Vulnerabilities > CVE-2008-0003 - Buffer Errors vulnerability in Openpegasus Management Server 2.6.1

CVSS 10.0 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

low complexity

redhat

openpegasus

CWE-119

critical

nessus

NVD

Published: 2008-01-08

Updated: 2018-10-15

Summary

Stack-based buffer overflow in the PAMBasicAuthenticator::PAMCallback function in OpenPegasus CIM management server (tog-pegasus), when compiled to use PAM and without PEGASUS_USE_PAM_STANDALONE_PROC defined, might allow remote attackers to execute arbitrary code via unknown vectors, a different vulnerability than CVE-2007-5360.

Vulnerable Configurations

Part	Description	Count
OS	Redhat Redhat Enterprise Linux 4.0 Redhat Enterprise Linux 4.5.Z Redhat Enterprise Linux Desktop 4.0 Redhat Enterprise Linux Desktop 5.0	7
Application	Openpegasus Openpegasus Management Server 2.6.1	1

Common Weakness Enumeration (CWE)

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Common Attack Pattern Enumeration and Classification (CAPEC)

Buffer Overflow via Environment Variables
This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
Overflow Buffers
Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
Client-side Injection-induced Buffer Overflow
This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
Filter Failure through Buffer Overflow
In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
MIME Conversion
An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

NASL family	CentOS Local Security Checks
NASL id	CENTOS_RHSA-2008-0002.NASL
description	Updated tog-pegasus packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having critical security impact by the Red Hat Security Response Team. The tog-pegasus packages provide OpenPegasus Web-Based Enterprise Management (WBEM) services. WBEM is a platform and resource independent DMTF standard that defines a common information model, and communication protocol for monitoring and controlling resources. During a security audit, a stack-based buffer overflow flaw was found in the PAM authentication code in the OpenPegasus CIM management server. An unauthenticated remote user could trigger this flaw and potentially execute arbitrary code with root privileges. (CVE-2008-0003) Note that the tog-pegasus packages are not installed by default on Red Hat Enterprise Linux. The Red Hat Security Response Team believes that it would be hard to remotely exploit this issue to execute arbitrary code, due to the default SELinux targeted policy on Red Hat Enterprise Linux 4 and 5, and the SELinux memory protection tests enabled by default on Red Hat Enterprise Linux 5. Users of tog-pegasus should upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing the updated packages the tog-pegasus service should be restarted.
last seen	2020-06-01
modified	2020-06-02
plugin id	29931
published	2008-01-14
reporter	This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/29931
title	CentOS 4 / 5 : tog-pegasus (CESA-2008:0002)
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2008:0002 and # CentOS Errata and Security Advisory 2008:0002 respectively. # include("compat.inc"); if (description) { script_id(29931); script_version("1.20"); script_cvs_date("Date: 2019/10/25 13:36:04"); script_cve_id("CVE-2008-0003"); script_bugtraq_id(27172); script_xref(name:"RHSA", value:"2008:0002"); script_name(english:"CentOS 4 / 5 : tog-pegasus (CESA-2008:0002)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote CentOS host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated tog-pegasus packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having critical security impact by the Red Hat Security Response Team. The tog-pegasus packages provide OpenPegasus Web-Based Enterprise Management (WBEM) services. WBEM is a platform and resource independent DMTF standard that defines a common information model, and communication protocol for monitoring and controlling resources. During a security audit, a stack-based buffer overflow flaw was found in the PAM authentication code in the OpenPegasus CIM management server. An unauthenticated remote user could trigger this flaw and potentially execute arbitrary code with root privileges. (CVE-2008-0003) Note that the tog-pegasus packages are not installed by default on Red Hat Enterprise Linux. The Red Hat Security Response Team believes that it would be hard to remotely exploit this issue to execute arbitrary code, due to the default SELinux targeted policy on Red Hat Enterprise Linux 4 and 5, and the SELinux memory protection tests enabled by default on Red Hat Enterprise Linux 5. Users of tog-pegasus should upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing the updated packages the tog-pegasus service should be restarted." ); # https://lists.centos.org/pipermail/centos-announce/2008-January/014562.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?d9b34e51" ); # https://lists.centos.org/pipermail/centos-announce/2008-January/014591.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?7229aeb9" ); # https://lists.centos.org/pipermail/centos-announce/2008-January/014592.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?55e8cd9d" ); # https://lists.centos.org/pipermail/centos-announce/2008-January/014599.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?f7d7baef" ); # https://lists.centos.org/pipermail/centos-announce/2008-January/014600.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?aa27cb74" ); script_set_attribute( attribute:"solution", value:"Update the affected tog-pegasus packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_cwe_id(119); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:tog-pegasus"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:tog-pegasus-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:tog-pegasus-test"); script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:4"); script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:5"); script_set_attribute(attribute:"vuln_publication_date", value:"2008/01/08"); script_set_attribute(attribute:"patch_publication_date", value:"2008/01/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2008/01/14"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"CentOS Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/CentOS/release"); if (isnull(release) \|\| "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS"); os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS"); os_ver = os_ver[1]; if (! preg(pattern:"^(4\|5)([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 4.x / 5.x", "CentOS " + os_ver); if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu); flag = 0; if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"tog-pegasus-2.5.1-5.el4_6.1")) flag++; if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"tog-pegasus-2.5.1-5.c4.1")) flag++; if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"tog-pegasus-2.5.1-5.el4_6.1")) flag++; if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"tog-pegasus-devel-2.5.1-5.el4_6.1")) flag++; if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"tog-pegasus-devel-2.5.1-5.c4.1")) flag++; if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"tog-pegasus-devel-2.5.1-5.el4_6.1")) flag++; if (rpm_check(release:"CentOS-4", cpu:"i386", reference:"tog-pegasus-test-2.5.1-5.el4_6.1")) flag++; if (rpm_check(release:"CentOS-4", cpu:"ia64", reference:"tog-pegasus-test-2.5.1-5.c4.1")) flag++; if (rpm_check(release:"CentOS-4", cpu:"x86_64", reference:"tog-pegasus-test-2.5.1-5.el4_6.1")) flag++; if (rpm_check(release:"CentOS-5", reference:"tog-pegasus-2.6.1-2.el5_1.1")) flag++; if (rpm_check(release:"CentOS-5", reference:"tog-pegasus-devel-2.6.1-2.el5_1.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "tog-pegasus / tog-pegasus-devel / tog-pegasus-test"); }

