资源描述
CVE-2014-1912漏洞介绍与简单分析
标 题: 【原创】CVE-2014-1912漏洞介绍与简单分析
作 者: cumirror
前段时间,CVE上收录了Python缓冲区溢出漏洞CVE-2014-1912。正好自己在学Pyhon,于是跟踪分析了下。自己是个新手,对于shellcode编写还没掌握,所以这里侧重于漏洞的原理介绍和溢出点的定位,如有不足和错误之处还请大家指点,谢谢。
1.漏洞介绍
这个漏洞产生于Python socket模块中的recvfrom_into函数,该函数在处理过程中,对recvlen和buf.len的判断存在问题。
该漏洞会影响Python 2.7.7/3.4.4之前的版本。
你也可以运行如下脚本进行检查,如果产生段错误,则说明存在这个漏洞。
代码:
import socket
r, w = socket.socketpair()
w.send(b'X' * 1024)
r.recvfrom_into(bytearray(), 1024)
2.漏洞溢出点分析
a)调试环境
系统:Ubuntu 13.04
Python:2.7.4
调试器:GDB (安装python的扩展:sudo apt-get install gdb python2.7-dbg)
b)demo
serve.py
代码:
import socket, array
host = socket.gethostname()
port = 40000
s = socket.socket()
s.bind((host, port))
#mybuf = bytearray(b'BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB')
#print hex(id(mybuf))
mybuf = array.array('c', 'B'*5)
print len(mybuf)
print hex(id(mybuf))
s.listen(5)
while True:
c, addr = s.accept()
nbytes, c_addr = c.recvfrom_into(mybuf, 1024)
print 'recv ', nbytes, ' bytes: ', mybuf
c.close()
client.py
代码:
import socket
host = socket.gethostname()
port = 40000
s = socket.socket()
s.connect((host, port))
buf = 'AAAAAAA'
s.send(buf)
为了方便定位,使用了hex(id(obj))来获取Python中对象的内存地址,适用于CPython(默认的Python解析器)。
c)gdb调试
1)python server.py,运行server
代码:
5
0xb74d5a00L
recv 7 bytes: array('c', 'AAAAA')
2)gdb attach到进程上,设置断点。(我尝试过设置watchpoint,但没断住,比较奇怪)
代码:
$ ps -ef | grep server
$ sudo gdb a 3735
(gdb) x /10xg 0xb74bba00
0xb74bba00: 0x0827b56000000001 0x0a1c190800000005
0xb74bba10: 0x0827e2a000000005 0x0000000000000000
0xb74bba20: 0x08290160b74bba40 0x7957ad8700000006
0xb74bba30: 0x6f64747300000000 0x0000000000007475
0xb74bba40: 0x0000000000000000 0x0000000000000000
(gdb) x /10xg 0x0a1c1908
0xa1c1908: 0x726f724242424242 0x00000039b7533000
0xa1c1918: 0x0000000200000000 0x0000000600000001
0xa1c1928: 0x0a1c193800000010 0x0a1c195000000000
0xa1c1938: 0x0101007f00000002 0x0000000000000000
0xa1c1948: 0x000000390000038e 0x000000020a1c1910
(gdb) x /10c 0x0a1c1908
0xa1c1908: 66 'B' 66 'B' 66 'B' 66 'B' 66 'B' 114 'r' 111 'o' 114 'r'
0xa1c1910: 0 '\000' 48 '0'
(gdb) break if ((char*)0x0a1c1908)[0] != 'B'
Breakpoint 1 at 0xb77a2424
(gdb) break sock_recvfrom_into.64651
Breakpoint 2 at 0x806e4d3: file ../Modules/socketmodule.c, line 2720.
(gdb) c
Continuing.
3)python client.py,发送超长的数据。
4)查看溢出点
代码:
Breakpoint 2, sock_recvfrom_into.64651 (s=0xb74b2610, args=(<array.array at remote 0xb74bba00>, 1024), kwds=0x0)
at ../Modules/socketmodule.c:2720
2720 ../Modules/socketmodule.c: No such file or directory.
