CVE-2003-0091
CVSS7.2
Published: 2003-04-02 00:00:00
Revised: 2008-09-10 15:17:54

[Original] Stack-based buffer overflow in the bsd_queue() function for lpq on Solaris 2.6 and 7 allows local users to gain root privilege.


[CNNVD] Solaris lpstat Buffer Overflow Vulnerability (CNNVD-200304-065)

        A stack-based buffer overflow exists in the bsd_queue() function of lpq on Solaris 2.6 and 7. A local user can exploit it to gain root privileges.

- CVSS (Base Score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [the system can be brought down entirely]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (Affected Platforms and Products)

cpe:/o:sun:solaris:2.6
cpe:/o:sun:solaris:7.0
cpe:/o:sun:solaris:2.5.1

- OVAL (Technical Details for Detection)

oval:org.mitre.oval:def:4383 lpq Buffer Overflow in bsd_queue()
*OVAL describes in detail how to detect this vulnerability; see the related OVAL definition for further technical details on detecting it.

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0091
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0091
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200304-065
(Official data source) CNNVD

- Other Links and Resources

http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0162.html
(VENDOR_ADVISORY)  VULNWATCH  20030331 NSFOCUS SA2003-02: Solaris lpq Stack Buffer Overflow Vulnerability
http://www.securityfocus.com/archive/1/archive/1/316957/30/25250/threaded
(UNKNOWN)  BUGTRAQ  20030331 NSFOCUS SA2003-02: Solaris lpq Stack Buffer Overflow Vulnerability
http://www.osvdb.org/8713
(UNKNOWN)  OSVDB  8713
http://www.nsfocus.com/english/homepage/sa2003-02.htm
(UNKNOWN)  MISC  http://www.nsfocus.com/english/homepage/sa2003-02.htm
http://www.ciac.org/ciac/bulletins/n-068.shtml
(UNKNOWN)  CIAC  N-068
http://sunsolve.sun.com/search/document.do?assetkey=1-26-52443-1
(UNKNOWN)  SUNALERT  52443
http://packetstormsecurity.org/0304-advisories/sa2003-02.txt
(UNKNOWN)  MISC  http://packetstormsecurity.org/0304-advisories/sa2003-02.txt

- Vulnerability Information

Solaris lpstat Buffer Overflow Vulnerability
High risk  Buffer overflow
2003-04-02 00:00:00 2005-10-20 00:00:00
Local
        A stack-based buffer overflow exists in the bsd_queue() function of lpq on Solaris 2.6 and 7. A local user can exploit it to gain root privileges.

- Advisories and Patches

        Patches are available for vulnerable versions:

        Sun Solaris 2.6
          • Sun 106235-12

        Sun Solaris 2.6 _x86
          • Sun 106236-12

        Sun Solaris 7.0 _x86
          • Sun 107116-12

        Sun Solaris 7.0
          • Sun 107115-12

- Vulnerability Information (F30951)

sa2003-02.txt (PacketStormID:F30951)
2003-04-01 00:00:00
NSFOCUS  nsfocus.com
advisory,overflow,x86,local,root
solaris
CVE-2003-0091

NSFOCUS Security Advisory SA2003-02 - Sun Solaris LPQ has a stack overflow which allows local users to execute code as root. Solaris 2.5.1, 2.6, and 2.7 on SPARC and x86 are affected.


NSFOCUS Security Advisory(SA2003-02)

Topic: Solaris lpq Stack Buffer Overflow Vulnerability

Release Date: 2003-3-31 

CVE CAN ID: CAN-2003-0091

Affected system:
===================

Sun Solaris 2.5.1 (SPARC/x86)
Sun Solaris 2.6 (SPARC/x86)
Sun Solaris 7   (SPARC/x86)
                                                               
Summary:
=========

NSFOCUS Security Team has found a buffer overflow vulnerability in lpq, an 
application in Sun Solaris system. Exploiting the vulnerability local 
attackers could gain root privilege.  

Description:
============

lpq, which is used to display the contents of the print queue, is a command 
in the SunOS/BSD compatibility package. By default the suid root bit is set on it. 
Because a valid bounds check has not been implemented when handling the data 
provided by users, attackers could cause a fixed stack buffer to overflow.
By carefully crafting the overflow data, attackers could run arbitrary code with 
root privilege. 

Actually /usr/ucb/lpq is a symbolic link to /usr/bin/lpstat. lpstat will 
operate according to the program name it was called by. If it is "lpq", it will
operate in BSD style; otherwise it will operate in System V style. The bsd_queue()
function in lpq calls strcat() to copy the data provided by users into a 
buffer whose size is fixed. Because the length of the copied data is
not checked, if an attacker provides an over-long string, he/she will
cause a stack buffer overflow. By overwriting the return address and other
data on the stack, local attackers could gain root privilege. 

Solaris 8/9 uses strlcat() to implement the string copy, so it avoids the buffer
overflow and therefore is not vulnerable to this issue.  

Workaround:
=============

 NSFOCUS suggests disabling the suid root attribute of lpstat (lpq) temporarily:
 # chmod a-s /usr/bin/lpstat

Vendor Status:
==============

2002-12-11  Informed the vendor.
2002-12-13  The vendor confirmed the vulnerability. 
2003-03-31  The vendor released a Sun Alert and patches for this issue. 

The Sun Alert is available at:
http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/52443

The patches are:

Solaris 2.6     106235-12
Solaris 2.6_x86 106236-12
Solaris 7       107115-12
Solaris 7_x86   107116-12


Additional Information:
========================

The Common Vulnerabilities and Exposures (CVE) project has assigned the 
name CAN-2003-0091 to this issue. This is a candidate for inclusion in the
CVE list (http://cve.mitre.org), which standardizes names for security 
problems. Candidates may change significantly before they become official 
CVE entries.

DISCLAIMS:
==========
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY
OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED,
EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PERMITTED PROVIDED THAT THE
ADVISORY IS NOT MODIFIED IN ANY WAY.

Copyright 1999-2003 NSFOCUS. All Rights Reserved. Terms of use.


NSFOCUS Security Team <security@nsfocus.com>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)

PGP Key: http://www.nsfocus.com/homepage/research/pgpkey.asc
Key fingerprint = F8F2 F5D1 EF74 E08C 02FE  1B90 D7BF 7877 C6A6 F6DA

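The defect the advisory describes is an unchecked strcat() into a fixed stack buffer, and the Solaris 8/9 fix was to use strlcat() instead. The following is an added illustration of that hardened pattern, not NSFOCUS's or Sun's code: the buffer size, the "printer:user" request layout and the names bounded_cat, build_queue_request and try_queue_request are constructed assumptions, since the real bsd_queue() source is not on the page.

```c
#include <stdio.h>
#include <string.h>

/* Constructed size; the page does not give the real size of the fixed
 * stack buffer in bsd_queue(). */
#define QUEUE_BUF_MAX 64

/* strlcat-style bounded append: never writes past dst[size-1], always
 * NUL-terminates, and returns the length it tried to build so callers can
 * detect truncation (return >= size). The advisory says Solaris 8/9 fixed
 * lpq by using strlcat(); this is a portable stand-in for that call. */
size_t bounded_cat(char *dst, const char *src, size_t size)
{
    size_t dlen = 0, slen = strlen(src), room, n;
    while (dlen < size && dst[dlen] != '\0')
        dlen++;
    if (dlen == size)              /* dst not terminated within size */
        return size + slen;
    room = size - dlen - 1;
    n = slen < room ? slen : room;
    memcpy(dst + dlen, src, n);
    dst[dlen + n] = '\0';
    return dlen + slen;
}

/* Hypothetical stand-in for the bsd_queue() pattern: build "printer:user"
 * from user-controlled arguments in a fixed buffer. The original used
 * unchecked strcat(), so an over-long argument ran past the buffer; here
 * each append is bounded and an oversized input is rejected with -1. */
int build_queue_request(char *out, size_t outsz,
                        const char *printer, const char *user)
{
    if (outsz == 0)
        return -1;
    out[0] = '\0';
    if (bounded_cat(out, printer, outsz) >= outsz) return -1;
    if (bounded_cat(out, ":", outsz) >= outsz)     return -1;
    if (bounded_cat(out, user, outsz) >= outsz)    return -1;
    return 0;
}

/* Wrapper with a local fixed buffer, standing in for the stack buffer. */
int try_queue_request(const char *printer, const char *user)
{
    char buf[QUEUE_BUF_MAX];
    return build_queue_request(buf, sizeof buf, printer, user);
}
```

A call such as try_queue_request("lp0", "alice") returns 0, while an argument longer than the 64-byte buffer returns -1 instead of corrupting the stack.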


- Vulnerability Information

8713
Solaris lpq bsd_queue() Function Local Overflow
Local Access Required Input Manipulation
Loss of Integrity

- Vulnerability Description

A local overflow exists in Solaris. The bsd_queue() function in lpq fails to validate user-supplied input before copying it into a variable of fixed size, resulting in a buffer overflow. With a specially crafted request, an attacker can execute arbitrary code with root privileges, resulting in a loss of integrity.

- Timeline

2003-03-31 Unknown
Unknown Unknown

- Solution

Sun Microsystems, Inc. has released patches to address this issue. Additionally, it is possible to correct the flaw by implementing the following workaround: remove the set-user-ID bit from lpstat. The lpq command is a symbolic link to lpstat. This can be done with the following command as the root user:

# /usr/bin/chmod u-s /usr/bin/lpstat

Note: Removing the set-user-ID bit from the lpstat binary will prevent unprivileged users from displaying information about the print service.

- Related References

- Vulnerability Author

- Vulnerability Information

Solaris lpstat Buffer Overflow Vulnerability
Boundary Condition Error 7239
No Yes
2003-03-31 12:00:00 2009-07-11 09:06:00
Discovered by NSFOCUS.

- Affected Program Versions

Sun Solaris 2.5.1 _x86
Sun Solaris 2.5.1 _ppc
Sun Solaris 2.5.1
Sun Solaris 7.0_x86
Sun Solaris 7.0
Sun Solaris 2.6_x86
Sun Solaris 2.6
Sun Solaris 9_x86 Update 2
Sun Solaris 9_x86
Sun Solaris 9
Sun Solaris 8_x86
Sun Solaris 8_sparc

- Unaffected Program Versions

Sun Solaris 9_x86 Update 2
Sun Solaris 9_x86
Sun Solaris 9
Sun Solaris 8_x86
Sun Solaris 8_sparc

- Vulnerability Discussion

The lpstat utility is used to display the contents of the print queue. It has been reported that the version of lpstat shipped with Sun Solaris is vulnerable to a locally exploitable buffer overflow. As lpstat for Solaris is configured setuid root, exploitation of this vulnerability could result in elevation of privileges for a local attacker.

- Exploits

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

Patches are available for vulnerable versions:


Sun Solaris 7.0_x86
  • Sun 107116-12


Sun Solaris 2.6
  • Sun 106235-12


Sun Solaris 7.0
  • Sun 107115-12


Sun Solaris 2.6_x86
  • Sun 106236-12

- Related References
