OpenSSH Kerberos 4 TGT/AFS Token Buffer Overflow Vulnerability

Vulnerability ID: 1106692    Vulnerability type: Unknown
Published: 2002-04-19    Updated: 2006-03-28
CVE ID: CVE-2002-0575    CNNVD ID: CNNVD-200206-029
Platform: Linux    CVSS score: 7.5
|Vulnerability source
https://www.exploit-db.com/exploits/21402
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200206-029
|Vulnerability details
OpenSSH is an open-source implementation of the SSH protocol. It was originally written for OpenBSD and has since been ported to many Unix/Linux-like operating systems. The OpenSSH server contains a buffer overflow vulnerability that allows a remote or local attacker to obtain root privileges on the host. The problem lies in the server's handling of Kerberos 4 TGT/AFS tokens submitted by the client: if the TGT token data is malformed, an unbounded string copy overflows a buffer. In OpenSSH 2.9.9 and later, exploiting this vulnerability requires the login credentials of a valid user; in versions before 2.9.9, no valid user authentication is required.
|Vulnerability exploit (EXP)
source: http://www.securityfocus.com/bid/4560/info

A buffer overflow condition exists in the OpenSSH server. The condition is exploitable by attackers with valid user credentials in versions 2.9.9 and higher. Exploitation does not require valid user credentials in versions prior to 2.9.9.

The vulnerability is related to the handling of Kerberos 4 TGT/AFS tokens passed by the client. An unbounded string copy operation may result in a stack overflow if the TGT/token data is malformed.

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/21402.tar
|References

Source: BID
Name: 4560
Link: http://www.securityfocus.com/bid/4560
Source: XF
Name: openssh-sshd-kerberos-bo(8896)
Link: http://www.iss.net/security_center/static/8896.php
Source: BUGTRAQ
Name: 20020429 TSLSA-2002-0047-openssh
Link: http://archives.neohapsis.com/archives/bugtraq/2002-04/0394.html
Source: OSVDB
Name: 781
Link: http://www.osvdb.org/781
Source: BUGTRAQ
Name: 20020426 Revised OpenSSH Security Advisory (adv.token)
Link: http://online.securityfocus.com/archive/1/269701
Source: BUGTRAQ
Name: 20020419 OpenSSH 2.2.0-3.1.0 server contains a locally exploitable buffer overflow
Link: http://online.securityfocus.com/archive/1/268718
Source: VULN-DEV
Name: 20020419 OpenSSH 2.2.0-3.1.0 server contains a locally exploitable buffer overflow
Link: http://marc.theaimsgroup.com/?l=vuln-dev&m=101924296115863&w=2
Source: BUGTRAQ
Name: 20020517 OpenSSH 3.2.2 released (fwd)
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=102167972421837&w=2
Source: BUGTRAQ
Name: 20020420 OpenSSH Security Advisory (adv.token)
Link: http://archives.neohapsis.com/archives/bugtraq/2002-04/0298.html
Source: CALDERA
Name: CSSA-2002-022.2
Link: ftp://ftp