安全研究
安全漏洞
NSS库证书正则表达式解析堆溢出漏洞
发布日期:2009-07-30
更新日期:2009-08-03
受影响系统:
Mozilla Firefox 3.5描述:
Mozilla NSS 3.12.3
BUGTRAQ ID: 35891
CVE(CAN) ID: CVE-2009-2404
网络安全服务(NSS)是一套用于跨平台开发启用了安全功能的客户端和服务器应用的库,用NSS编译的应用可以支持SSLv2、SSLv3、TLS等安全标准。
Firefox等浏览器所使用的用于匹配证书中公用名的NSS库正则表达式解析器中存在堆溢出。恶意网站可以提供特制的证书触发堆溢出,导致崩溃或以运行浏览器用户的权限执行任意指令。
以下是NSS库中的有漏洞代码段:
security/nss/lib/util/portreg.c:
141 static int
142 _handle_union(const char *str, const char *exp, PRBool case_insensitive)
143 {
144 char *e2 = (char *) PORT_Alloc(sizeof(char)*strlen(exp));
145 register int t,p2,p1 = 1;
146 int cp;
147
148 while(1) {
149 for(cp=1;exp[cp] != ')';cp++)
150 if(exp[cp] == '\\')
151 ++cp;
152 for(p2 = 0;(exp[p1] != '|') && (p1 != cp);p1++,p2++) {
153 if(exp[p1] == '\\')
154 e2[p2++] = exp[p1++];
155 e2[p2] = exp[p1];
156 }
157 for (t=cp+1; ((e2[p2] = exp[t]) != 0); ++t,++p2) {}
158 if(_shexp_match(str,e2, case_insensitive) == MATCH) {
159 PORT_Free(e2);
160 return MATCH;
161 }
162 if(p1 == cp) {
163 PORT_Free(e2);
164 return NOMATCH;
165 }
166 else ++p1;
167 }
168 }
基于144行的strlen()执行malloc,但在154行“)”之前一直进行拷贝。可通过在传送给两级之上父函数的字符串中包含“~”来替换这个字符串中的“\0”字符:
263 static int
264 port_RegExpMatch(const char *str, const char *xp, PRBool case_insensitive)
{
265 register int x;
266 char *exp = 0;
267
268 exp = PORT_Strdup(xp);
269
270 if(!exp)
271 return 1;
272
273 for(x=strlen(exp)-1;x;--x) {
274 if((exp[x] == '~') && (exp[x-1] != '\\')) {
275 exp[x] = '\0';
276 if(_shexp_match(str,&exp[++x], case_insensitive) == MATCH)
277 goto punt;
278 break;
279 }
280 }
281 if(_shexp_match(str,exp, case_insensitive) == MATCH) {
282 PORT_Free(exp);
283 return 0;
284 }
285
286 punt:
287 PORT_Free(exp);
288 return 1;
289 }
类似于(foo~bar)的字符串会分配strlen(foo),然后在所分配的内存后覆盖bar个字节。
<*来源:Moxie Marlinspike
链接:http://secunia.com/advisories/36093/
https://bugzilla.mozilla.org/show_bug.cgi?format=multiple&id=504456
http://www.mozilla.org/security/announce/2009/mfsa2009-43.html
https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=512912
https://www.redhat.com/support/errata/RHSA-2009-1190.html
https://www.redhat.com/support/errata/RHSA-2009-1185.html
https://www.redhat.com/support/errata/RHSA-2009-1184.html
https://www.redhat.com/support/errata/RHSA-2009-1186.html
http://www.debian.org/security/2009/dsa-1874
http://sunsolve.sun.com/search/document.do?assetkey=1-66-267031-1
*>
建议:
厂商补丁:
Debian
------
Debian已经为此发布了一个安全公告(DSA-1874-1)以及相应补丁:
DSA-1874-1:New nss packages fix several vulnerabilities
链接:http://www.debian.org/security/2009/dsa-1874
补丁下载:
Source archives:
http://security.debian.org/pool/updates/main/n/nss/nss_3.12.3.1-0lenny1.dsc
Size/MD5 checksum: 1401 1dbc1107598064214fa689733495c56c
http://security.debian.org/pool/updates/main/n/nss/nss_3.12.3.1.orig.tar.gz
Size/MD5 checksum: 5320607 750839c9c018a0984fd94f7a9cc3dd7f
http://security.debian.org/pool/updates/main/n/nss/nss_3.12.3.1-0lenny1.diff.gz
Size/MD5 checksum: 52489 96f62370296f7d18a9748429ac99525f
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d-dbg_3.12.3.1-0lenny1_alpha.deb
Size/MD5 checksum: 3048842 6b764e28ae56542572a4275e50c4d303
http://security.debian.org/pool/updates/main/n/nss/libnss3-dev_3.12.3.1-0lenny1_alpha.deb
Size/MD5 checksum: 267250 b00f4c63a8d27a54fb562029411daf0e
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d_3.12.3.1-0lenny1_alpha.deb
Size/MD5 checksum: 1204106 c8ba098d6cc0af39ab93cd728ca7bb19
http://security.debian.org/pool/updates/main/n/nss/libnss3-tools_3.12.3.1-0lenny1_alpha.deb
Size/MD5 checksum: 342544 2191bbcd5708f719392c8489bde7a0c6
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/n/nss/libnss3-dev_3.12.3.1-0lenny1_amd64.deb
