CVE-1999-1394
CVSS 2.1
Published: 1999-07-02 00:00:00
Last revised: 2016-10-17 22:03:59

[Original] BSD 4.4 based operating systems, when running at security level 1, allow the root user to clear the immutable and append-only flags for files by unmounting the file system and using a file system editor such as fsdb to directly modify the file through a device.


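[CNNVD] BSD UFS Secure Level 1 Vulnerability (CNNVD-199907-006)

        Operating systems based on BSD 4.4 contain a vulnerability. When the operating system is running at security level 1, the root user can clear the immutable and append-only flags on files by unmounting the file system and using a file system editor (such as fsdb) to directly modify the files on the device.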

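- CVSS (base score)

CVSS score: 2.1 [LOW]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on the availability of the system]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]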

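- CPE (affected platforms and products)

Product and version information (CPE) is not currently available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links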

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1394
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-1394
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199907-006
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=93094058620450&w=2
(UNKNOWN)  BUGTRAQ  19990702 BSD-fileflags
http://www.securityfocus.com/bid/510
(UNKNOWN)  BID  510

- Vulnerability information

BSD UFS Secure Level 1 Vulnerability
Low risk  Design error
1999-07-02 00:00:00 2005-10-20 00:00:00
Local

- Advisories and patches

        Setting to secure level 2 will disallow writing directly to unmounted devices. Running fsck manually will alert you to whether filesystems have been modified.
        Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Vulnerability information (19411)

BSDI BSD/OS 4.0, FreeBSD 3.2, NetBSD 1.4 x86, OpenBSD 2.5 UFS Secure Level 1 Vulnerability (EDBID:19411)
bsd local
1999-07-02 Verified
0 Stealth
source: http://www.securityfocus.com/bid/510/info

In 4.4BSD derivatives there are four secure levels that provide added filesystem security (among other things) over and above the regular Unix permission system. Part of the secure levels is the system of file flags, which includes the immutable and append-only flags. In secure level 0, these flags are irrelevant. The vulnerability lies in an inherent flaw in security level 1. In security level 1, the file flags are acknowledged, so files such as /usr/bin/login can be set immutable and so forth; however, unmounted partitions/devices can be freely written to and modified (by root, of course). Stealth <stealth@cyberspace.org> has written a tool that allows an intruder who has gained root to bypass security level 1 by writing directly to the device and clearing the file flags. The tool also sets the CLEAN flag in the filesystem, which fools the computer into thinking the modified device is clean, avoiding detection at bootup. A hypothetical scenario for exploiting this vulnerability is as follows:

Hacker compromises root on target host.
Hacker attempts backdoor insertion and realizes suid binaries are immutable.
Hacker verifies secure level is set to 1.
Hacker unmounts /usr.
Hacker writes directly to device previously mounted as /usr, clearing file flags.
Hacker mounts modified device as /usr.
Hacker installs backdoored /usr/bin/login. 

http://www.exploit-db.com/sploits/19411.tgz		

- Vulnerability information

13509
Multiple BSD Security Level 1 File Permission Restriction Bypass
Local Access Required Misconfiguration
Loss of Integrity Solution Unknown
Exploit Public Uncoordinated Disclosure

- Vulnerability description

- Timeline

1999-07-02 Unknown
1999-07-02 Unknown

- Solution

OSVDB is not aware of a solution for this vulnerability.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

BSD UFS Secure Level 1 Vulnerability
Design Error 510
No Yes
1999-07-02 12:00:00 2009-07-11 12:56:00
First posted to BugTraq by Stealth <stealth@DIONE.IDS.PL> on June 2, 1999.

- Affected software versions

OpenBSD OpenBSD 2.5
NetBSD NetBSD 1.4 x86
FreeBSD FreeBSD 3.2
BSDI BSD/OS 4.0


- Exploit

- References

     

     
