CVE-2002-1317
CVSS 7.5
Published: 2002-12-11 00:00:00
Revised: 2016-10-17 22:25:50

[Original] Buffer overflow in Dispatch() routine for XFS font server (fs.auto) on Solaris 2.5.1 through 9 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a certain XFS query.


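[CNNVD] Solaris fs.auto Remote Buffer Overflow Vulnerability (CNNVD-200212-008)

        The XFS protocol is used to share font information on X Windows networks. The X Windows system implements fonts as an extensible, scalable feature. This requires a mechanism by which all X Windows clients and servers can access font data, so that font data can be distributed across the X Windows network. On Solaris, the XFS font server is implemented by the fs.auto daemon.
        The Dispatch() function of the fs.auto daemon does not properly check user-supplied data. A remote attacker can exploit this to overflow a buffer in fs.auto and execute arbitrary instructions on the system with the privileges of the fs.auto process (usually "nobody").
        Because Dispatch() lacks sufficient bounds checking when passing user-supplied data, an attacker who constructs a special XFS query can crash the service, and carefully constructed query data may execute arbitrary instructions on the system with the privileges of the "nobody" user.
        Because the fs.auto service does not run with superuser privileges, an attacker needs to exploit another vulnerability to gain "root" access. The fs.auto service is enabled in the default Solaris configuration; it is generally bound to a high port, which is usually filtered by firewalls.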
        

- CVSS (Base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected platforms and products)

cpe:/o:sun:solaris:2.6::x86
cpe:/o:sun:solaris:8.0::x86
cpe:/o:sun:solaris:7.0::x86
cpe:/o:sgi:irix:6.5  SGI IRIX 6.5
cpe:/o:sun:solaris:2.5.1::ppc
cpe:/o:sun:solaris:9.0:x86_update_2
cpe:/o:sun:solaris:7.0
cpe:/o:sun:solaris:2.6
cpe:/o:sun:solaris:8.0
cpe:/o:sun:solaris:2.5.1::x86
cpe:/o:hp:hp-ux:11.11  HP-UX 11.11
cpe:/a:xfree86_project:x11r6:3.3
cpe:/o:hp:hp-ux:10.20  HP HP-UX 10.20
cpe:/o:hp:hp-ux:11.04  HP HP-UX 11.04
cpe:/o:hp:hp-ux:10.24  HP HP-UX 10.24
cpe:/o:sun:solaris:2.5.1
cpe:/o:sgi:irix:6.5.2  SGI IRIX 6.5.2
cpe:/o:sgi:irix:6.5.7  SGI IRIX 6.5.7
cpe:/o:sgi:irix:6.5.8  SGI IRIX 6.5.8
cpe:/o:sgi:irix:6.5.5  SGI IRIX 6.5.5
cpe:/o:sgi:irix:6.5.3  SGI IRIX 6.5.3
cpe:/o:sgi:irix:6.5.4  SGI IRIX 6.5.4
cpe:/o:sgi:irix:6.5.1  SGI IRIX 6.5.1
cpe:/o:sgi:irix:6.5.11  SGI IRIX 6.5.11
cpe:/o:sgi:irix:6.5.6  SGI IRIX 6.5.6
cpe:/o:sgi:irix:6.5.12  SGI IRIX 6.5.12
cpe:/o:sgi:irix:6.5.13  SGI IRIX 6.5.13
cpe:/o:sgi:irix:6.5.10  SGI IRIX 6.5.10
cpe:/o:sgi:irix:6.5.9  SGI IRIX 6.5.9
cpe:/o:sun:solaris:9.0::sparc
cpe:/o:hp:hp-ux:10.10  HP HP-UX 10.10
cpe:/o:hp:hp-ux:11.00  HP-UX 11.00
cpe:/o:hp:hp-ux:11.22  HP-UX 11i v1.6
cpe:/a:xfree86_project:x11r6:3.3.2
cpe:/a:xfree86_project:x11r6:3.3.3
cpe:/a:xfree86_project:x11r6:3.3.4
cpe:/a:xfree86_project:x11r6:3.3.5

- OVAL (Technical details for detection)

oval:org.mitre.oval:def:2816  XFS Dispatch() Buffer Overflow
oval:org.mitre.oval:def:152  Solaris 7 X Font Server Remote Buffer Overrun
oval:org.mitre.oval:def:149  Solaris 8 X Font Server Remote Buffer Overrun
*OVAL describes in detail how to detect this vulnerability; further technical details on detection can be found in the related OVAL definitions.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1317
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1317
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200212-008
(Official data source) CNNVD

- Other links and resources

ftp://patches.sgi.com/support/free/security/advisories/20021202-01-I
(UNKNOWN)  SGI  20021202-01-I
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21541
(VENDOR_ADVISORY)  ISS  20021125 Solaris fs.auto Remote Compromise Vulnerability
http://marc.info/?l=bugtraq&m=103825150527843&w=2
(UNKNOWN)  BUGTRAQ  20021125 ISS Security Brief: Solaris fs.auto Remote Compromise Vulnerability
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/48879
(UNKNOWN)  CONFIRM  http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/48879
http://www.cert.org/advisories/CA-2002-34.html
(VENDOR_ADVISORY)  CERT  CA-2002-34
http://www.ciac.org/ciac/bulletins/n-024.shtml
(UNKNOWN)  CIAC  N-024
http://www.iss.net/security_center/static/10375.php
(VENDOR_ADVISORY)  XF  solaris-fsauto-execute-code(10375)
http://www.kb.cert.org/vuls/id/312313
(UNKNOWN)  CERT-VN  VU#312313
http://www.securityfocus.com/advisories/4988
(UNKNOWN)  HP  HPSBUX0212-228
http://www.securityfocus.com/bid/6241
(VENDOR_ADVISORY)  BID  6241

- Vulnerability information

Solaris fs.auto Remote Buffer Overflow Vulnerability
High risk  Boundary condition error
2002-12-11 00:00:00 2005-05-13 00:00:00
Remote
        
        

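- Advisories and patches

        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Temporarily disable the fs.auto service:
        The fs.auto service can be disabled by editing /etc/inetd.conf and restarting the inetd process:
        1. Comment out the following line in /etc/inetd.conf:
        #fs stream tcp wait nobody /usr/openwin/lib/fs.auto fs
        2. Restart the inetd process: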
        # ps -elf |grep inetd
         root 138 1 0 Oct 15 ? 0:00 /usr/sbin/inetd
        # kill -1 138
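
The workaround above as a repeatable check, added here as an example (it is not part of the CNNVD or vendor advisories): it comments out an active fs.auto entry in an inetd.conf-style file, keeps a backup, and verifies that no active entry remains. The function name `disable_fs_auto` and the sample file contents are constructed for illustration; POSIX grep and sed are assumed.

```shell
#!/bin/sh
# Added example: apply and verify the inetd.conf workaround for fs.auto.

# An *active* entry: service name "fs" at line start, server program fs.auto.
FS_ACTIVE='^[[:space:]]*fs[[:space:]].*fs\.auto'

# disable_fs_auto FILE  (hypothetical helper name)
#   0 = active entry found and now commented out
#   1 = no active entry (already disabled or absent)
#   2 = file missing, or the rewrite/verification failed
disable_fs_auto() {
    conf=$1
    [ -f "$conf" ] || return 2
    grep "$FS_ACTIVE" "$conf" >/dev/null || return 1
    cp -p "$conf" "$conf.bak" || return 2       # keep a rollback copy
    # Prefix '#' only on lines that match the active-entry pattern.
    sed "/$FS_ACTIVE/s/^/#/" "$conf.bak" > "$conf.new" || return 2
    # Overwrite in place so the original file's owner and mode are kept.
    cat "$conf.new" > "$conf" || return 2
    rm -f "$conf.new"
    # Verify: no active fs.auto entry may remain.
    if grep "$FS_ACTIVE" "$conf" >/dev/null; then return 2; fi
    return 0
}

# Demo on a constructed inetd.conf fragment (does not touch /etc/inetd.conf).
demo=$(mktemp) || exit 1
printf '%s\n' \
    'ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd' \
    'fs stream tcp wait nobody /usr/openwin/lib/fs.auto fs' > "$demo"
rc=0; disable_fs_auto "$demo" || rc=$?
echo "first run:  $rc"
rc=0; disable_fs_auto "$demo" || rc=$?
echo "second run: $rc"
cat "$demo"
rm -f "$demo" "$demo.bak"
# On a real host, run it as root against /etc/inetd.conf, then send SIGHUP
# to inetd (kill -1 <pid>) as in step 2 so the change takes effect.
```
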
        Vendor patches:
        HP
        --
        HP has released a security advisory (HPSBUX0212-228) and corresponding patches for this issue:
        HPSBUX0212-228:SSRT2429 Security Vulnerability in xfs
        Link:
        http://archives.neohapsis.com/archives/hp/2002-q4/0053.html

        Sun
        ---
        The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version:
        
        http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/48879

        Patch downloads:
        SPARC
        Solaris 2.6 patch 108129-05
        
        http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=108129&rev=05

        Solaris 7 patch 108117-06
        
        http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=108117&rev=06

        Solaris 8 patch 109862-03
        
        http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=109862&rev=03

        
        Solaris 9 patch 113923-02
        
        http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=113923&rev=02

        Intel
        Solaris 2.6 patch 108130-05
        
        http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=108130&rev=05

        Solaris 7 patch 108118-06
        
        http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=108118&rev=06

        Solaris 8 109863-03
        
        http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=109863&rev=03

- Vulnerability information

15140
Solaris fs.auto XFS Font Server Crafted XFS Query Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity

- Vulnerability description

Unknown or Incomplete

- Timeline

2002-11-25 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Multiple Vendor X Font Server Remote Buffer Overrun Vulnerability
Boundary Condition Error 6241
Yes No
2002-11-25 12:00:00 2009-07-11 07:16:00
Discovered by Neel Mehta of ISS X-Force.

- Affected program versions

XFree86 X11R6 3.3.5
- RedHat Linux 6.1 i386
XFree86 X11R6 3.3.4
XFree86 X11R6 3.3.3
XFree86 X11R6 3.3.2
+ Mandriva Linux Mandrake 8.0
XFree86 X11R6 3.3
Sun Solaris 2.5.1 _x86
Sun Solaris 2.5.1 _ppc
Sun Solaris 2.5.1
Sun Solaris 9_x86 Update 2
Sun Solaris 9
Sun Solaris 8_x86
Sun Solaris 8_sparc
Sun Solaris 7.0_x86
Sun Solaris 7.0
Sun Solaris 2.6_x86
Sun Solaris 2.6
SGI IRIX 6.5.13
SGI IRIX 6.5.12
SGI IRIX 6.5.11
SGI IRIX 6.5.10
SGI IRIX 6.5.9
SGI IRIX 6.5.8
SGI IRIX 6.5.7
SGI IRIX 6.5.6
SGI IRIX 6.5.5
SGI IRIX 6.5.4
SGI IRIX 6.5.3
SGI IRIX 6.5.2
SGI IRIX 6.5.1
SGI IRIX 6.5
IBM AIX 4.3.3
IBM AIX 4.3.2
IBM AIX 4.3.1
IBM AIX 5.2
IBM AIX 5.1
HP HP-UX 11.22
HP HP-UX 11.11
HP HP-UX 11.0 4
HP HP-UX 11.0
HP HP-UX 10.24
HP HP-UX 10.20
HP HP-UX 10.10
XFree86 X11R6 4.2.1
+ Immunix Immunix OS 7.3
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ Mandriva Linux Mandrake 9.0
+ RedHat Linux 7.3
+ Slackware Linux 8.1
XFree86 X11R6 4.2 .0
+ Conectiva Linux Enterprise Edition 1.0
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Workstation 8.0
XFree86 X11R6 4.1 .0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ Red Hat Enterprise Linux AS 2.1
+ RedHat Advanced Workstation for the Itanium Processor 2.1
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux WS 2.1
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.1 i386
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Workstation 7.0
XFree86 X11R6 4.0.3
+ RedHat Linux 7.1
XFree86 X11R6 4.0.1
+ RedHat Linux 7.0
XFree86 X11R6 4.0
XFree86 X11R6 3.3.6
+ Debian Linux 2.2
+ Red Hat Linux 6.2
SGI IRIX 6.5.19
SGI IRIX 6.5.18
SGI IRIX 6.5.17
SGI IRIX 6.5.16
SGI IRIX 6.5.15
SGI IRIX 6.5.14

- Unaffected program versions

XFree86 X11R6 4.2.1
+ Immunix Immunix OS 7.3
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ Mandriva Linux Mandrake 9.0
+ RedHat Linux 7.3
+ Slackware Linux 8.1
XFree86 X11R6 4.2 .0
+ Conectiva Linux Enterprise Edition 1.0
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Workstation 8.0
XFree86 X11R6 4.1 .0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ Red Hat Enterprise Linux AS 2.1
+ RedHat Advanced Workstation for the Itanium Processor 2.1
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux WS 2.1
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.1 i386
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Workstation 7.0
XFree86 X11R6 4.0.3
+ RedHat Linux 7.1
XFree86 X11R6 4.0.1
+ RedHat Linux 7.0
XFree86 X11R6 4.0
XFree86 X11R6 3.3.6
+ Debian Linux 2.2
+ Red Hat Linux 6.2
SGI IRIX 6.5.19
SGI IRIX 6.5.18
SGI IRIX 6.5.17
SGI IRIX 6.5.16
SGI IRIX 6.5.15
SGI IRIX 6.5.14

- Vulnerability discussion

A remotely exploitable buffer overrun condition has been reported in the XFS font server, fs.auto, used by multiple vendors. This vulnerability may be exploited by remote attackers to execute commands on the target host with the privileges of user nobody.

This vulnerability has been reported fixed in XFree86 3.3.6 and later.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

The initial temporary fixes released by HP enabled the SHLIB_PATH, which may expose systems to additional vulnerabilities. HP has released an updated advisory instructing users that have applied the first set of fixes to either download revised fixes, or perform the following task on vulnerable fixes:

chatr +s disable xfs.1020
chatr +s disable xfs.1100
chatr +s disable xfs.1111

HP has released an advisory which contains patches. The following manual fix information was also included:

HP-UX 10.24 users should extract xfs from the 10.20 patch
HP-UX 11.04 users should extract xfs from the 11.00 patch.
HP-UX 10.10 users should contact the vendor for fix information.

Further details are available in the referenced HP Advisory.

SGI has released a security advisory. Users are advised to upgrade to IRIX v6.5.14 or later. Further details can be obtained from the referenced advisory.

Sun has released a preliminary advisory addressing this issue. Sun has advised users to disable the vulnerable server until fixes are available. See the referenced advisory for more details.

Fixes available:


Sun Solaris 8_sparc

Sun Solaris 2.6_x86

IBM AIX 5.1

Sun Solaris 7.0

IBM AIX 5.2

Sun Solaris 9

Sun Solaris 7.0_x86

Sun Solaris 2.6

Sun Solaris 8_x86

HP HP-UX 10.20

HP HP-UX 11.0

HP HP-UX 11.11

HP HP-UX 11.22

XFree86 X11R6 3.3
  • XFree86 X11R6 4.2.0 installation script
    This is just the installation script. You must acquire the platform specific binary for this distribution from ftp://ftp.xfree86.org/pub/XFree86/4.2.0/binaries/ or http://ftp.xfree86.org/pub/XFree86/4.2.0/binaries/ . To determine which distribution you need to download, obtain the installation scr
    ftp://ftp.xfree86.org/pub/XFree86/4.2.0/Xinstall.sh


XFree86 X11R6 3.3.2
  • XFree86 X11R6 4.2.0 installation script
    This is just the installation script. You must acquire the platform specific binary for this distribution from ftp://ftp.xfree86.org/pub/XFree86/4.2.0/binaries/ or http://ftp.xfree86.org/pub/XFree86/4.2.0/binaries/ . To determine which distribution you need to download, obtain the installation scr
    ftp://ftp.xfree86.org/pub/XFree86/4.2.0/Xinstall.sh


XFree86 X11R6 3.3.3
  • XFree86 X11R6 4.2.0 installation script
    This is just the installation script. You must acquire the platform specific binary for this distribution from ftp://ftp.xfree86.org/pub/XFree86/4.2.0/binaries/ or http://ftp.xfree86.org/pub/XFree86/4.2.0/binaries/ . To determine which distribution you need to download, obtain the installation scr
    ftp://ftp.xfree86.org/pub/XFree86/4.2.0/Xinstall.sh


XFree86 X11R6 3.3.4
  • XFree86 X11R6 4.2.0 installation script
    This is just the installation script. You must acquire the platform specific binary for this distribution from ftp://ftp.xfree86.org/pub/XFree86/4.2.0/binaries/ or http://ftp.xfree86.org/pub/XFree86/4.2.0/binaries/ . To determine which distribution you need to download, obtain the installation scr
    ftp://ftp.xfree86.org/pub/XFree86/4.2.0/Xinstall.sh


XFree86 X11R6 3.3.5
  • XFree86 X11R6 4.2.0 installation script
    This is just the installation script. You must acquire the platform specific binary for this distribution from ftp://ftp.xfree86.org/pub/XFree86/4.2.0/binaries/ or http://ftp.xfree86.org/pub/XFree86/4.2.0/binaries/ . To determine which distribution you need to download, obtain the installation scr
    ftp://ftp.xfree86.org/pub/XFree86/4.2.0/Xinstall.sh


IBM AIX 4.3.1

IBM AIX 4.3.2

IBM AIX 4.3.3
