *) & stuff[1];
        d = c->write;
        n = aumin(stuff->num_bytes, c->dataEnd - d);
        bcopy(s, d, n);
        /* wrap if necessary */
        if (n != stuff->num_bytes)
            bcopy(s + n, c->data, stuff->num_bytes - n);
    ...
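A model of the per-flow buffer with overflow-checked sizing and a wrap-free capacity test, added here as an example; it is not NAS code. The ring is sized from max_samples with the multiplication checked before it is performed, and the write step keeps the original's two-copy wrap logic while comparing only quantities that cannot wrap. The type and function names (flow_buf, flow_buf_init, flow_buf_write, flow_buf_consume) and the sample payload are this example's own.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/*
 * Added example, not code from NAS. Models the per-flow data buffer that
 * ProcAuWriteElement writes into: dataSize bytes, a write cursor and the
 * wrap-around pair of copies from the original, plus the two checks the
 * vulnerable path does not make.
 */

typedef struct {
    uint8_t  *data;
    uint32_t  dataSize;   /* bytes in the ring (NAS: c->dataEnd - c->data) */
    uint32_t  write;      /* write offset (NAS: c->write - c->data) */
    uint32_t  used;       /* bytes queued and not yet consumed (NAS: currentSize) */
} flow_buf;

/* Sizing at flow creation: reject a max_samples whose byte count does not
 * fit in 32 bits instead of letting max_samples * bytes_per_sample wrap. */
static int flow_buf_init(flow_buf *c, uint32_t max_samples, uint32_t bytes_per_sample)
{
    uint32_t size;

    if (max_samples == 0 || bytes_per_sample == 0)
        return -1;
    if (max_samples > UINT32_MAX / bytes_per_sample)   /* product would overflow */
        return -1;
    size = max_samples * bytes_per_sample;

    free(c->data);
    c->data = calloc(size, 1);
    if (c->data == NULL)
        return -1;
    c->dataSize = size;
    c->write = 0;
    c->used = 0;
    return 0;
}

/* Reader side, reduced to the bookkeeping this example needs. */
static int flow_buf_consume(flow_buf *c, uint32_t n)
{
    if (n > c->used)
        return -1;
    c->used -= n;
    return 0;
}

/* Write step with the same wrap logic as the original bcopy pair.
 * used <= dataSize is an invariant, so dataSize - used never wraps. */
static int flow_buf_write(flow_buf *c, const uint8_t *s, uint32_t num_bytes)
{
    uint32_t n;

    if (c->data == NULL)
        return -1;
    if (num_bytes > c->dataSize - c->used)
        return -1;                            /* AuBadValue in NAS terms */
    if (num_bytes == 0)
        return 0;

    n = c->dataSize - c->write;               /* room before the end of the ring */
    if (n > num_bytes)
        n = num_bytes;
    memcpy(c->data + c->write, s, n);
    if (n != num_bytes)                       /* wrap if necessary */
        memcpy(c->data, s + n, num_bytes - n);

    c->write = (c->write + num_bytes) % c->dataSize;
    c->used += num_bytes;
    return 0;
}

/* Constructed sample payload and a shared buffer for the walk-through below. */
static const uint8_t sample12[12] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 };
static flow_buf g = { NULL, 0, 0, 0 };

int main(void)
{
    printf("init(0x40000000 samples * 8 bytes) -> %d (rejected, would wrap)\n",
           flow_buf_init(&g, 0x40000000u, 8));
    flow_buf_init(&g, 16, 1);
    printf("write 12 into 16          -> %d\n", flow_buf_write(&g, sample12, 12));
    printf("write 8 with 4 free       -> %d (rejected)\n", flow_buf_write(&g, sample12, 8));
    flow_buf_consume(&g, 12);
    printf("write 8 after consume     -> %d, cursor now %u (wrapped)\n",
           flow_buf_write(&g, sample12, 8), g.write);
    return 0;
}
```

The wrap itself is not the bug; it is correct as long as num_bytes really is at most the free space. The example therefore keeps the wrap and moves the defence to the two places where the arithmetic can go wrong: the size computation and the free-space comparison.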
----------------------------------------------------------------------
D] Oversized num_actions in ProcAuSetElements leads to an invalid memory pointer
----------------------------------------------------------------------
In ProcAuSetElements, num_actions is used to advance the pointer to the next element inside the stuff buffer. A client that sends one or more elements with a huge num_actions value forces the server to read data outside the stuff buffer, causing a crash.
Vulnerable code in server/dia/audispatch.c:
#define ADD_VAR(n) \
{ \
    AuUint8 *_t = (AuUint8 *) el; \
    \
    varLen += (n); \
    _t += (n);  /* el advances by n bytes, never compared with the request length */ \
    el = (auElement *) _t; \
}

#define COMP_ACTIONS(num) \
{ \
    numActions += (num) ? (num) : numDefaultActions[el->type]; \
    ADD_VAR((num) * sizeof(auElementAction)); \
}
...
int
ProcAuSetElements(ClientPtr client)
{
    fprintf(stderr, "XXX ProcAuSetElements\n");
    REQUEST(auSetElementsReq);
    FlowPtr flow;
    int len, i, varLen, numActions, status;
    auElement *el;
    ...
    el = (auElement *) & stuff[1];

    /* compute length of variable data and do some error checking */
    for (i = varLen = numActions = 0; i < stuff->numElements; i++, el++)
        switch (el->type) {
        case AuElementTypeImportClient:
            /* num_actions is client-controlled and moves el without a bound */
            COMP_ACTIONS(el->importclient.actions.num_actions);
    ...
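A bounded version of the element walk, added here as an example; it is not NAS code. Before the cursor is advanced by num_actions times the action size, the product is compared with the bytes that remain in the request. The 8-byte header and 8-byte action layouts, and the names count_actions, put_elem and demo_*, are this example's own simplification of auElement and auElementAction, not the NAS wire format.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/*
 * Added example, not code from NAS. Models the variable-length element walk
 * in ProcAuSetElements with an explicit end-of-request bound.
 */

#define ELEM_IMPORT_CLIENT 1
#define ELEM_EXPORT_CLIENT 2

#define ELEM_HDR_LEN    8   /* type(1) pad(3) num_actions(4, host order) -- example layout */
#define ELEM_ACTION_LEN 8   /* flow(4) element_num(4)                     -- example layout */

/* Walk num_elements elements starting at req. Returns the total number of
 * actions, or -1 if any element (header or its actions) would run past req_len. */
static long count_actions(const uint8_t *req, size_t req_len, uint32_t num_elements)
{
    size_t pos = 0;
    long total = 0;
    uint32_t i;

    for (i = 0; i < num_elements; i++) {
        uint32_t num_actions;
        size_t   remain;

        if (req_len - pos < ELEM_HDR_LEN)          /* header itself out of range */
            return -1;
        if (req[pos] != ELEM_IMPORT_CLIENT && req[pos] != ELEM_EXPORT_CLIENT)
            return -1;
        memcpy(&num_actions, req + pos + 4, sizeof num_actions);

        /* The original does  _t += num_actions * sizeof(auElementAction)
         * unconditionally; here the product is compared with what is left first. */
        remain = req_len - pos - ELEM_HDR_LEN;
        if (num_actions > remain / ELEM_ACTION_LEN)
            return -1;

        total += num_actions;
        pos   += ELEM_HDR_LEN + (size_t)num_actions * ELEM_ACTION_LEN;
    }
    return total;
}

/* Encode one element at buf: a header claiming num_actions, followed by
 * actions_present zeroed actions. Returns the number of bytes written. */
static size_t put_elem(uint8_t *buf, uint8_t type, uint32_t num_actions, uint32_t actions_present)
{
    size_t len = ELEM_HDR_LEN + (size_t)actions_present * ELEM_ACTION_LEN;

    memset(buf, 0, len);
    buf[0] = type;
    memcpy(buf + 4, &num_actions, sizeof num_actions);
    return len;
}

/* Constructed requests (not captured traffic). */
static uint8_t req_buf[64];

/* Well-formed: an import element with 2 actions, then an export element with 0. */
static long demo_wellformed(void)
{
    size_t len = 0;
    len += put_elem(req_buf + len, ELEM_IMPORT_CLIENT, 2, 2);
    len += put_elem(req_buf + len, ELEM_EXPORT_CLIENT, 0, 0);
    return count_actions(req_buf, len, 2);
}

/* Hostile: an import element claiming 0x10000000 actions but carrying none. */
static long demo_huge_num_actions(void)
{
    size_t len = put_elem(req_buf, ELEM_IMPORT_CLIENT, 0x10000000u, 0);
    return count_actions(req_buf, len, 1);
}

/* Hostile: numElements says 3 but the request holds only 2 elements. */
static long demo_truncated(void)
{
    size_t len = 0;
    len += put_elem(req_buf + len, ELEM_IMPORT_CLIENT, 1, 1);
    len += put_elem(req_buf + len, ELEM_EXPORT_CLIENT, 0, 0);
    return count_actions(req_buf, len, 3);
}

int main(void)
{
    printf("well-formed request -> %ld actions\n", demo_wellformed());
    printf("huge num_actions    -> %ld (rejected)\n", demo_huge_num_actions());
    printf("truncated request   -> %ld (rejected)\n", demo_truncated());
    return 0;
}
```

Dividing the remaining bytes by the action size, rather than multiplying num_actions by it, is what keeps the comparison itself from overflowing on a 32-bit num_actions.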
------------------------------------------
E] Invalid memory pointer in compileInputs
------------------------------------------
AuCompileFlow passes an oversized client-supplied input value to compileInputs as the inputNum parameter, which indexes the elements array without a bounds check, yielding an invalid memory pointer.
Vulnerable code in server/dia/auutil.c:
static int
compileInputs(ClientPtr client, FlowElementPtr elements,
              CompiledFlowOutputPtr output, AuUint32 inputNum,
              AuFixedPoint multiplyConstant, AuFixedPoint addConstant,
              AuUint8 numTracks, AuUint8 * inTracks, AuUint8 firstOutTrack,
              AuBool recompile, AuUint32 * inputCnt)
{
    auElement *el = elements[inputNum].raw;   /* inputNum never checked against the element count */
    int status = AuSuccess;
    AuBool compiled = elements[inputNum].compiled, compileInput = AuFalse;
    AuUint32 nextInput;
    AuUint8 inputTracks[auMaxTracks];

    /* XXX - need to check for loops */

    /* indicate that we've compiled this element */
    elements[inputNum].compiled = AuTrue;     /* write through the invalid pointer */
    ...
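Cases B and E share one root cause: a client-controlled index is used on a server-side array before it is range-checked. The following added example, which is not NAS code, shows the pattern that fixes both, a lookup that decodes the index, checks it and returns NULL so the request handler can answer with a protocol error instead of crashing or calling FatalError. MAXCLIENTS, the id layout (client number in the bits above CLIENT_SHIFT), the FlowElement fields and the demo_* names are this example's assumptions, not NAS's definitions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Added example, not code from NAS. Validated lookups for the two
 * client-controlled indices in cases B (AddResource) and E (compileInputs).
 */

#define MAXCLIENTS    128       /* assumed table size, not NAS's constant */
#define CLIENT_SHIFT  22        /* assumed: client number lives above bit 22 */
#define CLIENT_ID(id) ((unsigned)((id) >> CLIENT_SHIFT))

typedef struct { int buckets; } ClientResourceRec;
static ClientResourceRec clientTable[MAXCLIENTS];

/* Mark a client slot as in use (what the server does when a client connects). */
static int register_client(unsigned client)
{
    if (client >= MAXCLIENTS)
        return -1;
    clientTable[client].buckets = 1;
    return 0;
}

/* Case B: instead of FatalError("client not in use"), return NULL so the
 * caller can answer AuBadIDChoice (or drop the offending client) and keep serving. */
static ClientResourceRec *lookup_client_resources(uint32_t id)
{
    unsigned client = CLIENT_ID(id);

    if (client >= MAXCLIENTS)          /* index outside clientTable */
        return NULL;
    if (!clientTable[client].buckets)  /* slot exists but no client is using it */
        return NULL;
    return &clientTable[client];
}

typedef struct { int compiled; void *raw; } FlowElement;   /* example fields only */

/* Case E: bound inputNum by the element count before elements[inputNum] is touched. */
static FlowElement *lookup_input(FlowElement *elements, uint32_t num_elements, uint32_t inputNum)
{
    if (inputNum >= num_elements)
        return NULL;
    return &elements[inputNum];
}

/* Constructed scenario: client 3 is connected and a flow has 4 elements. */
static FlowElement flow[4];

/* 1 if the id built from `client` resolves to a live client, else 0. */
static int demo_client_lookup(unsigned client)
{
    register_client(3);
    return lookup_client_resources((uint32_t)client << CLIENT_SHIFT) != NULL;
}

/* 1 if inputNum is a valid index into the 4-element flow, else 0. */
static int demo_input_lookup(uint32_t inputNum)
{
    return lookup_input(flow, 4, inputNum) != NULL;
}

int main(void)
{
    printf("client 3 (in use)      -> %d\n", demo_client_lookup(3));
    printf("client 5 (not in use)  -> %d\n", demo_client_lookup(5));
    printf("client 300 (>= MAX)    -> %d\n", demo_client_lookup(300));
    printf("inputNum 2 of 4        -> %d\n", demo_input_lookup(2));
    printf("inputNum 4 of 4        -> %d\n", demo_input_lookup(4));
    return 0;
}
```

The two checks in lookup_client_resources are deliberately separate: the first protects the array bound, the second is the "client not in use" condition that the original turns into a fatal error.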
----------------------------------------------
F] NULL pointer dereference from too many connections
----------------------------------------------
If more than 120 connections are open at the same time, through the local or the remote socket, the server dereferences a NULL pointer and crashes.
Vulnerable code in server/os/io.c:
int
ReadRequestFromClient(client)
    ClientPtr client;
{
    OsCommPtr oc = (OsCommPtr) client->osPrivate;   /* NULL for a connection past the limit */
    register ConnectionInputPtr oci = oc->input;    /* dereferenced here */
    ...
Source: Luigi Auriemma (aluigi@pivx.com)
Links: http://secunia.com/advisories/24527/
http://aluigi.altervista.org/adv/nasbugs-adv.txt
http://security.gentoo.org/glsa/glsa-200704-20.xml
Test method:
WARNING
The following programs (methods) may be offensive in nature and are provided for security research and teaching purposes only. Users act at their own risk!
Recommendation:
Vendor patches:
Gentoo
------
Gentoo has released a security advisory (GLSA-200704-20) and a corresponding patch:
GLSA-200704-20: NAS: Multiple vulnerabilities
Link: http://security.gentoo.org/glsa/glsa-200704-20.xml
All NAS users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/nas-1.8b"
RADSCAN
-------
The vendor has released an updated version that fixes these issues; download it from the vendor's homepage:
http://www.radscan.com/nas.html
