CVE-2002-2257
CVSS 10.0
Published: 2002-12-31 00:00:00
Last modified: 2008-09-05 16:32:44

[Original] Stack-based buffer overflow in the parse_field function in cgi_lib.c for LIBCGI 1.0.2 and 1.0.3 allows remote attackers to execute arbitrary code via a long argument.


[CNNVD] TuxBR LIBCGI Remote Buffer Overflow Vulnerability (CNNVD-200212-235)

        LIBCGI is a CGI library written in C that handles GET and POST requests and provides URL decoding, MySQL access and other functions.
        The 'parse_field()' function in the 'cgi_lib.c' source file of LIBCGI does not check its input correctly. A remote attacker can exploit this flaw to cause a buffer overflow and execute arbitrary instructions on the system with the privileges of the LIBCGI process.

- CVSS (Base Score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure; all system files are exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: NETWORK [the attacker does not need internal-network or local access]
Authentication: NONE [no authentication is required to exploit the flaw]

- CWE (Weakness Category)

CWE-119 [Improper Restriction of Operations within the Bounds of a Memory Buffer]

- CPE (Affected Platforms and Products)

cpe:/a:tuxbr:libcgi:1.0.3
cpe:/a:tuxbr:libcgi:1.0.2

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2257
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-2257
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200212-235
(official data source) CNNVD

- Other Links and Resources

http://xforce.iss.net/xforce/xfdb/10722
(UNKNOWN)  XF  libcgi-cgilibc-parsefield-bo(10722)
http://www.securityfocus.com/bid/6270
(UNKNOWN)  BID  6270
http://archives.neohapsis.com/archives/bugtraq/2002-11/0346.html
(UNKNOWN)  BUGTRAQ  20021128 Remote Multiple Buffer Overflow(s) vulnerability in Libcgi-tuxbr.

- Vulnerability Information

TuxBR LIBCGI Remote Buffer Overflow Vulnerability
Critical  Boundary Condition Error
2002-12-31 00:00:00 2012-11-30 00:00:00
Remote
        LIBCGI is a CGI library written in C that handles GET and POST requests and provides URL decoding, MySQL access and other functions.
        The 'parse_field()' function in the 'cgi_lib.c' source file of LIBCGI does not check its input correctly. A remote attacker can exploit this flaw to cause a buffer overflow and execute arbitrary instructions on the system with the privileges of the LIBCGI process.

- Advisories and Patches

        Temporary workaround:
        If you cannot install a patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * dong-h0un U <xploit@hackermail.com> provides the following third-party patch:
        === libcgi.patch ===
        --- cgi_lib.c Sat Dec 29 07:10:47 2001
        +++ cgi_lib.patch.c Thu Nov 21 23:47:13 2002
        @@ -126,7 +126,7 @@
        
        
         //Faz o parse buscando pelo campo na string de request HTTP
        -void parse_field(char *field, char *rtnfield)
        +void parse_field(char *field, char *rtnfield, int size)
         {
        
         char *ptr,
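Review bot: the new `size` parameter is declared `int`, so a caller can pass zero or a negative value and `size-1` turns into a huge `size_t` by the time it reaches `memmove`; declare it `size_t` (or reject `size <= 0` at the top of the function) and extend the comment above the signature to state that `size` is the capacity of `rtnfield` including the terminating NUL.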
        @@ -142,12 +142,12 @@
        
         if((endptr=strchr(ptr,'&'))!=NULL)
         {
        - memmove(rtnfield, ptr, (endptr - ptr)+1);
        + memmove(rtnfield, ptr, size-1);//(endptr - ptr)+1);
         rtnfield[(endptr - ptr)]='\0';
         }
         else
         {
        - memmove(rtnfield, ptr, (strlen(ptr))+1);
        + memmove(rtnfield, ptr, size-1);//(strlen(ptr))+1);
         rtnfield[(strlen(ptr))+1]='\0';
         }
        
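Review bot: the bounded copy in both branches is still incorrect. `memmove(rtnfield, ptr, size-1)` copies `size-1` bytes unconditionally, which reads past the end of the request string whenever the remaining input is shorter than the destination buffer, and the terminator writes that follow do not use the bound at all: `rtnfield[(endptr - ptr)]='\0'` and `rtnfield[(strlen(ptr))+1]='\0'` still index with the unbounded field length, so a long field still writes a NUL outside `rtnfield` (the `else` branch also keeps the original off-by-one, since the old `memmove` copied `strlen(ptr)+1` bytes including the NUL and the terminator is then written one byte past that). Compute the field length first, clamp it, and use the clamped value for both the copy and the terminator, along the lines of `len = (endptr != NULL) ? (size_t)(endptr - ptr) : strlen(ptr); if (len > size - 1) len = size - 1; memmove(rtnfield, ptr, len); rtnfield[len] = '\0';`.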
        --- cgi_lib.h Sun Jan 20 06:58:34 2002
        +++ cgi_lib.patch.h Thu Nov 21 23:47:05 2002
        @@ -37,7 +37,7 @@
         /*********************/
        
         void SwapChar(char *pOriginal, char cBad, char cGood);
        -void parse_field(char *field, char *rtnfield);
        +void parse_field(char *field, char *rtnfield, int size);
         void get_request(unsigned int method, char *request);
         void URLDecode(unsigned char *pEncoded);
         void vExiterr();
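Review bot: changing the prototype in the public header breaks every existing caller of `parse_field()`, not only `samples/sample3.c`. That is the right trade-off here, because an unconverted two-argument call now fails to compile instead of silently keeping the overflow, but the patch should say so, and the parameter type must stay in sync with `cgi_lib.c` if `int size` is changed to `size_t` there.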
        --- samples/sample3.c Thu Dec 27 05:52:12 2001
        +++ samples/sample3.patch.c Thu Nov 21 23:51:14 2002
        @@ -9,9 +9,9 @@
        
         get_request(1,req_http);
        
        - parse_field("name",name);
        - parse_field("address",address);
        - parse_field("telephone",tel);
        + parse_field("name",name,(int)sizeof(name));
        + parse_field("address",address,(int)sizeof(address));
        + parse_field("telephone",tel,(int)sizeof(tel));
        
         URLDecode(name);
         URLDecode(address);
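Review bot: `(int)sizeof(name)` is only the buffer capacity while `name`, `address` and `tel` are arrays declared in this file; if any of them is later changed to a `char *` (for example heap-allocated), `sizeof` silently becomes the pointer size and the bound is wrong. The `int` casts exist only to match the `int size` parameter; making the parameter `size_t` lets them go, and keeping the three array declarations next to these calls keeps the relationship between buffer and bound visible.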
        === eof ===
        Vendor patch:
        TuxBR
        -----
        The vendor has not yet released a patch or upgrade. We recommend that users of this software monitor the vendor's home page for the latest version:
        
        http://www.tuxbr.com.br

- Vulnerability Information

59568
LIBCGI cgi_lib.c parse_field Function Remote Overflow
Remote / Network Access, Input Manipulation
Loss of Integrity, Third-Party Solution
Exploit Public, Uncoordinated Disclosure

- Vulnerability Description

LIBCGI is prone to an overflow condition. The program fails to properly sanitize user-supplied input, resulting in a stack-based buffer overflow. With a specially crafted request that exploits the inadequate bounds check in the 'parse_field()' function in 'cgi_lib.c', a remote attacker can potentially corrupt memory.

- Timeline

2002-11-28 Unknown
2002-11-28 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, dong-h0un U has released an unofficial patch to address this vulnerability. As with all third-party solutions, ensure they come from a reliable source and are permitted under your company's security policy.
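As an added example (not LIBCGI's code and not the third-party patch quoted earlier), a bounded parse_field() that fixes the defect the description names: it takes the request string as an explicit parameter instead of LIBCGI's internal request buffer (an assumption about the API), matches the whole field name, clamps the copy to size-1 bytes, always NUL-terminates, and returns the full value length so a caller can detect truncation.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bounded replacement for LIBCGI's parse_field(): added example, not the
 * library's code. Assumption: the request string is passed in explicitly
 * rather than read from LIBCGI's internal buffer. Copies the value of
 * "field=" into rtnfield, which holds at most `size` bytes including the
 * NUL, and returns the full value length (greater than size-1 means it was
 * truncated) or -1 if the field is absent. Never writes past rtnfield[size-1]. */
long parse_field_bounded(const char *request, const char *field,
                         char *rtnfield, size_t size)
{
    size_t flen = strlen(field);
    const char *p = request;

    if (rtnfield == NULL || size == 0)
        return -1;
    rtnfield[0] = '\0';                   /* always leave a valid C string */

    /* Walk the "&"-separated pairs and match the whole name followed by
     * '=', so "name" does not match "username=" or "name2=". */
    while (p != NULL && *p != '\0') {
        const char *end = strchr(p, '&');
        size_t pairlen = end ? (size_t)(end - p) : strlen(p);

        if (pairlen > flen && strncmp(p, field, flen) == 0 && p[flen] == '=') {
            const char *val = p + flen + 1;
            size_t vlen = pairlen - flen - 1;                /* real length */
            size_t n = vlen < size - 1 ? vlen : size - 1;    /* clamped copy */
            memcpy(rtnfield, val, n);
            rtnfield[n] = '\0';
            return (long)vlen;
        }
        p = end ? end + 1 : NULL;
    }
    return -1;
}

int main(void)
{
    /* Constructed sample query string, as get_request() would hand it over. */
    const char *req = "name=bob&address=1%20Main%20St&telephone=555";
    char tel[3];                          /* deliberately too small: 2 chars + NUL */
    long n = parse_field_bounded(req, "telephone", tel, sizeof tel);
    printf("telephone=\"%s\" (full length %ld, %s)\n", tel, n,
           n > (long)sizeof tel - 1 ? "truncated" : "complete");
    return 0;
}
```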

- Related References

- Vulnerability Author
