首页 -> 安全研究
安全研究
安全漏洞
ProFTPD SReplace远程单字节溢出漏洞
发布日期:2006-11-10
更新日期:2006-11-28
受影响系统:
ProFTPD Project ProFTPD 1.3描述:
BUGTRAQ ID: 20992
CVE(CAN) ID: CVE-2006-5815
ProFTPD是一款开放源代码FTP服务程序。
ProFTPD的src/support.c文件中的sreplace()函数在处理特制请求时存在单字节溢出漏洞。漏洞分析代码如下:
"""
char *sreplace(pool *p, char *s, ...) {
va_list args;
char *m,*r,*src = s,*cp;
char **mptr,**rptr;
char *marr[33],*rarr[33];
char buf[PR_TUNABLE_PATH_MAX] = {'\0'}, *pbuf = NULL;
size_t mlen = 0, rlen = 0, blen;
int dyn = TRUE;
cp = buf;
*cp = '\0';
memset(marr, '\0', sizeof(marr));
memset(rarr, '\0', sizeof(rarr));
blen = strlen(src) + 1;
va_start(args, s);
while ((m = va_arg(args, char *)) != NULL && mlen < sizeof(marr)-1) {
char *tmp = NULL;
size_t count = 0;
if ((r = va_arg(args, char *)) == NULL)
break;
/* Increase the length of the needed buffer by the difference between
* the given match and replacement strings, multiplied by the number
* of times the match string occurs in the source string.
*/
tmp = strstr(s, m);
while (tmp) {
pr_signals_handle();
count++;
/* Be sure to increment the pointer returned by strstr(3), to
* advance past the beginning of the substring for which we are
* looking. Otherwise, we just loop endlessly, seeing the same
* value for tmp over and over.
*/
tmp += strlen(m);
tmp = strstr(tmp, m);
}
/* We are only concerned about match/replacement strings that actually
* occur in the given string.
*/
if (count) {
blen += count * (strlen(r) - strlen(m));
marr[mlen] = m;
rarr[mlen++] = r;
}
}
va_end(args);
/* Try to handle large buffer situations (i.e. escaping of
* PR_TUNABLE_PATH_MAX
* (>2048) correctly, but do not allow very big buffer sizes, that may
* be dangerous (BUFSIZ may be defined in stdio.h) in some library
* functions.
*/
#ifndef BUFSIZ
# define BUFSIZ 8192
#endif
if (blen < BUFSIZ)
[1] cp = pbuf = (char *) pcalloc(p, ++blen);
if (!pbuf) {
[2] cp = pbuf = buf;
dyn = FALSE;
blen = sizeof(buf);
}
while (*src) {
for (mptr = marr, rptr = rarr; *mptr; mptr++, rptr++) {
mlen = strlen(*mptr);
rlen = strlen(*rptr);
if (strncmp(src, *mptr, mlen) == 0) {
[3] sstrncpy(cp, *rptr, blen - strlen(pbuf));
if (((cp + rlen) - pbuf + 1) > blen) {
pr_log_pri(PR_LOG_ERR,
"WARNING: attempt to overflow internal ProFTPD buffers");
cp = pbuf + blen - 1;
goto done;
} else {
cp += rlen;
}
src += mlen;
break;
}
}
if (!*mptr) {
[4] if ((cp - pbuf + 1) > blen) {
pr_log_pri(PR_LOG_ERR,
"WARNING: attempt to overflow internal ProFTPD buffers");
cp = pbuf + blen - 1;
}
*cp++ = *src++;
}
}
done:
*cp = '\0';
if (dyn)
return pbuf;
return pstrdup(p, buf);
}
"""
blen的值是可控的,如果将其设置为小于BUFSIZ的值的话(见[1])就可以触发堆溢出,否则可以触发栈溢出(见[2])。
由于在[4]行的错误计算,攻击者可以控制pbuf最后的空字节,这样strlen(pbuf)就会大于blen。由于第三个参数为负数时sstrncpy函数仍可运行,因此[3]行的代码会使用攻击者的数据覆盖pbuf缓冲区。
目前已知至少有两种攻击方式:
1. MKD命令
2. pr_display_file
<*来源:Evgeny Legerov (aland@freeradius.org)
链接:http://bugs.proftpd.org/show_bug.cgi?id=2858#c0
http://proftp.cvs.sourceforge.net/proftp/proftpd/src/main.c?view=diff&r1=text&tr1=1.292&r2=text&tr2=
http://secunia.com/advisories/22803
http://gleg.net/proftpd.txt
http://www.debian.org/security/2006/dsa-1218
http://www.debian.org/security/2006/dsa-1222
http://security.gentoo.org/glsa/glsa-200611-26.xml
*>
建议:
厂商补丁:
Debian
------
Debian已经为此发布了一个安全公告(DSA-1218-1)以及相应补丁:
DSA-1218-1:New proftpd packages fix denial of service
链接:http://www.debian.org/security/2005/dsa-1218
补丁下载:
Source archives:
http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.10-15sarge2.dsc
Size/MD5 checksum: 897 fe043ac01a1753ba7d47e169d7863039
http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.10-15sarge2.diff.gz
Size/MD5 checksum: 127600 d1611a9db379bee3e1f137c4c09d4b13
http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.10.orig.tar.gz
Size/MD5 checksum: 920495 7d2bc5b4b1eef459a78e55c027a4f3c4
Architecture independent components:
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-doc_1.2.10-15sarge2_all.deb
Size/MD5 checksum: 422520 784f6a1ead480a7198dd0ad7df4c6d7d
Alpha architecture:
http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.10-15sarge2_alpha.deb
Size/MD5 checksum: 444406 dd457de80a77a65ea56f917ed8503641
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-common_1.2.10-15sarge2_alpha.deb
Size/MD5 checksum: 200788 0d3e2ba8ea9082b304a2c7f4d6af8df9
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-ldap_1.2.10-15sarge2_alpha.deb
Size/MD5 checksum: 457204 17af0e330f48108785aa9d00507c5291
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-mysql_1.2.10-15sarge2_alpha.deb
Size/MD5 checksum: 476800 dffaa2aad3f25eb2887005c27059b241
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-pgsql_1.2.10-15sarge2_alpha.deb
Size/MD5 checksum: 476468 0c7be08d97b11f187c39f8a965b9e3c6
AMD64 architecture:
http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.10-15sarge2_amd64.deb
Size/MD5 checksum: 389010 2fd7461b794783671e641d72488c4585
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-common_1.2.10-15sarge2_amd64.deb
Size/MD5 checksum: 194562 3113db8aa6ba8e67dcea03632cf6fe67
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-ldap_1.2.10-15sarge2_amd64.deb
Size/MD5 checksum: 400008 3a89749eb456ea237ca4d82ae18e4beb
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-mysql_1.2.10-15sarge2_amd64.deb
Size/MD5 checksum: 415382 302debcfd6ff112e7294959addcdc1d6
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-pgsql_1.2.10-15sarge2_amd64.deb
Size/MD5 checksum: 415174 51c2c6374d0483191874f96dd7318a27
ARM architecture:
http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.10-15sarge2_arm.deb
Size/MD5 checksum: 373836 b740b9aa079946e4d2cbf323ae72a978
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-common_1.2.10-15sarge2_arm.deb
Size/MD5 checksum: 188754 5ffae3af9d619b301595ea9b1175ef37
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-ldap_1.2.10-15sarge2_arm.deb
Size/MD5 checksum: 384048 8beac5c897580847d39427097efd5116
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-mysql_1.2.10-15sarge2_arm.deb
Size/MD5 checksum: 398914 5470be96f5ad34f83d1042139c6a639e
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-pgsql_1.2.10-15sarge2_arm.deb
Size/MD5 checksum: 398778 ae4abd419715b09b9a7bcc1f3e23eb96
HP Precision architecture:
http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.10-15sarge2_hppa.deb
Size/MD5 checksum: 403664 e19be25ea86f75de8fb0015837e47e57
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-common_1.2.10-15sarge2_hppa.deb
Size/MD5 checksum: 194452 65616d5eed9a3270e0df3086ad87a8a7
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-ldap_1.2.10-15sarge2_hppa.deb
