CVE-2001-1145
CVSS 6.2
Published: 2001-08-17 00:00:00
Last revised: 2008-09-10 15:09:45

[Original text] fts routines in FreeBSD 4.3 and earlier, NetBSD before 1.5.2, and OpenBSD 2.9 and earlier can be forced to change (chdir) into a different directory than intended when the directory above the current directory is moved, which could cause scripts to perform dangerous actions on the wrong directories.


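[CNNVD] Multiple BSD FTS Directory Traversal Race Condition Vulnerability (CNNVD-200108-087)

        The fts routines in FreeBSD 4.3 and earlier, NetBSD before 1.5.2, and OpenBSD 2.9 and earlier can be forced to change (change the current working directory) into a directory other than the intended one when a directory above the current directory is moved. This vulnerability could cause scripts to perform dangerous actions on the wrong directories.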

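- CVSS (Base Score)

CVSS score: 6.2 [MEDIUM]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be totally compromised]
Availability impact: COMPLETE [may cause a complete shutdown of the system]
Access complexity: HIGH [specialized access conditions exist for exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]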

- CPE (Affected Platforms and Products)

cpe:/o:freebsd:freebsd:4.3    FreeBSD 4.3
cpe:/o:openbsd:openbsd:2.9    OpenBSD 2.9
cpe:/o:netbsd:netbsd:1.5.1    NetBSD 1.5.1
cpe:/o:netbsd:netbsd:1.5    NetBSD 1.5

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1145
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1145
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200108-087
(Official data source) CNNVD

- Other Links and Resources

http://www.openbsd.org/errata28.html
(PATCH)  OPENBSD  20010530 029: SECURITY FIX: May 30, 2001
http://archives.neohapsis.com/archives/netbsd/2001-q3/0204.html
(VENDOR_ADVISORY)  NETBSD  NetBSD-SA2001-016
http://www.securityfocus.com/bid/3205
(UNKNOWN)  BID  3205
http://www.osvdb.org/5466
(UNKNOWN)  OSVDB  5466
http://www.iss.net/security_center/static/8715.php
(UNKNOWN)  XF  bsd-fts-race-condition(8715)
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:40.fts.v1.1.asc
(UNKNOWN)  FREEBSD  FreeBSD-SA-01:40

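- Vulnerability Information

Multiple BSD FTS Directory Traversal Race Condition Vulnerability
Medium risk    Race condition
2001-08-17 00:00:00 2005-05-02 00:00:00
Local
        The fts routines in FreeBSD 4.3 and earlier, NetBSD before 1.5.2, and OpenBSD 2.9 and earlier can be forced to change (change the current working directory) into a directory other than the intended one when a directory above the current directory is moved. This vulnerability could cause scripts to perform dangerous actions on the wrong directories.

- Advisories and Patches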

        Patches available:
        NetBSD NetBSD 1.5
        
        NetBSD NetBSD 1.5.1
        
        OpenBSD OpenBSD 2.8
        
        FreeBSD FreeBSD 4.3 -STABLE
        
        FreeBSD FreeBSD 4.3 -RELEASE
        

- Vulnerability Information

5466
Multiple BSD fts Routines chdir Arbitrary Directory Access
Local Access Required Race Condition
Loss of Integrity
Exploit Unknown

- Vulnerability Description

Some BSD-derived systems contain a flaw that may allow a malicious user to have actions performed in an unintended file system hierarchy. The issue is triggered when a directory is moved while a command is being executed. It is possible that the race condition may allow commands to run, resulting in a loss of integrity.

- Timeline

2001-06-04 Unknown
Unknown Unknown

- Solution

Upgrade operating system to newer version, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds. FreeBSD users should upgrade to 4.3-STABLE after the correction date 2001-06-01. NetBSD users should upgrade to NetBSD-1.5 branch: 2001-08-22 (1.5.2 includes the fix) or NetBSD-current after the correction date 2001-07-09. OpenBSD users should upgrade to version 2.9 or OpenBSD-current after the correction date 2001-05-30.

- Related References

- Vulnerability Author

Unknown or Incomplete