[UNIX] HP dced Remote Command Execution
From: SecuriTeam (support_at_securiteam.com)
Date: 07/25/04
To: list@securiteam.com Date: 25 Jul 2004 15:01:47 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
HP dced Remote Command Execution
------------------------------------------------------------------------
SUMMARY
A buffer overflow vulnerability was discovered in HP's implementation of
the DCE endpoint mapper (epmap), which listens by default on TCP port 135.
Successful exploitation may allow a remote attacker to execute arbitrary
code on the targeted system with the privileges of the dced process, which
typically runs as root.
DETAILS
There is a buffer overflow in HP's dced implementation that can be
triggered by a request whose header specifies a small fragment length
while a large amount of stub data follows it. Since the endpoint mapper
accepts connections from any host that can reach TCP port 135, the exposed
attack surface is every network segment from which that port is reachable.
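The advisory describes the trigger as a disagreement between the fragment length advertised in the PDU header and the amount of stub data actually sent. The following C program is an added illustration, not part of the @stake advisory and not HP's code: it models that bug class against the connection-oriented DCE RPC request header (16-byte common header, then alloc_hint, p_cont_id and opnum, so stub data begins at offset 24 when no object UUID is present). naive_stub_overflow() reports how far a server that sizes its buffer from frag_length but copies every byte it received would write past its allocation; parse_request() is the hardened counterpart that consumes exactly frag_length - 24 bytes and rejects inconsistent lengths before touching any data. The sample PDU is constructed inline; the function names, the per-request stub limit and the assumption that a naive server copies everything it read are illustrative and say nothing about dced's actual internals.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Connection-oriented DCE RPC: 16-byte common header, then for a request PDU
 * alloc_hint(4) + p_cont_id(2) + opnum(2), so stub data starts at offset 24
 * (an optional 16-byte object UUID, not modelled here, would shift it).
 * frag_length (offset 8) covers the whole fragment, header included. */
#define CO_HDR_LEN         16
#define REQ_HDR_LEN        24
#define PTYPE_REQUEST      0
#define DREP_LITTLE_ENDIAN 0x10   /* integer-representation bit in packed_drep[0] */

enum verdict {
    PDU_OK = 0,
    PDU_INCOMPLETE,      /* fewer bytes than frag_length have arrived so far */
    PDU_BAD_VERSION,
    PDU_BAD_PTYPE,
    PDU_FRAG_TOO_SHORT,  /* frag_length smaller than the fixed request header */
    PDU_BAD_AUTH_LEN,    /* auth trailer does not fit inside the fragment */
    PDU_STUB_TOO_LARGE   /* exceeds the (hypothetical) per-request stub limit */
};

struct request {
    uint32_t call_id, alloc_hint;
    uint16_t opnum;
    const uint8_t *stub;
    size_t stub_len;
    size_t consumed;     /* bytes of the input that belong to this PDU */
};

static uint16_t rd16(const uint8_t *p, int le) {
    return le ? (uint16_t)(p[0] | (p[1] << 8)) : (uint16_t)((p[0] << 8) | p[1]);
}
static uint32_t rd32(const uint8_t *p, int le) {
    return le ? ((uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24)
              : ((uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3]);
}

/* Model of the bug class (illustrative, not HP's code): the stub buffer is
 * sized from frag_length, but the copy into it is driven by how many bytes
 * actually arrived. Returns how many bytes would spill past the allocation;
 * 0 means the two lengths agree. Nothing is copied, so this is safe to run. */
size_t naive_stub_overflow(const uint8_t *buf, size_t received) {
    if (received < REQ_HDR_LEN) return 0;
    int le = buf[4] & DREP_LITTLE_ENDIAN;
    uint16_t frag_length = rd16(buf + 8, le);
    size_t alloc = frag_length > REQ_HDR_LEN ? (size_t)frag_length - REQ_HDR_LEN : 0;
    size_t copy  = received - REQ_HDR_LEN;
    return copy > alloc ? copy - alloc : 0;
}

/* Hardened parse: every length is validated against the header before use and
 * exactly frag_length - 24 stub bytes are consumed. Surplus input is left for
 * the next fragment on the stream, never copied into this request's buffer. */
enum verdict parse_request(const uint8_t *buf, size_t received, size_t max_stub,
                           struct request *out) {
    if (received < CO_HDR_LEN) return PDU_INCOMPLETE;
    if (buf[0] != 5) return PDU_BAD_VERSION;
    if (buf[2] != PTYPE_REQUEST) return PDU_BAD_PTYPE;
    int le = buf[4] & DREP_LITTLE_ENDIAN;
    uint16_t frag_length = rd16(buf + 8, le);
    uint16_t auth_length = rd16(buf + 10, le);
    if (frag_length < REQ_HDR_LEN) return PDU_FRAG_TOO_SHORT;
    if (received < frag_length) return PDU_INCOMPLETE;
    size_t body = (size_t)frag_length - REQ_HDR_LEN;
    /* an auth trailer is an 8-byte sec_trailer followed by auth_length bytes */
    if (auth_length && (size_t)auth_length + 8 > body) return PDU_BAD_AUTH_LEN;
    size_t stub_len = auth_length ? body - auth_length - 8 : body;
    if (stub_len > max_stub) return PDU_STUB_TOO_LARGE;
    out->call_id    = rd32(buf + 12, le);
    out->alloc_hint = rd32(buf + 16, le);
    out->opnum      = rd16(buf + 22, le);
    out->stub       = buf + REQ_HDR_LEN;
    out->stub_len   = stub_len;
    out->consumed   = frag_length;
    return PDU_OK;
}

/* Constructed sample, not a real capture: a little-endian request whose header
 * advertises frag_length = 24 + claimed_stub while the buffer actually carries
 * actual_stub bytes of stub data. Returns the number of bytes written. */
size_t build_request(uint8_t *out, size_t cap, size_t claimed_stub, size_t actual_stub) {
    size_t total = REQ_HDR_LEN + actual_stub;
    if (total > cap || claimed_stub + REQ_HDR_LEN > 0xFFFF) return 0;
    memset(out, 0, total);
    out[0] = 5; out[1] = 0;                 /* rpc_vers 5.0 */
    out[2] = PTYPE_REQUEST;
    out[3] = 0x03;                          /* PFC_FIRST_FRAG | PFC_LAST_FRAG */
    out[4] = DREP_LITTLE_ENDIAN;
    uint16_t fl = (uint16_t)(REQ_HDR_LEN + claimed_stub);
    out[8] = (uint8_t)(fl & 0xFF); out[9] = (uint8_t)(fl >> 8);
    out[12] = 1;                            /* auth_length = 0, call_id = 1 */
    out[16] = (uint8_t)(claimed_stub & 0xFF);   /* alloc_hint = claimed size */
    out[17] = (uint8_t)((claimed_stub >> 8) & 0xFF);
    out[22] = 1;                            /* p_cont_id = 0, opnum = 1 */
    memset(out + REQ_HDR_LEN, 'A', actual_stub);
    return total;
}

int main(void) {
    uint8_t pkt[512];
    struct request req;
    /* header claims 4 bytes of stub data, 400 actually arrive */
    size_t n = build_request(pkt, sizeof pkt, 4, 400);
    printf("naive server would overflow its stub buffer by %zu bytes\n",
           naive_stub_overflow(pkt, n));
    enum verdict v = parse_request(pkt, n, 65536, &req);
    printf("hardened parse: verdict %d, stub_len %zu, consumed %zu of %zu bytes\n",
           (int)v, req.stub_len, req.consumed, n);
    return 0;
}
```

The point of the hardened version is that a single length field governs both allocation and copying, and that field is bounds-checked before it is used; whether the server reads frag_length bytes off the socket or trims a larger read, the stub buffer never sees more than frag_length - 24 bytes. The same consistency check, applied to traffic rather than to a server's own buffers, is what a network-side detector for this class of malformed request would look for.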
A Nessus (NASL) script that can detect vulnerable dced daemons will be
released 30 days after the publication of this advisory.
Timeline:
4/23/2004: Vendor notified via email to security-alert@hp.com
4/29/2004: Vendor responded that HP-UX 11 systems current with the patches
listed in bulletin HPSBUX0311-299 were already fixed. The vendor also noted
that the issue affected other dced implementations and suggested notifying
US-CERT so that all vendors could test their code.
5/3/2004: US-CERT notified
5/7/2004: US-CERT responded and issued tracking number VU#259796
6/21/2004: HP released its Tru64 security bulletin
7/14/2004: HP released its OpenVMS security bulletin
7/20/2004: US-CERT confirmed that it knew of no other vendor notified of
VU#259796 that was vulnerable to the same issue
7/22/2004: Advisory released
Vendor Response:
OS: HP HP-UX 11 (issue fixed prior to notification from @stake)
Bulletin: HPSBUX0311-299: SSRT3660 DCE (Rev.01)
Patch: B.11.00 - PHSS_29963
       B.11.11 - PHSS_29964
       B.11.23 - PHSS_29966
The patches are available from <http://itrc.hp.com>
OS: HP Tru64 UNIX
Bulletin: SSRT4741 rev.0 DCE for HP Tru64 UNIX Potential RPC Buffer
Overrun Attack
Patch: <http://support.entegrity.com/private/patches/dce/ssrt4741.asp>
OS: HP OpenVMS
Bulletin: SSRT4741 Rev.1 DCE for HP OpenVMS Potential RPC Buffer Overrun
Attack
HP is releasing the following patch kits to resolve this issue; they are
available from the ITRC at <http://www2.itrc.hp.com/service/patch/mainPage.do>
Search for the patch kit name as shown.
HP OpenVMS Alpha version    Patch kit name
V7.3-2                      VMS732_RPC-V0300
V7.3-1                      VMS731_RPC-V0400
V7.3                        VMS73_RPC-V0400
@stake Recommendation:
Disable dced if it is not needed. Where it is required, install the vendor
patches listed above; until they are applied, restrict access to TCP port
135 to the hosts that actually need the endpoint mapper.
ADDITIONAL INFORMATION
The information has been provided by Jeremy Jethro <mailto:jjethro@si.rr.com>.
The original article can be found at:
<http://www.atstake.com/research/advisories/2004/a072204-1.txt>
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.