CVE-2004-0368
CVSS 10.0
Published: 2004-05-04 00:00:00
Revised: 2008-09-10 15:25:58

[Original text] Double free vulnerability in dtlogin in CDE on Solaris, HP-UX, and other operating systems allows remote attackers to execute arbitrary code via a crafted XDMCP packet.


[CNNVD] CDE dtlogin XDMCP parser remote heap overflow vulnerability (CNNVD-200405-020)

        The Common Desktop Environment (CDE) is the standard desktop environment for UNIX systems.
        The XDMCP parser in dtlogin, which ships with CDE, has a heap overflow problem; a remote attacker can exploit it to execute arbitrary commands on the system with root privileges.
        The dtlogin utility lets users log in to a CDE session locally or remotely. Its implementation of the XDMCP protocol, used when a display is started with X -query host:port, frees the same heap chunk twice; a remote attacker can exploit this without authentication to execute arbitrary commands on the system with root privileges.
        

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may result in complete system outage]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: NETWORK [the attacker does not need intranet or local access]
Authentication: NONE [no authentication required to exploit]

- CWE (weakness category)

CWE-119 [Improper Restriction of Operations within the Bounds of a Memory Buffer]

- CPE (affected platforms and products)

cpe:/o:ibm:aix:5.1  IBM AIX 5.1
cpe:/a:open_group:cde_common_desktop_environment:2.0
cpe:/a:xi_graphics:dextop:3.0
cpe:/a:open_group:cde_common_desktop_environment:2.1
cpe:/a:open_group:cde_common_desktop_environment:1.0.1
cpe:/a:open_group:cde_common_desktop_environment:1.0.2
cpe:/o:ibm:aix:5.2  IBM AIX 5.2
cpe:/o:ibm:aix:4.3.3  IBM AIX 4.3.3
cpe:/a:open_group:cde_common_desktop_environment:2.1.20
cpe:/a:xi_graphics:dextop:2.1
cpe:/a:open_group:cde_common_desktop_environment:1.2
cpe:/a:open_group:cde_common_desktop_environment:1.1

- OVAL (technical details for detection)

oval:org.mitre.oval:def:1436  Solaris CDE DTLogin XDMCP Parser Remote Double Free Vulnerability
*OVAL describes the method for detecting this vulnerability in detail; see the corresponding OVAL definition for further technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0368
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0368
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200405-020
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/179804
(VENDOR_ADVISORY)  CERT-VN  VU#179804
http://xforce.iss.net/xforce/xfdb/15581
(VENDOR_ADVISORY)  XF  cde-dtlogin-double-free(15581)
http://www.securityfocus.com/bid/9958
(UNKNOWN)  BID  9958
http://www.immunitysec.com/downloads/dtlogin.sxw.pdf
(UNKNOWN)  MISC  http://www.immunitysec.com/downloads/dtlogin.sxw.pdf
http://www.ciac.org/ciac/bulletins/o-129.shtml
(UNKNOWN)  CIAC  O-129
http://www.auscert.org.au/render.html?it=4103&cid=3734
(UNKNOWN)  HP  HPSBUX01038
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57539-1&searchclause=security
(UNKNOWN)  SUNALERT  57539
http://sunsolve.sun.com/search/document.do?assetkey=1-26-101478-1
(UNKNOWN)  SUNALERT  101478
http://secunia.com/advisories/11614/
(VENDOR_ADVISORY)  SECUNIA  11614
http://secunia.com/advisories/11495/
(VENDOR_ADVISORY)  SECUNIA  11495
http://secunia.com/advisories/11214/
(VENDOR_ADVISORY)  SECUNIA  11214
http://secunia.com/advisories/11210/
(VENDOR_ADVISORY)  SECUNIA  11210
http://lists.immunitysec.com/pipermail/dailydave/2004-March/000402.html
(VENDOR_ADVISORY)  MLIST  [Dailydave] 20040323 dtlogin advisory
http://archives.neohapsis.com/archives/vulnwatch/2004-q1/0064.html
(VENDOR_ADVISORY)  VULNWATCH  20040323 how much fun can you have with UDP?
ftp://patches.sgi.com/support/free/security/advisories/20040801-01-P
(UNKNOWN)  SGI  20040801-01-P

- Vulnerability information

CDE dtlogin XDMCP parser remote heap overflow vulnerability
Critical  Design error
2004-05-04 00:00:00  2005-10-20 00:00:00
Remote

- Advisories and patches

        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * If you do not run any X Window System, or do not need dtlogin to manage any X servers, dtlogin can be shut down or removed:
        /etc/init.d/dtlogin stop # the dtlogin process must be stopped first.
        cd /etc/rc2.d
        mkdir Disabled
        mv S99dtlogin Disabled # prevents dtlogin from restarting on next boot.
        * If dtlogin must still manage X servers but XDMCP is not needed, as on a standalone workstation whose dtlogin does not need to manage any remote X servers, XDMCP can be disabled by setting the following in '/etc/dt/config/Xconfig':
        Dtlogin.requestPort: 0
        In addition, define a dtlogin access file listing the hosts that are permitted XDMCP service; create the access file and then point '/etc/dt/config/Xconfig' at it with the following parameter:
        Dtlogin.accessFile
        Vendor patches:
        IBM
        ---
        IBM has released a security advisory (APR-27-2004-DTLOGIN) and corresponding patches:
        APR-27-2004-DTLOGIN: dtlogin improperly handles some XDMCP requests.
        Patch downloads:
        IBM AIX 4.3.3:
        IBM APAR IY55362
        
        http://www-912.ibm.com/eserver/support/fixes/fcgui.jsp

        IBM AIX 5.1:
        IBM APAR IY55361
        
        http://www-912.ibm.com/eserver/support/fixes/fcgui.jsp

        IBM AIX 5.2:
        IBM APAR IY55360
        
        http://www-912.ibm.com/eserver/support/fixes/fcgui.jsp

        Sun
        ---
        The vendor has released upgrade patches to fix this security issue; please download them from the vendor's site:
        Sun Solaris 8.0 _x86:
        Sun Patch 108920-21
        
        http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=108919&rev=21

        Sun Solaris 8.0:
        Sun Patch 108919-21
        
        http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=108919&rev=21

        Sun Solaris 9.0 _x86:
        Sun Patch 114210-08
        
        http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=114210&rev=08

        Sun Solaris 9.0:
        Sun Patch 112807-09
        
        http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=112807&rev=09

- Vulnerability information (F37075)

SCOSA-2005.18.txt (PacketStormID:F37075)
2005-04-17 00:00:00

advisory,remote,denial of service,arbitrary,protocol
CVE-2004-0368

SCO Security Advisory - The CDE dtlogin utility has a double-free vulnerability in the X Display Manager Control Protocol (XDMCP). By sending a specially-crafted XDMCP packet to a vulnerable system, a remote attacker could obtain sensitive information, cause a denial of service or execute arbitrary code on the system.

______________________________________________________________________________

			SCO Security Advisory

Subject:		UnixWare 7.1.4 UnixWare 7.1.3 UnixWare 7.1.1 : CDE dtlogin unspecified double free
Advisory number: 	SCOSA-2005.18
Issue date: 		2005 April 7
Cross reference:	sr890079 fz529303 erg712592 CAN-2004-0368 CERT VU#179804
______________________________________________________________________________


1. Problem Description

	The Common Desktop Environment (CDE) dtlogin utility is
	used to log into a CDE session. The CDE dtlogin utility has
	a double-free vulnerability in the X Display Manager Control
	Protocol (XDMCP). By sending a specially-crafted XDMCP
	packet to a vulnerable system, a remote attacker could
	obtain sensitive information, cause a denial of service or
	execute arbitrary code on the system. 

	CERT Vulnerability Note VU#179804, Common Desktop Environment 
	(CDE) dtlogin improperly deallocates memory at 
	http://www.kb.cert.org/vuls/id/179804. 

	The Common Vulnerabilities and Exposures project (cve.mitre.org) 
	has assigned the name CAN-2004-0368 to this issue.


2. Vulnerable Supported Versions

	System				Binaries
	----------------------------------------------------------------------
	UnixWare 7.1.4 			/usr/dt/bin/dtgreet
					/usr/dt/bin/dtlogin
					/usr/dt/lib/libDtLogin.so.1

	UnixWare 7.1.3 			/usr/dt/bin/dtgreet
					/usr/dt/bin/dtlogin
					/usr/dt/lib/libDtLogin.so.1

	UnixWare 7.1.1 			See Maintenance Pack 5 notes
				
			
3. Solution

	The proper solution is to install the latest packages.

4. UnixWare 7.1.4

	4.1 Location of Fixed Binaries

	ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.18

	4.2 Verification

	MD5 (erg712592.pkg.Z) = d3714b22a624db25740f5539c063d407

	md5 is available for download from
		ftp://ftp.sco.com/pub/security/tools


	4.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following sequence:

	Download erg712592.pkg.Z to the /var/spool/pkg directory

	# uncompress /var/spool/pkg/erg712592.pkg.Z
	# pkgadd -d /var/spool/pkg/erg712592.pkg


5. UnixWare 7.1.3

	5.1 Location of Fixed Binaries

	ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.18


	5.2 Verification

	MD5 (erg712592.713.pkg.Z) = fc8d0c4f0ebdcf65504d1b4985c7ba52

	md5 is available for download from
		ftp://ftp.sco.com/pub/security/tools


	5.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following sequence:

	Download erg712592.713.pkg.Z to the /var/spool/pkg directory

	# uncompress /var/spool/pkg/erg712592.713.pkg.Z
	# pkgadd -d /var/spool/pkg/erg712592.713.pkg


6. UnixWare 7.1.1 uw711mp5

	6.1 Location of Fixed Binaries

	The fixes are available in SCO UnixWare Release 7.1.1
	Maintenance Pack 5 or later.  See

	ftp://ftp.sco.com/pub/unixware7/uw711pk/uw711mp5.txt
	and
	ftp://ftp.sco.com/pub/unixware7/uw711pk/uw711mp5_errata.txt

	6.2 Verification

	MD5 (uw711mp5.cpio.Z) = 50bd66b7d57b2025da9dca4010d0ab1a

	md5 is available for download from
		ftp://ftp.sco.com/pub/security/tools

	6.3 Installing Fixed Binaries

	See uw711mp5.txt and uw711mp5_errata.txt for install instructions.


7. References

	Specific references for this advisory:
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0368

	SCO security resources:
		http://www.sco.com/support/security/index.html

	SCO security advisories via email
		http://www.sco.com/support/forums/security.html

	This security fix closes SCO incidents sr890079 fz529303
	erg712592.


8. Disclaimer

	SCO is not responsible for the misuse of any of the information
	we provide on this website and/or through our security
	advisories. Our advisories are a service to our customers
	intended to promote secure installation and use of SCO
	products.


9. Acknowledgments

	SCO would like to thank Dave Aitel

______________________________________________________________________________


- Vulnerability information

4556
CDE dtlogin XDMCP Parsing

- Vulnerability description

Unknown or Incomplete

- Timeline

2004-03-25 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Common Desktop Environment DTLogin XDMCP Parser Remote Double Free Vulnerability
Design Error 9958
Yes No
2004-03-23 12:00:00 2009-07-12 03:06:00
Discovery of this issue is credited to Dave Aitel <dave@immunitysec.com>.

- Affected program versions

Xi Graphics DeXtop 3.0
Xi Graphics DeXtop 2.1
Sun Solaris 9_x86
Sun Solaris 9
Sun Solaris 8_x86
Sun Solaris 8_sparc
Sun Solaris 7.0_x86
Sun Solaris 7.0
SCO Unixware 7.1.4
SCO Unixware 7.1.3
SCO Unixware 7.1.1
Open Group CDE Common Desktop Environment 2.1 20
Open Group CDE Common Desktop Environment 2.1
+ Sun Solaris 9_x86 Update 2
+ Sun Solaris 9_x86
+ Sun Solaris 9
Open Group CDE Common Desktop Environment 2.0
Open Group CDE Common Desktop Environment 1.2
Open Group CDE Common Desktop Environment 1.1
Open Group CDE Common Desktop Environment 1.0.2
Open Group CDE Common Desktop Environment 1.0.1
IBM AIX 4.3.3
IBM AIX 5.2
IBM AIX 5.1
HP HP-UX 11.23
HP HP-UX 11.22
HP HP-UX 11.11
HP HP-UX 11.0 4
HP HP-UX 11.0
Avaya Interactive Response
Avaya CMS Server 11.0
Avaya CMS Server 9.0
Avaya CMS Server 8.0

- Vulnerability discussion

It has been reported that a double free vulnerability exists in the dtlogin process of CDE. This issue presents itself due to the free() function being called on the same allocated chunk of memory more than once. This problem occurs prior to any authorization.

Successful exploitation of this issue could lead to the corruption of an arbitrary location in memory, ultimately allowing for the attacker to control the execution flow of the affected process.

- Exploit

It has been reported that an exploit has been developed to leverage this issue, although it is currently not publicly available.

CORE has developed a working commercial exploit for their IMPACT
product. This exploit is not otherwise publicly available or known
to be circulating in the wild.

- Solution

SCO has released an advisory (SCOSA-2005.18) and fixes to address this issue for UnixWare platforms. Please see the referenced advisory for further information.

Sun has released an updated Security Bulletin (Sun Alert ID: 57539) for this issue that includes fix information for Solaris 7, 8 and 9. Fixes are referenced below.

Avaya has released an advisory that acknowledges this vulnerability in Avaya IR (Interactive Response) and CMS systems. Avaya recommends that customers disable the XDMCP service to work around this issue; this can be accomplished as follows:
From the command line run:
cp /usr/dt/config/Xconfig /etc/dt/config/Xconfig
vi /etc/dt/config/Xconfig
Uncomment the line that reads:
"# Dtlogin.requestPort: 0"
Restart the dtlogin server:
/etc/rc2.d/S99dtlogin stop
/etc/rc2.d/S99dtlogin start
Avaya report that fixes may be available in the future, further information can be found in the advisory at the following location:
http://support.avaya.com/japple/css/japple?temp.groupID=128450&temp.selectedFamily=128451&temp.selectedProduct=154235&temp.selectedBucket=126655&temp.feedbackState=askForFeedback&temp.documentID=195188&PAGE=avaya.css.CSSLvl1Detail&executeTransaction=avaya.css.UsageUpdate()
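The CNNVD workaround earlier on this page and the Avaya workaround above both reduce to the same edit: an uncommented `Dtlogin.requestPort: 0` (optionally with `Dtlogin.accessFile`) in `/etc/dt/config/Xconfig`. As an added example, not code from the page or from any vendor, this Python check parses an Xconfig fragment and reports whether the mitigation is actually in place; the two Xconfig samples are constructed, and the check treats both `#` and `!` as comment markers.

```python
import re

# Constructed Xconfig samples (not copied from any real system).
# A stock Xconfig ships the mitigation commented out, so XDMCP stays enabled.
XCONFIG_DEFAULT = """\
# Dtlogin.requestPort: 0
Dtlogin.errorLogFile: /var/dt/Xerrors
"""

# A hardened Xconfig: requestPort active and set to 0, plus an access file.
XCONFIG_HARDENED = """\
Dtlogin.requestPort: 0
Dtlogin.accessFile: Xaccess
"""

# X resource syntax: "Dtlogin.name: value" (tight) or "Dtlogin*name: value" (loose).
RESOURCE_RE = re.compile(r"^\s*Dtlogin[.*](\w+)\s*:\s*(.*?)\s*$")


def parse_xconfig(text):
    """Return a dict of the active (uncommented) Dtlogin resources in an Xconfig."""
    resources = {}
    for line in text.splitlines():
        stripped = line.strip()
        # Blank lines and comments ('#' as used in Xconfig, '!' as in X resource files)
        if not stripped or stripped[0] in "#!":
            continue
        match = RESOURCE_RE.match(line)
        if match:
            resources[match.group(1)] = match.group(2)
    return resources


def xdmcp_disabled(text):
    """True only when Dtlogin.requestPort is active and set to 0 (dtlogin stops listening for XDMCP)."""
    return parse_xconfig(text).get("requestPort") == "0"


def audit_xconfig(text):
    """Return a list of findings; an empty list means the workaround is fully applied."""
    resources = parse_xconfig(text)
    findings = []
    if resources.get("requestPort") != "0":
        findings.append("Dtlogin.requestPort is not 0: dtlogin still accepts XDMCP requests")
    if "accessFile" not in resources:
        findings.append("Dtlogin.accessFile is not set: no XDMCP host access list")
    return findings
```

Run it against the real file with `audit_xconfig(open("/etc/dt/config/Xconfig").read())`; a commented-out `# Dtlogin.requestPort: 0` is reported as not applied, which is exactly the state a stock Xconfig is in.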

IBM has released an advisory (APR-27-2004-DTLOGIN) and APARs to address this issue. Customers are advised to apply an appropriate APAR as soon as possible. Further information regarding obtaining and applying APARs can be found in the referenced advisory.

Sun has released a Security Bulletin for this issue that includes fix information. This bulletin has also been revised to include fixes for Solaris 9.0.

HP has released advisory HPSBUX01038 - SSRT4721 dealing with this issue. Please see the referenced advisory for more information and details on obtaining fixes.

Sun has released an update to their security bulletin providing an expanded workaround/relief section. Please see the referenced web advisory for more information.

SGI has released advisory 20040801-01-P with fixes to address this issue. Please see the referenced advisory for further information.
