CVE-2003-0937
CVSS4.6
Published: 2003-12-15 00:00:00
Revised: 2016-10-17 22:38:25
NMCOS    

[Original] SCO UnixWare 7.1.1, 7.1.3, and Open UNIX 8.0.0 allows local users to bypass protections for the "as" address space file for a process ID (PID) by obtaining a procfs file descriptor for the file and calling execve() on a setuid or setgid program, which leaves the descriptor open to the user.


[CNNVD] SCO UnixWare/Open UNIX Insecure ProcFS Handling Vulnerability (CNNVD-200312-051)

UnixWare and Open UNIX are commercial Unix operating systems developed and maintained by SCO.
UnixWare and Open UNIX handle procfs descriptors insecurely, and a local attacker can exploit this vulnerability to escalate privileges.
"/proc/$PID/as" contains the address-space mapping of process $PID; it can be opened and accessed like other files and used to manipulate the process. The "as" file is owned by the process owner with permission mode 600.
However, the procfs implementation in SCO UnixWare/Open UNIX contains a flaw that allows a local attacker to bypass the protection of the setuid/setgid "as" file. The protection can be bypassed by first obtaining a descriptor for a process's file and then calling execve() on a setuid binary: execve() replaces the process image while the setuid privileges apply and the descriptor remains open. An attacker can therefore exploit this vulnerability to escalate privileges.

- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/o:sco:open_unix:8.0
cpe:/o:sco:unixware:7.1.1
cpe:/o:sco:unixware:7.1.3

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0937
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0937
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200312-051
(official data source) CNNVD

- Other links and resources

ftp://ftp.sco.com/pub/updates/UnixWare/CSSA-2003-SCO.32/CSSA-2003-SCO.32.txt
(VENDOR_ADVISORY)  SCO  CSSA-2003-SCO.32
http://marc.info/?l=bugtraq&m=106865297403687&w=2
(UNKNOWN)  BUGTRAQ  20031112 Insecure handling of procfs descriptors in UnixWare can lead to local privilege escalation.
http://www.texonet.com/advisories/TEXONET-20031024.txt
(VENDOR_ADVISORY)  MISC  http://www.texonet.com/advisories/TEXONET-20031024.txt

- Vulnerability information

SCO UnixWare/Open UNIX Insecure ProcFS Handling Vulnerability
Medium severity, access validation error
2003-12-15 00:00:00 2005-10-20 00:00:00
Local

- Advisories and patches

Vendor patches:
SCO
---
The vendor has released upgrade patches to fix this security issue; download them from the vendor's site:
SCO Unixware 7.1.1:
SCO Upgrade erg712482a.Z
ftp://ftp.sco.com/pub/updates/UnixWare/CSSA-2003-SCO.32/erg712482a.Z
SCO Unixware 7.1.3:
SCO Upgrade erg712482c.Z
ftp://ftp.sco.com/pub/updates/UnixWare/CSSA-2003-SCO.32/erg712482c.Z
SCO Open UNIX 8.0:
SCO Upgrade erg712482b.Z
ftp://ftp.sco.com/pub/updates/UnixWare/CSSA-2003-SCO.32/erg712482b.Z

- Vulnerability information

2818
Open UNIX/UnixWare procfs Privilege Escalation

- Vulnerability description

SCO UnixWare 7.1.1, 7.1.3, and Open UNIX 8.0.0 contain a flaw that may allow a malicious local user to escalate their privileges. The issue is that procfs descriptors are handled insecurely. This allows malicious users to bypass the protection on a setuid/setgid file's process address space image ('/proc/$PID/as') and manipulate it. It is possible, because of the flaw, for a local user to run arbitrary code as another local user, resulting in a loss of confidentiality, integrity, and/or availability.

- Timeline

2003-11-12 2003-10-24
Unknown Unknown

- Solution

Upgrade to the latest packages, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Credit

Unknown or Incomplete

- Vulnerability information

SCO UnixWare/Open UNIX Insecure Handling Of ProcFS Vulnerability
Access Validation Error 9025
No Yes
2003-11-12 12:00:00 2009-07-12 12:56:00
Discovery of this vulnerability has been credited to Joel Soderberg and Christer Oberg from Texonet.

- Affected program versions

SCO Unixware 7.1.3
SCO Unixware 7.1.1
SCO Open UNIX 8.0

- Vulnerability discussion

There exists a protection facility in procfs to prevent access to certain files in the procfs when setuid/setgid executables are run by an unprivileged user.

The SCO UnixWare/Open UNIX implementation of procfs has been reported prone to a vulnerability that will allow a local attacker to bypass procfs setuid/setgid 'as' file protection procedures.

A local attacker may exploit this vulnerability to elevate privileges on a vulnerable system.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

SCO have released an advisory (CSSA-2003-SCO.32) and fixes to address this issue. Users who are potentially affected by this vulnerability are advised to apply the relevant fixes as soon as possible. Further information regarding obtaining and applying appropriate fixes can be found in the referenced advisory.


SCO Unixware 7.1.1

SCO Unixware 7.1.3

SCO Open UNIX 8.0

- Related references
