CVE-2003-0547
CVSS 2.1
Published: 2003-08-27 00:00:00
Revised: 2016-10-17 22:35:12

[Original] GDM before 2.4.1.6, when using the "examine session errors" feature, allows local users to read arbitrary files via a symlink attack on the ~/.xsession-errors file.


[CNNVD] GDM Xsession-Errors Insecure File Handling Vulnerability (CNNVD-200308-173)

        
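        GDM is the GNOME display manager for X. XDMCP is the X Display Manager Control Protocol.
        GDM handles the '.xsession-errors' file insecurely; a local attacker can exploit this vulnerability to view the contents of sensitive files on the system with root privileges.
        The vulnerability is exercised through GDM's "examine session errors" feature, which displays the contents of the '.xsession-errors' file in the invoking user's HOME directory. Because the file is not sufficiently checked when it is handled, an attacker can replace it with a symbolic link to an arbitrary system file; since GDM is installed setuid root by default, the contents of any file on the system can then be viewed with root privileges.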
        

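- CVSS (Base Score)

CVSS score: 2.1 [LOW]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]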

- CPE (Affected Platforms and Products)

cpe:/a:gnome:gdm:2.4.1.3
cpe:/a:gnome:gdm:2.4.1
cpe:/a:gnome:gdm:2.4.1.4
cpe:/a:gnome:gdm:2.4.1.5
cpe:/a:gnome:gdm:2.4.1.6
cpe:/a:gnome:gdm:2.4.1.1
cpe:/a:gnome:gdm:2.4.1.2
cpe:/a:redhat:kdebase:2.4.0.7.13::i386
cpe:/a:redhat:kdebase:2.4.1.3.5::i386

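- OVAL (Technical Details for Detection)

oval:org.mitre.oval:def:112 GDM Examine Errors Symlink Vulnerability
*OVAL describes in detail how to detect this vulnerability; more technical details on detecting it can be found in the relevant OVAL definition.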

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0547
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0547
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200308-173
(Official data source) CNNVD

- Other Links and Resources

http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000729
(UNKNOWN)  CONECTIVA  CLA-2003:729
http://mail.gnome.org/archives/gnome-hackers/2003-August/msg00045.html
(UNKNOWN)  CONFIRM  http://mail.gnome.org/archives/gnome-hackers/2003-August/msg00045.html
http://marc.info/?l=bugtraq&m=106194792924122&w=2
(UNKNOWN)  BUGTRAQ  20030824 [slackware-security] GDM security update (SSA:2003-236-01)
http://www.redhat.com/support/errata/RHSA-2003-258.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2003:258

- Vulnerability Information

GDM Xsession-Errors Insecure File Handling Vulnerability
Low severity  Access validation error
2003-08-27 00:00:00 2006-09-05 00:00:00
Local
        
        

- Advisories and Patches

        Vendor patches:
        MandrakeSoft
        ------------
        MandrakeSoft has released a security advisory (MDKSA-2003:085) and corresponding patches for this issue:
        MDKSA-2003:085: Updated gdm packages fix vulnerabilities
        Link:
        http://www.linux-mandrake.com/en/security/2003/2003-085.php

        Patch download:
        Updated Packages:
        Corporate Server 2.1:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/gdm-2.4.1.6-0.2mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/gdm-Xnest-2.4.1.6-0.2mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/SRPMS/gdm-2.4.1.6-0.2mdk.src.rpm
        Corporate Server 2.1/x86_64:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/x86_64/corporate/2.1/RPMS/gdm-2.4.1.6-0.2mdk.x86_64.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/x86_64/corporate/2.1/RPMS/gdm-Xnest-2.4.1.6-0.2mdk.x86_64.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/x86_64/corporate/2.1/SRPMS/gdm-2.4.1.6-0.2mdk.src.rpm
        Mandrake Linux 9.0:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.0/RPMS/gdm-2.4.1.6-0.2mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.0/RPMS/gdm-Xnest-2.4.1.6-0.2mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.0/SRPMS/gdm-2.4.1.6-0.2mdk.src.rpm
        Mandrake Linux 9.1:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/gdm-2.4.1.6-0.3mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/gdm-Xnest-2.4.1.6-0.3mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/SRPMS/gdm-2.4.1.6-0.3mdk.src.rpm
        Mandrake Linux 9.1/PPC:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/gdm-2.4.1.6-0.3mdk.ppc.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/gdm-Xnest-2.4.1.6-0.3mdk.ppc.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/SRPMS/gdm-2.4.1.6-0.3mdk.src.rpm
        The updated packages above can also be downloaded from any of the mirror FTP servers listed at:
        
        http://www.mandrakesecure.net/en/ftp.php

        RedHat
        ------
        RedHat has released a security advisory (RHSA-2003:258-01) and corresponding patches for this issue:
        RHSA-2003:258-01: GDM allows local user to read any file.
        Link: https://www.redhat.com/support/errata/RHSA-2003-258.html
        Patch download:
        Red Hat Linux 7.1:
        SRPMS:
        ftp://updates.redhat.com/7.1/en/os/SRPMS/gdm-2.0beta2-46.src.rpm
        i386:
        ftp://updates.redhat.com/7.1/en/os/i386/gdm-2.0beta2-46.i386.rpm
        Red Hat Linux 7.1 for iSeries (64 bit):
        SRPMS:
        ftp://updates.redhat.com/7.1/en/os/iSeries/SRPMS/gdm-2.0beta2-46.src.rpm
        ppc:
        ftp://updates.redhat.com/7.1/en/os/iSeries/ppc/gdm-2.0beta2-46.ppc.rpm
        Red Hat Linux 7.1 for pSeries (64 bit):
        SRPMS:
        ftp://updates.redhat.com/7.1/en/os/pSeries/SRPMS/gdm-2.0beta2-46.src.rpm
        ppc:
        ftp://updates.redhat.com/7.1/en/os/pSeries/ppc/gdm-2.0beta2-46.ppc.rpm
        Red Hat Linux 7.2:
        SRPMS:
        ftp://updates.redhat.com/7.2/en/os/SRPMS/gdm-2.2.3.1-21.src.rpm
        i386:
        ftp://updates.redhat.com/7.2/en/os/i386/gdm-2.2.3.1-21.i386.rpm
        ia64:
        ftp://updates.redhat.com/7.2/en/os/ia64/gdm-2.2.3.1-21.ia64.rpm
        Red Hat Linux 7.3:
        SRPMS:
        ftp://updates.redhat.com/7.3/en/os/SRPMS/gdm-2.2.3.1-23.src.rpm
        i386:
        ftp://updates.redhat.com/7.3/en/os/i386/gdm-2.2.3.1-23.i386.rpm
        Red Hat Linux 8.0:
        SRPMS:
        ftp://updates.redhat.com/8.0/en/os/SRPMS/gdm-2.4.0.7-14.src.rpm
        i386:
        ftp://updates.redhat.com/8.0/en/os/i386/gdm-2.4.0.7-14.i386.rpm
        Red Hat Linux 9:
        SRPMS:
        ftp://updates.redhat.com/9/en/os/SRPMS/gdm-2.4.1.3-5.1.src.rpm
        i386:
        ftp://updates.redhat.com/9/en/os/i386/gdm-2.4.1.3-5.1.i386.rpm

- Vulnerability Information

2461
GNOME Display Manager (gdm) .xsession-errors Symlink Arbitrary File Read
Local Access Required Race Condition
Vendor Verified

- Vulnerability Description

- Timeline

2003-08-22 Unknown
Unknown Unknown

- Solution

Products

Unknown or Incomplete

- Related References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

GDM Xsession-Errors Insecure File Handling Vulnerability
Access Validation Error 8469
No Yes
2003-08-21 12:00:00 2009-07-11 11:56:00
This vulnerability has been disclosed in a Red Hat security advisory.

- Affected Program Versions

RedHat gdm-2.4.1.3-5.i386.rpm
+ RedHat Linux 9.0 i386
RedHat gdm-2.4.0.7-13.i386.rpm
+ RedHat Linux 8.0 i386
Martin K. Peterson gdm 2.4.1 0
Martin K. Peterson gdm 2.4.1 .6
+ Conectiva Linux 9.0
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ Mandriva Linux Mandrake 9.0
Martin K. Peterson gdm 2.4.1 .5
Martin K. Peterson gdm 2.4.1 .4
Martin K. Peterson gdm 2.4.1 .3
+ SOTLinux SOTLinux 2003 Desktop
+ SOTLinux SOTLinux 2003 Server
Martin K. Peterson gdm 2.4.1 .2
Martin K. Peterson gdm 2.4.1 .1

- Vulnerability Discussion

It has been reported that, under some circumstances, GDM (Gnome Display Manager) is prone to an insecure file handling vulnerability. GDM is installed as a setuid root binary. As a result, an attacker may be capable of disclosing the contents of a privileged file.

The issue can be exploited through the use of GDM's "examine session errors" feature, which displays the contents of the '.xsession-errors' file located in the invoking user's home directory. Due to insufficient sanity checks when handling this file, it is supposedly possible for an attacker to replace the file with a symbolic link to an arbitrary file. This will effectively result in the disclosure of the file's contents, potentially revealing sensitive system information to an unprivileged user.
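
The safe-open pattern that addresses this class of bug, as an added C example (it is not GDM's actual patch and not code from this entry): a privileged process opens the per-user file without following a symlink and validates the descriptor with fstat() before reading it. The function names and the temporary paths used by the self-check are assumptions made for illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a per-user log for reading. O_NOFOLLOW refuses a symlink at the final
 * path component; O_NONBLOCK keeps a planted FIFO from blocking the open.
 * All checks run on the descriptor, not the path, because the user controls
 * the directory and could swap the file between a path check and the open.
 * Returns a readable fd, or -1 if the file is not acceptable. */
int open_user_log(const char *path, uid_t expected_owner)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;                      /* includes ELOOP for a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != expected_owner || st.st_nlink != 1) {
        close(fd);                      /* wrong type, owner, or hard-linked */
        return -1;
    }
    return fd;
}

/* Constructed self-check: returns 1 when a regular file is accepted and a
 * symlink standing in for .xsession-errors is rejected. */
int selfcheck(void)
{
    char dir[] = "/tmp/xsess-demo-XXXXXX", real[64], lnk[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(real, sizeof real, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/.xsession-errors", dir);
    FILE *f = fopen(real, "w");
    if (!f) return -1;
    fputs("constructed sample line\n", f);
    fclose(f);
    if (symlink(real, lnk) != 0) return -1;
    int ok_fd = open_user_log(real, getuid());
    int bad_fd = open_user_log(lnk, getuid());
    int result = (ok_fd >= 0 && bad_fd < 0);
    if (ok_fd >= 0) close(ok_fd);
    if (bad_fd >= 0) close(bad_fd);
    unlink(lnk); unlink(real); rmdir(dir);
    return result;
}
```
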

- Exploit

There is no exploit required.

- Solution

Mandrake has released a security advisory (MDKSA-2003:085) containing fixes to address these issues. See referenced advisory for further detail regarding applying relevant fixes.

Red Hat has released a security advisory (RHSA-2003:258-01) containing fixes to address this issue. See referenced advisory for further detail regarding applying relevant fixes.

Slackware has released an advisory containing fixes to address this issue. See referenced advisory for further details regarding applying relevant fixes.

Turbolinux has released an advisory containing fixes to address this issue. See referenced advisory for further details regarding applying relevant fixes.
Please use turbopkg tool to apply the updates.

SOTLinux has released an advisory containing fixes to address this issue. Users are advised to upgrade as soon as possible.

Fixes:


RedHat gdm-2.4.1.3-5.i386.rpm

RedHat gdm-2.4.0.7-13.i386.rpm

Martin K. Peterson gdm 2.4.1 .6

Martin K. Peterson gdm 2.4.1 .3

- Related References

 

 
