CVE-2002-0218
CVSS 7.2
Published: 2002-05-16 00:00:00
Modified: 2008-09-10 20:00:43

[Original] Format string vulnerability in (1) sastcpd in SAS/Base 8.0 and 8.1 or (2) objspawn in SAS/Integration Technologies 8.0 and 8.1 allows local users to execute arbitrary code via format specifiers in a command line argument.


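[CNNVD] SAS SASTCPD Local Command-Line Format String Vulnerability (CNNVD-200205-003)

        SAS Software provides tools and solutions for data analysis, report generation and enterprise-wide information delivery, with versions for Unix, Linux and Windows. sastcpd is the job spawner program in the SAS Software architecture.
        The sastcpd program has an input validation vulnerability that lets a local attacker gain administrator privileges on the host through an overflow attack.
        A flaw in how sastcpd handles format strings in command-line arguments allows stack variables to be overwritten and attacker-specified instructions to be executed. Because sastcpd is normally installed setuid root, those instructions run as root.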
        

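- CVSS (Base Score)

CVSS score: 7.2 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may take the system down completely]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]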

- CPE (Affected Platforms and Products)

cpe:/a:sas:sas_base:8.1
cpe:/a:sas:sas_base:8.0
cpe:/a:sas:sas_integration_technologies:8.0
cpe:/a:sas:sas_integration_technologies:8.1

- OVAL (Technical Details for Detection)

No related OVAL definition found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0218
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0218
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200205-003
(Official data source) CNNVD

- Other Links and Resources

http://www.sas.com/service/techsup/unotes/SN/004/004201.html
(VENDOR_ADVISORY)  MISC  http://www.sas.com/service/techsup/unotes/SN/004/004201.html
http://www.iss.net/security_center/static/8018.php
(PATCH)  XF  sas-sastcpd-spawner-format-string(8018)
http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0032.html
(VENDOR_ADVISORY)  VULNWATCH  20020129 sastcpd Buffer Overflow and Format String Vulnerabilities
http://www.securityfocus.com/bid/3980
(UNKNOWN)  BID  3980

- Vulnerability Information

SAS SASTCPD Local Command-Line Format String Vulnerability
High risk  Input validation
2002-05-16 00:00:00 2005-10-20 00:00:00
Local
        
        

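- Advisories and Patches

        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measure to reduce the threat:
        * Temporarily remove the setuid root bit from the sastcpd program, using the following command:
        # chmod a-s sastcpd
        Vendor patch:
        SAS Software
        ------------
        The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's site: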
        SAS Base 8.0:
        * SAS Hotfix 82ba10os.exe (OS/390 Platform)
          http://ftp.sas.com/techsup/download/hotfix/v82/base/82ba10/mvs/82ba10os.exe
        * SAS Hotfix 82ba10cm.vmarc (CMS Platform)
          http://ftp.sas.com/techsup/download/hotfix/v82/base/82ba10/cms/82ba10cm.vmarc
        * SAS Hotfix 82ba10wn.exe (Windows Platform)
          http://ftp.sas.com/techsup/download/hotfix/v82/base/82ba10/win/82ba10wn.exe
        * SAS Hotfix 82ba10o2.exe (OS/2 Platform)
          http://ftp.sas.com/techsup/download/hotfix/v82/base/82ba10/os2/82ba10o2.exe
        * SAS Hotfix 82ba10av.zip (OpenVMS Alpha Platform)
          http://ftp.sas.com/techsup/download/hotfix/v82/base/82ba10/alp/82ba10av.zip
        * SAS Hotfix 82ba10vm.zip (OpenVMS VAX Platform)
          http://ftp.sas.com/techsup/download/hotfix/v82/base/82ba10/vax/82ba10vm.zip
        * SAS Hotfix 82ba10s2.tar (Solaris Platform)
          http://ftp.sas.com/techsup/download/hotfix/v82/base/82ba10/slx/82ba10s2.tar
        * SAS Hotfix 82ba10s6.tar (Solaris 64bit Platform)
          http://ftp.sas.com/techsup/download/hotfix/v82/base/82ba10/s64/82ba10s6.tar
        * SAS Hotfix 82ba10h8.tar (HP-UX Platform)
          http://ftp.sas.com/techsup/download/hotfix/v82/base/82ba10/h8x/82ba10h8.tar
        * SAS Hotfix 82ba10h6.tar (HP-UX 64bit Platform)
          http://ftp.sas.com/techsup/download/hotfix/v82/base/82ba10/h64/82ba10h6.tar
        * SAS Hotfix 82ba10ar.tar (AIX Platform)
          http://ftp.sas.com/techsup/download/hotfix/v82/base/82ba10/r6x/82ba10ar.tar
        * SAS Hotfix 82ba10r6.tar (AIX 64bit Platform)
          http://ftp.sas.com/techsup/download/hotfix/v82/base/82ba10/r64/82ba10r6.tar
        * SAS Hotfix 82ba10ap.tar (Tru64 Platform)
          http://ftp.sas.com/techsup/download/hotfix/v82/base/82ba10/alx/82ba10ap.tar
        * SAS Hotfix 82ba10lx.tar (Linux Platform)
          http://ftp.sas.com/techsup/download/hotfix/v82/base/82ba10/lnx/82ba10lx.tar
        * SAS Hotfix 82ba10sg.tar (IRIX Platform)
          http://ftp.sas.com/techsup/download/hotfix/v82/base/82ba10/sgi/82ba10sg.tar
        * SAS Hotfix 82ba10ia.tar (ABI+ Intel Platform)
          http://ftp.sas.com/techsup/download/hotfix/v82/base/82ba10/iab/82ba10ia.tar
        SAS Integration Technologies 8.0:
        SAS Integration Technologies 8.1:
        SAS Base 8.1:
        * SAS Hotfix 82ba10os.exe (OS/390 Platform)
          http://ftp.sas.com/techsup/download/hotfix/v82/base/82ba10/mvs/82ba10os.exe
        * SAS Hotfix 82ba10cm.vmarc (CMS Platform)
          http://ftp.sas.com/techsup/download/hotfix/v82/base/82ba10/cms/82ba10cm.vmarc
        * SAS Hotfix 82ba10wn.exe (Windows Platform)
          http://ftp.sas.com/techsup/download/hotfix/v82/base/82ba10/win/82ba10wn.exe
        * SAS Hotfix 82ba10o2.exe (OS/2 Platform)
          http://ftp.sas.com/techsup/download/hotfix/v82/base/82ba10/os2/82ba10o2.exe
        * SAS Hotfix 82ba10av.zip (OpenVMS Alpha Platform)
          http://ftp.sas.com/techsup/download/hotfix/v82/base/82ba10/alp/82ba10av.zip
        * SAS Hotfix 82ba10vm.zip (OpenVMS VAX Platform)
          http://ftp.sas.com/techsup/download/hotfix/v82/base/82ba10/vax/82ba10vm.zip
        * SAS Hotfix 82ba10s2.tar (Solaris Platform)
          http://ftp.sas.com/techsup/download/hotfix/v82/base/82ba10/slx/82ba10s2.tar
        * SAS Hotfix 82ba10s6.tar (Solaris 64bit Platform)
          http://ftp.sas.com/techsup/download/hotfix/v82/base/82ba10/s64/82ba10s6.tar
        * SAS Hotfix 82ba10h8.tar (HP-UX Platform)
          http://ftp.sas.com/techsup/download/hotfix/v82/base/82ba10/h8x/82ba10h8.tar
        * SAS Hotfix 82ba10h6.tar (HP-UX 64bit Platform)
          http://ftp.sas.com/techsup/download/hotfix/v82/base/82ba10/h64/82ba10h6.tar
        * SAS Hotfix 82ba10ar.tar (AIX Platform)
          http://ftp.sas.com/techsup/download/hotfix/v82/base/82ba10/r6x/82ba10ar.tar
        * SAS Hotfix 82ba10r6.tar (AIX 64bit Platform)
          http://ftp.sas.com/techsup/download/hotfix/v82/base/82ba10/r64/82ba10r6.tar
        * SAS Hotfix 82ba10ap.tar (Tru64 Platform)
          http://ftp.sas.com/techsup/download/hotfix/v82/base/82ba10/alx/82ba10ap.tar
        * SAS Hotfix 82ba10lx.tar (Linux Platform)
          http://ftp.sas.com/techsup/download/hotfix/v82/base/82ba10/lnx/82ba10lx.tar
        * SAS Hotfix 82ba10sg.tar (IRIX Platform)
          http://ftp.sas.com/techsup/download/hotfix/v82/base/82ba10/sgi/82ba10sg.tar
        * SAS Hotfix 82ba10ia.tar
          http://ftp.sas.com/techsup/download/hotfix/v82/base/82ba10/iab/82ba10ia.tar

- Vulnerability Information

14330
SAS/Base sastcpd Command Line Format String
Local Access Required, Local / Remote, Context Dependent Input Manipulation
Loss of Integrity Upgrade
Vendor Verified

- Vulnerability Description

- Timeline

2002-01-29 Unknown
Unknown Unknown

- Solution

Upgrade to version 8.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

SAS SASTCPD Command Format String Vulnerability
Input Validation Error 3980
No Yes
2002-01-29 12:00:00 2009-07-11 09:56:00
This vulnerability was originally announced by Wodahs Latigid <wodahs@mail.com> in a Ministry-of-Peace on January 29, 2002.

- Affected Versions

SAS Base 8.1
SAS Base 8.0
SAS Base 8.2

- Unaffected Versions

SAS Base 8.2

- Vulnerability Discussion

sastcpd is a "Job Spawner" included with the base installation of the SAS Software infrastructure. It is available for various platforms. This issue affects systems running the Unix, Linux, and Microsoft operating systems.

A problem has been discovered in the sastcpd program. sastcpd is a job spawning program included with the SAS Base product. By default, it is installed setuid root. sastcpd is vulnerable to a format string attack. When executed with a command line argument of a format string, it is possible to overwrite arbitrary addresses in memory. This can result in the execution of arbitrary code. As the sastcpd program is installed setuid root, the code will be executed with administrative privileges.

- Exploit

Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

This problem has been fixed in version 8.2.

Patches available:


SAS Base 8.0

SAS Base 8.1

- Related References

 

 
