Remote format string vulnerability in LPRng on Linux systems

Published: 2000-09-25
Updated: 2000-09-25

Affected systems:
AStArt Technologies LPRng
    - Caldera  eDesktop 2.4
    - Caldera  eServer 2.3
    - Caldera OpenLinux eBuilder 3.0
    - Caldera OpenLinux Desktop 2.3
    - RedHat Linux 7.0
    - Trustix Secure Linux 1.01
    - Trustix Secure Linux 1.0
Description:
BUGTRAQ ID: 1712
CVE(CAN) ID: CVE-2000-0917

LPRng is an implementation of the Berkeley lpr print spooler.

The LPRng shipped with some Linux systems contains a format string vulnerability. A remote attacker can exploit it to execute arbitrary commands on the host with root privileges.

The LPRng implementation contains a function use_syslog() that passes user input, without any checking, to syslog() as the format string. A remote attacker can corrupt the program's control flow by supplying a malicious format string. In testing, this vulnerability could be exploited by an attacker to remotely execute arbitrary commands on the host with root privileges.

The problematic code is in:

/LPRng-3.6.22/src/common/errormsg.c, use_syslog()
---
static void use_syslog(int kind, char *msg)
...
# ifdef HAVE_OPENLOG
        /* use the openlog facility */
        openlog(Name, LOG_PID | LOG_NOWAIT, SYSLOG_FACILITY );
        syslog(kind, msg);
        closelog();

# else
    (void) syslog(SYSLOG_FACILITY | kind, msg);
# endif                                                 /* HAVE_OPENLOG */
...

<*Source: Chris Evans (chris@ferret.lmh.ox.ac.uk)

  Links: http://www.cert.org/advisories/CA-2000-22.html
         http://www.caldera.com/support/security/advisories/CSSA-2000-033.0.txt
         http://www.turbolinux.com/pipermail/tl-security-announce/2001-January/000406.html
         https://www.redhat.com/support/errata/RHSA-2000-065.html
*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided solely for security research and teaching. Users assume all risk!

Chris Evans (chris@ferret.lmh.ox.ac.uk) provided the following test method:
Client:
[chris@localhost chris]$ telnet localhost printer
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
%s%s%s%s%s%s%s%s%s%s

Server:
Program received signal SIGSEGV, Segmentation fault.
0x400f7c66 in _IO_vfprintf (s=0x80c53a0,
    format=0xbffff190 "Dispatch_input: bad request line
'%s%s%s%s%s%s%s%s%s%s^M'", ap=0xbfffed0c) at
../sysdeps/i386/i486/bits/string.h:529
(gdb) bt
#0  0x400f7c66 in _IO_vfprintf (s=0x80c53a0,
    format=0xbffff190 "Dispatch_input: bad request line
'%s%s%s%s%s%s%s%s%s%s^M'", ap=0xbfffed0c) at
../sysdeps/i386/i486/bits/string.h:529
#1  0x4017d60b in vsyslog (pri=6,
    fmt=0xbffff190 "Dispatch_input: bad request line
'%s%s%s%s%s%s%s%s%s%s'", ap=0xbfffed08) at syslog.c:193
#2  0x4017d447 in syslog (pri=6,
    fmt=0xbffff190 "Dispatch_input: bad request line
'%s%s%s%s%s%s%s%s%s%s^M'")
    at syslog.c:102
...

At this point the program has not yet dropped root privileges:

(gdb) print geteuid()
$1 = 4                   <-- initially encouraging
(gdb) print getuid()
$2 = 0                   <-- depressing

Recommendations:
Temporary workaround:

If you cannot install the patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the risk:

* Modify the source so that the message is passed as an argument to a "%s" format, as shown below:
     syslog(kind, msg);
---> syslog(kind, "%s", msg);

     (void) syslog(SYSLOG_FACILITY | kind, msg);
---> (void) syslog(SYSLOG_FACILITY | kind, "%s", msg);
then recompile.

* Alternatively, stop the service or filter the printer service port at the firewall.
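As an added example that is not part of the original advisory or of LPRng's code, the wrapper below shows the shape of the fix described above: the untrusted request line is always the argument of a literal "%s", and the printf-format attribute lets gcc/clang with -Wformat -Wformat-security flag any call site that passes a variable as the format. The names lprng_syslog, format_bad_request and demo are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Hypothetical hardened wrapper (not LPRng's own code). The format is a
 * literal chosen by the caller; the attribute makes the compiler warn when
 * a variable is passed as fmt, which is exactly the defect in use_syslog(). */
static void lprng_syslog(int kind, const char *fmt, ...)
    __attribute__((format(printf, 2, 3)));

static void lprng_syslog(int kind, const char *fmt, ...)
{
    char buf[1024];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buf, sizeof buf, fmt, ap);   /* bounded; fmt is trusted */
    va_end(ap);
    syslog(kind, "%s", buf);               /* buf is data, never a format */
}

/* Renders the diagnostic the way the workaround does: the untrusted request
 * line is the argument of a literal "%s", so any '%' it contains is copied
 * verbatim instead of being interpreted. Returns snprintf's length. */
static int format_bad_request(char *out, size_t outlen, const char *request)
{
    return snprintf(out, outlen, "Dispatch_input: bad request line '%s'", request);
}

/* Constructed sample: the same kind of line that crashed lpd in the gdb
 * session above, rendered safely. Returns 1 if the request text survives
 * unchanged inside the log line. */
static int demo(void)
{
    char line[256];
    const char *request = "%s%s%s%s%s%s%s%s%s%s";   /* constructed input */
    format_bad_request(line, sizeof line, request);
    return strstr(line, request) != NULL;
}

int main(void)
{
    lprng_syslog(LOG_LPR | LOG_ERR, "Dispatch_input: bad request line '%s'",
                 "%s%s%s%s%s%s%s%s%s%s");
    return demo() ? 0 : 1;
}
```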

Vendor patches:

Caldera
-------
Caldera has released a security advisory (CSSA-2000-033.0) and corresponding patches:
CSSA-2000-033.0: format bug in LPRng
Link: http://www.caldera.com/support/security/advisories/CSSA-2000-033.0.txt

Patch download:

OpenLinux Desktop 2.3
Location of Fixed Packages:
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/

3ad5e8e8ab42d2ed1cce0627ca2a0f45 RPMS/LPRng-3.5.3-3.i386.rpm
61f4d3aef6757c68ba73cc1cc8bbcf27 RPMS/LPRng-doc-3.5.3-3.i386.rpm
ebd7e8ec09ef4d92397f608b1125ff82 RPMS/LPRng-doc-ps-3.5.3-3.i386.rpm
c53c9a83c0791030297b6079d7b9fcd9 RPMS/LPRng-lpd-3.5.3-3.i386.rpm
d266aed344873c9ff6aab2a409d760b4 SRPMS/LPRng-3.5.3-3.src.rpm

OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0
Location of Fixed Packages:
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/
9cb7089adcadcf29ee2cb8268acc46c1 RPMS/LPRng-3.5.3-3.i386.rpm
77e9edbf336837a9957c3fc62167aee4 RPMS/LPRng-doc-3.5.3-3.i386.rpm
558a98c48558538bc15f86ca9a555e68 RPMS/LPRng-doc-ps-3.5.3-3.i386.rpm
62c39c60197447be1b4de85f81bcd5a0 RPMS/LPRng-lpd-3.5.3-3.i386.rpm
d266aed344873c9ff6aab2a409d760b4 SRPMS/LPRng-3.5.3-3.src.rpm

OpenLinux eDesktop 2.4
Location of Fixed Packages:
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/

7ec1973e306bbcaa3e27b770b463e6fe RPMS/LPRng-3.5.3-3.i386.rpm
f373e0a2389c64e207b84293d2afc177 RPMS/LPRng-doc-3.5.3-3.i386.rpm
4560b0415dc7dbf7bde284173a49c6f6 RPMS/LPRng-doc-ps-3.5.3-3.i386.rpm
994f2204ba1e743725fe69cecb47dac5 RPMS/LPRng-lpd-3.5.3-3.i386.rpm
d266aed344873c9ff6aab2a409d760b4 SRPMS/LPRng-3.5.3-3.src.rpm

Caldera eServer 2.3:

Caldera RPM eDesktop 2.4 current LPRng-3.5.3-3.i386.rpm
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/LPRng-3.5.3-3.i386.rpm

Caldera RPM eServer 2.3/ eBuilder 3.0 current LPRng-3.5.3-3.i386.rpm
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/LPRng-3.5.3-3.i386.rpm


RedHat
------
RedHat has released a security advisory (RHSA-2000:065-04) and corresponding patches:
RHSA-2000:065-04: LPRng contains a critical string format bug
Link: https://www.redhat.com/support/errata/RHSA-2000-065.html

Patch download:

Red Hat Linux 7.0:

i386:
ftp://updates.redhat.com/7.0/i386/LPRng-3.6.24-2.i386.rpm

sources:
ftp://updates.redhat.com/7.0/SRPMS/LPRng-3.6.24-2.src.rpm

The patch can be installed with the following command:

rpm -Fvh [filename]

This vulnerability report was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.