LedgerSMB/SQL-Ledger 未明漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1191341 漏洞类型 未知
发布时间 2007-03-13 更新时间 2007-03-13
CVE编号 CVE-2007-1437 CNNVD-ID CNNVD-200703-359
漏洞平台 N/A CVSS评分 9.0
|漏洞来源
https://www.securityfocus.com/bid/86533
https://cxsecurity.com/issue/WLB-2007030133
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200703-359
|漏洞详情
LedgerSMB1.1.5之前版本和SQL-Ledger2.6.25之前版本中存在未明漏洞。通过调用从执行中返回的习惯错误函数,远程攻击者可以重写文件和可能绕过身份认证;远程认证用户可以执行未授权代码。
|漏洞EXP
Hi;

A person on the LedgerSMB core team has found a serious arbitrary code 
execution issue in LedgerSMB prior to 1.1.5 and SQL-Ledger.  A version 
of SQL-Ledger which fixes this vulnerability was released today (version 
2.6.25).

The vulnerability allows a user to specify a custom function to run when 
the software encounters an error.  The software further assumes that the 
error function specified never returns.  For this reason, it is possible 
to cause the software to take alternate paths of execution, and to force 
these paths.  This is particularly dangerous for users with valid logins.

For those which do not have valid login credentials, the problem more 
limited but still quite dangerous.  Using this method it is possible to 
overwrite files in the users directory, thus affecting a DoS attack and 
possible authentication bypass.

The DoS attacks can be done by any user not currently logged in, and can 
force the writing of a nologin file (which will lock users out of the 
system) or overwrite the users/members file (which contains users' 
credentials info and settings) with invalid data.  This attack can be 
done with wget, for example.

All SQL-Ledger users are advised to upgrade to the latest version, and 
all LedgerSMB users using versions prior to 1.1.5 should upgrade as well.

Best Wishes,
Chris Travers
begin:vcard
fn:Chris Travers
n:Travers;Chris
email;internet:chris (at) metatrontech (dot) com [email concealed]
tel;work:509-888-0220
tel;cell:509-630-7794
x-mozilla-html:FALSE
version:2.1
end:vcard
|受影响的产品
SQL-Ledger SQL-Ledger 2.6.24 LedgerSMB LedgerSMB 1.1 LedgerSMB LedgerSMB 1.0 LedgerSMB LedgerSMB 1.1.1
|参考资料

来源:BUGTRAQ
名称:20070305DoSandcodeexecutionissueinLedgerSMB<1.1.5andSQL-Ledger<2.6.25
链接:http://www.securityfocus.com/archive/1/archive/1/461944/100/100/threaded
来源:SECUNIA
名称:24366
链接:http://secunia.com/advisories/24366
来源:SECUNIA
名称:24363
链接:http://secunia.com/advisories/24363
来源:SREASON
名称:2435
链接:http://securityreason.com/securityalert/2435