CVE-2007-5360 - Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in multiple products

CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL

Tags: network, low complexity, openpegasus, vmware, CWE-119, nessus

Summary

Buffer overflow in OpenPegasus Management server, when compiled to use PAM and with PEGASUS_USE_PAM_STANDALONE_PROC defined, as used in VMWare ESX Server 3.0.1 and 3.0.2, might allow remote attackers to execute arbitrary code via vectors related to PAM authentication, a different vulnerability than CVE-2008-0003.

Vulnerable Configurations

Part         Description   Count
Application  Openpegasus   1
OS           Vmware        2

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHSS_37702.NASL
    description: s700_800 11.11 HP WBEM Services A.02.05.08 : Potential security vulnerabilities have been identified with HP-UX running WBEM Services. These vulnerabilities could be exploited remotely to execute arbitrary code or to gain extended privileges.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 32156
    published: 2008-05-09
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/32156
    title: HP-UX PHSS_37702 : HP-UX running WBEM Services, Remote Execution of Arbitrary Code, Gain Extended Privileges (HPSBMA02331 SSRT080000 rev.3)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and patch checks in this plugin were 
    # extracted from HP patch PHSS_37702. The text itself is
    # copyright (C) Hewlett-Packard Development Company, L.P.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(32156);
      script_version("1.14");
      script_cvs_date("Date: 2019/10/16 10:34:21");
    
      script_cve_id("CVE-2007-5360", "CVE-2008-0003");
      script_bugtraq_id(27172);
      script_xref(name:"HP", value:"emr_na-c01438409");
      script_xref(name:"HP", value:"SSRT080000");
    
      script_name(english:"HP-UX PHSS_37702 : HP-UX running WBEM Services, Remote Execution of Arbitrary Code, Gain Extended Privileges (HPSBMA02331 SSRT080000 rev.3)");
      script_summary(english:"Checks for the patch in the swlist output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote HP-UX host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "s700_800 11.11 HP WBEM Services A.02.05.08 : 
    
    Potential security vulnerabilities have been identified with HP-UX
    running WBEM Services. These vulnerabilities could be exploited
    remotely to execute arbitrary code or to gain extended privileges."
      );
      # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01438409
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?9d738e39"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Install patch PHSS_37702 or subsequent."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:hp:hp-ux");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2008/01/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2008/04/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/05/09");
      script_set_attribute(attribute:"patch_modification_date", value:"2009/02/11");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"HP-UX Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/HP-UX/version", "Host/HP-UX/swlist");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("hpux.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/HP-UX/version")) audit(AUDIT_OS_NOT, "HP-UX");
    if (!get_kb_item("Host/HP-UX/swlist")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    if (!hpux_check_ctx(ctx:"11.11"))
    {
      exit(0, "The host is not affected since PHSS_37702 applies to a different OS release.");
    }
    
    patches = make_list("PHSS_37702");
    foreach patch (patches)
    {
      if (hpux_installed(app:patch))
      {
        exit(0, "The host is not affected because patch "+patch+" is installed.");
      }
    }
    
    
    flag = 0;
    if (hpux_check_patch(app:"WBEMServices.WBEM-CORE", version:"A.02.05.08")) flag++;
    if (hpux_check_patch(app:"WBEMServices.WBEM-CORE-COM", version:"A.02.05.08")) flag++;
    if (hpux_check_patch(app:"WBEMServices.WBEM-MAN", version:"A.02.05.08")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:hpux_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHSS_37700.NASL
    description: s700_800 11.11 HP WBEM Services A.02.07.01 : Potential security vulnerabilities have been identified with HP-UX running WBEM Services. These vulnerabilities could be exploited remotely to execute arbitrary code or to gain extended privileges.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 32154
    published: 2008-05-09
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/32154
    title: HP-UX PHSS_37700 : HP-UX running WBEM Services, Remote Execution of Arbitrary Code, Gain Extended Privileges (HPSBMA02331 SSRT080000 rev.3)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and patch checks in this plugin were 
    # extracted from HP patch PHSS_37700. The text itself is
    # copyright (C) Hewlett-Packard Development Company, L.P.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(32154);
      script_version("1.14");
      script_cvs_date("Date: 2019/10/16 10:34:21");
    
      script_cve_id("CVE-2007-5360", "CVE-2008-0003");
      script_bugtraq_id(27172);
      script_xref(name:"HP", value:"emr_na-c01438409");
      script_xref(name:"HP", value:"SSRT080000");
    
      script_name(english:"HP-UX PHSS_37700 : HP-UX running WBEM Services, Remote Execution of Arbitrary Code, Gain Extended Privileges (HPSBMA02331 SSRT080000 rev.3)");
      script_summary(english:"Checks for the patch in the swlist output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote HP-UX host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "s700_800 11.11 HP WBEM Services A.02.07.01 : 
    
    Potential security vulnerabilities have been identified with HP-UX
    running WBEM Services. These vulnerabilities could be exploited
    remotely to execute arbitrary code or to gain extended privileges."
      );
      # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01438409
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?9d738e39"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Install patch PHSS_37700 or subsequent."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:hp:hp-ux");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2008/01/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2008/04/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/05/09");
      script_set_attribute(attribute:"patch_modification_date", value:"2009/02/11");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"HP-UX Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/HP-UX/version", "Host/HP-UX/swlist");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("hpux.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/HP-UX/version")) audit(AUDIT_OS_NOT, "HP-UX");
    if (!get_kb_item("Host/HP-UX/swlist")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    if (!hpux_check_ctx(ctx:"11.11"))
    {
      exit(0, "The host is not affected since PHSS_37700 applies to a different OS release.");
    }
    
    patches = make_list("PHSS_37700");
    foreach patch (patches)
    {
      if (hpux_installed(app:patch))
      {
        exit(0, "The host is not affected because patch "+patch+" is installed.");
      }
    }
    
    
    flag = 0;
    if (hpux_check_patch(app:"WBEMServices.WBEM-CORE", version:"A.02.07.01")) flag++;
    if (hpux_check_patch(app:"WBEMServices.WBEM-CORE-COM", version:"A.02.07.01")) flag++;
    if (hpux_check_patch(app:"WBEMServices.WBEM-MAN", version:"A.02.07.01")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:hpux_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHSS_37701.NASL
    description: s700_800 11.23 HP WBEM Services A.02.07 : Potential security vulnerabilities have been identified with HP-UX running WBEM Services. These vulnerabilities could be exploited remotely to execute arbitrary code or to gain extended privileges.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 32155
    published: 2008-05-09
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/32155
    title: HP-UX PHSS_37701 : HP-UX running WBEM Services, Remote Execution of Arbitrary Code, Gain Extended Privileges (HPSBMA02331 SSRT080000 rev.3)
  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHSS_38748.NASL
    description: s700_800 11.23 HP WBEM Services A.02.00.11 : Potential security vulnerabilities have been identified with HP-UX running WBEM Services. These vulnerabilities could be exploited remotely to execute arbitrary code or to gain extended privileges.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 35698
    published: 2009-02-17
    reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/35698
    title: HP-UX PHSS_38748 : HP-UX running WBEM Services, Remote Execution of Arbitrary Code, Gain Extended Privileges (HPSBMA02331 SSRT080000 rev.3)
  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHSS_37891.NASL
    description: s700_800 11.31 HP WBEM Services A.02.07 : Potential security vulnerabilities have been identified with HP-UX running WBEM Services. These vulnerabilities could be exploited remotely to execute arbitrary code or to gain extended privileges.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 32159
    published: 2008-05-09
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/32159
    title: HP-UX PHSS_37891 : HP-UX running WBEM Services, Remote Execution of Arbitrary Code, Gain Extended Privileges (HPSBMA02331 SSRT080000 rev.3)
  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHSS_38747.NASL
    description: s700_800 11.11 HP WBEM Services A.02.00.11 : Potential security vulnerabilities have been identified with HP-UX running WBEM Services. These vulnerabilities could be exploited remotely to execute arbitrary code or to gain extended privileges.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 35697
    published: 2009-02-17
    reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/35697
    title: HP-UX PHSS_38747 : HP-UX running WBEM Services, Remote Execution of Arbitrary Code, Gain Extended Privileges (HPSBMA02331 SSRT080000 rev.3)
  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHSS_37704.NASL
    description: s700_800 11.31 HP WBEM Services A.02.05.08 : Potential security vulnerabilities have been identified with HP-UX running WBEM Services. These vulnerabilities could be exploited remotely to execute arbitrary code or to gain extended privileges.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 32158
    published: 2008-05-09
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/32158
    title: HP-UX PHSS_37704 : HP-UX running WBEM Services, Remote Execution of Arbitrary Code, Gain Extended Privileges (HPSBMA02331 SSRT080000 rev.3)
  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHSS_37703.NASL
    description: s700_800 11.23 HP WBEM Services A.02.05.08 : Potential security vulnerabilities have been identified with HP-UX running WBEM Services. These vulnerabilities could be exploited remotely to execute arbitrary code or to gain extended privileges.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 32157
    published: 2008-05-09
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/32157
    title: HP-UX PHSS_37703 : HP-UX running WBEM Services, Remote Execution of Arbitrary Code, Gain Extended Privileges (HPSBMA02331 SSRT080000 rev.3)
  • NASL family: VMware ESX Local Security Checks
    NASL id: VMWARE_VMSA-2008-0001.NASL
    description: I Service Console package security updates
    a. OpenPegasus PAM Authentication Buffer Overflow. Alexander Sotirov from VMware Security Research discovered a buffer overflow vulnerability in the OpenPegasus Management server. This flaw could be exploited by a malicious remote user on the service console network to gain root access to the service console. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5360 to this issue.
    b. Updated Samba package. An issue where attackers on the service console management network can cause a stack-based buffer overflow in the reply_netbios_packet function of nmbd in Samba. On systems where Samba is being used as a WINS server, exploiting this vulnerability can allow remote attackers to execute arbitrary code via crafted WINS Name Registration requests followed by a WINS Name Query request. An issue where attackers on the service console management network can exploit a vulnerability that occurs when Samba is configured as a Primary or Backup Domain controller. The vulnerability allows remote attackers to have an unknown impact via crafted GETDC mailslot requests, related to handling of GETDC logon server requests. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-5398 and CVE-2007-4572 to these issues. Note: By default Samba is not configured as a WINS server or a domain controller and ESX is not vulnerable unless the administrator has changed the default configuration. This vulnerability can be exploited remotely only if the attacker has access to the service console network. Security best practices provided by VMware recommend that the service console be isolated from the VM network. Please see http://www.vmware.com/resources/techresources/726 for more information on VMware security best practices.
    c. Updated util-linux package. The patch addresses an issue where the mount and umount utilities in util-linux call the setuid and setgid functions in the wrong order and do not check the return values, which could allow attackers to gain elevated privileges via helper applications such as mount.nfs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5191 to this issue.
    d. Updated Perl package. The update addresses an issue where the regular expression engine in Perl can be used to issue a specially crafted regular expression that allows the attacker to run arbitrary code with the permission level of the current Perl user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5116 to this issue.
    e. Updated OpenSSL package. A flaw in the SSL_get_shared_ciphers() function could allow an attacker to cause a buffer overflow by sending ciphers to applications that use the function. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-3108 and CVE-2007-5135 to these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 40372
    published: 2009-07-27
    reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/40372
    title: VMSA-2008-0001 : Moderate OpenPegasus PAM Authentication Buffer Overflow and updated service console packages

Seebug

bulletinFamily: exploit
description: BUGTRAQ ID: 27188, 27172. CVE(CAN) ID: CVE-2008-0003, CVE-2007-5360.
OpenPegasus is an open-source project that implements the DMTF CIM and WBEM enterprise management standards. The implementation of OpenPegasus's PAM authentication module contains a buffer overflow vulnerability, which a remote attacker could exploit to take control of the server. The PAMBasicAuthenticator::PAMCallback() function in OpenPegasus's PAM authentication module has the buffer overflow:

    //
    // copy the user password
    //
    resp[i]->resp = (char *)malloc(PAM_MAX_MSG_SIZE);
    strcpy(resp[i]->resp, mydata->userPassword);
    resp[i]->resp_retcode = 0;
    break;

Here mydata->userPassword is 2000 characters while PAM_MAX_MSG_SIZE is 512 characters, so if a user submits an overly long password a stack overflow is triggered, leading to execution of arbitrary instructions with the privileges of the cimserver process.

Open Group OpenPegasus 2.6.1

Open Group
----------
The vendor has released an upgrade patch to fix this security issue; download it from the vendor's homepage:
http://cvs.opengroup.org/cgi-bin/cvsweb.cgi/pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp.diff?cvsroot=Pegasus&r1=1.31&r2=1.31.2.1&f=H&only_with_tag=RELEASE_2_5-branch

RedHat
------
Red Hat has released a security advisory (RHSA-2008:0002-01) and the corresponding patch:
RHSA-2008:0002-01: Critical: tog-pegasus security update
Link: https://www.redhat.com/support/errata/RHSA-2008-0002.html
id: SSV:2798
last seen: 2017-11-19
modified: 2008-01-10
published: 2008-01-10
reporter: Root
title: OpenPegasus Management Server PAM Authentication Module Remote Stack Overflow Vulnerability
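The Seebug report above quotes the defective copy: a response buffer of PAM_MAX_MSG_SIZE (512) bytes filled by an unbounded strcpy from a 2000-character password field. The following is an added example, not OpenPegasus code: a hypothetical helper that performs the same copy only after confirming the password fits, rejecting oversized input instead of writing past the allocation. PAM_MAX_MSG_SIZE is defined locally with the value the report quotes so the file builds without PAM headers; the function names are constructed for this example.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for the PAM limit quoted in the report (512 bytes),
 * so this example builds without <security/pam_appl.h>. */
#define PAM_MAX_MSG_SIZE 512

/*
 * Hypothetical bounded replacement for the quoted pattern
 *     resp = malloc(PAM_MAX_MSG_SIZE); strcpy(resp, password);
 * The destination is PAM_MAX_MSG_SIZE bytes, so the copy proceeds only if
 * the password plus its terminating NUL fits.  Returns a malloc'd copy the
 * caller must free(), or NULL when the input is missing or too long.
 */
char *pam_copy_password_bounded(const char *password)
{
    if (password == NULL)
        return NULL;

    /* memchr is bounded: an oversized string is never scanned past the limit.
     * No NUL within PAM_MAX_MSG_SIZE bytes means the copy would overflow. */
    const char *nul = memchr(password, '\0', PAM_MAX_MSG_SIZE);
    if (nul == NULL)
        return NULL;                 /* reject rather than silently truncate */

    size_t len = (size_t)(nul - password);
    char *resp = malloc(PAM_MAX_MSG_SIZE);
    if (resp == NULL)
        return NULL;

    memcpy(resp, password, len);     /* len < PAM_MAX_MSG_SIZE, so this fits */
    resp[len] = '\0';
    return resp;
}

/* Builds a constructed password of n 'A' characters and reports whether the
 * bounded copy accepts it: 1 = accepted, 0 = rejected. */
int password_length_accepted(size_t n)
{
    char *buf = malloc(n + 1);
    if (buf == NULL)
        return 0;
    memset(buf, 'A', n);
    buf[n] = '\0';

    char *copy = pam_copy_password_bounded(buf);
    int accepted = (copy != NULL);
    free(copy);
    free(buf);
    return accepted;
}

int main(void)
{
    /* The report's figures: a 2000-character password against a 512-byte buffer. */
    printf("2000 chars: %s\n", password_length_accepted(2000) ? "accepted" : "rejected");
    printf(" 511 chars: %s\n", password_length_accepted(511)  ? "accepted" : "rejected");
    printf(" 512 chars: %s\n", password_length_accepted(512)  ? "accepted" : "rejected");
    return 0;
}
```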

Statements

contributor: Mark J Cox
last modified: 2008-01-09
organization: Red Hat
statement: Not vulnerable. This issue did not affect versions of tog-pegasus as shipped with Red Hat Enterprise Linux 4, or 5. For more details see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-5360