Published: 2004-12-06 00:00:00
Revised: 2008-09-05 16:38:19

[Original] The xatitv program in the gatos package does not properly drop root privileges when the configuration file does not exist, which allows local users to execute arbitrary commands via shell metacharacters in a system call.

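[CNNVD] Gatos xatitv Missing Configuration File Privilege Escalation Vulnerability (CNNVD-200412-015)

        xatitv is normally installed setuid root so that it can access the display hardware directly, and it normally drops privileges after successful initialization. However, if initialization fails because the configuration file is missing, root privileges are not properly dropped, and xatitv calls the system(3) function to execute the configuration file without filtering user-supplied environment variables. The configuration file is included by default, however, unless an administrator accidentally removes it.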

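- CVSS (Base Score)

CVSS score: 7.2 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may take the system down completely]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]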

- CPE (Affected Platforms and Products)


- OVAL (Technical Details for Detection)


- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources
(VENDOR_ADVISORY)  XF  gatos-xatitv-gain-privileges(16273)

- Vulnerability information

Gatos xatitv Missing Configuration File Privilege Escalation Vulnerability
High risk Other
2004-12-06 00:00:00 2005-10-20 00:00:00

- Advisories and patches


- Vulnerability information (F33453)

dsa-509.txt (PacketStormID:F33453)
2004-05-30 00:00:00
Matt Zimmerman

Debian Security Advisory DSA 509-1 - Steve Kemp discovered a vulnerability in xatitv, one of the programs in the gatos package. If an administrator removes the default configuration file, a local attacker can escalate to root privileges.


--------------------------------------------------------------------------
Debian Security Advisory DSA 509-1                          Matt Zimmerman
May 29th, 2004
--------------------------------------------------------------------------

Package        : gatos
Vulnerability  : privilege escalation
Problem-Type   : local
Debian-specific: no
CVE Ids        : CAN-2004-0395

Steve Kemp discovered a vulnerability in xatitv, one of the programs
in the gatos package, which is used to display video with certain
ATI video cards.

xatitv is installed setuid root in order to gain direct access to the
video hardware.  It normally drops root privileges after successfully
initializing itself.  However, if initialization fails due to a
missing configuration file, root privileges are not dropped, and
xatitv executes the system(3) function to launch its configuration
program without sanitizing user-supplied environment variables.

By exploiting this vulnerability, a local user could gain root
privileges if the configuration file does not exist.  However, a
default configuration file is supplied with the package, and so this
vulnerability is not exploitable unless this file is removed by the

For the current stable distribution (woody) this problem has been
fixed in version 0.0.5-6woody1.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you update your gatos package.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
--------------------------------


  These files will probably be moved into the stable distribution on
  its next revision.

---------------------------------------------------------------------------------
For apt-get: deb stable/updates main
For dpkg-ftp: dists/stable/updates/main
Mailing list:
Package info: `apt-cache show <pkg>' and<pkg>


- Vulnerability information

Debian GATOS xatitv Initialization Privilege Escalation
Local Access Required Authentication Management, Misconfiguration
Loss of Confidentiality
Exploit Unknown

- Vulnerability description

Debian Gatos contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when an administrator removes the Gatos default configuration file: root privileges are not dropped on xatitv initialization, and xatitv executes the system(3) function to launch its configuration program without sanitizing user-supplied environment variables. This flaw may lead to a loss of Confidentiality.

- Timeline

2004-05-31 Unknown
Unknown Unknown

- Solution

Upgrade to version 0.0.5-6woody1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

- Vulnerability information

Gatos xatitv Missing Configuration File Privilege Escalation Vulnerability
Failure to Handle Exceptional Conditions 10437
No Yes
2004-05-29 12:00:00 2009-07-12 05:16:00
Discovery is credited to Steve Kemp.

- Affected program versions

gatos gatos 0.0.5
- Debian Linux 3.0 sparc
- Debian Linux 3.0 s/390
- Debian Linux 3.0 ppc
- Debian Linux 3.0 mipsel
- Debian Linux 3.0 mips
- Debian Linux 3.0 m68k
- Debian Linux 3.0 ia-64
- Debian Linux 3.0 ia-32
- Debian Linux 3.0 hppa
- Debian Linux 3.0 arm
- Debian Linux 3.0 alpha
- Debian Linux 3.0

- Vulnerability discussion

The gatos xatitv utility is prone to a local privilege escalation vulnerability.

This issue may occur when the utility, which is installed setuid root, fails to drop privileges due to a missing configuration file. Unsanitized user-supplied environment variables may then be exploited to escalate privileges.

It is noted that the software ships with a default configuration file, so exploitation would require that the file was removed at some point.
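
The startup ordering described above, in corrected form, as an added C example (not gatos source code; the function names, the config path and the `/bin/true` helper are assumptions for illustration). Privileges are dropped on every path before the configuration check, and the helper is started with `execve` and a fixed environment rather than through `system(3)`.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently give up setuid/setgid privileges; 0 on success, -1 on failure. */
int drop_privileges(void) {
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid();
    if (setgid(rgid) != 0) return -1;   /* group first, while still privileged */
    if (setuid(ruid) != 0) return -1;
    /* If we started privileged, regaining the old euid must now fail. */
    if (euid != ruid && setuid(euid) == 0) return -1;
    return (geteuid() == ruid && getegid() == rgid) ? 0 : -1;
}

/* Run argv[0] directly (no shell) with a fixed environment; returns its exit code. */
int run_clean(char *const argv[]) {
    static char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privileges() != 0) _exit(126);  /* never exec a helper as root */
        execve(argv[0], argv, envp);
        _exit(127);                              /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Startup order: privileged setup, then drop on EVERY path, then look at config. */
int start(const char *config_path, char *const helper_argv[]) {
    /* ... privileged hardware initialisation would go here (omitted) ... */
    if (drop_privileges() != 0) return -1;
    if (access(config_path, R_OK) == 0) return 0;  /* config present: carry on */
    return run_clean(helper_argv);                 /* missing: launch helper safely */
}

int main(void) {
    char *helper[] = { "/bin/true", NULL };        /* stand-in for a config tool */
    return start("/etc/constructed-example.conf", helper) == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```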

- Exploit

There is no exploit required.

- Solution

Debian has released fixes for this vulnerability.

gatos gatos 0.0.5

- Related references