Size/MD5 checksum: 414846 5ce90027122e3a27646cc314854ea37e
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-mysql_1.2.10-15sarge2_hppa.deb
Size/MD5 checksum: 431778 5deb145cbaacd0cbee298a0f6a02f6d2
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-pgsql_1.2.10-15sarge2_hppa.deb
Size/MD5 checksum: 431492 9b950e59b183a6795d5eacb2002bf03c
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.10-15sarge2_i386.deb
Size/MD5 checksum: 371202 efa3cca67db44225ecf7990ee8b76808
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-common_1.2.10-15sarge2_i386.deb
Size/MD5 checksum: 188864 6129e4a1b65440c57e6e76e104025cf4
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-ldap_1.2.10-15sarge2_i386.deb
Size/MD5 checksum: 380918 2de20dc3d336007347871007ad2aa9b6
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-mysql_1.2.10-15sarge2_i386.deb
Size/MD5 checksum: 396670 2b6a3833f37f256ac0268bf03d25dfd8
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-pgsql_1.2.10-15sarge2_i386.deb
Size/MD5 checksum: 396432 ba26cbd5cfa7cd9d06c94baad26864b3
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.10-15sarge2_ia64.deb
Size/MD5 checksum: 519710 30aa10cfda1d97d81772d9a9fff3ef4c
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-common_1.2.10-15sarge2_ia64.deb
Size/MD5 checksum: 206994 1eefe822ebe9df3b584f719db1e6e263
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-ldap_1.2.10-15sarge2_ia64.deb
Size/MD5 checksum: 535338 4108fe33e7d1e6827e1545ea6ebfff7e
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-mysql_1.2.10-15sarge2_ia64.deb
Size/MD5 checksum: 562320 0ee714edb0c79544904c0db855daf174
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-pgsql_1.2.10-15sarge2_ia64.deb
Size/MD5 checksum: 562214 4714a62fff2346f1d376f4306e0c6974
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.10-15sarge2_m68k.deb
Size/MD5 checksum: 332528 3ad435ced0a1492fd61ae55c90204ad1
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-common_1.2.10-15sarge2_m68k.deb
Size/MD5 checksum: 187148 312a33fd15cfc35bd182d84ea847c852
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-ldap_1.2.10-15sarge2_m68k.deb
Size/MD5 checksum: 340916 adf942ec807fd5a39fdb9707226921bc
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-mysql_1.2.10-15sarge2_m68k.deb
Size/MD5 checksum: 353106 d724b6da9758c7bd3c4a4dfee4411306
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-pgsql_1.2.10-15sarge2_m68k.deb
Size/MD5 checksum: 352830 5a090fa4b611c42a907919a88861eb9a
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.10-15sarge2_mips.deb
Size/MD5 checksum: 382394 7e6c7b8b92827f3a6644689b0d06ef4e
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-common_1.2.10-15sarge2_mips.deb
Size/MD5 checksum: 201616 fb61630fd14f0520518f78d198b15480
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-ldap_1.2.10-15sarge2_mips.deb
Size/MD5 checksum: 391986 0ffbc86ea82bd910466c367f156af4be
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-mysql_1.2.10-15sarge2_mips.deb
Size/MD5 checksum: 406488 2dff85fe8dc813c5be15780765a90a74
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-pgsql_1.2.10-15sarge2_mips.deb
Size/MD5 checksum: 406238 1d658816888f361611ef7c7a41062f62
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.10-15sarge2_mipsel.deb
Size/MD5 checksum: 384334 ea408f73dd5288c3dbdd15556cb4c884
