[UNIX] HP dced Remote Command Execution
From: SecuriTeam (support_at_securiteam.com)
Date: 07/25/04
To: list@securiteam.com
Date: 25 Jul 2004 15:01:47 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
HP dced Remote Command Execution
------------------------------------------------------------------------
SUMMARY
A buffer overflow vulnerability was discovered in HP's implementation of
the DCE endpoint mapper (epmap) that listens by default on TCP port 135.
Successful exploitation of this vulnerability may allow an attacker to
execute arbitrary commands on the targeted system with the privileges of
the DCED process which is typically run as the root user.
DETAILS
There is a buffer overflow in HP's DCED implementation that can be
triggered by specifying a small fragment length and then sending a large
amount of stub data, more than the declared fragment length accounts for.
A Nessus (NASL) script that can detect vulnerable DCED daemons will be
released 30 days after the publication of this advisory.
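Added example, not code from the advisory, from @stake or from HP: a Python validator for a connection-oriented DCE RPC request PDU that rejects the inconsistency described above, a frag_length that is smaller than the stub data actually received. The byte layout (16-byte common header, 8-byte request header) is assumed from the DCE 1.1 RPC specification, and the sample PDUs are constructed here.

```python
import struct

# Layout assumed from the DCE 1.1 RPC spec (not taken from the advisory):
# a connection-oriented PDU starts with a 16-byte common header; a request
# (ptype 0) adds an 8-byte request header, followed by the stub data.
COMMON_HDR = struct.Struct("<BBBB4sHHI")  # ver, minor, ptype, flags, drep, frag_length, auth_length, call_id
REQUEST_HDR = struct.Struct("<IHH")       # alloc_hint, context id, opnum
HDR_LEN = COMMON_HDR.size + REQUEST_HDR.size  # 24 bytes before the stub
PTYPE_REQUEST = 0

def parse_request(pdu: bytes) -> dict:
    """Validate one request fragment: the bytes on the wire must agree with
    the frag_length the header declares. A small frag_length followed by a
    large stub is exactly the mismatch the advisory describes, so reject it
    instead of trusting either length on its own."""
    if len(pdu) < HDR_LEN:
        return {"ok": False, "reason": "truncated header"}
    (_ver, _minor, ptype, _flags, _drep,
     frag_length, auth_length, _call_id) = COMMON_HDR.unpack_from(pdu, 0)
    if ptype != PTYPE_REQUEST:
        return {"ok": False, "reason": "not a request PDU"}
    if frag_length < HDR_LEN + auth_length:
        return {"ok": False, "reason": "frag_length smaller than headers"}
    _alloc_hint, _ctx_id, opnum = REQUEST_HDR.unpack_from(pdu, COMMON_HDR.size)
    stub_len = len(pdu) - HDR_LEN - auth_length          # stub bytes actually present
    declared_stub = frag_length - HDR_LEN - auth_length  # stub bytes the header promises
    if declared_stub != stub_len:
        return {"ok": False, "reason": "frag_length/stub mismatch",
                "frag_length": frag_length, "stub_len": stub_len}
    return {"ok": True, "opnum": opnum, "stub_len": stub_len}

def build_request(stub: bytes, opnum: int = 0) -> bytes:
    """Build a well-formed request PDU (constructed fixture for the validator)."""
    common = COMMON_HDR.pack(5, 0, PTYPE_REQUEST, 0x03, b"\x10\x00\x00\x00",
                             HDR_LEN + len(stub), 0, 1)
    return common + REQUEST_HDR.pack(len(stub), 0, opnum) + stub

if __name__ == "__main__":
    good = build_request(b"\x00" * 8)
    print(parse_request(good))                    # ok, stub_len 8
    # frag_length still claims 32 bytes, but 4000 more stub bytes follow
    print(parse_request(good + b"\x41" * 4000))   # frag_length/stub mismatch
```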
Timeline:
Vendor notified on 4/23/2004 via email to security-alert@hp.com
Vendor responded on 4/29/2004 that the current patched version of HP-UX 11,
with the patches noted in bulletin HPSBUX0311-299, fixed this issue. However,
the vendor noted that this issue affected other dced implementations and
suggested notifying US-CERT so that all vendors may test their code.
US-CERT notified on 5/3/2004
US-CERT responded on 5/7/2004 and issued tracking number VU#259796
HP releases Tru64 security bulletin on 6/21/2004
HP releases OpenVMS security bulletin on 7/14/2004
US-CERT confirms on 7/20/2004 that it knows of no other vendors notified of
issue VU#259796 that are vulnerable to the same issue
Advisory released 7/22/2004
Vendor Response:
OS: HP HP-UX 11 (Issue fixed prior to notification from @stake)
Bulletin: HPSBUX0311-299: SSRT3660 DCE (Rev.01)
Patch: B.11.00 - PHSS_29963
       B.11.11 - PHSS_29964
       B.11.23 - PHSS_29966
The patches are available on <http://itrc.hp.com>
OS: HP Tru64
Bulletin: SSRT4741 rev.0 DCE for HP Tru64 UNIX Potential RPC Buffer Overrun Attack
Patch: <http://support.entegrity.com/private/patches/dce/ssrt4741.asp>
OS: HP OpenVMS
Bulletin: SSRT4741 Rev.1 DCE for HP OpenVMS Potential RPC Buffer Overrun Attack
HP is releasing the following patch kits to resolve this issue; they are
available from the ITRC at
<http://www2.itrc.hp.com/service/patch/mainPage.do>
Search for the patch kit name as shown.
HP OpenVMS Alpha Version    Patch Kit name
HP OpenVMS Alpha V7.3-2     VMS732_RPC-V0300
HP OpenVMS Alpha V7.3-1     VMS731_RPC-V0400
HP OpenVMS Alpha V7.3       VMS73_RPC-V0400
@stake Recommendation:
Disable dced if it is not needed. If it is required, install the vendor patches.
ADDITIONAL INFORMATION
The information has been provided by Jeremy Jethro <mailto:jjethro@si.rr.com>.
The original article can be found at:
<http://www.atstake.com/research/advisories/2004/a072204-1.txt>
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.