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2008-0002.NASL
description	Updated tog-pegasus packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having critical security impact by the Red Hat Security Response Team. The tog-pegasus packages provide OpenPegasus Web-Based Enterprise Management (WBEM) services. WBEM is a platform and resource independent DMTF standard that defines a common information model, and communication protocol for monitoring and controlling resources. During a security audit, a stack-based buffer overflow flaw was found in the PAM authentication code in the OpenPegasus CIM management server. An unauthenticated remote user could trigger this flaw and potentially execute arbitrary code with root privileges. (CVE-2008-0003) Note that the tog-pegasus packages are not installed by default on Red Hat Enterprise Linux. The Red Hat Security Response Team believes that it would be hard to remotely exploit this issue to execute arbitrary code, due to the default SELinux targeted policy on Red Hat Enterprise Linux 4 and 5, and the SELinux memory protection tests enabled by default on Red Hat Enterprise Linux 5. Users of tog-pegasus should upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing the updated packages the tog-pegasus service should be restarted.
last seen	2020-06-01
modified	2020-06-02
plugin id	29875
published	2008-01-08
reporter	This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/29875
title	RHEL 4 / 5 : tog-pegasus (RHSA-2008:0002)
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2008:0002. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(29875); script_version ("1.31"); script_cvs_date("Date: 2019/10/25 13:36:13"); script_cve_id("CVE-2008-0003"); script_bugtraq_id(27172); script_xref(name:"RHSA", value:"2008:0002"); script_name(english:"RHEL 4 / 5 : tog-pegasus (RHSA-2008:0002)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated tog-pegasus packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having critical security impact by the Red Hat Security Response Team. The tog-pegasus packages provide OpenPegasus Web-Based Enterprise Management (WBEM) services. WBEM is a platform and resource independent DMTF standard that defines a common information model, and communication protocol for monitoring and controlling resources. During a security audit, a stack-based buffer overflow flaw was found in the PAM authentication code in the OpenPegasus CIM management server. An unauthenticated remote user could trigger this flaw and potentially execute arbitrary code with root privileges. (CVE-2008-0003) Note that the tog-pegasus packages are not installed by default on Red Hat Enterprise Linux. The Red Hat Security Response Team believes that it would be hard to remotely exploit this issue to execute arbitrary code, due to the default SELinux targeted policy on Red Hat Enterprise Linux 4 and 5, and the SELinux memory protection tests enabled by default on Red Hat Enterprise Linux 5. Users of tog-pegasus should upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing the updated packages the tog-pegasus service should be restarted." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2008-0003" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2008:0002" ); script_set_attribute( attribute:"solution", value: "Update the affected tog-pegasus, tog-pegasus-devel and / or tog-pegasus-test packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_cwe_id(119); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tog-pegasus"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tog-pegasus-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tog-pegasus-test"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4.5"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4.6"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5.1"); script_set_attribute(attribute:"vuln_publication_date", value:"2008/01/08"); script_set_attribute(attribute:"patch_publication_date", value:"2008/01/07"); script_set_attribute(attribute:"plugin_publication_date", value:"2008/01/08"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^(4\|5)([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 4.x / 5.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2008:0002"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { sp = get_kb_item("Host/RedHat/minor_release"); if (isnull(sp)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); flag = 0; if (sp == "5") { if (rpm_check(release:"RHEL4", sp:"5", reference:"tog-pegasus-2.5.1-2.el4_5.1")) flag++; } else { if (rpm_check(release:"RHEL4", reference:"tog-pegasus-2.5.1-5.el4_6.1")) flag++; } if (sp == "5") { if (rpm_check(release:"RHEL4", sp:"5", reference:"tog-pegasus-devel-2.5.1-2.el4_5.1")) flag++; } else { if (rpm_check(release:"RHEL4", reference:"tog-pegasus-devel-2.5.1-5.el4_6.1")) flag++; } if (sp == "5") { if (rpm_check(release:"RHEL4", sp:"5", reference:"tog-pegasus-test-2.5.1-2.el4_5.1")) flag++; } else { if (rpm_check(release:"RHEL4", reference:"tog-pegasus-test-2.5.1-5.el4_6.1")) flag++; } if (rpm_check(release:"RHEL5", reference:"tog-pegasus-2.6.1-2.el5_1.1")) flag++; if (rpm_check(release:"RHEL5", reference:"tog-pegasus-devel-2.6.1-2.el5_1.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "tog-pegasus / tog-pegasus-devel / tog-pegasus-test"); } }

