CVE-2002-1347
CVSS 7.5
Published: 2002-12-18 00:00:00
Revised: 2016-10-17 22:26:11
NMCOS    

[Original] Multiple buffer overflows in Cyrus SASL library 2.1.9 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) long inputs during user name canonicalization, (2) characters that need to be escaped during LDAP authentication using saslauthd, or (3) an off-by-one error in the log writer, which does not allocate space for the null character that terminates a string.


[CNNVD] Cyrus SASL library user name heap corruption vulnerability (CNNVD-200212-037)

        
        The Cyrus SASL library provides a set of functions for secure authentication.
        Because the library performs insufficient bounds checking when handling user names, a remote attacker can submit an overlong user name and cause heap corruption.
        Owing to the missing length check on the user name, an attacker can trigger a heap-based buffer overflow in any server application that uses the Cyrus SASL library; carefully crafted user name data may execute arbitrary instructions on the system with the privileges of the current process. The client library has the same flaw, but since the user name there is obtained from the local user it is harder to exploit. This overflow is only reachable when a default realm is configured.
        The issue was found in Cyrus, but other applications that use the SASL library may also be affected.
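The overflow described above, the realm-append step of user name canonicalization, as an added C example that is not Cyrus SASL's own code: `unchecked_write_extent()` computes, without performing any write, how far the unchecked copy sequence (user name, then '@', then realm) reaches into an out_umax-byte buffer, exposing the size_t wrap-around that makes the realm copy effectively unbounded once the user name is already longer than the buffer; `canon_user_with_realm()` is a bounds-checked replacement that rejects such input with SASL_BUFOVER before touching the buffer. The buffer size, the function names and the sample user/realm strings are assumptions; only the return code values mirror Cyrus SASL's sasl.h.

```c
/* Added example, not Cyrus SASL code. Models the realm-append step of
 * user name canonicalization and a bounds-checked replacement for it.
 * Names, buffer sizes and sample strings are assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Return codes as in Cyrus SASL's sasl.h: SASL_OK = 0, SASL_BUFOVER = -4. */
enum { SASL_OK = 0, SASL_BUFOVER = -4 };

/* Compute, without writing anything, how many bytes the unchecked sequence
 *   memcpy(out_user, begin_u, MIN(ulen, out_umax));
 *   out_user[ulen] = '@';
 *   memcpy(&out_user[ulen+1], realm, MIN(u_apprealm-1, out_umax-ulen-1));
 * would touch in an out_umax-byte buffer. u_apprealm is the realm length
 * plus one (its NUL). All arithmetic is size_t: when ulen >= out_umax the
 * expression out_umax-ulen-1 wraps to a huge value, MIN() picks the full
 * realm length, and the realm lands entirely past the end of the buffer. */
static size_t unchecked_write_extent(size_t ulen, size_t realm_len, size_t out_umax)
{
    size_t u_apprealm = realm_len + 1;
    size_t extent = MIN(ulen, out_umax);          /* first memcpy is bounded */
    if (ulen + 1 > extent)                        /* '@' goes at index ulen */
        extent = ulen + 1;
    size_t realm_copy = MIN(u_apprealm - 1, out_umax - ulen - 1); /* may wrap */
    if (ulen + 1 + realm_copy > extent)
        extent = ulen + 1 + realm_copy;
    return extent;   /* any value > out_umax means out-of-bounds writes */
}

/* Bounds-checked replacement: the request is refused unless user, '@',
 * realm and the terminating NUL all fit in out_umax bytes. On failure the
 * output buffer is left untouched, so a caller cannot consume a half-built
 * name. realm may be NULL (no default realm configured). */
static int canon_user_with_realm(char *out_user, size_t out_umax,
                                 const char *user, const char *realm)
{
    size_t ulen = strlen(user);
    size_t rlen = realm ? strlen(realm) : 0;
    size_t need = ulen + (realm ? 1 + rlen : 0) + 1;   /* +1 for the NUL */
    if (need > out_umax)
        return SASL_BUFOVER;
    memcpy(out_user, user, ulen);
    if (realm) {
        out_user[ulen] = '@';
        memcpy(out_user + ulen + 1, realm, rlen);
        out_user[ulen + 1 + rlen] = '\0';
    } else {
        out_user[ulen] = '\0';
    }
    return SASL_OK;
}

int main(void)
{
    char buf[32];                              /* assumed output buffer */
    printf("unchecked extent for ulen=40, realm=11, out_umax=32: %zu bytes\n",
           unchecked_write_extent(40, 11, 32));
    int rc = canon_user_with_realm(buf, sizeof buf, "alice", "example.org");
    printf("rc=%d out=%s\n", rc, rc == SASL_OK ? buf : "(untouched)");
    char longuser[64];                         /* constructed overlong name */
    memset(longuser, 'A', sizeof longuser - 1);
    longuser[sizeof longuser - 1] = '\0';
    rc = canon_user_with_realm(buf, sizeof buf, longuser, "example.org");
    printf("rc=%d (%s)\n", rc, rc == SASL_BUFOVER ? "SASL_BUFOVER" : "ok");
    return 0;
}
```

The first function is a calculator, not a reproduction: it never writes out of bounds, it only reports how far the original arithmetic would have written, which is what you want when triaging whether a given buffer size and input length are reachable. The replacement computes the full required length once, including the NUL, and refuses before any copy, which also fixes the silent realm truncation present in the original MIN() expression.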
        

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) not available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1347
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1347
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200212-037
(official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/linux/suse/2002-q4/1275.html
(UNKNOWN)  SUSE  SuSE-SA:2002:048
http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000557
(UNKNOWN)  CONECTIVA  000557
http://lists.apple.com/archives/security-announce/2005/Mar/msg00000.html
(UNKNOWN)  APPLE  APPLE-SA-2005-03-21
http://marc.info/?l=bugtraq&m=103946297703402&w=2
(UNKNOWN)  BUGTRAQ  20021209 Cyrus SASL library buffer overflows
http://www.debian.org/security/2002/dsa-215
(UNKNOWN)  DEBIAN  DSA-215
http://www.redhat.com/support/errata/RHSA-2002-283.html
(UNKNOWN)  REDHAT  RHSA-2002:283
http://www.securityfocus.com/advisories/4826
(UNKNOWN)  GENTOO  200212-10
http://www.securityfocus.com/bid/6347
(UNKNOWN)  BID  6347
http://www.securityfocus.com/bid/6348
(UNKNOWN)  BID  6348
http://www.securityfocus.com/bid/6349
(UNKNOWN)  BID  6349
http://xforce.iss.net/xforce/xfdb/10810
(UNKNOWN)  XF  cyrus-sasl-username-bo(10810)
http://xforce.iss.net/xforce/xfdb/10811
(UNKNOWN)  XF  cyrus-sasl-saslauthd-bo(10811)
http://xforce.iss.net/xforce/xfdb/10812
(UNKNOWN)  XF  cyrus-sasl-logwriter-bo(10812)

- Vulnerability information

Cyrus SASL library user name heap corruption vulnerability
High severity  Boundary condition error
2002-12-18 00:00:00 2005-10-20 00:00:00
Remote
        

- Advisories and patches

        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Timo Sirainen <tss@iki.fi> has provided the following third-party patch:
        diff -ru cyrus-sasl-2.1.9-old/lib/canonusr.c cyrus-sasl-2.1.9/lib/canonusr.c
        --- cyrus-sasl-2.1.9-old/lib/canonusr.c 2002-09-16 21:37:20.000000000 +0300
        +++ cyrus-sasl-2.1.9/lib/canonusr.c 2002-12-05 06:18:36.000000000 +0200
        @@ -306,6 +306,7 @@
         /* Now copy! (FIXME: check for SASL_BUFOVER?) */
         memcpy(out_user, begin_u, MIN(ulen, out_umax));
         if(sconn && u_apprealm) {
        + if(ulen >= out_umax) return SASL_BUFOVER;
         out_user[ulen] = '@';
         memcpy(&(out_user[ulen+1]), sconn->user_realm,
         MIN(u_apprealm-1, out_umax-ulen-1));
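Review bot: the new `if(ulen >= out_umax) return SASL_BUFOVER;` is placed inside the `if(sconn && u_apprealm)` branch, so it guards only the realm-append path, and it runs after `memcpy(out_user, begin_u, MIN(ulen, out_umax));` has already filled the buffer, so on the SASL_BUFOVER return out_user holds a truncated, unterminated name that callers must not use; either move the check above the first memcpy or document that the buffer is invalid on error. The `/* Now copy! (FIXME: check for SASL_BUFOVER?) */` comment is now only half addressed and should say which case is checked. The realm copy below still truncates silently through `MIN(u_apprealm-1, out_umax-ulen-1)` instead of returning SASL_BUFOVER when the realm does not fit.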
        diff -ru cyrus-sasl-2.1.9-old/saslauthd/lak.c cyrus-sasl-2.1.9/saslauthd/lak.c
        --- cyrus-sasl-2.1.9-old/saslauthd/lak.c 2002-08-01 22:58:24.000000000 +0300
        +++ cyrus-sasl-2.1.9/saslauthd/lak.c 2002-12-05 07:43:34.000000000 +0200
        @@ -279,7 +279,7 @@
         char *buf;
         char *end, *ptr, *temp;
        
        - buf = malloc(strlen(s) * 2 + 1);
        + buf = malloc(strlen(s) * 3 + 1);
         if (buf == NULL) {
         return LAK_NOMEM;
         }
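Review bot: changing `malloc(strlen(s) * 2 + 1)` to `malloc(strlen(s) * 3 + 1)` encodes the worst-case expansion of the escaping applied to `s` below, but nothing in the hunk says why 3 is the right factor; add a comment stating the per-byte expansion the escaper produces (an LDAP filter escape of backslash plus two hex digits turns one byte into three), otherwise the next change to the escaper can reintroduce the undersized buffer. A first pass over `s` that counts the bytes needing escape would give the exact size instead of a multiplier.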
        @@ -358,7 +358,8 @@
         if( *buf == '%' ) percents++;
         }
        
        - buf=malloc(strlen(lak->conf->filter) + (percents * maxparamlength) +1);
        + buf=malloc(strlen(lak->conf->filter) +
        + (percents * maxparamlength * 3) + 1);
         if(buf == NULL) {
         syslog(LOG_ERR|LOG_AUTH, "Cannot allocate memory");
         return LAK_NOMEM;
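Review bot: `(percents * maxparamlength * 3) + 1` repeats the expansion factor hard-coded in the previous hunk; if the two constants drift apart the filter buffer is undersized again. Define the factor once as a named macro and use it in both allocations. Note that `percents` counts every '%' in `lak->conf->filter`, including any that do not introduce a substituted parameter; that only over-allocates, but the intent deserves a comment.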
        diff -ru cyrus-sasl-2.1.9-old/lib/common.c cyrus-sasl-2.1.9/lib/common.c
        --- cyrus-sasl-2.1.9-old/lib/common.c 2002-09-19 01:07:54.000000000 +0300
        +++ cyrus-sasl-2.1.9/lib/common.c 2002-12-05 08:11:49.000000000 +0200
        @@ -1326,6 +1326,8 @@
         }
         }
        
        + result = _buf_alloc(&out, &alloclen, outlen+1);
        + if (result != SASL_OK) goto done;
         out[outlen]=0; /* put 0 at end */
        
         va_end(ap);
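Review bot: `if (result != SASL_OK) goto done;` jumps over the `va_end(ap);` that follows `out[outlen]=0;`, so on the allocation-failure path the va_list is never ended unless the `done:` label does it; either move `va_end(ap);` ahead of the new check or confirm that `done:` calls it. Growing the buffer to `outlen+1` is the right fix for the missing terminator byte; a comment saying the extra byte is for the NUL written on the next line would keep it from being "optimized" away later.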
        The effectiveness of this patch has not been verified.
        Vendor patch:
        Carnegie Mellon University
        --------------------------
        The vendor has released an upgrade that fixes this security issue; download the latest version from the vendor's home page:
        Cyrus SASL 2.1.10 upgrade
        ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.10.tar.gz

- Vulnerability information

10655
Cyrus SASL Library User Name Canonicalization Overflow
Input Manipulation
Loss of Integrity
Upgrade
Vendor Verified

- Timeline

2002-12-09 Unknown
Unknown Unknown

- Solution

Upgrade to version 2.1.10 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Credit

Unknown or Incomplete

- Vulnerability information

Cyrus SASL Library Logging Memory Corruption Vulnerability
Boundary Condition Error  6349
Remote: Yes  Local: No
2002-12-09 12:00:00 2009-07-11 07:16:00
Discovery of this vulnerability is credited to Timo Sirainen <tss@iki.fi>.

- Affected program versions

Cyrus SASL 2.1.9
+ RedHat Linux 8.0 i386
+ RedHat Linux 8.0
Apple Mac OS X Server 10.3.8
Apple Mac OS X Server 10.3.7
Apple Mac OS X Server 10.3.6
Apple Mac OS X Server 10.3.5
Apple Mac OS X Server 10.3.4
Apple Mac OS X Server 10.3.3
Apple Mac OS X Server 10.3.2
Apple Mac OS X Server 10.3.1
Apple Mac OS X Server 10.3
Apple Mac OS X Server 10.2.8
Apple Mac OS X Server 10.2.7
Apple Mac OS X Server 10.2.6
Apple Mac OS X Server 10.2.5
Apple Mac OS X Server 10.2.4
Apple Mac OS X Server 10.2.3
Apple Mac OS X Server 10.2.2
Apple Mac OS X Server 10.2.1
Apple Mac OS X Server 10.2
Apple Mac OS X Server 10.1.5
Apple Mac OS X Server 10.1.4
Apple Mac OS X Server 10.1.3
Apple Mac OS X Server 10.1.2
Apple Mac OS X Server 10.1.1
Apple Mac OS X Server 10.1
Apple Mac OS X Server 10.0
Apple Mac OS X 10.3.8
Apple Mac OS X 10.3.7
Apple Mac OS X 10.3.6
Apple Mac OS X 10.3.5
Apple Mac OS X 10.3.4
Apple Mac OS X 10.3.3
Apple Mac OS X 10.3.2
Apple Mac OS X 10.3.1
Apple Mac OS X 10.3
Apple Mac OS X 10.2.8
Apple Mac OS X 10.2.7
Apple Mac OS X 10.2.6
Apple Mac OS X 10.2.5
Apple Mac OS X 10.2.4
Apple Mac OS X 10.2.3
Apple Mac OS X 10.2.2
Apple Mac OS X 10.2.1
Apple Mac OS X 10.2
Apple Mac OS X 10.1.5
Apple Mac OS X 10.1.4
Apple Mac OS X 10.1.3
Apple Mac OS X 10.1.2
Apple Mac OS X 10.1.1
Apple Mac OS X 10.1
Apple Mac OS X 10.0.4
Apple Mac OS X 10.0.3
Apple Mac OS X 10.0.2
Apple Mac OS X 10.0.1
Apple Mac OS X 10.0 3
Apple Mac OS X 10.0

- Unaffected program versions

Cyrus SASL 2.1.10
Cyrus SASL 1.5.28

- Vulnerability discussion

A memory corruption vulnerability has been discovered in SASL when generating log files. It has been reported that under some circumstances SASL fails to allocate sufficient memory for the string used in a log entry: the allocation leaves no room for the terminating null byte. By causing Cyrus to write a log entry built from attacker-supplied input, it may be possible for an attacker to corrupt heap memory.

This could potentially be exploited to overwrite the least significant byte of a sensitive variable, or to cause inaccurate logs to be created.

It should be noted that although this vulnerability was discovered in Cyrus, it may also affect other programs that use the SASL library.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at vuldb@securityfocus.com.

- Solution

It is recommended that all Gentoo Linux users who are running
dev-libs/cyrus-sasl-2.1.9 update their systems as follows:

emerge rsync
emerge cyrus-sasl
emerge clean

This issue has been fixed in version 2.1.10. Users are advised to upgrade as soon as possible.

Apple has released advisory (Security Update 2005-003) to address various issues. Please see the referenced advisory for more information. Updates for Mac OS X v10.3.8 and Mac OS X Server v10.3.8 are available.



