LinuxSir.cn,穿越时空的Linuxsir!

 找回密码
 注册
搜索
热搜: shell linux mysql
查看: 803|回复: 0

哈哈好东西我没看懂是重安全焦点~转个来的

[复制链接]
发表于 2003-8-4 00:08:30 | 显示全部楼层 |阅读模式
创建时间:2003-07-30
文章属性:原创
文章提交:jsk_ (jsk_at_ph4nt0m.net)

========================================
                              Ph4nt0m Security Advisory 2#2003--7-7
                            ========================================

            lockdev in redhat 7.3 ,8.0 ,9.0 possible all linux os  Segmentation fault


By "jsk" (akun), in ph4nt0m.net(c) Security.
BY "nic" 0x333 OUTSIDERS SECURITY LABS
E-mail: jsk@ph4nt0m.net
E-mail: nic0x333@hotmail.com

Advisory Number : pst-2003--7-29-003
程序名          : lockdev
版本            : rpm in redhat 7.3 8.0 possible 9.0 --> all redhat
Vendor          :http://www.hklpg.org/RPM/rawhide ... -1.0.0-21.ia64.html
类型            : 可能Local
影响系统(s)     : *nix
更多信息        : http://packetstorm.icx.fr/filedesc/0x333-lockdexvul.txt.html
*****************************************************************************
Description : 这个漏洞是存在与现有所有的REDHAT系统,LOCKDEV是个+s程序,本来在

未写出EX之前不打算公开,不过,确实最近有其他的东西要学习,所以发出,并给出相应

的出错,和部分调试。
*****************************************************************************
具体漏洞:
*****************************************************************************
看原代码前用的是 -u 参数,因而找出下面的对应-U代码

c/* exported by the interface file lockdev.h */
pid_t
dev_unlock( devname, pid)
    const char * devname;
    const pid_t pid;
{
    const char * p;
    char device[MAXPATHLEN+1];
    char lock0[MAXPATHLEN+1];
    char lock1[MAXPATHLEN+1];
    char lock2[MAXPATHLEN+1];
    struct stat statbuf;
    pid_t wpid;

#if DEBUG
    if ( env_var_debug == -1 ) {
        char *value;
        if ( value=getenv( _env_var ) )
            env_var_debug = liblockdev_debug = atoi( value);
        signal( SIGUSR1, _dl_sig_handler);
        signal( SIGUSR2, _dl_sig_handler);
    }
#endif /* DEBUG */
    _debug( 3, "dev_unlock(%s, %d)\n", devname, (int)pid);
    if (oldmask == -1 )
        oldmask = umask( 0);    /* give full permissions to files created */
    if ( ! (p=_dl_check_devname( devname)) )...........注意,就是这里出错拉。
         close_n_return( -1);
    strcpy( device, DEV_PATH);
    strcat( device, p);    /* now device has a copy of the pathname */
    _debug( 2, "dev_unlock() device = %s\n", device);

    /* check the device name for existence and retrieve the major
     * and minor numbersn
    if ( stat( device, &statbuf) == -1 ) {
        close_n_return( -1);
    }

    /* first remove the FSSTND-1.2 lock, get the pid of the
     * owner of the lock and test for its existence; in case,
     * return the pid of the owner of the lock.
     */
    /* lockfile of type /var/lock/LCK..ttyS2 */
    _dl_filename_2( lock2, p);
    wpid = _dl_check_lock( lock2);
    if ( pid && wpid && pid != wpid )
        close_n_return( wpid);    /* error or locked by someone else */

    /* lockfile of type /var/lock/LCK.004.064 */
    _dl_filename_1( lock1, &statbuf);
    wpid = _dl_check_lock( lock1);
    if ( pid && wpid && pid != wpid )
        close_n_return( wpid);    /* error or locked by someone else */

    _dl_filename_0( lock0, wpid);
    if ( wpid == _dl_check_lock( lock0))
        unlink( lock0);

    /* anyway now we remove the files, in the reversed order than
     * they have been built.
     */
    unlink( lock2);
    unlink( lock1);
    _debug( 2, "dev_unlock() unlocked\n");
    close_n_return( 0);    /* successfully unlocked */
}

..........................................................................

出错信息中,进一步知道,是_dl_check_devname()函数中的m=strrchr( p, '/')) != 0 Segmentation
fault.


