CVE-2005-2716
CVSS7.5
发布时间 :2005-08-29 16:14:00
修订时间 :2016-10-17 23:29:38
NMCOPS    

[原文]The event_pin_code_request function in the btsrv daemon (btsrv.c) in Nokia Affix 2.1.2 and 3.2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in a Bluetooth device name.


[CNNVD]Nokia Affix 远程命令执行漏洞(CNNVD-200508-296)

        Affix是由Nokia研究中心开发的Linux蓝牙协议栈。
        Nokia Affix BTSRV中存在远程命令执行漏洞。以下代码段位于affix-3.2.0/daemon/btsrv.c:
        int event_pin_code_request(struct PIN_Code_Request_Event *evt, int devnum)
        {
        ...
         err = HCI_RemoteNameRequest(fd, &dev, name);
         if (err) {
         BTDEBUG("Name request failed: 目前厂商已经发布了升级补丁以修复这个安全问题,补丁下载链接:
        Nokia Affix 2.1.2
        Nokia Patch patch_btsrv_affix_2_1_2
        http://affix.sourceforge.net/patch_btsrv_affix_2_1_2
        Nokia Affix 3.2
        Nokia Patch patch_btsrv_affix_3_2_0
        http://affix.sourceforge.net/patch_btsrv_affix_3_2_0", hci_error(err));
        ...
         sprintf(cmdline, "/etc/affix/btsrv-gui pin \"\" ", name, bda2str( &evt->bda));
         DBPRT("cmdline: []", cmdline);
         fp = popen(cmdline, "r");
         if (!fp) {
         BTERROR("popen() failed");
         goto err;
         }
         err = fscanf(fp, "", pin);
         if (err == EOF) {
         BTERROR("fscanf() failed");
         pclose(fp);
         goto err;
         }
        调用HCI_RemoteNameRequest()导致了这个漏洞。攻击者可以通过设备名提供任意命令,并在服务环境中执行。
        

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/a:nokia:affix:3.2.0Nokia Affix 3.2.0
cpe:/a:nokia:affix:2.1.2Nokia Affix 2.1.2

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2716
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2716
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200508-296
(官方数据源) CNNVD

- 其它链接及资源

http://affix.sourceforge.net/patch_btsrv_affix_2_1_2
(PATCH)  CONFIRM  http://affix.sourceforge.net/patch_btsrv_affix_2_1_2
http://affix.sourceforge.net/patch_btsrv_affix_3_2_0
(PATCH)  CONFIRM  http://affix.sourceforge.net/patch_btsrv_affix_3_2_0
http://marc.info/?l=bugtraq&m=112511370326063&w=2
(UNKNOWN)  BUGTRAQ  20050826 DMA[2005-0826a] - 'Nokia Affix Bluetooth btsrv poor use of popen()'
http://www.debian.org/security/2005/dsa-796
(UNKNOWN)  DEBIAN  DSA-796
http://www.digitalmunition.com/DMA%5B2005-0826a%5D.txt
(VENDOR_ADVISORY)  MISC  http://www.digitalmunition.com/DMA%5B2005-0826a%5D.txt
http://www.securityfocus.com/bid/14672
(UNKNOWN)  BID  14672
http://xforce.iss.net/xforce/xfdb/22034
(UNKNOWN)  XF  nokia-devicename-command-execution(22034)

- 漏洞信息

Nokia Affix 远程命令执行漏洞
高危 输入验证
2005-08-29 00:00:00 2005-10-20 00:00:00
远程  
        Affix是由Nokia研究中心开发的Linux蓝牙协议栈。
        Nokia Affix BTSRV中存在远程命令执行漏洞。以下代码段位于affix-3.2.0/daemon/btsrv.c:
        int event_pin_code_request(struct PIN_Code_Request_Event *evt, int devnum)
        {
        ...
         err = HCI_RemoteNameRequest(fd, &dev, name);
         if (err) {
         BTDEBUG("Name request failed: 目前厂商已经发布了升级补丁以修复这个安全问题,补丁下载链接:
        Nokia Affix 2.1.2
        Nokia Patch patch_btsrv_affix_2_1_2
        http://affix.sourceforge.net/patch_btsrv_affix_2_1_2
        Nokia Affix 3.2
        Nokia Patch patch_btsrv_affix_3_2_0
        http://affix.sourceforge.net/patch_btsrv_affix_3_2_0", hci_error(err));
        ...
         sprintf(cmdline, "/etc/affix/btsrv-gui pin \"\" ", name, bda2str( &evt->bda));
         DBPRT("cmdline: []", cmdline);
         fp = popen(cmdline, "r");
         if (!fp) {
         BTERROR("popen() failed");
         goto err;
         }
         err = fscanf(fp, "", pin);
         if (err == EOF) {
         BTERROR("fscanf() failed");
         pclose(fp);
         goto err;
         }
        调用HCI_RemoteNameRequest()导致了这个漏洞。攻击者可以通过设备名提供任意命令,并在服务环境中执行。
        

