OpenBSD是一款开放源代码Unix类操作系统。 OpenBSD系统的DHCP协议实现上存在缓冲区溢出漏洞,远程攻击者可能利用此漏洞控制服务器。 OpenBSD的options.c文件中的cons_options()函数没有正确地处理DHCP请求。如果远程攻击者所发送的DHCP请求中指定最大消息大小小于最小IP MTU(278)的话,就会在OpenBSD中导致dhcpd(8)覆盖栈缓冲区,执行任意指令。 漏洞存在于负责处理从客户端所接收到的DHCP选项的函数中。在src/usr.sbin/dhcpd/options.c文件中: int cons_options(struct packet *inpacket, struct dhcp_packet *outpacket, int mms, struct tree_cache **options, int overload, /* Overload flags that may be set. */ int terminate, int bootpp, u_int8_t *prl, int prl_len) { unsigned char priority_list[300]; int priority_len; unsigned char buffer[4096]; /* Really big buffer... */ int main_buffer_size; int mainbufix, bufix; int option_size; int length; dhcp.h中定义了DHCP_FIXED_LEN: if (!mms && inpacket && inpacket->options[DHO_DHCP_MAX_MESSAGE_SIZE].data && (inpacket->options[DHO_DHCP_MAX_MESSAGE_SIZE].len >= sizeof(u_int16_t))) mms = getUShort( inpacket->options[DHO_DHCP_MAX_MESSAGE_SIZE].data); if (mms) main_buffer_size = mms - DHCP_FIXED_LEN; else if (bootpp) main_buffer_size...
OpenBSD是一款开放源代码Unix类操作系统。 OpenBSD系统的DHCP协议实现上存在缓冲区溢出漏洞,远程攻击者可能利用此漏洞控制服务器。 OpenBSD的options.c文件中的cons_options()函数没有正确地处理DHCP请求。如果远程攻击者所发送的DHCP请求中指定最大消息大小小于最小IP MTU(278)的话,就会在OpenBSD中导致dhcpd(8)覆盖栈缓冲区,执行任意指令。 漏洞存在于负责处理从客户端所接收到的DHCP选项的函数中。在src/usr.sbin/dhcpd/options.c文件中: int cons_options(struct packet *inpacket, struct dhcp_packet *outpacket, int mms, struct tree_cache **options, int overload, /* Overload flags that may be set. */ int terminate, int bootpp, u_int8_t *prl, int prl_len) { unsigned char priority_list[300]; int priority_len; unsigned char buffer[4096]; /* Really big buffer... */ int main_buffer_size; int mainbufix, bufix; int option_size; int length; dhcp.h中定义了DHCP_FIXED_LEN: if (!mms && inpacket && inpacket->options[DHO_DHCP_MAX_MESSAGE_SIZE].data && (inpacket->options[DHO_DHCP_MAX_MESSAGE_SIZE].len >= sizeof(u_int16_t))) mms = getUShort( inpacket->options[DHO_DHCP_MAX_MESSAGE_SIZE].data); if (mms) main_buffer_size = mms - DHCP_FIXED_LEN; else if (bootpp) main_buffer_size = 64; else main_buffer_size = 576 - DHCP_FIXED_LEN; if (main_buffer_size > sizeof(buffer)) main_buffer_size = sizeof(buffer); main_buffer_size是有符型,可被攻击者控制。只要main_buffer_size是比较小的正整数(<= 4096),执行流就会正常进行: /* Copy the options into the big buffer... */ option_size = store_options( buffer, (main_buffer_size - 7 + ((overload & 1) ? DHCP_FILE_LEN : 0)+ ((overload & 2) ? DHCP_SNAME_LEN : 0)), options, priority_list, priority_len, main_buffer_size, (main_buffer_size + ((overload & 1) ? DHCP_FILE_LEN : 0)), terminate); /* Put the cookie up front... */ memcpy(outpacket->options, DHCP_OPTIONS_COOKIE, 4); mainbufix = 4; 这里如果main_buffer_size为比较小的正值的话(<= 7),就会导致store_options迅速退出,执行流会继续。具体来讲,只要客户端报文中的Maximum Segment Size值(mms)满足(DHCP_FIXED_LEN < mms < DHCP_FIXED_LEN+4)这个条件,main_buffer_size就会为小于4的正数。 if (option_size <= main_buffer_size - mainbufix) { memcpy(&outpacket->options[mainbufix], buffer, option_size); mainbufix += option_size; if (mainbufix < main_buffer_size) outpacket->options[mainbufix++] = DHO_END; length = DHCP_FIXED_NON_UDP + mainbufix; } else { outpacket->options[mainbufix++] = DHO_DHCP_OPTION_OVERLOAD; outpacket->options[mainbufix++] = 1; if (option_size > main_buffer_size - mainbufix + DHCP_FILE_LEN) outpacket->options[mainbufix++] = 3; else outpacket->options[mainbufix++] = 1; memcpy(&outpacket->options[mainbufix], buffer, main_buffer_size - mainbufix); 用负数的第三个参数触发memcpy(3)调用就会导致覆盖大部分的进程内存。