_dl_check_devname( devname)
    const char * devname;
{
    int l;
    const char * p;
    char *m;

    /* devname can be absolute, relative to PWD or a single
     * filename, in any case we assume that the file is in /dev;
     * maybe we should check it and do something if not?
     */
    p = devname;    /* only a filename */
    while ( (m=strrchr( p, '/')) != 0 ) {                     ..................就是这里
        p = m+1;    /* was pointing to the slash */
.....................................................................................

.................................................................................................
初步调试:

bash-2.05a$ gdb ./lockdev
GNU gdb Red Hat Linux (5.1.90CVS-5)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(no debugging symbols found)...
(gdb) r -u
Starting program: /usr/sbin/lockdev -u
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x42080f33 in strrchr () from /lib/i686/libc.so.6
(gdb) disas dev_unlock
Dump of assembler code for function dev_unlock:
0x8049b80 <dev_unlock>: push   %ebp
0x8049b81 <dev_unlock+1>:       mov    %esp,%ebp
0x8049b83 <dev_unlock+3>:       push   %edi
0x8049b84 <dev_unlock+4>:       push   %esi
0x8049b85 <dev_unlock+5>:       push   %ebx
0x8049b86 <dev_unlock+6>:       sub    $0x407c,%esp
0x8049b8c <dev_unlock+12>:      call   0x8048d10 <main+528>
0x8049b91 <dev_unlock+17>:      add    $0x56f,%ebx
0x8049b97 <dev_unlock+23>:      cmpl   $0xffffffff,0xffffff1c(%ebx)
0x8049b9e <dev_unlock+30>:      jne    0x8049bb3 <dev_unlock+51>
0x8049ba0 <dev_unlock+32>:      sub    $0xc,%esp
0x8049ba3 <dev_unlock+35>:      push   $0x2
0x8049ba5 <dev_unlock+37>:      call   0x804882c <umask>
0x8049baa <dev_unlock+42>:      mov    %eax,0xffffff1c(%ebx)
0x8049bb0 <dev_unlock+48>:      add    $0x10,%esp
0x8049bb3 <dev_unlock+51>:      mov    0x8(%ebp),%eax
0x8049bb6 <dev_unlock+54>:      sub    $0xc,%esp
0x8049bb9 <dev_unlock+57>:      push   %eax
0x8049bba <dev_unlock+58>:      call   0x8049110 <_dl_check_devname>
0x8049bbf <dev_unlock+63>:      mov    %eax,%edi
0x8049bc1 <dev_unlock+65>:      add    $0x10,%esp
0x8049bc4 <dev_unlock+68>:      test   %edi,%edi
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) b *0x8049bba
Breakpoint 1 at 0x8049bba
(gdb) r -u
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /usr/sbin/lockdev -u
(no debugging symbols found)...(no debugging symbols found)...
Breakpoint 1, 0x08049bba in dev_unlock ()
(gdb) b *0x8049bbf
Breakpoint 2 at 0x8049bbf
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /usr/sbin/lockdev -u
(no debugging symbols found)...(no debugging symbols found)...
Breakpoint 1, 0x08049bba in dev_unlock ()
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x42080f33 in strrchr () from /lib/i686/libc.so.6
(gdb)

