首页 -> 安全研究
安全研究
安全漏洞
C-Note Squid_Auth_LDAP Pam logging函数远程格式串溢出漏洞
发布日期:2002-05-06
更新日期:2002-05-10
受影响系统:
C-Note Squid_Auth_LDAP 1.0.1描述:
- Caldera Open Linux Workstation 3.1.1
- Caldera Open Linux Workstation 3.1
- Caldera Open Linux Server 3.1.1
- Caldera Open Linux Server 3.1
- Debian Linux 2.3 powerpc
- Debian Linux 2.3 68k
- Debian Linux 2.3 i386
- Debian Linux 2.3 sparc
- Debian Linux 2.3 alpha
- Debian Linux 2.3 IA-32
- Debian Linux 2.3 arm
- Mandrake Linux 8.2
- Mandrake Linux 8.1
- Mandrake Linux 8.0
- RedHat Linux 7.2 alpha
- RedHat Linux 7.2 ia64
- RedHat Linux 7.2 x86
- RedHat Linux 7.1 ia64
- RedHat Linux 7.1
- RedHat Linux 7.1 x86
- RedHat Linux 7.0 alpha
- RedHat Linux 7.0 sparc
- RedHat Linux 7.0
- RedHat Linux 7.0 x86
- RedHat Linux 6.2 x86
- RedHat Linux 6.2
- RedHat Linux 6.2 alpha
- RedHat Linux 6.2 sparc
- SuSE Linux 7.3 sparc
- SuSE Linux 7.3 i386
- SuSE Linux 7.3 powerpc
- SuSE Linux 7.2 i386
- SuSE Linux 7.2
- SuSE Linux 7.1 alpha
- SuSE Linux 7.1
- SuSE Linux 7.1 sparc
- SuSE Linux 7.1 i386
- SuSE Linux 7.1 powerpc
- SuSE Linux 7.0 i386
- SuSE Linux 7.0 powerpc
- SuSE Linux 7.0
- SuSE Linux 7.0 alpha
C-Note Squid_Auth_LDAP 1.0.2 -beta
- Caldera Open Linux Workstation 3.1.1
- Caldera Open Linux Workstation 3.1
- Caldera Open Linux Server 3.1.1
- Caldera Open Linux Server 3.1
- Debian Linux 2.3 IA-32
- Debian Linux 2.3 arm
- Debian Linux 2.3 powerpc
- Debian Linux 2.3 68k
- Debian Linux 2.3 i386
- Debian Linux 2.3 sparc
- Debian Linux 2.3 alpha
- Mandrake Linux 8.2
- Mandrake Linux 8.1
- Mandrake Linux 8.0
- RedHat Linux 7.2 x86
- RedHat Linux 7.2 alpha
- RedHat Linux 7.2 ia64
- RedHat Linux 7.1 x86
- RedHat Linux 7.1 ia64
- RedHat Linux 7.1
- RedHat Linux 7.0
- RedHat Linux 7.0 x86
- RedHat Linux 7.0 alpha
- RedHat Linux 7.0 sparc
- RedHat Linux 6.2 sparc
- RedHat Linux 6.2 x86
- RedHat Linux 6.2
- RedHat Linux 6.2 alpha
- SuSE Linux 8.0 i386
- SuSE Linux 7.3 sparc
- SuSE Linux 7.3 i386
- SuSE Linux 7.3
- SuSE Linux 7.3 powerpc
- SuSE Linux 7.2
- SuSE Linux 7.2 i386
- SuSE Linux 7.1 sparc
- SuSE Linux 7.1 i386
- SuSE Linux 7.1
- SuSE Linux 7.1 powerpc
- SuSE Linux 7.1 alpha
- SuSE Linux 7.0 powerpc
- SuSE Linux 7.0 alpha
- SuSE Linux 7.0
- SuSE Linux 7.0 i386
C-Note Squid_Auth_LDAP 1.2
- Caldera Open Linux Workstation 3.1.1
- Caldera Open Linux Workstation 3.1
- Caldera Open Linux Server 3.1.1
- Caldera Open Linux Server 3.1
- Debian Linux 2.3 i386
- Debian Linux 2.3 sparc
- Debian Linux 2.3 alpha
- Debian Linux 2.3 IA-32
- Debian Linux 2.3 arm
- Debian Linux 2.3 powerpc
- Debian Linux 2.3 68k
- Mandrake Linux 8.2
- Mandrake Linux 8.1
- Mandrake Linux 8.0
- RedHat Linux 7.2 ia64
- RedHat Linux 7.2 x86
- RedHat Linux 7.2 alpha
