Vulnerabilities > CVE-2007-5360 - Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Buffer overflow in OpenPegasus Management server, when compiled to use PAM and with PEGASUS_USE_PAM_STANDALONE_PROC defined, as used in VMWare ESX Server 3.0.1 and 3.0.2, might allow remote attackers to execute arbitrary code via vectors related to PAM authentication, a different vulnerability than CVE-2008-0003.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 | |
| OS | 2 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Nessus
NASL family HP-UX Local Security Checks NASL id HPUX_PHSS_37702.NASL description s700_800 11.11 HP WBEM Services A.02.05.08 : Potential security vulnerabilities have been identified with HP-UX running WBEM Services. These vulnerabilities could be exploited remotely to execute arbitrary code or to gain extended privileges. last seen 2020-06-01 modified 2020-06-02 plugin id 32156 published 2008-05-09 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/32156 title HP-UX PHSS_37702 : HP-UX running WBEM Services, Remote Execution of Arbitrary Code, Gain Extended Privileges (HPSBMA02331 SSRT080000 rev.3) code # # (C) Tenable Network Security, Inc. # # The descriptive text and patch checks in this plugin were # extracted from HP patch PHSS_37702. The text itself is # copyright (C) Hewlett-Packard Development Company, L.P. # include("compat.inc"); if (description) { script_id(32156); script_version("1.14"); script_cvs_date("Date: 2019/10/16 10:34:21"); script_cve_id("CVE-2007-5360", "CVE-2008-0003"); script_bugtraq_id(27172); script_xref(name:"HP", value:"emr_na-c01438409"); script_xref(name:"HP", value:"SSRT080000"); script_name(english:"HP-UX PHSS_37702 : HP-UX running WBEM Services, Remote Execution of Arbitrary Code, Gain Extended Privileges (HPSBMA02331 SSRT080000 rev.3)"); script_summary(english:"Checks for the patch in the swlist output"); script_set_attribute( attribute:"synopsis", value:"The remote HP-UX host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "s700_800 11.11 HP WBEM Services A.02.05.08 : Potential security vulnerabilities have been identified with HP-UX running WBEM Services. These vulnerabilities could be exploited remotely to execute arbitrary code or to gain extended privileges." ); # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01438409 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?9d738e39" ); script_set_attribute( attribute:"solution", value:"Install patch PHSS_37702 or subsequent." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack'); script_cwe_id(119); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:hp:hp-ux"); script_set_attribute(attribute:"vuln_publication_date", value:"2008/01/08"); script_set_attribute(attribute:"patch_publication_date", value:"2008/04/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2008/05/09"); script_set_attribute(attribute:"patch_modification_date", value:"2009/02/11"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"HP-UX Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/HP-UX/version", "Host/HP-UX/swlist"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("hpux.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/HP-UX/version")) audit(AUDIT_OS_NOT, "HP-UX"); if (!get_kb_item("Host/HP-UX/swlist")) audit(AUDIT_PACKAGE_LIST_MISSING); if (!hpux_check_ctx(ctx:"11.11")) { exit(0, "The host is not affected since PHSS_37702 applies to a different OS release."); } patches = make_list("PHSS_37702"); foreach patch (patches) { if (hpux_installed(app:patch)) { exit(0, "The host is not affected because patch "+patch+" is installed."); } } flag = 0; if (hpux_check_patch(app:"WBEMServices.WBEM-CORE", version:"A.02.05.08")) flag++; if (hpux_check_patch(app:"WBEMServices.WBEM-CORE-COM", version:"A.02.05.08")) flag++; if (hpux_check_patch(app:"WBEMServices.WBEM-MAN", version:"A.02.05.08")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:hpux_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family HP-UX Local Security Checks NASL id HPUX_PHSS_37700.NASL description s700_800 11.11 HP WBEM Services A.02.07.01 : Potential security vulnerabilities have been identified with HP-UX running WBEM Services. These vulnerabilities could be exploited