CVE-2004-0559
CVSS2.1
发布时间 :2004-10-20 00:00:00
修订时间 :2008-09-05 16:38:45
NMCOPS    

[原文]The maketemp.pl script in Usermin 1.070 and 1.080 allows local users to overwrite arbitrary files at install time via a symlink attack on the /tmp/.usermin directory.


[CNNVD]Webmin / Usermin安装不安全临时文件创建漏洞(CNNVD-200410-043)

        Usermin 1.070版本及1.080版本中的maketemp.pl脚本存在漏洞。本地用户借助/tmp/.usermin目录的符号连接攻击在安装时覆盖任意文件。

- CVSS (基础分值)

CVSS分值: 2.1 [轻微(LOW)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:mandrakesoft:mandrake_linux:10.0::amd64
cpe:/a:webmin:webmin:1.0.60
cpe:/a:webmin:webmin:1.1.00
cpe:/o:mandrakesoft:mandrake_linux_corporate_server:2.1::x86_64
cpe:/a:webmin:webmin:1.0.50
cpe:/a:usermin:usermin:1.080
cpe:/o:mandrakesoft:mandrake_linux_corporate_server:2.1MandrakeSoft Mandrake Linux Corporate Server 2.1
cpe:/a:webmin:webmin:1.0.80
cpe:/a:webmin:webmin:1.1.21
cpe:/a:usermin:usermin:1.000
cpe:/a:usermin:usermin:1.070
cpe:/a:usermin:usermin:1.040
cpe:/a:webmin:webmin:1.1.30
cpe:/a:webmin:webmin:1.1.40
cpe:/a:webmin:webmin:1.1.50
cpe:/a:usermin:usermin:1.051
cpe:/a:webmin:webmin:1.0.70
cpe:/a:webmin:webmin:1.0.00
cpe:/a:usermin:usermin:1.060
cpe:/o:mandrakesoft:mandrake_linux:9.2::amd64
cpe:/a:usermin:usermin:1.010
cpe:/o:mandrakesoft:mandrake_linux:9.2MandrakeSoft Mandrake Linux 9.2
cpe:/a:webmin:webmin:1.0.20
cpe:/o:mandrakesoft:mandrake_linux:10.0MandrakeSoft Mandrake Linux 10.0
cpe:/a:usermin:usermin:1.030
cpe:/a:usermin:usermin:1.020
cpe:/a:webmin:webmin:1.1.10
cpe:/a:webmin:webmin:1.0.90

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0559
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0559
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200410-043
(官方数据源) CNNVD

- 其它链接及资源

http://xforce.iss.net/xforce/xfdb/17299
(VENDOR_ADVISORY)  XF  usermin-installation-unspecified(17299)
http://www.securityfocus.com/bid/11153
(VENDOR_ADVISORY)  BID  11153
http://www.gentoo.org/security/en/glsa/glsa-200409-15.xml
(VENDOR_ADVISORY)  GENTOO  GLSA-200409-15
http://secunia.com/advisories/12488/
(VENDOR_ADVISORY)  SECUNIA  12488
http://www.webmin.com/uchanges-1.089.html
(UNKNOWN)  CONFIRM  http://www.webmin.com/uchanges-1.089.html

- 漏洞信息

Webmin / Usermin安装不安全临时文件创建漏洞
低危 访问验证错误
2004-10-20 00:00:00 2005-10-20 00:00:00
本地  
        Usermin 1.070版本及1.080版本中的maketemp.pl脚本存在漏洞。本地用户借助/tmp/.usermin目录的符号连接攻击在安装时覆盖任意文件。