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-common_1.2.10-15sarge2_mipsel.deb
Size/MD5 checksum: 201838 a2c8ed17d8c6dbfe3ff0a359ec8402fd
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-ldap_1.2.10-15sarge2_mipsel.deb
Size/MD5 checksum: 393390 f6396ba4684fec2a4bd2b8a156c617a8
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-mysql_1.2.10-15sarge2_mipsel.deb
Size/MD5 checksum: 409460 403eb9064b44dfb5c4f5c64e3d11b43e
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-pgsql_1.2.10-15sarge2_mipsel.deb
Size/MD5 checksum: 409212 e1226c8b018ced87ad77118c660d0361
PowerPC architecture:
http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.10-15sarge2_powerpc.deb
Size/MD5 checksum: 384414 3cc172a7ddaf95a37905ce0ca2fc340f
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-common_1.2.10-15sarge2_powerpc.deb
Size/MD5 checksum: 195366 d3db9b92cf67136399f153e804a168bd
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-ldap_1.2.10-15sarge2_powerpc.deb
Size/MD5 checksum: 395170 9f26106f211808f807bfde1c2911629a
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-mysql_1.2.10-15sarge2_powerpc.deb
Size/MD5 checksum: 412014 3a0d74322ba454ee72e0925cb871c3f5
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-pgsql_1.2.10-15sarge2_powerpc.deb
Size/MD5 checksum: 411760 2611181a4d8cb329bea9d9d0db130b31
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.10-15sarge2_s390.deb
Size/MD5 checksum: 379686 06371d89be06ba9c16152ef8d0164f9b
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-common_1.2.10-15sarge2_s390.deb
Size/MD5 checksum: 192976 5a2c80cb11cd89c008a978b2e235bd45
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-ldap_1.2.10-15sarge2_s390.deb
Size/MD5 checksum: 390112 ee494ba31925ba491ba72152a7fd0a88
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-mysql_1.2.10-15sarge2_s390.deb
Size/MD5 checksum: 403944 c38a72652bef06f11e87fa28ab48d86c
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-pgsql_1.2.10-15sarge2_s390.deb
Size/MD5 checksum: 403734 2af77df7a25f5f5ed2b2d06c6fcd6ae3
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.10-15sarge2_sparc.deb
Size/MD5 checksum: 369674 8dd5a9ec08ae54bcbc89ba8b6d695c87
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-common_1.2.10-15sarge2_sparc.deb
Size/MD5 checksum: 188988 03998811bf00f61f9c52f79ee5150978
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-ldap_1.2.10-15sarge2_sparc.deb
Size/MD5 checksum: 379464 fefd89407a8e0fdbc50a5398820aaa3c
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-mysql_1.2.10-15sarge2_sparc.deb
Size/MD5 checksum: 394890 6d62112d1257db0c993e33d075f7adb3
http://security.debian.org/pool/updates/main/p/proftpd/proftpd-pgsql_1.2.10-15sarge2_sparc.deb
Size/MD5 checksum: 394654 ada057a72951b1aa06d599b6e41bc503
补丁安装方法:
1. 手工安装补丁包:
首先,使用下面的命令来下载补丁软件:
# wget url (url是补丁下载链接地址)
然后,使用下面的命令来安装补丁:
# dpkg -i file.deb (file是相应的补丁名)
2. 使用apt-get自动安装补丁包:
首先,使用下面的命令更新内部数据库:
# apt-get update
然后,使用下面的命令安装更新软件包:
# apt-get upgrade
ProFTPD Project
---------------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://proftp.cvs.sourceforge.net/proftp/proftpd/src/main.c?r1=text&r2=text&tr1=1.292&tr2=1.294&view=patch
Gentoo
------
http://www.debian.org/security/2006/dsa-1222
浏览次数:5315
严重程度:0(网友投票)
绿盟科技给您安全的保障