CVE-2002-0358
CVSS 4.6
Published: 2002-07-26 00:00:00
Revised: 2008-09-05 16:27:49

[Original] MediaMail and MediaMail Pro in SGI IRIX 6.5.16 and earlier allow local users to force the program to dump core via certain arguments, which could allow the users to read sensitive data or gain privileges.


[CNNVD] SGI IRIX MediaMail Local Buffer Overflow Vulnerability (CNNVD-200207-104)

        
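        IRIX is a commercial UNIX system released and maintained by SGI.
        "MediaMail" and "MediaMail Pro" on IRIX (/usr/binX11/MediaMail) contain a buffer overflow vulnerability. A local attacker can use an overflow attack to execute arbitrary commands on the host with the privileges of the mail user.
        Some user-supplied arguments are not properly checked when they are processed, which can cause /usr/binX11/MediaMail to dump core. Because "MediaMail" and "MediaMail Pro" are installed setgid mail, carefully constructed user-supplied arguments can allow a local attacker to execute arbitrary commands on the system with the privileges of the mail user.
        /usr/binX11/MediaMail is installed by default on IRIX 6.5 systems. To check whether "MediaMail" and "MediaMail Pro" are installed, run the following command:
        # versions -b | grep mmail
        If output similar to the following is returned, the program is installed and vulnerable:
         I mmail 10/14/2000 MediaMail
         I mmail 10/14/2000 MediaMail Pro
        To determine the version of the IRIX operating system, run the following command:
        # uname -R
        It returns output similar to the following:
        # 6.5 6.5.15f
        The first value is the release name and the second is the extended release name.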
        

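- CVSS (Base Score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]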

- CPE (Affected Platforms and Products)

cpe:/a:sgi:mediamail    SGI MediaMail
cpe:/a:sgi:mediamail:::pro

- OVAL (Technical Details for Detection)

No related OVAL definition found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0358
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0358
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200207-104
(Official data source) CNNVD

- Other Links and Resources

ftp://patches.sgi.com/support/free/security/advisories/20020602-01-I
(VENDOR_ADVISORY)  SGI  20020602-01-I
http://www.securityfocus.com/bid/4959
(UNKNOWN)  BID  4959
http://www.iss.net/security_center/static/9292.php
(UNKNOWN)  XF  irix-mediamail-core-dump(9292)

- Vulnerability Information

SGI IRIX MediaMail Local Buffer Overflow Vulnerability
Medium  Unknown
2002-07-26 00:00:00 2005-05-02 00:00:00
Local
        
        

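- Advisories and Patches

        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Tighten local user management and allow access only to trusted users.
        Vendor patch:
        SGI
        ---
        SGI has released a security advisory (20020602-01-I) and corresponding patch for this issue:
        20020602-01-I: MediaMail vulnerability
        Link: ftp://patches.sgi.com/support/free/security/advisories/20020602-01-I
        However, MediaMail is an expired product, and SGI will provide patches for these vulnerabilities. SGI recommends uninstalling the program and using a different mail program:
        # versions remove mmail*
        Patch status:
         OS Version     Affected     Patch #     Remarks
         ----------     --------     -------     -------------
         IRIX 3.x       unknown                  Note 1
         IRIX 4.x       unknown                  Note 1
         IRIX 5.x       unknown                  Note 1
         IRIX 6.0.x     unknown                  Note 1
         IRIX 6.1       unknown                  Note 1
         IRIX 6.2       unknown                  Note 1
         IRIX 6.3       unknown                  Note 1
         IRIX 6.4       unknown                  Note 1
         IRIX 6.5       yes                      Notes 2 & 3
         IRIX 6.5.1     yes                      Notes 2 & 3
         IRIX 6.5.2     yes                      Notes 2 & 3
         IRIX 6.5.3     yes                      Notes 2 & 3
         IRIX 6.5.4     yes                      Notes 2 & 3
         IRIX 6.5.5     yes                      Notes 2 & 3
         IRIX 6.5.6     yes                      Notes 2 & 3
         IRIX 6.5.7     yes                      Notes 2 & 3
         IRIX 6.5.8     yes                      Notes 2 & 3
         IRIX 6.5.9     yes                      Notes 2 & 3
         IRIX 6.5.10    yes                      Notes 2 & 3
         IRIX 6.5.11    yes                      Notes 2 & 3
         IRIX 6.5.12    yes                      Notes 2 & 3
         IRIX 6.5.13    yes                      Notes 2 & 3
         IRIX 6.5.14    yes                      Notes 2 & 3
         IRIX 6.5.15    yes                      Notes 2 & 3
         IRIX 6.5.16    yes                      Notes 2 & 3
        Notes:
         1) This version of IRIX is no longer maintained. Please upgrade to a
            supported version. See http://support.sgi.com/irix/news/index.html#policy
            for more information.
         2) If you have not yet received an IRIX 6.5.x CD for IRIX 6.5, contact
            SGI support; see http://support.sgi.com/irix/swupdates/
         3) Uninstall the mmail or mmailp subsystem and use a different mail
            client. Netscape Communicator is the recommended mail client and can
            be downloaded from http://freeware.sgi.com/.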
- Vulnerability Information (F26251)

HexView Security Advisory 2002-06-02.01 (PacketStormID:F26251)
2002-06-10 00:00:00
HexView  sgi.com
CVE-2002-0358

SGI Security Advisory 20020602-01-I - "MediaMail" and "MediaMail Pro" (/usr/binX11/MediaMail) can be caused to dump core when passed certain user-supplied arguments. Since it is setgid mail, the core dump can be exploited in several ways.

-----BEGIN PGP SIGNED MESSAGE-----

_____________________________________________________________________________

                          SGI Security Advisory

        Title:      MediaMail vulnerability
        Number:     20020602-01-I
        Date:       June 6, 2002
        Reference:  CAN-2002-0358
_____________________________________________________________________________

- -----------------------
- --- Issue Specifics ---
- -----------------------

It's been reported that the "MediaMail" and "MediaMail Pro" (the binary is
"/usr/binX11/MediaMail") mail applications can be caused to dump core when
passed certain user-supplied arguments. Since MediaMail and MediaMail Pro
are setgid to group "mail", they are considered to be privileged programs,
and this core dumping can be used in a variety of ways to exploit the
system.

SGI has investigated the issue and recommends the following steps for
neutralizing the exposure.  It is HIGHLY RECOMMENDED that these measures be
implemented on ALL vulnerable SGI systems.


- --------------
- --- Impact ---
- --------------

The MediaMail binary is installed by default on IRIX 6.2 and earlier systems
as part of eoe.sw.base.  MediaMail was not shipped starting with IRIX 6.5,
but "MediaMail Pro" was shipped with IRIX 6.5 on the Applications CD, and is
not installed by default.

To determine the version of IRIX you are running, execute the following
command:

  # uname -R

That will return a result similar to the following:

  # 6.5 6.5.15f

The first number ("6.5") is the release name, the second ("6.5.15f" in this
case) is the extended release name.  The extended release name is the
"version" we refer to throughout this document.

To see if MediaMail or MediaMail Pro is installed, execute the following
command:

  # versions -b | grep mmail

If lines similar to either of the following lines are returned, then it is
installed, and the system is vulnerable.

  I  mmail          10/14/2000    MediaMail
  I  mmail          10/14/2000    MediaMail Pro


This vulnerability was assigned the following CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0358


- ----------------------------
- --- Temporary Workaround ---
- ----------------------------

There is no effective workaround available for these problems.


- ----------------
- --- Solution ---
- ----------------

MediaMail is an expired product, therefore SGI has not provided patches for
these vulnerabilities. SGI recommends uninstalling the program and switching
to a different mail program.

See the following URL for details about the expired status of the product:

http://support.sgi.com/spk/index.cgi?whichPage%3AResults%7CsearchText=mediamail&compat=All+Operating+Systems&ptype=All+Product+Types&status=All+Support+Policies&sort=Product+Name&columns=pn%7Clv%7Csp%7Csa%7Cmc%7Cos%7Clk%7Cno

To remove the MediaMail or MediaMail subsystem, depending on which is
installed, execute the following command:

  # versions remove mmail*

It is not necessary to reboot after removing the program from your system.

MediaMail was shipped on the following IRIX Operating Systems:

   OS Version     Vulnerable?     Patch #      Other Actions
   ----------     -----------     -------      -------------
   IRIX 3.x        unknown                     Note 1
   IRIX 4.x        unknown                     Note 1
   IRIX 5.x          yes                       Notes 1 & 3
   IRIX 6.0.x        yes                       Notes 1 & 3
   IRIX 6.1          yes                       Notes 1 & 3
   IRIX 6.2          yes                       Notes 1 & 3
   IRIX 6.3          yes                       Notes 1 & 3
   IRIX 6.4          yes                       Notes 1 & 3
   IRIX 6.5          yes                       Notes 2 & 3
   IRIX 6.5.1        yes                       Notes 2 & 3
   IRIX 6.5.2        yes                       Notes 2 & 3
   IRIX 6.5.3        yes                       Notes 2 & 3
   IRIX 6.5.4        yes                       Notes 2 & 3
   IRIX 6.5.5        yes                       Notes 2 & 3
   IRIX 6.5.6        yes                       Notes 2 & 3
   IRIX 6.5.7        yes                       Notes 2 & 3
   IRIX 6.5.8        yes                       Notes 2 & 3
   IRIX 6.5.9        yes                       Notes 2 & 3
   IRIX 6.5.10       yes                       Notes 2 & 3
   IRIX 6.5.11       yes                       Notes 2 & 3
   IRIX 6.5.12       yes                       Notes 2 & 3
   IRIX 6.5.13       yes                       Notes 2 & 3
   IRIX 6.5.14       yes                       Notes 2 & 3
   IRIX 6.5.15       yes                       Notes 2 & 3
   IRIX 6.5.16       yes                       Notes 2 & 3

   NOTES

     1) This version of the IRIX operating system has been retired. Upgrade to an
        actively supported IRIX operating system.  See
        http://support.sgi.com/irix/news/index.html#policy for more
        information.

     2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact your
        SGI Support Provider or URL: http://support.sgi.com/irix/swupdates/

     3) Uninstall the mmail or mmailp subsystem and use a different mail
        client.  The mail client in Netscape Communicator is suggested.
        Other mail clients can be found on http://freeware.sgi.com/


- ------------------------
- --- Acknowledgments ----
- ------------------------

SGI wishes to thank users of the Internet Community at large for their
assistance in this matter.


- -------------
- --- Links ---
- -------------

SGI Security Advisories can be found at:
http://www.sgi.com/support/security/ and
ftp://patches.sgi.com/support/free/security/advisories/

SGI Security Patches can be found at:
http://www.sgi.com/support/security/ and
ftp://patches.sgi.com/support/free/security/patches/

SGI patches for IRIX can be found at the following patch servers:
http://support.sgi.com/irix/ and ftp://patches.sgi.com/

SGI freeware updates for IRIX can be found at:
http://freeware.sgi.com/

SGI fixes for SGI open sourced code can be found on:
http://oss.sgi.com/projects/

SGI patches and RPMs for Linux can be found at:
http://support.sgi.com/linux/ or
http://oss.sgi.com/projects/sgilinux-combined/download/security-fixes/

SGI patches for Windows NT or 2000 can be found at:
http://support.sgi.com/nt/

IRIX 5.2-6.4 Recommended/Required Patch Sets can be found at:
http://support.sgi.com/irix/ and ftp://patches.sgi.com/support/patchset/

IRIX 6.5 Maintenance Release Streams can be found at:
http://support.sgi.com/colls/patches/tools/relstream/index.html

IRIX 6.5 Software Update CDs can be obtained from:
http://support.sgi.com/irix/swupdates/

The primary SGI anonymous FTP site for security advisories and patches is
patches.sgi.com (216.32.174.211).  Security advisories and patches are
located under the URL ftp://patches.sgi.com/support/free/security/

For security and patch management reasons, ftp.sgi.com (mirrors
patches.sgi.com security FTP repository) lags behind and does not do a
real-time update.


- -----------------------------------------
- --- SGI Security Information/Contacts ---
- -----------------------------------------

If there are questions about this document, email can be sent to
security-info@sgi.com.

                      ------oOo------

SGI provides security information and patches for use by the entire SGI
community.  This information is freely available to any person needing the
information and is available via anonymous FTP and the Web.

The primary SGI anonymous FTP site for security advisories and patches is
patches.sgi.com (216.32.174.211).  Security advisories and patches are
located under the URL ftp://patches.sgi.com/support/free/security/

The SGI Security Headquarters Web page is accessible at the URL:
http://www.sgi.com/support/security/

For issues with the patches on the FTP sites, email can be sent to
security-info@sgi.com.

For assistance obtaining or working with security patches, please
contact your SGI support provider.

                      ------oOo------

SGI provides a free security mailing list service called wiretap and
encourages interested parties to self-subscribe to receive (via email) all
SGI Security Advisories when they are released. Subscribing to the mailing
list can be done via the Web
(http://www.sgi.com/support/security/wiretap.html) or by sending email to
SGI as outlined below.

% mail wiretap-request@sgi.com
subscribe wiretap <YourEmailAddress>
end
^d

In the example above, <YourEmailAddress> is the email address that you wish
the mailing list information sent to.  The word end must be on a separate
line to indicate the end of the body of the message. The control-d (^d) is
used to indicate to the mail program that you are finished composing the
mail message.


                      ------oOo------

SGI provides a comprehensive customer World Wide Web site. This site is
located at http://www.sgi.com/support/security/ .

                      ------oOo------

If there are general security questions on SGI systems, email can be sent to
security-info@sgi.com.

For reporting *NEW* SGI security issues, email can be sent to
security-alert@sgi.com or contact your SGI support provider.  A support
contract is not required for submitting a security report.

______________________________________________________________________________
      This information is provided freely to all interested parties
      and may be redistributed provided that it is not altered in any
      way, SGI is appropriately credited and the document retains and
      includes its valid PGP signature.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBPP/RbrQ4cFApAP75AQHwjwQAtCFaVWDx2yQlVw+eTfY/LIDbUOHYzSkg
/EDxcBEYcf29jn5nzLs/AmV1ilXLs9c2xuAoXDYg4MAnKREZTCPeKAAE5KfTzADY
GZr2knHX+PoYKrW/dm23AfFE7Ryttr6PiqkLLP6YG6oOhyOwdwWuahhFfmHo0Mxm
qc9sZOghI6g=
=dxO+
-----END PGP SIGNATURE-----
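
The two checks described in the CNNVD entry and in the SGI advisory above (`uname -R` and the `versions -b` listing) can be combined into one triage step over saved command output. This is an added example, not part of the advisory or the database entry; the function names, the verdict strings and the sample input are constructed for illustration, and the release grouping follows the advisory's table.

```shell
#!/bin/sh
# Added example: triage one IRIX host from saved command output.
# Function names, verdict strings and sample data are constructed for this sketch.

# Print the description of every installed ("I") mmail line in `versions -b` output.
mmail_products() {
    awk '$1 == "I" && $2 ~ /^mmail/ {
        desc = $4
        for (i = 5; i <= NF; i++) desc = desc " " $i
        print desc
    }'
}

# Map `uname -R` output to the matching row group of the advisory table.
release_note() {
    # Use the extended release name (second field); tolerate a copied "# " prefix.
    ext=$(printf '%s\n' "$1" |
        awk '{ sub(/^#[ \t]*/, ""); print ((NF >= 2) ? $2 : $1) }')
    case "$ext" in
        3.*|4.*|5.*|6.0*|6.1*|6.2*|6.3*|6.4*) echo "retired-release" ;;
        6.5|6.5.*)
            n=$(printf '%s\n' "$ext" | sed -n 's/^6\.5\.\([0-9][0-9]*\).*$/\1/p')
            if [ "${n:-0}" -le 16 ]; then echo "listed-6.5"; else echo "not-listed"; fi ;;
        *) echo "not-listed" ;;
    esac
}

# $1 = output of `uname -R`, $2 = output of `versions -b`
assess() {
    if [ -z "$(printf '%s\n' "$2" | mmail_products)" ]; then
        echo "not-installed"
    else
        # The advisory offers no patch, so an installed mmail subsystem counts as vulnerable.
        echo "vulnerable:$(release_note "$1")"
    fi
}

# Constructed sample input, shaped like the output shown in the advisory.
SAMPLE_UNAME='6.5 6.5.15f'
SAMPLE_VERSIONS='I  mmail          10/14/2000    MediaMail Pro
I  eoe            10/14/2000    IRIX Execution Environment'

assess "$SAMPLE_UNAME" "$SAMPLE_VERSIONS"
```

A `vulnerable:retired-release` verdict corresponds to Notes 1 & 3 in the advisory table (remove mmail and upgrade), `vulnerable:listed-6.5` to Notes 2 & 3.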
    

- Vulnerability Information

15972
IRIX MediaMail Forced Core Dump Local Information Disclosure
Local Access Required Information Disclosure, Input Manipulation
Loss of Confidentiality, Loss of Integrity

- Vulnerability Description

IRIX contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when a malicious user passes certain command line arguments that cause MediaMail and MediaMail Pro to dump core. This flaw may lead to a loss of integrity.

- Timeline

2002-06-06 Unknown
Unknown Unknown

- Solution

The vendor has discontinued this product and therefore has no patch or upgrade that mitigates this problem. It is recommended that an alternate software package be used in its place. In the alternative, it is possible to correct the flaw by implementing the following workaround: remove the program from the system.
# versions remove mmail*

- Related References

- Vulnerability Author

Unknown or Incomplete
 

 
