CVE-2004-0828
CVSS2.1
Published: 2004-11-03 00:00:00
Revised: 2008-09-05 16:39:32

[Original] The ctstrtcasd program in RSCT 2.3.0.0 and earlier on IBM AIX 5.2 and 5.3 does not properly drop privileges before executing the -f option, which allows local users to modify or create arbitrary files.


[CNNVD] IBM AIX ctstrtcasd Local File Corruption Vulnerability (CNNVD-200411-007)

IBM AIX is a commercial operating system.

IBM AIX ctstrtcasd has an input validation problem; a local attacker can exploit this vulnerability to corrupt arbitrary system files or to create arbitrary files.

ctstrtcasd is part of the IBM AIX RSCT system and is installed setuid root. If a user specifies a file with the -f option, the contents of that file are overwritten with 65,535 bytes of the application's trace data. If the file does not exist, it is created. Both the file creation and the overwrite are performed with root privileges, so an attacker can use this to corrupt or create system files.

- CVSS (Base Score)

CVSS score: 2.1 [LOW]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: PARTIAL [may lead to modification of system files]
Availability impact: NONE [no impact on system availability]
Access complexity: LOW [exploitation has no access restrictions]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/o:ibm:aix:5.2  IBM AIX 5.2
cpe:/o:ibm:aix:5.3  IBM AIX 5.3

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0828
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0828
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200411-007
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/17514
(VENDOR_ADVISORY)  XF  ctstrtcasd-file-overwrite(17514)
http://www.securityfocus.com/bid/11264
(UNKNOWN)  BID  11264
http://securitytracker.com/id?1011429
(UNKNOWN)  SECTRACK  1011429
http://secunia.com/advisories/12664/
(UNKNOWN)  SECUNIA  12664

- Vulnerability information

IBM AIX ctstrtcasd Local File Corruption Vulnerability
Low severity  Access Validation Error
2004-11-03 00:00:00 2005-10-20 00:00:00
Local

- Advisories and patches

Temporary workaround:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measure to reduce the threat:
* chmod 555 /usr/sbin/rsct/bin/ctstrtcasd

Vendor patch:
IBM
---
The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage:
https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs

- Vulnerability information (F34505)

iDEFENSE Security Advisory 2004-09-27.t (PacketStormID:F34505)
2004-10-01 00:00:00
iDefense Labs  idefense.com
advisory,arbitrary,local
aix
CVE-2004-0828

iDEFENSE Security Advisory 09.27.04 - Local exploitation of an input validation vulnerability in the ctstrtcasd command included by default in multiple versions of AIX could allow for the corruption or creation of arbitrary files anywhere on the system.

IBM AIX ctstrtcasd Local File Corruption Vulnerability

iDEFENSE Security Advisory 09.27.04
www.idefense.com/application/poi/display?id=144&type=vulnerabilities
September 27, 2004

I. BACKGROUND

The ctstrtcasd program is a setuid root application, installed by 
default under newer versions of IBM AIX. It is part of the Reliable 
Scalable Cluster Technology (RSCT) system.  It is also installed with 
multiple IBM products under Linux, including IBM Tivoli System 
Automation, IBM Cluster Systems Management, IBM Hardware Management 
Console, and IBM General Parallel File System.

II. DESCRIPTION

Local exploitation of an input validation vulnerability in the
ctstrtcasd command included by default in multiple versions of IBM Corp.
AIX could allow for the corruption or creation of arbitrary files
anywhere on the system.

If a user specifies a file with the -f option, the contents of that file
will be overwritten with 65,535 bytes of application trace data. If the
file doesn't exist, it will be created. The file creation/overwrite is
done with root privileges, thus allowing an attacker to cause a denial
of service condition by damaging the file system or by filling the drive
with 65,535 byte files.

III. ANALYSIS

All that is required to exploit this vulnerability is a local account. 
Exploitation does not require any knowledge of application internals,
making exploitation trivial, even for unskilled attackers. It
is not evident that privilege escalation is possible through abuse of
this.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in IBM AIX 
5.2. IBM has reported that RSCT versions 2.3.0.0 and greater are 
affected, for AIX 5.2 and 5.3 on pSeries; AIX on i5/OS (iSeries); RSCT 
on Linux (pSeries, xSeries, zSeries), and the pSeries Hardware 
Management Console. Products shipping and installing these affected
versions of RSCT as reported by IBM are as follows:
 
  IBM AIX 5L Version 5.2 on pSeries
  IBM AIX 5L Version 5.3 on pSeries
  IBM AIX 5L Version 5.2, 5.3 on an i5/OS (iSeries) partition
  IBM Tivoli System Automation (TSA) for Linux 1.1
  IBM Tivoli System Automation (TSA) for Multiplatforms 1.2
  IBM Cluster Systems Management (CSM) for Linux Version 1.4
     (version 1.4 and greater)
  IBM Hardware Management Console (HMC) for pSeries Version 3
  IBM Hardware Management Console (HMC) for pSeries Version 4
  IBM General Parallel File System (GPFS) Version 2 Release 2
      on Linux for xSeries and Linux for pSeries 

V. WORKAROUND

Only allow trusted users local access to security critical systems.
Alternately, remove the setuid bit from ctstrtcasd using chmod 555
/usr/sbin/rsct/bin/ctstrtcasd.

VI. VENDOR RESPONSE

"Apply the workarounds or APARs as described [in the associated IBM
Security Alert].

If you would like to receive AIX Security Advisories via email, please
visit:

   https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs"

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-0828 to this issue. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.
 
VIII. DISCLOSURE TIMELINE 
 
08/11/2004   Initial vendor notification
08/25/2004   Secondary vendor notification
08/26/2004   Vendor response 
09/27/2004   Coordinated public disclosure 
 
IX. CREDIT 
 
iDEFENSE Labs is credited with this discovery. 
 
Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
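The workaround in sections V and the CNNVD entry is to clear the setuid bit on the binary. The following POSIX shell script is an added audit helper, not code from the iDEFENSE advisory or from IBM: it reports whether the ctstrtcasd binary at the path named on the page still carries the setuid bit and, when run with --fix, applies the advisory's chmod 555. The CTSTRTCASD variable and the --fix flag are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the CVE-2004-0828 workaround state of ctstrtcasd.
# Path below is the one given in the advisory; override via CTSTRTCASD=... (assumed knob).
CTSTRTCASD=${CTSTRTCASD:-/usr/sbin/rsct/bin/ctstrtcasd}

# is_setuid PATH -> exit 0 if PATH is a regular file with the setuid bit set,
# 1 if present without setuid, 2 if the file is missing.
is_setuid() {
    [ -f "$1" ] || return 2
    # POSIX find: -perm -4000 matches when the setuid bit is present; works on AIX and Linux
    [ -n "$(find "$1" -prune -perm -4000 -print 2>/dev/null)" ]
}

# check_ctstrtcasd PATH -> prints one status line; exit 0 = safe or not installed,
# exit 1 = still setuid (workaround not applied).
check_ctstrtcasd() {
    if [ ! -f "$1" ]; then
        echo "NOT INSTALLED: $1"
        return 0
    fi
    if is_setuid "$1"; then
        echo "VULNERABLE: $1 is setuid (CVE-2004-0828 workaround not applied)"
        return 1
    fi
    echo "OK: $1 is not setuid"
    return 0
}

# apply_workaround PATH -> chmod 555 exactly as the advisory recommends, only if needed.
apply_workaround() {
    is_setuid "$1" || return 0
    chmod 555 "$1" && echo "Applied chmod 555 to $1"
}

if [ "${1:-}" = "--fix" ]; then
    apply_workaround "$CTSTRTCASD"
fi
check_ctstrtcasd "$CTSTRTCASD"
```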
    

- Vulnerability information

10368
IBM RSCT ctstrtcasd -f Option Arbitrary File Corruption
Local Access Required Denial of Service, Input Manipulation
Loss of Availability
Exploit Public

- Vulnerability description

Reliable Scalable Cluster Technology contains a flaw that may allow a local denial of service. The issue is triggered when a malicious user repeatedly specifies an arbitrary file as argument to the -f command line option, filling the file system with 65,535 byte files, and will result in loss of availability for the server.

- Timeline

2004-09-27 2004-08-11
2004-09-27 Unknown

- Solution

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workarounds:
1.) Remove the setuid bit from ctstrtcasd using: chmod 555 /usr/sbin/rsct/bin/ctstrtcasd
2.) Only allow trusted users local access to security critical systems

- Vulnerability information

IBM CTSTRTCASD Utility Local File Corruption Vulnerability
Class: Access Validation Error
Bugtraq ID: 11264
Remote: No
Local: Yes
Published: 2004-09-27 12:00:00
Updated: 2009-07-12 07:06:00
iDEFENSE Labs is credited with the discovery of this vulnerability.

- Affected program versions

IBM Tivoli System Automation (TSA) for Multiplatforms 1.2
IBM Tivoli System Automation (TSA) for Linux 1.1
IBM Reliable Scalable Cluster Technology (RSCT) 2.3
IBM Hardware Management Console (HMC) for pSeries 4
IBM Hardware Management Console (HMC) for pSeries 3
IBM Hardware Management Console (HMC) for iSeries 4.0
IBM General Parallel File System (GPFS) Version 2 Release 2
IBM Cluster Systems Management (CSM) for Linux 1.4
IBM AIX 5.3 L
IBM AIX 5.2 L

- Vulnerability discussion

It is reported that IBM's 'ctstrtcasd' utility is susceptible to a local file corruption vulnerability. This issue is due to a failure of the application to properly validate the permissions of the invoking user before overwriting a file specified by the user. This utility is setuid to the superuser, allowing for the overwriting of any file on affected computers, or the creation of files in any location.

As this vulnerability allows attackers to overwrite arbitrary files with superuser privileges, attackers have the ability to destroy data, or cause the computer to fail in such a manner that it will have to be reinstalled from backups. This will deny service to legitimate users.

RSCT versions 2.3.0.0 and higher running on AIX 5.2 and 5.3 on pSeries, AIX on i5/OS (iSeries), Linux (pSeries, xSeries, zSeries), and pSeries/iSeries Hardware Management Console are reported vulnerable.

- Exploit

An exploit is not required.

- Solution

IBM recommends that users should upgrade to the latest maintenance level of RSCT version 2.3 and 2.4. IBM plans to release fixes for various platforms. Users are advised to deploy the workarounds and contact the vendor for more information about specific fixes. Please see the referenced IBM advisory for detailed information.
