任何一個OS都有他漏洞 , Unix的漏洞不少只是你不知. 例最近的Solaris. CERT Advisory CA-2002-01 Exploitation of Vulnerability in CDE Subprocess Control Service Original release date: January 14, 2002 Last revised: -- Source: CERT/CC A complete revision history can be found at the end of this file. Systems Affected * Systems running CDE Overview The CERT/CC has received credible reports of scanning and exploitation of Solaris systems running the CDE Subprocess Control Service buffer overflow vulnerability identified in CA-2001-31 and discussed in VU#172583. I. Description Since CA-2001-31 was originally released last November, the CERT/CC has received reports of scanning for dtspcd (6112/tcp). Just recently, however, we have received credible reports of an exploit for Solaris systems. Using network traces provided by The Honeynet Project, we have confirmed that the dtspcd vulnerability identified in CA-2001-31 and discussed in VU#172583 is actively being exploited. The Common Desktop Environment (CDE) is an integrated graphical user interface that runs on UNIX and Linux operating systems. The CDE Subprocess Control Service (dtspcd) is a network daemon that accepts requests from clients to execute commands and launch applications remotely. On systems running CDE, dtspcd is spawned by the Internet services daemon (typically inetd or xinetd) in response to a CDE client request. dtspcd is typically configured to run on port 6112/tcp with root privileges. There is a remotely exploitable buffer overflow vulnerability in a shared library that is used by dtspcd. During client negotiation, dtspcd accepts a length value and subsequent data from the client without performing adequate input validation. As a result, a malicious client can manipulate data sent to dtspcd and cause a buffer overflow, potentially executing code with root privileges. The overflow occurs in a fixed-size 4K buffer that is exploited by the contents of one of the attack packets. The signature can be found at bytes 0x3e-0x41 in the following attack packet from a tcpdump log (lines may wrap): 09:46:04.378306 10.10.10.1.3592 > 10.10.10.2.6112: P 1:1449(1448) ack 1 win 16060 (DF) 0x0000 4500 05dc a1ac 4000 3006 241c 0a0a 0a01 E.....@.0.$..... 0x0010 0a0a 0a02 0e08 17e0 fee2 c115 5f66 192f ...f........_f./ 0x0020 8018 3ebc e1e9 0000 0101 080a 1ba7 dffb ..>............. 0x0030 003f 7548 3030 3030 3030 3032 3034 3130 .?uH000000020410 0x0040 3365 3030 3031 2020 3420 0000 0031 3000 3e0001..4....10. 0x0050 801c 4011 801c 4011 1080 0101 801c 4011 ..@...@.......@. 0x0060 801c 4011 801c 4011 801c 4011 801c 4011 ..@...@...@...@. ... The value 0x103e in the ASCII (right) column above is interpreted by the server as the number of bytes in the packet to copy into the internal 4K (0x1000) buffer. Since 0x103e is greater than 0x1000, the last 0x3e bytes of the packet will overwrite memory after the end of the 4K buffer. This is the same compromise vector identified in VU#172583. It is important to note that several Internet-enabled games may also use port 6112/tcp as a legitimate part of their normal operation, therefore, not all network activity involving this service may be malicious. Network administrators monitoring this type of activity may wish to verify whether probes of this type are actually attempts to exploit VU#172583. Many common UNIX systems ship with CDE installed and enabled by default. To determine if your system is configured to run dtspcd, check for the following entries (lines may wrap): in /etc/services dtspc 6112/tcp in /etc/inetd.conf dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd Any system that does not run the CDE Subprocess Control Service is not vulnerable to this problem. II. Impact An attacker can execute arbitrary code with root privileges. III. Solution Apply a patch VU#172583 contains information from vendors who have provided information for this advisory. We will update the vulnerability note as we receive more information. If a vendor`s name does not appear, then the CERT/CC did not hear from that vendor. Please contact your vendor directly. Vendor information can be found in the "Systems Affected" section of VU#172583 http://www.kb.cert.org/vuls/id/172583#systems Limit access to vulnerable service Until patches are available and can be applied, you may wish to limit or block access to the Subprocess Control Service from untrusted networks such as the Internet. Using a firewall or other packet-filtering technology, block or restrict access to the port used by the Subprocess Control Service. As noted above, dtspcd is typically configured to listen on port 6112/tcp. It may be