(gdb) bt
#0 sock_recvfrom_into.64651 (s=0xb74b2610, args=(<array.array at remote 0xb74bba00>, 1024), kwds=0x0)
at ../Modules/socketmodule.c:2720
#1 0x080b6bde in call_function (oparg=<optimized out>, pp_stack=0xbfb2a58c) at ../Python/ceval.c:4021
#2 PyEval_EvalFrameEx (f=f@entry=Frame 0xa1be5c4, for file server.py, line 18, in <module> (), throwflag=throwflag@entry=0)
at ../Python/ceval.c:2666
#3 0x0811fae9 in PyEval_EvalCodeEx (co=co@entry=0xb750ecc8,
globals=globals@entry={'c': <_socketobject at remote 0xb74a9294>, 'socket': <module at remote 0xb74a0bcc>, '__builtins__': <module at remote 0xb751311c>, '__file__': 'server.py', 's': <_socketobject at remote 0xb74a92cc>, '__package__': None, 'port': 40000, 'host': 'cumirror', 'mybuf': <array.array at remote 0xb74bba00>, '__name__': '__main__', 'array': <module at remote 0xb74a0a1c>, '__doc__': None, 'addr': ('127.0.0.1', 50195)},
locals=locals@entry={'c': <_socketobject at remote 0xb74a9294>, 'socket': <module at remote 0xb74a0bcc>, '__builtins__': <module at remote 0xb751311c>, '__file__': 'server.py', 's': <_socketobject at remote 0xb74a92cc>, '__package__': None, 'port': 40000, 'host': 'cumirror', 'mybuf': <array.array at remote 0xb74bba00>, '__name__': '__main__', 'array': <module at remote 0xb74a0a1c>, '__doc__': None, 'addr': ('127.0.0.1', 50195)}, args=args@entry=0x0, argcount=argcount@entry=0, kws=kws@entry=0x0, kwcount=kwcount@entry=0,
defs=defs@entry=0x0, defcount=defcount@entry=0, closure=closure@entry=0x0) at ../Python/ceval.c:3253
#4 0x081836c7 in PyEval_EvalCode (co=co@entry=0xb750ecc8,
globals=globals@entry={'c': <_socketobject at remote 0xb74a9294>, 'socket': <module at remote 0xb74a0bcc>, '__builtins__': <module at remote 0xb751311c>, '__file__': 'server.py', 's': <_socketobject at remote 0xb74a92cc>, '__package__': None, 'port': 40000, 'host': 'cumirror', 'mybuf': <array.array at remote 0xb74bba00>, '__name__': '__main__', 'array': <module at remote 0xb74a0a1c>, '__doc__': None, 'addr': ('127.0.0.1', 50195)},
locals=locals@entry={'c': <_socketobject at remote 0xb74a9294>, 'socket': <module at remote 0xb74a0bcc>, '__builtins__': <module at remote 0xb751311c>, '__file__': 'server.py', 's': <_socketobject at remote 0xb74a92cc>, '__package__': None, 'port': 40000, 'host': 'cumirror', 'mybuf': <array.array at remote 0xb74bba00>, '__name__': '__main__', 'array': <module at remote 0xb74a0a1c>, '__doc__': None, 'addr': ('127.0.0.1', 50195)}) at ../Python/ceval.c:667
#5 0x08183b7d in run_mod.42872 (mod=mod@entry=0xa1c01f0, filename=filename@entry=0xbfb2c35e "server.py",
globals=globals@entry={'c': <_socketobject at remote 0xb74a9294>, 'socket': <module at remote 0xb74a0bcc>, '__builtins__': <module at remote 0xb751311c>, '__file__': 'server.py', 's': <_socketobject at remote 0xb74a92cc>, '__package__': None, 'port': 40000, 'host': 'cumirror', 'mybuf': <array.array at remote 0xb74bba00>, '__name__': '__main__', 'array': <module at remote 0xb74a0a1c>, '__doc__': None, 'addr': ('127.0.0.1', 50195)},
locals=locals@entry={'c': <_socketobject at remote 0xb74a9294>, 'socket': <module at remote 0xb74a0bcc>, '__builtins__': <module at remote 0xb751311c>, '__file__': 'server.py', 's': <_socketobject at remote 0xb74a92cc>, '__package__': None, 'port': 40000, 'host': 'cumirror', 'mybuf': <array.array at remote 0xb74bba00>, '__name__': '__main__', 'array': <module at remote 0xb74a0a1c>, '__doc__': None, 'addr': ('127.0.0.1', 50195)}, flags=flags@entry=0xbfb2a79c, arena=arena@entry=0xa1d1398) at ../Python/pythonrun.c:1365
#6 0x080a6029 in PyRun_FileExFlags (fp=fp@entry=0xa1be5b8, filename=filename@entry=0xbfb2c35e "server.py", start=start@entry=257,
globals=globals@entry={'c': <_socketobject at remote 0xb74a9294>, 'socket': <module at remote 0xb74a0bcc>, '__builtins__': <module at remote 0xb751311c>, '__file__': 'server.py', 's': <_socketobject at remote 0xb74a92cc>, '__package__': None, 'port': 40000, 'host': 'cumirror', 'mybuf': <array.array at remote 0xb74bba00>, '__name__': '__main__', 'array': <module at remote 0xb74a0a1c>, '__doc__': None, 'addr': ('127.0.0.1', 50195)},
locals=locals@entry={'c': <_socketobject at remote 0xb74a9294>, 'socket': <module at remote 0xb74a0bcc>, '__builtins__': <module at remote 0xb751311c>, '__file__': 'server.py', 's': <_socketobject at remote 0xb74a92cc>, '__package__': None, 'port': 40000, 'host': ---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) c
Continuing.