- 公告与补丁

        

- 漏洞信息 (F39817)

Debian Linux Security Advisory 796-1 (PacketStormID:F39817)
2005-09-05 00:00:00
Debian  debian.org
advisory,remote,arbitrary
linux,debian
CVE-2005-2716
[点击下载]

Debian Security Advisory DSA 796-1 - Kevin Finisterre reports that affix, a package used to manage bluetooth sessions under Linux, uses the popen call in an unsafe fashion. A remote attacker can exploit this vulnerability to execute arbitrary commands on a vulnerable system.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 796-1                     security@debian.org
http://www.debian.org/security/                              Michael Stone
September 1st, 2005                     http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : affix
Vulnerability  : remote command execution
Problem-Type   : unsafe use of popen
Debian-specific: no
CVE ID         : CAN-2005-2716

Kevin Finisterre reports that affix, a package used to manage
bluetooth sessions under Linux, uses the popen call in an unsafe
fashion. A remote attacker can exploit this vulnerability to execute
arbitrary commands on a vulnerable system.

The old stable distribution (woody) does not contain the affix
package.

For the stable distribution (sarge) this problem has been fixed in
version 2.1.1-3.

For the unstable distribution (sid) this problem has been fixed in
version 2.1.2-3.

We recommend that you upgrade your affix package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/a/affix/affix_2.1.1-3.diff.gz
      Size/MD5 checksum:    81959 0914c96291c7bf8a4bbf5d05e5dc74c5
    http://security.debian.org/pool/updates/main/a/affix/affix_2.1.1-3.dsc
      Size/MD5 checksum:      669 616d043f1c72b3a8ebcae37e4a59fb98

  alpha architecture (DEC Alpha)

    http://security.debian.org/pool/updates/main/a/affix/libaffix-dev_2.1.1-3_alpha.deb
      Size/MD5 checksum:    93462 a3569622764735b1b09829e575c34a04
    http://security.debian.org/pool/updates/main/a/affix/libaffix2_2.1.1-3_alpha.deb
      Size/MD5 checksum:    75608 7d0d72ed495c904ca7820624fc66b8b5
    http://security.debian.org/pool/updates/main/a/affix/affix_2.1.1-3_alpha.deb
      Size/MD5 checksum:   103142 b534a5fbf6f1537456917fe45c5c8c58

  amd64 architecture (AMD x86_64 (AMD64))

    http://security.debian.org/pool/updates/main/a/affix/affix_2.1.1-3_amd64.deb
      Size/MD5 checksum:    93480 dead16d09da75e9628bae0d3a61cb04d
    http://security.debian.org/pool/updates/main/a/affix/libaffix2_2.1.1-3_amd64.deb
      Size/MD5 checksum:    64450 ef7ec29b46f95b5255e9ad23243a117c
    http://security.debian.org/pool/updates/main/a/affix/libaffix-dev_2.1.1-3_amd64.deb
      Size/MD5 checksum:    71796 0b83fbb8796d06867c26a197393cdbed

  arm architecture (ARM)

    http://security.debian.org/pool/updates/main/a/affix/affix_2.1.1-3_arm.deb
      Size/MD5 checksum:    85908 0e58ede6488bd4e9bd3dd4a06201ac7e
    http://security.debian.org/pool/updates/main/a/affix/libaffix-dev_2.1.1-3_arm.deb
      Size/MD5 checksum:    69546 1fb4f727a1215a89fd4e998fc56d1f26
    http://security.debian.org/pool/updates/main/a/affix/libaffix2_2.1.1-3_arm.deb
      Size/MD5 checksum:    56844 837b30e2112981a65327993f242d2e62

  hppa architecture (HP PA RISC)

