Borland InterBase is a cross-platform, high-performance commercial database. When Borland InterBase processes a malformed packet sent to its default TCP port 3050, an integer overflow occurs that can ultimately lead to a stack overflow, allowing arbitrary instructions to be executed with system privileges.

Vulnerable code segment in the Solaris version:

/-----------
inet_accept_connection+0x164: srl   %o5, 0x10, %o7
inet_accept_connection+0x168: ld    [%l0 + 0xcc], %l1
inet_accept_connection+0x16c: sth   %o7, [%l1 + 8]
inet_accept_connection+0x170: ba    +0x3a0 <inet_accept_connection+0x510>
inet_accept_connection+0x174: ld    [%fp - 0x8c], %g2
inet_accept_connection+0x178: ld    [%fp - 0x88], %g3
inet_accept_connection+0x17c: add   %fp, -0x84, %g2
inet_accept_connection+0x180: st    %g2, [%fp - 0x90]
inet_accept_connection+0x184: ldsb  [%g3], %g4
inet_accept_connection+0x188: st    %g4, [%fp - 0xa0]
inet_accept_connection+0x18c: ld    [%fp - 0x88], %o5
inet_accept_connection+0x190: add   %o5, 1, %o7
inet_accept_connection+0x194: st    %o7, [%fp - 0x88]
inet_accept_connection+0x198: ld    [%fp - 0xa0], %o4
inet_accept_connection+0x19c: st    %o4, [%fp - 0x304]
inet_accept_connection+0x1a0: ld    [%fp - 0x304], %l0
inet_accept_connection+0x1a4: st    %l0, [%fp - 0x308]
inet_accept_connection+0x1a8: ld    [%fp - 0x308], %l1
inet_accept_connection+0x1ac: cmp   %l1, 0
inet_accept_connection+0x1b0: be,a  +0x50 <inet_accept_connection+0x200>
inet_accept_connection+0x1b4: clr   %g2
-----------/

The integer overflow occurs when a signed byte of the packet is loaded:

/-----------
inet_accept_connection+0x184: ldsb  [%g3], %g4        g4 = 0xffffff80
-----------/

The overflowed value in g4 is then moved into l3 and used as the loop counter:

/-----------
inet_accept_connection+0x1b8: ld    [%fp - 0x88], %g2
inet_accept_connection+0x1bc: ld    [%fp - 0x90], %g4
inet_accept_connection+0x1c0: ldsb  [%g2], %g3        *
inet_accept_connection+0x1c4: stb   %g3, [%g4]        **
inet_accept_connection+0x1c8: ld    [%fp - 0xa0], %l1
inet_accept_connection+0x1cc: ld    [%fp - 0x88], %o4
inet_accept_connection+0x1d0: sub   %l1, 1, %l2
inet_accept_connection+0x1d4: st    %l2, [%fp - 0xa0]
inet_accept_connection+0x1d8: add   %o4, 1, %o5
inet_accept_connection+0x1dc: st    %o5, [%fp - 0x88]
inet_accept_connection+0x1e0: ld    [%fp - 0xa0], %l3
inet_accept_connection+0x1e4: cmp   %l3, 0            ***
inet_accept_connection+0x1e8: ld    [%fp - 0x90], %o7
inet_accept_connection+0x1ec: add   %o7, 1, %l0
inet_accept_connection+0x1f0: st    %l0, [%fp - 0x90]
inet_accept_connection+0x1f4: bne,a -0x38 <inet_accept_connection+0x1bc>

*   g3 points at the packet byte
**  the packet byte is copied to the stack address pointed to by g4
*** loop until l3 = 0
-----------/

For the Windows version, the integer overflow occurs at the following location:

/-----------
0040F605  0FBE11    MOVSX EDX,BYTE PTR DS:[ECX]
-----------/

Here the packet data is copied onto the stack:

/-----------
0040F62C  880A      MOV BYTE PTR DS:[EDX],CL
-----------/

On the stack, the source-string pointer sits adjacent to a 0x40-byte buffer:

/-----------
00ECF6CC  00000000
00ECF6D0  00000000
00ECF6D4  00000000
00ECF6D8  00000000
00ECF6DC  00000000
00ECF6E0  00000000
00ECF6E4  00000000
00ECF6E8  00000000
00ECF6EC  00000000
00ECF6F0  00000000
00ECF6F4  00000000
00ECF6F8  00000000
00ECF6FC  00000000
00ECF700  00000000
00ECF704  00000000
00ECF708  00000000
00ECF70C  00A9636D  *

* pointer to the source string
-----------/
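The defect shown in both disassemblies is the same: a length byte from the packet is loaded with a sign-extending instruction (ldsb on SPARC, MOVSX on x86), so any byte of 0x80 or above becomes a negative count, and a copy loop that runs "until the counter reaches zero" keeps writing far past the 0x40-byte stack buffer. The following C example is added here to illustrate that from a defender's side; it is not code from the advisory or from InterBase. The packet layout it assumes (one length byte followed by that many payload bytes), the function names, and the sample packets are all constructed for the example, with the 0x40-byte destination size taken from the advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed destination size: the 0x40-byte stack buffer named in the advisory. */
#define DEST_SIZE 0x40

/* Mirrors the faulty load (ldsb on SPARC, MOVSX on x86): the length byte is
 * sign-extended, so 0x80..0xff become negative ints, and their 32-bit
 * two's-complement pattern (0x80 -> 0xffffff80) is what the counter starts from. */
uint32_t signed_length_pattern(uint8_t length_byte)
{
    int32_t n = (int8_t)length_byte;   /* sign-extended, as ldsb / MOVSX do */
    return (uint32_t)n;
}

/* Vulnerable shape reconstructed from the disassembly (hypothetical C, not the
 * vendor's source): counter = signed byte; copy until the counter hits zero.
 * A negative start value needs ~4 billion decrements to reach zero, so the copy
 * runs off the end of dst. Shown for contrast only; nothing below calls it. */
void copy_counted_string_vulnerable(uint8_t *dst, const uint8_t *pkt)
{
    int counter = (int8_t)pkt[0];
    const uint8_t *src = pkt + 1;
    while (counter != 0) {             /* "loop until l3 = 0" */
        *dst++ = *src++;
        counter--;
    }
}

/* Hardened version: the length is read as an unsigned byte (0..255) and the
 * packet is rejected unless the count fits both the destination and the bytes
 * actually present. Returns the number of bytes copied, or -1 on rejection. */
int copy_counted_string_safe(uint8_t *dst, size_t dst_cap,
                             const uint8_t *pkt, size_t pkt_len)
{
    if (pkt == NULL || pkt_len < 1)
        return -1;
    size_t n = pkt[0];                 /* zero-extended, never negative */
    if (n > dst_cap)
        return -1;                     /* would overrun the 0x40-byte buffer */
    if (n > pkt_len - 1)
        return -1;                     /* claims more bytes than the packet carries */
    memcpy(dst, pkt + 1, n);
    return (int)n;
}

/* Constructed sample packets (not captured InterBase traffic): one well formed,
 * one whose length byte has the high bit set, one whose payload is truncated. */
static const uint8_t good_pkt[]      = { 0x05, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t highbit_pkt[]   = { 0x80, 'x', 'x', 'x', 'x' };
static const uint8_t truncated_pkt[] = { 0x10, 'a', 'b', 'c' };

int demo_good(void)
{
    uint8_t dst[DEST_SIZE];
    return copy_counted_string_safe(dst, sizeof dst, good_pkt, sizeof good_pkt);
}

int demo_highbit(void)
{
    uint8_t dst[DEST_SIZE];
    return copy_counted_string_safe(dst, sizeof dst, highbit_pkt, sizeof highbit_pkt);
}

int demo_truncated(void)
{
    uint8_t dst[DEST_SIZE];
    return copy_counted_string_safe(dst, sizeof dst, truncated_pkt, sizeof truncated_pkt);
}

int main(void)
{
    printf("length byte 0x80 sign-extends to 0x%08x\n", signed_length_pattern(0x80));
    printf("good packet: %d bytes copied\n", demo_good());
    printf("high-bit packet: %d (rejected)\n", demo_highbit());
    printf("truncated packet: %d (rejected)\n", demo_truncated());
    return 0;
}
```

The two bounds checks in the hardened version are independent: the first stops a count larger than the destination regardless of how it was produced, the second stops a count that exceeds the data actually received, which is what a sign-extended length also violates in practice. Reading the byte into a size_t rather than an int removes the sign-extension path entirely.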