CVE-2000-0824
CVSS 7.2
Published: 2000-11-14 00:00:00
Revised: 2016-10-17 22:07:34
NMCOE    

[Original] The unsetenv function in glibc 2.1.1 does not properly unset an environmental variable if the variable is provided twice to a program, which could allow local users to execute arbitrary commands in setuid programs by specifying their own duplicate environmental variables such as LD_PRELOAD or LD_LIBRARY_PATH.


[CNNVD] glibc unsetenv() duplicate entry removal vulnerability (CNNVD-200011-011)

        If an environment variable is supplied to a program twice, the unsetenv function in glibc 2.1.1 does not correctly remove it; a local user who supplies their own duplicate environment variables, such as LD_PRELOAD or LD_LIBRARY_PATH, can thereby execute arbitrary commands in setuid programs.
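As an added illustration (example code written for this page, not glibc's source and not taken from any advisory), the C program below models the failure mode the description states: a removal loop that steps past the slot it just compacted, so a duplicate placed directly behind the first copy survives. It is shown beside a corrected loop and beside the allowlist approach a setuid program should use instead of relying on unsetenv at all. The environment block, the variable values and every function name are constructed for the example; the flawed loop is a simplified model of the reported behaviour, not glibc 2.1.1's actual code.

```c
#include <stdio.h>
#include <string.h>

/* Constructed environment block (not a real process's environ): LD_PRELOAD is
 * supplied twice, back to back, the condition the advisory describes. */
static char *sample_env[] = {
    "PATH=/usr/bin:/bin",
    "LD_PRELOAD=/tmp/evil.so",
    "LD_PRELOAD=/tmp/evil.so",
    "HOME=/home/user",
    NULL,
};

/* Does entry have the form NAME=...? */
static int name_matches(const char *entry, const char *name, size_t len)
{
    return strncmp(entry, name, len) == 0 && entry[len] == '=';
}

/* Shift every entry after ep down by one, overwriting *ep. */
static void remove_entry(char **ep)
{
    do { ep[0] = ep[1]; } while (*ep++ != NULL);
}

/* Model of the flawed unsetenv (simplified for this example, not glibc's
 * actual 2.1.1 source): after removing a match it still steps to the next
 * slot, so the entry just shifted into the current slot is never examined
 * and a duplicate right behind the first copy survives. */
static void unsetenv_flawed(char **env, const char *name)
{
    size_t len = strlen(name);
    for (char **ep = env; *ep != NULL; ep++)
        if (name_matches(*ep, name, len))
            remove_entry(ep);            /* ep++ then skips the shifted entry */
}

/* Corrected removal: re-examine the same slot after a removal. */
static void unsetenv_fixed(char **env, const char *name)
{
    size_t len = strlen(name);
    for (char **ep = env; *ep != NULL; )
        if (name_matches(*ep, name, len))
            remove_entry(ep);            /* same slot now holds the next entry */
        else
            ep++;
}

/* Count entries for name; after scrubbing, a setuid program should see 0. */
static int count_var(char *const *env, const char *name)
{
    size_t len = strlen(name);
    int n = 0;
    for (; *env != NULL; env++)
        n += name_matches(*env, name, len);
    return n;
}

/* Run one unsetenv variant on a private copy of sample_env; return survivors. */
static int survivors_after(void (*unset)(char **, const char *))
{
    char *env_copy[sizeof sample_env / sizeof sample_env[0]];
    memcpy(env_copy, sample_env, sizeof sample_env);
    unset(env_copy, "LD_PRELOAD");
    return count_var(env_copy, "LD_PRELOAD");
}

/* The stronger pattern for setuid code: rather than deleting known-bad names,
 * build a fresh environment from an allowlist, keeping only the first
 * occurrence of each allowed name. out must have room for out_cap pointers. */
static int build_clean_env(char *const *env, const char *const *allowed,
                           char **out, size_t out_cap)
{
    size_t n = 0;
    for (size_t i = 0; allowed[i] != NULL && n + 1 < out_cap; i++) {
        size_t len = strlen(allowed[i]);
        for (char *const *ep = env; *ep != NULL; ep++)
            if (name_matches(*ep, allowed[i], len)) { out[n++] = *ep; break; }
    }
    out[n] = NULL;
    return (int)n;
}

/* Allowlist sample_env down to PATH and HOME, then count entries for name. */
static int allowlisted_count(const char *name)
{
    static const char *const allowed[] = { "PATH", "HOME", NULL };
    char *clean[3];
    build_clean_env(sample_env, allowed, clean, sizeof clean / sizeof clean[0]);
    return count_var(clean, name);
}

int main(void)
{
    printf("flawed unsetenv leaves %d LD_PRELOAD entry/entries\n", survivors_after(unsetenv_flawed));
    printf("fixed unsetenv leaves %d\n", survivors_after(unsetenv_fixed));
    printf("allowlisted environment has %d\n", allowlisted_count("LD_PRELOAD"));
    return 0;
}
```

The allowlist step is the one to take away: a privileged program that only deletes names it knows about stays exposed to any future library bug in deletion, to names it did not think of, and to odd encodings of the same name, whereas an environment rebuilt from a short list of known-good names has nothing for a duplicate to hide behind.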

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [complete information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may bring the system down completely]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0824
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0824
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200011-011
(official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/bugtraq/2000-08/0436.html
(UNKNOWN)  BUGTRAQ  20000902 Conectiva Linux Security Announcement - glibc
http://archives.neohapsis.com/archives/bugtraq/2000-08/0509.html
(UNKNOWN)  BUGTRAQ  20000905 Conectiva Linux Security Announcement - glibc
http://archives.neohapsis.com/archives/bugtraq/2000-08/0525.html
(UNKNOWN)  BUGTRAQ  20000906 [slackware-security]: glibc 2.1.3 vulnerabilities patched
http://marc.info/?l=bugtraq&m=93760201002154&w=2
(UNKNOWN)  BUGTRAQ  19990917 A few bugs...
http://www.calderasystems.com/support/security/advisories/CSSA-2000-028.0.txt
(UNKNOWN)  CALDERA  CSSA-2000-028.0
http://www.debian.org/security/2000/20000902
(UNKNOWN)  DEBIAN  20000902 glibc: local root exploit
http://www.linux-mandrake.com/en/updates/MDKSA-2000-040.php3
(UNKNOWN)  MANDRAKE  MDKSA-2000:040
http://www.linux-mandrake.com/en/updates/MDKSA-2000-045.php3
(UNKNOWN)  MANDRAKE  MDKSA-2000:045
http://www.novell.com/linux/security/advisories/adv5_draht_glibc_txt.html
(UNKNOWN)  SUSE  20000924 glibc locale security problem
http://www.redhat.com/support/errata/RHSA-2000-057.html
(UNKNOWN)  REDHAT  RHSA-2000:057
http://www.securityfocus.com/archive/1/79537
(VENDOR_ADVISORY)  BUGTRAQ  20000831 glibc unsetenv bug
http://www.securityfocus.com/bid/1639
(UNKNOWN)  BID  1639
http://www.securityfocus.com/bid/648
(VENDOR_ADVISORY)  BID  648
http://www.turbolinux.com/pipermail/tl-security-announce/2000-September/000020.html
(UNKNOWN)  TURBO  TLSA2000020-1
http://xforce.iss.net/static/5173.php
(UNKNOWN)  XF  glibc-ld-unsetenv

- Vulnerability information

glibc unsetenv() duplicate entry removal vulnerability
High Other
2000-11-14 00:00:00 2005-05-02 00:00:00
Local
        If an environment variable is supplied to a program twice, the unsetenv function in glibc 2.1.1 does not correctly remove it; a local user who supplies their own duplicate environment variables, such as LD_PRELOAD or LD_LIBRARY_PATH, can thereby execute arbitrary commands in setuid programs.

- Advisories and patches

        It has been indicated that version 2.2 of glibc will remedy this problem.
        A patch is available to address this problem.
        GNU glibc 2.0
        GNU glibc 2.1
        GNU glibc 2.1.1
        GNU glibc 2.1.1 -6
        GNU glibc 2.1.2
        GNU glibc 2.1.3

- Vulnerability information (19503)

ProFTPD 1.2 pre6 snprintf Vulnerability (EDBID:19503)
linux remote
1999-09-17 Verified
0 Tymm Twillman
N/A
source: http://www.securityfocus.com/bid/650/info

Lack of user input validation in ProFTPD can lead to a remote root vulnerability.

On systems that support it ProFTPD will attempt to modify the name of the program being executed (argv[0]) to display the command being executed by the logged on user. It does this by using snprintf to copy the input of the user into a buffer.

The call to snprintf is in the 'set_proc_title' function in the main.c source file. It is only compiled in if the define PF_ARGV_TYPE equals the PF_ARGV_WRITABLE define.

ProFTPD passes the user input to snprintf as the format argument string of the function call. This allows remote users to supply possibly dangerous format arguments to snprintf.

Tymm Twillman gives the following example:

- ftp to host
- login (anonymous or no)

(this should be all on one line, no spaces)

ftp> ls aaaXXXX%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%653300u%n

(replace the X's with the characters with ascii values 0xdc,0x4f,0x07,0x08
consecutively)


Since proftpd will pass on user input data to snprintf, argument attacks are easy. The a's at the beginning are just for alignment, the %u's to skip bytes in the stack, the %653300u is to increment the # of bytes that have been "output", and the %n stores that value (whose LSBs have now flipped over to 0) to the location pointed to by the current "argument" -- which just happens to point right after the a's in this string. The bytes that replace the X's are the address where proftpd keeps the current user ID...

Logging in as an anonymous user, you are still restricted as to some of the things you can do. But with a local login, root compromise at this point is trivial. And it is possible to modify this exploit for other systems, and for remote attacks.
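The root cause described above is a format-string sink: the user's command becomes snprintf's format argument, so every `%` in it is interpreted. The C program below is an added example, not ProFTPD's code and not part of the advisory; it places the unsafe pattern beside the corrected one and adds a small input check a defender can keep in front of any legacy sink that still uses the unsafe form. The sample strings and function names are constructed for the example; the unsafe function is defined only for contrast and is never called.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample titles an FTP daemon might build from a user's command
 * (example inputs written for this example, not captured traffic). The
 * second carries format directives of the kind the advisory describes. */
static const char *const sample_plain = "ls pub";
static const char *const sample_hostile = "ls aaaa%u%u%u%653300u%n";

/* Vulnerable pattern, as the advisory describes set_proc_title: the
 * attacker-controlled string IS the format argument, so snprintf parses it.
 * Shown for contrast only; never call this with untrusted input. */
void set_proc_title_unsafe(char *buf, size_t cap, const char *user_input)
{
    snprintf(buf, cap, user_input);            /* format string is user data */
}

/* Corrected pattern: a fixed format with the untrusted string passed as the
 * %s argument. Any '%' in the input is copied literally and never reaches
 * the format parser. */
static void set_proc_title_safe(char *buf, size_t cap, const char *user_input)
{
    snprintf(buf, cap, "%s", user_input);
}

/* Defensive check: number of '%' characters that would be treated as
 * conversion specifiers if the string were ever used as a format. A literal
 * "%%" is harmless and not counted. Anything above 0 in a command string is
 * worth logging before it reaches a legacy sink. */
static int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {                     /* escaped percent */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Returns 1 when the safe title equals the input byte for byte, i.e. nothing
 * in it was interpreted as a directive. */
static int safe_title_is_literal(const char *user_input)
{
    char buf[256];
    set_proc_title_safe(buf, sizeof buf, user_input);
    return strcmp(buf, user_input) == 0;
}

int main(void)
{
    printf("plain:   %d directives, literal copy: %d\n",
           count_format_directives(sample_plain), safe_title_is_literal(sample_plain));
    printf("hostile: %d directives, literal copy: %d\n",
           count_format_directives(sample_hostile), safe_title_is_literal(sample_hostile));
    return 0;
}
```

Compilers flag the unsafe form: GCC and Clang report `snprintf(buf, cap, user_input)` under `-Wformat-security`, which is worth enabling as an error in any codebase that builds process titles, log lines or syslog messages from user-controlled text.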


		

- Vulnerability information

1077
GNU C Library (glibc) unsetenv Environment Variable Command Execution
Local Access Required Input Manipulation
Loss of Integrity Upgrade
Exploit Public Vendor Verified, Third-party Verified

- Vulnerability description

The unsetenv function in glibc 2.1.1 does not properly unset an environmental variable if the variable is provided twice to a program, which could allow local users to execute arbitrary commands in setuid programs by specifying their own duplicate environmental variables such as LD_PRELOAD or LD_LIBRARY_PATH.

- Timeline

2000-09-02 Unknown
Unknown Unknown

- Solution

Products

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete
 

 

About the SCAP Chinese Community

The SCAP Chinese Community is the first open Chinese-language community in China devoted to SCAP. For more information, see [About this site]

Copyright notice

CVE/CWE/OVAL are registered trademarks of MITRE Corporation; their official data sources are kept on the relevant MITRE websites