- 公告与补丁

        It is reported that Usermin version 1.090 and Webmin 1.160 are not affected by this issue.
        Gentoo has released an advisory to address these issues. Please see the referenced advisory for more information. Gentoo users may carry out the following commands to update their computers:
        Usermin:
        emerge sync
        emerge -pv ">=app-admin/usermin-1.090"
        emerge ">=app-admin/usermin-1.090"
        Webmin:
        emerge sync
        emerge -pv ">=app-admin/webmin-1.160"
        emerge ">=app-admin/webmin-1.160"
        Debian has released advisory DSA 544-1 along with fixes dealing with this issue. Please see the referenced advisory for more information.
        Mandrake Linux has released advisory MDKSA-2004:101 along with fixes to address this issue. Please see the referenced advisory for further information.
        Turbolinux has released advisory 20050207 [TURBOLINUX SECURITY INFO] 07/Feb/2005 to address various issues. Please see the referenced advisory for more information.
        Webmin Webmin 1.0 00
        
        Usermin Usermin 1.0 10
        
        Webmin Webmin 1.0 90
        
        Usermin Usermin 1.0 00
        
        Usermin Usermin 1.0 30
        
        Webmin Webmin 1.0 50
        
        Usermin Usermin 1.0 80
        
        Webmin Webmin 1.0 80
        
        Usermin Usermin 1.0 51
        
        Usermin Usermin 1.0 60
        
        Usermin Usermin 1.0 40
        
        Webmin Webmin 1.0 60
        
        Webmin Webmin 1.0 70
        
        Usermin Usermin 1.0 70
        
        Webmin Webmin 1.0 20
        
        Usermin Usermin 1.0 20
        
        Webmin Webmin 1.100
        
        Webmin Webmin 1.110
        
        Webmin Webmin 1.121
        
        Webmin Webmin 1.130
        
        Webmin Webmin 1.140
        
        Webmin Webmin 1.150
        

- 漏洞信息 (F34351)

dsa-544.txt (PacketStormID:F34351)
2004-09-15 00:00:00
Debian  debian.org
advisory,web
linux,debian
CVE-2004-0559
[点击下载]

Debian Security Advisory DSA 544-1 - Ludwig Nussel discovered a problem in webmin, a web-based administration toolkit. A temporary directory was used but without checking for the previous owner. This could allow an attacker to create the directory and place dangerous symbolic links inside.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 544-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
September 14th, 2004                    http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : webmin
Vulnerability  : insecure temporary directory
Problem-Type   : root
Debian-specific: no
CVE ID         : CAN-2004-0559

Ludwig Nussel discovered a problem in webmin, a web-based
administration toolkit.  A temporary directory was used but without
checking for the previous owner.  This could allow an attacker to
create the directory and place dangerous symbolic links inside.

For the stable distribution (woody) this problem has been fixed in
version 0.94-7woody3.

For the unstable distribution (sid) this problem has been fixed in
version 1.160-1 of webmin and 1.090-1 of usermin.

We recommend that you upgrade your webmin packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/w/webmin/webmin_0.94-7woody3.dsc
      Size/MD5 checksum:     1126 fc3cda806f5d94666cdc2cdac03e2c75
    http://security.debian.org/pool/updates/main/w/webmin/webmin_0.94-7woody3.diff.gz
      Size/MD5 checksum:    63028 64e3c4f454a1d576a4c52df29554309b
    http://security.debian.org/pool/updates/main/w/webmin/webmin_0.94.orig.tar.gz
      Size/MD5 checksum:  4831737 114c7ca2557c17faebb627a3de7acb97

  Architecture independent components:

    http://security.debian.org/pool/updates/main/w/webmin/webmin-apache_0.94-7woody3_all.deb
      Size/MD5 checksum:   223812 12f056498c3ace868c1964ef2d9594b1
    http://security.debian.org/pool/updates/main/w/webmin/webmin-bind8_0.94-7woody3_all.deb
      Size/MD5 checksum:   182144 29ff6c45d83b13a482ef93d2ae8c7e3f
    http://security.debian.org/pool/updates/main/w/webmin/webmin-burner_0.94-7woody3_all.deb
      Size/MD5 checksum:    32688 4482f474e97ca209348a86e51c02a92b
    http://security.debian.org/pool/updates/main/w/webmin/webmin-cluster-software_0.94-7woody3_all.deb
      Size/MD5 checksum:    27688 6375d52cdd6f79d7f2e1b2e2d5d9bd6c
    http://security.debian.org/pool/updates/main/w/webmin/webmin-cluster-useradmin_0.94-7woody3_all.deb
      Size/MD5 checksum:    30790 157df9a37fa88cb7f4de6421c43d1f16
    http://security.debian.org/pool/updates/main/w/webmin/webmin-core_0.94-7woody3_all.deb
      Size/MD5 checksum:  1250120 f5fd9854a550095c27ab1c88254804e4
    http://security.debian.org/pool/updates/main/w/webmin/webmin-cpan_0.94-7woody3_all.deb
      Size/MD5 checksum:    26596 a4bc52ed84091eb648c399547b181ad3
    http://security.debian.org/pool/updates/main/w/webmin/webmin-dhcpd_0.94-7woody3_all.deb
      Size/MD5 checksum:    96632 36f8e9ed58c3f3f67146c0f3e5074d29
    http://security.debian.org/pool/updates/main/w/webmin/webmin-exports_0.94-7woody3_all.deb
      Size/MD5 checksum:    54808 9e9119bc090c28d5119daec9bf654f62
    http://security.debian.org/pool/updates/main/w/webmin/webmin-fetchmail_0.94-7woody3_all.deb
      Size/MD5 checksum:    27354 294e18b992f187865f85b2fc0d0abf80
    http://security.debian.org/pool/updates/main/w/webmin/webmin-heartbeat_0.94-7woody3_all.deb
      Size/MD5 checksum:    21776 f58063b055e6e0b429f15f1c9c578d2f
    http://security.debian.org/pool/updates/main/w/webmin/webmin-inetd_0.94-7woody3_all.deb
      Size/MD5 checksum:    48056 1db1b493a9088de2134891d5f0a9d23c
    http://security.debian.org/pool/updates/main/w/webmin/webmin-jabber_0.94-7woody3_all.deb
      Size/MD5 checksum:    31468 65d7199bd25d1f62ff376c0ad7e78a97
    http://security.debian.org/pool/updates/main/w/webmin/webmin-lpadmin_0.94-7woody3_all.deb
      Size/MD5 checksum:   103788 1920d9302034a175a6d3b00ca6f5dcf6
    http://security.debian.org/pool/updates/main/w/webmin/webmin-mon_0.94-7woody3_all.deb
      Size/MD5 checksum:    62498 ee4befa8d564ddb45b38643a62c61cfb
    http://security.debian.org/pool/updates/main/w/webmin/webmin-mysql_0.94-7woody3_all.deb
      Size/MD5 checksum:   119200 60eefbffc7c1a8a30807623b2fb078e4
    http://security.debian.org/pool/updates/main/w/webmin/webmin-nis_0.94-7woody3_all.deb
      Size/MD5 checksum:    62634 16ebd24ca1d45a7f3e76361fa5bda345