so i can deside  bug is in  <0x8049bbf <dev_unlock+63>:      mov    %eax,%edi>
(gdb) disas strrchr
Dump of assembler code for function strrchr:
0x42080e90 <strrchr>:   push   %edi
0x42080e91 <strrchr+1>: push   %esi
0x42080e92 <strrchr+2>: xor    %eax,%eax
0x42080e94 <strrchr+4>: mov    0xc(%esp,1),%esi
0x42080e98 <strrchr+8>: mov    0x10(%esp,1),%ecx
0x42080e9c <strrchr+12>:        mov    %cl,%ch
0x42080e9e <strrchr+14>:        mov    %ecx,%edx
0x42080ea0 <strrchr+16>:        shl    $0x10,%ecx
0x42080ea3 <strrchr+19>:        mov    %dx,%cx
0x42080ea6 <strrchr+22>:        test   $0x3,%esi
0x42080eac <strrchr+28>:        je     0x42080f33 <strrchr+163>
0x42080eb2 <strrchr+34>:        mov    (%esi),%dl
0x42080eb4 <strrchr+36>:        cmp    %dl,%cl
0x42080eb6 <strrchr+38>:        jne    0x42080eba <strrchr+42>
0x42080eb8 <strrchr+40>:        mov    %esi,%eax
0x42080eba <strrchr+42>:        or     %dl,%dl
0x42080ebc <strrchr+44>:        je     0x42081046 <strrchr+438>
0x42080ec2 <strrchr+50>:        inc    %esi
0x42080ec3 <strrchr+51>:        test   $0x3,%esi
0x42080ec9 <strrchr+57>:        je     0x42080f33 <strrchr+163>
0x42080ecb <strrchr+59>:        mov    (%esi),%dl
0x42080ecd <strrchr+61>:        cmp    %dl,%cl
---Type <return> to continue, or q <return> to quit---
0x42080ecf <strrchr+63>:        jne    0x42080ed3 <strrchr+67>
0x42080ed1 <strrchr+65>:        mov    %esi,%eax
0x42080ed3 <strrchr+67>:        or     %dl,%dl
0x42080ed5 <strrchr+69>:        je     0x42081046 <strrchr+438>
0x42080edb <strrchr+75>:        inc    %esi
0x42080edc <strrchr+76>:        test   $0x3,%esi
0x42080ee2 <strrchr+82>:        je     0x42080f33 <strrchr+163>
0x42080ee4 <strrchr+84>:        mov    (%esi),%dl
0x42080ee6 <strrchr+86>:        cmp    %dl,%cl
0x42080ee8 <strrchr+88>:        jne    0x42080eec <strrchr+92>
0x42080eea <strrchr+90>:        mov    %esi,%eax
0x42080eec <strrchr+92>:        or     %dl,%dl
0x42080eee <strrchr+94>:        je     0x42081046 <strrchr+438>
0x42080ef4 <strrchr+100>:       inc    %esi
0x42080ef5 <strrchr+101>:       jmp    0x42080f33 <strrchr+163>
0x42080ef7 <strrchr+103>:       add    %al,(%eax)
0x42080ef9 <strrchr+105>:       add    %al,0xee8304ee(%ebx)
0x42080eff <strrchr+111>:       add    $0x83,%al
0x42080f01 <strrchr+113>:       out    %al,(%dx)
0x42080f02 <strrchr+114>:       add    $0xf7,%al
0x42080f04 <strrchr+116>:       ret    $0x0
0x42080f07 <strrchr+119>:       add    %bh,%bh
0x42080f09 <strrchr+121>:       jne    0x42080f19 <strrchr+137>
---Type <return> to continue, or q <return> to quit---
0x42080f0b <strrchr+123>:       lea    0xf(%esi),%eax
0x42080f0e <strrchr+126>:       jmp    0x42080f30 <strrchr+160>
0x42080f10 <strrchr+128>:       sub    $0x4,%esi
0x42080f13 <strrchr+131>:       sub    $0x4,%esi
0x42080f16 <strrchr+134>:       sub    $0x4,%esi
0x42080f19 <strrchr+137>:       test   $0xff0000,%edx
0x42080f1f <strrchr+143>:       jne    0x42080f26 <strrchr+150>
0x42080f21 <strrchr+145>:       lea    0xe(%esi),%eax
0x42080f24 <strrchr+148>:       jmp    0x42080f30 <strrchr+160>
0x42080f26 <strrchr+150>:       lea    0xc(%esi),%eax
0x42080f29 <strrchr+153>:       test   %dh,%dh
0x42080f2b <strrchr+155>:       jne    0x42080f30 <strrchr+160>
0x42080f2d <strrchr+157>:       lea    0xd(%esi),%eax
0x42080f30 <strrchr+160>:       add    $0x10,%esi
0x42080f33 <strrchr+163>:       mov    (%esi),%edx。。。。。。。。。。。。。。。就是这里出错
                                         0x00  0x00            
(gdb)


.......................................


*************************************************************************************************
By "jsk" (akun), in ph4nt0m.net(c) Security.
BY "nic" 0x333 OUTSIDERS SECURITY LABS
E-mail:jsk@ph4nt0m.net
E-mail:nic0x333@hotmail.com
ph4nt0m Security Home: http://www.ph4nt0m.net
My World: http://jsk.njsafe.com
MY GnuPG Public Key: http://202.119.104.82/webeq/app/jsk/jsk.asc
您需要登录后才可以回帖 登录 | 注册

本版积分规则

快速回复 返回顶部 返回列表