CVE-2004-0115
CVSS 4.6
Published: 2004-03-03 00:00:00
Last revised: 2008-09-05 16:37:34

[Original] VirtualPC_Services in Microsoft Virtual PC for Mac 6.0 through 6.1 allows local attackers to truncate and overwrite arbitrary files, and execute arbitrary code, via a symlink attack on the VPCServices_Log temporary file.


[CNNVD] Microsoft Virtual PC for Mac temporary file privilege escalation vulnerability (MS04-005) (CNNVD-200403-044)

        
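        Virtual PC is an x86 virtual machine system that runs on the Mac OS X and Windows platforms.
        Several programs included with Virtual PC on Mac OS X handle temporary files incorrectly, and a local attacker can exploit this vulnerability to gain root privileges.
        VirtualPC_Services is a setuid root program. Because it does not perform sufficient checks when creating temporary files, an attacker can use a symbolic link to truncate or overwrite arbitrary files on the system.
        VirtualPC_Services creates the file /tmp/VPCServices_Log at startup. Because it does not check whether the file already exists, and the file is writable by anyone, an attacker can create a symbolic link in the /tmp/ directory that points VPCServices_Log at an arbitrary system file. When the program runs, that system file is overwritten with root privileges, resulting in denial of service or privilege escalation.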
        

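- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions for exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]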

- CPE (affected platforms and products)

cpe:/a:microsoft:virtual_pc:6.1::mac
cpe:/a:microsoft:virtual_pc:6.0::mac
cpe:/a:microsoft:virtual_pc:6.2::mac

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0115
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0115
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200403-044
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/9632
(VENDOR_ADVISORY)  BID  9632
http://www.microsoft.com/technet/security/bulletin/ms04-005.asp
(VENDOR_ADVISORY)  MS  MS04-005
http://www.atstake.com/research/advisories/2004/a021004-1.txt
(VENDOR_ADVISORY)  ATSTAKE  A021004-1
http://xforce.iss.net/xforce/xfdb/15113
(UNKNOWN)  XF  virtual-pc-gain-privileges(15113)
http://www.osvdb.org/3893
(UNKNOWN)  OSVDB  3893
http://www.ciac.org/ciac/bulletins/o-076.shtml
(UNKNOWN)  CIAC  O-076

- Vulnerability information

Microsoft Virtual PC for Mac temporary file privilege escalation vulnerability (MS04-005)
Medium  Unknown
2004-03-03 00:00:00 2005-05-13 00:00:00
Local
        
        

- Advisories and patches

        Vendor patch:
        Microsoft
        ---------
        Microsoft has released a security bulletin (MS04-005) and a corresponding patch for this issue:
        MS04-005: Vulnerability in Virtual PC for Mac could lead to privilege elevation (835150)
        Link:
        http://www.microsoft.com/technet/security/bulletin/MS04-005.asp

        Patch download:
        Microsoft Upgrade Virtual PC for Mac 6.1.1
        
        http://www.microsoft.com/mac/downloads.aspx?pid=download&location=/mac/download/misc/vpc6_1_1.xml&secid=100&ssid=1&flgnosysreq=True

- Vulnerability information (F32666)

Atstake Security Advisory 04-02-10.1 (PacketStormID:F32666)
2004-02-11 00:00:00
Atstake,George Gal  atstake.com
advisory
apple,osx
CVE-2004-0115

Atstake Security Advisory A021004-1 - Both Connectix Virtual PC 6.0.x and Microsoft Virtual PC 6.1 on Mac OS X suffer from an insecure temporary file creation vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                                @stake, Inc.
                              www.atstake.com

                             Security Advisory

Advisory Name: Virtual PC Services Insecure Temporary File Creation
 Release Date: 02/10/2004
  Application: Connectix Virtual PC 6.0.x
               Microsoft Virtual PC 6.1
     Platform: Mac OS X
     Severity: Local privilege escalation
       Author: George Gal <ggal@atstake.com>
Vendor Status: Vendor has updated version of the software
CVE Candidate: CAN-2004-0115
    Reference: www.atstake.com/research/advisories/2004/a021004-1.txt


Overview: 

Virtual PC is a popular x86 virtual machine emulator capable of running
several guest operating systems under the Mac OS X and Windows
platforms. Virtual PC provides a set of services for managing network
sharing capabilities under Mac OS X. These services are spawned from
the setuid root binary, VirtualPC_Services, which creates several
temporary files when it is executed. The VirtualPC_Services does not
check for several unsafe conditions prior to creation of these
temporary files. As a result an attacker with interactive login
access to the system may leverage insecure temporary files to become 
root or overwrite critical system files.


Details: 

@stake has identified a vulnerability within the setuid root binary, 
VirtualPC_Services, due to its inability to check for dangerous
conditions prior to temporary file creation.  This vulnerability
allows an attacker to truncate and overwrite arbitrary files in
addition to creation of arbitrary files with insecure file
permissions.  

Using this vulnerability it is feasible for an attacker to gain root
privileges on the system. The VirtualPC_Services binary creates a
log file upon startup as /tmp/VPCServices_Log.  An attacker may
create a symbolic link in the /tmp/ directory as VPCServices_Log
pointing to an arbitrary file to be overwritten when the
VirtualPC_Services binary is executed. However, when the symbolic
link points to a non-existent file a new file is created with file
permissions determined by the unprivileged user's umask(2) settings.


Vendor Response:

Microsoft has an updated version of the software available.

Download information available at:

http://www.microsoft.com/technet/security/bulletin/MS04-005.asp


Recommendation: 

If possible install the updated version of Virtual PC.

Do not install Virtual PC on a multi-user machine.  If this is a
requirement, only allow users within a particular group to access
Virtual PC.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned 
the following names to these issues.  These are candidates for 
inclusion in the CVE list (http://cve.mitre.org), which standardizes 
names for security problems.


   CAN-2004-0115

@stake Vulnerability Reporting Policy: 
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

Copyright 2004 @stake, Inc. All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQCkrWke9kNIfAm4yEQJr3gCgzh/grlYI0dPRnvOmCYIYXPtTKTEAniMG
FMuE/Uyj9h/1q8+peD80BmPq
=W/J8
-----END PGP SIGNATURE-----
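
The missing check the advisory describes, as an added C example (not code from @stake, Microsoft or Virtual PC): `open_log_unsafe` is an assumed shape of the flawed open, `open_log_safe` a hardened form, and `victim_size_after` runs either one against a constructed symlink inside a private mkdtemp() directory. All function names and the demo paths are hypothetical.

```c
/* Added example; function names and the demo directory are hypothetical. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed shape of the flawed call: follows a pre-planted symlink, truncates
   its target, and leaves the mode of a newly created file to the umask. */
int open_log_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened form: O_EXCL fails with EEXIST if the name already exists, even as
   a dangling symlink; O_NOFOLLOW refuses a symlink; fchmod pins the mode. */
int open_log_safe(const char *path) {
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        fchmod(fd, 0600) != 0) { close(fd); return -1; }
    return fd;
}

/* Constructed scenario in a private mkdtemp() directory: the log name is a
   symlink to "victim" (9 bytes). Returns victim's size after the open. */
long victim_size_after(int use_safe) {
    char dir[] = "/tmp/vpcdemoXXXXXX", victim[64], logp[64];
    struct stat st; FILE *f; int fd; long n;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(logp, sizeof logp, "%s/VPCServices_Log", dir);
    if (!(f = fopen(victim, "w"))) return -1;
    fputs("important", f); fclose(f);
    if (symlink(victim, logp) != 0) return -1;
    fd = use_safe ? open_log_safe(logp) : open_log_unsafe(logp);
    if (fd >= 0) close(fd);
    n = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(logp); unlink(victim); rmdir(dir);
    return n;
}

int main(void) {
    printf("unsafe open: victim is %ld bytes\n", victim_size_after(0));
    printf("safe open:   victim is %ld bytes\n", victim_size_after(1));
    return 0;
}
```

A privileged program is better served by keeping its log in a directory only root can write to; the exclusive-create flags are the fallback when a shared directory such as /tmp cannot be avoided.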
    

- Vulnerability information

3893
Microsoft Virtual PC for Mac Insecure Temporary Files Creation
Local Access Required Race Condition
Loss of Integrity, Loss of Availability
Exploit Public

- Vulnerability description

Virtual PC for Mac contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered because the program creates temporary files insecurely. This flaw may lead to a loss of integrity and/or availability.

- Timeline

2004-02-10 2004-02-10
Unknown Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- Related references

- Vulnerability author

Unknown or Incomplete
 

 