remotely to execute arbitrary code or to gain extended privileges. last seen 2020-06-01 modified 2020-06-02 plugin id 32154 published 2008-05-09 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/32154 title HP-UX PHSS_37700 : HP-UX running WBEM Services, Remote Execution of Arbitrary Code, Gain Extended Privileges (HPSBMA02331 SSRT080000 rev.3) code # # (C) Tenable Network Security, Inc. # # The descriptive text and patch checks in this plugin were # extracted from HP patch PHSS_37700. The text itself is # copyright (C) Hewlett-Packard Development Company, L.P. # include("compat.inc"); if (description) { script_id(32154); script_version("1.14"); script_cvs_date("Date: 2019/10/16 10:34:21"); script_cve_id("CVE-2007-5360", "CVE-2008-0003"); script_bugtraq_id(27172); script_xref(name:"HP", value:"emr_na-c01438409"); script_xref(name:"HP", value:"SSRT080000"); script_name(english:"HP-UX PHSS_37700 : HP-UX running WBEM Services, Remote Execution of Arbitrary Code, Gain Extended Privileges (HPSBMA02331 SSRT080000 rev.3)"); script_summary(english:"Checks for the patch in the swlist output"); script_set_attribute( attribute:"synopsis", value:"The remote HP-UX host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "s700_800 11.11 HP WBEM Services A.02.07.01 : Potential security vulnerabilities have been identified with HP-UX running WBEM Services. These vulnerabilities could be exploited remotely to execute arbitrary code or to gain extended privileges." ); # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01438409 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?9d738e39" ); script_set_attribute( attribute:"solution", value:"Install patch PHSS_37700 or subsequent." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack'); script_cwe_id(119); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:hp:hp-ux"); script_set_attribute(attribute:"vuln_publication_date", value:"2008/01/08"); script_set_attribute(attribute:"patch_publication_date", value:"2008/04/03"); script_set_attribute(attribute:"plugin_publication_date", value:"2008/05/09"); script_set_attribute(attribute:"patch_modification_date", value:"2009/02/11"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"HP-UX Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/HP-UX/version", "Host/HP-UX/swlist"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("hpux.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/HP-UX/version")) audit(AUDIT_OS_NOT, "HP-UX"); if (!get_kb_item("Host/HP-UX/swlist")) audit(AUDIT_PACKAGE_LIST_MISSING); if (!hpux_check_ctx(ctx:"11.11")) { exit(0, "The host is not affected since PHSS_37700 applies to a different OS release."); } patches = make_list("PHSS_37700"); foreach patch (patches) { if (hpux_installed(app:patch)) { exit(0, "The host is not affected because patch "+patch+" is installed."); } } flag = 0; if (hpux_check_patch(app:"WBEMServices.WBEM-CORE", version:"A.02.07.01")) flag++; if (hpux_check_patch(app:"WBEMServices.WBEM-CORE-COM", version:"A.02.07.01")) flag++; if (hpux_check_patch(app:"WBEMServices.WBEM-MAN", version:"A.02.07.01")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:hpux_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family HP-UX Local Security Checks NASL id HPUX_PHSS_37701.NASL description s700_800 11.23 HP WBEM Services A.02.07 : Potential security vulnerabilities have been identified with HP-UX running WBEM Services. These vulnerabilities could be exploited remotely to execute arbitrary code or to gain extended privileges. last seen 2020-06-01 modified 2020-06-02 plugin id 32155 published 2008-05-09 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/32155 title HP-UX PHSS_37701 : HP-UX running WBEM Services, Remote Execution of Arbitrary Code, Gain Extended Privileges (HPSBMA02331 SSRT080000 rev.3) NASL family HP-UX Local Security Checks NASL id HPUX_PHSS_38748.NASL description s700_800 11.23 HP WBEM Services A.02.00.11 : Potential security vulnerabilities have been identified with HP-UX running WBEM Services. These vulnerabilities could be exploited remotely to execute arbitrary code or to gain extended privileges. last seen 2020-06-01 modified 2020-06-02 plugin id 35698 published 2009-02-17 