IBM AIX chcons Command Local Overflow Vulnerability

Vulnerability ID: 1197458 | Vulnerability type: Buffer overflow
Published: 2005-11-01 | Updated: 2009-03-04
CVE ID: CVE-2005-3396 | CNNVD-ID: CNNVD-200511-016
Affected platform: N/A | CVSS score: 7.5
|Vulnerability Source
https://cxsecurity.com/issue/WLB-2005120041
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200511-016
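|Vulnerability Details
IBM AIX is a commercial UNIX operating system. The chcons command in IBM AIX contains a local overflow vulnerability; an attacker who successfully exploits it can execute arbitrary code with the privileges of the current user. If DEBUG MALLOC is enabled, an attacker can cause chcon to dump core by sending an overlong input argument.
|Vulnerability EXP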
                            In GOD We Trust
                  Kachal667 Under9round Team (KuT)
Hi,
Here's my (LrK) new advisory about Hosting Controller.

Hosting Controller - CSS vulnerabilities

Found date : Pri8
Public Date: 02/11/2005

Summary
-------

Hosting Controller is an all-in-one administrative hosting tool for Windows.
It automates a wide range of hosting tasks and provides control of each
hosted site to the respective owners. Hosting Controller is now widely
used by hosting providers and can be found at
http://www.hostingcontroller.com.

HostingController was tested. (Probably all prior versions)

Vulnerability

Impact: An attacker may be able to put his message or photo or ..
not intended to be publicly accessible and upload scripts to
manipulate files and control administration of sites using the latest
version of HostingController.

Lone Rider Knight

Details
-------

Vulnerability

Hosting Controller has a security flaw which allows outside attackers
to put their message with CSS

Sample scripts that allow browsing anywhere on the server:
http://www.eg.com/admin/hosting/error.asp?error=<salam!>
http://www.eg.com/admin/hosting/error.asp?error=<IMG%20height=340%20src="http://eg.com/Deface/deface.jpg"%20width="596">
http://www.eg.com/hosting/error.asp?error=<IMG%20height=340%20src="http://eg.com/Deface/deface.jpg"%20width="596">

The directory "hc" is an example of the path to the HostingController
script on the sample domain. The actual "hc" directory name -- such as
"admin" or "hostingcontroller" -- must be discovered for each "eg.com"
and replaced in the above URL scripts.

Lone Rider Knight
|References

Source: VUPEN
Name: ADV-2005-2253
Link: http://www.frsirt.com/english/advisories/2005/2253
Source: SECTRACK
Name: 1015122
Link: http://securitytracker.com/id?1015122
Source: SECUNIA
Name: 17380
Link: http://secunia.com/advisories/17380
Source: BID
Name: 15247
Link: http://www.securityfocus.com/bid/15247
Source: AIXAPAR
Name: IY78253
Link: http://www-1.ibm.com/support/docview.wss?uid=isg1IY78253
Source: AIXAPAR
Name: IY78241
Link: http://www-1.ibm.com/support/docview.wss?uid=isg1IY78241
Source: OVAL
Name: oval:org.mitre.oval:def:5470
Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:5470
Source: SREASON
Name: 261
Link: http://securityreason.com/securityalert/261