CVE-2002-0678
CVSS 7.2
Published: 2002-07-23 00:00:00
Revised: 2016-10-17 22:21:18

[Original] CDE ToolTalk database server (ttdbserver) allows local users to overwrite arbitrary files via a symlink attack on the transaction log file used by the _TT_TRANSACTION RPC procedure.


[CNNVD] Multiple Vendor CDE ToolTalk Database Server Local Symbolic Link Vulnerability (CNNVD-200207-076)

        
The Common Desktop Environment (CDE) is an integrated graphical user interface that runs on many UNIX and Linux operating systems. The CDE ToolTalk service lets independently developed applications communicate with each other by exchanging ToolTalk messages across hosts and platforms; with it, applications can define open protocols so that programs interoperate and new programs can be plugged into the system with minimal reconfiguration. The ToolTalk RPC database server, rpc.ttdbserverd, manages ToolTalk application communication.
The CDE ToolTalk RPC database server (rpc.ttdbserverd) does not adequately filter the arguments passed to the _TT_TRANSACTION() procedure. A local attacker can exploit this by creating a symbolic link and then issuing an RPC request, overwriting the contents of an arbitrary file on the system with root privileges.
The ToolTalk RPC database server includes the _TT_TRANSACTION() procedure, which creates and writes a transaction log file using the path and file arguments supplied by the client. The server does not check for symbolic links when creating and writing this log file, so a local attacker who plants a symbolic link and then submits a specially crafted RPC call can overwrite arbitrary files with root privileges, causing a denial of service and possibly gaining elevated privileges.
        

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [the system may be brought down entirely]
Access complexity: LOW [no access restrictions limit exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is needed to exploit]

- CPE (affected platforms and products)

cpe:/o:sgi:irix:6.5  SGI IRIX 6.5
cpe:/o:sgi:irix:6.0.1  SGI IRIX 6.0.1
cpe:/o:sgi:irix:6.1  SGI IRIX 6.1
cpe:/o:sgi:irix:5.2  SGI IRIX 5.2
cpe:/o:sgi:irix:6.4  SGI IRIX 6.4
cpe:/a:xi_graphics:dextop:2.1
cpe:/o:sgi:irix:6.2  SGI IRIX 6.2
cpe:/o:sgi:irix:6.5.15  SGI IRIX 6.5.15
cpe:/o:compaq:tru64:4.0f  Compaq Tru64 4.0f
cpe:/o:compaq:tru64:4.0g  Compaq Tru64 4.0g
cpe:/o:sgi:irix:6.0  SGI IRIX 6.0
cpe:/o:sgi:irix:5.3  SGI IRIX 5.3
cpe:/o:sgi:irix:6.3  SGI IRIX 6.3
cpe:/o:ibm:aix:5.1  IBM AIX 5.1
cpe:/a:caldera:unixware:7.0
cpe:/o:sun:solaris:7.0
cpe:/o:compaq:tru64:5.1a  Compaq Tru64 5.1a
cpe:/o:sun:solaris:2.6
cpe:/o:sun:solaris:8.0
cpe:/o:hp:hp-ux:11.11  HP-UX 11.11
cpe:/o:hp:hp-ux:10.20  HP HP-UX 10.20
cpe:/o:hp:hp-ux:10.24  HP HP-UX 10.24
cpe:/o:sun:solaris:2.5.1
cpe:/o:sgi:irix:6.5.2  SGI IRIX 6.5.2
cpe:/o:sgi:irix:6.5.7  SGI IRIX 6.5.7
cpe:/o:sgi:irix:6.5.8  SGI IRIX 6.5.8
cpe:/o:sgi:irix:6.5.5  SGI IRIX 6.5.5
cpe:/o:compaq:tru64:5.1  Compaq Tru64 5.1
cpe:/o:sgi:irix:6.5.3  SGI IRIX 6.5.3
cpe:/o:sgi:irix:6.5.4  SGI IRIX 6.5.4
cpe:/o:sgi:irix:6.5.1  SGI IRIX 6.5.1
cpe:/o:sgi:irix:6.5.11  SGI IRIX 6.5.11
cpe:/a:caldera:unixware:7.1.0
cpe:/o:sgi:irix:6.5.16  SGI IRIX 6.5.16
cpe:/o:caldera:openunix:8.0
cpe:/a:caldera:unixware:7.1.1
cpe:/o:sgi:irix:6.5.14  SGI IRIX 6.5.14
cpe:/o:sgi:irix:6.5.6  SGI IRIX 6.5.6
cpe:/o:sgi:irix:6.5.12  SGI IRIX 6.5.12
cpe:/o:sgi:irix:6.5.13  SGI IRIX 6.5.13
cpe:/o:compaq:tru64:5.0a  Compaq Tru64 5.0a
cpe:/o:sgi:irix:6.5.10  SGI IRIX 6.5.10
cpe:/o:sgi:irix:6.5.9  SGI IRIX 6.5.9
cpe:/o:sun:solaris:9.0::sparc
cpe:/o:hp:hp-ux:10.10  HP HP-UX 10.10
cpe:/o:hp:hp-ux:11.00  HP-UX 11.00
cpe:/o:ibm:aix:4.3.3  IBM AIX 4.3.3

- OVAL (technical details for detection)

oval:org.mitre.oval:def:80  Solaris 7 CDE ToolTalk Database Symbolic Link Vulnerability
oval:org.mitre.oval:def:2770  Solaris 9 CDE ToolTalk Database Server Symbolic Link Vulnerability
oval:org.mitre.oval:def:175  Solaris 8 CDE ToolTalk Database Server Symbolic Link Vulnerability
*OVAL describes in detail how to detect this vulnerability; see the related OVAL definitions for further technical details on detection.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0678
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0678
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200207-076
(official data source) CNNVD

- Other links and resources

ftp://ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.28/CSSA-2002-SCO.28.txt
(UNKNOWN)  CALDERA  CSSA-2002-SCO.28
ftp://patches.sgi.com/support/free/security/advisories/20021101-01-P
(UNKNOWN)  SGI  20021101-01-P
http://archives.neohapsis.com/archives/aix/2002-q3/0002.html
(UNKNOWN)  AIXAPAR  IY32368
http://marc.info/?l=bugtraq&m=102635906423617&w=2
(UNKNOWN)  BUGTRAQ  20020710 [CORE-20020528] Multiple vulnerabilities in ToolTalk Database server
http://www.cert.org/advisories/CA-2002-20.html
(VENDOR_ADVISORY)  CERT  CA-2002-20
http://www.iss.net/security_center/static/9527.php
(UNKNOWN)  XF  tooltalk-ttdbserverd-tttransaction-symlink(9527)
http://www.kb.cert.org/vuls/id/299816
(VENDOR_ADVISORY)  CERT-VN  VU#299816
http://www.securityfocus.com/bid/5083
(UNKNOWN)  BID  5083
http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX0207-199
(UNKNOWN)  HP  HPSBUX0207-199

- Vulnerability information

Multiple Vendor CDE ToolTalk Database Server Local Symbolic Link Vulnerability
High risk  Access validation error
2002-07-23 00:00:00 2005-05-02 00:00:00
Remote
        
        

- Advisories and patches

Temporary workarounds:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
* Disable the ToolTalk RPC database server daemon.
Edit /etc/inetd.conf, comment out or delete the configuration line for 'rpc.ttdbserver', and restart the inetd daemon.
* Use access controls to restrict access to the RPC service ports.
Vendor patches:
Caldera
-------
Caldera has released a security advisory (CSSA-2002-SCO.28) and a corresponding patch for this issue:
CSSA-2002-SCO.28: UnixWare 7.1.1 Open UNIX 8.0.0 : rpc.ttdbserverd file creation and deletion vulnerabilities
Link: ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.28
Patch download:
ftp://ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.28
Patch installation:
# uncompress /var/spool/pkg/erg712073.pkg.Z
# pkgadd -d /var/spool/pkg/erg712073.pkg
HP
--
HP has released a security advisory (HPSBUX0207-199) and a corresponding upgrade for this issue:
HPSBUX0207-199: Sec. Vulnerability in rpc.ttdbserver (Rev.1)
Link:
New program download:
ftp://ttdb1:ttdb1@192.170.19.51/rpc.ttdbserver.tar.gz
Upgrade installation:
Extract rpc.ttdbserver.tar.gz into a temporary directory, change into that directory and run:
./install_rpc.ttdbserver rpc.ttdbserver.1020

- Vulnerability information

4508
CDE ToolTalk Transaction Log Symlink Arbitrary File Overwrite
Local Access Required Race Condition

- Vulnerability description

Unknown or Incomplete

- Timeline

2002-07-10 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Multiple Vendor CDE ToolTalk Database Server Symbolic Link Vulnerability
Access Validation Error 5083
Yes No
2002-07-11 12:00:00 2009-07-11 01:56:00
Discovered by Ricardo Quesada of CORE Security Technologies.

- Affected program versions

Xi Graphics DeXtop 2.1
Sun Solaris 2.5.1 _x86
Sun Solaris 2.5.1
Sun Solaris 9_x86
Sun Solaris 9
Sun Solaris 8_x86
Sun Solaris 8_sparc
Sun Solaris 7.0_x86
Sun Solaris 7.0
Sun Solaris 2.6_x86
Sun Solaris 2.6
SGI IRIX 6.5.17 m
SGI IRIX 6.5.17 f
SGI IRIX 6.5.17
SGI IRIX 6.5.16 m
SGI IRIX 6.5.16 f
SGI IRIX 6.5.16
SGI IRIX 6.5.15 m
SGI IRIX 6.5.15 f
SGI IRIX 6.5.15
SGI IRIX 6.5.14 m
SGI IRIX 6.5.14 f
SGI IRIX 6.5.14
SGI IRIX 6.5.13 m
SGI IRIX 6.5.13 f
SGI IRIX 6.5.13
SGI IRIX 6.5.12 m
SGI IRIX 6.5.12 f
SGI IRIX 6.5.12
SGI IRIX 6.5.11 m
SGI IRIX 6.5.11 f
SGI IRIX 6.5.11
SGI IRIX 6.5.10 m
SGI IRIX 6.5.10 f
SGI IRIX 6.5.10
SGI IRIX 6.5.9 m
SGI IRIX 6.5.9 f
SGI IRIX 6.5.9
SGI IRIX 6.5.8 m
SGI IRIX 6.5.8 f
SGI IRIX 6.5.8
SGI IRIX 6.5.7 m
SGI IRIX 6.5.7 f
SGI IRIX 6.5.7
SGI IRIX 6.5.6 m
SGI IRIX 6.5.6 f
SGI IRIX 6.5.6
SGI IRIX 6.5.5 m
SGI IRIX 6.5.5 f
SGI IRIX 6.5.5
SGI IRIX 6.5.4 m
SGI IRIX 6.5.4 f
SGI IRIX 6.5.4
SGI IRIX 6.5.3 m
SGI IRIX 6.5.3 f
SGI IRIX 6.5.3
SGI IRIX 6.5.2 m
SGI IRIX 6.5.2 f
SGI IRIX 6.5.2
SGI IRIX 6.5.1
SGI IRIX 6.5
SGI IRIX 6.4
SGI IRIX 6.3
SGI IRIX 6.2
SGI IRIX 6.1
SGI IRIX 6.0.1
SGI IRIX 6.0
SGI IRIX 5.3
SGI IRIX 5.2
IBM AIX 4.3.3
IBM AIX 5.1
HP HP-UX 11.11
HP HP-UX 11.0
HP HP-UX 10.24
HP HP-UX 10.20
HP HP-UX 10.10
Compaq Tru64 5.1 a
Compaq Tru64 5.1
Compaq Tru64 5.0 a
Compaq Tru64 4.0 g
Compaq Tru64 4.0 f
Caldera UnixWare 7.1.1
Caldera UnixWare 7.1.0
Caldera UnixWare 7
Caldera OpenUnix 8.0
SCO Open Server 5.0.6 a
SCO Open Server 5.0.6
SCO Open Server 5.0.5
SCO Open Server 5.0.4
SCO Open Server 5.0.3
SCO Open Server 5.0.2
SCO Open Server 5.0.1
SCO Open Server 5.0
Fujitsu UXP/V V10L20
Fujitsu UXP/V V10L10
Caldera OpenLinux 3.1 -IA64
Caldera OpenLinux 2.4
Caldera OpenLinux 2.3
Caldera OpenLinux 2.2
Caldera OpenLinux 1.3

- Unaffected program versions

SCO Open Server 5.0.6 a
SCO Open Server 5.0.6
SCO Open Server 5.0.5
SCO Open Server 5.0.4
SCO Open Server 5.0.3
SCO Open Server 5.0.2
SCO Open Server 5.0.1
SCO Open Server 5.0
Fujitsu UXP/V V10L20
Fujitsu UXP/V V10L10
Caldera OpenLinux 3.1 -IA64
Caldera OpenLinux 2.4
Caldera OpenLinux 2.3
Caldera OpenLinux 2.2
Caldera OpenLinux 1.3

- Vulnerability discussion

CDE ships with a daemon called the ToolTalk database server. The ToolTalk database server allows for programs designed for use in CDE to communicate with each other. It is enabled by default on most systems shipped with CDE.

The ToolTalk database server is vulnerable to a symbolic link vulnerability that is exploitable by attackers with access to the filesystem.

The server logs transactions to logfiles with filenames based on the name of the ToolTalk database supplied by the client. When writing to the logfile, the server does not check to ensure that it is not a symbolic link. If an attacker creates a symbolic link on the filesystem with the path/filename of the logfile, transaction data will be written to the destination file as root.

Exploitation of this vulnerability may result in a denial of service if sensitive files are corrupted. As client-supplied data is written to the file, it may also be possible for this vulnerability to be exploited to elevate privileges.
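The defensive pattern that closes this class of bug is to open the client-named log file without following symbolic links and to validate the object actually opened through the descriptor. The C function below is an added illustration written for this page, not code from ttdbserverd or from any vendor patch; the directory, function and file names are assumed, and the self-check builds its own temporary directory.

```c
#define _GNU_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical hardened open for a client-named log (assumed names, not ttdbserverd code). */
int open_transaction_log(const char *logdir, const char *dbname)
{
    char path[PATH_MAX]; struct stat st; int fd;
    /* The client controls only the leaf name: no '/', no "." or ".." */
    if (!dbname || !*dbname || strchr(dbname, '/') ||
        !strcmp(dbname, ".") || !strcmp(dbname, ".."))
        return -1;
    if (snprintf(path, sizeof path, "%s/%s.log", logdir, dbname) >= (int)sizeof path)
        return -1;
    /* O_NOFOLLOW: a planted symlink fails with ELOOP instead of being followed */
    fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    /* Inspect what was really opened, through the fd (no check-then-use gap) */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Self-check in a constructed temp dir: a planted dangling symlink (which a plain
 * O_CREAT open would create a file at) is refused with ELOOP; a normal log opens. */
int check_symlink_refused(void)
{
    char dir[] = "/tmp/ttlog.XXXXXX", link[PATH_MAX], scratch[PATH_MAX]; int fd, ok = 0;
    if (!mkdtemp(dir)) return 0;
    snprintf(link, sizeof link, "%s/evil.log", dir);
    snprintf(scratch, sizeof scratch, "%s/victim", dir);
    if (symlink(scratch, link) == 0 && open_transaction_log(dir, "evil") < 0 &&
        errno == ELOOP && (fd = open_transaction_log(dir, "good")) >= 0) {
        close(fd);
        ok = 1;
    }
    snprintf(scratch, sizeof scratch, "%s/good.log", dir);
    unlink(link); unlink(scratch); rmdir(dir);
    return ok;   /* 1 when both checks held */
}
```

The fstat checks matter because a lookup done before the open (lstat and then open) would leave the race window the original report describes; only the descriptor names the object that was actually written.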

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

HP has stated that HP-MPE/ix, HP OpenVMS and HP NonStop Servers are not vulnerable to this issue. HP has also revised an advisory with fix information. Users running HP-UX 10.10 are advised to contact security-alert@hp.com for fix information.

Compaq Computer Corporation

CROSS REFERENCE: SSRT2251

At this time Compaq does have solutions in final testing and will publish HP Tru64 UNIX security bulletin (SSRT2251) with patch information as soon as testing has completed and kits are available from the support ftp web site.

Cray, Inc.

Cray, Inc. does include ToolTalk within the CrayTools product. However, rpc.ttdbserverd is not turned on or used by any Cray provided application. Since a site may have turned this on for their own use, they can always remove the binary /opt/ctl/bin/rpc.ttdbserverd if they are concerned.

IBM Corporation

The CDE desktop product shipped with AIX is vulnerable to both the issues detailed above in the advisory. This affects AIX releases 4.3.3 and 5.1.0. Patches have been made available.

Sun Microsystems, Inc.

The Solaris RPC-based ToolTalk database server, rpc.ttdbserverd, is vulnerable to the two vulnerabilities [VU#975403 VU#299816] described in this advisory in all currently supported versions of Solaris:

Solaris 2.5.1, 2.6, 7, 8, and 9

Patches are available for the following releases:

2.6, 7, 8, and 9.

Xi Graphics

Xi Graphics deXtop CDE v2.1 is vulnerable to this attack. An update correcting this issue will be available on our ftp site once this vulnerability has been publicly announced.

When announced, the update and accompanying text file will be:

ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.016.tar.gz
ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.016.txt

SGI has released a new advisory. A new patch, 4669, is available for IRIX 6.5.13 to 6.5.17.

Sun has released a revision of their advisory dealing with this issue. Please see the referenced advisory for more information.


Sun Solaris 8_sparc

IBM AIX 5.1

Sun Solaris 2.6

Sun Solaris 2.6_x86

Sun Solaris 7.0

Sun Solaris 9

Sun Solaris 7.0_x86

Sun Solaris 8_x86

HP HP-UX 10.10
  • HP rpc.ttdbserver
    FTP login credentials are required in order to access this fix. Username and password is ttdb1/ttdb1. Proper patches are forthcoming.
    ftp://hprc.external.hp.com


HP HP-UX 10.20

HP HP-UX 10.24

HP HP-UX 11.0

HP HP-UX 11.11

IBM AIX 4.3.3

SGI IRIX 6.5

SGI IRIX 6.5.1

SGI IRIX 6.5.10

SGI IRIX 6.5.10 m

SGI IRIX 6.5.10 f

SGI IRIX 6.5.11

SGI IRIX 6.5.11 m

SGI IRIX 6.5.11 f

SGI IRIX 6.5.12 f

SGI IRIX 6.5.12 m

SGI IRIX 6.5.12

SGI IRIX 6.5.13 f

SGI IRIX 6.5.13 m

SGI IRIX 6.5.13

SGI IRIX 6.5.14 f

SGI IRIX 6.5.14

SGI IRIX 6.5.14 m

SGI IRIX 6.5.15

SGI IRIX 6.5.15 m

SGI IRIX 6.5.15 f

SGI IRIX 6.5.16 f

SGI IRIX 6.5.16

SGI IRIX 6.5.16 m

SGI IRIX 6.5.17

SGI IRIX 6.5.17 m

SGI IRIX 6.5.17 f

SGI IRIX 6.5.2 m

SGI IRIX 6.5.2 f

SGI IRIX 6.5.2

SGI IRIX 6.5.3 f

SGI IRIX 6.5.3

SGI IRIX 6.5.3 m

SGI IRIX 6.5.4 m

SGI IRIX 6.5.4

SGI IRIX 6.5.4 f

SGI IRIX 6.5.5

SGI IRIX 6.5.5 f

SGI IRIX 6.5.5 m

SGI IRIX 6.5.6

SGI IRIX 6.5.6 m

SGI IRIX 6.5.6 f

SGI IRIX 6.5.7 m

SGI IRIX 6.5.7

SGI IRIX 6.5.7 f

SGI IRIX 6.5.8 m

SGI IRIX 6.5.8

SGI IRIX 6.5.8 f

SGI IRIX 6.5.9 f

SGI IRIX 6.5.9 m

SGI IRIX 6.5.9

Caldera UnixWare 7.1.1

Caldera OpenUnix 8.0

- References