Size/MD5 checksum: 256944 7a31770b748ff56ba45ac55044960b6d
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d_3.12.3.1-0lenny1_amd64.deb
Size/MD5 checksum: 1069628 eea22c2ccef5375689fe581de8152a61
http://security.debian.org/pool/updates/main/n/nss/libnss3-tools_3.12.3.1-0lenny1_amd64.deb
Size/MD5 checksum: 321374 1b86ac1f27fee3287f1418973595a4e9
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d-dbg_3.12.3.1-0lenny1_amd64.deb
Size/MD5 checksum: 3099080 f4112f9f06d87e6139097a27e1419664
arm architecture (ARM)
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d-dbg_3.12.3.1-0lenny1_arm.deb
Size/MD5 checksum: 2900162 21604ffa61b7f5049f0f919030fec0f0
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d_3.12.3.1-0lenny1_arm.deb
Size/MD5 checksum: 1011344 78bc0d853274ca2fc9f36752ed9f9c51
http://security.debian.org/pool/updates/main/n/nss/libnss3-tools_3.12.3.1-0lenny1_arm.deb
Size/MD5 checksum: 308766 e7547e80f6726b91611f9b92d83aa6b3
http://security.debian.org/pool/updates/main/n/nss/libnss3-dev_3.12.3.1-0lenny1_arm.deb
Size/MD5 checksum: 254374 ead00e7f25c47cc4b8b1ed99801c4ab9
armel architecture (ARM EABI)
http://security.debian.org/pool/updates/main/n/nss/libnss3-dev_3.12.3.1-0lenny1_armel.deb
Size/MD5 checksum: 257820 a17086cca6fdaf26e5a6b3fb84ae476d
http://security.debian.org/pool/updates/main/n/nss/libnss3-tools_3.12.3.1-0lenny1_armel.deb
Size/MD5 checksum: 308198 f24e01f4b2396193a314a965555374e8
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d_3.12.3.1-0lenny1_armel.deb
Size/MD5 checksum: 1017054 d1086599e6a1904548804d538f90c810
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d-dbg_3.12.3.1-0lenny1_armel.deb
Size/MD5 checksum: 2923084 b5e1d56b749941124c8b91f063d44c19
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/n/nss/libnss3-dev_3.12.3.1-0lenny1_hppa.deb
Size/MD5 checksum: 263122 b611c51dae677b42befac5f2e638d941
http://security.debian.org/pool/updates/main/n/nss/libnss3-tools_3.12.3.1-0lenny1_hppa.deb
Size/MD5 checksum: 347148 c725c156c6cd17d09421e066548c673d
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d_3.12.3.1-0lenny1_hppa.deb
Size/MD5 checksum: 1169014 d5858e4c11ca0b88f59c24af1a251eea
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d-dbg_3.12.3.1-0lenny1_hppa.deb
Size/MD5 checksum: 2948790 92a46a3cd9b2db3c7f0d07d817a03ba4
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d_3.12.3.1-0lenny1_i386.deb
Size/MD5 checksum: 957706 21a666157a0a208d8405df062b3276d2
http://security.debian.org/pool/updates/main/n/nss/libnss3-tools_3.12.3.1-0lenny1_i386.deb
Size/MD5 checksum: 304016 9771905fcb4acd6855158c8645722762
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d-dbg_3.12.3.1-0lenny1_i386.deb
Size/MD5 checksum: 2913468 89b7116120a075a7795615d062bd7450
http://security.debian.org/pool/updates/main/n/nss/libnss3-dev_3.12.3.1-0lenny1_i386.deb
Size/MD5 checksum: 254478 7747ea82c2d9e93c6a610d60094fb316
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/n/nss/libnss3-dev_3.12.3.1-0lenny1_ia64.deb
Size/MD5 checksum: 267008 94a0fe98c183a728df7e64826f8b2c46
http://security.debian.org/pool/updates/main/n/nss/libnss3-tools_3.12.3.1-0lenny1_ia64.deb
Size/MD5 checksum: 410780 a834a4f57ddc003570c6eaaafbc87032
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d-dbg_3.12.3.1-0lenny1_ia64.deb
Size/MD5 checksum: 2797788 1a1f375f7713f69acdf01e77f779b28b
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d_3.12.3.1-0lenny1_ia64.deb
Size/MD5 checksum: 1489492 a468da7ac4219e564793d06978a6be07
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/n/nss/libnss3-dev_3.12.3.1-0lenny1_mips.deb
Size/MD5 checksum: 257808 fc1a4db95e71876cf0ffbe0b49327148