    http://security.debian.org/pool/updates/main/a/affix/libaffix-dev_2.1.1-3_hppa.deb
      Size/MD5 checksum:    76626 a701325fa8e52d04da9044b90cf2be5e
    http://security.debian.org/pool/updates/main/a/affix/affix_2.1.1-3_hppa.deb
      Size/MD5 checksum:    95006 80e8960c60548492a66c6642d9977e82
    http://security.debian.org/pool/updates/main/a/affix/libaffix2_2.1.1-3_hppa.deb
      Size/MD5 checksum:    68558 a869b9ae8172cb4a2616e500dc3ba34d

  i386 architecture (Intel ia32)

    http://security.debian.org/pool/updates/main/a/affix/libaffix-dev_2.1.1-3_i386.deb
      Size/MD5 checksum:    63360 e98b76db0c1be17fd0a0fad388580e28
    http://security.debian.org/pool/updates/main/a/affix/libaffix2_2.1.1-3_i386.deb
      Size/MD5 checksum:    59644 6c1a4dde54ea88022052473c1385418d
    http://security.debian.org/pool/updates/main/a/affix/affix_2.1.1-3_i386.deb
      Size/MD5 checksum:    84952 87f0ced911c009e8cad63b1f1f517e0d

  ia64 architecture (Intel ia64)

    http://security.debian.org/pool/updates/main/a/affix/libaffix-dev_2.1.1-3_ia64.deb
      Size/MD5 checksum:    93934 95cd1df0416297d184cf5f8a2fd8e6ff
    http://security.debian.org/pool/updates/main/a/affix/libaffix2_2.1.1-3_ia64.deb
      Size/MD5 checksum:    83676 8eb81855b4e75cc1690cbea79569cceb
    http://security.debian.org/pool/updates/main/a/affix/affix_2.1.1-3_ia64.deb
      Size/MD5 checksum:   122328 317969cdc70be9a42632329472b425f8

  m68k architecture (Motorola Mc680x0)

    http://security.debian.org/pool/updates/main/a/affix/affix_2.1.1-3_m68k.deb
      Size/MD5 checksum:    80118 ec2c0265cb1068d676bb0e5dbadeb199
    http://security.debian.org/pool/updates/main/a/affix/libaffix-dev_2.1.1-3_m68k.deb
      Size/MD5 checksum:    58458 76faca4c3f9a94e34398927d5024991f
    http://security.debian.org/pool/updates/main/a/affix/libaffix2_2.1.1-3_m68k.deb
      Size/MD5 checksum:    54970 45bd12213859c4212baf4d1a127d0916

  mips architecture (MIPS (Big Endian))

    http://security.debian.org/pool/updates/main/a/affix/affix_2.1.1-3_mips.deb
      Size/MD5 checksum:    97566 1d8e834bd41fb7f062f47c975f25bcb8
    http://security.debian.org/pool/updates/main/a/affix/libaffix2_2.1.1-3_mips.deb
      Size/MD5 checksum:    61378 918a6064f35db1800f03529ae32d6ed9
    http://security.debian.org/pool/updates/main/a/affix/libaffix-dev_2.1.1-3_mips.deb
      Size/MD5 checksum:    76436 ee779d182b774efcf033a159a3e1d337

  mipsel architecture (MIPS (Little Endian))

    http://security.debian.org/pool/updates/main/a/affix/affix_2.1.1-3_mipsel.deb
      Size/MD5 checksum:    97296 8c445a7e88c489d53b0f52c46e9d0a50
    http://security.debian.org/pool/updates/main/a/affix/libaffix-dev_2.1.1-3_mipsel.deb
      Size/MD5 checksum:    76320 32e64b4ee8452a037efc17ec02e6315f
    http://security.debian.org/pool/updates/main/a/affix/libaffix2_2.1.1-3_mipsel.deb
      Size/MD5 checksum:    61012 717b6b4c932547467802ff042948fe08

  powerpc architecture (PowerPC)

    http://security.debian.org/pool/updates/main/a/affix/libaffix2_2.1.1-3_powerpc.deb
      Size/MD5 checksum:    65466 15e4ae116669a5c3431edeed01439790
    http://security.debian.org/pool/updates/main/a/affix/affix_2.1.1-3_powerpc.deb
      Size/MD5 checksum:    94880 8af910d14455e555e6cb5840830c5724
    http://security.debian.org/pool/updates/main/a/affix/libaffix-dev_2.1.1-3_powerpc.deb
      Size/MD5 checksum:    70092 03882f73d1876f72b3bd8034b20f3f71

