CVE-2000-0691
CVSS 2.1
Published: 2000-10-20 00:00:00
Revised: 2008-09-05 16:21:39

[Original] The faxrunq and faxrunqd programs in the mgetty package allow local users to create or modify arbitrary files via a symlink attack which creates a symlink from /var/spool/fax/outgoing/.last_run to the target file.


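[CNNVD] Multiple Vendor mgetty Symbolic Link Traversal Vulnerability (CNNVD-200010-029)

        The faxrunq and faxrunqd programs in the mgetty package contain a vulnerability. Local users can create or modify arbitrary files via a symlink attack that creates a symbolic link from /var/spool/fax/outgoing/.last_run to the target file.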

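- CVSS (Base Score)

CVSS score: 2.1 [LOW]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]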

- CPE (Affected platforms and products)

cpe:/a:gert_doering:mgetty:1.1.21
cpe:/a:gert_doering:mgetty:1.1.19
cpe:/a:gert_doering:mgetty:1.1.20

- OVAL (Technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0691
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0691
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200010-029
(Official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/1612
(VENDOR_ADVISORY)  BID  1612
http://www.calderasystems.com/support/security/advisories/CSSA-2000-029.0.txt
(VENDOR_ADVISORY)  CALDERA  CSSA-2000-029.0
http://archives.neohapsis.com/archives/bugtraq/2000-08/0330.html
(UNKNOWN)  CONFIRM  http://archives.neohapsis.com/archives/bugtraq/2000-08/0330.html
http://archives.neohapsis.com/archives/bugtraq/2000-08/0329.html
(VENDOR_ADVISORY)  BUGTRAQ  20000826 Advisory: mgetty local compromise

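- Vulnerability information

Multiple Vendor mgetty Symbolic Link Traversal Vulnerability
Low risk Unknown
2000-10-20 00:00:00 2005-10-20 00:00:00
Local
        The faxrunq and faxrunqd programs in the mgetty package contain a vulnerability. Local users can create or modify arbitrary files via a symlink attack that creates a symbolic link from /var/spool/fax/outgoing/.last_run to the target file.

- Advisories and patches

        Users of mgetty should upgrade to version 1.1.22 to eliminate this vulnerability.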
        Mandrake Linux:
        The following patches are available for Mandrake Linux.
        To upgrade automatically, use « MandrakeUpdate ».
        If you want to upgrade manually, download the updated package from one
        of our FTP server mirrors and upgrade with "rpm -Uvh package_name".
        You can download the updates directly from:
         ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates
         ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates
        Or try one of the other mirrors listed at:
        http://www.linux-mandrake.com/en/ftp.php3.
        Updated packages are available in the "updates/[ver]/RPMS/" directory.
        For example, if you are looking for an updated RPM package for
        Linux-Mandrake 7.1, look for it in "updates/7.1/RPMS/". Updated source
        RPMs are available as well, but you generally do not need to download
        them.
        Please be aware that sometimes it takes the mirrors a few hours to
        update, so if you want an immediate upgrade, please use one of the two
        above-listed mirrors.
        Gert Doering mgetty 1.1.19
        
        Gert Doering mgetty 1.1.20
        
        Gert Doering mgetty 1.1.21
        

- Vulnerability information (20179)

Gert Doering mgetty 1.1.19/1.1.20/1.1.21/1.22.8 Symbolic Link Traversal (EDBID:20179)
unix local
2000-08-25 Verified
0 Stan Bubrouski
N/A
source: http://www.securityfocus.com/bid/1612/info

A vulnerability exists in a portion of the mgetty package, by Gert Doering. By exploiting a flaw in the faxrunq and faxrunqd programs, it is possible for local users to create arbitrary files, and alter arbitrary files on the filesystem. This in turn can lead to local root compromise.

The faxrunq and faxrunqd programs will follow symbolic links. By creating a symbolic link named .last_run in /var/spool/fax/outgoing, and running the faxrunqd or faxrunq program, arbitrary files can be created. Existing files will have their contents overwritten.

mgetty is a popular getty replacement package that supports fax receipt and transmission. It runs on a wide range of systems, and is distributed with a number of popular Linux distributions. It is also part of the OpenBSD and FreeBSD ports packages. It is not, however, installed by default on either system.

mgetty is marked BROKEN in the OpenBSD ports package because of this problem and users are not able to install it.

ln -s /TEST /var/spool/fax/outgoing/.last_run
faxrunqd -l ttyS0

- Vulnerability information

11861
mgetty faxrunqd Symlink Arbitrary File Modification
Local Access Required Race Condition
Loss of Integrity Upgrade
Exploit Public Third-party Verified

- Vulnerability description

- Timeline

2000-08-26 Unknown
Unknown Unknown

- Solution

Upgrade to version 1.1.22 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Multiple Vendor mgetty Symbolic Link Traversal Vulnerability
Unknown 1612
No Yes
2000-08-25 12:00:00 2009-07-11 02:56:00
This vulnerability was posted to the Bugtraq mailing list on August 25, 2000 by Stan Bubrouski <satan@fastdial.net>.

- Affected program versions

Gert Doering mgetty 1.22.8
- Caldera OpenLinux Desktop 2.3
- Caldera OpenLinux eBuilder 3.0
+ Conectiva Linux 5.0
+ Conectiva Linux 4.2
- FreeBSD FreeBSD 5.0
- FreeBSD FreeBSD 4.0
+ Mandriva Linux Mandrake 7.2
+ Mandriva Linux Mandrake 7.1
+ Mandriva Linux Mandrake 7.0
+ Mandriva Linux Mandrake 6.1
+ Mandriva Linux Mandrake 6.0
- OpenBSD OpenBSD 2.7
+ RedHat Linux 6.2 E sparc
+ RedHat Linux 6.2 E i386
+ RedHat Linux 6.2 E alpha
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
+ RedHat Linux 6.1 sparc
+ RedHat Linux 6.1 i386
+ RedHat Linux 6.1 alpha
+ RedHat Linux 6.0 sparc
+ RedHat Linux 6.0 alpha
+ RedHat Linux 6.0
- SCO eDesktop 2.4
- SCO eServer 2.3
+ Turbolinux Turbolinux 6.0.4
+ Turbolinux Turbolinux 6.0.3
+ Turbolinux Turbolinux 6.0.2
+ Turbolinux Turbolinux 6.0.1
Gert Doering mgetty 1.1.21
- Caldera OpenLinux Desktop 2.3
- Caldera OpenLinux eBuilder 3.0
+ Conectiva Linux 5.1
+ Conectiva Linux 5.0
+ Conectiva Linux 4.2
- FreeBSD FreeBSD 5.0
- FreeBSD FreeBSD 4.0
+ Mandriva Linux Mandrake 7.1
+ Mandriva Linux Mandrake 7.0
+ Mandriva Linux Mandrake 6.1
+ Mandriva Linux Mandrake 6.0
- OpenBSD OpenBSD 2.7
+ RedHat Linux 6.2 E sparc
+ RedHat Linux 6.2 E i386
+ RedHat Linux 6.2 E alpha
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
+ RedHat Linux 6.1 sparc
+ RedHat Linux 6.1 i386
+ RedHat Linux 6.1 alpha
+ RedHat Linux 6.0 sparc
+ RedHat Linux 6.0 alpha
+ RedHat Linux 6.0
- SCO eDesktop 2.4
- SCO eServer 2.3
+ Turbolinux Turbolinux 6.0.4
+ Turbolinux Turbolinux 6.0.3
+ Turbolinux Turbolinux 6.0.2
+ Turbolinux Turbolinux 6.0.1
Gert Doering mgetty 1.1.20
- Caldera OpenLinux Desktop 2.3
- Caldera OpenLinux eBuilder 3.0
+ Conectiva Linux 5.1
+ Conectiva Linux 5.0
+ Conectiva Linux 4.2
- FreeBSD FreeBSD 5.0
- FreeBSD FreeBSD 4.0
+ Mandriva Linux Mandrake 7.1
+ Mandriva Linux Mandrake 7.0
+ Mandriva Linux Mandrake 6.1
+ Mandriva Linux Mandrake 6.0
- OpenBSD OpenBSD 2.7
+ RedHat Linux 6.2 E sparc
+ RedHat Linux 6.2 E i386
+ RedHat Linux 6.2 E alpha
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
+ RedHat Linux 6.1 sparc
+ RedHat Linux 6.1 i386
+ RedHat Linux 6.1 alpha
+ RedHat Linux 6.0 sparc
+ RedHat Linux 6.0 alpha
+ RedHat Linux 6.0
- SCO eDesktop 2.4
- SCO eServer 2.3
+ Turbolinux Turbolinux 6.0.4
+ Turbolinux Turbolinux 6.0.3
+ Turbolinux Turbolinux 6.0.2
+ Turbolinux Turbolinux 6.0.1
Gert Doering mgetty 1.1.19
- Caldera OpenLinux Desktop 2.3
- Caldera OpenLinux eBuilder 3.0
+ Conectiva Linux 5.1
+ Conectiva Linux 5.0
+ Conectiva Linux 4.2
- FreeBSD FreeBSD 5.0
- FreeBSD FreeBSD 4.0
- IBM AIX 4.3
- IBM AIX 4.2
- IBM AIX 4.1
+ Mandriva Linux Mandrake 7.1
+ Mandriva Linux Mandrake 7.0
+ Mandriva Linux Mandrake 6.1
+ Mandriva Linux Mandrake 6.0
- OpenBSD OpenBSD 2.7
+ RedHat Linux 6.2 E sparc
+ RedHat Linux 6.2 E i386
+ RedHat Linux 6.2 E alpha
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
+ RedHat Linux 6.1 sparc
+ RedHat Linux 6.1 i386
+ RedHat Linux 6.1 alpha
+ RedHat Linux 6.0 sparc
+ RedHat Linux 6.0 alpha
+ RedHat Linux 6.0
- SCO eDesktop 2.4
- SCO eServer 2.3
- SCO Open Desktop 3.2 v4
- Sun Solaris 8_sparc
- Sun Solaris 7.0
- Sun Solaris 2.6
- Sun SunOS 4.1.4
- Sun SunOS 4.1.3
+ Turbolinux Turbolinux 6.0.4
+ Turbolinux Turbolinux 6.0.3
+ Turbolinux Turbolinux 6.0.2
+ Turbolinux Turbolinux 6.0.1

- Vulnerability discussion

A vulnerability exists in a portion of the mgetty package, by Gert Doering. By exploiting a flaw in the faxrunq and faxrunqd programs, it is possible for local users to create arbitrary files, and alter arbitrary files on the filesystem. This in turn can lead to local root compromise.

The faxrunq and faxrunqd programs will follow symbolic links. By creating a symbolic link named .last_run in /var/spool/fax/outgoing, and running the faxrunqd or faxrunq program, arbitrary files can be created. Existing files will have their contents overwritten.

mgetty is a popular getty replacement package that supports fax receipt and transmission. It runs on a wide range of systems, and is distributed with a number of popular Linux distributions. It is also part of the OpenBSD and FreeBSD ports packages. It is not, however, installed by default on either system.

mgetty is marked BROKEN in the OpenBSD ports package because of this problem and users are not able to install it.
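
The symlink-following write described above, next to a hardened form and an audit check, as an added example that is not taken from mgetty or from this advisory. The function names, the sandbox paths and the shape of the unsafe write are assumptions; everything runs inside a temporary directory built by the script.

```shell
#!/bin/sh
# Added example; function names and the sandbox layout are hypothetical.

# Assumed shape of the flaw: a plain redirect writes through any symlink
# that already sits at the destination path.
write_status_unsafe() {            # $1 = spool dir, $2 = status text
    echo "$2" > "$1/.last_run"
}

# Hardened form: fill a fresh temp file in the same directory, then rename
# it over the destination. rename(2) replaces a symlink instead of
# following it; -T (GNU mv) also refuses to descend into a linked directory.
write_status_safe() {
    tmp=$(mktemp "$1/.last_run.XXXXXX") || return 1
    echo "$2" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv -fT "$tmp" "$1/.last_run"
}

# Audit check: returns 1 and warns when the status file is a symlink.
audit_status_file() {
    if [ -L "$1/.last_run" ]; then
        echo "WARNING: $1/.last_run -> $(readlink "$1/.last_run")" >&2
        return 1
    fi
    return 0
}

# Runs both forms against a constructed sandbox and reports what happened
# to the file the planted link points at.
demo() {
    box=$(mktemp -d) || return 1
    mkdir "$box/spool"
    echo original > "$box/target"                # constructed stand-in file
    ln -s "$box/target" "$box/spool/.last_run"   # constructed planted link
    audit_status_file "$box/spool" 2>/dev/null && a=clean || a=symlink
    write_status_safe "$box/spool" run-ok
    s=$(cat "$box/target")
    [ -L "$box/spool/.last_run" ] && k=symlink || k=regular
    ln -sf "$box/target" "$box/spool/.last_run"  # plant the link again
    write_status_unsafe "$box/spool" run-ok
    u=$(cat "$box/target")
    rm -rf "$box"
    echo "audit=$a safe_target=$s after_safe=$k unsafe_target=$u"
}

demo
```

The rename only protects the final path component, so the spool directory itself must not be writable by untrusted users.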

- Exploit

ln -s /TEST /var/spool/fax/outgoing/.last_run
faxrunqd -l ttyS0

- Solution

Users of mgetty should upgrade to version 1.1.22 to eliminate this vulnerability.

Mandrake Linux:
The following patches are available for Mandrake Linux.

To upgrade automatically, use « MandrakeUpdate ».

If you want to upgrade manually, download the updated package from one
of our FTP server mirrors and upgrade with "rpm -Uvh package_name".

You can download the updates directly from:
ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates

Or try one of the other mirrors listed at:

http://www.linux-mandrake.com/en/ftp.php3.

Updated packages are available in the "updates/[ver]/RPMS/" directory.
For example, if you are looking for an updated RPM package for
Linux-Mandrake 7.1, look for it in "updates/7.1/RPMS/". Updated source
RPMs are available as well, but you generally do not need to download
them.

Please be aware that sometimes it takes the mirrors a few hours to
update, so if you want an immediate upgrade, please use one of the two
above-listed mirrors.


Gert Doering mgetty 1.1.19

Gert Doering mgetty 1.1.20

Gert Doering mgetty 1.1.21

- Related references

 

 