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d-dbg_3.12.3.1-0lenny1_mips.deb
Size/MD5 checksum: 3049346 fc35475e7157e1859c154556ecb648b3
http://security.debian.org/pool/updates/main/n/nss/libnss3-tools_3.12.3.1-0lenny1_mips.deb
Size/MD5 checksum: 318740 fbafbce5a6d9498d8cd1fe1d8f1eaebc
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d_3.12.3.1-0lenny1_mips.deb
Size/MD5 checksum: 1038702 0723e7d8621b7d65517cc3945a9790be
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d_3.12.3.1-0lenny1_mipsel.deb
Size/MD5 checksum: 1028286 81e4bcd025b2ee3996de08b9fdb0b23a
http://security.debian.org/pool/updates/main/n/nss/libnss3-tools_3.12.3.1-0lenny1_mipsel.deb
Size/MD5 checksum: 317082 8b16e198a97ffb60df698767fef8cc35
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d-dbg_3.12.3.1-0lenny1_mipsel.deb
Size/MD5 checksum: 2999704 d1f9bf1211ec7aa9458dcdd673a4a709
http://security.debian.org/pool/updates/main/n/nss/libnss3-dev_3.12.3.1-0lenny1_mipsel.deb
Size/MD5 checksum: 257740 82ed6773d6e942a70f1274e4a241bdd9
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/n/nss/libnss3-dev_3.12.3.1-0lenny1_powerpc.deb
Size/MD5 checksum: 255174 6abcf8f6d427c29f704ca156dc201113
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d_3.12.3.1-0lenny1_powerpc.deb
Size/MD5 checksum: 1029684 997fec6bb01c10e9e3c6aa15f0f78386
http://security.debian.org/pool/updates/main/n/nss/libnss3-tools_3.12.3.1-0lenny1_powerpc.deb
Size/MD5 checksum: 334590 1c8056037d5bccdad7977b49d3910065
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d-dbg_3.12.3.1-0lenny1_powerpc.deb
Size/MD5 checksum: 2946754 1739d7e55a79d8e85dc5e668180846ae
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d_3.12.3.1-0lenny1_s390.deb
Size/MD5 checksum: 1178522 0e72b044e78bca218a8d55c20c16e8d5
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d-dbg_3.12.3.1-0lenny1_s390.deb
Size/MD5 checksum: 3020690 7115f25dbf7c31c55e768d48a29c8b46
http://security.debian.org/pool/updates/main/n/nss/libnss3-dev_3.12.3.1-0lenny1_s390.deb
Size/MD5 checksum: 258572 f8bf00777c295c76b0071a1354b011fa
http://security.debian.org/pool/updates/main/n/nss/libnss3-tools_3.12.3.1-0lenny1_s390.deb
Size/MD5 checksum: 346234 accf6855c0b8ea6d087bf062b2ac1d7b
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/n/nss/libnss3-tools_3.12.3.1-0lenny1_sparc.deb
Size/MD5 checksum: 317482 f2f321d58890c1edb386ebc224ac052e
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d_3.12.3.1-0lenny1_sparc.deb
Size/MD5 checksum: 996192 cf17776aa8674a8c7e71527b6534b0e2
http://security.debian.org/pool/updates/main/n/nss/libnss3-dev_3.12.3.1-0lenny1_sparc.deb
Size/MD5 checksum: 257464 2452b9eef9a3c0b786d4dc4afc2d16ae
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d-dbg_3.12.3.1-0lenny1_sparc.deb
Size/MD5 checksum: 2712012 910e98017dabb5adcc109f05f94b1a56
补丁安装方法:
1. 手工安装补丁包:
首先,使用下面的命令来下载补丁软件:
# wget url (url是补丁下载链接地址)
然后,使用下面的命令来安装补丁:
# dpkg -i file.deb (file是相应的补丁名)
2. 使用apt-get自动安装补丁包:
首先,使用下面的命令更新内部数据库:
# apt-get update
然后,使用下面的命令安装更新软件包:
# apt-get upgrade
Mozilla
-------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
https://bugzilla.mozilla.org/show_bug.cgi?format=multiple&id=504456
RedHat
------
RedHat已经为此发布了一个安全公告(RHSA-2009:1186-01)以及相应补丁:
RHSA-2009:1186-01:Critical: nspr and nss security, bug fix, and enhancement update
链接:https://www.redhat.com/support/errata/RHSA-2009-1186.html
Sun
---
Sun已经为此发布了一个安全公告(Sun-Alert-267031)以及相应补丁:
Sun-Alert-267031:Heap Overflow in a Regular Expression Parser in Network Security Services (NSS) may Affect SSL Clients (CVE-2009-2404)
链接:http://sunsolve.sun.com/search/document.do?assetkey=1-66-267031-1
浏览次数:3179
严重程度:0(网友投票)
绿盟科技给您安全的保障