CVE-2004-0952
CVSS 6.4
Published: 2004-12-31 00:00:00
Revised: 2016-10-17 22:50:06

[Original] HP-UX B.11.00 through B.11.23, when running Ignite-UX and using the add_new_client command, causes the TFTP server to set world-writable permissions on part of the directory tree, which allows remote attackers to modify data or cause disk consumption.


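[CNNVD] HP Ignite-UX TFTP file upload vulnerability (CNNVD-200412-1214)

Ignite-UX is a set of HP-UX administration tools that assists with tasks such as remote recovery and monitoring client installations.
The TFTP service in Ignite-UX has a vulnerability in how it handles file paths; a remote attacker may exploit it to gain unauthorized access to the file system.
During installation, Ignite-UX installs and enables a TFTP server to allow anonymous access to configuration data. In some environments, parts of the TFTP server tree may be world-writable, which allows an attacker to move data/tools off the host, or to cause a denial of service on the host by filling the local file system.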
        

- CVSS (base score)

CVSS score: 6.4 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/o:hp:hp-ux:11.23::ia64_64-bit
cpe:/o:hp:hp-ux:11.00    HP-UX 11.00
cpe:/o:hp:hp-ux:11.11    HP-UX 11.11
cpe:/o:hp:hp-ux:11.22    HP-UX 11i v1.6

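- OVAL (technical details for detection)

oval:org.mitre.oval:def:5775    HP-UX Ignite-UX, Remote Unauthorized Access
* OVAL describes in detail how to detect this vulnerability; more technical details on detecting it can be found in the related OVAL definition.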

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0952
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0952
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-1214
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=112420609211136&w=2
(UNKNOWN)  BUGTRAQ  20050816 Corsaire Security Advisory: HP Ignite-UX filesystem permissions issue
http://marc.info/?l=bugtraq&m=112422597529112&w=2
(UNKNOWN)  HP  SSRT4874
http://securitytracker.com/id?1014711
(UNKNOWN)  SECTRACK  1014711
http://xforce.iss.net/xforce/xfdb/21857
(PATCH)  XF  hpigniteux-addnewclient-gain-access(21857)

- Vulnerability information

HP Ignite-UX TFTP file upload vulnerability
Medium severity, design error
2004-12-31 00:00:00 2009-03-04 00:00:00
Remote
        
        

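- Advisories and patches

Workaround:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measure to reduce the threat:
* Disable the TFTP server.
Vendor patch:
HP
--
HP has released a security bulletin (HPSBUX01219) and corresponding patches for this issue:
HPSBUX01219: SSRT4874 rev.0 - HP-UX Ignite-UX Remote Unauthorized Access
Link:
http://www2.itrc.hp.com/service/cki/docDisplay.do?hpweb_printable=true&docId=HPSBUX01219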

- Vulnerability information (F39432)

Corsaire Security Advisory 2004-11-23.2 (PacketStormID:F39432)
2005-08-17 00:00:00
Martin O'Neal,Corsaire  
advisory
CVE-2004-0952

Corsaire Security Advisory - The aim of this document is to clearly define a vulnerability in the HP Ignite-UX product, as supplied by HP Inc., that would allow unauthenticated write access to the host filesystem, both remotely and locally.

-- Corsaire Security Advisory --

Title: HP Ignite-UX filesystem permissions issue
Date: 23.11.04
Application: HP Ignite-UX prior to version C.6.2.241
Environment: HP-UX
Author: Martin O'Neal [martin.oneal@corsaire.com]
Audience: General distribution
Reference: c041123-002


-- Scope --

The aim of this document is to clearly define a vulnerability in the HP
Ignite-UX product, as supplied by HP Inc. [1], that would allow
unauthenticated write access to the host filesystem, both remotely and
locally.


-- History --

Discovered: 23.11.04 (Martin O'Neal)
Vendor notified: 23.11.04
Document released: 16.08.05


-- Overview --

The HP Ignite-UX "addresses the need for HP-UX system administrators to
perform system installations and deployment, often on a large scale" [2]

As part of the installation process, the product can install and enable
a TFTP server to facilitate anonymous access to configuration data. In
certain circumstances, sections of the TFTP server tree can become
world-writeable, allowing an attacker to use this as a mechanism for
moving data/tools into and out of the host, or simply launch a DoS
exhaustion attack against the host through filling the local filesystem.


-- Analysis --

The HP Ignite-UX can use a TFTP server to facilitate anonymous access to
configuration data. When the add_new_client command is used, sections of
the TFTP server tree may be made world-writeable.


-- Recommendations --

Download and apply the HP Ignite-UX version C.6.2.241 patches.

If in any doubt, disable the TFTP server.


-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-0952 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardises names for
security problems.


-- References --

[1] http://www.hp.com
[2] http://software.hp.com/products/IUX/overview.html


-- Revision --

a. Initial release.
b. Released.


-- Distribution --

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. Corsaire
accepts no responsibility for any damage caused by the use or misuse of
this information.


-- Disclaimer --

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. Corsaire
accepts no responsibility for any damage caused by the use or misuse of
this information.


-- About Corsaire --

Corsaire are a leading information security consultancy, founded in 1997
in Guildford, Surrey, UK. Corsaire bring innovation, integrity and
analytical rigour to every job, which means fast and dramatic security
performance improvements. Our services centre on the delivery of
information security planning, assessment, implementation, management
and vulnerability research.

A free guide to selecting a security assessment supplier is available at
http://www.penetration-testing.com


Copyright 2004 Corsaire Limited. All rights reserved.



    

- Vulnerability information

18750
HP-UX Ignite-UX TFTP Service Remote File Manipulation
Remote / Network Access Authentication Management, Information Disclosure
Loss of Confidentiality, Loss of Integrity
Exploit Public

- Vulnerability description

Ignite-UX contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a malicious user accesses the TFTP Server anonymously. An error in handling the "add_new_client" command can cause sections of the TFTP server tree to become world writable, which could disclose any of the system files, resulting in a loss of confidentiality.

- Timeline

2005-08-15 2004-11-23
2005-08-16 Unknown

- Solution

Upgrade to version C.6.2.241 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s): Disable the TFTP server completely, if it doesn't interfere with your usage of the product.

- Related references

- Vulnerability author

- Vulnerability information

HP Ignite-UX TFTP File Upload Vulnerability
Design Error 14571
Yes No
2005-08-16 12:00:00 2009-07-12 05:06:00
Discovered by Martin O'Neal <martin.oneal@corsaire.com>.

- Affected software versions

HP Ignite-UX
HP HP-UX B.11.23
HP HP-UX B.11.22
HP HP-UX B.11.11
HP HP-UX B.11.00

- Discussion

During installation, Ignite-UX can use a TFTP server for remote access. Under certain circumstances, parts of the server path can be made world writable. This occurs if the add_new_client command is issued. Remote TFTP clients may be able to then write data to parts of the file system anonymously.

- Exploit

There is no exploit code required.

- Solution

Apply the HP Ignite-UX version C.6.2.241 patches. HP has made patches available to HP-UX administrators for versions B.11.0, B.11.11, B.11.22, and B.11.23 (patch Ignite-UX_All_C.6.2.241.depot contains fixes for all four) at http://www.hp.com/go/softwaredepot. See the advisory in the reference section for complete details:

HP has updated advisory HPSBUX01219 (SSRT4874 rev.1 - HP-UX Ignite-UX Remote Unauthorized Access) to include manual workarounds to address this issue. Please see the referenced advisory for more information.


HP HP-UX B.11.23
  • HP Ignite-UX-11-23_C.6.2.241_HP-UX_B.11.00_32+64.depot


HP HP-UX B.11.11
  • HP Ignite-UX-11-11_C.6.2.241_HP-UX_B.11.00_32+64.depot


HP HP-UX B.11.00
  • HP Ignite-UX-11-00_C.6.2.241_HP-UX_B.11.00_32+64.depot


HP HP-UX B.11.22
  • HP Ignite-IA-11-22_C.6.2.241_HP-UX_B.11.00_32+64.depot
