Information source: [Extended information: Kerberos 5 su privilege escalation vulnerability]
Hotline for submitting security advisories (or leads): 51cto.editor@gmail.com

Vulnerability category: Design error
Attack type: Embedded malicious code
Release date: 2003-11-04
Updated: 2003-11-17

Affected systems:
OpenBSD OpenBSD 3.4
OpenBSD OpenBSD 3.3
OpenBSD OpenBSD 3.2
OpenBSD OpenBSD 3.1
OpenBSD OpenBSD 3.0
OpenBSD OpenBSD 2.9
OpenBSD OpenBSD 2.8

Unaffected systems: None

Reported by: Georgi Guninski (guninski@guninski.com)

Vulnerability description:
BugTraq ID: 8978
OpenBSD is an open-source operating system. OpenBSD has a problem when handling certain executable files; a local attacker may be able to exploit this vulnerability to execute arbitrary malicious instructions with kernel privileges.
The problem is that program header field values are not sanity-checked when a binary is executed. An attacker who builds a malicious binary and executes it can crash the kernel. According to the investigation so far, it appears this vulnerability can be used to execute arbitrary instructions in kernel context.
The problem is in:

    "ibcs2_exec.c" line 619 of 738 --83%-- col 1-8:
    /* read in segment table */
    xs = (struct xseg *)malloc(xep->xe_segsize, M_TEMP, M_WAITOK);
    error = vn_rdwr(UIO_READ, epp->ep_vp, (caddr_t)xs,

From the above, it appears malloc will return NULL. An additional problem is:

    "exec_elf.c" line 792 of 827 --95%-- col 6-20
    np = (Elf_Note *)malloc(ph->p_filesz, M_TEMP, M_WAITOK);

Test method:
WARNING
The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!
Georgi Guninski (guninski@guninski.com) provided the following test program:

    #include <sys/types.h>
    #include <sys/stat.h>
    #include <fcntl.h>
    #include <stdio.h>

    /* $OpenBSD: ibcs2_exec.h,v 1.3 2002/03/14 01:26:50 millert Exp $ */
    /* $NetBSD: ibcs2_exec.h,v 1.4 1995/03/14 15:12:24 scottb Exp $ */

    /*
     * Copyright (c) 1994, 1995 Scott Bartram
     * All rights reserved.
     *
     * adapted from sys/sys/exec_ecoff.h
     * based on Intel iBCS2
     *
     * Redistribution and use in source and binary forms, with or without
     * modification, are permitted provided that the following conditions
     * are met:
     * 1. Redistributions of source code must retain the above copyright
     *    notice, this list of conditions and the following disclaimer.
     * 2. Redistributions in binary form must reproduce the above copyright
     *    notice, this list of conditions and the following disclaimer in the
     *    documentation and/or other materials provided with the distribution.
     * 3. The name of the author may not be used to endorse or promote products ...
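The vulnerability description above comes down to a size taken from a file header being passed to malloc without a sanity check. The following user-space sketch is an added example, not OpenBSD's code or its fix, and shows the kind of validation that belongs before such an allocation. `struct seg_entry`, `SEG_TABLE_MAX` and `load_seg_table` are hypothetical names, and the cap value is an assumed policy.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified table entry; NOT the kernel's struct xseg. */
struct seg_entry { uint16_t type; uint16_t attr; uint32_t filpos; uint32_t psize; };

#define SEG_TABLE_MAX (64u * 1024u)  /* assumed policy cap on table size */

/*
 * Copy a segment table whose offset and size were read from an untrusted
 * header. Returns 0 and sets *out on success, -1 if the values are rejected.
 */
int load_seg_table(const uint8_t *img, size_t img_len,
                   uint32_t tab_off, uint32_t tab_size, struct seg_entry **out)
{
    *out = NULL;
    /* 1. Reject empty or absurdly large sizes before allocating. */
    if (tab_size == 0 || tab_size > SEG_TABLE_MAX)
        return -1;
    /* 2. The table must hold a whole number of entries. */
    if (tab_size % sizeof(struct seg_entry) != 0)
        return -1;
    /* 3. The table must lie inside the file (overflow-safe comparison). */
    if (tab_off > img_len || tab_size > img_len - tab_off)
        return -1;
    /* 4. Allocation can still fail; never use the pointer unchecked. */
    struct seg_entry *t = malloc(tab_size);
    if (t == NULL)
        return -1;
    memcpy(t, img + tab_off, tab_size);
    *out = t;
    return 0;
}

int main(void)
{
    uint8_t img[64] = {0};           /* constructed sample image, all zeros */
    struct seg_entry *t = NULL;
    printf("sane header:   %d\n", load_seg_table(img, sizeof img, 16, 24, &t));
    free(t);
    printf("huge size:     %d\n", load_seg_table(img, sizeof img, 16, 0xFFFFFFFFu, &t));
    printf("past file end: %d\n", load_seg_table(img, sizeof img, 60, 12, &t));
    return 0;
}
```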