发布时间 :1999-01-02 00:00:00
修订时间 :2018-05-02 21:29:05

[原文]HP-UX aserver program allows local users to gain privileges via a symlink attack.

[CNNVD]HP-UX Aserver /tmp/null符号链接漏洞(CNNVD-199901-026)

        HP-UX aserver程序中存在漏洞。本地用户借助一个符号攻击获得特权。

- CVSS (基础分值)

CVSS分值: 7.2 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:hp:aserverHP Aserver
cpe:/o:hp:hp-ux:7.00HP HP-UX 7.0
cpe:/o:hp:hp-ux:7.02HP HP-UX 7.2
cpe:/o:hp:hp-ux:7.04HP HP-UX 7.4
cpe:/o:hp:hp-ux:7.06HP HP-UX 7.6
cpe:/o:hp:hp-ux:7.08HP HP-UX 7.8
cpe:/o:hp:hp-ux:8.00HP HP-UX 8.0
cpe:/o:hp:hp-ux:8.01HP HP-UX 8.1
cpe:/o:hp:hp-ux:8.02HP HP-UX 8.02
cpe:/o:hp:hp-ux:8.04HP HP-UX 8.4
cpe:/o:hp:hp-ux:8.05HP HP-UX 8.5
cpe:/o:hp:hp-ux:8.06HP HP-UX 8.06
cpe:/o:hp:hp-ux:8.07HP HP-UX 8.7
cpe:/o:hp:hp-ux:8.08HP HP-UX 8.8
cpe:/o:hp:hp-ux:8.09HP HP-UX 8.9
cpe:/o:hp:hp-ux:9.00HP HP-UX 9.0
cpe:/o:hp:hp-ux:9.01HP HP-UX 9.01
cpe:/o:hp:hp-ux:9.03HP HP-UX 9.3
cpe:/o:hp:hp-ux:9.04HP HP-UX 9.4
cpe:/o:hp:hp-ux:9.05HP HP-UX 9.05
cpe:/o:hp:hp-ux:9.06HP HP-UX 9.6
cpe:/o:hp:hp-ux:9.07HP HP-UX 9.7
cpe:/o:hp:hp-ux:9.08HP HP-UX 9.8
cpe:/o:hp:hp-ux:9.09HP HP-UX 9.9
cpe:/o:hp:hp-ux:9.10HP HP-UX 9.10
cpe:/o:hp:hp-ux:10.00HP HP-UX 10.00
cpe:/o:hp:hp-ux:10.01HP HP-UX 10.01
cpe:/o:hp:hp-ux:10.08HP HP-UX 10.8
cpe:/o:hp:hp-ux:10.09HP HP-UX 10.9
cpe:/o:hp:hp-ux:10.10HP HP-UX 10.10
cpe:/o:hp:hp-ux:10.16HP HP-UX 10.16
cpe:/o:hp:hp-ux:10.20HP HP-UX 10.20
cpe:/o:hp:hp-ux:10.24HP HP-UX 10.24
cpe:/o:hp:hp-ux:10.30HP HP-UX 10.30
cpe:/o:hp:hp-ux:10.34HP HP-UX 10.34
cpe:/o:hp:hp-ux:11.00HP-UX 11.00

- OVAL (用于检测的技术细节)

oval:org.mitre.oval:def:5635/opt/audio/bin/Aserver can be used to gain root access.

- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源

- 漏洞信息

HP-UX Aserver /tmp/null符号链接漏洞
高危 其他
1999-01-02 00:00:00 2009-03-04 00:00:00
        HP-UX aserver程序中存在漏洞。本地用户借助一个符号攻击获得特权。

- 公告与补丁

        HP HP-UX 11.0

- 漏洞信息

HP-UX aserver -f Argument last_uuid Symlink Privilege Escalation
Local Access Required Race Condition

- 漏洞描述

Unknown or Incomplete

- 时间线

2000-01-01 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

HP-UX Aserver /tmp/null Symbolic Link Vulnerability
Origin Validation Error 1928
No Yes
2000-01-02 12:00:00 2009-07-11 03:56:00
First posted to Bugtraq by Justin Tripp <> on Jan 02, 2000.

- 受影响的程序版本

HP HP-UX (VVOS) 10.24
HP HP-UX 11.0 4
HP HP-UX 11.0
HP HP-UX 10.34
HP HP-UX 10.30
HP HP-UX 10.20
HP HP-UX 10.16
HP HP-UX 10.10
HP HP-UX 10.9
HP HP-UX 10.8
HP HP-UX 10.0

- 漏洞讨论

Aserver is a server program that ships with HP-UX versions 10.x and above that is used to interface client applications with the audio hardware. Because it talks to hardware, it is installed setuid root by default.

During normal execution, Aserver uses a temporary file in /tmp called "null". Aserver does not check to see whether this file already exists or not when writing to it. If a malicious local user creates a symbolic link in /tmp called 'null', Aserver will overwrite whatever is pointed to when run. Since this is done as root, any file on the filesystem can be written to.

The data written is the output of "ps -e", which may lead to an elevation of privileges of the attacker can somehow get the right data out of this command into the right file (eg, "\n+ +\n" in /.rhosts). This may also lead to a denial of service if critial files, such as /etc/passwd, are overwritten.

- 漏洞利用

Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at:

- 解决方案

- 相关参考