Breakpoint 1, 0xb77a2424 in __kernel_vsyscall ()
(gdb) bt
#0 0xb77a2424 in __kernel_vsyscall ()
#1 0xb777cc91 in recvfrom () from /lib/i386-linux-gnu/libpthread.so.0
#2 0x0806e2fb in sock_recvfrom_guts (s=0xb77a2424 <__kernel_vsyscall+16>, s@entry=0xb74b2610, cbuf=0xa1c1908 "AAAAAAAr", len=1024,
flags=0, addr=addr@entry=0xbfb2a478) at /usr/include/i386-linux-gnu/bits/socket2.h:76
#3 0x0806e57f in sock_recvfrom_into.64651 (s=0xb74b2610, args=(<array.array at remote 0xb74bba00>, 1024), kwds=0x0)
at ../Modules/socketmodule.c:2747
#4 0x080b6bde in call_function (oparg=<optimized out>, pp_stack=0xbfb2a58c) at ../Python/ceval.c:4021
#5 PyEval_EvalFrameEx (f=f@entry=Frame 0xa1be5c4, for file server.py, line 18, in <module> (), throwflag=throwflag@entry=0)
at ../Python/ceval.c:2666
#6 0x0811fae9 in PyEval_EvalCodeEx (co=co@entry=0xb750ecc8,
globals=globals@entry={'c': <_socketobject at remote 0xb74a9294>, 'socket': <module at remote 0xb74a0bcc>, '__builtins__': <module at remote 0xb751311c>, '__file__': 'server.py', 's': <_socketobject at remote 0xb74a92cc>, '__package__': None, 'port': 40000, 'host': 'cumirror', 'mybuf': <array.array at remote 0xb74bba00>, '__name__': '__main__', 'array': <module at remote 0xb74a0a1c>, '__doc__': None, 'addr': ('127.0.0.1', 50195)},
locals=locals@entry={'c': <_socketobject at remote 0xb74a9294>, 'socket': <module at remote 0xb74a0bcc>, '__builtins__': <module at remote 0xb751311c>, '__file__': 'server.py', 's': <_socketobject at remote 0xb74a92cc>, '__package__': None, 'port': 40000, 'host': 'cumirror', 'mybuf': <array.array at remote 0xb74bba00>, '__name__': '__main__', 'array': <module at remote 0xb74a0a1c>, '__doc__': None, 'addr': ('127.0.0.1', 50195)}, args=args@entry=0x0, argcount=argcount@entry=0, kws=kws@entry=0x0, kwcount=kwcount@entry=0,
defs=defs@entry=0x0, defcount=defcount@entry=0, closure=closure@entry=0x0) at ../Python/ceval.c:3253
#7 0x081836c7 in PyEval_EvalCode (co=co@entry=0xb750ecc8,
globals=globals@entry={'c': <_socketobject at remote 0xb74a9294>, 'socket': <module at remote 0xb74a0bcc>, '__builtins__': <module at remote 0xb751311c>, '__file__': 'server.py', 's': <_socketobject at remote 0xb74a92cc>, '__package__': None, 'port': 40000, 'host': 'cumirror', 'mybuf': <array.array at remote 0xb74bba00>, '__name__': '__main__', 'array': <module at remote 0xb74a0a1c>, '__doc__': None, 'addr': ('127.0.0.1', 50195)},
locals=locals@entry={'c': <_socketobject at remote 0xb74a9294>, 'socket': <module at remote 0xb74a0bcc>, '__builtins__': <module at remote 0xb751311c>, '__file__': 'server.py', 's': <_socketobject at remote 0xb74a92cc>, '__package__': None, 'port': 40000, 'host': 'cumirror', 'mybuf': <array.array at remote 0xb74bba00>, '__name__': '__main__', 'array': <module at remote 0xb74a0a1c>, '__doc__': None, 'addr': ('127.0.0.1', 50195)}) at ../Python/ceval.c:667
