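BlueZ SDP Payload Processing Multiple Buffer Overflow Vulnerabilities

Affected systems:
BlueZ BlueZ 3.34
Unaffected systems:
BlueZ BlueZ 3.35
Description:
BUGTRAQ ID: 30105
CVE(CAN) ID: CVE-2008-2374
BlueZ is the official Linux Bluetooth protocol stack.
The SDP parsing code in BlueZ blindly trusts the string length field in inbound SDP packets. A remote attacker who sends a malicious response to an SDP query can trigger a buffer overflow, leading to denial of service or arbitrary code execution.
The following is the vulnerable code from bluez-libs-3.30/src/sdp.c: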

static sdp_data_t *extract_str(const void *p, int *len)
{
        char *s;
        int n;
        sdp_data_t *d = malloc(sizeof(sdp_data_t));

        memset(d, 0, sizeof(sdp_data_t));
        d->dtd = *(uint8_t *) p;
        p += sizeof(uint8_t);
        *len += sizeof(uint8_t);

        switch (d->dtd) {
        case SDP_TEXT_STR8:
        case SDP_URL_STR8:
                n = *(uint8_t *) p;  // <-- the incoming packet
                p += sizeof(uint8_t);
                *len += sizeof(uint8_t) + n;  // <-- blindly trusted here, may advance parser past end of packet
                break;
        case SDP_TEXT_STR16:
        case SDP_URL_STR16:
                n = ntohs(bt_get_unaligned((uint16_t *) p));  // <-- the incoming packet
                p += sizeof(uint16_t);
                *len += sizeof(uint16_t) + n;  // <-- blindly trusted here, may advance parser past end of packet
                break;
        default:
                SDPERR("Sizeof text string > UINT16_MAX\n");
                free(d);
                return 0;
        }

        s = malloc(n + 1);  // <-- really blindly trusted here, also no NULL checking
        memset(s, 0, n + 1);
        memcpy(s, p, n);

        SDPDBG("Len : %d\n", n);
        SDPDBG("Str : %s\n", s);

        d->val.str = s;
        d->unitSize = n + sizeof(uint8_t);  // <-- more blind trust
        return d;
}
The root cause is at line 1125: the sdp_extract_pdu() function does not properly check the length field, which leads to the vulnerability above.
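As an added example (not code from this advisory or from BlueZ, and not the vendor's patch), the following C function shows the check the excerpt lacks: the parser is told how many bytes were actually received and rejects any string element whose declared length exceeds them, and it checks the allocations. The names str_elem_t, extract_str_checked, sample_ok and sample_bad are hypothetical; the DTD constants are the values defined in BlueZ's sdp.h.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* DTD values from BlueZ's sdp.h */
enum { SDP_TEXT_STR8 = 0x25, SDP_TEXT_STR16 = 0x26,
       SDP_URL_STR8 = 0x45, SDP_URL_STR16 = 0x46 };

/* Simplified stand-in for sdp_data_t (assumption, not the BlueZ struct). */
typedef struct { uint8_t dtd; size_t unit_size; char *str; } str_elem_t;

/* Parse one string element from buf[0..bufsize). Returns NULL on truncated or
 * malformed input; on success *consumed is the number of bytes parsed. */
static str_elem_t *extract_str_checked(const uint8_t *buf, size_t bufsize,
				       size_t *consumed)
{
	size_t hdr, n;
	str_elem_t *d;
	if (bufsize < 1)
		return NULL;
	switch (buf[0]) {
	case SDP_TEXT_STR8: case SDP_URL_STR8:
		hdr = 2;	/* DTD byte + 8-bit length */
		break;
	case SDP_TEXT_STR16: case SDP_URL_STR16:
		hdr = 3;	/* DTD byte + 16-bit big-endian length */
		break;
	default:
		return NULL;
	}
	if (bufsize < hdr)	/* the length field itself must be in the packet */
		return NULL;
	n = (hdr == 2) ? buf[1] : ((size_t)buf[1] << 8) | buf[2];
	if (n > bufsize - hdr)	/* declared length must fit what was received */
		return NULL;
	d = calloc(1, sizeof(*d));
	if (!d || !(d->str = calloc(1, n + 1))) {
		free(d);
		return NULL;
	}
	memcpy(d->str, buf + hdr, n);
	d->dtd = buf[0];
	d->unit_size = *consumed = hdr + n;
	return d;
}

/* Constructed samples: a well-formed element, and one claiming 200 bytes. */
static const uint8_t sample_ok[]  = { SDP_TEXT_STR8, 2, 'h', 'i' };
static const uint8_t sample_bad[] = { SDP_TEXT_STR8, 200, 'h', 'i' };
```

The caller owns the returned element and frees both d->str and d.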
<*Source: Glenn Durfee (gdurfee@google.com)

Links: http://secunia.com/advisories/30957/
http://article.gmane.org/gmane.linux.bluez.devel/15809/
*>
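Recommendation:
--------------------------------------------------------------------------------
Vendor patch:
BlueZ
-----
The vendor has released an upgrade patch that fixes this security issue. Download it from the vendor's home page: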
http://www.bluez.org/
