Vulnerability details
XDR implementations from multiple vendors: remote buffer overflow vulnerability
- CNNVD ID: CNNVD-200303-077
- Severity: High
- CVE ID: CVE-2003-0028
- Vulnerability type: Design error
- Published: 2003-03-25
- Threat type: Remote
- Updated: 2006-01-30
- Vendor: sun
- Source: Marc Maiffret ※ mar…
Vulnerability summary
The XDR (External Data Representation) library provides a platform-independent way to send data from one system process to another.
The xdrmem_getbytes() function in the XDR library shipped by Sun Microsystems contains an integer overflow. A remote attacker can use this flaw against applications that use the XDR library and may execute arbitrary instructions on the system with the privileges of the application process.
The problem lies in the xdrmem_getbytes() function at line 168 of usr/src/lib/libnsl/rpc/xdr_mem.c:
    static bool_t
    xdrmem_getbytes(XDR *xdrs, caddr_t addr, int len)
    {
        int tmp;

        trace2(TR_xdrmem_getbytes, 0, len);
        if ((tmp = (xdrs->x_handy - len)) < 0) {      /* <-- VULNERABILITY */
            syslog(LOG_WARNING,
                   …..
                   …..
            return (FALSE);
        }
        xdrs->x_handy = tmp;
        (void) memcpy(addr, xdrs->x_private, len);    /* <-- VULNERABILITY */
        xdrs->x_private += len;
        trace1(TR_xdrmem_getbytes, 1);
        return (TRUE);
    }
In the code above, "len" is a signed integer, so a negative "len" leads to a buffer overflow:
    if ((tmp = (xdrs->x_handy - len)) < 0) {      --> this check is bypassed
With a negative len, x_handy - len is positive, so the check passes; the subsequent memcpy(addr, xdrs->x_private, len) then receives len converted to a huge unsigned size and overflows. An attacker can craft a special XDR encoding to trigger the integer overflow. Depending on how the caller uses xdrmem_getbytes(), the attacker may overwrite an already allocated heap buffer, causing a heap buffer overflow. This can crash the remote service or, by exploiting characteristics of the memcpy() implementation, alter memory contents and execute arbitrary code.
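As an added illustration, not code from this record or from Sun or glibc: the vulnerable signed check reproduced as a predicate, beside a hardened reader that follows the unsigned x_handy/len approach described in the glibc ChangeLog in the advisory section below. The xdr_demo struct, the sample stream and every function name other than xdrmem_getbytes are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the XDR memory-stream state used by
 * xdrmem_getbytes(): x_private is the read cursor, x_handy the bytes left. */
typedef struct {
    const char *x_private;
    unsigned int x_handy;     /* unsigned, as in the glibc fix */
} xdr_demo;

/* Only the bounds check of the vulnerable Sun code, with x_handy and len both
 * signed int. Returns 1 when the check would let the memcpy proceed: for a
 * negative len, x_handy - len is positive, so the check passes. */
int vulnerable_check_accepts(int x_handy, int len)
{
    int tmp = x_handy - len;
    return tmp >= 0;
}

/* The size_t that memcpy() actually receives for that signed len. */
size_t memcpy_len_seen(int len)
{
    return (size_t)len;
}

/* Hardened variant in the spirit of the glibc change: len and x_handy are
 * unsigned, so a sign flip cannot bypass the comparison, and x_handy is only
 * updated after the check succeeds. Returns 1 on success, 0 on failure. */
int xdrmem_getbytes_fixed(xdr_demo *xdrs, char *addr, unsigned int len)
{
    if (xdrs->x_handy < len)
        return 0;             /* not enough bytes left: refuse, no state change */
    memcpy(addr, xdrs->x_private, len);
    xdrs->x_private += len;
    xdrs->x_handy -= len;
    return 1;
}

/* Read `first` bytes from a constructed 16-byte stream, then attempt `second`.
 * Returns the bytes left afterwards, or -1 if the first read is refused. */
int demo_stream_remaining(unsigned int first, unsigned int second)
{
    static const char sample[] = "0123456789abcdef";  /* constructed input */
    char out[16];
    xdr_demo s = { sample, sizeof sample - 1 };
    if (!xdrmem_getbytes_fixed(&s, out, first))
        return -1;
    (void)xdrmem_getbytes_fixed(&s, out, second);     /* refusal leaves state intact */
    return (int)s.x_handy;
}
```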
Advisory
Vendor patches:
FreeBSD
-------
FreeBSD has released a security advisory (FreeBSD-SA-03:05) and a corresponding patch:
FreeBSD-SA-03:05: remote denial-of-service in XDR encoder/decoder
Link: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:05.xdr.asc
Patch download:
Do one of the following:
1) Upgrade your vulnerable system to the FreeBSD 4-STABLE branch; or
to the RELENG_4_7 (4.7-RELEASE-p8), RELENG_4_6 (4.6-RELEASE-p11), or
RELENG_5_0 (5.0-RELEASE-p5) security branch dated after the correction
date.
2) To patch your present system:
The following patch has been verified to apply to FreeBSD 4.6, and 4.7
systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:05/xdr-4.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:05/xdr-4.patch.asc
The following patch has been verified to apply to FreeBSD 5.0 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:05/xdr-5.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:05/xdr-5.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system as described in
<http://www.freebsd.org/doc/handbook/makeworld.html>.
Note that any statically linked applications that are not part of
the base system (i.e. from the Ports Collection or other 3rd-party
sources) must be recompiled.
All affected applications must be restarted for them to use the
corrected library. Though not required, rebooting may be the easiest
way to accomplish this.
GNU
---
GNU glibc
GNU C Library version 2.3.1 is affected, as are earlier versions. The following patch has been committed to the CVS source tree and should be included in the next release of the GNU C Library. Patch locations:
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/rpc/xdr.h.diff?r1=1.26&r2=1.27&cvsroot=glibc
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_mem.c.diff?r1=1.13&r2=1.15&cvsroot=glibc
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_rec.c.diff?r1=1.26&r2=1.27&cvsroot=glibc
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_sizeof.c.diff?r1=1.5&r2=1.6&cvsroot=glibc
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_stdio.c.diff?r1=1.15&r2=1.16&cvsroot=glibc
2002-12-16 Roland McGrath
* sunrpc/xdr_mem.c (xdrmem_inline): Fix argument type.
* sunrpc/xdr_rec.c (xdrrec_inline): Likewise.
* sunrpc/xdr_stdio.c (xdrstdio_inline): Likewise.
2002-12-13 Paul Eggert
* sunrpc/rpc/xdr.h (struct XDR.xdr_ops.x_inline): 2nd arg
is now u_int, not int.
(struct XDR.x_handy): Now u_int, not int.
* sunrpc/xdr_mem.c: Include .
(xdrmem_getlong, xdrmem_putlong, xdrmem_getbytes, xdrmem_putbytes,
xdrmem_inline, xdrmem_getint32, xdrmem_putint32):
x_handy is now unsigned, not signed.
Do not decrement x_handy if no change is made.
(xdrmem_setpos): Check for int overflow.
* sunrpc/xdr_sizeof.c (x_inline): 2nd arg is now unsigned.
(xdr_sizeof): Remove cast that is now unnecessary, now that
x_handy is unsigned.
IBM
---
AIX 4.3.3, 5.1.0 and 5.2.0 are affected. IBM has provided the following official fixes:
APAR number for AIX 4.3.3: IY38524
APAR number for AIX 5.1.0: IY38434
APAR number for AIX 5.2.0: IY39231
Contact the vendor to obtain the fixes.
MIT
---
MIT Kerberos Development Team
This vulnerability can be used to crash the kadmind server process or to read sensitive information such as keys. Patch download:
http://web.mit.edu/kerberos/www/advisories/2003-003-xdr_patch.txt
RedHat
------
Red Hat has released a security advisory (RHSA-2003:089-00) and corresponding patches:
RHSA-2003:089-00: Updated glibc packages fix vulnerabilities in RPC XDR decoder
Link: https://www.redhat.com/support/errata/RHSA-2003-089.html
Patch download:
Red Hat Linux 6.2:
SRPMS:
ftp://updates.redhat.com/6.2/en/os/SRPMS/glibc-2.1.3-29.src.rpm
i386:
ftp://updates.redhat.com/6.2/en/os/i386/glibc-2.1.3-29.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/glibc-devel-2.1.3-29.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/glibc-profile-2.1.3-29.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/nscd-2.1.3-29.i386.rpm
Red Hat Linux 7.0:
SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/glibc-2.2.4-18.7.0.9.src.rpm
i386:
ftp://updates.redhat.com/7.0/en/os/i386/glibc-2.2.4-18.7.0.9.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/glibc-common-2.2.4-18.7.0.9.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/glibc-devel-2.2.4-18.7.0.9.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/glibc-profile-2.2.4-18.7.0.9.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/nscd-2.2.4-18.7.0.9.i386.rpm
i686:
ftp://updates.redhat.com/7.0/en/os/i686/glibc-2.2.4-18.7.0.9.i686.rpm
Red Hat Linux 7.1:
SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/glibc-2.2.4-32.src.rpm
i386:
ftp://updates.redhat.com/7.1/en/os/i386/glibc-2.2.4-32.i386.rpm
References
- CERT/CC Advisory, CA-2003-10: http://www.cert.org/advisories/CA-2003-10.html
- US-CERT Vulnerability Note, VU#516825: http://www.kb.cert.org/vuls/id/516825
- BUGTRAQ, 20030522 [slackware-security] glibc XDR overflow fix (SSA:2003-141-03): http://marc.theaimsgroup.com/?l=bugtraq&m=105362148313082&w=2
- REDHAT, RHSA-2003:091: http://www.redhat.com/support/errata/RHSA-2003-091.html
- REDHAT, RHSA-2003:089: http://www.redhat.com/support/errata/RHSA-2003-089.html
- REDHAT, RHSA-2003:052: http://www.redhat.com/support/errata/RHSA-2003-052.html
- REDHAT, RHSA-2003:051: http://www.redhat.com/support/errata/RHSA-2003-051.html
- SUSE, SuSE-SA:2003:027: http://www.novell.com/linux/security/advisories/2003_027_glibc.html
- ENGARDE, ESA-20030321-010: http://www.linuxsecurity.com/advisories/engarde_advisory-3024.html
- EEYE, AD20030318: http://www.eeye.com/html/Research/Advisories/AD20030318.html
- DEBIAN, DSA-282: http://www.debian.org/security/2003/dsa-282
- DEBIAN, DSA-272: http://www.debian.org/security/2003/dsa-272
- DEBIAN, DSA-266: http://www.debian.org/security/2003/dsa-266
- TRUSTIX, 2003-0014: http://marc.theaimsgroup.com/?l=bugtraq&m=104878237121402&w=2
- BUGTRAQ, 20030325 GLSA: glibc (200303-22): http://marc.theaimsgroup.com/?l=bugtraq&m=104860855114117&w=2
- BUGTRAQ, 20030319 MITKRB5-SA-2003-003: faulty length checks in xdrmem_getbytes: http://marc.theaimsgroup.com/?l=bugtraq&m=104811415301340&w=2
- BUGTRAQ, 20030319 EEYE: XDR Integer Overflow: http://marc.theaimsgroup.com/?l=bugtraq&m=104810574423662&w=2
- VULNWATCH, 20030319 EEYE: XDR Integer Overflow: http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0140.html
- NETBSD, NetBSD-SA2003-008: ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-008.txt.asc
- BUGTRAQ, 20030331 GLSA: krb5 & mit-krb5 (200303-28): http://www.securityfocus.com/archive/1/archive/1/316960/30/25250/threaded
- BUGTRAQ, 20030331 GLSA: dietlibc (200303-29): http://www.securityfocus.com/archive/1/archive/1/316931/30/25250/threaded
- BUGTRAQ, 20030319 RE: EEYE: XDR Integer Overflow: http://www.securityfocus.com/archive/1/archive/1/315638/30/25430/threaded
- MANDRAKE, MDKSA-2003:037: http://www.mandriva.com/security/advisories?name=MDKSA-2003:037
- US Government Resource, oval:org.mitre.oval:def:230: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:230