CVE-2003-0382
CVSS4.6
Published: 2003-07-02 00:00:00
Last revised: 2016-10-17 22:33:10

[Original] Buffer overflow in Eterm 0.9.2 allows local users to gain privileges via a long ETERMPATH environment variable.


[CNNVD] Eterm PATH_ENV Local Buffer Overflow Vulnerability (CNNVD-200307-009)

        
Eterm is a terminal emulator that can be used on a variety of Unix systems.
Eterm lacks proper bounds checking of its buffers when handling environment variables; a local attacker can exploit this to carry out a buffer overflow attack, potentially to escalate privileges.
On some systems Eterm handles the ETERMPATH environment variable incorrectly. An attacker who supplies an over-long string as the value of this variable can trigger a buffer overflow, and carefully crafted data may allow arbitrary instructions to be executed with utmp privileges or, on some systems, with root privileges.
        

- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Access complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:michael_jennings:eterm:0.9.1
cpe:/a:michael_jennings:eterm:0.9.2
cpe:/o:debian:debian_linux:3.0 (Debian Linux 3.0)
cpe:/o:debian:debian_linux:2.3 (Debian Linux 2.3)

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0382
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0382
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200307-009
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=105427580626001&w=2
(UNKNOWN)  BUGTRAQ  20030509 BAZARR CODE NINER PINK TEAM GO GO GO
http://www.debian.org/security/2003/dsa-309
(VENDOR_ADVISORY)  DEBIAN  DSA-309
http://www.securityfocus.com/bid/7708
(UNKNOWN)  BID  7708

- Vulnerability information

Eterm PATH_ENV Local Buffer Overflow Vulnerability
Medium severity; boundary condition error
2003-07-02 00:00:00 2006-09-05 00:00:00
Local

- Advisories and patches

Vendor patches:
        Debian
        ------
        
        http://www.debian.org/security/2003/dsa-309

- Vulnerability information

8157
Eterm ETERMPATH Variable Local Overflow
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

A local overflow exists in Eterm. Eterm fails to validate the ETERMPATH variable, resulting in a buffer overflow. By supplying an overly long string in the ETERMPATH variable, a local attacker can cause a buffer overflow and gain the elevated privileges of the group "utmp" on the system, resulting in a loss of confidentiality and integrity.

- Timeline

2003-05-27 Unknown
2003-05-29 Unknown

- Solution

Upgrade to version 0.9.2-0pre2002042903.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Credited discoverer

- Vulnerability information

Eterm PATH_ENV Buffer Overflow Vulnerability
Boundary Condition Error 7708
No Yes
2003-05-27 12:00:00 2009-07-11 10:06:00
Discovery of this vulnerability has been credited to bazarr <bazarr@ziplip.com>.

- Affected program versions

Eterm Eterm 0.9.2
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
Eterm Eterm 0.9.1
- Debian Linux 2.3 powerpc

- Vulnerability discussion

Eterm has been reported prone to a local buffer overflow vulnerability. Code execution with elevated privileges has been confirmed possible.

The issue is due to a lack of sufficient bounds checking performed on an environment variable that is copied into an internal memory buffer.

An attacker may exploit this vulnerability to have arbitrary shell code executed with elevated privileges. Code execution will occur in the context of the vulnerable Eterm, which may have setuid/setgid utmp or possibly root on some Unix/Linux distributions.
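The defect class described above, as an added illustration that is not Eterm's own source (the real buffer size and copy site are not given on this page, so `PATH_BUF_LEN` and the function name are assumptions): the unchecked copy pattern shown in a comment beside a bounded loader that refuses any environment value which would not fit the internal buffer.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the internal buffer a terminal emulator keeps for its
 * search path; the actual size in Eterm is not stated on this page. */
#define PATH_BUF_LEN 256

/*
 * Pattern the advisory describes: an environment value copied into a
 * fixed-size buffer with no bounds check, e.g.
 *
 *     strcpy(path_buf, getenv("ETERMPATH"));
 *
 * When the binary runs setgid utmp (or setuid root), its environment is
 * controlled by an unprivileged caller, so an over-long value overwrites
 * whatever follows path_buf in memory.
 */

/* Hardened replacement: copy only if the value fits, otherwise refuse.
 * Returns 0 on success, -1 if the variable is unset or too long for dst.
 * Refusing rather than silently truncating avoids later use of a path
 * that was cut in the middle of a component. */
int load_path_env(const char *value, char *dst, size_t dst_len)
{
    if (dst == NULL || dst_len == 0)
        return -1;
    dst[0] = '\0';
    if (value == NULL)
        return -1;
    /* strnlen stops scanning at dst_len, so a huge value costs O(dst_len). */
    size_t n = strnlen(value, dst_len);
    if (n >= dst_len)               /* no room left for the terminating NUL */
        return -1;
    memcpy(dst, value, n + 1);      /* n + 1 copies the NUL as well */
    return 0;
}

int main(void)
{
    char path_buf[PATH_BUF_LEN];
    /* Constructed inputs: one sane value and one far longer than the buffer. */
    const char *sane = "/usr/share/Eterm:/usr/local/share/Eterm";
    char *oversized = malloc(4 * PATH_BUF_LEN + 1);
    memset(oversized, 'A', 4 * PATH_BUF_LEN);
    oversized[4 * PATH_BUF_LEN] = '\0';
    printf("sane value:      %s\n", load_path_env(sane, path_buf, sizeof path_buf) == 0 ? "accepted" : "rejected");
    printf("oversized value: %s\n", load_path_env(oversized, path_buf, sizeof path_buf) == 0 ? "accepted" : "rejected");
    free(oversized);
    return 0;
}
```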

- Exploit

An exploit for this vulnerability is publicly available.

- Solution

Debian has released a revised advisory containing new updates that eliminate the vulnerability. The previous fixes introduced a non-security related bug. See advisory DSA-309-2 (in the reference section) for download links to these new fixes.


Eterm Eterm 0.9.2

- Related references
