CVE-2002-1500
CVSS 7.2
Published: 2003-04-02 00:00:00
Revised: 2008-09-05 16:30:45
NMCOS    

[Original] Buffer overflow in (1) mrinfo, (2) mtrace, and (3) pppd in NetBSD 1.4.x through 1.6 allows local users to gain privileges by executing the programs after filling the file descriptor tables, which produces file descriptors larger than FD_SETSIZE, which are not checked by FD_SET().


[CNNVD] NetBSD IPv4 Multicast Tools Buffer Overflow Vulnerability (CNNVD-200304-007)

        
        NetBSD is an open-source operating system.
        Several IPv4 multicast programs in NetBSD lack proper bounds checking when performing FD_SET() operations. An attacker can exploit this to trigger a buffer overflow and potentially execute arbitrary code on the system with root privileges.
        The IPv4 multicast tools mrinfo(1) and mtrace(1), as well as pppd, are installed setuid root. These tools use select(2), which works on an fd_set descriptor set able to hold FD_SETSIZE (256) file descriptors. The tools do not check the buffer bounds when performing FD_SET(): if a file descriptor passed to select(2) is larger than the size defined by FD_SETSIZE, a buffer overflow results, and these programs may be used to execute arbitrary code with root privileges.
        <*Link: ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-014.txt.asc
        *>

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [complete information disclosure exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

cpe:/o:netbsd:netbsd:1.4.1  NetBSD 1.4.1
cpe:/o:netbsd:netbsd:1.4.1::arm32
cpe:/o:netbsd:netbsd:1.5.3  NetBSD 1.5.3
cpe:/o:netbsd:netbsd:1.4.2::sparc
cpe:/o:netbsd:netbsd:1.4.2::alpha
cpe:/o:netbsd:netbsd:1.4.1::alpha
cpe:/o:netbsd:netbsd:1.4::arm32
cpe:/o:netbsd:netbsd:1.4::sparc
cpe:/o:netbsd:netbsd:1.5  NetBSD 1.5
cpe:/o:netbsd:netbsd:1.5::sh3
cpe:/o:netbsd:netbsd:1.4.1::x86
cpe:/o:netbsd:netbsd:1.5.2  NetBSD 1.5.2
cpe:/o:netbsd:netbsd:1.4::x86
cpe:/o:netbsd:netbsd:1.4.1::sparc
cpe:/o:netbsd:netbsd:1.4.2::arm32
cpe:/o:netbsd:netbsd:1.5.1  NetBSD 1.5.1
cpe:/o:netbsd:netbsd:1.4.2::x86
cpe:/o:netbsd:netbsd:1.4::alpha
cpe:/o:netbsd:netbsd:1.4.3  NetBSD 1.4.3
cpe:/o:netbsd:netbsd:1.4.1::sh3
cpe:/o:netbsd:netbsd:1.4  NetBSD 1.4
cpe:/o:netbsd:netbsd:1.5::x86
cpe:/o:netbsd:netbsd:1.4.2  NetBSD 1.4.2

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1500
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1500
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200304-007
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/5727
(VENDOR_ADVISORY)  BID  5727
http://www.iss.net/security_center/static/10114.php
(VENDOR_ADVISORY)  XF  netbsd-fdset-bo(10114)
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-014.txt.asc
(UNKNOWN)  NETBSD  NetBSD-SA2002-014

- Vulnerability information

NetBSD IPv4 Multicast Tools Buffer Overflow Vulnerability
High severity  Boundary condition error
2003-04-02 00:00:00 2005-10-20 00:00:00
Local
        

- Advisories and patches

        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * If you do not intend to use the multicast tools or pppd, temporarily remove their setuid bits as a stopgap:
        # chmod u-s /usr/sbin/mrinfo /usr/sbin/mtrace /usr/sbin/pppd
        Vendor patch:
        NetBSD
        ------
        NetBSD has released a security advisory (NetBSD-SA2002-014) and corresponding patches:
        NetBSD-SA2002-014: fd_set overrun in mbone tools and pppd
        Link: ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-014.txt.asc
        The latest NetBSD 1.6 release is not affected by this vulnerability; users are advised to upgrade to NetBSD 1.6.
        Otherwise you can update the binaries by updating your source tree, then rebuilding and installing the new versions:
        * NetBSD-current:
         Systems running NetBSD-current from before 2002-08-10 must be upgraded to NetBSD-current of 2002-08-10 or later.
        
         The following directories must be updated from the netbsd-current CVS branch (aka HEAD):
         usr.sbin/mrinfo
         usr.sbin/mtrace
         usr.sbin/pppd
        
         To update from CVS, rebuild and reinstall mrinfo, mtrace and pppd:
        
         # cd src
         # cvs update -dP usr.sbin/mrinfo usr.sbin/mtrace usr.sbin/pppd
         # cd usr.sbin/mrinfo
         # make cleandir dependall
         # make install
         # cd usr.sbin/mtrace
         # make cleandir dependall
         # make install
         # cd usr.sbin/pppd
         # make cleandir dependall
         # make install
        * NetBSD 1.6 beta:
        
         Systems running NetBSD 1.6 BETAs and Release Candidates must be upgraded to the NetBSD 1.6 release.
        
         The following directories must be updated from the netbsd-1-6 CVS branch:
         usr.sbin/mrinfo
         usr.sbin/mtrace
         usr.sbin/pppd
        
         To update from CVS, rebuild and reinstall mrinfo, mtrace and pppd:
        
         # cd src
         # cvs update -d -P -r netbsd-1-6 \
         usr.sbin/mrinfo usr.sbin/mtrace usr.sbin/pppd
         # cd usr.sbin/mrinfo
         # make cleandir dependall
         # make install
         # cd usr.sbin/mtrace
         # make cleandir dependall
         # make install
         # cd usr.sbin/pppd
         # make cleandir dependall
         # make install
        
        * NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:
         Systems running the NetBSD 1.5 branch from before 2002-09-05 must be upgraded to the NetBSD 1.5 branch of 2002-09-05 or later.
        
         The following directories must be updated from the netbsd-1-5 CVS branch:
         usr.sbin/mrinfo
         usr.sbin/mtrace
         usr.sbin/pppd
        
         To update from CVS, rebuild and reinstall mrinfo, mtrace and pppd:
        
         # cd src
         # cvs update -d -P -r netbsd-1-5 \
         usr.sbin/mrinfo usr.sbin/mtrace usr.sbin/pppd
         # cd usr.sbin/mrinfo
         # make cleandir dependall
         # make install
         # cd usr.sbin/mtrace
         # make cleandir dependall
         # make install
         # cd usr.sbin/pppd
         # make cleandir dependall
         # make install
        * NetBSD 1.4.x:
         None yet

- Vulnerability information

7567
NetBSD mtrace FD_SET File Descriptor Overflow
Local Access Required Input Manipulation
Loss of Confidentiality, Loss of Integrity, Loss of Availability

- Vulnerability description

A local overflow exists in NetBSD's mtrace. mtrace and other multicast mbone tools fail to correctly perform boundary checking on FD_SET() operations, allowing a user to fill up the file descriptor table and then exec the binary, resulting in a buffer overflow. An attacker can cause their privileges to be elevated to root, resulting in a loss of confidentiality, integrity, and/or availability.

- Timeline

2002-09-16 Unknown
Unknown Unknown

- Solution

Upgrade to version 1.6 of NetBSD, a version of the 1.5 code train later than September 5, 2002, or a version of NetBSD-current later than August 10, 2002, as these have been reported to fix this vulnerability. It is also possible to mitigate the flaw by removing the setuid bit from mtrace if you do not intend to use the program.

- References

- Credit

- Vulnerability information

NetBSD IPv4 Multicast Tools Buffer Overflow Vulnerability
Boundary Condition Error 5727
No Yes
2002-09-17 12:00:00 2009-07-11 05:06:00
Discovery of this vulnerability credited to xs@kittenz.org.

- Affected program versions

NetBSD NetBSD 1.5.3
NetBSD NetBSD 1.5.2
NetBSD NetBSD 1.5.1
NetBSD NetBSD 1.5 x86
NetBSD NetBSD 1.5 sh3
NetBSD NetBSD 1.5
NetBSD NetBSD 1.4.3
NetBSD NetBSD 1.4.2 x86
NetBSD NetBSD 1.4.2 SPARC
NetBSD NetBSD 1.4.2 arm32
NetBSD NetBSD 1.4.2 Alpha
NetBSD NetBSD 1.4.2
NetBSD NetBSD 1.4.1 x86
NetBSD NetBSD 1.4.1 SPARC
NetBSD NetBSD 1.4.1 sh3
NetBSD NetBSD 1.4.1 arm32
NetBSD NetBSD 1.4.1 Alpha
NetBSD NetBSD 1.4.1
NetBSD NetBSD 1.4 x86
NetBSD NetBSD 1.4 SPARC
NetBSD NetBSD 1.4 arm32
NetBSD NetBSD 1.4 Alpha
NetBSD NetBSD 1.4
NetBSD NetBSD 1.6

- Unaffected program versions

NetBSD NetBSD 1.6

- Vulnerability discussion

NetBSD has reported buffer overflow vulnerabilities in several of its IPv4 multicast tools as well as the pppd service. The mrinfo(1), mtrace(1) and the pppd(8) daemon are affected by this vulnerability.

The buffer overflow vulnerability is a result of improper boundary checking when performing FD_SET() operations. The multicast tools and the pppd service are setuid root applications. An attacker can exploit this vulnerability to obtain root privileges on vulnerable systems.
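The defect described above is simple to reason about in code: FD_SET() sets bit number fd inside an fd_set, a fixed-size bitmap of FD_SETSIZE bits, and performs no range check, so a descriptor numbered FD_SETSIZE or higher is written outside the object. A program that inherits a crowded descriptor table from its parent can therefore be handed such a descriptor without ever asking for it. The following example is added here and is not code from this record, from NetBSD, or from the advisory's patch (whose text is not on this page); the helper names (fd_fits_fdset, safe_fd_set, wait_readable_select, wait_readable_poll, the demo_ functions) are this example's own. It shows the bounds check a select(2) user needs before FD_SET(), the poll(2) alternative that has no FD_SETSIZE limit at all, and a self-contained harness that reproduces the oversized-descriptor condition inside an unprivileged process (by opening /dev/null repeatedly, raising only its own soft RLIMIT_NOFILE) so the guard can be verified. FD_SETSIZE is 256 on the NetBSD releases in this advisory and 1024 on glibc systems; the code uses whatever the platform defines.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <sys/time.h>
#include <unistd.h>

/* Returns 1 when fd can be represented in an fd_set, 0 otherwise. FD_SET()
 * itself performs no such check: with fd >= FD_SETSIZE it sets a bit past the
 * end of the fd_set object, which is the defect behind NetBSD-SA2002-014. */
int fd_fits_fdset(int fd)
{
    return fd >= 0 && fd < FD_SETSIZE;
}

/* Bounds-checked replacement for a bare FD_SET(). Returns 0 on success,
 * -1 with errno = EINVAL when the descriptor would overrun the bitmap. */
int safe_fd_set(int fd, fd_set *set)
{
    if (!fd_fits_fdset(fd)) {
        errno = EINVAL;
        return -1;
    }
    FD_SET(fd, set);
    return 0;
}

/* The checked pattern applied to a select(2) wait for one readable descriptor.
 * Returns 1 if readable, 0 on timeout, -1 on error (an oversized fd is
 * rejected before select() is ever called). */
int wait_readable_select(int fd, int timeout_ms)
{
    fd_set rfds;
    struct timeval tv;
    int rc;

    FD_ZERO(&rfds);
    if (safe_fd_set(fd, &rfds) < 0)
        return -1;
    tv.tv_sec = timeout_ms / 1000;
    tv.tv_usec = (timeout_ms % 1000) * 1000;
    rc = select(fd + 1, &rfds, NULL, NULL, &tv);
    if (rc < 0)
        return -1;
    return rc > 0 && FD_ISSET(fd, &rfds);
}

/* The same wait using poll(2), which carries no FD_SETSIZE limit and so
 * cannot be pushed into this class of overrun by a crowded descriptor table. */
int wait_readable_poll(int fd, int timeout_ms)
{
    struct pollfd p;
    int rc;

    p.fd = fd;
    p.events = POLLIN;
    p.revents = 0;
    rc = poll(&p, 1, timeout_ms);
    if (rc < 0)
        return -1;
    return rc > 0 && (p.revents & POLLIN) != 0;
}

/* Self-check (constructed input): a pipe with one byte pending must report
 * readable through the checked select path. Returns 1 on success, -1 on failure. */
int demo_pipe_readable(void)
{
    int p[2], rc;

    if (pipe(p) < 0)
        return -1;
    if (write(p[1], "x", 1) != 1) {
        close(p[0]);
        close(p[1]);
        return -1;
    }
    rc = wait_readable_select(p[0], 0);
    close(p[0]);
    close(p[1]);
    return rc;
}

/* Reproduces the precondition from the advisory inside this unprivileged
 * process: open /dev/null until a descriptor numbered >= FD_SETSIZE appears.
 * Returns 1 when the checked helper rejected it (errno == EINVAL) while poll()
 * still accepted it, 0 when the soft fd limit could not be raised far enough
 * to reach FD_SETSIZE (nothing to test), -1 on an unexpected failure. */
int demo_oversized_fd(void)
{
    static int opened[FD_SETSIZE + 8];
    struct rlimit rl;
    rlim_t want = (rlim_t)FD_SETSIZE + 8;
    int n = 0, big = -1, result = 0;

    if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur < want) {
        rl.rlim_cur = rl.rlim_max < want ? rl.rlim_max : want;
        (void)setrlimit(RLIMIT_NOFILE, &rl);  /* best effort; fall through on failure */
    }
    while (n < (int)(sizeof opened / sizeof opened[0])) {
        int fd = open("/dev/null", O_RDONLY);
        if (fd < 0)
            break;
        opened[n++] = fd;
        if (fd >= FD_SETSIZE) {
            big = fd;
            break;
        }
    }
    if (big >= 0) {
        int sel = wait_readable_select(big, 0);
        int sel_errno = errno;
        int pol = wait_readable_poll(big, 0);
        result = (sel == -1 && sel_errno == EINVAL && pol >= 0) ? 1 : -1;
    }
    while (n > 0)
        close(opened[--n]);
    return result;
}

int main(void)
{
    printf("FD_SETSIZE on this platform: %d\n", FD_SETSIZE);
    printf("pipe readable via checked select: %d\n", demo_pipe_readable());
    printf("oversized fd rejected by guard, accepted by poll: %d\n", demo_oversized_fd());
    return 0;
}
```

The important line for a reviewer of setuid code is the check inside safe_fd_set: every FD_SET() on a descriptor whose number is not under the program's own control (inherited ones in particular) needs it, and when the program does not need select() semantics, poll() removes the fixed-size bitmap altogether.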

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

NetBSD 1.5.3 and earlier are vulnerable to this issue. Users are strongly urged to upgrade to NetBSD 1.6 which is not vulnerable to this issue. Further details are available in the referenced advisory.

- References

     

     
