CVE-2002-1513
CVSS 4.6
Published: 2003-04-02 00:00:00
Last revised: 2008-09-05 16:30:47

[Original] The UCX POP server in HP TCP/IP services for OpenVMS 4.2 through 5.3 allows local users to truncate arbitrary files via the -logfile command line option, which overrides file system permissions because the server runs with the SYSPRV and BYPASS privileges.


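[CNNVD] OpenVMS POP server local file corruption vulnerability (CNNVD-200304-062)

        UCX is the main TCP/IP stack used on OpenVMS systems, and UCX POP is the program that communicates using the POP protocol.
        The UCX POP server does not handle command-line options correctly; a local attacker can exploit this to overwrite any file on the system with a 0-byte file.
        The UCX POP server SYS$SYSTEM:UCX$POP_SERVER.EXE is installed by default with the VMS BYPASS and SYSPRV privileges:
        INSTALL> list ucx$pop_server.exe /full
        DISK$OPENVMS071:.EXE
         UCX$POP_SERVER;1 Prv
         Entry access count = 1
         Privileges = SYSPRV BYPASS
        INSTALL>
        The BYPASS privilege lets the POP server operate on the file system regardless of file permissions. Using the -logfile command-line option, it may be possible to make the server open any file on the system or truncate any existing file; if a local user can properly control the log output, this vulnerability might be used to gain full privileges on the system.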
        

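- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]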

- CPE (affected platforms and products)

cpe:/o:compaq:tcp-ip_services:5.0a::openvms
cpe:/o:compaq:tcp-ip_services:5.3::openvms
cpe:/o:compaq:tcp-ip_services:4.2::openvms
cpe:/o:compaq:tcp-ip_services:5.1::openvms

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1513
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1513
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200304-062
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/5790
(VENDOR_ADVISORY)  BID  5790
http://www.iss.net/security_center/static/10236.php
(VENDOR_ADVISORY)  XF  openvms-pop-gain-privileges(10236)
http://online.securityfocus.com/archive/1/293070
(VENDOR_ADVISORY)  BUGTRAQ  20020927 OpenVMS POP server local vulnerability
http://archives.neohapsis.com/archives/bugtraq/2002-10/0010.html
(VENDOR_ADVISORY)  BUGTRAQ  20021001 [security bulletin] SSRT2371 HP OpenVMS Potential POP server local vulnerability (fwd)
http://archives.neohapsis.com/archives/compaq/2002-q4/0000.html
(UNKNOWN)  COMPAQ  SSRT2371

- Vulnerability information

OpenVMS POP server local file corruption vulnerability
Medium severity, access validation error
2003-04-02 00:00:00 2005-05-13 00:00:00
Local
        

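- Advisories and patches

        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the risk:
        * Remove execute permission from the POP server program SYS$SYSTEM:UCX$POP_SERVER.EXE.
        Vendor patch:
        Compaq
        ------
        Compaq has released an ECO that fixes this issue:
        ECO B 1-JUL-2002 Alpha and VAX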

- Vulnerability information (21856)

OpenVMS 5.3/6.2/7.x UCX POP Server Arbitrary File Modification Vulnerability (EDBID:21856)
multiple local
2002-09-25 Verified
0 Mike Riley
N/A
source: http://www.securityfocus.com/bid/5790/info

An issue with the UCX POP (Post Office Protocol) server used by OpenVMS has been reported. It is possible for a malicious local user to overwrite arbitrary files on the filesystem by exploiting a vulnerability in the UCX POP server.

$
$ break_it :== $sys$system:ucx$pop_server.exe
$ break_it -logfile sys$system:I_SHOULDNT_BE_ABLE_TO_WRITE_HERE		

- Vulnerability information

11089
OpenVMS TCP/IP Services UCX POP Server -logfile Command Arbitrary File Truncation

- Vulnerability description

Unknown or Incomplete

- Timeline

2002-10-01 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

OpenVMS UCX POP Server Arbitrary File Modification Vulnerability
Access Validation Error 5790
No Yes
2002-09-25 12:00:00 2009-07-11 05:06:00
Discovery of this vulnerability credited to "Mike Riley" <mike@akitanet.co.uk>.

- Affected software versions

Compaq TCP/IP Services For OpenVMS 5.3
- Compaq OpenVMS 5.3
Compaq TCP/IP Services For OpenVMS 5.1
Compaq TCP/IP Services For OpenVMS 5.0 a
Compaq TCP/IP Services For OpenVMS 4.2
Compaq OpenVMS 7.3 VAX
Compaq OpenVMS 7.3 Alpha
Compaq OpenVMS 7.2.1 Alpha
Compaq OpenVMS 7.2 VAX
Compaq OpenVMS 7.2 Alpha
Compaq OpenVMS 7.1 VAX
Compaq OpenVMS 7.1 Alpha
Compaq OpenVMS 6.2 VAX
Compaq OpenVMS 6.2 Alpha
Compaq OpenVMS 6.2
Compaq OpenVMS 5.3

- Vulnerability discussion

An issue with the UCX POP (Post Office Protocol) server used by OpenVMS has been reported. It is possible for a malicious local user to overwrite arbitrary files on the filesystem by exploiting a vulnerability in the UCX POP server.

- Exploit

The following proof-of-concept was submitted by "Mike Riley" <mike@akitanet.co.uk>:

$
$ break_it :== $sys$system:ucx$pop_server.exe
$ break_it -logfile sys$system:I_SHOULDNT_BE_ABLE_TO_WRITE_HERE

- Solution

Fixes available:


Compaq TCP/IP Services For OpenVMS 4.2

Compaq TCP/IP Services For OpenVMS 5.0 a

Compaq TCP/IP Services For OpenVMS 5.1

Compaq TCP/IP Services For OpenVMS 5.3

- Related references

 

 