- RedHat Linux 7.1 ia64
- RedHat Linux 7.1
- RedHat Linux 7.1 x86
- RedHat Linux 7.0 sparc
- RedHat Linux 7.0
- RedHat Linux 7.0 x86
- RedHat Linux 7.0 alpha
- RedHat Linux 6.2 alpha
- RedHat Linux 6.2 sparc
- RedHat Linux 6.2 x86
- RedHat Linux 6.2
- SuSE Linux 8.0 i386
- SuSE Linux 7.3
- SuSE Linux 7.3 powerpc
- SuSE Linux 7.3 sparc
- SuSE Linux 7.3 i386
- SuSE Linux 7.2
- SuSE Linux 7.2 i386
- SuSE Linux 7.1 powerpc
- SuSE Linux 7.1 alpha
- SuSE Linux 7.1 sparc
- SuSE Linux 7.1 i386
- SuSE Linux 7.1
- SuSE Linux 7.0
- SuSE Linux 7.0 i386
- SuSE Linux 7.0 powerpc
- SuSE Linux 7.0 alpha
C-Note Squid_Auth_LDAP 1.2 b1
- Caldera Open Linux Workstation 3.1.1
- Caldera Open Linux Workstation 3.1
- Caldera Open Linux Server 3.1.1
- Caldera Open Linux Server 3.1
- Debian Linux 2.3 sparc
- Debian Linux 2.3 alpha
- Debian Linux 2.3 IA-32
- Debian Linux 2.3 arm
- Debian Linux 2.3 powerpc
- Debian Linux 2.3 68k
- Debian Linux 2.3 i386
- Mandrake Linux 8.2
- Mandrake Linux 8.1
- Mandrake Linux 8.0
- RedHat Linux 7.2 ia64
- RedHat Linux 7.2 x86
- RedHat Linux 7.2 alpha
- RedHat Linux 7.1 x86
- RedHat Linux 7.1 ia64
- RedHat Linux 7.1
- RedHat Linux 7.0 sparc
- RedHat Linux 7.0
- RedHat Linux 7.0 x86
- RedHat Linux 7.0 alpha
- RedHat Linux 6.2 sparc
- RedHat Linux 6.2 x86
- RedHat Linux 6.2
- RedHat Linux 6.2 alpha
- SuSE Linux 8.0 i386
- SuSE Linux 7.3 sparc
- SuSE Linux 7.3 i386
- SuSE Linux 7.3
- SuSE Linux 7.3 powerpc
- SuSE Linux 7.2
- SuSE Linux 7.2 i386
- SuSE Linux 7.1 alpha
- SuSE Linux 7.1 sparc
- SuSE Linux 7.1 i386
- SuSE Linux 7.1
- SuSE Linux 7.1 powerpc
- SuSE Linux 7.0
- SuSE Linux 7.0 i386
- SuSE Linux 7.0 powerpc
- SuSE Linux 7.0 alpha
C-Note Squid_Auth_LDAP 2.0
- Caldera Open Linux Workstation 3.1.1
- Caldera Open Linux Workstation 3.1
- Caldera Open Linux Server 3.1.1
- Caldera Open Linux Server 3.1
- Debian Linux 2.3 sparc
- Debian Linux 2.3 alpha
- Debian Linux 2.3 IA-32
- Debian Linux 2.3 arm
- Debian Linux 2.3 powerpc
- Debian Linux 2.3 68k
- Debian Linux 2.3 i386
- Mandrake Linux 8.2
- Mandrake Linux 8.1
- Mandrake Linux 8.0
- RedHat Linux 7.2 ia64
- RedHat Linux 7.2 x86
- RedHat Linux 7.2 alpha
- RedHat Linux 7.1 x86
- RedHat Linux 7.1 ia64
- RedHat Linux 7.1
- RedHat Linux 7.0
- RedHat Linux 7.0 x86
- RedHat Linux 7.0 alpha
- RedHat Linux 7.0 sparc
- RedHat Linux 6.2 sparc
- RedHat Linux 6.2 x86
- RedHat Linux 6.2
- RedHat Linux 6.2 alpha
- SuSE Linux 8.0 i386
- SuSE Linux 7.3 sparc
- SuSE Linux 7.3 i386
- SuSE Linux 7.3
- SuSE Linux 7.3 powerpc
- SuSE Linux 7.2
- SuSE Linux 7.2 i386
- SuSE Linux 7.1 alpha
- SuSE Linux 7.1 sparc
- SuSE Linux 7.1 i386
- SuSE Linux 7.1
- SuSE Linux 7.1 powerpc
- SuSE Linux 7.0 i386
- SuSE Linux 7.0 powerpc
- SuSE Linux 7.0 alpha
