CVE-2004-1028
CVSS 7.2
Published: 2005-01-10 00:00:00
Revised: 2008-09-10 15:28:39

[Original] Untrusted execution path vulnerability in chcod on AIX IBM 5.1.0, 5.2.0, and 5.3.0 allows local users to execute arbitrary programs by modifying the PATH environment variable to point to a malicious "grep" program, which is executed from chcod.


[CNNVD] IBM AIX chcod Local Privilege Escalation Vulnerability (CNNVD-200501-112)

        AIX is IBM's UNIX operating system.
        IBM AIX 5.1.0, 5.2.0 and 5.3.0 handle the search path insecurely, resulting in a user privilege escalation vulnerability.
        A local attacker can modify the PATH environment variable to point to a malicious "grep" program, which chcod invokes, and thereby execute arbitrary programs.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may bring the system down completely]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

cpe:/o:ibm:aix:5.1    IBM AIX 5.1
cpe:/o:ibm:aix:5.3_l  IBM AIX 5.3 L
cpe:/o:ibm:aix:5.2    IBM AIX 5.2
cpe:/o:ibm:aix:5.1l   IBM AIX 5.1L
cpe:/o:ibm:aix:5.3    IBM AIX 5.3
cpe:/o:ibm:aix:5.2.2  IBM AIX 5.2.2
cpe:/o:ibm:aix:5.2_l  IBM AIX 5.2 L

- OVAL (technical details for detection)

No matching OVAL definitions found.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1028
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1028
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200501-112
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/18625
(UNKNOWN)  XF  aix-chcod-gain-privileges(18625)
http://www.idefense.com/application/poi/display?id=170&type=vulnerabilities
(VENDOR_ADVISORY)  IDEFENSE  20041220 IBM AIX chcod Local Privilege Escalation Vulnerability
http://www-1.ibm.com/support/search.wss?rs=0&q=IY64356&apar=only
(UNKNOWN)  AIXAPAR  IY64356
http://www-1.ibm.com/support/search.wss?rs=0&q=IY64355&apar=only
(UNKNOWN)  AIXAPAR  IY64355
http://www-1.ibm.com/support/search.wss?rs=0&q=IY64354&apar=only
(UNKNOWN)  AIXAPAR  IY64354

- Vulnerability information

IBM AIX chcod Local Privilege Escalation Vulnerability
High  Insufficient information
2005-01-10 00:00:00 2005-10-20 00:00:00
Local
        AIX is IBM's UNIX operating system.
        IBM AIX 5.1.0, 5.2.0 and 5.3.0 handle the search path insecurely, resulting in a user privilege escalation vulnerability.
        A local attacker can modify the PATH environment variable to point to a malicious "grep" program, which chcod invokes, and thereby execute arbitrary programs.

- Advisories and patches

        The vendor has released an upgrade patch to fix this security issue; it can be obtained from:
        http://www-01.ibm.com/support/docview.wss?uid=isg1IY64356

- Vulnerability information (F35454)

iDEFENSE Security Advisory 2004-12-20.t (PacketStormID:F35454)
2004-12-31 00:00:00
iDefense Labs  idefense.com
advisory,arbitrary,local,root,code execution
aix
CVE-2004-1028

iDEFENSE Security Advisory 12.20.2004 - Local exploitation of an untrusted path vulnerability in the chcod command included by default in multiple versions of IBM Corp. AIX could allow for arbitrary code execution as the root user. Verified in version 5.2.

IBM AIX chcod Local Privilege Escalation Vulnerability

iDEFENSE Security Advisory 12.20.04
www.idefense.com/application/poi/display?id=170&type=vulnerabilities
December 20, 2004

I. BACKGROUND

The chcod program is a setuid root application, installed by default
under newer versions of IBM AIX, that manages capacity upgrade on demand
(CUoD).

II. DESCRIPTION

Local exploitation of an untrusted path vulnerability in the chcod
command included by default in multiple versions of IBM Corp. AIX could
allow for arbitrary code execution as the root user.

During execution, chcod invokes an external application ("grep") while
trusting the user specified PATH environment variable. Root privileges
are not dropped before this execution occurs, thus allowing an attacker
to gain root access by specifying a controlled path and creating a
malicious binary within that path.  All an attacker needs to do to
exploit the vulnerability is create a file called grep which contains
malicious code, set their PATH variable to the current directory, and
execute /usr/sbin/chcod.

III. ANALYSIS

The impact of this vulnerability is lessened by the fact that an
attacker must first gain access to the "system" group in order to use
this binary.  Once group id "system" has been acquired, all that is
required to exploit this vulnerability is a writable directory.
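The untrusted-PATH defect described in section II of the advisory, as an added C example (not IBM's chcod source and not iDefense's code): `path_is_trusted()` audits an inherited PATH against an assumed allowlist of system directories, flagging the empty and "." components that resolve to the current directory, and `run_helper_unprivileged()` shows the hardened pattern for a setuid program, which ignores the caller's PATH, execs the helper by absolute path with a fixed environment, and drops the root identity first. Function and constant names are hypothetical.

```c
/* Added example (not IBM's chcod code): auditing an inherited PATH and
 * invoking a helper safely from a setuid program. Names are hypothetical. */
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Assumed allowlist of directories a privileged program may search. */
static const char *const TRUSTED_DIRS[] = { "/usr/bin", "/bin", "/usr/sbin", "/sbin", NULL };

/* Returns 1 only if every PATH component is one of the allowlisted absolute
 * directories. An empty component (leading/trailing ':' or '::') and "." both
 * mean the current directory, the exact condition the advisory describes,
 * and any user-writable directory such as /tmp is rejected as well. */
int path_is_trusted(const char *path)
{
    char buf[4096];
    if (path == NULL || strlen(path) >= sizeof buf)
        return 0;
    strcpy(buf, path);
    /* Split by hand: strtok() would silently skip empty components. */
    for (char *p = buf;;) {
        char *sep = strchr(p, ':');
        if (sep) *sep = '\0';
        int ok = 0;
        for (int i = 0; TRUSTED_DIRS[i]; i++)
            if (strcmp(p, TRUSTED_DIRS[i]) == 0) ok = 1;
        if (!ok) return 0;
        if (!sep) return 1;
        p = sep + 1;
    }
}

/* Hardened invocation: the caller's PATH and environment are never consulted;
 * the helper runs by absolute path with a fixed minimal environment, and the
 * child drops the saved root identity first because grep needs no privilege.
 * Returns the child's exit status, or -1 on failure. */
int run_helper_unprivileged(const char *abs_helper, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0) _exit(127);
        execve(abs_helper, argv, envp);
        _exit(127); /* exec failed: never fall back to a PATH search */
    }
    int status;
    return waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) ? -1 : WEXITSTATUS(status);
}
```

A program that merely calls a helper by bare name through execvp() or system() inherits whichever directory the caller placed first in PATH; the audit function makes that condition visible, and the hardened invocation removes the dependency on PATH altogether.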

- Vulnerability information

12530
IBM AIX chcod Path Subversion Privilege Escalation

- Vulnerability description

- Timeline

2004-12-20 Unknown
Unknown Unknown

- Solution

Upgrade to version 5.1.0, 5.2.0 or 5.3.0 or higher, as it has been reported to fix this vulnerability. In addition, IBM has released a patch for some older versions.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

IBM AIX CHCOD Local Privilege Escalation Vulnerability
Class: Unknown  Bugtraq ID: 12060
Remote: No  Local: Yes
Published: 2004-12-21 12:00:00  Updated: 2009-07-12 09:26:00
Discovery of this vulnerability is credited to iDEFENSE Labs.

- Affected program versions

IBM AIX 5.3 L
IBM AIX 5.2.2
IBM AIX 5.2 L
IBM AIX 5.1 L
IBM AIX 5.3
IBM AIX 5.2
IBM AIX 5.1

- Vulnerability discussion

The AIX 'chcod' utility is reported prone to a local privilege escalation vulnerability. The vendor describes that this vulnerability results from an insecure path handling issue.

Reports indicate that this issue may be exploited by a local user that is a member of the 'system' group to run arbitrary code as the superuser.

- Exploit

No exploit is required.

- Solution

The vendor has released an advisory and APARs to address this vulnerability; please see the referenced advisory for further detail on obtaining and installing the appropriate APARs.


IBM AIX 5.1

IBM AIX 5.2

IBM AIX 5.3

- References