Published: 2000-12-19 00:00:00
Revised: 2008-09-05 16:22:23

[Original] Format string vulnerabilities in eeprom program in OpenBSD, NetBSD, and possibly other operating systems allows local attackers to gain root privileges.

[CNNVD] Multiple Vendor BSD eeprom Format String Vulnerability (CNNVD-200012-140)

The eeprom program in OpenBSD, NetBSD, and possibly other operating systems contains a format string vulnerability. A local attacker can use it to gain root privileges.

- CVSS (Base Score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [the system may be taken down completely]
Access complexity: LOW [no special access conditions are needed to exploit]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is required to exploit]

- CPE (Affected Platforms and Products)

cpe:/o:openbsd:openbsd:2.4    OpenBSD 2.4
cpe:/o:openbsd:openbsd:2.3    OpenBSD 2.3
cpe:/o:netbsd:netbsd:1.4.1    NetBSD 1.4.1
cpe:/o:openbsd:openbsd:2.5    OpenBSD 2.5
cpe:/o:openbsd:openbsd:2.6    OpenBSD 2.6
cpe:/o:openbsd:openbsd:2.7    OpenBSD 2.7
cpe:/o:netbsd:netbsd:1.4      NetBSD 1.4
cpe:/o:netbsd:netbsd:1.4.2    NetBSD 1.4.2

- OVAL (Technical Details for Detection)


- Official Database Links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other Links and Resources
(VENDOR_ADVISORY) XF bsd-eeprom-format

- Vulnerability Information

Multiple Vendor BSD eeprom Format String Vulnerability
High risk / Format string
2000-12-19 00:00:00 2005-10-20 00:00:00
The eeprom program in OpenBSD, NetBSD, and possibly other operating systems contains a format string vulnerability. A local attacker can use it to gain root privileges.

- Advisories and Patches

Upgrade to OpenBSD 2.8. NetBSD has patched this vulnerability and the changes/new version of eeprom are available via anonymous CVS.

- Vulnerability Information

BSD eeprom Program Format String
Local / Remote, Context Dependent Input Manipulation
Loss of Integrity Patch / RCS, Upgrade
Vendor Verified

- Vulnerability Description

Unknown or Incomplete

- Timeline

2000-10-04 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Credit

Unknown or Incomplete

- Vulnerability Information

Multiple Vendor BSD eeprom Format String vulnerability
Input Validation Error 1752
No Yes
2000-10-04 12:00:00 2009-07-11 03:56:00
First posted to Bugtraq by K2 <> on October 4, 2000.

- Affected Program Versions

OpenBSD OpenBSD 2.7
OpenBSD OpenBSD 2.6
OpenBSD OpenBSD 2.5
OpenBSD OpenBSD 2.4
OpenBSD OpenBSD 2.3
NetBSD NetBSD 1.4.2
NetBSD NetBSD 1.4.1
NetBSD NetBSD 1.4
OpenBSD OpenBSD 2.8

- Unaffected Program Versions

OpenBSD OpenBSD 2.8

- Vulnerability Discussion

eeprom is a utility used for displaying and writing to a SPARC system's hardware EEPROM. Since it reads from and writes to kernel memory structures, eeprom is often installed setgid kmem. The versions of eeprom shipped with (SPARC) versions of NetBSD and OpenBSD (derived from NetBSD eeprom) are vulnerable to a locally exploitable format string attack.

The problem occurs when outputting an error message after a failure to read or write an eeprom field. A string partially composed of user input is passed to a *printf function as its format argument (the user input is the "field name" argument, supplied to eeprom on the command line). As a result, the user can insert format specifiers into the field name and have them write to arbitrary locations on the stack. If data on the stack can be overwritten by regular users, the flow of execution can be altered so that machine code supplied by the user is run.

Attackers may be able to obtain the privileges of group kmem through exploitation of this vulnerability. Once gid kmem is obtained, further compromise (e.g., full root access) is trivial.
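The pattern the discussion describes, shown as an added example rather than code from NetBSD's or OpenBSD's eeprom: an error message that embeds the user-supplied field name is handed to a *printf function as the format argument, and the hardened form beside it keeps the format string constant so the field name is only ever data. The function names (`format_error_unsafe`, `format_error_safe`, `has_conversion`), the message text and the buffer sizes are all constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the eeprom utility. Models an error
 * message that embeds a command-line "field name" argument.
 * All names and sizes are hypothetical. */

#define MSG_MAX 256

/* Unsafe pattern: text containing user input becomes the FORMAT
 * argument. Any '%' conversions inside `field` are interpreted by
 * snprintf, which is the defect the advisory describes. Only called
 * with a benign field name here; a compiler with -Wformat-security
 * flags the non-literal format. */
int format_error_unsafe(char *out, size_t outlen, const char *field)
{
    char fmt[MSG_MAX];
    snprintf(fmt, sizeof fmt, "eeprom: bad field `%s'", field);
    return snprintf(out, outlen, fmt);   /* format string built from user data */
}

/* Hardened form: the format string is a constant and the field name
 * is consumed by a %s conversion, so any '%' it contains is copied
 * literally into the message. */
int format_error_safe(char *out, size_t outlen, const char *field)
{
    return snprintf(out, outlen, "eeprom: bad field `%s'", field);
}

/* Defender-side check: does a string carry a *printf conversion,
 * i.e. a '%' not immediately followed by another '%'? Useful when
 * auditing what reaches a format argument or flagging suspicious
 * command-line arguments in logs; it is not a substitute for the
 * constant format string above. */
int has_conversion(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {       /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    char buf[MSG_MAX];

    /* Hostile-looking field name passes through the safe path unchanged. */
    format_error_safe(buf, sizeof buf, "%x%x%x");
    printf("%s\n", buf);                        /* eeprom: bad field `%x%x%x' */

    /* Benign field name: both paths produce the same message. */
    format_error_unsafe(buf, sizeof buf, "bootdev");
    printf("%s\n", buf);                        /* eeprom: bad field `bootdev' */

    printf("%d %d\n", has_conversion("%x%x%x"), has_conversion("100%% done"));  /* 1 0 */
    return 0;
}
```

The fix for this class of bug is the one-line change from `snprintf(out, outlen, fmt)` to a literal format with the user string as a `%s` argument; `has_conversion` is only an auditing aid for spotting where untrusted text reaches a format argument.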

- Exploit

Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at:

- Solution

Upgrade to OpenBSD 2.8. NetBSD has patched this vulnerability and the changes/new version of eeprom are available via anonymous CVS.

- References