CVE-2002-0638
CVSS 6.2
Published: 2002-08-12 00:00:00
Revised: 2016-10-17 22:20:54
NMCO    

[Original] setpwnam.c in the util-linux package, as included in Red Hat Linux 7.3 and earlier, and other operating systems, does not properly lock a temporary file when modifying /etc/passwd, which may allow local users to gain privileges via a complex race condition that uses an open file descriptor in utility programs such as chfn and chsh.


[CNNVD] util-linux File Locking Local Race Condition Vulnerability (CNNVD-200208-115)

        util-linux is a software package containing multiple system tools such as 'chfn' and 'chsh', and is included in many Linux distributions.
        The util-linux tools have a race condition in shared code; a local attacker can exploit this vulnerability to escalate privileges.
        util-linux contains multiple utilities for performing Linux system functions; for example, the 'chfn' utility allows users to modify the personal information stored in the /etc/passwd file. To modify this file, the application must be installed setuid root.
        Under certain conditions, a vulnerability in the complex file locking and modification operations in the login-utils/setpwnam.c code of util-linux can be exploited: a carefully constructed sequence of operations can use the race condition to modify files such as /etc/passwd and escalate privileges. However, successful exploitation and privilege escalation requires some interaction with the administrator. In addition, the password file must exceed 4K bytes, and the local attacker's modification of /etc/passwd cannot place the modified entry in the final 4K-byte portion of the password file.
        Red Hat Linux ships util-linux as a core component; other Linux distributions derived from Red Hat may also be affected by this vulnerability.

- CVSS (Base Score)

CVSS score: 6.2 [MEDIUM]
Confidentiality impact: COMPLETE [complete information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause complete system shutdown]
Attack complexity: HIGH [exploitation requires specific access conditions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (Affected platforms and products)

cpe:/o:redhat:linux:6.0  Red Hat Linux 6.0
cpe:/o:redhat:linux:6.1  Red Hat Linux 6.1
cpe:/o:redhat:linux:7.0  Red Hat Linux 7.0
cpe:/o:redhat:linux:6.2  Red Hat Linux 6.2
cpe:/o:redhat:linux:7.1  Red Hat Linux 7.1
cpe:/o:redhat:linux:7.2  Red Hat Linux 7.2
cpe:/o:redhat:linux:7.1::ia64
cpe:/o:redhat:linux:7.2::ia64
cpe:/o:redhat:linux:7.3  Red Hat Linux 7.3
cpe:/o:hp:secure_os:1.0::linux
cpe:/a:mandrakesoft:mandrake_single_network_firewall:7.2  MandrakeSoft Mandrake Single Network Firewall 7.2
cpe:/o:mandrakesoft:mandrake_linux:8.2  MandrakeSoft Mandrake Linux 8.2
cpe:/o:mandrakesoft:mandrake_linux:7.0  MandrakeSoft Mandrake Linux 7.0
cpe:/o:mandrakesoft:mandrake_linux:8.1::ia64
cpe:/o:mandrakesoft:mandrake_linux:7.2  MandrakeSoft Mandrake Linux 7.2
cpe:/o:mandrakesoft:mandrake_linux:8.1  MandrakeSoft Mandrake Linux 8.1
cpe:/o:redhat:linux:6.2::alpha
cpe:/o:redhat:linux:7.1::alpha
cpe:/o:redhat:linux:6.0::alpha
cpe:/o:mandrakesoft:mandrake_linux:7.1  MandrakeSoft Mandrake Linux 7.1
cpe:/o:mandrakesoft:mandrake_linux:8.0  MandrakeSoft Mandrake Linux 8.0
cpe:/o:mandrakesoft:mandrake_linux:8.0::ppc
cpe:/o:redhat:linux:7.2::alpha
cpe:/o:redhat:linux:6.1::alpha
cpe:/o:redhat:linux:7.0::alpha
cpe:/o:mandrakesoft:mandrake_linux_corporate_server:1.0.1  MandrakeSoft Mandrake Linux Corporate Server 1.0.1
cpe:/o:redhat:linux:6.0::sparc
cpe:/o:redhat:linux:6.1::sparc
cpe:/o:redhat:linux:6.2::sparc

- OVAL (Technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0638
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0638
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200208-115
(official data source) CNNVD

- Other links and resources

ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-043.0.txt
(UNKNOWN)  CALDERA  CSSA-2002-043.0
http://archives.neohapsis.com/archives/bugtraq/2002-07/0357.html
(UNKNOWN)  VULNWATCH  20020729 [VulnWatch] RAZOR advisory: Linux util-linux chfn local root vulnerability
http://archives.neohapsis.com/archives/bugtraq/2002-07/0396.html
(UNKNOWN)  BUGTRAQ  20020730 TSLSA-2002-0064 - util-linux
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000523
(UNKNOWN)  CONECTIVA  CLA-2002:523
http://marc.info/?l=bugtraq&m=102795787713996&w=2
(UNKNOWN)  BUGTRAQ  20020729 RAZOR advisory: Linux util-linux chfn local root vulnerability
http://online.securityfocus.com/advisories/4320
(UNKNOWN)  HP  HPSBTL0207-054
http://rhn.redhat.com/errata/RHSA-2002-132.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2002:132
http://www.iss.net/security_center/static/9709.php
(UNKNOWN)  XF  utillinux-chfn-race-condition(9709)
http://www.kb.cert.org/vuls/id/405955
(VENDOR_ADVISORY)  CERT-VN  VU#405955
http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-047.php
(UNKNOWN)  MANDRAKE  MDKSA-2002:047
http://www.redhat.com/support/errata/RHSA-2002-137.html
(UNKNOWN)  REDHAT  RHSA-2002:137
http://www.securityfocus.com/bid/5344
(UNKNOWN)  BID  5344

- Vulnerability information

util-linux File Locking Local Race Condition Vulnerability
Medium  Race condition
2002-08-12 00:00:00 2005-05-02 00:00:00
Local

- Advisories and patches

        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Temporarily remove the setuid bit from /usr/bin/chfn and /usr/bin/chsh.
        Vendor patches:
        HP
        --
        HP Secure OS Software for Linux Release 1.0: install the Red Hat patch.
        RedHat
        ------
        Red Hat has released a security advisory (RHSA-2002:132-14) and corresponding patches for this issue:
        RHSA-2002:132-14: Updated util-linux package fixes password locking race
        Link: https://www.redhat.com/support/errata/RHSA-2002-132.html
        Patch download:
        Red Hat RPM util-linux-2.10f-7.6.2.src.rpm
        ftp://updates.redhat.com/6.2/en/os/SRPMS/util-linux-2.10f-7.6.2.src.rpm
        Red Hat RPM util-linux-2.10f-7.6.2.sparc.rpm
        ftp://updates.redhat.com/6.2/en/os/sparc/util-linux-2.10f-7.6.2.sparc.rpm
        RedHat Linux 6.2 alpha:
        Red Hat RPM util-linux-2.10f-7.6.2.src.rpm
        ftp://updates.redhat.com/6.2/en/os/SRPMS/util-linux-2.10f-7.6.2.src.rpm
        Red Hat RPM util-linux-2.10f-7.6.2.alpha.rpm
        ftp://updates.redhat.com/6.2/en/os/alpha/util-linux-2.10f-7.6.2.alpha.rpm
        RedHat Linux 6.2:
        Red Hat RPM util-linux-2.10f-7.6.2.src.rpm
        ftp://updates.redhat.com/6.2/en/os/SRPMS/util-linux-2.10f-7.6.2.src.rpm
        Red Hat RPM util-linux-2.10f-7.6.2.i386.rpm
        ftp://updates.redhat.com/6.2/en/os/i386/util-linux-2.10f-7.6.2.i386.rpm
        RedHat Linux 7.0 alpha:
        Red Hat RPM util-linux-2.10m-12.7.0.src.rpm
        ftp://updates.redhat.com/7.0/en/os/SRPMS/util-linux-2.10m-12.7.0.src.rpm
        Red Hat RPM util-linux-2.10m-12.7.0.alpha.rpm
        ftp://updates.redhat.com/7.0/en/os/alpha/util-linux-2.10m-12.7.0.alpha.rpm
        RedHat Linux 7.0:
        Red Hat RPM util-linux-2.10m-12.7.0.i386.rpm
        ftp://updates.redhat.com/7.0/en/os/i386/util-linux-2.10m-12.7.0.i386.rpm
        Red Hat RPM util-linux-2.10m-12.7.0.src.rpm
        ftp://updates.redhat.com/7.0/en/os/SRPMS/util-linux-2.10m-12.7.0.src.rpm
        RedHat Linux 7.1 ia64:
        Red Hat RPM util-linux-2.11f-17.7.2.src.rpm
        ftp://updates.redhat.com/7.1/en/os/SRPMS/util-linux-2.11f-17.7.2.src.rpm
        Red Hat RPM util-linux-2.11f-17.7.2.ia64.rpm
        ftp://updates.redhat.com/7.1/en/os/ia64/util-linux-2.11f-17.7.2.ia64.rpm
        RedHat Linux 7.1 alpha:
        Red Hat RPM util-linux-2.11f-17.7.2.src.rpm
        ftp://updates.redhat.com/7.1/en/os/SRPMS/util-linux-2.11f-17.7.2.src.rpm
        Red Hat RPM util-linux-2.11f-17.7.2.alpha.rpm
        ftp://updates.redhat.com/7.1/en/os/alpha/util-linux-2.11f-17.7.2.alpha.rpm
        RedHat Linux 7.1:
        Red Hat RPM util-linux-2.11f-17.7.2.src.rpm
        ftp://updates.redhat.com/7.1/en/os/SRPMS/util-linux-2.11f-17.7.2.src.rpm
        Red Hat RPM util-linux-2.11f-17.7.2.i386.rpm
        ftp://updates.redhat.com/7.1/en/os/i386/util-linux-2.11f-17.7.2.i386.rpm
        RedHat Linux 7.2 ia64:
        Red Hat RPM util-linux-2.11f-17.7.2.src.rpm
        ftp://updates.redhat.com/7.2/en/os/SRPMS/util-linux-2.11f-17.7.2.src.rpm
        Red Hat RPM util-linux-2.11f-17.7.2.ia64.rpm
        ftp://updates.redhat.com/7.2/en/os/ia64/util-linux-2.11f-17.7.2.ia64.rpm
        RedHat Linux 7.2 alpha:
        Red Hat RPM util-linux-2.11f-17.7.2.src.rpm
        ftp://updates.redhat.com/7.2/en/os/SRPMS/util-linux-2.11f-17.7.2.src.rpm
        RedHat Linux 7.2:
        Red Hat RPM util-linux-2.11f-17.7.2.src.rpm
        ftp://updates.redhat.com/7.2/en/os/SRPMS/util-linux-2.11f-17.7.2.src.rpm
        Red Hat RPM util-linux-2.11f-17.7.2.i386.rpm
        ftp://updates.redhat.com/7.2/en/os/i386/util-linux-2.11f-17.7.2.i386.rpm
        RedHat Linux 7.3:
        Michal Zalewski Patch setpwnam.patch
        http://www.securityfocus.com/data/vulnerabilities/patches/setpwnam.patch
        Unofficial source code patch. Applies to util-linux-2.11nn.
        Red Hat RPM util-linux-2.11n-12.7.3.src.rpm
        ftp://updates.redhat.com/7.3/en/os/SRPMS/util-linux-2.11n-12.7.3.src.rpm
        Red Hat RPM util-linux-2.11n-12.7.3.i386.rpm
        ftp://updates.redhat.com/7.3/en/os/i386/util-linux-2.11n-12.7.3.i386.rpm
        Red Hat RPM mount-2.11n-12.7.3.i386.rpm
        ftp://updates.redhat.com/7.3/en/os/i386/mount-2.11n-12.7.3.i386.rpm
        Red Hat RPM losetup-2.11n-12.7.3.i386.rpm
        ftp://updates.redhat.com/7.3/en/os/i386/losetup-2.11n-12.7.3.i386.rpm

- Vulnerability information

5164
util-linux setpwnam.c Open File Descriptor Race
Local Access Required Race Condition
Loss of Integrity
Exploit Unknown

- Vulnerability description

The util-linux utilities contain a flaw that may allow a malicious user to gain elevated privileges. The race condition can be triggered if the attacker is able to successfully execute a complex attack sequence using /usr/bin/chfn or /usr/bin/chsh. The attack requires that the system administrator interacts with the system: specifically, the administrator needs to remove /etc/ptmp before the attacker can complete the attack. The flaw, if exploited successfully, will allow the attacker to create new entries in /etc/passwd.
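The core of the flaw described above is a temporary file that can be opened even when it already exists, so the setuid program ends up holding a descriptor to a file it did not create. The following C program is an added illustration of that distinction, not code from util-linux or from this advisory: `open_tmp_shared()` shows the pre-fix `O_CREAT` pattern, `open_tmp_exclusive()` the `O_CREAT|O_EXCL` pattern, and `create_tmp_with_retry()` reproduces the shape of the patched three-attempt loop with the attempt count and delay as parameters so it runs quickly. The scratch path `/tmp/ptmptmp-demo` and the `demo_exclusive_create()` helper are constructed for this example; the real program works on a file under /etc.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Pre-fix pattern: O_CREAT without O_EXCL opens a temporary file even when
 * it already exists, so a setuid program can end up writing through a
 * descriptor to a file it did not create. (Illustration, not util-linux.) */
int open_tmp_shared(const char *path) {
    return open(path, O_WRONLY | O_CREAT, 0644);
}

/* Post-fix pattern: O_CREAT|O_EXCL turns "create only if absent" into one
 * atomic kernel operation; if the path exists, open() fails with EEXIST. */
int open_tmp_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
}

/* Mirrors the shape of the patched loop (retry, sleep between attempts,
 * exclusive create), with the count and delay as parameters. Returns the
 * descriptor or -1 with errno left from the last failed open(). A stale
 * file at `path` makes every attempt fail: the loop never removes it, which
 * is why an administrator has to clear such leftovers by hand. */
int create_tmp_with_retry(const char *path, int attempts, unsigned delay_s) {
    int fd = -1;
    int x;
    for (x = 0; x < attempts; x++) {
        if (x > 0 && delay_s > 0)
            sleep(delay_s);
        fd = open_tmp_exclusive(path);
        if (fd != -1)
            break;
    }
    return fd;
}

/* Runs both patterns against a scratch file it creates and removes itself.
 * Returns 1 when the shared open accepted the pre-existing file and the
 * exclusive open refused it with EEXIST, otherwise 0. */
int demo_exclusive_create(const char *path) {
    int first, shared, excl, shared_ok, excl_refused;

    unlink(path);                       /* start from a clean slate */
    first = open_tmp_exclusive(path);   /* nothing there yet: must succeed */
    if (first == -1)
        return 0;
    close(first);

    shared = open_tmp_shared(path);     /* pre-fix call: silently reuses the file */
    shared_ok = (shared != -1);
    if (shared != -1)
        close(shared);

    errno = 0;
    excl = create_tmp_with_retry(path, 2, 0); /* post-fix call: refused on every attempt */
    excl_refused = (excl == -1 && errno == EEXIST);
    if (excl != -1)
        close(excl);

    unlink(path);
    return shared_ok && excl_refused;
}

int main(void) {
    /* Constructed scratch path for the demo; not the real temporary file. */
    const char *path = "/tmp/ptmptmp-demo";
    if (demo_exclusive_create(path))
        puts("O_EXCL refused the pre-existing temporary file; O_CREAT alone did not");
    else
        puts("unexpected result (is /tmp writable?)");
    return 0;
}
```

The point for a reviewer of setuid code is that the existence check and the create must be the same system call; a separate `access()` or `stat()` before `open()` reopens exactly the window the race needs.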

- Timeline

2002-07-29 Unknown
Unknown Unknown

- Solution

Update to version 2.11u or above or patch the sources as follows: --- util-linux-2.11n-old/login-utils/setpwnam.c Mon Jul 31 08:50:39 2000 +++ util-linux-2.11n/login-utils/setpwnam.c Wed Jun 12 21:37:12 2002 @@ -98,7 +98,8 @@ /* sanity check */ for (x = 0; x < 3; x++) { if (x > 0) sleep(1); - fd = open(PTMPTMP_FILE, O_WRONLY|O_CREAT, 0644); + // Never share the temporary file. + fd = open(PTMPTMP_FILE, O_WRONLY|O_CREAT|O_EXCL, 0644); if (fd == -1) { umask(oldumask); return -1; A workaround for this flaw is to remove the setuid flags from /usr/bin/chfn and /usr/bin/chsh.
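Review bot: adding O_EXCL to the `open(PTMPTMP_FILE, ...)` inside the `for (x = 0; x < 3; x++)` loop means a stale file left at that path (for example by an earlier run that died after creating it) now makes all three attempts fail with EEXIST, and the function returns -1 through the existing `if (fd == -1) { umask(oldumask); return -1;` path after two sleep(1) calls without reporting why; since nothing in this hunk removes the leftover file, the failure branch should at least distinguish EEXIST from other errors and log the path so an administrator knows what to clean up. Minor style point: the added `// Never share the temporary file.` is a C99 line comment where the surrounding code uses C89 block comments (`/* sanity check */`); use `/* */` for consistency.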

- Related references

- Vulnerability author