NASL family	HP-UX Local Security Checks
NASL id	HPUX_PHSS_37702.NASL
description	s700_800 11.11 HP WBEM Services A.02.05.08 : Potential security vulnerabilities have been identified with HP-UX running WBEM Services. These vulnerabilities could be exploited remotely to execute arbitrary code or to gain extended privileges.
last seen	2020-06-01
modified	2020-06-02
plugin id	32156
published	2008-05-09
reporter	This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/32156
title	HP-UX PHSS_37702 : HP-UX running WBEM Services, Remote Execution of Arbitrary Code, Gain Extended Privileges (HPSBMA02331 SSRT080000 rev.3)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and patch checks in this plugin were # extracted from HP patch PHSS_37702. The text itself is # copyright (C) Hewlett-Packard Development Company, L.P. # include("compat.inc"); if (description) { script_id(32156); script_version("1.14"); script_cvs_date("Date: 2019/10/16 10:34:21"); script_cve_id("CVE-2007-5360", "CVE-2008-0003"); script_bugtraq_id(27172); script_xref(name:"HP", value:"emr_na-c01438409"); script_xref(name:"HP", value:"SSRT080000"); script_name(english:"HP-UX PHSS_37702 : HP-UX running WBEM Services, Remote Execution of Arbitrary Code, Gain Extended Privileges (HPSBMA02331 SSRT080000 rev.3)"); script_summary(english:"Checks for the patch in the swlist output"); script_set_attribute( attribute:"synopsis", value:"The remote HP-UX host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "s700_800 11.11 HP WBEM Services A.02.05.08 : Potential security vulnerabilities have been identified with HP-UX running WBEM Services. These vulnerabilities could be exploited remotely to execute arbitrary code or to gain extended privileges." ); # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01438409 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?9d738e39" ); script_set_attribute( attribute:"solution", value:"Install patch PHSS_37702 or subsequent." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack'); script_cwe_id(119); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:hp:hp-ux"); script_set_attribute(attribute:"vuln_publication_date", value:"2008/01/08"); script_set_attribute(attribute:"patch_publication_date", value:"2008/04/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2008/05/09"); script_set_attribute(attribute:"patch_modification_date", value:"2009/02/11"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"HP-UX Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/HP-UX/version", "Host/HP-UX/swlist"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("hpux.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/HP-UX/version")) audit(AUDIT_OS_NOT, "HP-UX"); if (!get_kb_item("Host/HP-UX/swlist")) audit(AUDIT_PACKAGE_LIST_MISSING); if (!hpux_check_ctx(ctx:"11.11")) { exit(0, "The host is not affected since PHSS_37702 applies to a different OS release."); } patches = make_list("PHSS_37702"); foreach patch (patches) { if (hpux_installed(app:patch)) { exit(0, "The host is not affected because patch "+patch+" is installed."); } } flag = 0; if (hpux_check_patch(app:"WBEMServices.WBEM-CORE", version:"A.02.05.08")) flag++; if (hpux_check_patch(app:"WBEMServices.WBEM-CORE-COM", version:"A.02.05.08")) flag++; if (hpux_check_patch(app:"WBEMServices.WBEM-MAN", version:"A.02.05.08")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:hpux_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

