发布时间 :1999-04-21 00:00:00
修订时间 :2008-09-09 08:34:36

[原文]The SVR4 /dev/wabi special device file in NetBSD 1.3.3 and earlier allows a local user to read or write arbitrary files on the disk associated with that device.

[CNNVD]NetBSD SVR4 /dev/wabi权限许可和访问控制漏洞(CNNVD-199904-034)

        NetBSD 1.3.3及更早版本的SVR4 /dev/wabi特殊设备文件存在漏洞。本地用户可以读取或写入与该设备相关磁盘下的任意文件。

- CVSS (基础分值)

CVSS分值: 7.2 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:netbsd:netbsd:1.3.3NetBSD 1.3.3
cpe:/o:netbsd:netbsd:1.3.1NetBSD 1.3.1
cpe:/o:netbsd:netbsd:1.3.2NetBSD 1.3.2
cpe:/o:netbsd:netbsd:1.3NetBSD 1.3

- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源

- 漏洞信息

NetBSD SVR4 /dev/wabi权限许可和访问控制漏洞
高危 未知
1999-04-21 00:00:00 2005-05-02 00:00:00
        NetBSD 1.3.3及更早版本的SVR4 /dev/wabi特殊设备文件存在漏洞。本地用户可以读取或写入与该设备相关磁盘下的任意文件。

- 公告与补丁


- 漏洞信息

NetBSD SVR4 Compatibility Device Creation File Access
Local Access Required Misconfiguration
Loss of Integrity
Exploit Public

- 漏洞描述

NetBSD contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when a shell script used to install System V Release 4 (SVR4) binary compatibility mismatches device major numbers during device creation, resulting in read and write access to any data on the first IDE disk. This flaw may lead to a loss of integrity.

- 时间线

1999-04-17 Unknow
1999-04-17 Unknow

- 解决方案

NetBSD has released a patch to address this vulnerability. Also, it is possible to correct the flaw by implementing the following workaround: remove the existing device special file and create a new one. #/bin/rm -f /emul/svr4/dev/wabi #/sbin/mknod /emul/svr4/dev/wabi c 2 2 #/bin/chmod u=rw,g=rw,o=rw /emul/svr4/dev/wabi

- 相关参考

- 漏洞作者