#8 0x08183b7d in run_mod.42872 (mod=mod@entry=0xa1c01f0, filename=filename@entry=0xbfb2c35e "server.py",
globals=globals@entry={'c': <_socketobject at remote 0xb74a9294>, 'socket': <module at remote 0xb74a0bcc>, '__builtins__': <module at remote 0xb751311c>, '__file__': 'server.py', 's': <_socketobject at remote 0xb74a92cc>, '__package__': None, 'port': 40000, 'host': 'cumirror', 'mybuf': <array.array at remote 0xb74bba00>, '__name__': '__main__', 'array': <module at remote 0xb74a0a1c>, '__doc__': None, 'addr': ('127.0.0.1', 50195)},
locals=locals@entry={'c': <_socketobject at remote 0xb74a9294>, 'socket': <module at remote 0xb74a0bcc>, '__builtins__': <module at remote 0xb751311c>, '__file__': 'server.py', 's': <_socketobject at remote 0xb74a92cc>, '__package__': None, 'port': 40000, 'host': 'cumirror', 'mybuf': <array.array at remote 0xb74bba00>, '__name__': '__main__', 'array': <module at remote 0xb74a0a1c>, '__doc__': None, 'addr': ('127.0.0.1', 50195)}, flags=flags@entry=0xbfb2a79c, arena=arena@entry=0xa1d1398) at ../Python/pythonrun.c:1365
#9 0x080a6029 in PyRun_FileExFlags (fp=fp@entry=0xa1be5b8, filename=filename@entry=0xbfb2c35e "server.py", start=start@entry=257,
globals=globals@entry={'c': <_socketobject at remote 0xb74a9294>, 'socket': <module at remote 0xb74a0bcc>, '__builtins__': <module at remote 0xb751311c>, '__file__': 'server.py', 's': <_socketobject at remote 0xb74a92cc>, '__package__': None, 'port': 40000, 'host'---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) x /10c 0x0a1c1908
0xa1c1908: 65 'A' 65 'A' 65 'A' 65 'A' 65 'A' 65 'A' 65 'A' 114 'r'
0xa1c1910: 0 '\000' 48 '0'
3.漏洞原因与patch
通过上面的调试信息观察到:mybuf对象地址为 0xb74bba00,在栈上创建,但其指向的buf则在堆上分配,初始值为"BBBBB",大小5Bytes,地址0x0a1c1908。client向server发送7字节的数据("AAAAAA")后,server端因为sock_recvfrom_into中处理不当,设置sock_recvfrom_guts的入参为cbuf=0xa1c1908&len=1024,从而导致了buf的溢出。
如果mybuf对象中的buf分配在栈上,则会造成栈溢出,这里则为堆溢出。
client连接后,server“正常”输出,但其实其堆已经被破坏。如果client发送的数据够长或server端处理流程更复杂,则很可能会报malloc或free错误。(malloc管理的内存数据被踩坏)
下面是python社区打的patch,添加了对buflen与recvlen的判断。
代码:
diff -r 40fb60df4755 Modules/socketmodule.c
--- a/Modules/socketmodule.c Sun Jan 12 12:11:47 2014 +0200
+++ b/Modules/socketmodule.c Mon Jan 13 16:36:35 2014 -0800
@@ -2744,6 +2744,13 @@
recvlen = buflen;
}
+ /* Check if the buffer is large enough */
+ if (buflen < recvlen) {
+ PyErr_SetString(PyExc_ValueError,
+ "buffer too small for requested bytes");
+ goto error;
+ }
+
readlen = sock_recvfrom_guts(s, buf.buf, recvlen, flags, &addr);
if (readlen < 0) {
/* Return an error */
4.漏洞利用思路
a)上述例子中是一处堆溢出,现在malloc分配器中应该能检查出double-shooting这种攻击吧,那这种漏洞还能利用不。
b)如果buf分配在栈上,则是一处栈溢出,采用rop的方式绕过nx,进行系统调用,这个应该能实现吧。
参考:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1912
http://bugs.python.org/issue20246
http://svn.python.org/projects/python/trunk/Modules/socketmodule.c
展开阅读全文
浙ICP备2021020529号-1 | 浙B2-20240490 