NASL family	HP-UX Local Security Checks
NASL id	HPUX_PHSS_37700.NASL
description	s700_800 11.11 HP WBEM Services A.02.07.01 : Potential security vulnerabilities have been identified with HP-UX running WBEM Services. These vulnerabilities could be exploited remotely to execute arbitrary code or to gain extended privileges.
last seen	2020-06-01
modified	2020-06-02
plugin id	32154
published	2008-05-09
reporter	This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/32154
title	HP-UX PHSS_37700 : HP-UX running WBEM Services, Remote Execution of Arbitrary Code, Gain Extended Privileges (HPSBMA02331 SSRT080000 rev.3)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and patch checks in this plugin were # extracted from HP patch PHSS_37700. The text itself is # copyright (C) Hewlett-Packard Development Company, L.P. # include("compat.inc"); if (description) { script_id(32154); script_version("1.14"); script_cvs_date("Date: 2019/10/16 10:34:21"); script_cve_id("CVE-2007-5360", "CVE-2008-0003"); script_bugtraq_id(27172); script_xref(name:"HP", value:"emr_na-c01438409"); script_xref(name:"HP", value:"SSRT080000"); script_name(english:"HP-UX PHSS_37700 : HP-UX running WBEM Services, Remote Execution of Arbitrary Code, Gain Extended Privileges (HPSBMA02331 SSRT080000 rev.3)"); script_summary(english:"Checks for the patch in the swlist output"); script_set_attribute( attribute:"synopsis", value:"The remote HP-UX host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "s700_800 11.11 HP WBEM Services A.02.07.01 : Potential security vulnerabilities have been identified with HP-UX running WBEM Services. These vulnerabilities could be exploited remotely to execute arbitrary code or to gain extended privileges." ); # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01438409 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?9d738e39" ); script_set_attribute( attribute:"solution", value:"Install patch PHSS_37700 or subsequent." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack'); script_cwe_id(119); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:hp:hp-ux"); script_set_attribute(attribute:"vuln_publication_date", value:"2008/01/08"); script_set_attribute(attribute:"patch_publication_date", value:"2008/04/03"); script_set_attribute(attribute:"plugin_publication_date", value:"2008/05/09"); script_set_attribute(attribute:"patch_modification_date", value:"2009/02/11"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"HP-UX Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/HP-UX/version", "Host/HP-UX/swlist"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("hpux.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/HP-UX/version")) audit(AUDIT_OS_NOT, "HP-UX"); if (!get_kb_item("Host/HP-UX/swlist")) audit(AUDIT_PACKAGE_LIST_MISSING); if (!hpux_check_ctx(ctx:"11.11")) { exit(0, "The host is not affected since PHSS_37700 applies to a different OS release."); } patches = make_list("PHSS_37700"); foreach patch (patches) { if (hpux_installed(app:patch)) { exit(0, "The host is not affected because patch "+patch+" is installed."); } } flag = 0; if (hpux_check_patch(app:"WBEMServices.WBEM-CORE", version:"A.02.07.01")) flag++; if (hpux_check_patch(app:"WBEMServices.WBEM-CORE-COM", version:"A.02.07.01")) flag++; if (hpux_check_patch(app:"WBEMServices.WBEM-MAN", version:"A.02.07.01")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:hpux_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