- SuSE Linux 7.0
C-Note Squid_Auth_LDAP 2.0 b1
- Caldera Open Linux Workstation 3.1.1
- Caldera Open Linux Workstation 3.1
- Caldera Open Linux Server 3.1.1
- Caldera Open Linux Server 3.1
- Debian Linux 2.3 powerpc
- Debian Linux 2.3 68k
- Debian Linux 2.3 i386
- Debian Linux 2.3 sparc
- Debian Linux 2.3 alpha
- Debian Linux 2.3 IA-32
- Debian Linux 2.3 arm
- Mandrake Linux 8.2
- Mandrake Linux 8.1
- Mandrake Linux 8.0
- RedHat Linux 7.2 alpha
- RedHat Linux 7.2 ia64
- RedHat Linux 7.2 x86
- RedHat Linux 7.1 ia64
- RedHat Linux 7.1
- RedHat Linux 7.1 x86
- RedHat Linux 7.0 alpha
- RedHat Linux 7.0 sparc
- RedHat Linux 7.0
- RedHat Linux 7.0 x86
- RedHat Linux 6.2
- RedHat Linux 6.2 alpha
- RedHat Linux 6.2 sparc
- RedHat Linux 6.2 x86
- SuSE Linux 8.0 i386
- SuSE Linux 7.3
- SuSE Linux 7.3 powerpc
- SuSE Linux 7.3 sparc
- SuSE Linux 7.3 i386
- SuSE Linux 7.2 i386
- SuSE Linux 7.2
- SuSE Linux 7.1
- SuSE Linux 7.1 powerpc
- SuSE Linux 7.1 alpha
- SuSE Linux 7.1 sparc
- SuSE Linux 7.1 i386
- SuSE Linux 7.0 alpha
- SuSE Linux 7.0
- SuSE Linux 7.0 i386
- SuSE Linux 7.0 powerpc
C-Note Squid_Auth_LDAP 2.0 b3
- Caldera Open Linux Workstation 3.1.1
- Caldera Open Linux Workstation 3.1
- Caldera Open Linux Server 3.1.1
- Caldera Open Linux Server 3.1
- Debian Linux 2.3 arm
- Debian Linux 2.3 powerpc
- Debian Linux 2.3 68k
- Debian Linux 2.3 i386
- Debian Linux 2.3 sparc
- Debian Linux 2.3 alpha
- Debian Linux 2.3 IA-32
- Mandrake Linux 8.2
- Mandrake Linux 8.1
- Mandrake Linux 8.0
- RedHat Linux 7.2 x86
- RedHat Linux 7.2 alpha
- RedHat Linux 7.2 ia64
- RedHat Linux 7.1 ia64
- RedHat Linux 7.1
- RedHat Linux 7.1 x86
- RedHat Linux 7.0 alpha
- RedHat Linux 7.0 sparc
- RedHat Linux 7.0
- RedHat Linux 7.0 x86
- RedHat Linux 6.2 x86
- RedHat Linux 6.2
- RedHat Linux 6.2 alpha
- RedHat Linux 6.2 sparc
- SuSE Linux 8.0 i386
- SuSE Linux 7.3 i386
- SuSE Linux 7.3
- SuSE Linux 7.3 powerpc
- SuSE Linux 7.3 sparc
- SuSE Linux 7.2 i386
- SuSE Linux 7.2
- SuSE Linux 7.1 i386
- SuSE Linux 7.1
- SuSE Linux 7.1 powerpc
- SuSE Linux 7.1 alpha
- SuSE Linux 7.1 sparc
- SuSE Linux 7.0 powerpc
- SuSE Linux 7.0 alpha
- SuSE Linux 7.0
- SuSE Linux 7.0 i386
C-Note Squid_Auth_LDAP 2.0 b4
- Caldera Open Linux Workstation 3.1.1
- Caldera Open Linux Workstation 3.1
- Caldera Open Linux Server 3.1.1
- Caldera Open Linux Server 3.1
- Debian Linux 2.3 IA-32
- Debian Linux 2.3 arm
- Debian Linux 2.3 powerpc
- Debian Linux 2.3 68k
- Debian Linux 2.3 i386
- Debian Linux 2.3 sparc
- Debian Linux 2.3 alpha
- Mandrake Linux 8.2
- Mandrake Linux 8.1
- Mandrake Linux 8.0
- RedHat Linux 7.2 x86
- RedHat Linux 7.2 alpha
- RedHat Linux 7.2 ia64
- RedHat Linux 7.1 x86
- RedHat Linux 7.1 ia64
- RedHat Linux 7.1
