发布时间 :2001-12-21 00:00:00
修订时间 :2017-10-09 21:29:55

[原文]uuxqt in Taylor UUCP package does not properly remove dangerous long options, which allows local users to gain privileges by calling uux and specifying an alternate configuration file with the --config option.

[CNNVD]Taylor UUCP包中的uuxqt提升特权漏洞(CNNVD-200112-124)

        Taylor UUCP包中的uuxqt不能正确的删除危险超长选项,本地用户通过调用uux且指定带有--config选项的交替配置文件提升特权。

- CVSS (基础分值)

CVSS分值: 7.2 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)


- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(UNKNOWN)  BUGTRAQ  20011130 Redhat 7.0 local root (via uucp) (attempt 2)
(UNKNOWN)  SUSE  SuSE-SA:2001:38
(VENDOR_ADVISORY)  BUGTRAQ  20010908 Multiple vendor 'Taylor UUCP' problems.
(UNKNOWN)  XF  uucp-argument-gain-privileges(7099)

- 漏洞信息

Taylor UUCP包中的uuxqt提升特权漏洞
高危 未知
2001-12-21 00:00:00 2005-05-02 00:00:00
        Taylor UUCP包中的uuxqt不能正确的删除危险超长选项,本地用户通过调用uux且指定带有--config选项的交替配置文件提升特权。

- 公告与补丁


- 漏洞信息 (21106)

Taylor UUCP 1.0.6 Argument Handling Privilege Elevation Vulnerability (EDBID:21106)
unix local
2001-09-08 Verified
0 zen-parse
N/A [点击下载]

Taylor UUCP is an implementation of the UUCP package written originally by Ian Lance Taylor.

A problem has been discovered in Taylor UUCP that makes it possible for local users to gain elevated privileges. The problem is due to the handling of configuration files when passed to uucp via the --config flag. When uux receives a request to execute commands using a malicious --config file, the commands will be executed with the privileges of uuxqt, a setuid uucp daemon by default.

This makes it possible for a local user to gain elevated privileges, and could lead to a local user gaining administrative access. 

uux 'uucp --config=/tmp/vv.v /tmp/somefile /tmp/someotherfile'

will use the supplied configuration, without dropping privileges.

1) Make a configuration file that allows any command to be executed, and allows files from anywhere to be copied to anywhere that is writable by uid/gid uucp. ( /tmp/config.uucp )
2) Make a command file with the command you want to be executed.
( /tmp/commands.uucp )
3) Do something like the following:

$ THISHOST=`uuname -l`
$ WHEREYOUWANTIT=/var/spool/uucp/${THISHOST}/X./X.${THISHOST}X1337
$ uux 'uucp --config=/tmp/config.uucp /tmp/commands.uucp '${WHEREYOUWANTIT}

The commands in /tmp/commands.uucp file will be executed by uuxqt, with the uid/gid of uucp. 		

- 漏洞信息

Taylor UUCP uuxqt Alternate Config Privilege Escalation
Local Access Required
Loss of Integrity
Exploit Public

- 漏洞描述

- 时间线

2004-04-09 Unknow
2004-04-09 Unknow

- 解决方案


Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete