Mailman Local Format String Vulnerability
Release date: 2000-08-10
Last updated: 2000-08-10
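Affected systems:
GNU Mailman 2.0beta3
GNU Mailman 2.0beta4
- Conectiva Linux 5.1
Conectiva Linux 5.0
Conectiva Linux 4.2
Conectiva Linux 4.1
Red Hat Secure Web Server 3.0 - i386
Red Hat Secure Web Server 3.1 - i386, alpha, sparc
Red Hat Secure Web Server 3.2 - i386
Unaffected systems:
GNU Mailman 2.0beta5
GNU Mailman 1.1
+ Debian Linux 2.2
GNU Mailman 1.0
+ Debian Linux 2.1
MandrakeSoft Linux Mandrake 7.1
MandrakeSoft Linux Mandrake 6.1
MandrakeSoft Linux Mandrake 6.0
Description:
GNU Mailman 2.0beta3 and 2.0beta4 contain a security vulnerability that allows a local user to gain the privileges of the mailman group.
One of Mailman's wrapper programs is installed setgid mailman. It mishandles format specifiers contained in user-supplied input, which may overwrite a return address on the stack of the running process and thereby execute arbitrary commands. After gaining mailman group privileges, an attacker can modify certain binaries or scripts in the Mailman package and may go on to gain higher privileges.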
<* Source: Stan Bubrouski (secnet@crosswinds.net) *>
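Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!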
[user@king user]$ ls -al /usr/share/mailman/mail/wrapper
-rwxr-sr-x 1 mailman mailman 36290 Jul 1 06:48 /usr/share/mailman/mail/wrapper
[user@king user]$ cd /usr/share/mailman/mail
[user@king mail]$ ls -al
total 39
drwxrwsr-x 2 mailman mailman 1024 Jul 12 19:29 .
drwxrwsr-x 16 mailman mailman 1024 Jul 27 20:13 ..
-rwxr-sr-x 1 mailman mailman 36290 Jul 1 06:48 wrapper
[user@king mail]$ ./wrapper
Usage: ./wrapper program [args...]
[user@king mail]$ ./wrapper %s
Illegal command: Illegal command: %s[user@king mail]$ ./wrapper %s%s
Illegal command: Illegal command: %s%s朂
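The flaw class described above, next to its fix, as an added example that is not Mailman's own code. It assumes the wrapper first builds its "Illegal command" message from the argument and then reuses that message as a format string; fmt_into, report_flawed and report_fixed are hypothetical names.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style helper standing in for the wrapper's message
 * routine. Declaring it with __attribute__((format(printf, 3, 4))) would let
 * GCC/Clang -Wformat-security flag the flawed call below. */
static int fmt_into(char *dst, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(dst, n, fmt, ap);
    va_end(ap);
    return len;
}

/* Flawed: msg already contains the user's text and is then used as a format,
 * so any '%' in the argument is interpreted a second time. */
int report_flawed(char *out, size_t n, const char *user_arg)
{
    char msg[256];
    fmt_into(msg, sizeof msg, "Illegal command: %s", user_arg);
    return fmt_into(out, n, msg);
}

/* Hardened: the format is always a literal; user text is only ever data. */
int report_fixed(char *out, size_t n, const char *user_arg)
{
    char msg[256];
    fmt_into(msg, sizeof msg, "Illegal command: %s", user_arg);
    return fmt_into(out, n, "%s", msg);
}

int main(void)
{
    /* Constructed input. "%%" is the one directive that takes no argument,
     * so the flawed path stays well-defined while still showing the parse. */
    const char *arg = "50%%";
    char a[300], b[300];
    report_flawed(a, sizeof a, arg);
    report_fixed(b, sizeof b, arg);
    printf("flawed: %s\nfixed:  %s\n", a, b);
    return strcmp(a, b) == 0;   /* exit status 0 when the two outputs differ */
}
```

The flawed path collapses "%%" to a single "%", which shows the argument being parsed as a format; the fixed path prints it unchanged.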
Recommendation:
Upgrade to Mailman 2.0beta5:
http://www.gnu.org/software/mailman/mailman.html
[ debian ]
Source packages:
ftp://ftp.debian.org/debian/dists/woody/main/source/mail/mailman_2.0beta5-1.diff.gz
MD5 checksum: 177e666144c35d6b945b30dddf567fef
ftp://ftp.debian.org/debian/dists/woody/main/source/mail/mailman_2.0beta5-1.dsc
MD5 checksum: 431d66e4ef496ce48463ed55193d375c
ftp://ftp.debian.org/debian/dists/woody/main/source/mail/mailman_2.0beta5.orig.tar.gz
MD5 checksum: 2c2602b7745a56adecd4f24fdd6d446f
Intel ia32 architecture:
ftp://ftp.debian.org/debian/dists/woody/main/binary-i386/mail/mailman_2.0beta5-1.deb
MD5 checksum: e2a071bf4a9a3be02978df47ed58acb6
Motorola 680x0 architecture:
ftp://ftp.debian.org/debian/dists/woody/main/binary-m68k/mail/mailman_2.0beta5-1.deb
MD5 checksum: 8bb6367c1e249beaaaa8eb3b7fc71c27
[ RedHat ]
Red Hat Secure Web Server 3.2 must be installed:
i386:
ftp://updates.redhat.com/secureweb/3.2/i386/mailman-2.0beta5-1.i386.rpm
Source:
ftp://updates.redhat.com/secureweb/3.2/SRPMS/mailman-2.0beta5-1.src.rpm
[ CONECTIVA LINUX ]
Binary packages:
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/i386/mailman-2.0beta5-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/i386/mailman-2.0beta5-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/mailman-2.0beta5-1cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.1/i386/mailman-2.0beta5-1cl.i386.rpm
Source packages:
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/SRPMS/mailman-2.0beta5-1cl.src.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/SRPMS/mailman-2.0beta5-1cl.src.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/SRPMS/mailman-2.0beta5-1cl.src.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.1/SRPMS/mailman-2.0beta5-1cl.src.rpm