BUGTRAQ ID: 35076 CVE(CAN) ID: CVE-2009-1476 IPFilter是一款免费的开放源代码的防火墙程序,由Darren Reed编写,可使用在多种Unix和Linux操作系统平台下。 Ippool用于管理IPFilter的IP池子系统中所储存的信息。在IPFilter的lib/load_http.c文件中(char buffer[1024]): - --- ... alist_t * load_http(char *url) { int fd, len, left, port, endhdr, removed; char *s, *t, *u, buffer[1024], *myurl; alist_t *a, *rtop, *rbot; struct sockaddr_in sin; struct hostent *host; /* * More than this would just be absurd. */ if (strlen(url) > 512) { fprintf(stderr, "load_http has a URL > 512 bytes?!\n"); return NULL; } fd = -1; rtop = NULL; rbot = NULL; sprintf(buffer, "GET %s HTTP/1.0\r\n", url); myurl = strdup(url); if (myurl == NULL) goto done; s = myurl + 7; /* http:// */ t = strchr(s, '/'); if (t == NULL) { fprintf(stderr, "load_http has a malformed URL '%s'\n", url); free(myurl); return NULL; } *t++ = '\0'; u = strchr(s, '@'); if (u != NULL) s = u + 1; /* AUTH */ sprintf(buffer + strlen(buffer), "Host: %s\r\n\r\n", s); ... -...
BUGTRAQ ID: 35076 CVE(CAN) ID: CVE-2009-1476 IPFilter是一款免费的开放源代码的防火墙程序,由Darren Reed编写,可使用在多种Unix和Linux操作系统平台下。 Ippool用于管理IPFilter的IP池子系统中所储存的信息。在IPFilter的lib/load_http.c文件中(char buffer[1024]): - --- ... alist_t * load_http(char *url) { int fd, len, left, port, endhdr, removed; char *s, *t, *u, buffer[1024], *myurl; alist_t *a, *rtop, *rbot; struct sockaddr_in sin; struct hostent *host; /* * More than this would just be absurd. */ if (strlen(url) > 512) { fprintf(stderr, "load_http has a URL > 512 bytes?!\n"); return NULL; } fd = -1; rtop = NULL; rbot = NULL; sprintf(buffer, "GET %s HTTP/1.0\r\n", url); myurl = strdup(url); if (myurl == NULL) goto done; s = myurl + 7; /* http:// */ t = strchr(s, '/'); if (t == NULL) { fprintf(stderr, "load_http has a malformed URL '%s'\n", url); free(myurl); return NULL; } *t++ = '\0'; u = strchr(s, '@'); if (u != NULL) s = u + 1; /* AUTH */ sprintf(buffer + strlen(buffer), "Host: %s\r\n\r\n", s); ... - --- 0. buffer[]仅有1024字节 1. url不能大于512字节 2. url会通过以下未做长度检查的sprintf调用被拷贝到buffer中: sprintf(buffer, "GET %s HTTP/1.0\r\n", url); 随后在这里(s指向url中的主机名部分)再次追加: sprintf(buffer + strlen(buffer), "Host: %s\r\n\r\n", s); 如果url包含有: 512 = strlen(http:// A x504 /) 则在缓冲区中: strlen(GET HTTP/1.0\r\n) = 15 strlen(url) = 512 strlen(Host: \r\n\r\n)= 10 strlen(A x504) = 504 总计为1041字节,已超出buffer[]的1024字节,因此使用这个功能可能会触发缓冲区溢出。 Darren Reed IPFilter 4.1.31 厂商补丁: Darren Reed ----------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href="http://cvsweb.netbsd.org/bsdweb.cgi/src/dist/ipf/lib/load_http.c?rev=1.2&content-type=text/x-cvsweb-markup&only_with_tag=MAIN" target="_blank" rel=external nofollow>http://cvsweb.netbsd.org/bsdweb.cgi/src/dist/ipf/lib/load_http.c?rev=1.2&content-type=text/x-cvsweb-markup&only_with_tag=MAIN</a>