- RedHat Linux 7.0
- RedHat Linux 7.0 x86
- RedHat Linux 7.0 alpha
- RedHat Linux 7.0 sparc
- RedHat Linux 6.2 x86
- RedHat Linux 6.2
- RedHat Linux 6.2 alpha
- RedHat Linux 6.2 sparc
- SuSE Linux 8.0 i386
- SuSE Linux 7.3 sparc
- SuSE Linux 7.3 i386
- SuSE Linux 7.3
- SuSE Linux 7.3 powerpc
- SuSE Linux 7.2 i386
- SuSE Linux 7.2
- SuSE Linux 7.1 sparc
- SuSE Linux 7.1 i386
- SuSE Linux 7.1
- SuSE Linux 7.1 powerpc
- SuSE Linux 7.1 alpha
- SuSE Linux 7.0 powerpc
- SuSE Linux 7.0 alpha
- SuSE Linux 7.0
- SuSE Linux 7.0 i386
C-Note Squid_Auth_LDAP 2.0.1
- Caldera Open Linux Workstation 3.1.1
- Caldera Open Linux Workstation 3.1
- Caldera Open Linux Server 3.1.1
- Caldera Open Linux Server 3.1
- Debian Linux 2.3 i386
- Debian Linux 2.3 sparc
- Debian Linux 2.3 alpha
- Debian Linux 2.3 IA-32
- Debian Linux 2.3 arm
- Debian Linux 2.3 powerpc
- Debian Linux 2.3 68k
- Mandrake Linux 8.2
- Mandrake Linux 8.1
- Mandrake Linux 8.0
- RedHat Linux 7.2 x86
- RedHat Linux 7.2 alpha
- RedHat Linux 7.2 ia64
- RedHat Linux 7.1 x86
- RedHat Linux 7.1 ia64
- RedHat Linux 7.1
- RedHat Linux 7.0
- RedHat Linux 7.0 x86
- RedHat Linux 7.0 alpha
- RedHat Linux 7.0 sparc
- RedHat Linux 6.2 sparc
- RedHat Linux 6.2 x86
- RedHat Linux 6.2
- RedHat Linux 6.2 alpha
- SuSE Linux 8.0 i386
- SuSE Linux 7.3 sparc
- SuSE Linux 7.3 i386
- SuSE Linux 7.3
- SuSE Linux 7.3 powerpc
- SuSE Linux 7.2
- SuSE Linux 7.2 i386
- SuSE Linux 7.1 sparc
- SuSE Linux 7.1 i386
- SuSE Linux 7.1
- SuSE Linux 7.1 powerpc
- SuSE Linux 7.1 alpha
- SuSE Linux 7.0 powerpc
- SuSE Linux 7.0 alpha
- SuSE Linux 7.0
- SuSE Linux 7.0 i386
BUGTRAQ ID: 4679
CVE(CAN) ID: CVE-2002-0374
Squid_Auth_LDAP是一款免费开放源代码的验证模块,由C-note分发和维护,可使用于Linux操作系统下。
Squid_Auth_LDAP存在设计问题,可导致远程攻击者进行格式串溢出攻击,以使用Squid_Auth_LDAP模块进程的权限在目标系统中执行任意指令。
由于在Squid_Auth_LDAP模块中程序不安全地调用了logging()函数,攻击者可以连接系统并提供精心构建的格式串,溢出攻击覆盖内存任意位置,并以调用Squid_Auth_LDAP模块进程的权限在目标系统中执行任意指令。
Squid认证模块允许用户通过squid caching服务程序连接外部服务,在squid服务中增加ldap://功能:
--在pam_ldap中--
fp = fopen (configFile, "r");
if (fp == NULL)
{
/*
* According to PAM Documentation, such an error in a config file
* SHOULD be logged at LOG_ALERT level
*/
snprintf (errmsg, sizeof (errmsg), "pam_ldap: missing file \"%s\"",
configFile);
syslog (LOG_ALERT, errmsg);
return PAM_SERVICE_ERR;
}
configfile文件如下定义:
else if (!strncmp (argv[i], "config=", 7))
configFile = argv[i] + 7;
在main函数中:
- --- 在squid_auth_ldap中---
void logging( int ll, const char* fmt, ... )
{
char buffer[1024];
va_list ap;
va_start( ap, fmt );
vsnprintf( buffer, 1024, fmt, ap );
if( ll == DEBUG && _logLevel >= DEBUG )
{
syslog( LOG_INFO, buffer );
/*#ifdef DEBUG
printf("DEBUG\n");
#endif*/
}
else
if( ll == WARN && _logLevel >= WARN )
{
syslog( LOG_INFO, buffer );
