CVE-2002-1403
CVSS7.2
Published: 2003-01-17 00:00:00
Last modified: 2016-10-17 22:26:55
NMCOS    

[Original] dhcpcd DHCP client daemon 1.3.22 and earlier allows local users to execute arbitrary code via shell metacharacters that are fed from a dhcpd .info script into a .exe script.


[CNNVD] DHCPCD Character Expansion Remote Command Execution Vulnerability (CNNVD-200301-030)

dhcpcd is an RFC 2131 and RFC 1541 compliant DHCP client daemon.
dhcpcd does not properly validate data supplied by the DHCP server; a remote attacker can exploit this to execute arbitrary commands on the client system with root privileges.
When assigning an IP address to a network interface, dhcpcd runs an external script, '/sbin/dhcpcd-<interface>.exe'. This is an optional configuration that, on Conectiva systems (others unconfirmed), must be set up manually by copying the script into /sbin/. The script 'dhcpcd-<interface>.exe' uses values from '/var/lib/dhcpcd/dhcpcd-<interface>.info', and those values originate from the DHCP server. Because this data is not adequately checked, a malicious DHCP server that inserts arbitrary system commands containing shell metacharacters into '/var/lib/dhcpcd/dhcpcd-<interface>.info' can cause those commands to be executed on the client system with root privileges.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Access complexity: LOW [no access conditions are required to exploit]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

cpe:/a:phystech:dhcpcd:1.3.22_pl1
cpe:/a:phystech:dhcpcd:1.3.17_pl2

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1403
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1403
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200301-030
(official data source) CNNVD

- Other links and resources

http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000549
(UNKNOWN)  CONECTIVA  CLA-2002:549
http://marc.info/?l=bugtraq&m=104189546709447&w=2
(UNKNOWN)  GENTOO  GLSA-200301-3
http://www.debian.org/security/2002/dsa-219
(VENDOR_ADVISORY)  DEBIAN  DSA-219
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:003
(UNKNOWN)  MANDRAKE  MDKSA-2003:003
http://www.securityfocus.com/bid/6200
(UNKNOWN)  BID  6200
http://xforce.iss.net/xforce/xfdb/10663
(VENDOR_ADVISORY)  XF  dhcpcd-info-execute-commands(10663)

- Vulnerability information

DHCPCD Character Expansion Remote Command Execution Vulnerability
High risk  Input validation
2003-01-17 00:00:00 2005-05-13 00:00:00
Remote

- Advisories and patches

Workaround:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measure to reduce the threat:
* Remove the '/sbin/dhcpcd-<interface>.exe' script.
Vendor patches:
Conectiva
---------
Conectiva has released a security advisory (CLA-2002:549) and a corresponding patch:
CLA-2002:549: dhcpcd
Link:
http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000549

Patch downloads:
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/dhcpcd-1.3.22pl3-1U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/dhcpcd-1.3.22pl3-1U60_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/dhcpcd-1.3.22pl3-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/dhcpcd-1.3.22pl3-1U70_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/dhcpcd-1.3.22pl3-1U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/dhcpcd-1.3.22pl3-1U80_1cl.src.rpm
Users of Conectiva Linux 6.0 and later can update the RPM packages with apt:
- Add the following line to /etc/apt/sources.list:

rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates
(if you are not running version 6.0, replace the 6.0 above with the appropriate version number)
- Run: apt-get update
- After the update, run: apt-get upgrade
Phystech
--------
The vendor has not yet released a patch or upgrade; users of this software should watch the vendor's home page for the latest version:
Phystech Upgrade dhcpcd-1.3.22-pl2

http://www.phystech.com/download/

Phystech Upgrade dhcpcd-1.3.22-pl3

http://www.phystech.com/download/

- Vulnerability information

16011
dhcpcd DHCP Client Daemon .info File Command Execution

- Vulnerability description

Unknown or Incomplete

- Timeline

2002-11-18 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Credits

Unknown or Incomplete

- Vulnerability information

DHCPCD Character Expansion Remote Command Execution Vulnerability
Input Validation Error 6200
Yes No
2002-11-18 12:00:00 2009-07-11 07:16:00
Vulnerability announced in a Conectiva security advisory.

- Affected versions

Phystech dhcpcd 1.3.22 -pl1
+ MandrakeSoft Multi Network Firewall 2.0
+ MandrakeSoft Single Network Firewall 7.2
+ Mandriva Linux Mandrake 9.0
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ Mandriva Linux Mandrake 7.2
Phystech dhcpcd 1.3.17 -pl2
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
Phystech dhcpcd 1.3.22 -pl3
Phystech dhcpcd 1.3.22 -pl2

- Unaffected versions

Phystech dhcpcd 1.3.22 -pl3
Phystech dhcpcd 1.3.22 -pl2

- Vulnerability discussion

When assigning an IP address to a network interface, dhcpcd may execute an external script, '/sbin/dhcpcd-<interface>.exe'. This is an optional configuration that must be set up manually on Conectiva systems (others are not confirmed) by copying the script into /sbin/.

The script 'dhcpcd-<interface>.exe' uses values from '/var/lib/dhcpcd/dhcpcd-<interface>.info', which originate from the DHCP server. A lack of input validation on this data may make it possible for commands injected by a malicious DHCP server to be executed through the use of shell metacharacters such as ';' and '|'. These commands may run with root privileges.
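The hardening this discussion implies, as an added example that is neither the page's nor dhcpcd's own code: read the interface's .info file as plain KEY=value text instead of sourcing it in the hook script, and accept a value only when every character is in an allow list for addresses and host names. The sample file content, the key names and the interface name eth0 are constructed for illustration.

```shell
# Constructed sample of the KEY=value file dhcpcd writes per interface
# (/var/lib/dhcpcd/dhcpcd-<interface>.info). Key names are illustrative.
# DOMAIN and HOSTNAME carry the kind of shell metacharacters a hostile
# DHCP server could supply; inside single quotes nothing is expanded.
SAMPLE_INFO='IPADDR=192.0.2.10
NETMASK=255.255.255.0
GATEWAY=192.0.2.1
DNS=192.0.2.53,192.0.2.54
DOMAIN=example.test; echo injected
HOSTNAME=`id`host'

# safe_info_value INFO KEY: print the value of KEY only if every character
# is in the allow list for addresses and host names; otherwise print
# nothing and return 1. The text is read line by line and never sourced,
# so no part of it is ever handed to the shell for evaluation.
safe_info_value() {
    info=$1
    key=$2
    value=$(printf '%s\n' "$info" | grep -- "^$key=" | head -n 1 | cut -d= -f2-)
    [ -n "$value" ] || return 1
    case $value in
        *[!A-Za-z0-9._,:-]*) return 1 ;;   # rejects ';' '|' '`' '$' space ...
    esac
    printf '%s\n' "$value"
}

# info_unsafe_keys INFO: list every key whose value fails the allow list,
# one per line; returns 0 when the whole file is clean, 1 otherwise.
info_unsafe_keys() {
    info=$1
    bad=0
    for key in $(printf '%s\n' "$info" | cut -d= -f1); do
        if ! safe_info_value "$info" "$key" >/dev/null; then
            printf '%s\n' "$key"
            bad=1
        fi
    done
    return $bad
}

# A hook script would then use only validated values, for example:
#   domain=$(safe_info_value "$(cat /var/lib/dhcpcd/dhcpcd-eth0.info)" DOMAIN) || exit 1
```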

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

Conectiva has released a security advisory. Fixes are available.

It is recommended that all Gentoo Linux users who are running
net-misc/dhcpcd-1.3.20_p0-r1 or earlier update their systems as
follows:

emerge rsync
emerge dhcpcd
emerge clean

The vendor has addressed the issue in the latest dhcpcd release.

Fixes:


Phystech dhcpcd 1.3.17 -pl2

Phystech dhcpcd 1.3.22 -pl1

- References