NASL family	VMware ESX Local Security Checks
NASL id	VMWARE_VMSA-2008-0007.NASL
description	a. Updated pcre Service Console package addresses several security issues The pcre package contains the Perl-Compatible Regular Expression library. pcre is used by various Service Console utilities. Several security issues were discovered in the way PCRE handles regular expressions. If an application linked against PCRE parsed a malicious regular expression, it may have been possible to run arbitrary code as the user running the application. VMware would like to thank Ludwig Nussel for reporting these issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2006-7228 and CVE-2007-1660 to these issues. b. Updated net-snmp Service Console package addresses denial of service net-snmp is an implementation of the Simple Network Management Protocol (SNMP). SNMP is used by network management systems to monitor hosts. By default ESX has this service enabled and its ports open on the ESX firewall. A flaw was discovered in the way net-snmp handled certain requests. A remote attacker who can connect to the snmpd UDP port could send a malicious packet causing snmpd to crash, resulting in a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5846 to this issue. c. Updated OpenPegasus Service Console package fixes overflow condition OpenPegasus is a CIM (Common Information Model) and Web-Based Enterprise Management (WBEM) broker. These protocols are used by network management systems to monitor and control hosts. By default ESX has this service enabled and its ports open on the ESX firewall. A flaw was discovered in the OpenPegasus CIM management server that might allow remote attackers to execute arbitrary code. OpenPegasus when compiled to use PAM and without PEGASUS_USE_PAM_STANDALONE_PROC defined, has a stack-based buffer overflow condition. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-0003 to this issue.
last seen	2020-06-01
modified	2020-06-02
plugin id	40377
published	2009-07-27
reporter	This script is Copyright (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/40377
title	VMSA-2008-0007 : Moderate Updated Service Console packages pcre, net-snmp, and OpenPegasus
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from VMware Security Advisory 2008-0007. # The text itself is copyright (C) VMware Inc. # include("compat.inc"); if (description) { script_id(40377); script_version("1.24"); script_cvs_date("Date: 2018/08/07 11:56:11"); script_cve_id("CVE-2006-7228", "CVE-2007-1660", "CVE-2007-5846", "CVE-2008-0003"); script_bugtraq_id(26378, 26462, 26727, 27172); script_xref(name:"VMSA", value:"2008-0007"); script_name(english:"VMSA-2008-0007 : Moderate Updated Service Console packages pcre, net-snmp, and OpenPegasus"); script_summary(english:"Checks esxupdate output for the patches"); script_set_attribute( attribute:"synopsis", value: "The remote VMware ESX host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "a. Updated pcre Service Console package addresses several security issues The pcre package contains the Perl-Compatible Regular Expression library. pcre is used by various Service Console utilities. Several security issues were discovered in the way PCRE handles regular expressions. If an application linked against PCRE parsed a malicious regular expression, it may have been possible to run arbitrary code as the user running the application. VMware would like to thank Ludwig Nussel for reporting these issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2006-7228 and CVE-2007-1660 to these issues. b. Updated net-snmp Service Console package addresses denial of service net-snmp is an implementation of the Simple Network Management Protocol (SNMP). SNMP is used by network management systems to monitor hosts. By default ESX has this service enabled and its ports open on the ESX firewall. A flaw was discovered in the way net-snmp handled certain requests. A remote attacker who can connect to the snmpd UDP port could send a malicious packet causing snmpd to crash, resulting in a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5846 to this issue. c. Updated OpenPegasus Service Console package fixes overflow condition OpenPegasus is a CIM (Common Information Model) and Web-Based Enterprise Management (WBEM) broker. These protocols are used by network management systems to monitor and control hosts. By default ESX has this service enabled and its ports open on the ESX firewall. A flaw was discovered in the OpenPegasus CIM management server that might allow remote attackers to execute arbitrary code. OpenPegasus when compiled to use PAM and without PEGASUS_USE_PAM_STANDALONE_PROC defined, has a stack-based buffer overflow condition. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-0003 to this issue." ); script_set_attribute( attribute:"see_also", value:"http://lists.vmware.com/pipermail/security-announce/2008/000019.html" ); script_set_attribute(attribute:"solution", value:"Apply the missing patches."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_cwe_id(119, 189, 399); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:3.0.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:3.0.2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:3.5"); script_set_attribute(attribute:"patch_publication_date", value:"2008/04/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/27"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"VMware ESX Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/VMware/release", "Host/VMware/version"); script_require_ports("Host/VMware/esxupdate", "Host/VMware/esxcli_software_vibs"); exit(0); } include("audit.inc"); include("vmware_esx_packages.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/VMware/release")) audit(AUDIT_OS_NOT, "VMware ESX / ESXi"); if ( !get_kb_item("Host/VMware/esxcli_software_vibs") && !get_kb_item("Host/VMware/esxupdate") ) audit(AUDIT_PACKAGE_LIST_MISSING); init_esx_check(date:"2008-04-15"); flag = 0; if (esx_check(ver:"ESX 3.0.1", patch:"ESX-1004184")) flag++; if (esx_check(ver:"ESX 3.0.1", patch:"ESX-1004187")) flag++; if (esx_check(ver:"ESX 3.0.1", patch:"ESX-1004188")) flag++; if (esx_check(ver:"ESX 3.0.2", patch:"ESX-1004213")) flag++; if (esx_check(ver:"ESX 3.0.2", patch:"ESX-1004217")) flag++; if (esx_check(ver:"ESX 3.0.2", patch:"ESX-1004218")) flag++; if ( esx_check( ver : "ESX 3.5.0", patch : "ESX350-200803201-UG", patch_updates : make_list("ESX350-200911210-UG", "ESX350-200912406-BG", "ESX350-201006409-BG", "ESX350-201105403-BG", "ESX350-Update01", "ESX350-Update02", "ESX350-Update03", "ESX350-Update04", "ESX350-Update05", "ESX350-Update05a") ) ) flag++; if ( esx_check( ver : "ESX 3.5.0", patch : "ESX350-200803214-UG", patch_updates : make_list("ESX350-Update01", "ESX350-Update02", "ESX350-Update03", "ESX350-Update04", "ESX350-Update05", "ESX350-Update05a") ) ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:esx_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

