发布时间 :1999-12-22 00:00:00
修订时间 :2008-09-10 15:02:23

[原文]Solaris dmi_cmd allows local users to crash the dmispd daemon by adding a malformed file to the /var/dmi/db database.

[CNNVD]Solaris DMI的拒绝服务漏洞(CNNVD-199912-071)

        Solaris dmi_cmd中存在漏洞,本地用户利用该漏洞通过增加一个恶意文件到/ var /dmi/ db数据库使得dmispd守护进程崩溃。

- CVSS (基础分值)

CVSS分值: 10 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)


- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源

- 漏洞信息

Solaris DMI的拒绝服务漏洞
危急 访问验证错误
1999-12-22 00:00:00 2005-05-02 00:00:00
        Solaris dmi_cmd中存在漏洞,本地用户利用该漏洞通过增加一个恶意文件到/ var /dmi/ db数据库使得dmispd守护进程崩溃。

- 公告与补丁

        Patches are available to all sun customers at
        It is believed patch 107709-04 for sparc, and 107710-04 for x86, will remedy these problems.
        Sun Solaris 7.0 _x86

  •         Sun 107710-04x86


        Sun Solaris 7.0

  •         Sun 107709-04sparc


- 漏洞信息 (19681)

Solaris 7.0 DMI Denial of Service Vulnerabilities (EDBID:19681)
solaris remote
1999-12-22 Verified
0 Brock Tellier
N/A [点击下载]

DMI is the Desktop Management Interface, and is a suite of application management programs shipped with Sun's Solaris. Each application that is managed through DMI has a MIF record (which contains information about its managable components and properties) that can be inserted into the MIF database (/var/dmi/db) through the dmisp (DMI Service Providor) daemon. There is no authentication performed on who submits new MIFs, meaning anybody can do it. This creates two possible denial of service conditions. The first is consumption of disk space in /var. There are no limits (set by default) on how much space the DMI database can use. This may be used in conjunction with other vulnerabilities to prevent logging, etc. A second vulnerability is a buffer overflow condition in dmispd when MIFs are a certain size. It may be exploitable beyond being a simple denial of service (it may be possible to execute arbitrary code as root remotely). 

Buffer Overflow Crash:

echo `perl -e "print 'A' x 1000"` > /usr/home/btellier/my.mif
dmi_cmd -CI ../../../usr/home/btellier/my.mif

(dmispd segfaults) 		

- 漏洞信息

Solaris dmi_cmd Malformed DB Entry dmispd DoS
Local Access Required Denial of Service
Loss of Availability
Exploit Public

- 漏洞描述

Sun Microsystems Solaris dmispd contains a flaw that may allow a local denial of service. The issue is triggered when dmi_cmd is used to add a file which has more than 1024 characters in the first line to the DMI database, and will result in loss of availability for the DMI service.

- 时间线

1999-12-22 Unknow
1999-12-22 Unknow

- 解决方案

Currently, there are no known workarounds or upgrades to correct this issue. However, Sun Microsystems has released a patch to address this vulnerability.

- 相关参考

- 漏洞作者