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/35698 title HP-UX PHSS_38748 : HP-UX running WBEM Services, Remote Execution of Arbitrary Code, Gain Extended Privileges (HPSBMA02331 SSRT080000 rev.3) NASL family HP-UX Local Security Checks NASL id HPUX_PHSS_37891.NASL description s700_800 11.31 HP WBEM Services A.02.07 : Potential security vulnerabilities have been identified with HP-UX running WBEM Services. These vulnerabilities could be exploited remotely to execute arbitrary code or to gain extended privileges. last seen 2020-06-01 modified 2020-06-02 plugin id 32159 published 2008-05-09 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/32159 title HP-UX PHSS_37891 : HP-UX running WBEM Services, Remote Execution of Arbitrary Code, Gain Extended Privileges (HPSBMA02331 SSRT080000 rev.3) NASL family HP-UX Local Security Checks NASL id HPUX_PHSS_38747.NASL description s700_800 11.11 HP WBEM Services A.02.00.11 : Potential security vulnerabilities have been identified with HP-UX running WBEM Services. These vulnerabilities could be exploited remotely to execute arbitrary code or to gain extended privileges. last seen 2020-06-01 modified 2020-06-02 plugin id 35697 published 2009-02-17 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/35697 title HP-UX PHSS_38747 : HP-UX running WBEM Services, Remote Execution of Arbitrary Code, Gain Extended Privileges (HPSBMA02331 SSRT080000 rev.3) NASL family HP-UX Local Security Checks NASL id HPUX_PHSS_37704.NASL description s700_800 11.31 HP WBEM Services A.02.05.08 : Potential security vulnerabilities have been identified with HP-UX running WBEM Services. These vulnerabilities could be exploited remotely to execute arbitrary code or to gain extended privileges. last seen 2020-06-01 modified 2020-06-02 plugin id 32158 published 2008-05-09 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/32158 title HP-UX PHSS_37704 : HP-UX running WBEM Services, Remote Execution of Arbitrary Code, Gain Extended Privileges (HPSBMA02331 SSRT080000 rev.3) NASL family HP-UX Local Security Checks NASL id HPUX_PHSS_37703.NASL description s700_800 11.23 HP WBEM Services A.02.05.08 : Potential security vulnerabilities have been identified with HP-UX running WBEM Services. These vulnerabilities could be exploited remotely to execute arbitrary code or to gain extended privileges. last seen 2020-06-01 modified 2020-06-02 plugin id 32157 published 2008-05-09 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/32157 title HP-UX PHSS_37703 : HP-UX running WBEM Services, Remote Execution of Arbitrary Code, Gain Extended Privileges (HPSBMA02331 SSRT080000 rev.3) NASL family VMware ESX Local Security Checks NASL id VMWARE_VMSA-2008-0001.NASL description I Service Console package security updates a. OpenPegasus PAM Authentication Buffer Overflow Alexander Sotirov from VMware Security Research discovered a buffer overflow vulnerability in the OpenPegasus Management server. This flaw could be exploited by a malicious remote user on the service console network to gain root access to the service console. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5360 to this issue. b. Updated Samba package An issue where attackers on the service console management network can cause a stack-based buffer overflow in the reply_netbios_packet function of nmbd in Samba. On systems where Samba is being used as a WINS server, exploiting this vulnerability can allow remote attackers to execute arbitrary code via crafted WINS Name Registration requests followed by a WINS Name Query request. An issue where attackers on the service console management network can exploit a vulnerability that occurs when Samba is configured as a Primary or Backup Domain controller. The vulnerability allows remote attackers to have an unknown impact via crafted GETDC mailslot requests, related to handling of GETDC logon server requests. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-5398 and CVE-2007-4572 to these issues. Note: By default Samba is not configured as a WINS server or a domain controller and ESX is not vulnerable unless the administrator has changed the default configuration. This vulnerability can be exploited remotely only if the attacker has access to the service console network. Security best practices provided by VMware recommend that the service console be isolated from the VM network. Please see http://www.vmware.com/resources/techresources/726 for more information on VMware security best practices. c. Updated util-linux package The patch addresses an issue where the mount and umount utilities in util-linux call the setuid and setgid functions in the wrong order and do not check the return values, which could allow attackers to gain elevated privileges via helper application such as mount.nfs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5191 to this issue. d. Updated Perl package The update addresses an issue where the regular expression engine in Perl can be used to issue a specially crafted regular expression that allows the attacker to run arbitrary code with the permissions level of the current Perl user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5116 to this issue. e. Updated OpenSSL package A flaw in the SSL_get_shared_ciphers() function could allow an attacker to cause a buffer overflow problem by sending ciphers to applications that use the function. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-3108, and CVE-2007-5135 to these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 40372 published 2009-07-27 reporter This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40372 title VMSA-2008-0001 : Moderate OpenPegasus PAM Authentication Buffer Overflow and updated service console packages
Seebug
| bulletinFamily | exploit |
| description | BUGTRAQ ID: 27188,27172 CVE(CAN) ID: CVE-2008-0003,CVE-2007-5360 OpenPegasus是一个开源项目,用于实现DMTF CIM和WBEM企业管理标准。 OpenPegasus的PAM认证模块实现上存在缓冲区溢出漏洞,远程攻击者可能利用此漏洞控制服务器。 OpenPegasus的PAM认证模块中的PAMBasicAuthenticator::PAMCallback()函数存在缓冲区溢出漏洞: // // copy the user password // resp[i]->resp = (char *)malloc(PAM_MAX_MSG_SIZE); strcpy(resp[i]->resp, mydata->userPassword); resp[i]->resp_retcode = 0; break; 在这里mydata->userPassword为2000个字符,而PAM_MAX_MSG_SIZE为512字符,因此如果用户提交了超长口令的话就会触发栈溢出,导致以cimserver进程的权限执行任意指令。 Open Group OpenPegasus 2.6.1 Open Group ---------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://cvs.opengroup.org/cgi-bin/cvsweb.cgi/pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp.diff?cvsroot=Pegasus&r1=1.31&r2=1.31.2.1&f=H&only_with_tag=RELEASE_2_5-branch target=_blank>http://cvs.opengroup.org/cgi-bin/cvsweb.cgi/pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp.diff?cvsroot=Pegasus&r1=1.31&r2=1.31.2.1&f=H&only_with_tag=RELEASE_2_5-branch</a> RedHat ------ RedHat已经为此发布了一个安全公告(RHSA-2008:0002-01)以及相应补丁: RHSA-2008:0002-01:Critical: tog-pegasus security update 链接:<a href=https://www.redhat.com/support/errata/RHSA-2008-0002.html target=_blank>https://www.redhat.com/support/errata/RHSA-2008-0002.html</a> |
| id | SSV:2798 |
| last seen | 2017-11-19 |
| modified | 2008-01-10 |
| published | 2008-01-10 |
| reporter | Root |
| title | OpenPegasus管理服务器PAM认证模块远程栈溢出漏洞 |
Statements
| contributor | Mark J Cox |
| lastmodified | 2008-01-09 |
| organization | Red Hat |
| statement | Not vulnerable. This issue did not affect versions of tog-pegasus as shipped with Red Hat Enterprise Linux 4, or 5. For more details see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-5360 |
References
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01438409
- http://lists.vmware.com/pipermail/security-announce/2008/000002.html
- http://secunia.com/advisories/28358
- http://secunia.com/advisories/28368
- http://secunia.com/advisories/28636
- http://secunia.com/advisories/29986
- http://securityreason.com/securityalert/3538
- http://www.attrition.org/pipermail/vim/2008-January/001879.html
- http://www.novell.com/linux/security/advisories/suse_security_summary_report.html
- http://www.securityfocus.com/archive/1/485936/100/0/threaded
- http://www.securityfocus.com/archive/1/486859/100/0/threaded
- http://www.vmware.com/security/advisories/VMSA-2008-0001.html
- http://www.vupen.com/english/advisories/2008/0063
- http://www.vupen.com/english/advisories/2008/0064
- http://www.vupen.com/english/advisories/2008/1391/references
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-5360
- https://exchange.xforce.ibmcloud.com/vulnerabilities/39524