CVE-2003-0056
CVSS 7.2
Published: 2003-02-19 00:00:00
Last modified: 2016-10-17 22:28:54
NMCOES

[Original] Buffer overflow in secure locate (slocate) before 2.7 allows local users to execute arbitrary code via a long (1) -c or (2) -r command line argument.


[CNNVD] slocate Local Buffer Overflow Vulnerability (CNNVD-200302-030)

slocate is a tool for finding files and directories; it maintains its own database holding information about the files and directories on the system.
slocate does not correctly handle overlong command-line arguments. A local attacker can exploit this to carry out a buffer overflow attack and may execute arbitrary commands on the system with root privileges.
The problem lies in slocate's parsing of the regex ('-r') and /etc/updatedb.conf ('-c') command-line options. Supplying overlong data as the argument to either option causes a stack-based buffer overflow; carefully crafted data can overwrite the instruction pointer and execute arbitrary commands on the system with root privileges.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may result in complete system shutdown]
Access complexity: LOW [no special access conditions required for exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

cpe:/a:slocate:slocate:2.6
cpe:/a:slocate:slocate:2.5

- OVAL (technical details for detection)

oval:org.mitre.oval:def:11369
Buffer overflow in secure locate (slocate) before 2.7 allows local users to execute arbitrary code via a long (1) -c or (2) -r command line ...
*OVAL describes in detail how to detect this vulnerability; see the referenced OVAL definition for more technical details on detection.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0056
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0056
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200302-030
(Official data source) CNNVD

- Other links and resources

ftp://ftp.sco.com/pub/security/OpenLinux/CSSA-2003-009.0.txt
(UNKNOWN)  CALDERA  CSSA-2003-009.0
ftp://patches.sgi.com/support/free/security/advisories/20040202-01-U.asc
(UNKNOWN)  SGI  20040202-01-U
http://marc.info/?l=bugtraq&m=104342864418213&w=2
(UNKNOWN)  BUGTRAQ  20030124 [USG- SA- 2003.001] USG Security Advisory (slocate)
http://marc.info/?l=bugtraq&m=104348607205691&w=2
(UNKNOWN)  BUGTRAQ  20030125 Re: [USG- SA- 2003.001] USG Security Advisory (slocate)
http://marc.info/?l=bugtraq&m=104428624705363&w=2
(UNKNOWN)  BUGTRAQ  20030202 GLSA: slocate
http://rhn.redhat.com/errata/RHSA-2004-041.html
(UNKNOWN)  REDHAT  RHSA-2004:041
http://www.debian.org/security/2003/dsa-252
(VENDOR_ADVISORY)  DEBIAN  DSA-252
http://www.mandriva.com/security/advisories?name=MDKSA-2003:015
(UNKNOWN)  MANDRAKE  MDKSA-2003:015
http://www.net-security.org/advisory.php?id=2010
(UNKNOWN)  CONECTIVA  CLA-2003:643
http://www.usg.org.uk/advisories/2003.001.txt
(VENDOR_ADVISORY)  MISC  http://www.usg.org.uk/advisories/2003.001.txt

- Vulnerability information

slocate Local Buffer Overflow Vulnerability
High severity; boundary condition error
Published: 2003-02-19 00:00:00; updated: 2005-10-20 00:00:00
Local

- Advisories and patches

Temporary workaround:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
* Temporarily remove the setuid bit from the /usr/bin/slocate program.
Vendor patch:
slocate
-------
The vendor has fixed this security issue in a new version of the software; download it from the vendor's homepage:
slocate Upgrade slocate-2.7.tar.gz
ftp://ftp.geekreview.com/slocate/src/slocate-2.7.tar.gz

- Vulnerability information (22197)

slocate 2.5/2.6 Local Buffer Overrun Vulnerability (EDBID:22197)
linux dos
2003-01-24 Verified
0 USG team
N/A
source: http://www.securityfocus.com/bid/6676/info

A vulnerability has been discovered in slocate. It has been reported that a buffer overrun occurs when running the slocate program with command line arguments of excessive length. Specifically, it is possible to overrun a buffer in slocate by supplying excessive data as the regex ('-r') and parse /etc/updatedb.conf ('-c') command line options. 

By exploiting this issue to overwrite an instruction pointer an attacker may gain the ability to execute arbitrary instructions. As slocate is typically installed setgid, all commands executed by the attacker will be run with the elevated group privileges.

