CVE-1999-0765
CVSS10.0
发布时间 :1999-05-19 00:00:00
修订时间 :2008-09-09 08:35:21
NMCOES    

[原文]SGI IRIX midikeys program allows local users to modify arbitrary files via a text editor.


[CNNVD]IRIX midikeys 根漏洞(CNNVD-199905-039)

        SGI IRIX midikeys程序中存在漏洞。本地用户通过文本编辑器修改任意文件。

- CVSS (基础分值)

CVSS分值: 10 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0765
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0765
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199905-039
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/262
(UNKNOWN)  BID  262
ftp://patches.sgi.com/support/free/security/advisories/19990501-01-A
(UNKNOWN)  SGI  19990501-01-A

- 漏洞信息

IRIX midikeys 根漏洞
危急 访问验证错误
1999-05-19 00:00:00 2005-05-02 00:00:00
本地  
        SGI IRIX midikeys程序中存在漏洞。本地用户通过文本编辑器修改任意文件。

- 公告与补丁

        Remove the suid bit from the midikeys program.

- 漏洞信息 (19210)

SGI IRIX <= 6.5.4 midikeys Root Vulnerability (EDBID:19210)
irix local
1999-05-19 Verified
0 W. Cashdollar
N/A [点击下载]
source: http://www.securityfocus.com/bid/262/info

The setuid root "midikeys" executable can be used to edit arbitrary files via its graphical user interface. This grants malicious users root access to the system.

Running the midikeys application, clicking in sounds, and then songs will bring up a file dialog. By entering a filename of a known file it will be opened for editing with root privileges.

The packge that midikeys is part of is dmedia_eoe.sw.synth.

People have reported trouble reproducting the vulnerability when the editor is vi. Please try again using some other editor such as gvim or emacs. Alternatively you can change the WINEDITOR environment variable to be any command you want executed as root(e.g. "/bin/chmod 4755 /tmp/sh").

You can change it under Irix 6.2 by going to Toolchest -> Desktop -> Customize -> Desktop -> Default Editor: Other, or under Irix 6.5 in Toolchest -> Desktop -> Customize -> Utilities -> Test Editor: Other.

devel 26% ./midikeys -display remotehost:0

devel 27% Xlib: extension "GLX" missing on display remotehost:0.0". Xlib: extension "GLX" missing on display "remotehost:0.0".

under the midikeys window click sounds and then midi songs. This will open a file manager type interface.

You can enter the path and filename of files you which to read, including root owned with group/world read/write permissions unset.

If you select a file like "/usr/share/data/music/README" it will appear in a text editor. Use the text editor to open /etc/passwd and make modifications at will. Save and enjoy. 
  			

- 漏洞信息

8515
IRIX midikeys Arbitrary File Modification
Local Access Required Misconfiguration
Loss of Confidentiality, Loss of Integrity Workaround
Exploit Public Third-party Verified

- 漏洞描述

The irix midikeys binary is setuid root when it should not be. This allows a non privileged user to edit arbitrary system files as root or execute a shell as root.

- 时间线

1999-05-19 1999-05-19
1999-05-19 Unknow

- 解决方案

chmod -s /usr/sbin/midikeys

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

IRIX midikeys Root Vulnerability
Access Validation Error 262
No Yes
1999-05-19 12:00:00 1999-05-19 12:00:00
This vulnerability was published in the BUGTRAQ mailing list by Larry W. Cashdollar <lwcashd@biw.com> Ma 19, 1999.

- 受影响的程序版本

SGI IRIX 6.5.4
SGI IRIX 6.5.3 m
SGI IRIX 6.5.3 f
SGI IRIX 6.5.3
SGI IRIX 6.5.2 m
SGI IRIX 6.5
SGI IRIX 6.3
SGI IRIX 6.2

- 漏洞讨论

The setuid root "midikeys" executable can be used to edit arbitrary files via its graphical user interface. This grants malicious users root access to the system.

Running the midikeys application, clicking in sounds, and then songs will bring up a file dialog. By entering a filename of a known file it will be opened for editing with root privileges.

The packge that midikeys is part of is dmedia_eoe.sw.synth.

People have reported trouble reproducting the vulnerability when the editor is vi. Please try again using some other editor such as gvim or emacs. Alternatively you can change the WINEDITOR environment variable to be any command you want executed as root(e.g. "/bin/chmod 4755 /tmp/sh").

You can change it under Irix 6.2 by going to Toolchest -> Desktop -> Customize -> Desktop -> Default Editor: Other, or under Irix 6.5 in Toolchest -> Desktop -> Customize -> Utilities -> Test Editor: Other.

- 漏洞利用

devel 26% ./midikeys -display remotehost:0

devel 27% Xlib: extension "GLX" missing on display remotehost:0.0". Xlib: extension "GLX" missing on display "remotehost:0.0".

under the midikeys window click sounds and then midi songs. This will open a file manager type interface.

You can enter the path and filename of files you which to read, including root owned with group/world read/write permissions unset.

If you select a file like "/usr/share/data/music/README" it will appear in a text editor. Use the text editor to open /etc/passwd and make modifications at will. Save and enjoy.

- 解决方案

Remove the suid bit from the midikeys program.

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站