CVE-2002-0913
CVSS7.5
Published: 2002-10-04 00:00:00
Revised: 2016-10-17 22:22:59

[原文]Format string vulnerability in log_doit function of Slurp NNTP client 1.1.0 allows a malicious news server to execute arbitrary code on the client via format strings in a server response.


[CNNVD] Slurp SysLog Remote Format String Vulnerability (CNNVD-200210-021)

        A format string vulnerability exists in the log_doit function of Slurp NNTP client 1.1.0. A malicious news server can execute arbitrary code on the client via format strings in a server response.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0913
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0913
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200210-021
(Official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/bugtraq/2002-06/0014.html
(UNKNOWN)  BUGTRAQ  20020604 SRT Security Advisory (SRT2002-06-04-1011): slurp
http://marc.info/?l=vuln-dev&m=102323341407280&w=2
(UNKNOWN)  VULN-DEV  20020604 SRT Security Advisory (SRT2002-06-04-1011): slurp
http://www.iss.net/security_center/static/9270.php
(VENDOR_ADVISORY)  XF  slurp-syslog-format-string(9270)
http://www.securityfocus.com/bid/4935
(VENDOR_ADVISORY)  BID  4935

- Vulnerability information

Slurp SysLog Remote Format String Vulnerability
High  Format string
2002-10-04 00:00:00 2005-10-20 00:00:00
Remote
        A format string vulnerability exists in the log_doit function of Slurp NNTP client 1.1.0. A malicious news server can execute arbitrary code on the client via format strings in a server response.

- Advisory and patches

        This package was last maintained in February 1995. A vendor-supplied fix is unlikely.
        Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .

- Vulnerability information (21512)

Slurp 1.10 SysLog Remote Format String Vulnerability (EDBID:21512)
freebsd dos
2002-06-04 Verified
0 zillion
N/A
source: http://www.securityfocus.com/bid/4935/info

slurp is a freely available, open source NNTP client. It is designed for use on most Unix and Linux operating systems.

It may be possible for a remote server to execute code on a vulnerable client. slurp offers functionality that allows the software to write messages to the system log. A format string vulnerability in the syslog function may allow a malicious server to supply a custom format string that writes to an arbitrary address in memory.

perl -e 'print "200 Hello brother \n666 %x%x%x\n"' | nc -l -p 119

Then check /var/log/messages for something like:

Jun 5 05:10:22 yada slurp[39926]: do_newnews: NNTP protocol error: got '666 bfbff4f8804bc1bbfbff51c'


- Vulnerability information

14456
Slurp NNTP Client log_doit Function Format String
Remote / Network Access, Local / Remote, Context Dependent Input Manipulation
Loss of Integrity Solution Unknown

- Vulnerability description

Unknown or Incomplete

- Timeline

2002-06-04 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Slurp SysLog Remote Format String Vulnerability
Input Validation Error 4935
Yes No
2002-06-04 12:00:00 2009-07-11 01:56:00
Vulnerability discovery credited to zillion <zillion@snosoft.com>.

- Affected program versions

Stephen Hebditch slurp 1.10
- FreeBSD FreeBSD 4.5
- FreeBSD FreeBSD 4.4
- FreeBSD FreeBSD 4.3
- FreeBSD FreeBSD 4.2
- FreeBSD FreeBSD 4.1.1

- Vulnerability discussion

slurp is a freely available, open source NNTP client. It is designed for use on most Unix and Linux operating systems.

It may be possible for a remote server to execute code on a vulnerable client. slurp offers functionality that allows the software to write messages to the system log. A format string vulnerability in the syslog function may allow a malicious server to supply a custom format string that writes to an arbitrary address in memory.

- Exploit

This proof of concept was made available by zillion <zillion@snosoft.com>:

To find out whether you have a vulnerable slurp, connect to this:

perl -e 'print "200 Hello brother \n666 %x%x%x\n"' | nc -l -p 119

Then check /var/log/messages for something like:

Jun 5 05:10:22 yada slurp[39926]: do_newnews: NNTP protocol error: got '666 bfbff4f8804bc1bbfbff51c'
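The bug class behind both the EDB entry and the discussion above, as an added example that is not slurp's source and not zillion's PoC: a logger that takes server text as its format string (the log_doit pattern), the fixed form that routes the same text through a literal "%s", and a conservative pre-log check that flags printf conversions in a server line before it reaches any logging call. The function names, the constructed probe line and the static buffer are illustrative assumptions; the vulnerable path ends in vsnprintf into a local buffer rather than syslog(3) so the effect can be inspected.

```c
/*
 * Added example for CVE-2002-0913, not code from slurp or from the PoC.
 * log_doit_vuln, log_doit_fixed, has_conversion, PROBE_LINE and logbuf are
 * illustrative names chosen for this example.
 */
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: whatever the caller passes as 'fmt' is interpreted by
 * vsnprintf. In slurp the formatted text then goes to syslog(3); here it is
 * written into 'out' so the result can be examined. */
static void log_doit_vuln(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);   /* %x / %n inside 'fmt' are honoured here */
    va_end(ap);
}

/* Fixed pattern: server text is only ever an argument to a literal "%s". */
static void log_doit_fixed(char *out, size_t n, const char *server_line)
{
    snprintf(out, n, "NNTP protocol error: got '%s'", server_line);
}

/* Defence in depth: does a server line carry a printf conversion?
 * "%%" is a literal percent sign and is ignored; anything else shaped like
 * %[flags][width][.precision][length]<conversion> is flagged. */
static bool has_conversion(const char *s)
{
    for (const char *p = s; (p = strchr(p, '%')) != NULL; ) {
        p++;
        if (*p == '%') { p++; continue; }                       /* escaped % */
        p += strspn(p, "-+ #0");                                /* flags     */
        p += strspn(p, "0123456789*");                          /* width     */
        if (*p == '.') { p++; p += strspn(p, "0123456789*"); }  /* precision */
        p += strspn(p, "hlLqjzt");                              /* length    */
        if (*p != '\0' && strchr("diouxXeEfFgGaAcspn", *p) != NULL)
            return true;
    }
    return false;
}

/* Constructed copy of the probe line the PoC server sends. */
static const char PROBE_LINE[] = "666 %x%x%x";

/* Scratch buffer standing in for the text handed to syslog(3). */
static char logbuf[256];

/* True when the vulnerable logger expanded the conversions, i.e. the literal
 * "%x" no longer appears in what reached the log. The probe only uses %x, so
 * this reads junk integers but does not write memory; an attacker would use %n. */
static bool vuln_logger_expands(char *out, size_t n)
{
    log_doit_vuln(out, n, PROBE_LINE);
    return strncmp(out, "666 ", 4) == 0 && strstr(out, "%x") == NULL;
}

/* True when the fixed logger preserved the probe verbatim. */
static bool fixed_logger_keeps_literal(char *out, size_t n)
{
    log_doit_fixed(out, n, PROBE_LINE);
    return strcmp(out, "NNTP protocol error: got '666 %x%x%x'") == 0;
}

int main(void)
{
    if (vuln_logger_expands(logbuf, sizeof logbuf))
        printf("vulnerable logger produced: %s\n", logbuf);
    if (fixed_logger_keeps_literal(logbuf, sizeof logbuf))
        printf("fixed logger produced:      %s\n", logbuf);
    printf("probe flagged before logging: %s\n",
           has_conversion(PROBE_LINE) ? "yes" : "no");
    return 0;
}
```

Note that gcc's -Wformat-security only catches the direct shape printf(buf); once the format travels through a va_list wrapper such as log_doit_vuln the compiler is silent, which is why auditing callers of wrappers like log_doit for format arguments that originate on the network is the practical check here.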

- Solution

This package was last maintained in February 1995. A vendor-supplied fix is unlikely.

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .

- Related references
