CVE-2004-0780
CVSS 7.2
Published: 2004-12-31 00:00:00
Last revised: 2011-03-07 21:16:15

[Original] Buffer overflow in uustat in Sun Solaris 8 and 9 allows local users to execute arbitrary code via a long -S command line argument.


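[CNNVD] Sun Solaris UUSTAT Local Buffer Overflow Vulnerability (CNNVD-200412-476)

        A buffer overflow vulnerability exists in uustat in Sun Solaris 8 and 9. Local users can execute arbitrary code via a long -S command line argument.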

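- CVSS (Base Score)

CVSS score: 7.2 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]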

- CPE (Affected Platforms and Products)

cpe:/o:sun:solaris:9.0::sparc
cpe:/o:sun:solaris:8.0
cpe:/o:sun:solaris:9.0::x86
cpe:/o:sun:solaris:8.0::x86

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0780
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0780
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-476
(Official data source) CNNVD

- Other Links and Resources

http://www.securityfocus.com/bid/16193
(PATCH)  BID  16193
http://sunsolve.sun.com/search/document.do?assetkey=1-26-101933-1
(VENDOR_ADVISORY)  SUNALERT  101933
http://secunia.com/advisories/18371
(VENDOR_ADVISORY)  SECUNIA  18371
http://www.vupen.com/english/advisories/2006/0113
(UNKNOWN)  VUPEN  ADV-2006-0113
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=366
(VENDOR_ADVISORY)  IDEFENSE  20060110 Sun Solaris uustat Buffer Overflow Vulnerability
http://xforce.iss.net/xforce/xfdb/24045
(UNKNOWN)  XF  solaris-uustat-bo(24045)
http://support.avaya.com/elmodocs2/security/ASA-2006-056.htm
(UNKNOWN)  CONFIRM  http://support.avaya.com/elmodocs2/security/ASA-2006-056.htm
http://securitytracker.com/id?1015455
(UNKNOWN)  SECTRACK  1015455
http://secunia.com/advisories/19087
(UNKNOWN)  SECUNIA  19087

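- Vulnerability Information

Sun Solaris UUSTAT Local Buffer Overflow Vulnerability
High risk  Buffer overflow
2004-12-31 00:00:00 2006-01-13 00:00:00
Local
        A buffer overflow vulnerability exists in uustat in Sun Solaris 8 and 9. Local users can execute arbitrary code via a long -S command line argument.

- Advisories and Patches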

        Sun has released an advisory (Sun Alert ID: 101933) and patches to address this issue.
        Please see the referenced vendor advisories for further information.
        Sun Solaris 8_x86
        
        Sun Solaris 8
        
        Sun Solaris 9
        
        Sun Solaris 9_x86
        

- Vulnerability Information (F42968)

iDEFENSE Security Advisory 2006-01-10.t (PacketStormID:F42968)
2006-01-11 00:00:00
iDefense Labs,Angelo Rosiello  idefense.com
advisory,overflow
solaris
CVE-2004-0780

iDefense Security Advisory 01.10.06 - There exists a buffer overflow vulnerability in the /usr/bin/uustat binary in Sun Solaris 5.8 and 5.9.

Sun Solaris uustat Buffer Overflow Vulnerability

iDefense Security Advisory 01.10.06
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=366
January 10, 2006

I. BACKGROUND

The uustat binary (part of the uucp project) is used to display or
cancel uucp requests as well as to provide general status on uucp
connections to other systems.

II. DESCRIPTION

There exists a buffer overflow vulnerability in the /usr/bin/uustat
binary in Sun Solaris 5.8 and 5.9.

The uustat binary is installed setuid "uucp" by default on Solaris. The
"-S" command line argument causes the binary to crash when followed
with a string that is greater than or equal to 1152 bytes in length.

The following shows the buffer being overflowed and then the o1
register being completely overwritten with the letter 'A':

bash-2.03% ls -l /usr/bin/uustat
---s--x--x   1 uucp     uucp    62012 Jan 17 16:07 uustat

bash-2.03$ /usr/bin/uustat -S `perl -e 'print "A"x3000'`
Segmentation Fault
bash-2.03$
(gdb) info registers
g0             0x0      0
g1             0xff315e98       -13541736
g2             0x1cc00  117760
g3             0x440    1088
g4             0x0      0
g5             0x0      0
g6             0x0      0
g7             0x0      0
o0             0xff3276a8       -13470040
o1             0x41414141       1094795585
...

III. ANALYSIS

By exploiting this buffer overflow, an attacker can potentially gain
control of the return address of the executing function, allowing
arbitrary code execution with "uucp" privileges.

IV. DETECTION

Solaris 8 and 9 running on SPARC and x86 architectures are
vulnerable.

V. WORKAROUND

iDefense is currently unaware of any workarounds for this issue.

VI. VENDOR RESPONSE

The vendor has released the following advisory to address this issue:

  http://sunsolve.sun.com/search/document.do?assetkey=1-26-101933-1

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-0780 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

08/11/2004   Initial vendor contact
08/11/2004   Initial vendor response
01/10/2006   Coordinated public disclosure

IX. CREDIT

Angelo Rosiello (http://www.rosiello.org) is credited with discovering
this vulnerability.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright (c) 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
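
Added example, not part of the iDefense advisory or of any Sun code: a Python check that flags uustat executions whose -S value reaches the 1152-byte crash length the advisory reports. The record shape (an id plus an argv list), the sample records and the function names are assumptions made for illustration.

```python
import os

# From the advisory: a "-S" string of >= 1152 bytes crashes uustat.
CRASH_LEN = 1152


def s_option_values(argv):
    """Collect values given to -S, as `-S value` or the attached `-Svalue` form.

    Assumption: other options' arguments are not modelled, so a literal "-S"
    passed as another option's argument is also treated as the -S option.
    """
    values, i = [], 1  # argv[0] is the program path
    while i < len(argv):
        arg = argv[i]
        if arg == "--":  # conventional end of options
            break
        if arg == "-S":
            if i + 1 < len(argv):
                values.append(argv[i + 1])
                i += 1  # skip the value just consumed
        elif arg.startswith("-S"):
            values.append(arg[2:])
        i += 1
    return values


def flag_uustat(records, threshold=CRASH_LEN):
    """Return (record id, longest -S length in bytes) for each flagged record."""
    hits = []
    for rec_id, argv in records:
        if not argv or os.path.basename(argv[0]) != "uustat":
            continue
        lengths = [len(os.fsencode(v)) for v in s_option_values(argv)]
        if lengths and max(lengths) >= threshold:
            hits.append((rec_id, max(lengths)))
    return hits


# Constructed sample exec records (id, argv); not real audit data.
SAMPLE = [
    (1, ["/usr/bin/uustat", "-a"]),
    (2, ["/usr/bin/uustat", "-S", "qr"]),
    (3, ["/usr/bin/uustat", "-S", "A" * 3000]),
    (4, ["uustat", "-S" + "B" * 1152]),
    (5, ["/usr/bin/uustat", "-S", "C" * 1151]),
    (6, ["/usr/bin/uulog", "-S", "D" * 4000]),
]

if __name__ == "__main__":
    for rec_id, length in flag_uustat(SAMPLE):
        print(f"record {rec_id}: uustat -S argument of {length} bytes")
```

The threshold parameter can be lowered to catch arguments that are abnormally long but below the reported crash length.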

    

- Vulnerability Information

22304
Solaris uustat -S Parameter Local Overflow
Local Access Required Input Manipulation
Loss of Integrity Patch / RCS
Exploit Private Vendor Verified, Coordinated Disclosure

- Vulnerability Description

- Timeline

2006-01-10 2005-08-11
Unknown 2006-01-10

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Oracle (formerly Sun Microsystems) has released a patch to address this vulnerability.

- Related References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

Sun Solaris UUSTAT Local Buffer Overflow Vulnerability
Boundary Condition Error 16193
No Yes
2006-01-10 12:00:00 2009-07-12 05:56:00
Discovered by Angelo Rosiello.

- Affected Program Versions

Sun Solaris 9_x86
Sun Solaris 9
Sun Solaris 8_x86
Sun Solaris 8_sparc
Avaya Interactive Response 1.3
Avaya Interactive Response 1.2.1
Avaya Interactive Response
Avaya CMS Server 13.0
Avaya CMS Server 12.0
Avaya CMS Server 11.0
Avaya CMS Server 10.0
Avaya CMS Server 9.0

- Vulnerability Discussion

Sun Solaris 'uustat' utility is prone to a local buffer-overflow vulnerability.

An attacker can exploit this issue to execute arbitrary code and gain 'uucp' user privileges that correspond to user ID 5 by default.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

Sun has released an advisory (Sun Alert ID: 101933) and patches to address this issue.

Please see the referenced vendor advisories for further information.


Sun Solaris 8_x86

Sun Solaris 8_sparc

Sun Solaris 9

Sun Solaris 9_x86

- Related References

 

 
