CVE-2000-0963
CVSS 7.2
Published: 2000-12-19 00:00:00
Last revised: 2008-09-05 16:22:18

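[Original] Buffer overflow in ncurses library allows local users to execute arbitrary commands via long environmental information such as TERM or TERMINFO_DIRS.

[CNNVD] ncurses TERMCAP Buffer Overflow Vulnerability (CNNVD-200012-115)

A buffer overflow vulnerability exists in the ncurses library. Local users can execute arbitrary commands by means of overly long environment information such as TERM or TERMINFO_DIRS.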

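- CVSS (Base Score)

CVSS score: 7.2 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause the system to go down completely]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]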

- CPE (Affected Platforms and Products)

cpe:/o:redhat:linux:6.2::alpha
cpe:/o:freebsd:freebsd:3.4  FreeBSD 3.4
cpe:/o:redhat:linux:6.2::sparc
cpe:/o:freebsd:freebsd:4.1.1  FreeBSD 4.1.1
cpe:/a:immunix:immunix:6.2
cpe:/o:redhat:linux:6.2::i386
cpe:/o:freebsd:freebsd:3.5.1  FreeBSD 3.5.1
cpe:/o:freebsd:freebsd:4.1.1:stable
cpe:/a:immunix:immunix:7.0_beta
cpe:/o:redhat:linux:7.0  Red Hat Linux 7.0
cpe:/o:freebsd:freebsd:4.0  FreeBSD 4.0
cpe:/o:freebsd:freebsd:4.1  FreeBSD 4.1

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0963
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0963
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200012-115
(Official data source) CNNVD

- Other Links and Resources

http://www.securityfocus.com/bid/1142
(VENDOR_ADVISORY)  BID  1142
http://www.calderasystems.com/support/security/advisories/CSSA-2000-036.0.txt
(VENDOR_ADVISORY)  CALDERA  CSSA-2000-036.0
http://www.securityfocus.com/archive/1/138550
(UNKNOWN)  BUGTRAQ  20001009 ncurses buffer overflows
http://xforce.iss.net/xforce/xfdb/44487
(UNKNOWN)  XF  gnu-ncurses-term-terminfodirs-bo(44487)

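- Vulnerability Information

ncurses TERMCAP Buffer Overflow Vulnerability
High risk  Buffer overflow
2000-12-19 00:00:00 2006-09-15 00:00:00
Local
A buffer overflow vulnerability exists in the ncurses library. Local users can execute arbitrary commands by means of overly long environment information such as TERM or TERMINFO_DIRS.

- Advisories and Patches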

RedHat has released patches to fix this vulnerability.

FreeBSD has provided an ncurses upgrade but advises that users do the following to check whether they are vulnerable before upgrading:

1) Download the 'scan_ncurses.sh' and 'test_ncurses.sh' scripts from

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/scan_ncurses.sh
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/test_ncurses.sh

e.g. with the fetch(1) command:

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/scan_ncurses.sh
Receiving scan_ncurses.sh (381 bytes): 100%
381 bytes transferred in 0.1 seconds (7.03 kBps)
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/test_ncurses.sh
Receiving test_ncurses.sh (604 bytes): 100%
604 bytes transferred in 0.1 seconds (6.55 kBps)

2) Verify the md5 checksums and compare them to the values below:

# md5 scan_ncurses.sh
MD5 (scan_ncurses.sh) = 597f63af701253f053581aa1821cbac1
# md5 test_ncurses.sh
MD5 (test_ncurses.sh) = 12491ceb15415df7682e3797de53223e

3) Run the scan_ncurses.sh script against your system:

# chmod a+x ./test_ncurses.sh
# sh scan_ncurses.sh ./test_ncurses.sh /

Caldera:

The proper solution is to upgrade to the fixed packages.

OpenLinux Desktop 2.3

Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS

RedHat ncurses-5.0-11.i386.rpm
RedHat ncurses-devel-5.0-11.i386.rpm
RedHat ncurses-5.1-2.i386.rpm
FreeBSD FreeBSD 3.5.1
FreeBSD FreeBSD 4.0
FreeBSD FreeBSD 4.1
FreeBSD FreeBSD 4.1.1 -STABLE
FreeBSD FreeBSD 4.1.1
Wirex Immunix OS 6.2
RedHat Linux 6.2 sparc
RedHat Linux 6.2 alpha
RedHat Linux 6.2 i386
RedHat Linux 7.0
Wirex Immunix OS 7.0 -Beta

- Vulnerability Information

6142
Multiple Vendor libncurses TERM / TERMINFO_DIRS Overflow
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability Description

A local overflow exists in the ncurses library. It fails to validate the input of the TERM and TERMINFO_DIRS environment variables, resulting in a buffer overflow. With a specially crafted request, an attacker can execute arbitrary code, resulting in a loss of integrity.

- Timeline

2000-10-09 Unknown
Unknown Unknown

- Solution

Upgrade to an unaffected version. It is also possible to correct the flaw by implementing the following workaround: Remove the setuid/setgid bits of programs using ncurses.
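
One way to apply the setuid/setgid workaround is to inventory the set-id programs that are dynamically linked against ncurses and clear the bits only on those. This is an added example, not taken from any of the cited advisories; `LDD`, `APPLY`, the `--run` switch and the function names are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the advisories): find setuid/setgid programs that
# link ncurses or curses, then optionally clear the bits.
# LDD and APPLY are assumed knobs of this sketch, not advisory options.
LDD=${LDD:-ldd}

# Succeed if the dynamic dependency list names libncurses or libcurses.
# Statically linked programs are not detected by this check.
links_ncurses() {
    "$LDD" "$1" 2>/dev/null | grep -Eq 'lib(n)?curses'
}

# Print every setuid or setgid regular file under ROOT that links ncurses.
list_setid_ncurses() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        if links_ncurses "$f"; then printf '%s\n' "$f"; fi
    done
}

# Apply the workaround: drop setuid and setgid from each listed file.
# With APPLY unset this only reports what would change.
strip_setid_ncurses() {
    list_setid_ncurses "$1" | while IFS= read -r f; do
        if [ "${APPLY:-0}" = 1 ]; then
            chmod u-s,g-s "$f" && printf 'cleared %s\n' "$f"
        else
            printf 'would clear %s\n' "$f"
        fi
    done
}

# Hypothetical entry point: APPLY=1 sh strip_setid.sh --run /usr
if [ "${1:-}" = "--run" ]; then strip_setid_ncurses "${2:-/}"; fi
```

Review the dry-run output before setting `APPLY=1`, since some of the listed programs may need their privileges to function.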

- Related References

- Vulnerability Author

- Vulnerability Information

ncurses TERMCAP Buffer Overflow Vulnerability
Boundary Condition Error 1142
No Yes
2000-04-23 12:00:00 2009-07-11 01:56:00
Posted to Bugtraq by Przemyslaw Frasunek <venglin@freebsd.lublin.pl> on April 23, 2000.

- Affected Program Versions

Wirex Immunix OS 7.0 -Beta
Wirex Immunix OS 6.2
RedHat ncurses-devel-5.0-11.i386.rpm
+ Red Hat Linux 6.2
RedHat ncurses-5.1-2.i386.rpm
+ RedHat Linux 7.0
RedHat ncurses-5.0-11.i386.rpm
+ Red Hat Linux 6.2
RedHat Linux 7.0
RedHat Linux 6.2 sparc
RedHat Linux 6.2 i386
RedHat Linux 6.2 alpha
FreeBSD FreeBSD 4.1.1 -STABLE
FreeBSD FreeBSD 4.1.1
FreeBSD FreeBSD 4.1
FreeBSD FreeBSD 4.0
FreeBSD FreeBSD 3.5.1
FreeBSD FreeBSD 3.4
NetBSD NetBSD 1.4.2
FreeBSD FreeBSD 5.0

- Unaffected Program Versions

NetBSD NetBSD 1.4.2
FreeBSD FreeBSD 5.0

- Vulnerability Discussion

The port of ncurses (a high-level terminal manipulation library) for FreeBSD (and quite likely other operating systems) included in earlier releases is vulnerable to a buffer overflow attack. If the TERMCAP environment variable contains more data than the maximum amount predefined in the library source, unchecked operations on it can result in the stack being overrun. The result is that any setuid programs linked to ncurses can be exploited via this vulnerability. Version 1.8.6 of ncurses (which shipped with FreeBSD 3.4-RELEASE) is known to be vulnerable.

It has been confirmed that NetBSD is not vulnerable.

- Exploit

Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.


- Related References

 

 
