
add info of two CVEs

mudongliang committed May 23, 2018
1 parent e548ca0 commit 415e99b947703bc20ebc2ee0ab13cb6cd6a0ebd2
Showing with 563 additions and 3 deletions.
  1. +39 −0 CVE-2006-0539/README.md
  2. +109 −1 CVE-2006-1148/README.md
  3. +281 −0 CVE-2006-1148/poc1.c
  4. +132 −0 CVE-2006-1148/poc2.c
  5. +2 −2 README.md
@@ -2,14 +2,53 @@

## Experiment Environment

Ubuntu 8.10

## INSTALL & Configuration

```
wget https://github.com/mudongliang/source-packages/raw/master/CVE-2006-0539/fcron-3.0.0.src.tar.gz
tar -xvf fcron-3.0.0.src.tar.gz
cd fcron-3.0.0
./configure
make
```

## Problems in Installation & Configuration


## How to trigger vulnerability

```
./convert-fcrontab `perl -e 'print "pi3"x600'`
```

## PoCs

[Fcron Convert-FCronTab Local Buffer Overflow Vulnerability](https://www.securityfocus.com/bid/16467/exploit)

[Fcron 3.0 - Convert-FCronTab Local Buffer Overflow](https://www.exploit-db.com/exploits/27159/)

## Vulnerability Patch

### Root Cause

See [Fcron (convert-fcrontab) allow users to corruption on heap section.](https://www.securityfocus.com/archive/1/archive/1/423697/100/0/threaded) for details.

### Stack Trace

```
......
#9 0x40111caf in syslog () from /lib/libc.so.6
#10 0x0804a5d8 in log_syslog_str (priority=3, msg=0x804ee08 "Could not read ", 'A' <repeats 146 times>, " (truncated)")
at log.c:102
#11 0x0804a739 in log_e (priority=3, fmt=0x804abcf "Could not read %s", args=0xbffff014 "ĐČ\004\bpz\006@0l\001@áŘ")
at log.c:165
#12 0x0804a90c in die_e (fmt=0x804abcf "Could not read %s") at log.c:339
#13 0x0804923a in convert_file (file_name=0x804c8d0 'A' <repeats 200 times>...) at convert-fcrontab.c:153
#14 0x0804936d in main (argc=134523688, argv=0xbffff677) at convert-fcrontab.c:276
```

### Patch

## References
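Review bot: the `### Patch` and `## References` headings that close this hunk are empty, and `### Root Cause` only links out to a securityfocus archive thread, so the README records nothing about the bug itself if that link goes stale; a one-paragraph summary of the linked advisory belongs here, plus the upstream fix or a note that none was located. The stack trace already supports a minimal in-repo explanation: frame #13 shows `convert_file (file_name=0x804c8d0 'A' <repeats 200 times>...) at convert-fcrontab.c:153` failing on the oversized argument, and the crash surfaces only later, inside `syslog ()` reached via `die_e`/`log_e` with `fmt="Could not read %s"`, which is worth stating so readers do not mistake `log.c` for the faulty code. The `......` at the top of the trace should also be replaced by the actual inner frames (#0 to #8), since those are the ones that show where memory is corrupted; and the `## Problems in Installation & Configuration` section should either say "none" or be dropped.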
@@ -1,19 +1,127 @@
# CVE/EDB ID
# CVE-2006-1148

## Experiment Environment

Ubuntu 10.04 LTS

## INSTALL & Configuration

```
wget https://github.com/mudongliang/source-packages/raw/master/CVE-2006-1148/peercast-0.1214.tar.gz
tar -xvf peercast-0.1214.tar.gz
cd peercast-0.1214
./configure
make
sudo make install
```

## Problems in Installation & Configuration


## How to trigger vulnerability

Server:

```
/usr/local/bin/peercast -d
```

Client:

```
gcc -o exploit1 poc1.c
./exploit1 -s 127.0.0.1 -c 0 -t 1 -x 31337
gcc -o exploit2 poc2.c
./exploit2 127.0.0.1 7144
visit http://www.example.com/stream/?AAAAAAAAAAAAAAAAAAAAAAA....(800)
```

## PoCs

[PeerCast 0.1216 - 'nextCGIarg' Remote Buffer Overflow (2)](https://www.exploit-db.com/exploits/1578/)

[PeerCast 0.1216 - 'nextCGIarg' Remote Buffer Overflow (1)](https://www.exploit-db.com/exploits/1574/)

[Peercast.org PeerCast Remote Buffer Overflow Vulnerability](https://www.securityfocus.com/bid/17040/exploit)

## Vulnerability Details & Patch

### Root Cause

After short research, high-risk vulnerability was discovered in PeerCast
Streaming server. Unauthenticated remote user can send specially crafted
request to the HTTP server that will cause stack overflow, what can be
easily exploited for remote code execution. The problem is present in URL
handling code. When user requests special URL on the server (like
'stream'), arguments are processed with procConnectArgs() function.

Vulnerable code in /code/common/servmgr.cpp
```
void ServMgr::procConnectArgs(char *str,ChanInfo &info)
{
char arg[512];
char curr[256];
char *args = strstr(str,"?");
if (args)
*args++=0;
info.initNameID(str);
if (args)
{
while (args=nextCGIarg(args,curr,arg))
{
...
...
...
```

Function procConnectArgs() will process arguments (char *str) passed to
the server script. Both buffers (arg[512] and curr[256]) allocated on the
stack can be overflowed inside of nextCGIarg() function in while() loop if
too long string is passed after '?' character in URL.
Vulnerable code in /code/common/servhs.cpp:
```
char *nextCGIarg(char *cp, char *cmd, char *arg)
{
if (!*cp)
return NULL;
// fetch command
while (*cp)
{
char c = *cp++;
if (c == '=')
break;
else
*cmd++ = c;
}
*cmd = 0;
// fetch arg
while (*cp)
{
char c = *cp++;
if (c == '&')
break;
else
*arg++ = c;
}
*arg = 0;
return cp;
}
```
### Stack Trace
### Patch
## References
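Review bot: the `### Patch`, `### Stack Trace` and `## References` sections at the end of this hunk are empty even though the root cause is fully visible in the quoted `nextCGIarg()`: both `*cmd++ = c;` and `*arg++ = c;` copy until `=`/`&`/NUL with no length argument and no check against the callers' `curr[256]` and `arg[512]`, so the Patch section should at minimum state that the fix is to pass the destination sizes into `nextCGIarg` and stop copying at `size - 1` (or name the upstream commit that did so). Two smaller points in the same hunk: the file opens with two top-level headings, `# CVE/EDB ID` and `# CVE-2006-1148`, where the first looks like a leftover template placeholder and should be removed or turned into a field; and the last line of the trigger block, `visit http://www.example.com/stream/?AAAA...(800)`, points at example.com although the preceding commands target the local server (`./exploit2 127.0.0.1 7144`), so it should use the same host and port and be separated from the shell commands, since it is an instruction rather than something to paste into a terminal.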