CVE-2004-0716
CVSS 10.0
Published: 2004-08-06 00:00:00
Revised: 2008-10-24 00:32:30

[Original] Buffer overflow in the DCE daemon (DCED) for the DCE endpoint mapper (epmap) on HP-UX 11 allows remote attackers to execute arbitrary code via a request with a small fragment length and a large amount of data.


[CNNVD] HP dced Remote Buffer Overflow Vulnerability (CNNVD-200408-040)

        HP-UX is a UNIX operating system developed by HP; its DCE component is used to develop and deploy secure, enterprise-class distributed computing applications.
        HP-UX's implementation of the DCE endpoint mapper (epmap), served by the dced daemon on TCP port 135, contains a buffer overflow. A remote attacker can exploit it without authentication to execute arbitrary code with the privileges of the DCED process, which typically runs as root.
        The attacker sends a request that declares a small fragment length and then follows it with a very large amount of stub data; DCED overflows a buffer while handling it, and carefully constructed data can turn the overflow into arbitrary code execution as the DCED user.

- CVSS (base score)

CVSS score: 10 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can bring the system down completely]
Access complexity: LOW [no special access conditions needed to exploit]
Attack vector: NETWORK [remote, over TCP port 135 per the advisory below]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0716
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0716
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200408-040
(official data source) CNNVD

- Other links and resources

http://support.entegrity.com/private/patches/dce/ssrt4741.asp
(PATCH)  CONFIRM  http://support.entegrity.com/private/patches/dce/ssrt4741.asp
http://www.atstake.com/research/advisories/2004/a072204-1.txt
(UNKNOWN)  ATSTAKE  A072204-1

- Vulnerability information

HP dced Remote Buffer Overflow Vulnerability
Critical    Unknown
Published: 2004-08-06 00:00:00    Updated: 2006-03-28 00:00:00
Remote

- Advisories and patches

        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measure to reduce the threat:
        * Shut down the DCED daemon.
        Vendor patches:
        HP
        --
        The vendor has released patches to fix this issue; download them from the vendor's site:
        OS: HP HP-UX 11:
        Patch: B.11.00 - PHSS_29963
         B.11.11 - PHSS_29964
         B.11.23 - PHSS_29966
        OS: HP Tru64
        Patch:
        http://support.entegrity.com/private/patches/dce/ssrt4741.asp

        OS: HP OpenVMS
         HP OpenVMS Alpha Version: Patch Kit name:
         HP OpenVMS Alpha V7.3-2 VMS732_RPC-V0300
         HP OpenVMS Alpha V7.3-1 VMS731_RPC-V0400
         HP OpenVMS Alpha V7.3 VMS73_RPC-V0400
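To check an HP-UX 11 host against the patch list above, the following added shell snippet (written for this page, not HP tooling) maps the release string from `uname -r` to the PHSS patch named in HPSBUX0311-299 and looks for it in the output of `swlist -l product`. The swlist text is constructed; swlist and uname are real HP-UX commands, but the exact output format shown is an assumption, and only the patch ID itself is matched.

```sh
#!/bin/sh
# Added example (not HP's tooling): map an HP-UX 11 release to the dced
# patch from HPSBUX0311-299 and check whether `swlist -l product` output
# shows it installed. The swlist text below is constructed.

# required_patch RELEASE: print the patch for a `uname -r` string such as
# B.11.11; fail with no output for releases the bulletin does not cover.
required_patch() {
    case "$1" in
        B.11.00) echo PHSS_29963 ;;
        B.11.11) echo PHSS_29964 ;;
        B.11.23) echo PHSS_29966 ;;
        *)       return 1 ;;
    esac
}

# is_patched RELEASE SWLIST_OUTPUT: 0 if the required patch is listed,
# 1 if it is missing, 2 if the release is not covered. Only the exact
# patch ID is matched; a later patch that supersedes it would have to be
# checked against the ITRC supersession chain separately.
is_patched() {
    patch=$(required_patch "$1") || return 2
    printf '%s\n' "$2" | grep -q "^[[:space:]]*$patch[[:space:]]"
}

# Constructed stand-in for `swlist -l product` on a B.11.11 host.
SAMPLE_SWLIST='# Initializing...
# Contacting target "hpbox"...
  PHCO_29109    1.0    libc cumulative patch
  PHSS_29964    1.0    DCE/9000 Runtime patch'

if is_patched B.11.11 "$SAMPLE_SWLIST"; then
    echo "B.11.11 sample: $(required_patch B.11.11) installed"
else
    echo "B.11.11 sample: dced patch missing"
fi

# On a real host:
#   is_patched "$(uname -r)" "$(swlist -l product)" && echo patched
# and, where dced has been shut down as a workaround, confirm nothing
# is still listening on the epmap port:
#   netstat -an | grep '\.135 .*LISTEN'
```

The release-to-patch mapping is deliberately strict: B.11.xx releases other than the three in the bulletin return "not covered" rather than silently passing, so a host running something else is flagged for manual review instead of being reported as patched.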

- Vulnerability information (F33854)

Atstake Security Advisory 04-07-22.1 (PacketStormID:F33854)
2004-07-23 00:00:00
Atstake, Jeremy Jethro  atstake.com
advisory,overflow,arbitrary,root,tcp
CVE-2004-0716

Atstake Security Advisory A072204-1 - A buffer overflow vulnerability was discovered in HP's implementation of the DCE endpoint mapper (epmap) which listens by default on TCP port 135. Successful exploitation of this vulnerability may allow an attacker to execute arbitrary commands on the targeted system with the privileges of the DCED process which is typically run as the root user.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



                                @stake, Inc.
                              www.atstake.com

                             Security Advisory

Advisory Name: HP dced Remote Command Execution 
 Release Date: 07/22/2004
  Application: dced
     Platform: HPUX 11
               HP Tru64
               HP OpenVMS
     Severity: A remote attacker can execute arbitrary commands
      Authors: Jeremy Jethro [jjethro@si.rr.com]
Vendor Status: Vendor has patches
CVE Candidate: CAN-2004-0716
    Reference: www.atstake.com/research/advisories/2004/a072204-1.txt


Overview:

A buffer overflow vulnerability was discovered in HP's implementation
of the DCE endpoint mapper (epmap) which listens by default on TCP
port 135.  Successful exploitation of this vulnerability may allow
an attacker to execute arbitrary commands on the targeted system
with the privileges of the DCED process which is typically run as
the root user.  


Details:

There is a buffer overflow in HP's DCED implementation that can be
triggered by specifying a small fragment length, and sending a large
amount of stub data. 

A Nessus (NASL) script that can detect vulnerable DCED daemons will
be released 30 days after the publication of this advisory.


Timeline:


Vendor notified on 4/23/2004 via email to security-alert@hp.com 

Vendor responded on 4/29/2004 that current patched version of 
HP-UX 11 with patches noted in bulletin HPSBUX0311-299 fixed this
issue. However, vendor noted that this issue affected other dced
implementations and suggested notifying US-CERT so all 
vendors may test their code.

US-CERT notified on 5/3/2004

US-CERT responded on 5/7/2004 and issued tracking number VU#259796

HP releases Tru64 security bulletin on 6/21/2004

HP releases OpenVMS security bulletin on 7/14/2004

US-CERT confirms that it knows of no other vendors that were
notified of issue VU#259796 that are vulnerable to same issue on
7/20/2004

Advisory released 7/22/2004



Vendor Response: 

OS: HP HP-UX 11 (Issue fixed prior to notification from @stake)

Bulletin: HPSBUX0311-299: SSRT3660 DCE (Rev.01) 

Patch: B.11.00 - PHSS_29963
       B.11.11 - PHSS_29964
       B.11.23 - PHSS_29966

       The patches are available on <http://itrc.hp.com>


OS: HP Tru64

Bulletin: SSRT4741 rev.0 DCE for HP Tru64 UNIX Potential RPC
          Buffer Overrun Attack 

Patch: http://support.entegrity.com/private/patches/dce/ssrt4741.asp


OS: HP OpenVMS

Bulletin: SSRT4741 Rev.1 DCE for HP OpenVMS Potential RPC Buffer
          Overrun Attack

      HP is releasing the following patch kits to resolve this
      issue and are available from the ITRC at
      http://www2.itrc.hp.com/service/patch/mainPage.do
      Search for the patch kit name as shown.

      HP OpenVMS Alpha Version: Patch Kit name:

      HP OpenVMS Alpha V7.3-2 VMS732_RPC-V0300
      HP OpenVMS Alpha V7.3-1 VMS731_RPC-V0400
      HP OpenVMS Alpha V7.3 VMS73_RPC-V0400 


@stake Recommendation:

Disable dced if not necessary.  If required install vendor patches.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned 
the following names to these issues.  These are candidates for 
inclusion in the CVE list (http://cve.mitre.org), which standardizes 
names for security problems.

  CAN-2004-0716 HP dced Remote Command Execution

@stake Vulnerability Reporting Policy: 
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

Copyright 2004 @stake, Inc. All rights reserved.







-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3 - not licensed for commercial use: www.pgp.com

iQA/AwUBQP/3DUe9kNIfAm4yEQLzEwCg60XUutO7NbMPIS3usaKynS806S4AoJtx
ufrEUVgpDaNJsuvh/vK6YBAl
=Vnwi
-----END PGP SIGNATURE-----
    

- Vulnerability information

8188
HP DCED epmap Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity

- Vulnerability description

Hewlett Packard HP-UX, Tru64 and OpenVMS contain a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the DCED implementation's endpoint mapper (epmap) not validating the stub data in a request against the fragment length the request declares. This allows an unauthenticated attacker to send a specially crafted request to TCP port 135 that overflows a buffer and executes arbitrary commands with the privileges of the running daemon, typically root.

- Timeline

2004-07-22 2004-04-23
Unknown Unknown

- Solution

Hewlett-Packard has released patches for HP-UX 11, Tru64 and OpenVMS to address this vulnerability (see the patch list above). The only known workaround is to disable dced where it is not required.
