CVE-2003-0834
CVSS 7.2
Published: 2003-12-01 00:00:00
Revised: 2008-09-10 15:20:36
NMCOPS    

[Original] Buffer overflow in CDE libDtHelp library allows local users to execute arbitrary code via (1) a modified DTHELPUSERSEARCHPATH environment variable and the Help feature, (2) DTSEARCHPATH, or (3) LOGNAME.


[CNNVD] CDE LibDTHelp DTHelpUserSearchPath Local Buffer Overflow Vulnerability (CNNVD-200312-005)

Common Desktop Environment (CDE) is the standard desktop environment for UNIX-based systems.
The libDtHelp library included with CDE handles environment variables incorrectly. A local attacker can exploit this flaw to trigger a buffer overflow and may execute arbitrary instructions on the system with root privileges.
When a dtHelp application initializes, a user can set specially crafted environment variables to escalate privileges. No detailed vulnerability information is currently available.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [complete information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required]

- CPE (affected platforms and products)

cpe:/o:sco:unixware:7.1.1
cpe:/o:sco:unixware:7.1.3
cpe:/o:sco:open_unix:8.0

- OVAL (technical details for detection)

oval:org.mitre.oval:def:5141  CDE libDtHelp Buffer Overflow
*OVAL describes the method for detecting this vulnerability in detail; see the referenced OVAL definition for more technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0834
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0834
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200312-005
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/575804
(VENDOR_ADVISORY)  CERT-VN  VU#575804
http://www.securityfocus.com/bid/8973
(VENDOR_ADVISORY)  BID  8973
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57414
(UNKNOWN)  SUNALERT  57414
http://archives.neohapsis.com/archives/hp/2003-q4/0047.html
(UNKNOWN)  HP  HPSBUX0311-297
ftp://patches.sgi.com/support/free/security/advisories/20040801-01-P
(UNKNOWN)  SGI  20040801-01-P
http://www.idefense.com/application/poi/display?id=134&type=vulnerabilities&flashstatus=false
(UNKNOWN)  IDEFENSE  20040825 CDE libDtHelp LOGNAME Buffer Overflow Vulnerability

- Vulnerability information

CDE LibDTHelp DTHelpUserSearchPath Local Buffer Overflow Vulnerability
High severity; boundary condition error
2003-12-01 00:00:00 2005-10-20 00:00:00
Local
        

- Advisories and patches

Vendor patches:
SCO
---
The vendor has released an upgrade patch to fix this security issue; download it from the vendor's home page:
SCO Unixware 7.1.1:
SCO Patch erg712445.pkg.Z
ftp://ftp.sco.com/pub/updates/UnixWare/CSSA-2003-SCO.31
SCO Unixware 7.1.3:
SCO Patch erg712445.pkg.Z
ftp://ftp.sco.com/pub/updates/UnixWare/CSSA-2003-SCO.31
SCO Open UNIX 8.0:
SCO Patch erg712445.pkg.Z
ftp://ftp.sco.com/pub/updates/UnixWare/CSSA-2003-SCO.31

- Vulnerability information (F35498)

raptor_libdthelp2.c (PacketStormID:F35498)
2004-12-31 00:00:00
Marco Ivaldi  0xdeadbeef.info
exploit,overflow,arbitrary,local,root
solaris
CVE-2003-0834

Local root exploit for a buffer overflow in CDE libDtHelp library that allows local users to execute arbitrary code via a modified DTHELPUSERSEARCHPATH environment variable and the Help feature. Works against Solaris/SPARC 7/8/9. This is the ret-into-ld.so version of raptor_libdthelp.c, able to bypass the non-executable stack protection (noexec_user_stack=1 in /etc/system).

- Vulnerability information (F35497)

raptor_libdthelp.c (PacketStormID:F35497)
2004-12-31 00:00:00
Marco Ivaldi  0xdeadbeef.info
exploit,overflow,arbitrary,local,root
solaris
CVE-2003-0834

Local root exploit for a buffer overflow in CDE libDtHelp library that allows local users to execute arbitrary code via a modified DTHELPUSERSEARCHPATH environment variable and the Help feature. Works against Solaris/SPARC 7/8/9.

- Vulnerability information (F34169)

iDEFENSE Security Advisory 2004-08-25.2 (PacketStormID:F34169)
2004-08-26 00:00:00
iDefense Labs  idefense.com
advisory,overflow,local,root
CVE-2003-0834

iDEFENSE Security Advisory 08.25.04-2 - Exploitation of a buffer overflow in the libDtHelp library included with CDE can allow local attackers to gain root privileges. The vulnerability specifically exists due to a lack of bounds checking on the LOGNAME environment variable. Local attackers can specify a long LOGNAME to trigger a buffer overflow in any application linked with libDtHelp. The overflow is activated once the help subsystem is accessed by selecting any option under the Help menu.

CDE libDtHelp LOGNAME Buffer Overflow Vulnerability

iDEFENSE Security Advisory 08.25.04
www.idefense.com/application/poi/display?id=134&type=vulnerabilities
August 25, 2004

I. BACKGROUND

The libDtHelp library is a core component of the Common Desktop
Environment (CDE). It provides the help subsystem used by most CDE
applications.

II. DESCRIPTION

Exploitation of a buffer overflow in the libDtHelp library included with
CDE can allow local attackers to gain root privileges.

The vulnerability specifically exists due to a lack of bounds checking
on the LOGNAME environment variable. Local attackers can specify a long
LOGNAME to trigger a buffer overflow in any application linked with
libDtHelp. The overflow is activated once the help subsystem is accessed
by selecting any option under the Help menu. 

This vulnerability occurs in the same sequence of code as the previously
disclosed DTSEARCHPATH and DTUSERSEARCHPATH vulnerabilities, described
in CAN-2003-0834. However, the LOGNAME environment variable was not
reported as a method of attack in related advisories.

US-CERT Vulnerability Note VU#575804, detailing the original attack
vectors is available at:

http://www.kb.cert.org/vuls/id/575804

III. ANALYSIS

Successful exploitation leads to root level access. CDE is a widely
deployed default desktop environment for UNIX operating systems. 
Depending on the function of the machine, this vulnerability could lead
to exposure of highly sensitive data. The vulnerability is easily
exploitable even when stack protections are enabled, furthering the
impact of exposure.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in Solaris 8
and Solaris 9 without the patches provided for in Sun Alert 57414.
Hewlett Packard HP-UX, Silicon Graphics, Inc. Irix and SCO Unixware are
also reportedly vulnerable.

V. WORKAROUND

If possible, remove the setuid bit from all applications linked to
libDtHelp. The command 'ldd' will display libraries linked with the
specified executable.

VI. VENDOR RESPONSE

Sun successfully addressed this issue with the patches described in Sun
Alert 57414. Specific vendor advisories addressing CAN-2003-0834 are
available in US-CERT Vulnerability Note VU#575804
(http://www.kb.cert.org/vuls/id/575804). It is believed that other
vendor patches for CAN-2003-0834 will protect against this new attack
vector.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2003-0834 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

03/04/2004   Initial vendor contact
             (Opengroup.org)
03/04/2004   iDEFENSE clients notified
03/31/2004   Initial vendor response
             (Opengroup.org - further coordination requested)
04/19/2004   Initial vendor contact
             (Hewlett-Packard, IBM, and Sun Microsystems)
04/19/2004   Initial vendor response (Sun Microsystems)
04/20/2004   Initial vendor response (Hewlett-Packard)
08/25/2004   Public disclosure

IX. CREDIT

iDEFENSE Labs is credited with discovering this vulnerability.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an as is condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
    

- Vulnerability information (F33921)

20040801_01_P.asc (PacketStormID:F33921)
2004-08-04 00:00:00
 
advisory,local,root
CVE-2003-0834

Two specific flaws may allow for local root exploit of systems with CDE (Common Desktop Environment) less than 5.3.4.

-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________

                          SGI Security Advisory

   Title:      libDtHelp and dtlogin vulnerabilities
   Number:     20040801-01-P
   Date:       August 3, 2004
   Reference:  SGI BUG 902695, CVE CAN-2003-0834, CERT VU#575804
   Reference:  SGI BUG 913116, CVE CAN-2004-0368, CERT VU#179804 
   Fixed in:   CDE 5.3.4
______________________________________________________________________________

SGI provides this information freely to the SGI user community for its
consideration, interpretation, implementation and use.   SGI recommends
that this information be acted upon as soon as possible.

SGI provides the information in this Security Advisory on an "AS-IS"
basis only, and disclaims all warranties with respect thereto, express,
implied or otherwise, including, without limitation, any warranty of
merchantability or fitness for a particular purpose.  In no event shall
SGI be liable for any loss of profits, loss of business, loss of data or
for any indirect, special, exemplary, incidental or consequential damages
of any kind arising from your use of, failure to use or improper use of
any of the instructions or information in this Security Advisory.
_____________________________________________________________________________

- -----------------------
- --- Issue Specifics ---
- -----------------------

It has been reported that there are two vulnerabilities in Common Desktop 
Environment (CDE) which can be used to obtain root user privileges:  

* 902695: libDtHelp has a buffer overflow
  http://www.kb.cert.org/vuls/id/575804 
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0834

* 913116: dtlogin double-free vulnerability
  http://www.kb.cert.org/vuls/id/179804 
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0368

A new CDE package has been released to address these vulnerabilities.

SGI has investigated the issue and recommends the following steps for
resolving this issue.  It is HIGHLY RECOMMENDED that these measures
be implemented on ALL vulnerable SGI systems.


- --------------
- --- Impact ---
- --------------

CDE is an optional product and is not installed by default.

To determine if CDE is installed, execute the following
command:

  # /usr/sbin/versions -b CDE

This will return a result similar to the following:

     Name                 Date        Description
  I  CDE                  5/11/03     Common Desktop Environment, 5.3.3


- ----------------
- --- Solution ---
- ----------------

SGI has provided a new CDE 5.3.4 inst package to address these security issues.
The new CDE 5.3.4 inst package is available on the IRIX 6.5.25 Applications 
CD or ftp://patches.sgi.com/support/free/security/patches/6.5.25/

         Version                      Vulnerable?   Other Actions
- ---------------------------------     -----------   -------------
Common Desktop Environment, 5.0        unknown      Note 1 
Common Desktop Environment, 5.1        unknown      Note 1
Common Desktop Environment, 5.2        unknown      Note 1
Common Desktop Environment, 5.3        unknown      Note 1
Common Desktop Environment, 5.3.1      unknown      Note 1
Common Desktop Environment, 5.3.2      unknown      Note 1
Common Desktop Environment, 5.3.3       yes         Notes 2 & 3
Common Desktop Environment, 5.3.4       no    


   NOTES

     1) This version of the CDE is not actively supported.
        Upgrade to an actively supported CDE package.
        See http://support.sgi.com/ for more information.

     2) Install the new CDE 5.3.4 inst package from IRIX 6.5.25 Applications 
        CD or ftp://patches.sgi.com/support/free/security/patches/6.5.25/

     3) libDtHelp vulnerability is also addressed with patch 5386,
        but does not include the dtlogin fix.


- ------------------------
- --- Acknowledgments ----
- ------------------------

SGI wishes to thank CERT, Dave Aitel and FIRST for their assistance 
in this matter.


- -------------
- --- Links ---
- -------------

SGI Security Advisories can be found at:
http://www.sgi.com/support/security/ and
ftp://patches.sgi.com/support/free/security/advisories/

Red Hat Errata: Security Alerts, Bugfixes, and Enhancements
http://www.redhat.com/apps/support/errata/

SGI Advanced Linux Environment security updates can found on:
ftp://oss.sgi.com/projects/sgi_propack/download/

SGI patches can be found at the following patch servers:
http://support.sgi.com/

The primary SGI anonymous FTP site for security advisories and 
security patches is ftp://patches.sgi.com/support/free/security/


- -----------------------------------------
- --- SGI Security Information/Contacts ---
- -----------------------------------------

If there are questions about this document, email can be sent to
security-info@sgi.com.

                      ------oOo------

SGI provides security information and patches for use by the entire SGI 
community.  This information is freely available to any person needing the
information and is available via anonymous FTP and the Web. 

The primary SGI anonymous FTP site for security advisories and patches is
patches.sgi.com.  Security advisories and patches are located under the URL
ftp://patches.sgi.com/support/free/security/

The SGI Security Headquarters Web page is accessible at the URL:
http://www.sgi.com/support/security/

For issues with the patches on the FTP sites, email can be sent to 
security-info@sgi.com.

For assistance obtaining or working with security patches, please
contact your SGI support provider.

                      ------oOo------

SGI provides a free security mailing list service called wiretap and 
encourages interested parties to self-subscribe to receive (via email) all 
SGI Security Advisories when they are released. Subscribing to the mailing 
list can be done via the Web
(http://www.sgi.com/support/security/wiretap.html) or by sending email to
SGI as outlined below.

% mail wiretap-request@sgi.com 
subscribe wiretap < YourEmailAddress such as midwatch@sgi.com > 
end
^d

In the example above, <YourEmailAddress> is the email address that you wish
the mailing list information sent to.  The word end must be on a separate
line to indicate the end of the body of the message. The control-d (^d) is
used to indicate to the mail program that you are finished composing the
mail message.


                      ------oOo------

SGI provides a comprehensive customer World Wide Web site. This site is 
located at http://www.sgi.com/support/security/ .

                      ------oOo------

If there are general security questions on SGI systems, email can be sent to
security-info@sgi.com.

For reporting *NEW* SGI security issues, email can be sent to
security-alert@sgi.com or contact your SGI support provider.  A support
contract is not required for submitting a security report.

______________________________________________________________________________
      This information is provided freely to all interested parties 
      and may be redistributed provided that it is not altered in any 
      way, SGI is appropriately credited and the document retains and 
      includes its valid PGP signature.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBQQ/1X7Q4cFApAP75AQHulwP/YS1mk8pTl6b9omxJdyDKfEwgaU+lSGqF
862cjLO9WdAbL+vH6IDtmOENU31TK0T6sbXXsYCetsHgytmHKwqT1Z8PFtnZoE/N
KvIb6nppfso5AmfRDU/gynlrudMirxZZp9t8H7EvjswMIzhkJuxDXfS8FH4i74fX
IYi14o1v3Fc=
=BP3a
-----END PGP SIGNATURE-----

    

- Vulnerability information

9186
CDE libDtHelp LOGNAME Local Overflow
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

A local overflow exists in the 'libDtHelp' library in CDE. The 'LOGNAME' environment variable fails to perform proper bounds checking resulting in a buffer overflow. By specifying an overly long LOGNAME, a malicious user can gain access to root privileges resulting in a loss of integrity.
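The iDEFENSE description above (section II) and this entry both describe the same defect class: an environment value such as LOGNAME copied into a fixed-size buffer with no length check. The following is an added illustration of that pattern, not code from libDtHelp or any vendor: an unbounded form shown for contrast, beside a bounded form that validates the untrusted value before it touches any buffer. The buffer sizes, the `/users/<name>/.dt/help` path format, and every function name are assumptions for illustration only.

```c
/* Added example (not libDtHelp's code): unbounded vs. bounded handling of an
 * environment value. Sizes, path format and names are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define USER_PATH_MAX 64   /* assumed fixed-size buffer; the real size is not on the page */
#define LOGNAME_MAX   32   /* assumed upper bound on an acceptable login name */

/* Vulnerable form: sprintf writes however many bytes LOGNAME supplies into a
 * 64-byte stack buffer. A value longer than the buffer overruns it, which is
 * the class of defect the advisory reports. Shown for contrast only; it is
 * never called in this file. */
void user_help_dir_unsafe(const char *logname, char *out)
{
    char path[USER_PATH_MAX];
    sprintf(path, "/users/%s/.dt/help", logname);   /* no bounds check */
    strcpy(out, path);
}

/* Hardened form: validate the untrusted value before building the path.
 * Returns 0 and fills 'out' on success; -1 if the value is missing, empty,
 * overlong, or contains a path separator. Overlong input is rejected rather
 * than silently truncated, so the caller cannot be steered to an unexpected
 * directory. */
int user_help_dir(const char *logname, char *out, size_t outsz)
{
    if (logname == NULL || out == NULL || outsz == 0)
        return -1;
    /* bounded scan: read at most LOGNAME_MAX + 1 bytes of the untrusted string */
    size_t len = 0;
    while (len <= LOGNAME_MAX && logname[len] != '\0')
        len++;
    if (len == 0 || len > LOGNAME_MAX)
        return -1;                               /* empty or overlong */
    if (memchr(logname, '/', len) != NULL)
        return -1;                               /* would escape the users directory */
    int n = snprintf(out, outsz, "/users/%s/.dt/help", logname);
    if (n < 0 || (size_t)n >= outsz)
        return -1;                               /* output buffer too small */
    return 0;
}

/* Returns the validated path in a static buffer, or NULL if rejected. */
const char *user_help_dir_or_null(const char *logname)
{
    static char out[USER_PATH_MAX];
    return user_help_dir(logname, out, sizeof out) == 0 ? out : NULL;
}

/* Reads LOGNAME from the environment the way a setuid program receives it. */
const char *help_dir_from_env(void)
{
    return user_help_dir_or_null(getenv("LOGNAME"));
}

/* Constructed sample input: a value far longer than LOGNAME_MAX, built at
 * run time so no long literal is needed. */
const char *constructed_overlong_logname(void)
{
    static char s[256];
    memset(s, 'A', sizeof s - 1);
    s[sizeof s - 1] = '\0';
    return s;
}

int main(void)
{
    const char *p;
    p = user_help_dir_or_null("alice");
    printf("alice    -> %s\n", p ? p : "(rejected)");
    p = user_help_dir_or_null(constructed_overlong_logname());
    printf("overlong -> %s\n", p ? p : "(rejected)");
    p = user_help_dir_or_null("../etc");
    printf("../etc   -> %s\n", p ? p : "(rejected)");
    p = help_dir_from_env();
    printf("LOGNAME  -> %s\n", p ? p : "(rejected or unset)");
    return 0;
}
```

The bounded scan reads no more than LOGNAME_MAX + 1 bytes of the environment string, so even the length check cannot be driven past the end of an unterminated value, and rejecting the separator closes the path-construction issue that a pure length check would leave open.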

- Timeline

2004-08-25 2004-03-04
2004-12-22 Unknown

- Solution

Contact your vendor for an appropriate patch.

- Related references

- Vulnerability author

- Vulnerability information

CDE LibDTHelp DTHelpUserSearchPath Local Buffer Overflow Vulnerability
Boundary Condition Error 8973
No Yes
2003-11-04 12:00:00 2009-07-12 12:56:00
Discovery credited to Kevin Kotas.

- Affected program versions

Sun Solaris 9_x86
Sun Solaris 9
Sun Solaris 8_x86
Sun Solaris 8_sparc
Sun Solaris 7.0_x86
Sun Solaris 7.0
SCO Unixware 7.1.3
SCO Unixware 7.1.1
SCO Open UNIX 8.0
HP HP-UX (VVOS) 11.0 4
HP HP-UX 11.23
HP HP-UX 11.22
HP HP-UX 11.11
HP HP-UX 11.0
Compaq Tru64 5.1 PK6 (BL20)
Compaq Tru64 5.1 PK5 (BL19)
Compaq Tru64 5.1 PK4 (BL18)
Compaq Tru64 5.1 PK3 (BL17)
Compaq Tru64 5.1
Compaq Tru64 5.0 f
Compaq Tru64 5.0 a PK3 (BL17)
Compaq Tru64 5.0 a
Compaq Tru64 5.0 PK4 (BL18)
Compaq Tru64 5.0 PK4 (BL17)
Compaq Tru64 5.0
Compaq Tru64 4.0 g PK4 (BL22)
Compaq Tru64 4.0 g PK3 (BL17)
Compaq Tru64 4.0 g
Compaq Tru64 4.0 f PK8 (BL22)
Compaq Tru64 4.0 f PK7 (BL18)
Compaq Tru64 4.0 f PK6 (BL17)
Compaq Tru64 4.0 f

- Vulnerability discussion

A problem has been identified in CDE libDtHelp. Because of this, it may be possible for a local attacker to gain elevated privileges.

- Exploitation

Raptor has made the following exploits available:

- Solution

Hewlett-Packard has released an updated advisory (HPSBUX0311-297 Rev. 2) to address this issue. Customers who are potentially affected by this vulnerability are advised to apply the appropriate patch as soon as possible. Further information regarding the application of these patches is available in the referenced advisory. Patches are linked below.

SCO has released advisory CSSA-2003-SCO.31 with fixes to address this issue.

Sun has released Alert ID 57414 with patches to address this issue. A final solution for all affected platforms is pending.

HP has released advisory SSRT3657 to address this issue in Tru64.

SGI has released advisory 20040801-01-P with fixes to address this issue. Please see the referenced advisory for further information.

HP has released a revised advisory (SSRT3657 rev.3) to address this issue. Please see the referenced advisory for more information.


Sun Solaris 7.0
Sun Solaris 9
Sun Solaris 9_x86
Sun Solaris 7.0_x86
Sun Solaris 8_x86
Sun Solaris 8_sparc
HP HP-UX 11.0
HP HP-UX (VVOS) 11.0 4
HP HP-UX 11.11
HP HP-UX 11.22
HP HP-UX 11.23
Compaq Tru64 5.1 PK4 (BL18)
Compaq Tru64 5.1
Compaq Tru64 5.1 PK3 (BL17)
Compaq Tru64 5.1 PK6 (BL20)
Compaq Tru64 5.1 PK5 (BL19)
SCO Unixware 7.1.1
SCO Unixware 7.1.3
SCO Open UNIX 8.0

- Related references

 

 