    http://security.debian.org/pool/updates/main/w/webmin/webmin-postfix_0.94-7woody3_all.deb
      Size/MD5 checksum:   196726 4d671bfbd3e1e2c8d6b3f9c8ecf93e3a
    http://security.debian.org/pool/updates/main/w/webmin/webmin-postgresql_0.94-7woody3_all.deb
      Size/MD5 checksum:    77564 f0b30ff5b2e01e9aa1e358f2a517e92a
    http://security.debian.org/pool/updates/main/w/webmin/webmin-ppp_0.94-7woody3_all.deb
      Size/MD5 checksum:    20840 8a7057272358f236075ae24aae4dfd9c
    http://security.debian.org/pool/updates/main/w/webmin/webmin-qmailadmin_0.94-7woody3_all.deb
      Size/MD5 checksum:    38028 4a8ef1a18d7d526f061e2924b83e238d
    http://security.debian.org/pool/updates/main/w/webmin/webmin-quota_0.94-7woody3_all.deb
      Size/MD5 checksum:    87994 bc7ec88cc7cf4556f8554d26b44063d3
    http://security.debian.org/pool/updates/main/w/webmin/webmin-raid_0.94-7woody3_all.deb
      Size/MD5 checksum:    35802 ec1761610e6a141705505abc407b5690
    http://security.debian.org/pool/updates/main/w/webmin/webmin-samba_0.94-7woody3_all.deb
      Size/MD5 checksum:   134254 bc70638898d2201d974cbeede4488a02
    http://security.debian.org/pool/updates/main/w/webmin/webmin-sendmail_0.94-7woody3_all.deb
      Size/MD5 checksum:   235266 362bdada21f7c9d6868b4b103593cb86
    http://security.debian.org/pool/updates/main/w/webmin/webmin-software_0.94-7woody3_all.deb
      Size/MD5 checksum:    89332 500a31253b2c7aa207dda9a301b8c325
    http://security.debian.org/pool/updates/main/w/webmin/webmin-squid_0.94-7woody3_all.deb
      Size/MD5 checksum:   222044 e6a595f8db937ded962582354a6a19f2
    http://security.debian.org/pool/updates/main/w/webmin/webmin-sshd_0.94-7woody3_all.deb
      Size/MD5 checksum:    44286 2b20ed27175c52318c937c3e14b7b0e0
    http://security.debian.org/pool/updates/main/w/webmin/webmin-ssl_0.94-7woody3_all.deb
      Size/MD5 checksum:     8524 3c50958c006ef46ccd1d6791dd6907d6
    http://security.debian.org/pool/updates/main/w/webmin/webmin-status_0.94-7woody3_all.deb
      Size/MD5 checksum:    42984 cc008a5c0670c1e2ccb3b63f841ebef6
    http://security.debian.org/pool/updates/main/w/webmin/webmin-stunnel_0.94-7woody3_all.deb
      Size/MD5 checksum:    26804 746be5ce521801c283f2e926621942aa
    http://security.debian.org/pool/updates/main/w/webmin/webmin-wuftpd_0.94-7woody3_all.deb
      Size/MD5 checksum:   111026 7e02060c23b92d5edc175b6cfa7b2f1b
    http://security.debian.org/pool/updates/main/w/webmin/webmin-xinetd_0.94-7woody3_all.deb
      Size/MD5 checksum:    31964 1e35a18332a9f6e753daee5e0157e362
    http://security.debian.org/pool/updates/main/w/webmin/webmin_0.94-7woody3_all.deb
      Size/MD5 checksum:   509128 c24ae0eb379dcdfecb2b4ac2de7351fa

