CVE-2002-1233
CVSS 2.6
Published: 2002-11-04 00:00:00
Modified: 2016-10-17 22:25:03

[Original] A regression error in the Debian distributions of the apache-ssl package (before 1.3.9 on Debian 2.2, and before 1.3.26 on Debian 3.0), for Apache 1.3.27 and earlier, allows local users to read or modify the Apache password file via a symlink attack on temporary files when the administrator runs (1) htpasswd or (2) htdigest, a re-introduction of a vulnerability that was originally identified and addressed by CVE-2001-0131.


[CNNVD] Apache HTDigest and HTPasswd components: multiple local vulnerabilities (CNNVD-200211-006)

        
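        Apache is a free, open-source web server.
        Apache contains multiple vulnerabilities that can lead to security problems; a local attacker can exploit them to carry out attacks such as modifying the contents of the Apache password file.
        1. A race condition exists in support/htpasswd.c:
         main()
         tempfilename = tmpnam(tname_buf);
         ftemp = fopen(tempfilename, "w+");
         ...
         copy_file(ftemp, fpw);
        When an administrator runs htpasswd, an attacker can exploit this vulnerability so that any local user can read or modify the contents of the Apache password file.
        2. A race condition exists in support/htdigest.c:
         main()
         tn = tmpnam(NULL);
         if (!(tfp = fopen(tn, "w"))) ...
         ...
         sprintf(command, "cp %s %s", tn, argv[1]);
         system(command);
        When an administrator runs htpasswd, an attacker can exploit this vulnerability so that any local user can read or modify the contents of the Apache password file.
        3. support/htdigest.c:main() contains several unsafe system() calls; however, htdigest cannot be invoked from any CGI script.
        4. Buffer overflows exist in support/htdigest.c:
         main()
        There are several buffer overflows; the following is one example:
         #define MAX_STRING_LEN 256
         int main(int argc, char *argv[]) {
         char user[MAX_STRING_LEN];
         strcpy(user, argv[3]);
        However, htdigest cannot be invoked from any CGI script, so remote exploitation of the buffer overflow is not possible.

        Vendor patch:
        Apache Group
        ------------
        The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:

        http://www.apache.org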
        

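- CVSS (Base Score)

CVSS score: 2.6 [LOW]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on system availability]
Attack complexity: HIGH [exploitation requires specific access conditions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (Affected Platforms and Products)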

cpe:/a:apache:http_server:1.3.26 - Apache Software Foundation Apache HTTP Server 1.3.26
cpe:/a:apache:http_server:1.3.27 - Apache Software Foundation Apache HTTP Server 1.3.27
cpe:/a:apache:http_server:1.3.17 - Apache Software Foundation Apache HTTP Server 1.3.17
cpe:/a:apache:http_server:1.3.18 - Apache Software Foundation Apache HTTP Server 1.3.18
cpe:/a:apache:http_server:1.3.22 - Apache Software Foundation Apache HTTP Server 1.3.22
cpe:/a:apache:http_server:1.3.23 - Apache Software Foundation Apache HTTP Server 1.3.23
cpe:/a:apache:http_server:1.3.24 - Apache Software Foundation Apache HTTP Server 1.3.24
cpe:/a:apache:http_server:1.3.25 - Apache Software Foundation Apache HTTP Server 1.3.25
cpe:/a:apache:http_server:1.3.19 - Apache Software Foundation Apache HTTP Server 1.3.19
cpe:/a:apache:http_server:1.3.19::win32
cpe:/a:apache:http_server:1.3.26::win32
cpe:/a:apache:http_server:1.3.18::win32
cpe:/a:apache:http_server:1.3.17::win32
cpe:/a:apache:http_server:1.3.23::win32
cpe:/a:apache:http_server:1.3.22::win32
cpe:/a:apache:http_server:1.3.25::win32
cpe:/a:apache:http_server:1.3.24::win32
cpe:/a:apache:http_server:1.3.20 - Apache Software Foundation Apache HTTP Server 1.3.20
cpe:/a:apache:http_server:1.3.20::win32

- OVAL (Technical Details for Detection)

No related OVAL definitions found.

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1233
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1233
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200211-006
(Official data source) CNNVD

- Other Links and Resources

http://marc.info/?l=bugtraq&m=103480856102007&w=2
(UNKNOWN)  BUGTRAQ  20021016 Apache 1.3.26
http://www.debian.org/security/2002/dsa-187
(UNKNOWN)  DEBIAN  DSA-187
http://www.debian.org/security/2002/dsa-188
(UNKNOWN)  DEBIAN  DSA-188
http://www.debian.org/security/2002/dsa-195
(UNKNOWN)  DEBIAN  DSA-195
http://www.iss.net/security_center/static/10412.php
(UNKNOWN)  XF  apache-htpasswd-tmpfile-race(10412)
http://www.iss.net/security_center/static/10413.php
(VENDOR_ADVISORY)  XF  apache-htdigest-tmpfile-race(10413)
http://www.securityfocus.com/bid/5981
(UNKNOWN)  BID  5981
http://www.securityfocus.com/bid/5990
(UNKNOWN)  BID  5990

- Vulnerability Information

Apache HTDigest and HTPasswd components: multiple local vulnerabilities
Low risk    Access validation error
2002-11-04 00:00:00 2005-10-31 00:00:00
Local
        
        

- Advisories and Patches

        

- Vulnerability Information

Apache HTDigest Insecure Temporary File Vulnerability
Access Validation Error 5992
No Yes
2002-10-17 12:00:00 2009-07-11 06:06:00
Vulnerability discovery credited to David Wagner <daw@cs.berkeley.edu>.

- Affected Software Versions

IBM HTTP Server 1.3.19
- HP HP-UX 11.0
- IBM AIX 4.3.3
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- RedHat Linux 7.1
- S.u.S.E. Linux 7.1
- Sun Solaris 7.0
- Sun Solaris 2.6
Apache Software Foundation Apache 1.3.27
+ HP HP-UX (VVOS) 11.0 4
+ HP VirtualVault 4.6
+ HP VirtualVault 4.5
+ HP Webproxy 2.0
+ Immunix Immunix OS 7+
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ OpenBSD OpenBSD 3.3
+ OpenPKG OpenPKG Current
+ Red Hat Enterprise Linux AS 2.1 IA64
+ Red Hat Enterprise Linux AS 2.1
+ RedHat Enterprise Linux ES 2.1 IA64
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux WS 2.1 IA64
+ RedHat Enterprise Linux WS 2.1
+ RedHat Linux Advanced Work Station 2.1
+ SGI IRIX 6.5.19
Apache Software Foundation Apache 1.3.26
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ Mandriva Linux Mandrake 9.0
+ OpenPKG OpenPKG 1.1
+ Trustix Secure Linux 1.5
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
Apache Software Foundation Apache 1.3.25
Apache Software Foundation Apache 1.3.24
+ OpenBSD OpenBSD 3.1
+ Oracle Oracle HTTP Server 9.2 .0
+ Oracle Oracle HTTP Server 9.0.1
+ Oracle Oracle9i Application Server 9.0.2
+ Oracle Oracle9i Application Server 1.0.2 .2
+ Oracle Oracle9i Application Server 1.0.2 .1s
+ Oracle Oracle9i Application Server 1.0.2
+ Slackware Linux 8.1
+ Unisphere Networks SDX-300 2.0.3
Apache Software Foundation Apache 1.3.23
- IBM AIX 4.3
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
+ RedHat Linux 7.3 i386
+ RedHat Linux 7.3
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
+ Trustix Secure Linux 1.5
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
Apache Software Foundation Apache 1.3.22
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1.1
+ Caldera OpenLinux Workstation 3.1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ MandrakeSoft Corporate Server 1.0.1
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ Mandriva Linux Mandrake 7.2
+ OpenPKG OpenPKG 1.0
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
Apache Software Foundation Apache 1.3.20
- HP HP-UX 11.22
- HP HP-UX 11.20
+ MandrakeSoft Single Network Firewall 7.2
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux 7.3
+ SGI IRIX 6.5.18
+ SGI IRIX 6.5.17
+ SGI IRIX 6.5.16
+ SGI IRIX 6.5.15
+ SGI IRIX 6.5.14 m
+ SGI IRIX 6.5.14 f
+ SGI IRIX 6.5.14
+ SGI IRIX 6.5.13 m
+ SGI IRIX 6.5.13 f
+ SGI IRIX 6.5.13
+ SGI IRIX 6.5.12 m
+ SGI IRIX 6.5.12 f
+ SGI IRIX 6.5.12
+ Slackware Linux 8.0
+ Sun Cobalt Control Station 4100CS
+ Sun Cobalt RaQ 550
+ Sun Solaris 9_x86 Update 2
+ Sun Solaris 9_x86
+ Sun Solaris 9
+ Sun SunOS 5.9 _x86
+ Sun SunOS 5.9
Apache Software Foundation Apache 1.3.19
- Apple Mac OS X 10.0.3
- Caldera OpenLinux 2.4
+ Debian Linux 2.3
- Digital (Compaq) TRU64/DIGITAL UNIX 5.0
- Digital (Compaq) TRU64/DIGITAL UNIX 4.0 g
- Digital (Compaq) TRU64/DIGITAL UNIX 4.0 f
+ EnGarde Secure Linux 1.0.1
- FreeBSD FreeBSD 4.2
- FreeBSD FreeBSD 3.5.1
- HP HP-UX 11.11
- HP HP-UX 11.0 4
- HP HP-UX 11.0
- HP HP-UX 10.20
+ HP Secure OS software for Linux 1.0
- HP VirtualVault 4.5
+ Mandriva Linux Mandrake 8.1
- Mandriva Linux Mandrake 8.0
- Mandriva Linux Mandrake 7.2
- Mandriva Linux Mandrake 7.1
- NetBSD NetBSD 1.5.1
- NetBSD NetBSD 1.5
+ OpenBSD OpenBSD 2.9
- OpenBSD OpenBSD 2.8
+ OpenBSD OpenBSD 3.0
- Red Hat Linux 6.2
- RedHat Linux 7.1
- RedHat Linux 7.0
+ S.u.S.E. Linux 7.2 i386
+ S.u.S.E. Linux 7.2
+ S.u.S.E. Linux 7.1 x86
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux 7.0 sparc
+ S.u.S.E. Linux 7.0 ppc
+ S.u.S.E. Linux 7.0 i386
+ S.u.S.E. Linux 7.0 alpha
+ S.u.S.E. Linux 7.0
+ S.u.S.E. Linux 6.4 ppc
+ S.u.S.E. Linux 6.4 i386
+ S.u.S.E. Linux 6.4 alpha
+ S.u.S.E. Linux 6.4
- SCO eDesktop 2.4
- SCO eServer 2.3.1
- SGI IRIX 6.5.9
- SGI IRIX 6.5.8
- Sun Solaris 8_sparc
- Sun Solaris 7.0
Apache Software Foundation Apache 1.3.18
Apache Software Foundation Apache 1.3.17
+ MandrakeSoft Corporate Server 1.0.1
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ OpenBSD OpenBSD 2.8
+ S.u.S.E. Linux 7.1
Apache Software Foundation Apache 1.3.14
+ EnGarde Secure Linux 1.0.1
- MandrakeSoft Single Network Firewall 7.2
+ Mandriva Linux Mandrake 7.2
+ Mandriva Linux Mandrake 7.1
+ SGI IRIX 6.5.11
+ SGI IRIX 6.5.10
+ SGI IRIX 6.5.9
+ SGI IRIX 6.5.8
+ SGI IRIX 6.5.7
+ SGI IRIX 6.5.6
+ SGI IRIX 6.5.5
+ SGI IRIX 6.5.4
+ SGI IRIX 6.5.3
+ SGI IRIX 6.5.2
+ SGI IRIX 6.5.1
+ SGI IRIX 6.5
Apache Software Foundation Apache 1.3.12
+ NetScreen NetScreen-Global PRO Express Policy Manager Server
+ NetScreen NetScreen-Global PRO Policy Manager Server
+ OpenBSD OpenBSD 2.8
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
+ S.u.S.E. Linux 7.0 sparc
+ S.u.S.E. Linux 7.0
+ Sun Cobalt ManageRaQ v2 3599BD
+ Sun Cobalt Qube3 4000WG
+ Sun Cobalt RaQ XTR 3500R
+ Sun Cobalt RaQ4 3001R
Apache Software Foundation Apache 1.3.11
Apache Software Foundation Apache 1.3.9
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
+ NetScreen NetScreen-Global PRO Express Policy Manager Server
+ NetScreen NetScreen-Global PRO Policy Manager Server
+ Sun Solaris 8_x86
+ Sun Solaris 8_sparc
+ Sun SunOS 5.8 _x86
+ Sun SunOS 5.8
Apache Software Foundation Apache 1.3.6
+ Sun Cobalt ManageRaQ3 3000R-mr
+ Sun Cobalt RaQ3 3000R
+ Sun Cobalt Velociraptor
Apache Software Foundation Apache 1.3.4
+ BSDI BSD/OS 4.0
Apache Software Foundation Apache 1.3.3
+ RedHat Linux 5.2 sparc
+ RedHat Linux 5.2 i386
+ RedHat Linux 5.2 alpha
Apache Software Foundation Apache 1.3.1
Apache Software Foundation Apache 1.3
+ Apple Mac OS X 10.3.2
+ Apple Mac OS X 10.3.1
+ Apple Mac OS X 10.3
+ Apple Mac OS X 10.2.8
+ Apple Mac OS X 10.2.7
+ Apple Mac OS X 10.2.6
+ Apple Mac OS X 10.2.5
+ Apple Mac OS X 10.2.4
+ Apple Mac OS X 10.2.3
+ Apple Mac OS X 10.2.2
+ Apple Mac OS X 10.2.1
+ Apple Mac OS X 10.2
+ Apple Mac OS X 10.1.5
+ Apple Mac OS X 10.1.4
+ Apple Mac OS X 10.1.3
+ Apple Mac OS X 10.1.2
+ Apple Mac OS X 10.1.1
+ Apple Mac OS X 10.1
+ Apple Mac OS X Server 10.3.2
+ Apple Mac OS X Server 10.3.1
+ Apple Mac OS X Server 10.3
+ Apple Mac OS X Server 10.2.8
+ Apple Mac OS X Server 10.2.7
+ Apple Mac OS X Server 10.2.6
+ Apple Mac OS X Server 10.2.5
+ Apple Mac OS X Server 10.2.4
+ Apple Mac OS X Server 10.2.3
+ Apple Mac OS X Server 10.2.2
+ Apple Mac OS X Server 10.2.1
+ Apple Mac OS X Server 10.2
+ Apple Mac OS X Server 10.1.5
+ Apple Mac OS X Server 10.1.4
+ Apple Mac OS X Server 10.1.3
+ Apple Mac OS X Server 10.1.2
+ Apple Mac OS X Server 10.1.1
+ Apple Mac OS X Server 10.1
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0

- Discussion

Apache creates temporary files insecurely for htdigest. As a result, it is possible for local attackers to read or corrupt the Apache password file. If the attacker can write custom data to the password file, it may be possible to gain unauthorized access to resources protected by htpasswd. Alternatively, an attacker could reportedly read the password file and gain unauthorized access to credentials.
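
The temporary-file handling described above, set beside a hardened form, as an added example that is not taken from the Apache or Debian sources. The helper names (open_tmp, size_after_open, replace_file) and every path are constructed for the illustration, and the scenario runs entirely inside a private mkdtemp() directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Example helpers (names are this example's own, not Apache's). "Before":
 * fopen(name, "w") follows a symlink planted at a guessable name and
 * truncates its target; "after": O_CREAT|O_EXCL refuses it. */
int open_tmp(const char *name, int hardened) {
    return hardened ? open(name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600)
                    : open(name, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Constructed scenario in a private mkdtemp() dir: a 7-byte stand-in password
 * file with a symlink to it at the temp name. Returns its size afterwards. */
long size_after_open(int hardened) {
    char dir[] = "/tmp/tmprace.XXXXXX", pw[64], tmp[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(pw, sizeof pw, "%s/passwords", dir);
    snprintf(tmp, sizeof tmp, "%s/tmpname", dir);
    int fd = open_tmp(pw, 1);
    if (fd < 0 || write(fd, "secret\n", 7) != 7 || close(fd) != 0) return -1;
    if (symlink(pw, tmp) != 0) return -1;
    if ((fd = open_tmp(tmp, hardened)) >= 0) close(fd);
    long size = stat(pw, &st) == 0 ? (long)st.st_size : -1;
    unlink(tmp); unlink(pw); rmdir(dir);
    return size;
}

/* Hardened update: mkstemp() makes an unpredictable O_EXCL, mode-0600 file
 * beside the target; rename() swaps it in atomically (no tmpnam, no cp). */
int replace_file(const char *target, const char *data) {
    char tmp[4096];
    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", target) >= (int)sizeof tmp) return -1;
    int fd = mkstemp(tmp);
    if (fd < 0) return -1;
    int ok = write(fd, data, strlen(data)) == (ssize_t)strlen(data) && fsync(fd) == 0;
    ok = (close(fd) == 0) && ok;
    if (!ok || rename(tmp, target) != 0) { unlink(tmp); return -1; }
    return 0;
}

int main(void) {
    printf("%ld %ld\n", size_after_open(0), size_after_open(1));
    return 0;
}
```

Creating the temporary file in the same directory as the target keeps rename() on one filesystem and keeps the file out of a world-writable directory.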

- Exploit

There is no exploit required.

- Solution

Debian has released advisory DSA 195-1, which contains updates for apache-perl packages. Further information is available in the referenced advisory.

Fixes are available:


Apache Software Foundation Apache 1.3.26

Apache Software Foundation Apache 1.3.9

- Related References

     

     
