CVE-2004-0233
CVSS 2.1
Published: 2004-08-18 00:00:00
Revised: 2010-08-21 00:20:00

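[Original] Utempter allows device names that contain .. (dot dot) directory traversal sequences, which allows local users to overwrite arbitrary files via a symlink attack on device names in combination with an application that trusts the utmp or wtmp files.


[CNNVD] UTempter Multiple Local Vulnerabilities (CNNVD-200408-197)

        Utempter allows device names that contain .. (dot dot) directory traversal sequences; local users can overwrite arbitrary files via a symlink attack on device names in combination with an application that trusts the utmp or wtmp files.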
        

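- CVSS (Base Score)

CVSS score: 2.1 [Minor (LOW)]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]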

- CPE (Affected Platforms and Products)

cpe:/a:utempter:utempter:0.5.3
cpe:/a:utempter:utempter:0.5.2
cpe:/a:sgi:propack:2.4  SGI ProPack 2.4
cpe:/o:slackware:slackware_linux
cpe:/a:sgi:propack:3.0  SGI ProPack 3.0
cpe:/o:slackware:slackware_linux:9.1  Slackware Linux 9.1

- OVAL (Technical Details for Detection)

oval:org.mitre.oval:def:979  Utempter Directory Traversal Vulnerability
oval:org.mitre.oval:def:10115  Utempter allows device names that contain .. (dot dot) directory traversal sequences, which allows local users to overwrite arbitrary files ...
*OVAL describes in detail how to detect this vulnerability; more technical details on detecting it can be found in the related OVAL definitions.

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0233
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0233
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200408-197
(Official data source) CNNVD

- Other Links and Resources

http://www.securityfocus.com/bid/10178
(VENDOR_ADVISORY)  BID  10178
http://www.redhat.com/support/errata/RHSA-2004-174.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2004:174
http://xforce.iss.net/xforce/xfdb/15904
(VENDOR_ADVISORY)  XF  utemper-symlink(15904)
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.404389
(UNKNOWN)  SLACKWARE  SSA:2004-110
http://www.redhat.com/support/errata/RHSA-2004-175.html
(UNKNOWN)  REDHAT  RHSA-2004:175
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1000752.1-1
(UNKNOWN)  SUNALERT  1000752
http://security.gentoo.org/glsa/glsa-200405-05.xml
(UNKNOWN)  GENTOO  GLSA-200405-05
http://www.mandriva.com/security/advisories?name=MDKSA-2004:031
(UNKNOWN)  MANDRAKE  MDKSA-2004:031

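- Vulnerability Information

UTempter Multiple Local Vulnerabilities
Low risk  Path traversal
2004-08-18 00:00:00 2006-09-22 00:00:00
Local
        Utempter allows device names that contain .. (dot dot) directory traversal sequences; local users can overwrite arbitrary files via a symlink attack on device names in combination with an application that trusts the utmp or wtmp files.
        

- Advisories and Patches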

        Red Hat has released an advisory RHSA-2004:175-01 and fixes to address this issue. Please see referenced advisory for further details regarding obtaining and applying appropriate fixes.
        Mandrake has released an advisory MDKSA-2004:031-1 and fixes to address this issue. Please see referenced advisory for further details regarding obtaining and applying appropriate fixes.
        Slackware Linux has released advisory SSA:2004-110-01 and updates dealing with this issue.
        Red Hat Fedora has released advisory FEDORA-2004-108 and information on updating the affected application. Please see the referenced advisory for more information.
        Gentoo Linux has released advisory GLSA 200405-05 dealing with this issue. It is recommended that affected users issue these commands to ensure their system is properly updated:
        # emerge sync
        # emerge -pv ">=sys-apps/utempter-0.5.5.4"
        # emerge ">=sys-apps/utempter-0.5.5.4"
        Red Hat Fedora Legacy has released advisory FLSA:1546 dealing with this issue for Red Hat Linux 8.0, 7.3 and 7.2. Please see the referenced advisory for more information.
        Red Hat has released advisory RHSA-2004:174-09 and fixes to address this issue on Red Hat Linux Enterprise platforms. Customers who are affected by this issue are advised to apply the appropriate updates. Customers subscribed to the Red Hat Network may apply the appropriate fixes using the Red Hat Update Agent (up2date). Please see referenced advisory for additional information.
        SGI has released an advisory (20040603-01-U) to address this and other issues in SGI ProPack 3. Please see the referenced advisory for more information.
        SGI has released an advisory (20040602-01-U) to address this and other issues in SGI ProPack 2.4. Please see the referenced advisory for more information.
        Sun has released Sun Alert Notification #57658 to address this issue in Sun Java Desktop System operating systems. Please see the referenced alert for further information on obtaining fixes.
        RedHat utempter-0.5.2-16.i386.rpm
        
        Slackware Linux -current
        
        utempter utempter 0.5.2
        

- Vulnerability Information (24027)

UTempter 0.5.x Multiple Local Vulnerabilities (EDBID:24027)
linux local
2004-04-19 Verified
0 Steve Grubb
N/A
source: http://www.securityfocus.com/bid/10178/info

It has been reported that utempter is affected by multiple local vulnerabilities. The first issue is due to an input validation error that causes the application to exit improperly, facilitating symbolic link attacks. The second issue is due to a failure of the application to properly validate buffer boundaries.

The first issue results in a symbolic link vulnerability. Since utempter runs with root privileges, this issue could be leveraged to corrupt arbitrary, attacker-specified system files.

The second problem presents itself when utempter processes certain strings. These errors may cause the affected process to crash. It has been conjectured that this may be leveraged to execute arbitrary code on the affected system; however, this is currently unverified.

An attacker would create the following symbolic link that references an arbitrary system file:

/tmp/tty0

The attacker would then provide the following device descriptor string to the application:

/dev/../tmp/tty0		

- Vulnerability Information (F33129)

MDKSA-2004:031.txt (PacketStormID:F33129)
2004-04-19 00:00:00
Steve Grubb  mandrakesecure.net
advisory,denial of service,arbitrary
linux,mandrake
CVE-2004-0233

Mandrake Linux Security Update Advisory - Problems lie in the utempter program versions 10.0, 9.2, 9.1, Corporate Server 2.1, and Multi Network Firewall 8.2 that allow for arbitrary file overwrites and denial of service attacks.

 _______________________________________________________________________

                 Mandrakelinux Security Update Advisory
 _______________________________________________________________________

 Package name:           utempter
 Advisory ID:            MDKSA-2004:031
 Date:                   April 19th, 2004

 Affected versions:   10.0, 9.1, 9.2, Corporate Server 2.1,
       Multi Network Firewall 8.2
 ______________________________________________________________________

 Problem Description:

 Steve Grubb discovered two potential issues in the utempter program:

 1) If the path to the device contained /../ or /./ or //, the
 program was not exiting as it should. It would be possible to use something
 like /dev/../tmp/tty0, and then if /tmp/tty0 were deleted and symlinked
 to another important file, programs that have root privileges that do no
 further validation can then overwrite whatever the symlink pointed to.

 2) Several calls to strncpy without a manual termination of the string.
 This would most likely crash utempter.

 The updated packages are patched to correct these problems.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0233
 ______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 A list of FTP mirrors can be obtained from:

  http://www.mandrakesecure.net/en/ftp.php

 All packages are signed by Mandrakesoft for security.  You can obtain
 the GPG public key of the Mandrakelinux Security Team by executing:

  gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98

 Please be aware that sometimes it takes the mirrors a few hours to
 update.

 You can view other update advisories for Mandrakelinux at:

  http://www.mandrakesecure.net/en/advisories/

 Mandrakesoft has several security-related mailing list services that
 anyone can subscribe to.  Information on these lists can be obtained by
 visiting:

  http://www.mandrakesecure.net/en/mlist.php

 If you want to report vulnerabilities, please contact

  security_linux-mandrake.com

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  <security linux-mandrake.com>
    </div>

  </div>
</div>

<div id="o-box"><img src="http://packetstatic.com/img1353978071/o_close.png" alt="close" height="30" width="30" id="o-close" /><div id="o-main"></div></div>


<script type="text/javascript"> var _gaq = _gaq || []; _gaq.push(['_setAccount', 'UA-18885198-1']); _gaq.push(['_setDomainName', '.packetstormsecurity.com']); _gaq.push(['_trackPageview']); (function() {var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true; ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);})(); </script><noscript><img src="http://www.google-analytics.com/__utm.gif?utmwv=1.3&utmn=1470454012&utmcs=ISO-8859-1&utmsr=31337x31337&utmsc=32-bit&utmul=en-us&utmje=0&utmfl=-&utmcn=1&utmdt=MDKSA-2004%3A031.txt%u2248%20Packet%20Storm&utmhn=packetstormsecurity.com&utmr=-&utmp=%2Ffiles%2F33129%2F&utmac=UA-18885198-1&utmcc=__utma%3D32867617.1470454012.1366882503.1366882503.1366882503.1%3B%2B__utmz%3D32867617.1366882503.1.1.utmccn%3D(direct)%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)" width="2" height="2" alt="" /></noscript>
<!-- Thu, 25 Apr 2013 09:35:00 GMT -->
</body>
</html>
    

- Vulnerability Information

5550
utempter Symlink Arbitrary File Overwrite
Local Access Required Input Manipulation, Race Condition
Loss of Integrity
Exploit Unknown

- Vulnerability Description

utempter contains a flaw that may allow a malicious user to overwrite arbitrary files. The issue is triggered when a path to a device contains "/../", "/./", or "//" characters. It is possible that the flaw may allow a malicious user to create symlink attacks and overwrite arbitrary files resulting in a loss of integrity.

- Timeline

2004-04-19 Unknown
Unknown Unknown

- Solution

Consult your vendor for an appropriate upgrade. An upgrade is required as there are no known workarounds.

- Vulnerability Information

UTempter Multiple Local Vulnerabilities
Unknown 10178
No Yes
2004-04-19 12:00:00 2009-07-12 04:06:00
Discovery of these issues has been credited to Steve Grubb.

- Affected Versions

utempter utempter 0.5.3
utempter utempter 0.5.2
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ MandrakeSoft Multi Network Firewall 2.0
+ Mandriva Linux Mandrake 10.0
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
Sun Java Desktop System (JDS) 2.0
Sun Java Desktop System (JDS) 2003
Slackware Linux 9.1
Slackware Linux -current
SGI ProPack 3.0
SGI ProPack 2.4
RedHat utempter-0.5.2-16.i386.rpm
+ RedHat Linux 9.0 i386

- Unaffected Versions

utempter utempter 0.5.5.4

- Discussion

It has been reported that utempter is affected by multiple local vulnerabilities. The first issue is due to an input validation error that causes the application to exit improperly, facilitating symbolic link attacks. The second issue is due to a failure of the application to properly validate buffer boundaries.

The first issue results in a symbolic link vulnerability. Since utempter runs with root privileges, this issue could be leveraged to corrupt arbitrary, attacker-specified system files.

The second problem presents itself when utempter processes certain strings. These errors may cause the affected process to crash. It has been conjectured that this may be leveraged to execute arbitrary code on the affected system; however, this is currently unverified.

This BID will be updated as new information becomes available.

- Exploit

The following proof of concept has been provided to leverage the symbolic link issue:

An attacker would create the following symbolic link that references an arbitrary system file:

/tmp/tty0

The attacker would then provide the following device descriptor string to the application:

/dev/../tmp/tty0
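
The input check implied by the descriptions above, as an added example that is not utempter's own code: a purely lexical validator in C that rejects device names containing "/../", "/./" or "//", names outside /dev/, and over-long names. The function name and the DEV_NAME_MAX bound are assumptions made for this illustration.

```c
#include <stddef.h>
#include <string.h>

#define DEV_PREFIX   "/dev/"
#define DEV_NAME_MAX 64   /* assumed bound for this example, not utempter's */

/* Hypothetical helper: returns 1 if `path` is acceptable as a tty device
 * name, 0 otherwise. Purely lexical; it never touches the filesystem. */
int device_name_is_safe(const char *path)
{
    size_t len, prefix_len = strlen(DEV_PREFIX);
    const char *comp, *end;

    if (path == NULL)
        return 0;

    /* Bound the length before anything copies the string. */
    for (len = 0; path[len] != '\0'; len++)
        if (len >= DEV_NAME_MAX)
            return 0;

    /* The name must live under /dev/ and have at least one component. */
    if (len <= prefix_len || strncmp(path, DEV_PREFIX, prefix_len) != 0)
        return 0;

    /* Walk the components after "/dev/" one at a time. */
    for (comp = path + prefix_len; ; comp = end + 1) {
        size_t n;

        end = strchr(comp, '/');
        n = end ? (size_t)(end - comp) : strlen(comp);

        if (n == 0)                                      /* "//" or trailing "/" */
            return 0;
        if (n == 1 && comp[0] == '.')                    /* "/./" */
            return 0;
        if (n == 2 && comp[0] == '.' && comp[1] == '.')  /* "/../" */
            return 0;
        if (end == NULL)
            break;
    }
    return 1;
}
```

A lexical check alone does not cover symbolic links placed inside /dev itself; a privileged helper would also need to confirm what the final path refers to before writing.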

- Solution

Red Hat has released an advisory RHSA-2004:175-01 and fixes to address this issue. Please see referenced advisory for further details regarding obtaining and applying appropriate fixes.

Mandrake has released an advisory MDKSA-2004:031-1 and fixes to address this issue. Please see referenced advisory for further details regarding obtaining and applying appropriate fixes.

Slackware Linux has released advisory SSA:2004-110-01 and updates dealing with this issue.

Red Hat Fedora has released advisory FEDORA-2004-108 and information on updating the affected application. Please see the referenced advisory for more information.

Gentoo Linux has released advisory GLSA 200405-05 dealing with this issue. It is recommended that affected users issue these commands to ensure their system is properly updated:
# emerge sync
# emerge -pv ">=sys-apps/utempter-0.5.5.4"
# emerge ">=sys-apps/utempter-0.5.5.4"

Red Hat Fedora Legacy has released advisory FLSA:1546 dealing with this issue for Red Hat Linux 8.0, 7.3 and 7.2. Please see the referenced advisory for more information.

Red Hat has released advisory RHSA-2004:174-09 and fixes to address this issue on Red Hat Linux Enterprise platforms. Customers who are affected by this issue are advised to apply the appropriate updates. Customers subscribed to the Red Hat Network may apply the appropriate fixes using the Red Hat Update Agent (up2date). Please see referenced advisory for additional information.

SGI has released an advisory (20040603-01-U) to address this and other issues in SGI ProPack 3. Please see the referenced advisory for more information.

SGI has released an advisory (20040602-01-U) to address this and other issues in SGI ProPack 2.4. Please see the referenced advisory for more information.

Sun has released Sun Alert Notification #57658 to address this issue in Sun Java Desktop System operating systems. Please see the referenced alert for further information on obtaining fixes.


