CVE-2004-0965
CVSS 7.2
Published: 2005-02-09 00:00:00
Revised: 2016-10-17 22:50:15

[Original] stmkfont in HP-UX B.11.00 through B.11.23 relies on the user-specified PATH when executing certain commands, which allows local users to execute arbitrary code by modifying the PATH environment variable to point to malicious programs.


[CNNVD] HP-UX STMKFONT Local Privilege Escalation Vulnerability (CNNVD-200502-035)

        HP-UX is a UNIX-like operating system developed by HP on the basis of System V.
        stmkfont in HP-UX B.11.00 through B.11.23 relies on the user-specified PATH when executing certain commands, which allows local users to execute arbitrary code by modifying the PATH environment variable to point to malicious programs.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can lead to a complete system outage]
Access complexity: LOW [no special access conditions are required to exploit]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

cpe:/o:hp:hp-ux:11.23::ia64_64-bit
cpe:/o:hp:hp-ux:11.00 (HP-UX 11.00)
cpe:/o:hp:hp-ux:11.11 (HP-UX 11.11)
cpe:/o:hp:hp-ux:11.22 (HP-UX 11i v1.6)

- OVAL (technical details for detection)

oval:org.mitre.oval:def:5538 HP-UX stmkfont Local Unauthorized Privileged Access
*OVAL describes in detail how to detect this vulnerability; the related OVAL definition contains further technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0965
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0965
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200502-035
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=109837243713696&w=2
(UNKNOWN)  BUGTRAQ  20041021 NSFOCUS SA2004-02 : HP-UX stmkfont Local Privilege Escalation Vulnerability
http://www.nsfocus.com/english/homepage/research/0402.htm
(UNKNOWN)  MISC  http://www.nsfocus.com/english/homepage/research/0402.htm
http://www.securityfocus.com/advisories/7351
(UNKNOWN)  HP  SSRT4807
http://www.securityfocus.com/bid/11493
(VENDOR_ADVISORY)  BID  11493
http://xforce.iss.net/xforce/xfdb/17813
(VENDOR_ADVISORY)  XF  hpux-stmkfont-gain-privileges(17813)

- Vulnerability information

HP-UX STMKFONT Local Privilege Escalation Vulnerability
High risk  Input validation
2005-02-09 00:00:00 2009-03-04 00:00:00
Local
        HP-UX is a UNIX-like operating system developed by HP on the basis of System V.
        stmkfont in HP-UX B.11.00 through B.11.23 relies on the user-specified PATH when executing certain commands, which allows local users to execute arbitrary code by modifying the PATH environment variable to point to malicious programs.

- Advisories and patches

        The vendor has released patches that fix this security issue; patch download links:
        HP HP-UX B.11.11
        HP PHSS_31988
        http://itrc.hp.com/
        HP HP-UX B.11.23
        HP PHSS_31990
        http://itrc.hp.com/
        HP HP-UX B.11.00
        HP PHSS_31987
        http://itrc.hp.com/
        HP HP-UX B.11.22
        HP PHSS_31989
        http://itrc.hp.com/

- Vulnerability information (F34800)

NSFOCUS Security Advisory 2004.2 (PacketStormID:F34800)
2004-10-27 00:00:00
NSFOCUS  nsfocus.com
advisory,local
hpux
CVE-2004-0965

NSFOCUS Security Advisory SA2004-02 - NSFOCUS Security Team found a security vulnerability in the program stmkfont of an HP-UX system. Exploiting this vulnerability, local attackers could gain group bin privileges.


NSFOCUS Security Advisory(SA2004-02)

Topic: HP-UX stmkfont Local Privilege Escalation Vulnerability

Release Date: 2004-10-20

CVE CAN ID: CAN-2004-0965

http://www.nsfocus.com/english/homepage/research/0402.htm

Affected system:
===================

- HP-UX B.11.00
- HP-UX B.11.11
- HP-UX B.11.22
- HP-UX B.11.23

Summary:
=========

NSFOCUS Security Team found a security vulnerability in the external
command execution of the program stmkfont on the HP HP-UX system. Exploiting
this vulnerability, local attackers could gain group 'bin' privileges.

Description:
============

HP-UX stmkfont is installed with the sgid 'bin' bit set by default.

stmkfont uses relative paths when executing some external commands, so local
attackers could cause stmkfont to call any external command they specify by
setting the PATH environment variable. Therefore, attackers could run arbitrary
commands with the privileges of group 'bin'.

Workaround:
=============

NSFOCUS suggests temporarily removing the sgid 'bin' bit from stmkfont:

# chmod a-s /usr/bin/stmkfont

Vendor Status:
==============

2004.10.20 Vendor released a security bulletin (HPSBUX01088) and the related
           patches for the vulnerability.

Detailed information for the HP security bulletin is available at:
http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX01088

Note: Valid ITRC account is required for the link above.

Patch IDs:

PHSS_31990 - HP-UX B.11.23
PHSS_31989 - HP-UX B.11.22
PHSS_31988 - HP-UX B.11.11
PHSS_31987 - HP-UX B.11.00


Additional Information:
========================

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-0965 to this issue. This is a candidate for inclusion in the
CVE list (http://cve.mitre.org), which standardizes names for security
problems. Candidates may change significantly before they become official
CVE entries.

Acknowledgment
===============

Yang Jilong of NSFOCUS Security Team found the vulnerability.

DISCLAIMER:
==========
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY
OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED,
EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL,CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PROVIDED THAT THE
ADVISORY IS NOT MODIFIED IN ANY WAY.

Copyright 1999-2003 NSFOCUS. All Rights Reserved. Terms of use.


NSFOCUS Security Team <security@nsfocus.com>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)

PGP Key: http://www.nsfocus.com/homepage/research/pgpkey.asc
Key fingerprint = F8F2 F5D1 EF74 E08C 02FE 1B90 D7BF 7877 C6A6 F6DA
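To illustrate the bug class the advisory describes, the C snippet below is an added example (not code from NSFOCUS or HP, and not stmkfont's source, which is not public). It contrasts a privileged helper that launches an external command through the caller's inherited PATH with a hardened version that resolves the command only against a fixed, trusted directory list and runs it under a sanitized environment. The trusted directory list and the command names used are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Trusted directories searched instead of the caller's PATH (assumed list). */
static const char *const TRUSTED_DIRS[] = { "/usr/bin", "/bin", NULL };

/* VULNERABLE pattern (what the advisory describes): a relative command name
 * handed to system() is looked up through the caller-controlled PATH, so a
 * set-group-id program inherits the caller's choice of which "cmd" runs. */
int run_via_inherited_path(const char *cmd)
{
    return system(cmd);  /* never do this in sgid/suid code */
}

/* Hardened lookup: resolve 'cmd' only against TRUSTED_DIRS. Names containing
 * '/' are rejected so a caller cannot smuggle in their own directory. Writes
 * the absolute path into out and returns out, or NULL if rejected/not found. */
char *resolve_in_trusted_path(const char *cmd, char *out, size_t outlen)
{
    if (cmd == NULL || *cmd == '\0' || strchr(cmd, '/') != NULL)
        return NULL;
    for (int i = 0; TRUSTED_DIRS[i] != NULL; i++) {
        int n = snprintf(out, outlen, "%s/%s", TRUSTED_DIRS[i], cmd);
        if (n < 0 || (size_t)n >= outlen)
            return NULL;
        if (access(out, X_OK) == 0)
            return out;
    }
    return NULL;
}

/* Hardened execution: absolute path plus a sanitized environment, so neither
 * PATH nor any other inherited variable influences what runs. Returns the
 * child's exit status, or -1 on failure. */
int run_trusted(const char *cmd, char *const argv[])
{
    char path[4096];
    char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    if (resolve_in_trusted_path(cmd, path, sizeof path) == NULL)
        return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execve(path, argv, clean_env); _exit(127); }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```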


- Vulnerability information

11028
HP-UX stmkfont Path Subversion Local Privilege Escalation
Patch / RCS

- Vulnerability description

Unknown or Incomplete

- Timeline

2004-10-22 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete