CVE-2003-1247
Published 2003-12-31
Priority: P3 · 39 · high · 7.5 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 9.95% (95.0th percentile)
Multiple buffer overflows in H-Sphere WebShell 2.3 allow remote attackers to execute arbitrary code via (1) a long URL content type in CGI::readFile, (2) a long path in diskusage, and (3) a long fname in flist.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| positive_software | h-sphere | — | — |
Detection & IOCs (extracted from sources)
IOC (bytes): `\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xb0\x2e\xcd\x80\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b\xcd\x80\x89\xc7\x52\x66\x68`
IOC (bytes): `\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff`
- The remote exploit delivers shellcode via the HTTP Accept-Encoding header in a POST request to the webshell CGI path; detect oversized or binary-content Accept-Encoding headers in POST requests targeting webshell endpoints.
- The overflow is triggered via a long Content-Type multipart boundary value; monitor for HTTP requests where the Content-Type multipart/form-data boundary parameter is abnormally long (>256 bytes).
- Successful exploitation of the remote variant binds a root shell to TCP port 10000 on the victim; monitor for unexpected listening services on port 10000 following webshell CGI access.
- The local exploit drops artefacts at /tmp/.webshell.txt, /tmp/zz, and /tmp/rs; alert on creation of these specific files, especially /tmp/rs with the SUID bit set.
- The local exploit requires the webshell binary to be SUID root; audit for SUID/SGID binaries named 'webshell' in web-accessible directories.
- The exploit uses a bruteforce loop forking the webshell process repeatedly with varying EGG_SIZE (257–291) and RET_ADDR values; detect rapid repeated process spawning of the webshell binary from a single parent process.
- The exploit sets environment variables CONTENT_LENGTH=261, REQUEST_METHOD=POST, and a large 'S=' NOP-sled variable; inspect the CGI environment for anomalously large environment variable values, particularly 'S='.
- The vulnerability was confirmed in H-Sphere 2.3 RC3 and WebShell 2.4; whether earlier versions are affected is unknown per the advisory.
- The port-binding shellcode has the target port (10000 by default) embedded as a runtime-patched 2-byte value at offsets 33–34; the bound port can be changed by the attacker at compile time.
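The first two detection hints above (an abnormally long multipart boundary, and an oversized or binary Accept-Encoding header on a POST to the webshell CGI) can be checked mechanically at a reverse proxy or in a request log. The following is an added example, not code from this page or from any of the indexed sources; the CGI path pattern, the 256-byte boundary threshold from the hint, the 128-byte Accept-Encoding threshold and the sample requests are all assumptions constructed for the demonstration.

```python
import re
from typing import Dict, List

# Assumption: the webshell CGI is served from a path containing "webshell" under /cgi-bin/.
WEBSHELL_PATH_RE = re.compile(r"/cgi-bin/[^?\s]*webshell", re.IGNORECASE)
MAX_BOUNDARY_LEN = 256          # threshold taken from the detection hint above
MAX_ACCEPT_ENCODING_LEN = 128   # assumed threshold; legitimate values are a few dozen bytes

# Matches both quoted and bare boundary parameters in a Content-Type value.
BOUNDARY_RE = re.compile(r'boundary=(?:"([^"]*)"|([^;\s]*))', re.IGNORECASE)


def parse_request(raw: bytes) -> Dict:
    """Split a raw HTTP request head into method, target and a lower-cased header map.
    Header values are kept as bytes so non-printable content is not lost."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    headers: Dict[str, bytes] = {}
    for line in lines[1:]:
        if b":" in line:
            name, value = line.split(b":", 1)
            headers[name.strip().lower().decode("latin-1")] = value.strip()
    return {
        "method": method.decode("latin-1"),
        "target": target.decode("latin-1"),
        "headers": headers,
    }


def boundary_length(content_type: bytes) -> int:
    """Length of the multipart boundary parameter, or 0 if there is none."""
    m = BOUNDARY_RE.search(content_type.decode("latin-1"))
    if not m:
        return 0
    return len(m.group(1) if m.group(1) is not None else m.group(2))


def has_non_printable(value: bytes) -> bool:
    """True if the header value contains bytes outside printable ASCII."""
    return any(b < 0x20 or b > 0x7E for b in value)


def detect(raw: bytes) -> List[str]:
    """Return a list of findings for one request; empty means nothing suspicious."""
    req = parse_request(raw)
    findings: List[str] = []
    if req["method"] != "POST" or not WEBSHELL_PATH_RE.search(req["target"]):
        return findings
    headers = req["headers"]

    ct = headers.get("content-type", b"")
    if b"multipart/form-data" in ct.lower():
        blen = boundary_length(ct)
        if blen > MAX_BOUNDARY_LEN:
            findings.append(f"oversized multipart boundary ({blen} bytes)")

    ae = headers.get("accept-encoding", b"")
    if len(ae) > MAX_ACCEPT_ENCODING_LEN:
        findings.append(f"oversized Accept-Encoding ({len(ae)} bytes)")
    if has_non_printable(ae):
        findings.append("non-printable bytes in Accept-Encoding")
    return findings


# Constructed sample requests (not captured traffic).
BENIGN_GET = b"GET /cgi-bin/webshell HTTP/1.0\r\nHost: example.invalid\r\nAccept-Encoding: gzip\r\n\r\n"
BENIGN_POST = (
    b"POST /cgi-bin/webshell HTTP/1.0\r\nHost: example.invalid\r\n"
    b"Content-Type: multipart/form-data; boundary=----FormBoundary7MA4YWxk\r\n"
    b"Accept-Encoding: gzip, deflate\r\nContent-Length: 0\r\n\r\n"
)
SUSPICIOUS_POST = (
    b"POST /cgi-bin/webshell HTTP/1.0\r\nHost: example.invalid\r\n"
    b"Content-Type: multipart/form-data; boundary=" + b"A" * 300 + b"\r\n"
    b"Accept-Encoding: " + b"\x90" * 150 + b"\xff\xfe" + b"\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for label, sample in (("benign GET", BENIGN_GET), ("benign POST", BENIGN_POST), ("suspicious POST", SUSPICIOUS_POST)):
        print(label, "->", detect(sample) or "clean")
```

Run as a script it reports the benign samples as clean and the constructed suspicious POST with three findings; the same `detect` function can be fed request heads reconstructed from a proxy log or a packet capture.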
GHSA
GHSA-gfmm-7mpj-4hr2: Multiple buffer overflows in H-Sphere WebShell 2 [HIGH]
GHSA (unreviewed) · 2022-04-29
Multiple buffer overflows in H-Sphere WebShell 2.3 allow remote attackers to execute arbitrary code via (1) a long URL content type in CGI::readFile, (2) a long path in diskusage, and (3) a long fname in flist.
Cisco
CVE-2005-1247: SSL Implementation Vulnerabilities
vendor: cisco
On September 30, 2003, new vulnerabilities in the OpenSSL implementation for SSL were announced. This is referred to as the "first" vulnerability in this document. On November 4, 2003, another vulnerability in the OpenSSL implementation for SSL, version 0.9.6, was announced. This is referred to as the "second" vulnerability in this document. An affected network device running an SSL server based on an affected OpenSSL implementation may be vulnerable to a Denial of Service (DoS) attack when presented with a malformed certificate by a client. The network device may be vulnerable to this vulnerability even if it is configured to not authenticate certificates from the client. There are
CWE: CWE-399
Bug IDs: CSCec46274, CSCec31274, CSC
No detection rules found.
Exploit-DB
CVE-2003-1247: H-Sphere WebShell 2.4 - Local Privilege Escalation
exploitdb · 2003-01-06
---
// source: https://www.securityfocus.com/bid/6527/info
A vulnerability has been discovered in H-Sphere Webshell. During the pre-authentication phase Webshell fails to perform sufficient bounds checking on user-supplied HTTP parameters. As a result, a malicious attacker may be able to trigger a buffer overrun.
Successful exploitation of this issue would allow an attacker to overwrite the vulnerable function's instruction pointer. By causing the program to return to attacker-supplied instructions, it may be possible to execute arbitrary code with the privileges of the target process.
It should be noted that this issue was discovered in H-Sphere 2.3 RC3. It is not yet known whether earlier versions are also vulnerable.
/*
* Local r0
Exploit-DB
CVE-2003-1247: H-Sphere WebShell 2.4 - Remote Command Execution
exploitdb · 2003-01-06
---
/*
source: https://www.securityfocus.com/bid/6527/info
A vulnerability has been discovered in H-Sphere Webshell. During the pre-authentication phase Webshell fails to perform sufficient bounds checking on user-supplied HTTP parameters. As a result, a malicious attacker may be able to trigger a buffer overrun.
Successful exploitation of this issue would allow an attacker to overwrite the vulnerable function's instruction pointer. By causing the program to return to attacker-supplied instructions, it may be possible to execute arbitrary code with the privileges of the target process.
It should be noted that this issue was discovered in H-Sphere 2.3 RC3. It is not yet known whether earlier versions are also vulnerable.
*/
/*
* Remote
No writeups or analysis indexed.
References:
- http://psoft.net/misc/webshell_patch.html
- http://secunia.com/advisories/7832
- http://www.iss.net/security_center/static/10999.php
- http://www.iss.net/security_center/static/11002.php
- http://www.iss.net/security_center/static/11003.php
- http://www.securityfocus.com/archive/1/305313
- http://www.securityfocus.com/bid/6527
- http://www.securityfocus.com/bid/6537
- http://www.securityfocus.com/bid/6538
- http://www.securityfocus.com/bid/6540
- http://www.securitytracker.com/id?1005893