Detailed description:
PuTTY is a free Telnet and SSH client implementation that runs on the Win32 platform.
PuTTY contains multiple integer overflow vulnerabilities; a remote attacker who exploits them can execute arbitrary instructions on the system with the privileges of the PuTTY process.
The first vulnerability is caused by insufficient validation of user-supplied data before it is passed to memcpy(). PuTTY's sftp implementation lets the attacker specify, in a packet, the value that is used as the stored length of a string, as can be seen in the sftp_pkt_getstring() function in sftp.c:
    static void sftp_pkt_getstring(struct sftp_packet *pkt,
                                   char **p, int *length)
    {
        *p = NULL;
        if (pkt->length - pkt->savedpos < 4)
            return;
        /* length value is taken from user-supplied data */
        *length = GET_32BIT(pkt->data + pkt->savedpos);
        pkt->savedpos += 4;
        /* this check will be passed if length < 0 */
        if (pkt->length - pkt->savedpos < *length)
            return;
        *p = pkt->data + pkt->savedpos;
        pkt->savedpos += *length;
    }
This function is called from fxp_open_recv(), which passes the returned string pointer and string length on to the mkstr() function:
    struct fxp_handle *fxp_open_recv(struct sftp_packet *pktin,
                                     struct sftp_request *req)
    {
        ...
        /* sftp_pkt_getstring call with controlled len value */
        sftp_pkt_getstring(pktin, &hstring, &len);
        ...
        handle = snew(struct fxp_handle);
        /* heap corruption will occur if len == -1 */
        handle->hstring = mkstr(hstring, len);
        handle->hlen = len;
        sftp_pkt_free(pktin);
        return handle;
        ...
    }
If the length is -1, malloc(0) is performed when the snewn() macro is expanded:
    static char *mkstr(char *s, int len)
    {
        /* malloc(0) if len == -1 */
        char *p = snewn(len + 1, char);
        /* user controlled heap corruption */
        memcpy(p, s, len);
        p[len] = '\0';
        return p;
    }
The memcpy() call that follows then corrupts the heap.
The second vulnerability lies in passing user-supplied data to malloc(); the problem is in the fxp_readdir_recv() function:
    struct fxp_names *fxp_readdir_recv(struct sftp_packet *pktin,
                                       struct sftp_request *req) {
        ...
        /* 32 bit value from packet */
        ret->nnames = sftp_pkt_getuint32(pktin);
        /*
         * The integer overflow occurs when ret->nnames is referenced:
         * the snewn macro calls the malloc() wrapper
         * #define snewn(n, type) ((type *)smalloc((n)*sizeof(type)))
         */
        ret->names = snewn(ret->nnames, struct fxp_name);
        for (i = 0; i < ret->nnames; i++) {
            char *str;
            int len;
            sftp_pkt_getstring(pktin, &str, &len);
            /* pointer to arbitrary data from packet */
            ret->names[i].filename = mkstr(str, len);
            sftp_pkt_getstring(pktin, &str, &len);
            /* pointer to arbitrary data from packet */
            ret->names[i].longname = mkstr(str, len);
            /* pointer to arbitrary data from packet */
            ret->names[i].attrs = sftp_pkt_getattrs(pktin);
        }
        ...
    }
This function is reached from scp_get_sink_action() in scp.c and from sftp_cmd_ls() in sftp.c; an attacker can execute arbitrary instructions through the resulting heap corruption.
An attacker can trigger these vulnerabilities by operating a malicious server to which the client connects.
Affected systems:
PuTTY PuTTY 0.56
Unaffected systems:
PuTTY PuTTY 0.57
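The following C block is an added example written for this page; it is neither PuTTY's code nor the fix shipped in 0.57. It isolates the signed length comparison described for sftp_pkt_getstring() and sets a hardened unsigned version beside it, plus an overflow-checked array allocation for the fxp_readdir_recv() case modelled on the 32-bit size_t of the Win32 target. The struct field names follow the advisory; get_32bit, safe_getstring and safe_alloc_array32 are names assumed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>

/* Minimal stand-in for PuTTY's struct sftp_packet; field names follow the advisory. */
struct sftp_packet { const unsigned char *data; int length; int savedpos; };

static uint32_t get_32bit(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The flawed bounds check from the advisory, isolated without the copy that
 * follows it: the wire value is stored in a signed int, so 0xFFFFFFFF becomes -1
 * and "remaining < -1" is never true. Returns 1 when the check is passed. */
int vulnerable_length_check_passes(const struct sftp_packet *pkt) {
    if (pkt->length - pkt->savedpos < 4) return 0;
    int len = (int)get_32bit(pkt->data + pkt->savedpos);   /* signed, as in 0.56 */
    return !(pkt->length - (pkt->savedpos + 4) < len);
}

/* Hardened version (written for this example, not PuTTY's own 0.57 fix): keep the
 * length unsigned and compare it against the bytes left after the 4-byte field.
 * Returns 0 on success, -1 if the packet is truncated or the length is oversized. */
int safe_getstring(struct sftp_packet *pkt, const unsigned char **p, uint32_t *len) {
    *p = NULL;
    *len = 0;
    if (pkt->savedpos < 0 || pkt->length < pkt->savedpos) return -1;
    uint32_t remaining = (uint32_t)(pkt->length - pkt->savedpos);
    if (remaining < 4) return -1;
    uint32_t n = get_32bit(pkt->data + pkt->savedpos);
    pkt->savedpos += 4;
    remaining -= 4;
    if (n > remaining) return -1;          /* unsigned compare: 0xFFFFFFFF is rejected */
    *p = pkt->data + pkt->savedpos;
    *len = n;
    pkt->savedpos += (int)n;               /* n <= remaining, so this cannot wrap */
    return 0;
}

/* Overflow-checked array allocation for the readdir case, modelling the 32-bit
 * size_t of the Win32 target: nnames * sizeof(struct fxp_name) must not wrap. */
void *safe_alloc_array32(uint32_t count, uint32_t size) {
    if (size != 0 && count > UINT32_MAX / size) return NULL;
    return malloc((size_t)count * size);
}
```

Feeding both functions the same constructed packet with a length field of 0xFFFFFFFF shows the 0.56-style check accepting it while the unsigned check rejects it.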
