CVE-2003-0453
CVSS 10.0
Published: 2003-08-07 00:00:00
Last revised: 2016-10-17 22:34:00

[Original] traceroute-nanog 6.1.1 allows local users to overwrite unauthorized memory and possibly execute arbitrary code via certain "nprobes" and "max_ttl" arguments that cause an integer overflow that is used when allocating memory, which leads to a buffer overflow.


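[CNNVD] Traceroute-Nanog Integer Overflow Memory Corruption Vulnerability (CNNVD-200308-039)

        A vulnerability exists in traceroute-nanog 6.1.1. Local users can use certain "nprobes" and "max_ttl" arguments to overwrite unauthorized memory and possibly execute arbitrary code; these arguments can cause an integer overflow when memory is allocated, which leads to a buffer overflow.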

- CVSS (Base Score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

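- CPE (Affected Platforms and Products)

Product and version information (CPE) is not currently available

- OVAL (Technical Details for Detection)

No related OVAL definitions found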

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0453
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0453
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200308-039
(Official data source) CNNVD

- Other Links and Resources

http://marc.info/?l=bugtraq&m=105613905425563&w=2
(UNKNOWN)  BUGTRAQ  20030620 BAZARR FAREWELL
http://www.debian.org/security/2003/dsa-348
(UNKNOWN)  DEBIAN  DSA-348

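- Vulnerability Information

Traceroute-Nanog Integer Overflow Memory Corruption Vulnerability
Critical  Buffer overflow
2003-08-07 00:00:00 2005-10-20 00:00:00
Local
        A vulnerability exists in traceroute-nanog 6.1.1. Local users can use certain "nprobes" and "max_ttl" arguments to overwrite unauthorized memory and possibly execute arbitrary code; these arguments can cause an integer overflow when memory is allocated, which leads to a buffer overflow.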

- Advisories and Patches

        Debian has released advisory DSA 348-1 to address this issue. For fix information, see referenced advisory.
        NANOG Traceroute 6.1.1
        

- Vulnerability Information

4634
NANOG traceroute max_ttl Arbitrary Memory Overwrite

- Vulnerability Description

Unknown or Incomplete

- Timeline

2003-06-20 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

Traceroute-Nanog Integer Overflow Memory Corruption Vulnerability
Design Error 7994
No Yes
2003-06-20 12:00:00 2009-07-11 10:06:00
Discovery of this vulnerability has been credited to "assasa sasasaaa" <bazrar@hotmail.com>.

- Affected Program Versions

NANOG Traceroute 6.1.1
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ S.u.S.E. Linux 8.0
+ S.u.S.E. Linux 7.3
+ S.u.S.E. Linux 7.2

- Vulnerability Discussion

An integer overflow vulnerability has been reported for Traceroute-Nanog. It has been reported that when processing certain max_ttl and nprobes values from a traceroute invocation, some functions or utilities may fail to sufficiently handle the size of data returned.

Because an attacker can control the memory corruption, an attacker might exploit this condition to execute arbitrary instructions with elevated privileges, although this is conjectured and unconfirmed.

It should be noted that this vulnerability might only affect the Debian implementation of Traceroute-Nanog.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

Debian has released advisory DSA 348-1 to address this issue. For fix information, see referenced advisory.


NANOG Traceroute 6.1.1

- Related References

 

 
