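mtr split.c Remote Stack Overflow Vulnerability
Published: 2008-05-20
Updated: 2008-05-21
Affected systems:
MTR MTR 0.72
Unaffected systems:
MTR MTR 0.73
Description:
BUGTRAQ ID: 29290
CVE(CAN) ID: CVE-2008-2357
mtr is a network diagnostic tool that combines the traceroute and ping programs.
The split_redraw() function in mtr's split.c has a stack overflow when it processes a specially crafted hostname. A remote attacker may exploit this vulnerability to take control of the user's system.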
The vulnerable code segment is shown below:
"split.c"
#define MAX_LINE_SIZE 256
void split_redraw(void)
{
    int max;
    int at;
    ip_t *addr;
    char *name;
    char newLine[MAX_LINE_SIZE];
    int i;
    ...
    for(at = 0; at < max; at++) {
        addr = net_addr(at);
        if( addrcmp( (void *) addr, (void *) &unspec_addr, af ) != 0 ) {
            name = dns_lookup(addr);                                  /* [1] */
            if(name != NULL) {
                /* May be we should test name's length */             /* [!!] */
                sprintf(newLine, "%s %d %d %d %d %d %d", name,        /* [2] */
                        net_loss(at),
                        net_returned(at), net_xmit(at),
                        net_best(at) /1000, net_avg(at)/1000,
                        net_worst(at)/1000);
            } else {
                ...
                sprintf(newLine, "???");
            }
            ...
            ...
        }
    }
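At [2], sprintf() is called unsafely: the name argument is the reverse DNS (RevDNS) name of the IP address, and its length is never checked against the 256-byte newLine buffer. If the user is tricked into querying a malicious DNS server, the overflow is triggered when the -p or --split command-line option is used, leading to execution of arbitrary instructions.
<*Source: Adam Zabrocki (pi3ki31ny@wp.pl)
Links: http://secunia.com/advisories/30312/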
http://marc.info/?l=full-disclosure&m=121127354517855&w=2#-2
http://www.debian.org/security/2008/dsa-1587
http://security.gentoo.org/glsa/glsa-200806-01.xml
*>
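Added example (not part of the original advisory, and not mtr's actual patch): a bounded version of the formatting step at [2], next to a measurement of how many bytes the unchecked sprintf() would write for an overlong resolver-supplied name. The helper names, the 300-byte name, the sample statistics and router.example.net are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_LINE_SIZE 256   /* same size as newLine[] in split.c */

/* Bytes (without the NUL) that the advisory's sprintf() call would write for
 * this name; snprintf(NULL, 0, ...) measures the output without writing it. */
static int split_line_needed(const char *name, const int s[6])
{
    return snprintf(NULL, 0, "%s %d %d %d %d %d %d", name,
                    s[0], s[1], s[2], s[3], s[4], s[5]);
}

/* Hypothetical hardened formatter (not mtr's actual fix): bounded write,
 * and truncation is reported instead of being silently accepted.
 * Returns 0 on success, -1 if the line did not fit or formatting failed. */
static int split_line_format(char *out, size_t outsz,
                             const char *name, const int s[6])
{
    int n = snprintf(out, outsz, "%s %d %d %d %d %d %d", name,
                     s[0], s[1], s[2], s[3], s[4], s[5]);
    if (n < 0 || (size_t)n >= outsz) {
        snprintf(out, outsz, "???");  /* placeholder split.c uses for unknown hosts */
        return -1;
    }
    return 0;
}

/* Constructed input: a name of len bytes, as an untrusted resolver could return. */
static void make_long_name(char *buf, size_t len)
{
    memset(buf, 'a', len);
    buf[len] = '\0';
}

int main(void)
{
    const int stats[6] = {0, 10, 10, 12, 15, 40};   /* constructed sample stats */
    char name[301], line[MAX_LINE_SIZE];
    int rc;
    make_long_name(name, 300);
    printf("sprintf() would need %d bytes, buffer has %d\n",
           split_line_needed(name, stats) + 1, MAX_LINE_SIZE);
    rc = split_line_format(line, sizeof line, name, stats);
    printf("long name: rc=%d line=\"%s\"\n", rc, line);
    rc = split_line_format(line, sizeof line, "router.example.net", stats);
    printf("normal:    rc=%d line=\"%s\"\n", rc, line);
    return 0;
}
```

Rejecting the overlong name rather than truncating it keeps a partially attacker-controlled string out of the split-mode output.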
Recommendations:
Vendor patches:
Debian
------
Debian has released a security advisory (DSA-1587-1) and corresponding patches for this issue:
DSA-1587-1: New mtr packages fix execution of arbitrary code
Link: http://www.debian.org/security/2008/dsa-1587
Patch downloads:
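Patch installation:
1. Install the patch package manually:
First, download the patch package with the following command:
# wget url (url is the patch download link)
Then install the patch with the following command:
# dpkg -i file.deb (file is the name of the corresponding patch package)
2. Install the patch package automatically with apt-get:
First, update the internal package database with the following command:
# apt-get update
Then install the updated packages with the following command:
# apt-get upgrade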
MTR
---
The vendor has released an upgrade that fixes this security issue. Download it from the vendor's home page:
http://www.bitwizard.nl/mtr
Gentoo
------
Gentoo has released a security advisory (GLSA-200806-01) and corresponding patches for this issue:
GLSA-200806-01: mtr: Stack-based buffer overflow
Link: http://security.gentoo.org/glsa/glsa-200806-01.xml
All mtr users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/mtr-0.73-r1"
