Security Research

Security Vulnerabilities
Multiple vendor C library realpath() single-byte buffer overflow vulnerability

Published: 2003-07-31
Updated: 2003-08-14

Affected systems:
FreeBSD FreeBSD 5.0 alpha
FreeBSD FreeBSD 5.0
FreeBSD FreeBSD 4.7
FreeBSD FreeBSD 4.6.2-RELEASE
FreeBSD FreeBSD 4.6-STABLE
FreeBSD FreeBSD 4.6-RELEASE
FreeBSD FreeBSD 4.6
FreeBSD FreeBSD 4.5-STABLE
FreeBSD FreeBSD 4.5-RELEASE
FreeBSD FreeBSD 4.5
FreeBSD FreeBSD 4.4-STABLE
FreeBSD FreeBSD 4.4-RELENG
FreeBSD FreeBSD 4.4
FreeBSD FreeBSD 4.3-STABLE
FreeBSD FreeBSD 4.3-RELENG
FreeBSD FreeBSD 4.3-RELEASE
FreeBSD FreeBSD 4.3
FreeBSD FreeBSD 4.2-STABLEpre122300
FreeBSD FreeBSD 4.2-STABLEpre050201
FreeBSD FreeBSD 4.2-STABLE
FreeBSD FreeBSD 4.2-RELEASE
FreeBSD FreeBSD 4.2
FreeBSD FreeBSD 4.1.1-STABLE
FreeBSD FreeBSD 4.1.1-RELEASE
FreeBSD FreeBSD 4.1.1
FreeBSD FreeBSD 4.1
FreeBSD FreeBSD 4.0.x
FreeBSD FreeBSD 4.0 alpha
FreeBSD FreeBSD 4.0
NetBSD NetBSD 1.6.1
NetBSD NetBSD 1.6
NetBSD NetBSD 1.5.3
NetBSD NetBSD 1.5.2
NetBSD NetBSD 1.5.1
NetBSD NetBSD 1.5
OpenBSD OpenBSD 3.3
OpenBSD OpenBSD 3.2
OpenBSD OpenBSD 3.1
OpenBSD OpenBSD 3.0
OpenBSD OpenBSD 2.9
OpenBSD OpenBSD 2.8
OpenBSD OpenBSD 2.7
OpenBSD OpenBSD 2.6
OpenBSD OpenBSD 2.5
OpenBSD OpenBSD 2.4
OpenBSD OpenBSD 2.3
OpenBSD OpenBSD 2.2
OpenBSD OpenBSD 2.1
OpenBSD OpenBSD 2.0
Washington University wu-ftpd 2.6.1
Washington University wu-ftpd 2.6.0
Washington University wu-ftpd 2.5.0
Washington University wu-ftpd 2.6.2
    - Conectiva Linux 9.0
    - Debian Linux 3.0
    - Mandrake Linux 8.2
Description:
BUGTRAQ ID: 8315
CVE(CAN) ID: CVE-2003-0466

The realpath(3) function resolves a given pathname into a canonical absolute pathname. The input may contain ``/'' characters, ``/./'' and ``/../'' components, and symbolic links. realpath(3) is part of the FreeBSD standard C library (and, as the affected-systems list shows, of the NetBSD and OpenBSD libraries as well).

realpath(3) contains an off-by-one error in the length check it performs on the resolved pathname. A local or remote attacker can use it to overflow a buffer in a service that calls the function and execute arbitrary code with that process's privileges.

If the resolved pathname is exactly 1024 bytes long and contains two directory separators, the buffer passed to realpath(3) is overrun by a single NUL byte: the string terminator is written one byte past the end of the buffer. Depending on what lies after that buffer, applications that use realpath(3) may crash (denial of service) or be subverted into executing arbitrary code, including privilege escalation.
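To make the off-by-one concrete, the following C program is an added example; it is not code from this page or from any vendor's libc. It models the final join step of a 4.4BSD-style realpath(3), where the canonical directory (as getcwd(3) returns it) is joined with the last path component, and reproduces the length-check behaviour the advisory describes: a result of exactly MAXPATHLEN (1024) characters passes the flawed check and its terminating NUL lands one byte past the buffer. The `rootd` accounting, the guard byte, the function names and the constructed inputs are this example's own assumptions, not the vendor's source.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAXPATHLEN 1024          /* the 1024-byte limit named in the advisory */
#define GUARD_BYTE 0xAA

/* Resolved-path buffer with a guard byte immediately after it, so a one-byte
 * overrun is observable without corrupting anything else. Constructed for the
 * demo; volatile keeps the compiler from assuming the guard is unchanged. */
struct resolved_buf {
    char path[MAXPATHLEN];
    volatile unsigned char guard;
};

/* Plain append loop instead of strcat(), so that compiler fortification does
 * not abort the process before the overrun can be observed. */
static void append(char *dst, const char *src)
{
    while (*dst)
        dst++;
    while ((*dst++ = *src++) != '\0')
        ;
}

/*
 * Final join step of a 4.4BSD-style realpath(3) (modelled, not copied):
 * 'resolved' already holds the canonical directory and 'wbuf' the last path
 * component. Returns 0 on success, -1 with errno = ENAMETOOLONG if the result
 * would not fit.
 *
 * fixed == 0 uses the flawed check: it budgets 'rootd' bytes for the
 * separator, but a separator is appended only when rootd == 0. With a
 * non-root directory the check is therefore one byte too lax: a result of
 * exactly MAXPATHLEN characters passes, and the terminating NUL is written to
 * resolved[MAXPATHLEN], one byte past the end of the buffer.
 * fixed == 1 budgets (1 - rootd) bytes, which is what is actually appended.
 */
static int join_resolved(char *resolved, const char *wbuf, int fixed)
{
    int rootd = (resolved[0] == '/' && resolved[1] == '\0');
    size_t need = strlen(resolved) + strlen(wbuf) + 1;   /* +1 for the NUL */

    need += fixed ? (size_t)(1 - rootd) : (size_t)rootd;
    if (need > MAXPATHLEN) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if (!rootd)
        append(resolved, "/");
    append(resolved, wbuf);
    return 0;
}

/*
 * Runs the join on a constructed directory of 'dirlen' characters ("/aaa...")
 * and a component of 'namelen' characters ("bbb...").
 * Returns -1 for bad sizes, 0 if the join was refused (ENAMETOOLONG),
 * 1 if it succeeded with the guard intact, 2 if it succeeded and the guard
 * byte was overwritten (the off-by-one NUL write).
 */
static int run_join(size_t dirlen, size_t namelen, int fixed)
{
    static struct resolved_buf buf;
    char wbuf[MAXPATHLEN];

    if (dirlen == 0 || dirlen >= MAXPATHLEN || namelen >= MAXPATHLEN)
        return -1;

    memset(buf.path, 'a', dirlen);
    buf.path[0] = '/';
    buf.path[dirlen] = '\0';
    buf.guard = GUARD_BYTE;

    memset(wbuf, 'b', namelen);
    wbuf[namelen] = '\0';

    if (join_resolved(buf.path, wbuf, fixed) != 0)
        return 0;
    return buf.guard == GUARD_BYTE ? 1 : 2;
}

int main(void)
{
    /* 512 + '/' + 511 = exactly 1024 characters: the condition in the advisory */
    printf("1024-char path, flawed check: %d (2 = guard byte overwritten by NUL)\n",
           run_join(512, 511, 0));
    printf("1024-char path, fixed check:  %d (0 = ENAMETOOLONG)\n",
           run_join(512, 511, 1));
    printf("1023-char path, flawed check: %d (1 = fits, guard intact)\n",
           run_join(512, 510, 0));
    return 0;
}
```

The flawed check budgets a separator byte when the directory is the root (where none is appended) and none when it is not (where one is), so it is one byte too strict at the root and one byte too lax everywhere else; only the lax case matters for security. The exploitation conditions stated above follow from this: the directory part must not be ``/'' (so the resolved path contains at least two separators) and the total length must be exactly 1024 characters.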

On FreeBSD, a number of applications use realpath(3), for example:

lukemftpd(8), an alternative FTP server, uses realpath(3) when processing the MLST and MLSD commands; through it the vulnerability can be exploited to execute arbitrary code with superuser privileges.

sftp-server(8), part of OpenSSH, uses realpath(3) when processing the chdir command; through it the vulnerability can be exploited to execute arbitrary code with the privileges of the authenticated user.

As of FreeBSD 4.8-RELEASE, the FreeBSD Ports Collection contains the following applications that call realpath(3). They have not been audited to determine whether they are vulnerable or exploitable:

BitchX-1.0c19_1
Mowitz-0.2.1_1
XFree86-clients-4.3.0_1
abcache-0.14
aim-1.5.234
analog-5.24,1
anjuta-1.0.1_1
aolserver-3.4.2
argus-2.0.5
arm-rtems-gdb-5.2_1
avr-gdb-5.2.1
ccache-2.1.1
cdparanoia-3.9.8_4
cfengine-1.6.3_4
cfengine2-2.0.3
cmake-1.4.7
comserv-1.4.3
criticalmass-0.97
dedit-0.6.2.3_1
drweb_postfix-4.29.10a
drweb-4.29.2
drweb_sendmail-4.29.10a
edonkey-gui-gtk-0.5.0
enca-0.10.7
epic4-1.0.1_2
evolution-1.2.2_1
exim-3.36_1
exim-4.12_5
exim-ldap-4.12_5
exim-ldap2-4.12_5
exim-mysql-4.12_5
exim-postgresql-4.12_5
fam-2.6.9_2
fastdep-0.15
feh-1.2.4_1
ferite-0.99.6
fileutils-4.1_1
finfo-0.1
firebird-1.0.2
firebird-1.0.r2
frontpage-5.0.2.2623_1
galeon-1.2.8
galeon2-1.3.2_1
gdb-5.3_20030311
gdb-5.2.1_1
gdm2-2.4.1.3
gecc-20021119
gentoo-0.11.34
gkrellmvolume-2.1.7
gltron-0.61
global-4.5.1
gnat-3.15p
gnomelibs-1.4.2_1
gprolog-1.2.16
gracula-3.0
gringotts-1.2.3
gtranslator-0.43_1
gvd-1.2.5
hercules-2.16.5
hte-0.7.0
hugs98-200211
i386-rtems-gdb-5.2_1
i960-rtems-gdb-5.2_1
installwatch-0.5.6
ivtools-1.0.6
ja-epic4-1.0.1_2
ja-gnomelibs-1.4.2_1
ja-msdosfs-20001027
ja-samba-2.2.7a.j1.1_1
kdebase-3.1_1
kdelibs-3.1
kermit-8.0.206
ko-BitchX-1.0c16_3
ko-msdosfs-20001027
leocad-0.73
libfpx-1.2.0.4_1
libgnomeui-2.2.0.1
libpdel-0.3.4
librep-0.16.1_1
linux-beonex-0.8.1
linux-divxplayer-0.2.0
linux-edonkey-gui-gtk-0.2.0.a.2002.02.22
linux-gnomelibs-1.2.8_2
linux-mozilla-1.2
linux-netscape-communicator-4.8
linux-netscape-navigator-4.8
linux-phoenix-0.3
linux_base-6.1_4
linux_base-7.1_2
lsh-1.5.1
lukemftpd-1.1_1
m68k-rtems-gdb-5.2_1
mips-rtems-gdb-5.2_1
mod_php4-4.3.1
moscow_ml-2.00_1
mozilla-1.0.2_1
mozilla-1.2.1_1,2
mozilla-1.2.1_2
mozilla-1.3b,1
mozilla-1.3b
mozilla-embedded-1.0.2_1
mozilla-embedded-1.2.1_1,2
mozilla-embedded-1.3b,1
msyslog-1.08f_1
netraider-0.0.2
openag-1.1.1_1
openssh-portable-3.5p1_1
openssh-3.5
p5-PPerl-0.23
paragui-1.0.2_2
powerpc-rtems-gdb-5.2_1
psim-freebsd-5.2.1
ptypes-1.7.4
pure-ftpd-1.0.14
qiv-1.8
readlink-20010616
reed-5.4
rox-1.3.6_1
rox-session-0.1.18_1
rpl-1.4.0
rpm-3.0.6_6
samba-2.2.8
samba-3.0a20
scrollkeeper-0.3.11_8,1
sh-rtems-gdb-5.2_1
sharity-light-1.2_1
siag-3.4.10
skipstone-0.8.3
sparc-rtems-gdb-5.2_1
squeak-2.7
squeak-3.2
swarm-2.1.1
tcl-8.2.3_2
tcl-8.3.5
tcl-8.4.1,1
tcl-thread-8.1.b1
teTeX-2.0.2_1
wine-2003.02.19
wml-2.0.8
worker-2.7.0
xbubble-0.2
xerces-c2-2.1.0_1
xerces_c-1.7.0
xnview-1.50
xscreensaver-gnome-4.08
xscreensaver-4.08
xworld-2.0
yencode-0.46_1
zh-cle_base-0.9p1
zh-tcl-8.3.0
zh-tw-BitchX-1.0c19_3
zh-ve-1.0
zh-xemacs-20.4_1

<*Source: Janusz Niewiadomski (funkysh@isec.pl)
          Wojciech Purczynski (cliph@isec.pl)

  Links: http://marc.theaimsgroup.com/?l=bugtraq&m=106002488209129&w=2
         ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:08.realpath.asc
*>

Recommendations:
Vendor patches:

FreeBSD
-------
FreeBSD has released a security advisory (FreeBSD-SA-03:08) and a corresponding patch for this issue:
FreeBSD-SA-03:08: Single byte buffer overflow in realpath(3)
Link: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:08.realpath.asc

Patch download:

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch.asc

MandrakeSoft
------------
The vendor has released an update that fixes this issue; download it from the vendor's site:

Mandrake Upgrade wu-ftpd-2.6.2-1.1mdk.i586.rpm
http://www.mandrakesecure.net/en/ftp.php
Mandrake Linux 8.2 Directory: 8.2/RPMS/

Mandrake Upgrade wu-ftpd-2.6.2-1.1mdk.src.rpm
http://www.mandrakesecure.net/en/ftp.php
Mandrake Linux 8.2 Directory: 8.2/SRPMS/

Mandrake Upgrade wu-ftpd-2.6.2-1.1mdk.ppc.rpm
http://www.mandrakesecure.net/en/ftp.php
Mandrake Linux 8.2/PPC Directory: ppc/8.2/RPMS/

Mandrake Upgrade wu-ftpd-2.6.2-1.1mdk.src.rpm
http://www.mandrakesecure.net/en/ftp.php
Mandrake Linux 8.2/PPC Directory: ppc/8.2/SRPMS/

NetBSD
------
The vendor has released an update that fixes this issue; download it from the vendor's site:

NetBSD Patch SA2003-011-realpath.patch
ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2003-011-realpath.patch

OpenBSD
-------
The vendor has released an update that fixes this issue; download it from the vendor's site:

OpenBSD Patch 015_realpath.patch
ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/3.2/common/015_realpath.patch

RedHat
------
The vendor has released an update that fixes this issue; download it from the vendor's site:

RedHat Upgrade wu-ftpd-2.6.2-11.71.1.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/wu-ftpd-2.6.2-11.71.1.i386.rpm

RedHat wu-ftpd-2.6.1-18.i386.rpm:

RedHat Upgrade wu-ftpd-2.6.2-11.72.1.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/wu-ftpd-2.6.2-11.72.1.i386.rpm

RedHat wu-ftpd-2.6.2-5.i386.rpm:

RedHat Upgrade wu-ftpd-2.6.2-11.73.1.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/wu-ftpd-2.6.2-11.73.1.i386.rpm

RedHat wu-ftpd-2.6.2-8.i386.rpm:

RedHat Upgrade wu-ftpd-2.6.2-12.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/wu-ftpd-2.6.2-12.i386.rpm

RedHat wu-ftpd-2.6.1-18.ia64.rpm:

RedHat Upgrade wu-ftpd-2.6.2-11.72.1.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/wu-ftpd-2.6.2-11.72.1.ia64.rpm

RedHat wu-ftpd-2.6.1-16.ppc.rpm:

RedHat Upgrade wu-ftpd-2.6.2-11.71.1.ppc.rpm
ftp://updates.redhat.com/7.1/en/os/iSeries/ppc/wu-ftpd-2.6.2-11.71.1.ppc.rpm

RedHat Upgrade wu-ftpd-2.6.2-11.71.1.ppc.rpm
ftp://updates.redhat.com/7.1/en/os/pSeries/ppc/wu-ftpd-2.6.2-11.71.1.ppc.rpm

S.u.S.E.
--------
The vendor has released an update that fixes this issue; download it from the vendor's site:

SuSE Upgrade wuftpd-2.6.0-403.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.3/n2/wuftpd-2.6.0-403.i386.rpm
SuSE-7.3 Intel

SuSE Upgrade wuftpd-2.6.0-403.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/wuftpd-2.6.0-403.src.rpm
SuSE-7.3 Intel

SuSE Upgrade wuftpd-2.6.0-403.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.2/n2/wuftpd-2.6.0-403.i386.rpm
SuSE-7.2 Intel

SuSE Upgrade wuftpd-2.6.0-403.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/wuftpd-2.6.0-403.src.rpm
SuSE-7.2 Intel

SuSE Upgrade wuftpd-2.6.0-260.sparc.rpm
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n2/wuftpd-2.6.0-260.sparc.rpm
SuSE-7.3 Sparc

SuSE Upgrade wuftpd-2.6.0-260.src.rpm
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/wuftpd-2.6.0-260.src.rpm
SuSE-7.3 Sparc

SuSE Upgrade wuftpd-2.6.0-328.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n2/wuftpd-2.6.0-328.ppc.rpm
SuSE-7.3 PPC

SuSE Upgrade wuftpd-2.6.0-328.src.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/wuftpd-2.6.0-328.src.rpm
SuSE-7.3 PPC

This vulnerability advisory was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.