CVE-2001-0734
CVSS 7.2
Published: 2001-10-18 00:00:00
Revised: 2008-09-05 16:24:48
NMCOS

[Original] Hitachi Super-H architecture in NetBSD 1.5 and 1.4.1 allows a local user to gain privileges via modified Status Register contents, which are not properly handled by (1) the sigreturn system call or (2) the process_write_regs kernel routine.


[CNNVD] NetBSD Super-H Port sigreturn() Input Validation Vulnerability (CNNVD-200110-053)

CVE(CAN) ID: CAN-2001-0734

NetBSD on the sh3 platform has a vulnerability: the kernel fails to properly check a user-supplied system call argument, and a local user can exploit it to execute arbitrary code with superuser privileges.

The cause is that the "sigreturn" system call and the "process_write_regs" kernel routine do not properly validate the user-supplied "Status Register" contents.

- CVSS (Base Score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure, all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may result in complete system shutdown]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required]

- CPE (Affected platforms and products)

cpe:/o:netbsd:netbsd:1.5::sh3
cpe:/o:netbsd:netbsd:1.4.1::sh3

- OVAL (Technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0734
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0734
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200110-053
(Official data source) CNNVD

- Other links and resources

http://xforce.iss.net/static/6637.php
(VENDOR_ADVISORY)  XF  bsd-sh3-sigreturn-privileges(6637)
http://www.securityfocus.com/bid/2810
(VENDOR_ADVISORY)  BID  2810
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-008.txt.asc
(VENDOR_ADVISORY)  NETBSD  NetBSD-SA2001-008

- Vulnerability information

NetBSD Super-H Port sigreturn() Input Validation Vulnerability
High    Input validation
2001-10-18 00:00:00    2005-10-20 00:00:00
Local

- Advisories and patches

Users running NetBSD-current from before 2001/5/16 should upgrade to a version dated on or after that date.

Users running NetBSD-release 1.5 from before 2001/5/27 should upgrade to a version dated on or after that date.

NetBSD also provides a patch (the hunks below are quoted from the PGP clear-signed NetBSD-SA2001-008 advisory, so leading dashes appear escaped as "- -"):
        
        Index: include/psl.h
        
        ===================================================================
        
        RCS file: /cvsroot/syssrc/sys/arch/sh3/include/psl.h,v
        
        retrieving revision 1.1
        
        retrieving revision 1.2
        
        diff -u -r1.1 -r1.2
        
        - --- include/psl.h 1999/09/13 10:31:21 1.1
        
        +++ include/psl.h 2001/05/16 12:42:38 1.2
        
        @@ -57,8 +57,8 @@
        
         #define PSL_MBO 0x00000000 /* must be one bits */
        
         #define PSL_MBZ 0x8ffffc0c /* must be zero bits */
        
        
        
        - -#define PSL_USERSET 0
        
        - -#define PSL_USERSTATIC (PSL_BL|PSL_RB|PSL_MD|PSL_IMASK)
        
        +#define PSL_USERSET 0
        
        +#define PSL_USERSTATIC (PSL_BL|PSL_RB|PSL_MD|PSL_IMASK|PSL_MBO|PSL_MBZ)
        
        
        
         #ifdef _KERNEL
        
         #include
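Review bot: PSL_MBO is defined as 0x00000000 two lines above, so OR-ing it into PSL_USERSTATIC changes nothing today; keep it, because a must-be-one bit defined later would then be protected automatically, but add a short comment so the next reader does not strip it as dead. The bit that does the work is PSL_MBZ (0x8ffffc0c): it folds every reserved SR bit into the set user space may not alter, next to MD, RB, BL and IMASK. One caveat worth a comment as well: PSL_USERSTATIC is applied as an XOR mask against the live trap frame in the sigreturn hunks, so it enforces "unchanged from the current SSR", not "equal to PSL_USERSET"; that is only as strong as the guarantee that tf_ssr holds a valid user-mode value whenever sigreturn runs.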
        
        Index: sh3/compat_13_machdep.c
        
        ===================================================================
        
        RCS file: /cvsroot/syssrc/sys/arch/sh3/sh3/compat_13_machdep.c,v
        
        retrieving revision 1.2
        
        retrieving revision 1.3
        
        diff -u -r1.2 -r1.3
        
        - --- sh3/compat_13_machdep.c 2000/12/22 22:58:55 1.2
        
        +++ sh3/compat_13_machdep.c 2001/05/16 12:42:38 1.3
        
        @@ -71,16 +71,9 @@
        
         /* Restore register context. */
        
         tf = p->p_md.md_regs;
        
        
        
        - - /*
        
        - - * Check for security violations. If we're returning to
        
        - - * protected mode, the CPU will validate the segment registers
        
        - - * automatically and generate a trap on violations. We handle
        
        - - * the trap, rather than doing all of the checking here.
        
        - - */
        
        - -#ifdef TODO
        
        + /* Check for security violations. */
        
         if (((context.sc_ssr ^ tf->tf_ssr) & PSL_USERSTATIC) != 0)
        
         return (EINVAL);
        
        - -#endif
        
        
        
         tf->tf_ssr = context.sc_ssr;
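Review bot: the EINVAL return now happens before tf->tf_ssr or any other register is written, so a rejected context leaves the trap frame untouched and there is no partial update to worry about. Deleting the old comment is right, not merely cosmetic: its talk of protected mode and segment registers is i386 text that never applied to SH-3, and the `#ifdef TODO` beneath it is exactly what compiled the check out and produced CVE-2001-0734. The replacement comment should say what is being defended: MD above all, because a user-supplied SSR with MD set makes the return from sigreturn resume the process in privileged mode, and BL/IMASK, because a user raising them can block interrupts. "Check for security violations" alone does not tell a maintainer why this test must never be disabled again.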
        
        
        
        Index: sh3/sh3_machdep.c
        
        ===================================================================
        
        RCS file: /cvsroot/syssrc/sys/arch/sh3/sh3/sh3_machdep.c,v
        
        retrieving revision 1.12
        
        retrieving revision 1.13
        
        diff -u -r1.12 -r1.13
        
        - --- sh3/sh3_machdep.c 2001/04/24 04:31:09 1.12
        
        +++ sh3/sh3_machdep.c 2001/05/16 12:42:38 1.13
        
        @@ -350,21 +350,13 @@
        
        
        
         /* Restore signal context. */
        
         tf = p->p_md.md_regs;
        
        - - {
        
        - - /*
        
        - - * Check for security violations. If we're returning to
        
        - - * protected mode, the CPU will validate the segment registers
        
        - - * automatically and generate a trap on violations. We handle
        
        - - * the trap, rather than doing all of the checking here.
        
        - - */
        
        - -#ifdef TODO
        
        - - if (((context.sc_ssr ^ tf->tf_ssr) & PSL_USERSTATIC) != 0) {
        
        - - return (EINVAL);
        
        - - }
        
        - -#endif
        
        
        
        - - tf->tf_ssr = context.sc_ssr;
        
        - - }
        
        + /* Check for security violations. */
        
        + if (((context.sc_ssr ^ tf->tf_ssr) & PSL_USERSTATIC) != 0)
        
        + return (EINVAL);
        
        +
        
        + tf->tf_ssr = context.sc_ssr;
        
        +
        
         tf->tf_r0 = context.sc_r0;
        
         tf->tf_r1 = context.sc_r1;
        
         tf->tf_r2 = context.sc_r2;
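Review bot: identical test to compat_13_machdep.c, again placed ahead of the register restores so EINVAL leaves the frame as it was; correct. Two follow-ups: the check is now duplicated verbatim in two files, so a small helper in psl.h or sh3_machdep.c (something like `sh3_ssr_user_ok(context.sc_ssr, tf->tf_ssr)`) would keep the two sigreturn paths from drifting apart if the mask logic changes again. And the advisory text on this page names process_write_regs (ptrace(2)/procfs) as a second routine that accepts a user-supplied Status Register, yet none of the three hunks quoted here touches it; the excerpt is incomplete relative to the fix it describes, and anyone applying it by hand should pull the full NetBSD-SA2001-008 patch for that routine.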
        
        
        

- Vulnerability information

7560
NetBSD Hitachi Super-H Architecture (sh3) process_write_regs Privilege Elevation
Local Access Required Input Manipulation
Loss of Integrity
Exploit Unknown

- Vulnerability description

NetBSD on Hitachi Super-H Architecture contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when the "process_write_regs" kernel routine, which is used by the procfs and ptrace(2) facilities, fails to validate user-supplied Status Register contents, allowing a malicious user to execute code with elevated privileges. This flaw may lead to a loss of integrity.

- Timeline

2001-05-29 Unknown
Unknown Unknown

- Solution

Upgrade to version NetBSD-release-1-5 dated May 27, 2001 or later or NetBSD-current dated May 16, 2001 or later, as it has been reported to fix this vulnerability. Also, NetBSD has released a patch to address this vulnerability.

- Vulnerability information

NetBSD Super-H Port sigreturn() Input Validation Vulnerability
Class: Input Validation Error    BugTraq ID: 2810
Remote: No    Local: Yes
Published: 2001-05-30 12:00:00    Updated: 2009-07-11 06:06:00
This vulnerability was reportedly discovered by Klaus Klein.

- Affected program versions

NetBSD NetBSD 1.5 sh3
NetBSD NetBSD 1.4.1 sh3

- Discussion

Ports of NetBSD to the Hitachi SuperH architecture contain a vulnerability in their implementation of sigreturn().

sigreturn() is the system call used to resume process execution once a signal handler has finished executing; it restores the register context, including the Status Register, from a structure on the user stack.

Because the saved Status Register was not validated, a user process could resume execution in privileged execution mode after a signal handler returned.

Exploitation of this vulnerability could lead to a root compromise.

Note: A very similar bug exists in the kernel function 'process_write_regs()'. This function is used internally by the ptrace()/procfs implementations, though it may be passed data that is originally user-supplied. If this is the case, then this vulnerability may be exploitable in the same manner as the sigreturn() vulnerability.
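The check that the patch above enables, and the reason the same check belongs in process_write_regs() (the ptrace/procfs path described in the vulnerability description above), as an added example in C that is not part of this page or of NetBSD. It assumes the standard SH-3 status register bit positions for MD, RB, BL and IMASK (the page's hunks show only PSL_MBO and PSL_MBZ), a constructed "live" user-mode frame, and stand-in struct and function signatures; it places the unpatched blind copy beside the patched XOR-mask test and shows which register changes each path accepts.

```c
/*
 * Added example, not NetBSD code: a user-space model of the Status Register
 * (SSR) check that NetBSD-SA2001-008 enables in sigreturn(), applied as well to
 * the ptrace(2)/procfs register-write path. SH-3 SR bits: MD = 30, RB = 29,
 * BL = 28, IMASK = 7..4, M = 9, Q = 8, S = 1, T = 0. PSL_MBO/PSL_MBZ are the
 * values in the patched psl.h quoted above; the other PSL_* are not shown there.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define PSL_MD     0x40000000u  /* processor mode: 1 = privileged, 0 = user */
#define PSL_RB     0x20000000u  /* register bank select */
#define PSL_BL     0x10000000u  /* block exceptions and interrupts */
#define PSL_IMASK  0x000000f0u  /* interrupt mask level */
#define PSL_MBO    0x00000000u  /* must be one bits (none defined on SH-3) */
#define PSL_MBZ    0x8ffffc0cu  /* must be zero bits (reserved) */
/* Patched mask: no bit in here may differ from the live trap frame. */
#define PSL_USERSTATIC (PSL_BL | PSL_RB | PSL_MD | PSL_IMASK | PSL_MBO | PSL_MBZ)

struct trapframe  { uint32_t tf_ssr, tf_spc; };  /* saved when the process trapped in */
struct sigcontext { uint32_t sc_ssr, sc_spc; };  /* copied in from the user stack */

/* Constructed "live" frame for the demo: user mode, interrupts enabled, T set. */
#define LIVE_SSR 0x00000001u
#define LIVE_SPC 0x00400000u

/* Pre-patch behaviour: the check sat under #ifdef TODO, so the copy was blind. */
static int sigreturn_vulnerable(struct trapframe *tf, const struct sigcontext *sc)
{
    tf->tf_ssr = sc->sc_ssr;  /* MD=1 here: the return lands in privileged mode */
    tf->tf_spc = sc->sc_spc;
    return 0;
}

/* The patched test: XOR the user-supplied SSR with the one saved at trap entry
 * and refuse if any static bit differs. The reference is a known-good user-mode
 * SSR, so MD, RB, BL, IMASK and the reserved bits cannot change; M, Q, S, T can. */
static int ssr_change_allowed(uint32_t new_ssr, uint32_t live_ssr)
{
    return ((new_ssr ^ live_ssr) & PSL_USERSTATIC) == 0;
}

static int sigreturn_fixed(struct trapframe *tf, const struct sigcontext *sc)
{
    if (!ssr_change_allowed(sc->sc_ssr, tf->tf_ssr))
        return EINVAL;  /* reject before any register is written */
    tf->tf_ssr = sc->sc_ssr;
    tf->tf_spc = sc->sc_spc;
    return 0;
}

/* process_write_regs() writes a register set from ptrace(PT_SETREGS) or procfs
 * into the target's trap frame; the data is as attacker-controlled as a
 * sigcontext and needs the same gate. Stand-in signature, not NetBSD's. */
static int process_write_regs_fixed(struct trapframe *tf, uint32_t new_ssr, uint32_t new_spc)
{
    if (!ssr_change_allowed(new_ssr, tf->tf_ssr))
        return EINVAL;
    tf->tf_ssr = new_ssr;
    tf->tf_spc = new_spc;
    return 0;
}

/* 1 if the unpatched sigreturn let a forged context flip the frame to MD=1. */
static int demo_escalation_before_fix(void)
{
    struct trapframe tf = { LIVE_SSR, LIVE_SPC };
    struct sigcontext sc = { LIVE_SSR | PSL_MD, 0x00400100u };
    sigreturn_vulnerable(&tf, &sc);
    return (tf.tf_ssr & PSL_MD) != 0;
}

/* errno from the patched sigreturn for the same forged context, or -1 if the
 * frame was modified despite the rejection. */
static int demo_fixed_rejects_md(void)
{
    struct trapframe tf = { LIVE_SSR, LIVE_SPC };
    struct sigcontext sc = { LIVE_SSR | PSL_MD, 0x00400100u };
    int err = sigreturn_fixed(&tf, &sc);
    return (tf.tf_ssr == LIVE_SSR && tf.tf_spc == LIVE_SPC) ? err : -1;
}

/* Same forged SSR through the ptrace/procfs path. */
static int demo_ptrace_rejects_md(void)
{
    struct trapframe tf = { LIVE_SSR, LIVE_SPC };
    return process_write_regs_fixed(&tf, LIVE_SSR | PSL_MD, 0x00400100u);
}

int main(void)
{
    printf("unpatched sigreturn escalates: %d\n", demo_escalation_before_fix());
    printf("patched sigreturn, MD set: rc=%d (EINVAL=%d)\n", demo_fixed_rejects_md(), EINVAL);
    printf("patched ptrace path, MD set: rc=%d\n", demo_ptrace_rejects_md());
    printf("T/M flags only: %d  IMASK raised: %d  reserved bit 31: %d\n",
           ssr_change_allowed(0x00000200u, LIVE_SSR),
           ssr_change_allowed(LIVE_SSR | 0xf0u, LIVE_SSR),
           ssr_change_allowed(LIVE_SSR | 0x80000000u, LIVE_SSR));
    return 0;
}
```

Build with `cc -std=c99 -Wall ssr_check.c` and run: the unpatched path reports MD=1 in the restored frame, while both patched paths return EINVAL and leave the frame untouched. Flipping T or M passes, whereas raising IMASK (which would let an unprivileged process mask interrupts) or setting a reserved bit is refused, which is why the patch added PSL_MBZ to the mask rather than checking MD alone.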

- Exploit

Currently the SecurityFocus staff are not aware of any exploits for this issue.

- Solution

NetBSD has released source-code patches for this vulnerability.


NetBSD NetBSD 1.5 sh3