NASL family	HP-UX Local Security Checks
NASL id	HPUX_PHSS_37701.NASL
description	s700_800 11.23 HP WBEM Services A.02.07 : Potential security vulnerabilities have been identified with HP-UX running WBEM Services. These vulnerabilities could be exploited remotely to execute arbitrary code or to gain extended privileges.
last seen	2020-06-01
modified	2020-06-02
plugin id	32155
published	2008-05-09
reporter	This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/32155
title	HP-UX PHSS_37701 : HP-UX running WBEM Services, Remote Execution of Arbitrary Code, Gain Extended Privileges (HPSBMA02331 SSRT080000 rev.3)

NASL family	HP-UX Local Security Checks
NASL id	HPUX_PHSS_38748.NASL
description	s700_800 11.23 HP WBEM Services A.02.00.11 : Potential security vulnerabilities have been identified with HP-UX running WBEM Services. These vulnerabilities could be exploited remotely to execute arbitrary code or to gain extended privileges.
last seen	2020-06-01
modified	2020-06-02
plugin id	35698
published	2009-02-17
reporter	This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/35698
title	HP-UX PHSS_38748 : HP-UX running WBEM Services, Remote Execution of Arbitrary Code, Gain Extended Privileges (HPSBMA02331 SSRT080000 rev.3)

NASL family	Scientific Linux Local Security Checks
NASL id	SL_20080107_TOG_PEGASUS_ON_SL5_X.NASL
description	During a security audit, a stack-based buffer overflow flaw was found in the PAM authentication code in the OpenPegasus CIM management server. An unauthenticated remote user could trigger this flaw and potentially execute arbitrary code with root privileges. (CVE-2008-0003) Users of tog-pegasus should upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing the updated packages the tog-pegasus service should be restarted.
last seen	2020-06-01
modified	2020-06-02
plugin id	60341
published	2012-08-01
reporter	This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/60341
title	Scientific Linux Security Update : tog-pegasus on SL5.x, SL4.x i386/x86_64

NASL family	HP-UX Local Security Checks
NASL id	HPUX_PHSS_37891.NASL
description	s700_800 11.31 HP WBEM Services A.02.07 : Potential security vulnerabilities have been identified with HP-UX running WBEM Services. These vulnerabilities could be exploited remotely to execute arbitrary code or to gain extended privileges.
last seen	2020-06-01
modified	2020-06-02
plugin id	32159
published	2008-05-09
reporter	This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/32159
title	HP-UX PHSS_37891 : HP-UX running WBEM Services, Remote Execution of Arbitrary Code, Gain Extended Privileges (HPSBMA02331 SSRT080000 rev.3)

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2008-0506.NASL
description	- Thu Jan 10 2008 Vitezslav Crhonek <vcrhonek at redhat.com> - 2.6.0-3 - Fix PAM authentication buffer overflow (CVE-2008-0003) Resolves: #427828 - Wed Mar 28 2007 Vitezslav Crhonek <vcrhonek at redhat.com> - 2.6.0-2 - Update changelog - Build with Open Pegasus
last seen	2020-06-01
modified	2020-06-02
plugin id	29946
published	2008-01-14
reporter	This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/29946
title	Fedora 7 : tog-pegasus-2.6.0-3.fc7 (2008-0506)

