CVE-2006-0705
CVSS 6.5
Published: 2006-02-15 06:06:00
Revised: 2011-03-07 00:00:00

[Original] Format string vulnerability in a logging function as used by various SFTP servers, including (1) AttachmateWRQ Reflection for Secure IT UNIX Server before 6.0.0.9, (2) Reflection for Secure IT Windows Server before 6.0 build 38, (3) F-Secure SSH Server for Windows before 5.3 build 35, (4) F-Secure SSH Server for UNIX 3.0 through 5.0.8, (5) SSH Tectia Server 4.3.6 and earlier and 4.4.0, and (6) SSH Shell Server 3.2.9 and earlier, allows remote authenticated users to execute arbitrary commands via unspecified vectors, involving crafted filenames and the stat command.


[CNNVD] AttachmateWRQ Reflection for Secure IT Remote Format String Vulnerability (CNNVD-200602-222)

        A format string vulnerability exists in the logging function used by various SFTP servers, including (1) AttachmateWRQ Reflection for Secure IT UNIX Server before 6.0.0.9, (2) Reflection for Secure IT Windows Server before 6.0 build 38, (3) F-Secure SSH Server for Windows before 5.3 build 35, (4) F-Secure SSH Server for UNIX 3.0 through 5.0.8, (5) SSH Tectia Server 4.3.6 and earlier and 4.4.0, and (6) SSH Shell Server 3.2.9 and earlier. Remote authenticated users can execute arbitrary commands via unspecified vectors involving crafted filenames and the stat command.

- CVSS (base score)

CVSS score: 6.5 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Access complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: SINGLE_INSTANCE [--]

- CWE (weakness category)

CWE-134

- CPE (affected platforms and products)

cpe:/a:f-secure:f-secure_ssh_server:3.2.3::unix
cpe:/a:f-secure:f-secure_ssh_server:3.0.2
cpe:/a:f-secure:f-secure_ssh_server:3.0.9
cpe:/a:f-secure:f-secure_ssh_server:3.0.0
cpe:/a:f-secure:f-secure_ssh_server:5.3::win
cpe:/a:attachmatewrq:reflection_for_secure_it_server:6.0::win
cpe:/a:f-secure:f-secure_ssh_server:3.1.0::unix
cpe:/a:f-secure:f-secure_ssh_server:5.1::win
cpe:/a:f-secure:f-secure_ssh_server:3.0.1::unix
cpe:/a:f-secure:f-secure_ssh_server:3.0.1
cpe:/a:attachmatewrq:reflection_for_secure_it_server:6.0::unix
cpe:/a:f-secure:f-secure_ssh_server:3.0.3
cpe:/a:f-secure:f-secure_ssh_server:3.0.7
cpe:/a:f-secure:f-secure_ssh_server:5.0
cpe:/a:f-secure:f-secure_ssh_server:3.1.0_build9
cpe:/a:f-secure:f-secure_ssh_server:3.1.0
cpe:/a:f-secure:f-secure_ssh_server:5.2::win
cpe:/a:f-secure:f-secure_ssh_server:3.0.8
cpe:/a:f-secure:f-secure_ssh_server:3.0.5
cpe:/a:f-secure:f-secure_ssh_server:3.0.4
cpe:/a:f-secure:f-secure_ssh_server:3.2.0::unix
cpe:/a:f-secure:f-secure_ssh_server:3.0.6

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0705
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0705
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200602-222
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/419241
(PATCH)  CERT-VN  VU#419241
http://www.securityfocus.com/bid/16625
(PATCH)  BID  16625
http://support.wrq.com/techdocs/1882.html
(PATCH)  CONFIRM  http://support.wrq.com/techdocs/1882.html
http://securitytracker.com/id?1015619
(PATCH)  SECTRACK  1015619
http://secunia.com/advisories/18843
(VENDOR_ADVISORY)  SECUNIA  18843
http://secunia.com/advisories/18828
(VENDOR_ADVISORY)  SECUNIA  18828
http://xforce.iss.net/xforce/xfdb/24651
(UNKNOWN)  XF  sftp-logging-format-string(24651)
http://www.vupen.com/english/advisories/2008/1008/references
(VENDOR_ADVISORY)  VUPEN  ADV-2008-1008
http://www.vupen.com/english/advisories/2006/0555
(VENDOR_ADVISORY)  VUPEN  ADV-2006-0555
http://www.vupen.com/english/advisories/2006/0554
(VENDOR_ADVISORY)  VUPEN  ADV-2006-0554
http://www.securityfocus.com/bid/16640
(UNKNOWN)  BID  16640
http://security.gentoo.org/glsa/glsa-200703-13.xml
(UNKNOWN)  GENTOO  GLSA-200703-13
http://secunia.com/advisories/29552
(VENDOR_ADVISORY)  SECUNIA  29552
http://secunia.com/advisories/24516
(VENDOR_ADVISORY)  SECUNIA  24516
http://marc.info/?l=bugtraq&m=120654385125315&w=2
(UNKNOWN)  HP  SSRT080011

- Vulnerability information

AttachmateWRQ Reflection for Secure IT Remote Format String Vulnerability
Medium severity  Format string
2006-02-15 00:00:00 2006-03-03 00:00:00
Remote

- Advisories and patches

        The vendor has released an advisory and patches to address this issue. Please see the referenced advisory for more information on obtaining fixes.

- Vulnerability information (F64903)

HP Security Bulletin 2008-00.11 (PacketStormID:F64903)
2008-03-26 00:00:00
Hewlett Packard  hp.com
advisory,remote,denial of service,arbitrary
unix
CVE-2006-0705

HP Security Bulletin - A potential security vulnerability has been identified in the SFTP Server (sftp-server) component of SSH version 3.2.0 and earlier running on HP Tru64 UNIX. The vulnerability could be exploited by a remote user to execute arbitrary code or cause a Denial of Service (DoS). Yes, this is from 2006. Yes, HP is just notifying people now.


SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01404118
Version: 1

HPSBTU02322 SSRT080011 rev.1 - HP Tru64 UNIX running SSH/SFTP Server, Remote Execution of Arbitrary Code or Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2008-03-19
Last Updated: 2008-03-25

Potential Security Impact: Remote execution of arbitrary code or Denial of Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified in the SFTP Server (sftp-server) component of SSH v 3.2.0 and earlier running on HP Tru64 UNIX. The vulnerability could be exploited by a remote user to execute arbitrary code or cause a Denial of Service (DoS).

References: CVE-2006-0705 

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
The following supported software versions are affected: 

SSH v 3.2.0 and earlier as provided with...

HP Tru64 UNIX v 5.1B-4 
HP Tru64 UNIX v 5.1B-3 

BACKGROUND

CVSS 2.0 Base Metrics 

Reference                Base Vector                    Base Score 
CVE-2006-0705  (AV:N/AC:L/Au:S/C:P/I:P/A:P)  6.5
 
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.

RESOLUTION
HP is releasing the following Early Release Patch (ERP) kits publicly for use by any customer until updates are available in mainstream release patch kits. 

The resolutions contained in the ERP kits are targeted for availability in the following mainstream kit: 

HP Tru64 UNIX v 5.1B-5

The ERP kits use dupatch to install and will not install over any Customer Specific Patches (CSPs) that have file intersections with the ERPs. Contact your service provider for assistance if the installation of the ERPs is blocked by any of your installed CSPs.

The ERP kits distribute the following items:

Patched version of SSH v 3.2.0

HP Tru64 UNIX Version v 5.1B-4 
PREREQUISITE: HP Tru64 UNIX v 5.1B-4 PK6 (BL27) 
Name: T64KIT1001460-V51BB27-ES-20080310 
Location: http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=T64KIT1001460-V51BB27-ES-20080310 
 
HP Tru64 UNIX Version v 5.1B-3 
PREREQUISITE: HP Tru64 UNIX v 5.1B-3 PK5 (BL26) 
Name: T64KIT1001467-V51BB26-ES-20080314 
Location: http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=T64KIT1001467-V51BB26-ES-20080314 
 


MD5 checksums are available from the ITRC patch database main page. From the patch database main page, click Tru64 UNIX, then click verifying MD5 checksums under useful links.

PRODUCT SPECIFIC INFORMATION 

HISTORY 

Version:1 (rev.1) - 25 March 2008 Initial release 

Third Party Security Patches: Third party security patches which are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. 

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com 
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. 
To get the security-alert PGP key, please send an e-mail message as follows:
  To: security-alert@hp.com 
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email: 
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC 
On the web page: ITRC security bulletins and patch sign-up 
Under Step1: your ITRC security bulletins and patches 
  - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems 
  - verify your operating system selections are checked and save.


To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php 
Log in on the web page: Subscriber's choice for Business: sign-in. 
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.


To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do 


* The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title: 

GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault


System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.


"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."

    

- Vulnerability information (F55192)

Gentoo Linux Security Advisory 200703-13 (PacketStormID:F55192)
2007-03-20 00:00:00
Gentoo  security.gentoo.org
advisory,shell
linux,gentoo
CVE-2006-0705

Gentoo Linux Security Advisory GLSA 200703-13 - The SSH Secure Shell Server contains a format string vulnerability in the SFTP code that handles file transfers (scp2 and sftp2). In some situations, this code passes the accessed filename to the system log. During this operation, an unspecified error could allow uncontrolled stack access. Versions less than 4.3.7 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200703-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: SSH Communications Security's Secure Shell Server: SFTP
            privilege escalation
      Date: March 14, 2007
      Bugs: #168584
        ID: 200703-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The SSH Secure Shell Server SFTP function is vulnerable to privilege
escalation.

Background
==========

The SSH Secure Shell Server from SSH Communications Security
(www.ssh.com) is a commercial SSH implementation available free for
non-commercial use.

Affected packages
=================

    -------------------------------------------------------------------
     Package       /  Vulnerable  /                         Unaffected
    -------------------------------------------------------------------
  1  net-misc/ssh       < 4.3.7                            Vulnerable!
    -------------------------------------------------------------------
     NOTE: Certain packages are still vulnerable. Users should migrate
           to another package if one is available or wait for the
           existing packages to be marked stable by their
           architecture maintainers.

Description
===========

The SSH Secure Shell Server contains a format string vulnerability in
the SFTP code that handles file transfers (scp2 and sftp2). In some
situations, this code passes the accessed filename to the system log.
During this operation, an unspecified error could allow uncontrolled
stack access.

Impact
======

An authenticated system user may be able to exploit this vulnerability
to bypass command restrictions, or run commands as another user.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

This package is currently masked, there is no upgrade path for the
3.2.x version, and a license must be purchased in order to update to a
non-vulnerable version. Because of this, we recommend unmerging this
package:

    # emerge --ask --verbose --unmerge net-misc/ssh

References
==========

  [ 1 ] CVE-2006-0705
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0705

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200703-13.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
    

- Vulnerability information

23120
SSH Tectia Server SFTP Service Filename Logging Format String
Local / Remote, Context Dependent Input Manipulation
Loss of Integrity Upgrade
Vendor Verified

- Vulnerability description

Unknown or Incomplete

- Timeline

2006-02-13 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

SSH Tectia Server Remote Format String Vulnerability
Input Validation Error 16640
Yes No
2006-02-13 12:00:00 2008-12-01 11:52:00
The vendor disclosed this issue.

- Affected software versions

SSH Communications Security Tectia Server 4.4
SSH Communications Security Tectia Server 4.3.6
SSH Communications Security Tectia Server 4.3.5
SSH Communications Security Tectia Server 4.3.4
SSH Communications Security Tectia Server 4.3.3
SSH Communications Security Tectia Server 4.3.2
SSH Communications Security Tectia Server 4.3.1
SSH Communications Security Tectia Server 4.3
SSH Communications Security Tectia Server 4.2.1
SSH Communications Security Tectia Server 4.0.5
SSH Communications Security Tectia Server 4.0.4
SSH Communications Security Tectia Server 4.0.3
SSH Communications Security Tectia Server 4.0
SSH Communications Security Tectia Server 4.1
SSH Communications Security SSH2 for Win32 3.1.2
SSH Communications Security SSH2 for Win32 3.1.1
SSH Communications Security SSH2 for Win32 3.1
SSH Communications Security SSH2 for Unix 3.2.2
SSH Communications Security SSH2 for Unix 3.1.2
SSH Communications Security SSH2 for Unix 3.1.1
SSH Communications Security SSH2 for Unix 3.1
SSH Communications Security SSH2 3.2.9
SSH Communications Security SSH2 3.2.5
SSH Communications Security SSH2 3.2.4
SSH Communications Security SSH2 3.2.3
SSH Communications Security SSH2 3.2.2
SSH Communications Security SSH2 3.2.1
SSH Communications Security SSH2 3.2
SSH Communications Security SSH2 3.1.8
SSH Communications Security SSH2 3.1.7
SSH Communications Security SSH2 3.1.6
SSH Communications Security SSH2 3.1.5
SSH Communications Security SSH2 3.1.4
SSH Communications Security SSH2 3.1.3
SSH Communications Security SSH2 3.1.2
SSH Communications Security SSH2 3.1.1
SSH Communications Security SSH2 3.1
SSH Communications Security SSH2 3.0.1
SSH Communications Security SSH2 3.0
SSH Communications Security SSH2 2.5
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0
SSH Communications Security SSH2 2.4
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0
SSH Communications Security SSH2 2.3
SSH Communications Security SSH2 2.2
SSH Communications Security SSH2 2.1
SSH Communications Security SSH2 2.0.13
SSH Communications Security SSH2 2.0.12
SSH Communications Security SSH2 2.0.11
SSH Communications Security SSH2 2.0.10
SSH Communications Security SSH2 2.0.9
SSH Communications Security SSH2 2.0.8
SSH Communications Security SSH2 2.0.7
SSH Communications Security SSH2 2.0.6
SSH Communications Security SSH2 2.0.5
SSH Communications Security SSH2 2.0.4
SSH Communications Security SSH2 2.0.3
SSH Communications Security SSH2 2.0.2
SSH Communications Security SSH2 2.0.1
SSH Communications Security SSH2 2.0
HP Tru64 UNIX 5.1.0 B-4
HP Tru64 UNIX 5.1.0 B-3
HP Tru64 5.1 B-4
HP Tru64 5.1 B-3
Gentoo Linux
SSH Communications Security Tectia Server 4.4.2
SSH Communications Security Tectia Server 4.3.7

- Unaffected software versions

SSH Communications Security Tectia Server 4.4.2
SSH Communications Security Tectia Server 4.3.7

- Vulnerability discussion

A remote format-string vulnerability affects SSH Tectia Server. The application fails to properly sanitize user-supplied input data before using it in a formatted-printing function.

A remote attacker may leverage this issue to execute arbitrary machine code, possibly allowing for privilege escalation and for the bypassing of SFTP-only access controls on affected SSH servers.
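The pattern described above, as an added example in C that is not code from any vendor or advisory on this page: a logging routine that receives a client-supplied filename, shown in the vulnerable form (the assembled message doubles as the format string) and the fixed form (constant format string, filename only ever an argument), plus a small audit check that counts the format directives an untrusted string would carry. The logger, its buffer and the sample filenames are constructed stand-ins for the real servers' syslog path.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
static char log_buf[256];   /* constructed stand-in for the system log sink */

/* printf-style logger; in the real servers this would end in syslog() or similar. */
static void sftp_log(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(log_buf, sizeof log_buf, fmt, ap);
    va_end(ap);
}

/* VULNERABLE (CWE-134): the message, which embeds the client-chosen filename,
 * is passed as the format string itself, so any '%' directives in the filename
 * are interpreted by vsnprintf. Shown for contrast; never call it with untrusted input. */
const char *log_stat_vulnerable(const char *filename)
{
    char msg[256];
    snprintf(msg, sizeof msg, "stat %s", filename);
    sftp_log(msg);
    return log_buf;
}

/* FIXED: a constant format string; the filename is only ever an argument. */
const char *log_stat_fixed(const char *filename)
{
    sftp_log("stat %s", filename);
    return log_buf;
}

/* Defensive audit check: how many format directives an untrusted string would
 * introduce if it were ever used as a format string ("%%" is a literal percent). */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* escaped percent, not a directive */
        n++;
    }
    return n;
}

int main(void)
{
    const char *benign = "report.txt";       /* constructed sample filenames */
    const char *hostile = "%x%x%x%n";
    printf("fixed, benign:  %s\n", log_stat_fixed(benign));
    printf("fixed, hostile: %s (directives: %d)\n",
           log_stat_fixed(hostile), count_format_directives(hostile));
    return 0;
}
```

With the fixed logger the hostile name is written to the log verbatim; the directive count is what a pre-logging sanitiser or a code audit would flag before such a string ever reaches a format parameter.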

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

The vendor has released an advisory along with fixes to address this issue. Please see the referenced advisory for information on obtaining fixes.

- References

