CVE-2004-0453
CVSS 7.2
Published: 2004-08-06 00:00:00
Revised: 2016-10-17 22:45:27

[Original] Format string vulnerability in the monitor "memory dump" command in VICE 1.6 to 1.14 allows local users to cause a denial of service (emulator crash) and possibly execute arbitrary code via format string specifiers in an output string.


[CNNVD] VICE monitor memory dump format string vulnerability (CNNVD-200408-026)

A format string vulnerability exists in the monitor "memory dump" command in VICE 1.6 through 1.14. Local users can cause a denial of service (emulator crash) and possibly execute arbitrary code via format string specifiers in an output string.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [complete information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause the system to go down completely]
Attack complexity: LOW [no access restrictions on exploiting the vulnerability]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:vice:vice:1.14
cpe:/a:vice:vice:1.13
cpe:/a:vice:vice:1.6

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0453
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0453
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200408-026
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=108723630730487&w=2
(UNKNOWN)  BUGTRAQ  20040614 VICE emulator format string vulnerability
http://www.securityfocus.com/bid/10543
(VENDOR_ADVISORY)  BID  10543
http://xforce.iss.net/xforce/xfdb/16404
(VENDOR_ADVISORY)  XF  vice-memory-dump-format-string(16404)

- Vulnerability information

VICE monitor memory dump format string vulnerability
High risk  Format string
2004-08-06 00:00:00 2005-10-20 00:00:00
Local
A format string vulnerability exists in the monitor "memory dump" command in VICE 1.6 through 1.14. Local users can cause a denial of service (emulator crash) and possibly execute arbitrary code via format string specifiers in an output string.

- Advisories and patches

        Spiro Trikaliotis , a developer for the VICE project, supplied the following supported patch:
        http://downloads.securityfocus.com/vulnerabilities/patches/vice-1.14-mon-vuln.patch
        VICE version 1.15 has been released and resolves this issue.
        VICE VICE 1.10
        VICE VICE 1.11
        VICE VICE 1.12
        VICE VICE 1.13
        VICE VICE 1.14
        VICE VICE 1.6
        VICE VICE 1.7
        VICE VICE 1.8
        VICE VICE 1.9

- Vulnerability information (F33561)

VSA-2004-1.txt (PacketStormID:F33561)
2004-06-18 00:00:00
Spiro Trikaliotis  viceteam.org
advisory
CVE-2004-0453

VICE Security Advisory VSA-2004-1 - VICE versions 1.6 through 1.14 on all platforms are vulnerable to a format string vulnerability in the handling of the monitor memory dump command.

------------------------------------------------------------------------
VICE Security Advisory                                        VSA-2004-1
------------------------------------------------------------------------

Summary:

           Severity: Low
              Title: VICE monitor memory dump format string vulnerability
               Date: June 14, 2004
            Version: 1
                 ID: VSA-2004-01
             Impact: Could allow arbitrary code execution
       Project site: http://www.viceteam.org/
  Affected Versions: VICE 1.6 up to 1.14 on all platforms
           Revision: 1
          CVE Names: CAN-2004-0453

------------------------------------------------------------------------

What is VICE?

  VICE is a program that runs on a Unix, MS-DOS, Win32, OS/2, Acorn RISC
  OS or BeOS machine and executes programs intended for the old 8-bit
  Commodore computers. The current version emulates the C64, the C128,
  the VIC20, all the PET models (except the SuperPET 9000, which is out
  of line anyway), the PLUS4 and the CBM-II (aka C610).

  More information can be found on the VICE homepage:
  http://www.viceteam.org/


Affected VICE versions:

  At least VICE 1.6 up to VICE 1.14 on all platforms are affected. The
  VICE team has not checked if older versions are affected, too.


Description:

  There is a format string vulnerability in the handling of the monitor
  "memory dump" command. If the string to be output contains any % sign,
  it is interpreted as a command for the output, normally resulting in a
  crash. Even more sophisticated exploits, like arbitrary code execution
  on the host machine, are possible.


Impact:

  It is possible to crash the emulator or even execute arbitrary code on
  the host machine from the inside of the emulated machine. For this, an
  attacker needs to fill up parts of the memory with a specific value
  and wheedle the user to enter the monitor and type in a specific
  command.

  Without the user being wheedled to enter the monitor and type in that
  specific command, this vulnerability is not exploitable.


Proof-of-Concept:

  The VICE team will not publish exploit code.


Severity rating:

  This vulnerability can be used to execute arbitrary code on the host
  machine out of the emulated machine. Anyway, since it requires the
  user to enter the monitor and type a specific command, we find the
  risk low of exploiting this. It should be hard to wheedle the user to
  press exactly this sequence.


Workaround:

  Don't use the VICE monitor.


Solution:

  Upgrade to a newer version of VICE as soon as it becomes available, or
  use the attached security patch at [2].


Updates:

  An online version of this document can be found at [3].


References:

  [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0453
  [2] http://www.trikaliotis.net/vicekb/vice-1.14-mon-vuln.diff.gz
  [3] http://www.trikaliotis.net/vicekb/vsa-2004-1


Date line:

  June  8, 2004: The VICE team has been informed about this vulnerability
  June  8, 2004: The VICE team releases an internal patch to fix this
                 vulnerability
  June 10, 2004: First Linux distributors are being contacted.
  June 14, 2004: Publication of this flaw


------------------------------------------------------------------------

June 14, 2004                                              The VICE team

Regards,
   Spiro Trikaliotis.

- Vulnerability information

7083
VICE Monitor Memory Dump Command Execution

- Vulnerability description

Unknown or Incomplete

- Timeline

2004-06-16 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

VICE Monitor Memory Dump Format String Vulnerability
Input Validation Error 10543
No Yes
2004-06-14 12:00:00 2009-07-12 05:16:00
Discovery of this vulnerability is credited to Spiro Trikaliotis <trik-news@gmx.de>.

- Affected program versions

VICE VICE 1.14
VICE VICE 1.13
VICE VICE 1.12
VICE VICE 1.11
VICE VICE 1.10
VICE VICE 1.9
VICE VICE 1.8
VICE VICE 1.7
VICE VICE 1.6
VICE VICE 1.15

- Unaffected program versions

VICE VICE 1.15

- Vulnerability discussion

VICE monitor is reported prone to a format string vulnerability. The issue is reported to exist when output from the monitor "memory dump" command is displayed. Memory contents are used without sanitization as the format string for a print formatted function. As a result, malicious memory contents containing format specifiers will be interpreted as format directives when a memory dump is performed; this may result in attacker-specified memory being corrupted in the context of the user who is running the VICE monitor memory dump command.
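The mechanism described in the advisory and in the discussion above, as an added illustration that is not VICE's code and not the referenced patch: a constructed dump routine renders bytes from emulated memory into a text line, so a 0x25 ('%') byte in memory lands in the ASCII column. That line is harmless as a printf argument under a constant format, but would be parsed as conversion directives if the line itself were used as the format string. The sample memory and all function names are constructed for this example.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample of emulated memory (not from any real program or ROM).
 * It contains 0x25 ('%') bytes, so the ASCII column of the dump will too. */
static const uint8_t sample_mem[8] = {
    0x41, 0x25, 0x6e, 0x25, 0x78, 0x00, 0x7f, 0x42
};

/* Render one "addr: hex bytes  ascii" dump line into buf.
 * Returns the number of characters written (excluding the terminator). */
int render_dump_line(uint16_t addr, const uint8_t *mem, size_t n,
                     char *buf, size_t buflen)
{
    int len = snprintf(buf, buflen, "%04x:", addr);
    for (size_t i = 0; i < n && (size_t)len < buflen; i++)
        len += snprintf(buf + len, buflen - (size_t)len, " %02x", mem[i]);
    if ((size_t)len < buflen)
        len += snprintf(buf + len, buflen - (size_t)len, "  ");
    /* Non-printable bytes become '.'; printable ones, '%' included, are copied as-is. */
    for (size_t i = 0; i < n && (size_t)len + 1 < buflen; i++)
        buf[len++] = isprint(mem[i]) ? (char)mem[i] : '.';
    if ((size_t)len < buflen)
        buf[len] = '\0';
    return len;
}

/* A rendered line is safe only as data: any '%' in it would be parsed as a directive if used as a format. */
int contains_format_directive(const char *line)
{
    return strchr(line, '%') != NULL;
}

/* The bug class described in VSA-2004-1 is the pattern
 *     printf(line);          // line (built from emulated memory) becomes the format
 * The fixed form keeps the format constant and passes the line as an argument. */
void emit_line(const char *line)
{
    printf("%s\n", line);
}

int main(void)
{
    char line[128];
    render_dump_line(0xc000, sample_mem, sizeof sample_mem, line, sizeof line);
    emit_line(line);  /* prints: c000: 41 25 6e 25 78 00 7f 42  A%n%x..B */
    return 0;
}
```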

- Exploitation

It has been reported that this issue is being exploited in the wild, although at this time these exploits are not publically available.

- Solution

Spiro Trikaliotis <trik-news@gmx.de>, a developer for the VICE project, supplied the following supported patch:

http://downloads.securityfocus.com/vulnerabilities/patches/vice-1.14-mon-vuln.patch

VICE version 1.15 has been released and resolves this issue.


VICE VICE 1.10
VICE VICE 1.11
VICE VICE 1.12
VICE VICE 1.13
VICE VICE 1.14
VICE VICE 1.6
VICE VICE 1.7
VICE VICE 1.8
VICE VICE 1.9

- References