NASL family	HP-UX Local Security Checks
NASL id	HPUX_PHSS_38747.NASL
description	s700_800 11.11 HP WBEM Services A.02.00.11 : Potential security vulnerabilities have been identified with HP-UX running WBEM Services. These vulnerabilities could be exploited remotely to execute arbitrary code or to gain extended privileges.
last seen	2020-06-01
modified	2020-06-02
plugin id	35697
published	2009-02-17
reporter	This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/35697
title	HP-UX PHSS_38747 : HP-UX running WBEM Services, Remote Execution of Arbitrary Code, Gain Extended Privileges (HPSBMA02331 SSRT080000 rev.3)

NASL family	Oracle Linux Local Security Checks
NASL id	ORACLELINUX_ELSA-2008-0002.NASL
description	From Red Hat Security Advisory 2008:0002 : Updated tog-pegasus packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having critical security impact by the Red Hat Security Response Team. The tog-pegasus packages provide OpenPegasus Web-Based Enterprise Management (WBEM) services. WBEM is a platform and resource independent DMTF standard that defines a common information model, and communication protocol for monitoring and controlling resources. During a security audit, a stack-based buffer overflow flaw was found in the PAM authentication code in the OpenPegasus CIM management server. An unauthenticated remote user could trigger this flaw and potentially execute arbitrary code with root privileges. (CVE-2008-0003) Note that the tog-pegasus packages are not installed by default on Red Hat Enterprise Linux. The Red Hat Security Response Team believes that it would be hard to remotely exploit this issue to execute arbitrary code, due to the default SELinux targeted policy on Red Hat Enterprise Linux 4 and 5, and the SELinux memory protection tests enabled by default on Red Hat Enterprise Linux 5. Users of tog-pegasus should upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing the updated packages the tog-pegasus service should be restarted.
last seen	2020-06-01
modified	2020-06-02
plugin id	67629
published	2013-07-12
reporter	This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/67629
title	Oracle Linux 4 / 5 : tog-pegasus (ELSA-2008-0002)

NASL family	HP-UX Local Security Checks
NASL id	HPUX_PHSS_37704.NASL
description	s700_800 11.31 HP WBEM Services A.02.05.08 : Potential security vulnerabilities have been identified with HP-UX running WBEM Services. These vulnerabilities could be exploited remotely to execute arbitrary code or to gain extended privileges.
last seen	2020-06-01
modified	2020-06-02
plugin id	32158
published	2008-05-09
reporter	This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/32158
title	HP-UX PHSS_37704 : HP-UX running WBEM Services, Remote Execution of Arbitrary Code, Gain Extended Privileges (HPSBMA02331 SSRT080000 rev.3)

NASL family	HP-UX Local Security Checks
NASL id	HPUX_PHSS_37703.NASL
description	s700_800 11.23 HP WBEM Services A.02.05.08 : Potential security vulnerabilities have been identified with HP-UX running WBEM Services. These vulnerabilities could be exploited remotely to execute arbitrary code or to gain extended privileges.
last seen	2020-06-01
modified	2020-06-02
plugin id	32157
published	2008-05-09
reporter	This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/32157
title	HP-UX PHSS_37703 : HP-UX running WBEM Services, Remote Execution of Arbitrary Code, Gain Extended Privileges (HPSBMA02331 SSRT080000 rev.3)

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2008-0572.NASL
description	- Thu Jan 10 2008 Vitezslav Crhonek <vcrhonek at redhat.com> - 2.6.1-3 - Fix PAM authentication buffer overflow (CVE-2008-0003) Resolves: #427829 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	29949
published	2008-01-14
reporter	This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/29949
title	Fedora 8 : tog-pegasus-2.6.1-3.fc8 (2008-0572)

Oval

accepted

2013-04-29T04:04:16.938-04:00

class

vulnerability

contributors

name Aharon Chernin
organization SCAP.com, LLC
name Dragos Prisaca
organization G2, Inc.

definition_extensions

comment The operating system installed on the system is Red Hat Enterprise Linux 4
oval oval:org.mitre.oval:def:11831
comment CentOS Linux 4.x
oval oval:org.mitre.oval:def:16636
comment Oracle Linux 4.x
oval oval:org.mitre.oval:def:15990
comment The operating system installed on the system is Red Hat Enterprise Linux 5
oval oval:org.mitre.oval:def:11414
comment The operating system installed on the system is CentOS Linux 5.x
oval oval:org.mitre.oval:def:15802
comment Oracle Linux 5.x
oval oval:org.mitre.oval:def:15459

description

family

unix

oval:org.mitre.oval:def:10282

status

accepted

submitted

2010-07-09T03:56:16-04:00

title

version

Redhat

advisories

bugzilla

id	426578
title	CVE-2008-0003 tog-pegasus pam authentication buffer overflow

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 4 is installed
oval oval:com.redhat.rhba:tst:20070304025

