CVE-2002-0435
CVSS1.2
发布时间 :2002-07-26 00:00:00
修订时间 :2008-09-05 16:28:01
NMCOS    

[原文]Race condition in the recursive (1) directory deletion and (2) directory move in GNU File Utilities (fileutils) 4.1 and earlier allows local users to delete directories as the user running fileutils by moving a low-level directory to a higher level as it is being deleted, which causes fileutils to chdir to a ".." directory that is higher than expected, possibly up to the root file system.


[CNNVD]GNU Fileutils目录删除竞争条件漏洞(CNNVD-200207-094)

        
        GNU fileutils是一个开放源码的,免费的文件管理工具,由开放源码组织开发和维护,这个工具可运行于Linux系统下。
        GNU fileutils实现上存在竞争条件漏洞,本地攻击者可能利用此漏洞造成本地拒绝服务攻击。
        在某些情况下,当root用户递归删除/tmp目录下的子目录和文件时,由于fileutils设计上对文件加锁不充分,而且对chdir的调用也不安全,从而导致攻击者可能利用/tmp下的可写目录去引导root递归删除根目录,构造有效的拒绝服务攻击。
        

- CVSS (基础分值)

CVSS分值: 1.2 [轻微(LOW)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: HIGH [漏洞利用存在特定的访问条件]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:gnu:fileutils:4.1GNU Fileutils 4.1
cpe:/a:gnu:fileutils:4.1.6GNU Fileutils 4.1.6
cpe:/a:gnu:fileutils:4.0GNU Fileutils 4.0

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0435
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0435
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200207-094
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/4266
(VENDOR_ADVISORY)  BID  4266
http://www.iss.net/security_center/static/8432.php
(VENDOR_ADVISORY)  XF  gnu-fileutils-race-condition(8432)
ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-018.1.txt
(VENDOR_ADVISORY)  CALDERA  CSSA-2002-018.1
http://www.securityfocus.com/archive/1/260936
(VENDOR_ADVISORY)  BUGTRAQ  20020310 GNU fileutils - recursive directory removal race condition
http://mail.gnu.org/archive/html/bug-fileutils/2002-03/msg00028.html
(UNKNOWN)  CONFIRM  http://mail.gnu.org/archive/html/bug-fileutils/2002-03/msg00028.html
http://www.redhat.com/support/errata/RHSA-2003-016.html
(UNKNOWN)  REDHAT  RHSA-2003:016
http://www.redhat.com/support/errata/RHSA-2003-015.html
(UNKNOWN)  REDHAT  RHSA-2003:015
http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-031.php
(UNKNOWN)  MANDRAKE  MDKSA-2002:031

- 漏洞信息

GNU Fileutils目录删除竞争条件漏洞
低危 竞争条件
2002-07-26 00:00:00 2005-10-12 00:00:00
本地  
        
        GNU fileutils是一个开放源码的,免费的文件管理工具,由开放源码组织开发和维护,这个工具可运行于Linux系统下。
        GNU fileutils实现上存在竞争条件漏洞,本地攻击者可能利用此漏洞造成本地拒绝服务攻击。
        在某些情况下,当root用户递归删除/tmp目录下的子目录和文件时,由于fileutils设计上对文件加锁不充分,而且对chdir的调用也不安全,从而导致攻击者可能利用/tmp下的可写目录去引导root递归删除根目录,构造有效的拒绝服务攻击。
        

- 公告与补丁

        临时解决方法:
        如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
        * root用户在删除/tmp下的文件时确认环境是否安全。
        厂商补丁:
        GNU
        ---
        厂商已经提供了一个针对fileutils-4.1.6的补丁,您可以在下列地址中获取相关补丁:
        
        http://mail.gnu.org/pipermail/bug-fileutils/2002-March/002440.html

        RedHat
        ------
        RedHat已经为此发布了一个安全公告(RHSA-2003:015-05)以及相应补丁:
        RHSA-2003:015-05:Updated fileutils package fixes race condition in recursive operations
        链接:https://www.redhat.com/support/errata/RHSA-2003-015.html
        Sun
        ---
        Sun已经为此发布了一个安全公告(Sun-Alert-102782)以及相应补丁:
        Sun-Alert-102782:Security Vulnerability in rm(1) may Lead to Unauthorized Deletion of Files or Directories
        链接:
        http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-102782-1

- 漏洞信息

5294
GNU Fileutils Delete Arbitrary Files

- 漏洞描述

Unknown or Incomplete

- 时间线

2004-04-08 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

GNU Fileutils Directory Removal Race Condition Vulnerability
Race Condition Error 4266
No Yes
2002-03-11 12:00:00 2007-03-07 11:25:00
Vulnerability discovery credited to Wojciech Purczynski <cliph@isec.pl>.