possible to use TCP Wrapper or a similar technology to provide improved access control and logging functionality for dtspcd connections. Keep in mind that blocking ports at a network perimeter does not protect the vulnerable service from the internal network. It is important to understand your network configuration and service requirements before deciding what changes are appropriate. TCP Wrapper is available from ftp://ftp.porcupine.org/pub/security/index.html Disable vulnerable service You may wish to consider disabling dtspcd by commenting out the appropriate entry in /etc/inetd.conf. As a best practice, the CERT/CC recommends disabling any services that are not explicitly required. As noted above, it is important to consider the consequences of such a change in your environment. Appendix A. - References 1. http://www.kb.cert.org/vuls/id/172583 2. http://www.cert.org/advisories/CA-2001-31.html 3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0803 4. http://xforce.iss.net/alerts/advise101.php 5. http://www.opengroup.org/cde/ 6. http://www.opengroup.org/desktop/faq/ _________________________________________________________________ The CERT Coordination Center thanks The Honeynet Project for their assistance in providing network traces of the exploitation. _________________________________________________________________ Authors: Allen Householder and Art Manion ______________________________________________________________________ This document is available from: http://www.cert.org/advisories/CA-2002-01.html 還有Redhat Red Hat, Inc. Red Hat Security Advisory Synopsis: Updated secureweb packages available Advisory ID: RHSA-2001:164-08 Issue date: 2001-12-05 Updated on: 2001-12-07 Product: Red Hat Secure Web Server Keywords: secureweb directory listing Cross references: RHSA-2001:126 Obsoletes: RHBA-2000:020 --------------------------------------------------------------------- 1. Topic: Updated packages are now available for Red Hat Secure Web Server 3.2 (U.S.). These updates close a potential security hole which would present clients with a listing of the contents of a directory instead of the contents of an index file or the proper error message. 2. Relevant releases/architectures: Red Hat Secure Web Server 3.2 - i386 3. Problem description: By using a carefully constructed HTTP request, a server with mod_negotiation and either mod_dir or mod_autoindex loaded could be tricked into displaying a listing of the contents of a directory, despite the presence of an index file. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2001-0730, and CAN-2001-0731 to these issues. 4. Solution: The main secureweb package is provided as an rhmask file. In order to generate the actual secureweb RPM package, you will need the secureweb-3.2-12 package file from the Secure Web Server CD. Then, using the rhmask command, generate the secureweb RPM package: rhmask secureweb-3.2-12.i386.rpm secureweb-3.2.4-1.i386.rpm.rhmask Before applying this update, make sure you have applied all previously released errata relevant to your system. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. 5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info): 6. RPMs required: Red Hat Secure Web Server 3.2: i386: ftp://updates.redhat.com/3.2/en/secureweb/i386/secureweb-3.2.4-1.i386.rpm.rhmask ftp://updates.redhat.com/3.2/en/secureweb/i386/secureweb-devel-3.2.4-1.i386.rpm ftp://updates.redhat.com/3.2/en/secureweb/i386/secureweb-manual-3.2.4-1.i386.rpm 7. Verification: MD5 sum Package Name -------------------------------------------------------------------------- 3097ba872708a54b64354a54a3e38771 3.2/en/secureweb/i386/secureweb-3.2.4-1.i386.rpm.rhmask 93f2a1bbe394454bf35c665b5ceebddf 3.2/en/secureweb/i386/secureweb-devel-3.2.4-1.i386.rpm f819ce00eea66d0524cba6f92c7a661e 3.2/en/secureweb/i386/secureweb-manual-3.2.4-1.i386.rpm These packages are GPG signed by Red Hat, Inc. for security. Our key is available at: http://www.redhat.com/about/contact/pgpkey.html You can verify each package with the following command: rpm --checksig If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command: rpm --checksig --nogpg 8. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0730 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0731 http://www.apacheweek.com/issues/01-10-05#security http://httpd.apache.org/dist/httpd/CHANGES_1.3 http://www.securityfocus.com/bid/3009 所以要時常注意新的更新Bug 3.當然MS的也不少.

------
**********************************************************
哈哈&兵燹
最會的2大絕招 這個不會與那個也不會 哈哈哈 粉好

Delphi K.Top的K.Top分兩個字解釋Top代表尖端的意思,希望本討論區能提供Delphi的尖端新知
K.表Knowlege 知識,就是本站的標語:Open our mind