CVE-2002-1715
CVSS 7.2
Published: 2002-12-31 00:00:00
Last revised: 2008-09-05 16:31:19

[Original] SSH 1 through 3, and possibly other versions, allows local users to bypass restricted shells such as rbash or rksh by uploading a script to a world-writeable directory, then executing that script to gain normal shell access.


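[CNNVD] SSH Restricted Shell Bypass Vulnerability (CNNVD-200212-184)

        
        SSH is an implementation of the Secure Shell protocol and is available for a variety of operating systems.
        SSH has a security vulnerability that can allow an attacker to break out of a restricted shell environment and execute arbitrary commands.
        If an authorized user is configured to use rbash or rksh, the remote authorized user can upload files to a world-writable directory and execute commands from that directory. In this situation, an attacker can upload a script and execute it to obtain a regular shell on the system, breaking out of a restricted shell environment such as rbash, and then attack the system further. The problem is that when a command is executed from the shell, the command creates a shell process, which rksh or rbash then invokes and executes.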
        

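- CVSS (Base Score)

CVSS score: 7.2 [Severe (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause the system to go down completely]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]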

- CPE (Affected Platforms and Products)

cpe:/a:ssh:ssh:1.2.24 SSH Communications Security SSH daemon 1.2.24
cpe:/a:ssh:ssh2:2.0.11 SSH Communications Security SSH2 2.0.11
cpe:/a:ssh:ssh2:3.0
cpe:/a:ssh:ssh2:2.4
cpe:/a:ssh:ssh:1.2.28 SSH Communications Security SSH daemon 1.2.28
cpe:/a:ssh:ssh:1.2.18 SSH Communications Security SSH daemon 1.2.18
cpe:/a:ssh:ssh:1.2.30 SSH Communications Security SSH daemon 1.2.30
cpe:/a:ssh:ssh2:2.0.13 SSH Communications Security SSH2 2.0.13
cpe:/a:ssh:ssh2:2.0.3 SSH Communications Security SSH2 2.0.3
cpe:/a:ssh:ssh2:2.2
cpe:/a:ssh:ssh2:2.5
cpe:/a:ssh:ssh:1.2.3 SSH Communications Security SSH daemon 1.2.3
cpe:/a:ssh:ssh2:2.1
cpe:/a:ssh:ssh2:2.0.2 SSH Communications Security SSH2 2.0.2
cpe:/a:ssh:ssh:1.2.2 SSH Communications Security SSH daemon 1.2.2
cpe:/a:ssh:ssh:1.2.4 SSH Communications Security SSH daemon 1.2.4
cpe:/a:ssh:ssh2:2.3
cpe:/a:ssh:ssh:1.2.16 SSH Communications Security SSH daemon 1.2.16
cpe:/a:ssh:ssh2:2.0.5 SSH Communications Security SSH2 2.0.5
cpe:/a:ssh:ssh2:2.0
cpe:/a:ssh:ssh2:2.0.6 SSH Communications Security SSH2 2.0.6
cpe:/a:ssh:ssh:1.2.25 SSH Communications Security SSH daemon 1.2.25
cpe:/a:ssh:ssh:1.2.9 SSH Communications Security SSH daemon 1.2.9
cpe:/a:ssh:ssh:1.2.22 SSH Communications Security SSH daemon 1.2.22
cpe:/a:ssh:ssh:1.2.14 SSH Communications Security SSH daemon 1.2.14
cpe:/a:ssh:ssh2:2.0.12 SSH Communications Security SSH2 2.0.12
cpe:/a:ssh:ssh:1.2.15 SSH Communications Security SSH daemon 1.2.15
cpe:/a:ssh:ssh:1.2.21 SSH Communications Security SSH daemon 1.2.21
cpe:/a:ssh:ssh:1.2.19 SSH Communications Security SSH daemon 1.2.19
cpe:/a:ssh:ssh:1.2.6 SSH Communications Security SSH daemon 1.2.6
cpe:/a:ssh:ssh2:2.0.7 SSH Communications Security SSH2 2.0.7
cpe:/a:ssh:ssh2:2.0.1 SSH Communications Security SSH2 2.0.1
cpe:/a:ssh:ssh2:2.0.4 SSH Communications Security SSH2 2.0.4
cpe:/a:ssh:ssh2:2.0.8 SSH Communications Security SSH2 2.0.8
cpe:/a:ssh:ssh:1.2.12 SSH Communications Security SSH daemon 1.2.12
cpe:/a:ssh:ssh:1.2.29 SSH Communications Security SSH daemon 1.2.29
cpe:/a:ssh:ssh:1.2.8 SSH Communications Security SSH daemon 1.2.8
cpe:/a:ssh:ssh:1.2.13 SSH Communications Security SSH daemon 1.2.13
cpe:/a:ssh:ssh:1.2.20 SSH Communications Security SSH daemon 1.2.20
cpe:/a:ssh:ssh:1.2.17 SSH Communications Security SSH daemon 1.2.17
cpe:/a:ssh:ssh:1.2.0 SSH Communications Security SSH daemon 1.2.0
cpe:/a:ssh:ssh:1.2.26 SSH Communications Security SSH daemon 1.2.26
cpe:/a:ssh:ssh:1.2.23 SSH Communications Security SSH daemon 1.2.23
cpe:/a:ssh:ssh:1.2.10 SSH Communications Security SSH daemon 1.2.10
cpe:/a:ssh:ssh:1.2.5 SSH Communications Security SSH daemon 1.2.5
cpe:/a:ssh:ssh:1.2.27 SSH Communications Security SSH daemon 1.2.27
cpe:/a:ssh:ssh:1.2.11 SSH Communications Security SSH daemon 1.2.11
cpe:/a:ssh:ssh2:2.0.10 SSH Communications Security SSH2 2.0.10
cpe:/a:ssh:ssh:1.2.7 SSH Communications Security SSH daemon 1.2.7
cpe:/a:ssh:ssh2:2.0.9 SSH Communications Security SSH2 2.0.9
cpe:/a:ssh:ssh:1.2.31 SSH Communications Security SSH daemon 1.2.31
cpe:/a:ssh:ssh:1.2.1 SSH Communications Security SSH daemon 1.2.1

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1715
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1715
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200212-184
(Official data source) CNNVD

- Other Links and Resources

http://xforce.iss.net/xforce/xfdb/8908
(UNKNOWN)  XF  ssh-bypass-restricted-shells(8908)
http://www.securityfocus.com/bid/4547
(UNKNOWN)  BID  4547

- Vulnerability Information

SSH Restricted Shell Bypass Vulnerability
High risk  Access validation error
2002-12-31 00:00:00 2006-09-05 00:00:00
Local
        
        

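- Advisories and Patches

        Temporary workaround:
        If you cannot install a patch or upgrade immediately, CNNVD recommends taking the following measures to reduce the threat:
        * No suitable temporary workaround is currently available.
        Vendor patch:
        SSH Communications Security
        ---------------------------
        The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version: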
        
        http://www.ssh.com

- Vulnerability Information (21398)

SSH2 3.0 Restricted Shell Escaping Command Execution Vulnerability (EDBID:21398)
linux local
2002-04-18 Verified
0 A.Dimitrov
N/A
source: http://www.securityfocus.com/bid/4547/info

SSH (and derivatives) is an implementation of the Secure Shell protocol. It is available for various operating systems, although this vulnerability affects operating systems such as Unix and Linux.

It has been reported that it is possible for a remote user to upload files to world-writeable directories, and execute commands from world-writeable directories. In doing so, a user may be able to upload a script, and execute the script to gain access to a regular shell on the system. This would allow the user unrestricted, but unprivileged access.

After uploading 'malicious' to /tmp:

ssh -l user host '/tmp/malicious' 		

- Vulnerability Information

23589
SSH Directory Permission Weakness Restricted Shell Bypass
Local Access Required Misconfiguration
Loss of Integrity
Exploit Public

- Vulnerability Description

- Timeline

2002-04-19 Unknown
2002-04-19 Unknown

- Solution

Products

Unknown or Incomplete

- Related References

- Vulnerability Author

Unknown or Incomplete
 

 
