CVE-2001-0717
CVSS 10.0
Published: 2001-10-30 00:00:00
Last revised: 2008-09-05 16:24:45
NMCOS    

[Original] Format string vulnerability in ToolTalk database server rpc.ttdbserverd allows remote attackers to execute arbitrary commands via format string specifiers that are passed to the syslog function.


[CNNVD] Multiple-vendor CDE ToolTalk database server rpc.ttdbserverd remote format string overflow vulnerability (CNNVD-200110-128)

        
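        rpc.ttdbserverd is the ToolTalk database server shipped with CDE; this database program allows CDE applications to communicate with each other.
        On Solaris 8 and earlier, rpc.ttdbserverd contains a format string overflow vulnerability that a remote attacker may be able to exploit to gain root privileges on the host.
        ToolTalk contains a flawed "syslog()" call that is used to process some user-supplied data. Because the call is used unsafely, the user-supplied data is treated as the format string argument; by supplying special format specifiers and data, an attacker may be able to modify arbitrary memory addresses, which may allow the attacker to execute arbitrary instructions remotely.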
        

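- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause the system to go down completely]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]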

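- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definitions found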

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0717
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0717
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200110-128
(official data source) CNNVD

- Other links and resources

http://www.cert.org/advisories/CA-2001-27.html
(UNKNOWN)  CERT  CA-2001-27
http://xforce.iss.net/alerts/advise98.php
(VENDOR_ADVISORY)  ISS  20011002 Multi-Vendor Format String Vulnerability in ToolTalk Service
http://xforce.iss.net/static/7069.php
(UNKNOWN)  XF  tooltalk-ttdbserverd-format-string(7069)
http://www.securityfocus.com/bid/3382
(UNKNOWN)  BID  3382
http://www.ciac.org/ciac/bulletins/m-002.shtml
(UNKNOWN)  CIAC  M-002
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/212
(UNKNOWN)  SUN  00212
http://securitytracker.com/id?1002479
(UNKNOWN)  SECTRACK  1002479
http://online.securityfocus.com/advisories/3584
(UNKNOWN)  HP  HPSBUX0110-168
http://ftp.support.compaq.com/patches/.new/html/SSRT0767U.shtml
(UNKNOWN)  COMPAQ  SSRT0767U
ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.28/CSSA-2001-SCO.28.txt
(UNKNOWN)  CALDERA  CSSA-2001-SCO.28

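- Vulnerability information

Multiple-vendor CDE ToolTalk database server rpc.ttdbserverd remote format string overflow vulnerability
Critical  Input validation
2001-10-30 00:00:00 2005-05-02 00:00:00
Remote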
        
        

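- Advisories and patches

        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the risk:
        * Until the patch is installed, shut down rpc.ttdbserverd immediately.
        Taking Solaris as an example:
        First become root, then open /etc/inetd.conf in an editor of your choice and find the following line:
        100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
        Add a "#" at the start of that line to comment it out:
        #100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
        Save and exit. Then restart inetd:
        # ps -ef|grep inetd
        # kill -HUP <PID of inetd>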
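The workaround above, scripted so it can be applied and checked the same way on every host. This is an added example, not part of the advisory; the function names `ttdb_sample`, `ttdb_active` and `ttdb_disable` are hypothetical, the sample file is constructed, and a POSIX `grep`/`sed` is assumed.

```shell
#!/bin/sh
# Write a constructed inetd.conf sample (modelled on the entry quoted above).
ttdb_sample() {
    cat >"$1" <<'EOF'
# constructed sample file
time stream tcp nowait root internal
100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
EOF
}

# Return 0 if FILE still has an active (uncommented) RPC program 100083 entry.
ttdb_active() {
    grep '^[[:space:]]*100083/' "$1" >/dev/null 2>&1
}

# Comment out every active 100083 entry in FILE, keeping a backup in FILE.bak.
# Idempotent: lines that are already commented are left untouched.
ttdb_disable() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    ttdb_active "$conf" || return 0            # nothing left to disable
    tmp="$conf.tmp.$$"
    cp -p "$conf" "$conf.bak" || return 1
    # Older sed has no -i, so write to a temp file first.
    sed 's|^\([[:space:]]*100083/\)|#\1|' "$conf" >"$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" >"$conf" || return 1            # cat keeps owner and mode of $conf
    rm -f "$tmp"
    ! ttdb_active "$conf"                      # succeed only if no active entry remains
}

# Demo on a constructed copy; the real /etc/inetd.conf is never touched here.
demo=$(mktemp) && ttdb_sample "$demo" && ttdb_disable "$demo" && cat "$demo"
rm -f "$demo" "$demo.bak"
```

The change only takes effect once inetd re-reads its configuration, which is what the `kill -HUP` step above does.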
        Vendor patches:
        Caldera
        -------
        Caldera has released a security advisory (CSSA-2001-SCO.28) and corresponding patches for this issue:
        CSSA-2001-SCO.28:Open UNIX, UnixWare 7: rpc.ttdbserverd format string vulnerability
        Link: ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.28/
        Patch download:
        Caldera UnixWare 7:
        Caldera Patch erg711831.Z
        ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.28/erg711831.Z
        Caldera OpenUnix 8.0:
        Caldera Patch erg711831.Z
        ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.28/erg711831.Z
        Compaq
        ------
        Compaq has released a security advisory (SSRT0767U) and corresponding patches for this issue:
        SSRT0767U:SSRT0767U Potential rpc.ttdbserverd buffer overflow
        Link:
        http://ftp.support.compaq.com/patches/.new/html/SSRT0767U.shtml?SSRT0767U=

        Patch download:
        Compaq Tru64 4.0 g:
        Compaq Patch T64V40GAS0003-20010613.tar
        Compaq Digital Unix 4.0 f:
        Compaq Patch DUV40FAS0006-20010620.tar
        Compaq Tru64 5.0 a:
        Compaq Patch T64V50AAS0003-20010523.tar
        Compaq Tru64 5.1:
        Compaq Patch T64V51AS0003-20010413.tar
        HP
        --
        HP has released a security advisory (HPSBUX0110-168) and corresponding patches for this issue:
        HPSBUX0110-168:Sec. Vulnerability in rpc.ttbdserverd (rev.3)
        Link:
        Patch download:
        ftp://us-ffs.external.hp.com/hp-ux_patches
        HP HP-UX 10.10:
        HP Patch PHSS_25136
        HP HP-UX 10.20:
        HP Patch PHSS_25137
        HP HP-UX (VVOS) 10.24:
        HP Patch PHSS_25419
        HP HP-UX (VVOS) 11.0 4:
        HP Patch PHSS_25420
        HP HP-UX 11.0:
        HP Patch PHSS_25138
        HP HP-UX 11.11:
        HP Patch PHSS_25139
        IBM
        ---
        The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page:
        IBM AIX 4.3:
        IBM Hotfix tooltalk_efix.tar.Z
        ftp://aix.software.ibm.com/aix/efixes/security/tooltalk_efix.tar.Z
        IBM APAR IY24387
        
        http://www.ibm.com

        IBM AIX 4.3.1:
        IBM Hotfix tooltalk_efix.tar.Z
        ftp://aix.software.ibm.com/aix/efixes/security/tooltalk_efix.tar.Z
        IBM APAR IY24387
        
        http://www.ibm.com

        IBM AIX 4.3.2:
        IBM Hotfix tooltalk_efix.tar.Z
        ftp://aix.software.ibm.com/aix/efixes/security/tooltalk_efix.tar.Z
        IBM APAR IY24387
        
        http://www.ibm.com

        IBM AIX 4.3.3:
        IBM Hotfix tooltalk_efix.tar.Z
        ftp://aix.software.ibm.com/aix/efixes/security/tooltalk_efix.tar.Z
        IBM APAR IY24387
        
        http://www.ibm.com

        IBM AIX 5.1:
        IBM Hotfix tooltalk_efix.tar.Z
        ftp://aix.software.ibm.com/aix/efixes/security/tooltalk_efix.tar.Z
        Sun
        ---
        Sun has released a security advisory (Sun-00212) and corresponding patches for this issue:
        Sun-00212:rpc.ttdbserverd
        Link:
        http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/212&type=0&nav=sec.sba

        Patch download:
         OS Version Patch ID
         __________ _________
         SunOS 5.8 110286-04
         SunOS 5.8_x86 110287-04
         SunOS 5.7 107893-15
         SunOS 5.7_x86 107894-14
         SunOS 5.6 105802-16
         SunOS 5.6_x86 105803-18
         SunOS 5.5.1 104489-14
         SunOS 5.5.1_x86 105496-12
         SunOS 5.5 104428-12
         SunOS 5.5_x86 105495-10
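         You can download the corresponding patch using the following link:
        
        http://sunsolve.sun.com/pub-cgi/patchDownload.pl?target=<patch ID>&method=h

         For example, for the patch numbered 111596-02, you can use the following link: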
        
        http://sunsolve.sun.com/pub-cgi/patchDownload.pl?target=111596&method=h

         Patch installation:
         1. First unpack the patch archive with the unzip or uncompress command
         2. Then install the patch with the patchadd command, for example:
        
         # patchadd /var/spool/patch/104945-02
        
         This assumes the patch to be installed is 104945-02 and that the unpacked directory is "/var/spool/patch/104945-02".

- Vulnerability information

4504
CDE ToolTalk rpc.ttdbserverd Syslog Function Format String
Local / Remote, Context Dependent Input Manipulation
Loss of Integrity Patch / RCS
Vendor Verified

- Vulnerability description

- Timeline

2002-09-04 Unknown
Unknown Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, multiple vendors have released a patch to address this vulnerability.

- References

- Credit

Unknown or Incomplete

- Vulnerability information

Multiple CDE Vendor ToolTalk Database Server Format String Vulnerability
Input Validation Error 3382
Yes No
2001-10-02 12:00:00 2006-04-18 11:36:00
Discovered by ISS X-Force.

- Affected versions

Sun Solaris 2.5.1 _x86
Sun Solaris 2.5.1 _ppc
Sun Solaris 2.5.1
Sun Solaris 8_x86
Sun Solaris 8_sparc
Sun Solaris 7.0_x86
Sun Solaris 7.0
Sun Solaris 2.6_x86
Sun Solaris 2.6
Sun Solaris 2.5_x86
Sun Solaris 2.5
SGI IRIX 6.5.17
SGI IRIX 6.5.16
SGI IRIX 6.5.15
SGI IRIX 6.5.14
SGI IRIX 6.5.13
SGI IRIX 6.4
SGI IRIX 6.3
SGI IRIX 6.2
SGI IRIX 6.1
SGI IRIX 6.0.1
SGI IRIX 6.0
SGI IRIX 5.3
SGI IRIX 5.2
IBM AIX 4.3.3
IBM AIX 4.3.2
IBM AIX 4.3.1
IBM AIX 4.3
IBM AIX 5.1
HP HP-UX (VVOS) 11.0 4
HP HP-UX (VVOS) 10.24
HP HP-UX 11.11
HP HP-UX 11.0
HP HP-UX 10.20
HP HP-UX 10.10
Compaq Tru64 5.1
Compaq Tru64 5.0 a
Compaq Tru64 4.0 g
Compaq Digital Unix 4.0 f
Caldera UnixWare 7
Caldera OpenUnix 8.0
SGI IRIX 6.5.19
SGI IRIX 6.5.18

- Unaffected versions

SGI IRIX 6.5.19
SGI IRIX 6.5.18

- Discussion

CDE ships with a daemon called the ToolTalk database server, which allows programs designed for use in CDE to communicate with each other. The server is enabled by default on most systems shipped with CDE.

ToolTalk database server contains a remotely exploitable format-string vulnerability.

Remote attackers may be able to cause a denial of service or gain root access on the target host.

- Exploit

CORE has developed a working commercial exploit for their IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

- Solution

Administrators are highly advised to disable the service until fixes are available. This may involve renaming/removing the startup script in the appropriate directory. Administrators should also ensure that the service is not running and should kill the process if it is.

HP has released fixes for some versions of HP-UX.

IBM has released a temporary hotfix.

Compaq has released fixes for Digital Unix/Tru64.

Sun has released fixes.

Caldera has released a fix for OpenUnix and Unixware.

SGI has released an updated advisory (Security Bulletin 20021102-02-P) and fixes that address an issue discovered in the fixes found in Security Bulletin 20021102-01-P.


Sun Solaris 2.5_x86
  • Sun 105495-10


Caldera UnixWare 7

Sun Solaris 8_sparc
  • Sun 110286-04


Sun Solaris 2.6_x86
  • Sun 105803-18


Sun Solaris 2.5
  • Sun 104428-12


Sun Solaris 7.0
  • Sun 107893-15


IBM AIX 5.1

Sun Solaris 7.0_x86
  • Sun 107894-14


Sun Solaris 2.6
  • Sun 105802-16


Sun Solaris 8_x86
  • Sun 110287-04


HP HP-UX 10.10
  • HP PHSS_25136


HP HP-UX 10.20
  • HP PHSS_25137


HP HP-UX (VVOS) 10.24
  • HP PHSS_25419


HP HP-UX 11.0
  • HP PHSS_25138


HP HP-UX (VVOS) 11.0 4
  • HP PHSS_25420


HP HP-UX 11.11

Sun Solaris 2.5.1
  • Sun 104489-14


Sun Solaris 2.5.1 _x86
  • Sun 105496-12


Compaq Tru64 4.0 g
  • Compaq T64V40GAS0003-20010613.tar


Compaq Digital Unix 4.0 f
  • Compaq DUV40FAS0006-20010620.tar


IBM AIX 4.3

IBM AIX 4.3.1

IBM AIX 4.3.2

IBM AIX 4.3.3

Compaq Tru64 5.0 a
  • Compaq T64V50AAS0003-20010523.tar


Compaq Tru64 5.1
  • Compaq T64V51AS0003-20010413.tar


SGI IRIX 6.5.13

SGI IRIX 6.5.14

SGI IRIX 6.5.15

SGI IRIX 6.5.16

SGI IRIX 6.5.17

Caldera OpenUnix 8.0

- References

 

 
