Published: 2003-12-01 00:00:00
Revised: 2008-09-10 15:20:57

[Original text] Buffer overflow in conquest 7.2 and earlier may allow a local user to execute arbitrary code via a long environment variable.



- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(official data source) MITRE
(official data source) NVD
(official data source) CNNVD

- Other links and resources

- Vulnerability information

Severity: Medium    Class: Boundary condition error
Published: 2003-12-01 00:00:00    Updated: 2005-10-20 00:00:00

- Advisories and patches

        DSA-398-1: New conquest packages fix local conquest exploit

        Source archives:

        Size/MD5 checksum: 606 89c7be20d34d9176d18eb51f28c7806e

        Size/MD5 checksum: 32749 27d90e0b6719579833cb064a2b70dcdb

        Size/MD5 checksum: 255029 c02891f6c0c4b8c73a82c1c8185e3025
        Alpha architecture:

        Size/MD5 checksum: 366064 b6d212bd4a4880488195d47002e66981
        ARM architecture:

        Size/MD5 checksum: 227160 42399fea69c68ce63890e63b1b6c00ef
        Intel IA-32 architecture:

        Size/MD5 checksum: 228846 f03fd6daf700e6f3bf8def68eff30d72
        Intel IA-64 architecture:

        Size/MD5 checksum: 402110 ffbff5ca106ee2d41b28aa15e61f74ce
        HP Precision architecture:

        Size/MD5 checksum: 260870 1348a3b191e52a84302ee6304654007f
        Motorola 680x0 architecture:

        Size/MD5 checksum: 215282 02fc3e118af479c039dde99cf400dac7
        Big endian MIPS architecture:

        Size/MD5 checksum: 277570 a538cc763893262f56dbcc247d63f75f
        Little endian MIPS architecture:

        Size/MD5 checksum: 275324 ca3d4e2831592b7a0a9b302845895699
        PowerPC architecture:

        Size/MD5 checksum: 267460 6c14f9505b9a70a26b251086fb0a4283
        IBM S/390 architecture:

        Size/MD5 checksum: 241432 f427b9ce0febfe66370b773c84e30a2e
        Sun Sparc architecture:

        Size/MD5 checksum: 302096 50f45c32dc171f547ade2d0439e3ebe0
        1. Install the patch package manually:
         # wget url (url is the download link for the patch)
         # dpkg -i file.deb (file is the name of the corresponding patch package)
         Compare the MD5 of each downloaded file against the checksum listed above before installing it.
        2. Install the patch packages automatically with apt-get:
         # apt-get update
         # apt-get upgrade

- Vulnerability information

Conquest Environment Variable Overflow
Local Access Required Input Manipulation
Loss of Integrity
Exploit Unknown

- Vulnerability description

A local buffer overflow exists in Conquest. In conf.c and conqlb.c, several sprintf calls copy the value of the HOME environment variable into fixed-size buffers without checking its length, so an overlong HOME overflows the destination buffer. A local attacker who sets a specially crafted HOME value before running the game can execute arbitrary code with the privileges of the group that owns the conquest executable (conquest is installed SGID), resulting in a loss of integrity and/or availability.
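The following C program is an illustration added to this entry; it is not conquest's source. It reproduces the bug class the description names (a fixed-size buffer, an unbounded sprintf of the attacker-controlled HOME variable) next to a bounded replacement whose return value is checked, and includes a small self-check that drives the hardened builder with a benign and a hostile HOME. The buffer size PATH_BUF, the file name .conquestrc and all function names are assumptions made for this example.

```c
/*
 * Added illustration of the bug class described above (not conquest's
 * own code): a fixed-size buffer filled by sprintf from $HOME with no
 * length check, beside a bounded replacement.  PATH_BUF, CONF_NAME
 * and all function names are assumptions made for this example.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF  256                /* assumed destination buffer size */
#define CONF_NAME "/.conquestrc"     /* assumed per-user config file name */

/* Vulnerable pattern: sprintf never sees the size of 'out', so a HOME
 * longer than PATH_BUF - strlen(CONF_NAME) - 1 bytes writes past the end
 * of the buffer.  In an SGID binary that is a privilege escalation.
 * Callers below only ever pass it a HOME that fits. */
static void build_conf_path_unsafe(char out[PATH_BUF], const char *home)
{
    sprintf(out, "%s%s", home, CONF_NAME);
}

/* Returns 1 if 'home' would overflow a PATH_BUF-byte buffer in the
 * unsafe builder above, 0 otherwise (the +1 is the terminating NUL). */
static int home_would_overflow(const char *home)
{
    return strlen(home) + strlen(CONF_NAME) + 1 > PATH_BUF;
}

/* Hardened replacement: snprintf bounds the write, and the return value
 * is checked so that a truncated path is rejected instead of used.
 * Returns 0 on success, -1 if HOME is too long. */
static int build_conf_path_safe(char *out, size_t outlen, const char *home)
{
    int n = snprintf(out, outlen, "%s%s", home, CONF_NAME);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen > 0)
            out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Builds the kind of HOME value a local attacker would export:
 * n-1 bytes of 'A' followed by a NUL. */
static void make_long_home(char *buf, size_t n)
{
    if (n == 0)
        return;
    memset(buf, 'A', n - 1);
    buf[n - 1] = '\0';
}

/* Runs the hardened builder against a benign and a hostile HOME and
 * reports whether it behaved correctly (1 = yes, 0 = no). */
static int check_hardened_builder(void)
{
    char out[PATH_BUF];
    char hostile[2 * PATH_BUF];

    if (build_conf_path_safe(out, sizeof out, "/home/alice") != 0)
        return 0;
    if (strcmp(out, "/home/alice" CONF_NAME) != 0)
        return 0;

    make_long_home(hostile, sizeof hostile);
    if (!home_would_overflow(hostile))
        return 0;
    if (build_conf_path_safe(out, sizeof out, hostile) != -1)
        return 0;
    return out[0] == '\0';
}

int main(void)
{
    const char *home = getenv("HOME");
    char out[PATH_BUF];

    if (home == NULL)
        home = "/";
    if (home_would_overflow(home)) {
        fprintf(stderr, "refusing to use HOME (%zu bytes): would overflow\n",
                strlen(home));
        return 1;
    }
    build_conf_path_unsafe(out, home);   /* safe only because of the check above */
    printf("config path: %s\n", out);
    return check_hardened_builder() ? 0 : 2;
}
```

Run it with a normal HOME and it prints the derived path; run it with `HOME=$(printf 'A%.0s' $(seq 300))` and the length check refuses before the unsafe sprintf is reached. The point of the hardened form is not snprintf alone but the check of its return value: a silently truncated path is still a bug, just a quieter one.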

- Timeline

1998-03-16 Unknown
Unknown Unknown

- Solution

Upgrade to version 8.0 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by applying the following workaround: apply the patch from the Debian project to 7.1.

- Related references

- Vulnerability author

- Vulnerability information

Conquest Unspecified Local Environment Variable Buffer Overflow Vulnerability
Class: Boundary Condition Error    Bugtraq ID: 8996
Remote: No    Local: Yes
Published: 2003-11-10 12:00:00    Updated: 2009-07-12 12:56:00
Discovery of this vulnerability has been credited to Steve Kemp.

- Affected program versions

Conquest Conquest 7.1.1-6
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha

- Vulnerability discussion

A local buffer overrun vulnerability has been reported for conquest. The problem occurs due to insufficient bounds checking when parsing data contained in the user's environment. As a result, an attacker may be capable of controlling the execution flow of the conquest program and effectively executing arbitrary code with elevated privileges.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: <>.

- Solution

Debian has released an advisory (DSA 398-1) and fixes to address this issue. Affected users are advised to apply these fixes as soon as possible. Further information regarding obtaining and applying these fixes is available in the referenced advisory.

- Related references