安全研究
安全漏洞
mtr本地单字节溢出漏洞
发布日期:2004-12-11
更新日期:2004-12-13
受影响系统:
MTR MTR 0.65描述:
MTR MTR 0.64
MTR MTR 0.63
MTR MTR 0.62
MTR MTR 0.61
MTR MTR 0.60
MTR MTR 0.59
MTR MTR 0.58
MTR MTR 0.57
MTR MTR 0.56
MTR MTR 0.55
mtr是组合'traceroute'和'ping'程序的网络诊断工具。
mtr mtr_curses_keyaction()函数存在单字节溢出问题,本地攻击者可以利用这个漏洞劫持原始套接口,发送伪造数据。
问题存在于mtr_curses_keyaction()函数处理's'键绑定时存在问题:
#define MAXFLD 20
[...]
char buf[MAXFLD];
[...]
if (tolower(c) == 's') {
[...]
while ( (c=getch ()) != '\n' && i<MAXFLD ) {
attron(A_BOLD); printw("%c", c); attroff(A_BOLD); refresh;
buf[i++] = c; /* need more checking on 'c' */
}
buf[i] = '\0';
[...]
}
(i < MAXFLD)条件没有为buf[]的NULL字符遗留空间,可能导致以单字节覆盖%ebp寄存器。但是mtr在打开原始套接口后丢弃了特权,因此这个问题只能允许劫持原始套接口,伪造ICMP包。
<*来源:venglin (venglin@freebsd.lublin.pl)
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=110279034910663&w=2
*>
建议:
厂商补丁:
MTR
---
补丁下载:
- --- mtr-0.65/curses.c.old Sat Dec 11 18:00:37 2004
+++ mtr-0.65/curses.c Sat Dec 11 18:01:18 2004
@@ -119,7 +119,7 @@
mvprintw(3, 0, "Size Range: %d-%d, <0 random.\n", MINPACKET, MAXPACKET);
move(2,20);
refresh();
- - while ( (c=getch ()) != '\n' && i<MAXFLD ) {
+ while ( (c=getch ()) != '\n' && i<MAXFLD-1 ) {
attron(A_BOLD); printw("%c", c); attroff(A_BOLD); refresh ();
buf[i++] = c; /* need more checking on 'c' */
}
@@ -140,7 +140,7 @@
mvprintw(3, 0, "Pattern Range: 0(0x00)-255(0xff), <0 random.\n");
move(2,18);
refresh();
- - while ( (c=getch ()) != '\n' && i<MAXFLD ) {
+ while ( (c=getch ()) != '\n' && i<MAXFLD-1 ) {
attron(A_BOLD); printw("%c", c); attroff(A_BOLD); refresh ();
buf[i++] = c; /* need more checking on 'c' */
}
@@ -154,7 +154,7 @@
mvprintw(3, 0, "default 0x00, min cost 0x02, rel 0x04,, thr 0x08, low del \
0x10...\n"); move(2,22);
refresh();
- - while ( (c=getch ()) != '\n' && i<MAXFLD ) {
+ while ( (c=getch ()) != '\n' && i<MAXFLD-1 ) {
attron(A_BOLD); printw("%c", c); attroff(A_BOLD); refresh();
buf[i++] = c; /* need more checking on 'c' */
}
@@ -169,7 +169,7 @@
mvprintw(2, 0, "Interval : %0.0f\n\n", WaitTime );
move(2,11);
refresh();
- - while ( (c=getch ()) != '\n' && i<MAXFLD ) {
+ while ( (c=getch ()) != '\n' && i<MAXFLD-1 ) {
attron(A_BOLD); printw("%c", c); attroff(A_BOLD); refresh();
buf[i++] = c; /* need more checking on 'c' */
}
@@ -185,7 +185,7 @@
mvprintw(2, 0, "First TTL: %d\n\n", fstTTL );
move(2,11);
refresh();
- - while ( (c=getch ()) != '\n' && i<MAXFLD ) {
+ while ( (c=getch ()) != '\n' && i<MAXFLD-1 ) {
attron(A_BOLD); printw("%c", c); attroff(A_BOLD); refresh();
buf[i++] = c; /* need more checking on 'c' */
}
@@ -201,7 +201,7 @@
mvprintw(2, 0, "Max TTL: %d\n\n", maxTTL );
move(2,9);
refresh();
- - while ( (c=getch ()) != '\n' && i<MAXFLD ) {
+ while ( (c=getch ()) != '\n' && i<MAXFLD-1 ) {
attron(A_BOLD); printw("%c", c); attroff(A_BOLD); refresh();
buf[i++] = c; /* need more checking on 'c' */
}
@@ -226,7 +226,7 @@
refresh();
i = 0;
- - while ( (c=getch ()) != '\n' && i < MAXFLD ) {
+ while ( (c=getch ()) != '\n' && i < MAXFLD-1 ) {
if( strchr(available_options, c) ) {
attron(A_BOLD); printw("%c", c); attroff(A_BOLD); refresh();
buf[i++] = c; /* Only permit values in "available_options" be entered */
浏览次数:3351
严重程度:0(网友投票)
绿盟科技给您安全的保障