- 受影响的程序版本

Sun Solaris 9_x86
Sun Solaris 9
Sun Solaris 8_x86
Sun Solaris 8_sparc
Sun Solaris 10.0_x86
Sun Solaris 10.0
GNU fileutils 4.1.6
+ Sun Linux 5.0.6
+ Trustix Secure Linux 1.5
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
GNU fileutils 4.1
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1.1
+ Caldera OpenLinux Workstation 3.1.1
+ Caldera OpenLinux Workstation 3.1
+ Caldera OpenLinux Workstation 3.1
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ Debian Linux 3.0
+ RedHat Linux 7.3 i386
+ RedHat Linux 7.3 i386
+ RedHat Linux 7.3
+ RedHat Linux 7.3
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2 alpha
+ RedHat Linux 7.2 alpha
+ RedHat Linux 7.2
+ RedHat Linux 7.2
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.0 sparc
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux 7.2 i386
+ S.u.S.E. Linux 7.2 i386
+ S.u.S.E. Linux 7.1 x86
+ S.u.S.E. Linux 7.1 x86
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.0 sparc
+ S.u.S.E. Linux 7.0 sparc
+ S.u.S.E. Linux 7.0 ppc
+ S.u.S.E. Linux 7.0 ppc
+ S.u.S.E. Linux 7.0 i386
+ S.u.S.E. Linux 7.0 i386
+ S.u.S.E. Linux 7.0 alpha
+ S.u.S.E. Linux 7.0 alpha
+ Slackware Linux 8.0
+ Slackware Linux 8.0
+ Sun Cobalt Qube 3
+ Sun Cobalt Qube 3
+ Sun Cobalt RaQ 4
+ Sun Cobalt RaQ 4
+ Sun Cobalt RaQ 550
+ Sun Cobalt RaQ 550
+ Sun Cobalt RaQ XTR
+ Sun Cobalt RaQ XTR
+ Sun Linux 5.0.7
+ Sun Linux 5.0.6
+ Sun Linux 5.0.6
+ Sun Linux 5.0.5
+ Sun Linux 5.0.5
+ Sun Linux 5.0.3
+ Sun Linux 5.0.3
+ Sun Linux 5.0
+ Sun Linux 5.0
+ Sun LX50
+ Sun LX50
+ Trustix Secure Linux 1.5
+ Trustix Secure Linux 1.5
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
+ Trustix Secure Linux 1.1
GNU fileutils 4.0.36
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1
+ RedHat Linux 7.1
+ RedHat Linux for iSeries 7.1
+ RedHat Linux for iSeries 7.1
+ RedHat Linux for pSeries 7.1
GNU fileutils 4.0
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2 68k
+ Debian Linux 2.2 68k
+ Immunix Immunix OS 7+
+ Red Hat Linux 6.2
+ Red Hat Linux 6.2
+ Red Hat Linux 6.2
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0
+ RedHat Linux 7.0
+ RedHat Linux 7.0
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 i386
+ Slackware Linux 7.1
+ Slackware Linux 7.1
+ Slackware Linux 7.1
+ Slackware Linux 7.0
+ Slackware Linux 7.0
+ Slackware Linux 7.0
Avaya Interactive Response 1.3
Avaya Interactive Response 1.2.1
Avaya Interactive Response 2.0
Avaya Interactive Response
Avaya CMS Server 13.0
Avaya CMS Server 12.0
Avaya CMS Server 11.0
Avaya CMS Server 9.0
Avaya CMS Server 13.1

- 漏洞讨论

GNU fileutils is a freely available, open-source file manager. It is designed for use on Linux and other UNIX-like operating systems.

Under some circumstances, a local user may be able to remove the root directory of the system. Due to inadequate file locking and an insecure 'chdir' call, an attacker could move files from the '/tmp' directory into the root directory. The problem occurs with a directory tree that has several single subdirectories in '/tmp' when the root user tries to remove the directories recursively. If the root user tries to recursively remove the directory tree from '/tmp' and if the directory tree is writable by another user, then the user could move a high-level directory into '/tmp' after the 'rm' program has descended the tree. The 'rm' program would then ascend from the '/tmp' directory to the root directory, recursively removing the contents of the root directory.

- 漏洞利用

Currently we are not aware of any exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:vuldb@securityfocus.com.

- 解决方案

Please see the references for more information and fixes.


GNU fileutils 4.0

GNU fileutils 4.0.36

GNU fileutils 4.1

GNU fileutils 4.1.6

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站