BUGTRAQ ID: 29302 Borland InterBase是跨平台的高性能商业数据库。 Borland Interbase数据库在处理发送给默认TCP 3050端口的畸形报文时存在整数溢出漏洞,最终可能导致栈溢出,允许以系统权限执行任意指令。 Solaris版本中的漏洞代码段: /----------- inet_accept_connection+0x164: srl %o5, 0x10, %o7 inet_accept_connection+0x168: ld [%l0 + 0xcc], %l1 inet_accept_connection+0x16c: sth %o7, [%l1 + 8] inet_accept_connection+0x170: ba +0x3a0 <inet_accept_connection+0x510> inet_accept_connection+0x174: ld [%fp - 0x8c], %g2 inet_accept_connection+0x178: ld [%fp - 0x88], %g3 inet_accept_connection+0x17c: add %fp, -0x84, %g2 inet_accept_connection+0x180: st %g2, [%fp - 0x90] inet_accept_connection+0x184: ldsb [%g3], %g4 inet_accept_connection+0x188: st %g4, [%fp - 0xa0] inet_accept_connection+0x18c: ld [%fp - 0x88], %o5 inet_accept_connection+0x190: add %o5, 1, %o7 inet_accept_connection+0x194: st %o7, [%fp - 0x88] inet_accept_connection+0x198: ld [%fp - 0xa0], %o4 inet_accept_connection+0x19c: st %o4, [%fp - 0x304] inet_accept_connection+0x1a0: ld [%fp - 0x304], %l0...
BUGTRAQ ID: 29302 Borland InterBase是跨平台的高性能商业数据库。 Borland Interbase数据库在处理发送给默认TCP 3050端口的畸形报文时存在整数溢出漏洞,最终可能导致栈溢出,允许以系统权限执行任意指令。 Solaris版本中的漏洞代码段: /----------- inet_accept_connection+0x164: srl %o5, 0x10, %o7 inet_accept_connection+0x168: ld [%l0 + 0xcc], %l1 inet_accept_connection+0x16c: sth %o7, [%l1 + 8] inet_accept_connection+0x170: ba +0x3a0 <inet_accept_connection+0x510> inet_accept_connection+0x174: ld [%fp - 0x8c], %g2 inet_accept_connection+0x178: ld [%fp - 0x88], %g3 inet_accept_connection+0x17c: add %fp, -0x84, %g2 inet_accept_connection+0x180: st %g2, [%fp - 0x90] inet_accept_connection+0x184: ldsb [%g3], %g4 inet_accept_connection+0x188: st %g4, [%fp - 0xa0] inet_accept_connection+0x18c: ld [%fp - 0x88], %o5 inet_accept_connection+0x190: add %o5, 1, %o7 inet_accept_connection+0x194: st %o7, [%fp - 0x88] inet_accept_connection+0x198: ld [%fp - 0xa0], %o4 inet_accept_connection+0x19c: st %o4, [%fp - 0x304] inet_accept_connection+0x1a0: ld [%fp - 0x304], %l0 inet_accept_connection+0x1a4: st %l0, [%fp - 0x308] inet_accept_connection+0x1a8: ld [%fp - 0x308], %l1 inet_accept_connection+0x1ac: cmp %l1, 0 inet_accept_connection+0x1b0: be,a +0x50 <inet_accept_connection+0x200> inet_accept_connection+0x1b4: clr %g2. - -----------/ 在加载以下报文的有符字节时会出现整数溢出: /----------- inet_accept_connection+0x184: ldsb [%g3], %g4 g4 = 0xffffff80 - -----------/ 然后将溢出g4的值移到l3用作计数器: /----------- inet_accept_connection+0x1b8: ld [%fp - 0x88], %g2 inet_accept_connection+0x1bc: ld [%fp - 0x90], %g4 inet_accept_connection+0x1c0: ldsb [%g2], %g3 * inet_accept_connection+0x1c4: stb %g3, [%g4] ** inet_accept_connection+0x1c8: ld [%fp - 0xa0], %l1 inet_accept_connection+0x1cc: ld [%fp - 0x88], %o4 inet_accept_connection+0x1d0: sub %l1, 1, %l2 inet_accept_connection+0x1d4: st %l2, [%fp - 0xa0] inet_accept_connection+0x1d8: add %o4, 1, %o5 inet_accept_connection+0x1dc: st %o5, [%fp - 0x88] inet_accept_connection+0x1e0: ld [%fp - 0xa0], %l3 inet_accept_connection+0x1e4: cmp %l3, 0 *** inet_accept_connection+0x1e8: ld [%fp - 0x90], %o7 inet_accept_connection+0x1ec: add %o7, 1, %l0 inet_accept_connection+0x1f0: st %l0, [%fp - 0x90] inet_accept_connection+0x1f4: bne,a -0x38 <inet_accept_connection+0x1bc> * g3指向报文字节 ** 将报文字节拷贝到g4所指向的栈地址 *** 循环直至l3 = 0 - -----------/ 对于Windows版本,以下位置出现整数溢出: /----------- 0040F605 0FBE11 MOVSX EDX,BYTE PTR DS:[ECX] - -----------/ 这里将报文数据拷贝到栈: /----------- 0040F62C 880A MOV BYTE PTR DS:[EDX],CL - -----------/ 在栈中源字符串指针后跟随0x40字节大小缓冲区: /----------- 00ECF6CC 0000000 00ECF6D0 00000000 00ECF6D4 00000000 00ECF6D8 00000000 00ECF6DC 00000000 00ECF6E0 00000000 00ECF6E4 00000000 00ECF6E8 00000000 00ECF6EC 00000000 00ECF6F0 00000000 00ECF6F4 00000000 00ECF6F8 00000000 00ECF6FC 00000000 00ECF700 00000000 00ECF704 00000000 00ECF708 00000000 00ECF70C 00A9636D * * 源字符串指针 - -----------/ 如果在循环写入源指针时设置到受控数据的指针,就可以通过写入SEH完全控制程序流。 Borland InterBase 2007 SP2 Borland ------- 目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: <a href=http://www.borland.com/ target=_blank>http://www.borland.com/</a>