AND
comment tog-pegasus is earlier than 2:2.5.1-5.el4_6.1
oval oval:com.redhat.rhsa:tst:20080002001
comment tog-pegasus is signed with Red Hat master key
oval oval:com.redhat.rhsa:tst:20080002002
AND
comment tog-pegasus-devel is earlier than 2:2.5.1-5.el4_6.1
oval oval:com.redhat.rhsa:tst:20080002003
comment tog-pegasus-devel is signed with Red Hat master key
oval oval:com.redhat.rhsa:tst:20080002004
AND
comment tog-pegasus-test is earlier than 2:2.5.1-5.el4_6.1
oval oval:com.redhat.rhsa:tst:20080002005
comment tog-pegasus-test is signed with Red Hat master key
oval oval:com.redhat.rhsa:tst:20080002006

AND

comment Red Hat Enterprise Linux 5 is installed
oval oval:com.redhat.rhba:tst:20070331005

AND

comment tog-pegasus-devel is earlier than 2:2.6.1-2.el5_1.1
oval oval:com.redhat.rhsa:tst:20080002008
comment tog-pegasus-devel is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20080002009

AND
comment tog-pegasus is earlier than 2:2.6.1-2.el5_1.1
oval oval:com.redhat.rhsa:tst:20080002010
comment tog-pegasus is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20080002011

rhsa

id	RHSA-2008:0002
released	2008-01-07
severity	Critical
title	RHSA-2008:0002: tog-pegasus security update (Critical)

rpms

tog-pegasus-2:2.5.1-2.el4_5.1
tog-pegasus-2:2.5.1-5.el4_6.1
tog-pegasus-2:2.6.1-2.el5_1.1
tog-pegasus-debuginfo-2:2.5.1-2.el4_5.1
tog-pegasus-debuginfo-2:2.5.1-5.el4_6.1
tog-pegasus-debuginfo-2:2.6.1-2.el5_1.1
tog-pegasus-devel-2:2.5.1-2.el4_5.1
tog-pegasus-devel-2:2.5.1-5.el4_6.1
tog-pegasus-devel-2:2.6.1-2.el5_1.1
tog-pegasus-test-2:2.5.1-2.el4_5.1
tog-pegasus-test-2:2.5.1-5.el4_6.1

Seebug

bulletinFamily	exploit
description	BUGTRAQ ID: 27188，27172 CVE(CAN) ID: CVE-2008-0003，CVE-2007-5360 OpenPegasus是一个开源项目，用于实现DMTF CIM和WBEM企业管理标准。 OpenPegasus的PAM认证模块实现上存在缓冲区溢出漏洞，远程攻击者可能利用此漏洞控制服务器。 OpenPegasus的PAM认证模块中的PAMBasicAuthenticator::PAMCallback()函数存在缓冲区溢出漏洞： // // copy the user password // resp[i]->resp = (char *)malloc(PAM_MAX_MSG_SIZE); strcpy(resp[i]->resp, mydata->userPassword); resp[i]->resp_retcode = 0; break; 在这里mydata->userPassword为2000个字符，而PAM_MAX_MSG_SIZE为512字符，因此如果用户提交了超长口令的话就会触发栈溢出，导致以cimserver进程的权限执行任意指令。 Open Group OpenPegasus 2.6.1 Open Group ---------- 目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： <a href=http://cvs.opengroup.org/cgi-bin/cvsweb.cgi/pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp.diff?cvsroot=Pegasus&r1=1.31&r2=1.31.2.1&f=H&only_with_tag=RELEASE_2_5-branch target=_blank>http://cvs.opengroup.org/cgi-bin/cvsweb.cgi/pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp.diff?cvsroot=Pegasus&r1=1.31&r2=1.31.2.1&f=H&only_with_tag=RELEASE_2_5-branch</a> RedHat ------ RedHat已经为此发布了一个安全公告（RHSA-2008:0002-01）以及相应补丁: RHSA-2008:0002-01：Critical: tog-pegasus security update 链接：<a href=https://www.redhat.com/support/errata/RHSA-2008-0002.html target=_blank>https://www.redhat.com/support/errata/RHSA-2008-0002.html</a>
id	SSV:2798
last seen	2017-11-19
modified	2008-01-10
published	2008-01-10
reporter	Root
title	OpenPegasus管理服务器PAM认证模块远程栈溢出漏洞

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Nessus

Oval

Redhat

Seebug

References