CVE-2000-0336
CVSS 2.1
Published: 2000-04-21 00:00:00
Modified: 2008-09-10 15:04:10

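[Original] Linux OpenLDAP server allows local users to modify arbitrary files via a symlink attack.


[CNNVD] OpenLDAP /usr/tmp/ symbolic link vulnerability (CNNVD-200004-056)

        The Linux OpenLDAP server contains a vulnerability that lets local users modify arbitrary files via a symbolic link attack.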

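- CVSS (base score)

CVSS score: 2.1 [LOW]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)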

cpe:/a:openldap:openldap:1.2.10
cpe:/o:mandrakesoft:mandrake_linux:6.1 (MandrakeSoft Mandrake Linux 6.1)
cpe:/o:redhat:linux:6.2::alpha
cpe:/o:redhat:linux:6.1::i386
cpe:/o:redhat:linux:6.2::sparc
cpe:/a:openldap:openldap:1.2.8
cpe:/o:redhat:linux:6.1::alpha
cpe:/o:mandrakesoft:mandrake_linux:7.0 (MandrakeSoft Mandrake Linux 7.0)
cpe:/a:openldap:openldap:1.2.9
cpe:/o:turbolinux:turbolinux:6.0.2
cpe:/o:redhat:linux:6.1::sparc
cpe:/o:turbolinux:turbolinux:4.4
cpe:/o:redhat:linux:6.2::i386
cpe:/a:openldap:openldap:1.2.7
cpe:/o:turbolinux:turbolinux:4.2

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0336
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0336
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200004-056
(official data source) CNNVD

- Other links and resources

ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-2000-009.0.txt
(VENDOR_ADVISORY)  CALDERA  CSSA-2000-009.0
http://www.turbolinux.com/pipermail/tl-security-announce/2000-May/000009.html
(UNKNOWN)  TURBO  TLSA2000010-1
http://www.securityfocus.com/bid/1232
(UNKNOWN)  BID  1232
http://www.redhat.com/support/errata/RHSA-2000-012.html
(UNKNOWN)  REDHAT  RHSA-2000:012

- Vulnerability information

OpenLDAP /usr/tmp/ symbolic link vulnerability
Low severity  Race condition
2000-04-21 00:00:00 2005-05-02 00:00:00
Local
        The Linux OpenLDAP server contains a vulnerability that lets local users modify arbitrary files via a symbolic link attack.

- Advisories and patches

        Patches are available from RedHat and TurboLinux to remedy this problem.
        Rebuilding OpenLDAP with the following values set to something other than /usr/tmp will fix this problem:
        servers/slapd/back-ldbm/back-ldbm.g, "DEFAULT_DB_DIRECTORY" variable
        servers/slapd/slapd.conf, "directory" variable
        servers/slurpd/slurp.h, "DEFAULT_SLURPD_REPLICA_DIR" variable
        The latest version, 1.2.10, still appears vulnerable to this problem.
        RedHat openldap-1.2.7-2.i386.rpm
        RedHat openldap-1.2.9-5.i386.rpm
        Turbolinux Turbolinux 6.0.2
        MandrakeSoft Linux Mandrake 6.1
        RedHat Linux 6.1 i386
        RedHat Linux 6.1 sparc
        RedHat Linux 6.1 alpha
        RedHat Linux 6.2 sparc
        RedHat Linux 6.2 alpha
        RedHat Linux 6.2 i386
        MandrakeSoft Linux Mandrake 7.0

- Vulnerability information (19946)

OpenLDAP 1.2.7/1.2.8/1.2.9/1.2.10 /usr/tmp/ Symlink Vulnerability (EDBID:19946)
linux local
2000-04-21 Verified
0 Anonymous
N/A
source: http://www.securityfocus.com/bid/1232/info

A vulnerability exists in OpenLDAP as shipped with some versions of Linux, including RedHat 6.1 and 6.2, and TurboLinux 6.0.2 and earlier. OpenLDAP will create files in /usr/tmp, which is actually a symbolic link to the world-writable /tmp directory. As OpenLDAP does not check for a file's existence prior to opening the files in /usr/tmp, it is possible for an attacker to point an appropriately named symbolic link at any file on the filesystem, and cause it to be destroyed.

This vulnerability will also affect any Unix system with OpenLDAP, provided the following criteria are true:
1) slapd.conf configures the "directory" variable to be /usr/tmp
2) /usr/tmp is a world-writable directory.
3) slurpd was built with the DEFAULT_SLURPD_REPLICA_DIR set to /usr/tmp

ln -sf /etc/passwd /usr/tmp/NEXTID 		

- Vulnerability information

8050
OpenLDAP Symlink Arbitrary File Modification
Local Access Required Race Condition
Loss of Integrity Third-Party Solution
Exploit Public Third-party Verified

- Vulnerability description

- Timeline

2000-04-13 Unknown
Unknown Unknown

- Solution

Upgrade to version 1.2-9.6 for Red Hat, 1.2.7-3 for Caldera OpenLinux, 1.2.10-1 for TurboLinux or higher, as they have been reported to fix this vulnerability.

- Related references

- Vulnerability author

Unknown or Incomplete