/*#ifdef DEBUG
printf("WARN\n");
#endif*/
}
else
if( ll == INFO && _logLevel >= INFO )
{
syslog( LOG_INFO, buffer );
/*#ifdef DEBUG
printf("INFO\n");
#endif*/
}
else
if( ll == RUN && _logLevel >= RUN )
{
syslog( LOG_INFO, buffer );
/*#ifdef DEBUG
printf("RUN\n");
#endif*/
}
}
而调用loggin()函数有问题的包括如下:
ldap_utils.c: logging( INFO, "- password check for %s", dn );
ldap_utils.c: logging( DEBUG, "- (%d) %s", i, val[i] );
ldap_utils.c: logging( DEBUG, "- open connection to ldapserver: %s:%d", ldapServer, ldapPort);
ldap_utils.c: logging( WARN, "- cannot login to: %s:%d", ldapServer, ldapPort);
ldap_utils.c: logging( DEBUG, "- search for: %s", searchStr );
ldap_utils.c: logging( DEBUG, "- entry found: %s", grpDN );
ldap_utils.c: logging( DEBUG, "- searchstr: %s", searchStr );
ldap_utils.c: logging( DEBUG, "- start searching for uid: %s", uid );
ldap_utils.c: logging( WARN, "- user \"%s\", not found!\n", uid);
ldap_utils.c: logging( DEBUG, "- DN found: %s", udn );
ldap_utils.c: logging( DEBUG, "- is user %s in %s\n", dn, gdn );
ldap_utils.c: logging( DEBUG, "- user \"%s\" is in Group \"%s\"", dn, gdn );
ldap_utils.c: logging( DEBUG, "- user \"%s\" is NOT in Group \"%s\"", dn, gdn );
main.c: logging( RUN, "%s - %s - starting", PROG, VERS );
main.c: logging( RUN, "- find DN for group %s\n", conf.pxyGroup );
main.c: logging( WARN, "- unable to find group: %s", conf.pxyGroup );
main.c: logging( DEBUG, "- group DN: %s", dnGrp );
main.c: logging( RUN, "%s - %s - ready", PROG, VERS );
main.c: logging( RUN, "- unable to connect to LDAP server: %s:%d", conf.ldapServer, conf.ldapPort);
main.c: logging( DEBUG, "- connected to ldapServer %s:%d", conf.ldapServer, conf.ldapPort);
main.c: logging( RUN, "- unable to connect to LDAP server: %s:%d", conf.ldapServer, conf.ldapPort);
main.c: logging( DEBUG, "- connected to ldapServer %s:%d", conf.ldapServer, conf.ldapPort);
main.c: logging( RUN, "%s - %s - stopping", PROG, VERS );
main.c: logging( DEBUG, "- user string: |%s|", buf);
main.c: logging( DEBUG, "- got User: %s", user );
main.c: logging( DEBUG, "- got Password: %s", crypt (pass, "42") );
options.c: logging(DEBUG,"- ldapServer: %s ", conf->ldapServer );
options.c: logging(DEBUG,"- searchBase: %s ", conf->searchBase );
options.c: logging(DEBUG,"- pxyGroup: %s ", conf->pxyGroup );
options.c: logging(DEBUG,"- confFile: %s ", conf->confFile );
<*来源:blackshell@hushmail.com (blackshell@hushmail.com)
链接:http://archives.neohapsis.com/archives/bugtraq/2002-05/0029.html
*>
建议:
临时解决方法:
如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:
* 暂时没有合适的临时解决方法。
厂商补丁:
C-Note
------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.c-note.dk/software/
浏览次数:3336
严重程度:0(网友投票)
绿盟科技给您安全的保障