*** Conflicting details have been released which provide information reporting that the issue described is not a buffer overflow. Furthermore, the programming error that occurs may not be a security issue and thus not exploitable.

/usr/bin/slocate -c `perl -e "print 'A' x 1024"` -r `perl -e "print 'A' x 1024"`

- Vulnerability information

6198
slocate -c and -r Argument Command Line Overflow
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

A local overflow exists in slocate. slocate fails to validate the -c and -r parameters. By passing long (1024+ byte) strings as the -c or -r command line arguments, a local attacker can overflow the buffer and execute arbitrary code, resulting in a loss of integrity.

- Timeline

2003-01-24 Unknown
2003-01-24 Unknown

- Solution

Upgrade to version 2.7 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

slocate Local Buffer Overrun Vulnerability
Class: Boundary Condition Error
Bugtraq ID: 6676
Remote: No
Local: Yes
Published: 2003-01-24 12:00:00
Updated: 2009-07-11 08:06:00
The discovery of this vulnerability has been credited to the USG team.

- Affected versions

Turbolinux Turbolinux Workstation 8.0
Turbolinux Turbolinux Workstation 7.0
Turbolinux Turbolinux Workstation 6.0
Turbolinux Turbolinux Server 8.0
Turbolinux Turbolinux Server 7.0
Turbolinux Turbolinux Server 6.5
Turbolinux Turbolinux Server 6.1
Turbolinux Turbolinux Desktop 10.0
Turbolinux Turbolinux Advanced Server 6.0
slocate slocate 2.6
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Workstation 3.1.1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Gentoo Linux 1.4 _rc2
+ Gentoo Linux 1.4 _rc1
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ RedHat Linux 9.0 i386
+ RedHat Linux 8.0 i386
+ RedHat Linux 7.3 i386
+ RedHat Linux 7.2 i386
+ Trustix Secure Linux 2.0
+ Trustix Secure Linux 1.5
slocate slocate 2.5
SGI ProPack 2.4
SGI ProPack 2.3

- Unaffected versions

slocate slocate 2.7
+ MandrakeSoft Corporate Server 3.0 x86_64
+ MandrakeSoft Corporate Server 3.0
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ Mandriva Linux Mandrake 10.2 x86_64
+ Mandriva Linux Mandrake 10.2
+ Mandriva Linux Mandrake 10.1 x86_64
+ Mandriva Linux Mandrake 10.1
+ Mandriva Linux Mandrake 10.0 AMD64
+ Mandriva Linux Mandrake 10.0
slocate slocate 2.1
+ Red Hat Linux 6.2

- Exploit

It has been reported that a proof of concept exploit has been developed which exploits this vulnerability, and will be available to the public soon.

The following example has been given which demonstrates the overflow:

/usr/bin/slocate -c `perl -e "print 'A' x 1024"` -r `perl -e "print 'A' x 1024"`

- Solution

SGI has released an advisory 20040202-01-U to address this and other issues in SGI ProPack 2.4. Please see the referenced advisory for more information. Fixes are available below.

Turbolinux has released an advisory (TLSA-2004-6) and fixes to address this issue. Affected users are advised to apply the appropriate updates as soon as possible. Further information on obtaining and applying these updates can be found in the referenced advisory. Fixes are linked below.

Mandrake Linux has released fixes and an advisory.

Gentoo Linux has released an advisory. Users who have installed sys-apps/slocate are advised to upgrade to slocate-2.7 by issuing the following commands:

emerge sync
emerge -u slocate
emerge clean

SGI has released an advisory 20040201-01-U with a patch to address this and other issues. Please see the referenced advisory for more information.

Fedora has released advisory FLSA:1232 to address this issue in Red Hat Linux 7.2, 7.3, and 8.0.

Fixes available:

Turbolinux Turbolinux Desktop 10.0
SGI ProPack 2.3
SGI ProPack 2.4
slocate slocate 2.5
slocate slocate 2.6
Turbolinux Turbolinux Advanced Server 6.0
Turbolinux Turbolinux Workstation 6.0
Turbolinux Turbolinux Server 6.1
Turbolinux Turbolinux Server 6.5
Turbolinux Turbolinux Workstation 7.0
Turbolinux Turbolinux Server 7.0
Turbolinux Turbolinux Server 8.0
Turbolinux Turbolinux Workstation 8.0