  s390 architecture (IBM S/390)

    http://security.debian.org/pool/updates/main/a/affix/libaffix-dev_2.1.1-3_s390.deb
      Size/MD5 checksum:    73034 d1a72f0d825afd50bbbe65d03ac4f492
    http://security.debian.org/pool/updates/main/a/affix/libaffix2_2.1.1-3_s390.deb
      Size/MD5 checksum:    66810 3f8535a792cebdd817ff27c3a2dacd5a
    http://security.debian.org/pool/updates/main/a/affix/affix_2.1.1-3_s390.deb
      Size/MD5 checksum:    92464 bd4141e5726e01b520b8766e3e1fabdd

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.debian.org/pool/updates/main/a/affix/affix_2.1.1-3_sparc.deb
      Size/MD5 checksum:    84816 2b20cbbc4020bad007a38bb8bd69718d
    http://security.debian.org/pool/updates/main/a/affix/libaffix-dev_2.1.1-3_sparc.deb
      Size/MD5 checksum:    66094 ae3660011a4422011ce0f202af218f09
    http://security.debian.org/pool/updates/main/a/affix/libaffix2_2.1.1-3_sparc.deb
      Size/MD5 checksum:    57762 00bdb8e55e4a68cb8675b0220947d423

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iQCVAwUBQxevUg0hVr09l8FJAQI0rQQA1hUhAHzcfxyorSWMxUaysrfeAwOtcDzO
TTlpJqFvoyMACHNdkhAwq+4QVkpY/D9EfTRTOYUPhEUDugCowOrQRilNocOUukSn
IcfRlZwBM7uTE0i0qDRWIOgXpq/lPvyvSC3z/AlTzbM1CvP0STIw8oOduPJt41cK
+NC5NBC1QBI=
=uvAf
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
    

- 漏洞信息

19050
Affix btsrv Bluetooth Device Name Arbitrary Command Execution

- 漏洞描述

Unknown or Incomplete

- 时间线

2005-08-26 2005-08-06
2005-08-26 Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Nokia Affix BTSRV Device Name Remote Command Execution Vulnerability
Input Validation Error 14672
Yes No
2005-08-26 12:00:00 2009-07-12 05:06:00
Discovery is credited to Kevin Finisterre.

- 受影响的程序版本

Nokia Affix 3.2
Nokia Affix 3.1
Nokia Affix 3.0
Nokia Affix 2.1.2
Nokia Affix 2.1.1
- Debian Linux 3.1 sparc
- Debian Linux 3.1 s/390
- Debian Linux 3.1 ppc
- Debian Linux 3.1 mipsel
- Debian Linux 3.1 mips
- Debian Linux 3.1 m68k
- Debian Linux 3.1 ia-64
- Debian Linux 3.1 ia-32
- Debian Linux 3.1 hppa
- Debian Linux 3.1 arm
- Debian Linux 3.1 amd64
- Debian Linux 3.1 alpha
- Debian Linux 3.1
Nokia Affix 2.1
- Debian Linux 3.1 sparc
- Debian Linux 3.1 s/390
- Debian Linux 3.1 ppc
- Debian Linux 3.1 mipsel
- Debian Linux 3.1 mips
- Debian Linux 3.1 m68k
- Debian Linux 3.1 ia-64
- Debian Linux 3.1 ia-32
- Debian Linux 3.1 hppa
- Debian Linux 3.1 arm
- Debian Linux 3.1 alpha
- Debian Linux 3.1
Nokia Affix 2.0.2
Nokia Affix 2.0.1
Nokia Affix 2.0

- 漏洞讨论

Nokia Affix BTSRV is affected by a remote command execution vulnerability.

An attacker can supply arbitrary commands through a device name and have them executed in the context of the service. This can lead to a complete compromise.

- 漏洞利用

An exploit is not required.

- 解决方案

Debian has released advisory DSA 796-1 to address this issue. Please see the attached advisory for details on obtaining and applying fixes.

The vendor has released patches to address this issue.


Nokia Affix 2.1.1

Nokia Affix 2.1.2

Nokia Affix 3.2

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站