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/w/webmin/webmin-grub_0.94-7woody3_i386.deb
      Size/MD5 checksum:    29546 8fb9582004e9cdaa63fc97f0325ef2a8


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBRwcDW5ql+IAeqTIRAlgVAJ9egZEMvpURgeQWqW+yPXoLzFxWlgCgpKkd
Fn/qX1Q8x9dWQbJc+4isDU4=
=i4kA
-----END PGP SIGNATURE-----
    

- 漏洞信息

9775
Webmin/Usermin Installation .webmin Symlink Local Privilege Escalation
Local Access Required Input Manipulation, Race Condition
Loss of Integrity Upgrade
Exploit Public Vendor Verified

- 漏洞描述

Usermin contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when the /tmp/.webmin directory has been created prior to installation. It is possible for a malicious user to create a symlink to any other file on the system, which would be overwritten when Usermin writes to the link filename, resulting in a loss of integrity.

- 时间线

2004-09-05 Unknow
2004-09-05 2004-09-05

- 解决方案

Upgrade to version 1.090, 1.160 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Webmin / Usermin Installation Insecure Temporary File Creation Vulnerability
Access Validation Error 11153
No Yes
2004-09-10 12:00:00 2009-07-12 07:06:00
The vendor announced this vulnerability.

- 受影响的程序版本

Webmin Webmin 1.150
Webmin Webmin 1.140
Webmin Webmin 1.130
Webmin Webmin 1.121
Webmin Webmin 1.110
Webmin Webmin 1.100
Webmin Webmin 1.0 90
Webmin Webmin 1.0 80
Webmin Webmin 1.0 70
+ HP Apache-Based Web Server 1.3.27 .01
+ HP Apache-Based Web Server 1.3.27 .01
+ HP Webmin-Based Admin 1.0.1 .01
+ HP Webmin-Based Admin 1.0.1 .01
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Workstation 8.0
Webmin Webmin 1.0 60
Webmin Webmin 1.0 50
Webmin Webmin 1.0 20
Webmin Webmin 1.0 00
Usermin Usermin 1.0 80
Usermin Usermin 1.0 70
Usermin Usermin 1.0 60
Usermin Usermin 1.0 51
Usermin Usermin 1.0 40
Usermin Usermin 1.0 30
Usermin Usermin 1.0 20
Usermin Usermin 1.0 10
Usermin Usermin 1.0 00
Usermin Usermin 0.990
Usermin Usermin 0.980
Usermin Usermin 0.970
Usermin Usermin 0.960
Usermin Usermin 0.950
Usermin Usermin 0.940
Usermin Usermin 0.930
Usermin Usermin 0.920
Usermin Usermin 0.910
Usermin Usermin 0.90
Usermin Usermin 0.80
Usermin Usermin 0.7
Mandriva Linux Mandrake 10.0 AMD64
Mandriva Linux Mandrake 10.0
Mandriva Linux Mandrake 9.2 amd64
Mandriva Linux Mandrake 9.2
MandrakeSoft Corporate Server 2.1 x86_64
MandrakeSoft Corporate Server 2.1
Webmin Webmin 1.160
Usermin Usermin 1.0 90

- 不受影响的程序版本

Webmin Webmin 1.160
Usermin Usermin 1.0 90

- 漏洞讨论

It is reported that Webmin and Usermin create insecure temporary files during installation. The result of this is that temporary files created by the applications may use predictable filenames.

A local attacker may possibly exploit this vulnerability to execute symbolic link file overwrite attacks.

Versions of Usermin prior to version 1.090 are reported prone to this vulnerability. Webmin 1.150 and prior versions are affected as well.

- 漏洞利用

No exploit is required.

- 解决方案

It is reported that Usermin version 1.090 and Webmin 1.160 are not affected by this issue.

Gentoo has released an advisory to address these issues. Please see the referenced advisory for more information. Gentoo users may carry out the following commands to update their computers:

Usermin:
emerge sync
emerge -pv ">=app-admin/usermin-1.090"
emerge ">=app-admin/usermin-1.090"

Webmin:
emerge sync
emerge -pv ">=app-admin/webmin-1.160"
emerge ">=app-admin/webmin-1.160"

Debian has released advisory DSA 544-1 along with fixes dealing with this issue. Please see the referenced advisory for more information.

Mandrake Linux has released advisory MDKSA-2004:101 along with fixes to address this issue. Please see the referenced advisory for further information.

Turbolinux has released advisory 20050207 [TURBOLINUX SECURITY INFO] 07/Feb/2005 to address various issues. Please see the referenced advisory for more information.


Usermin Usermin 0.7

Usermin Usermin 0.80

Usermin Usermin 0.90

Usermin Usermin 0.910

Usermin Usermin 0.920

Usermin Usermin 0.930

Usermin Usermin 0.940

Usermin Usermin 0.950

Usermin Usermin 0.960

Usermin Usermin 0.970

Usermin Usermin 0.980

Usermin Usermin 0.990

Webmin Webmin 1.0 00

Webmin Webmin 1.0 90

Webmin Webmin 1.0 50

Webmin Webmin 1.0 80

Usermin Usermin 1.0 60

Webmin Webmin 1.0 70

Usermin Usermin 1.0 70

Usermin Usermin 1.0 20

Usermin Usermin 1.0 10

Usermin Usermin 1.0 00

Usermin Usermin 1.0 30

Usermin Usermin 1.0 80

Usermin Usermin 1.0 51

Usermin Usermin 1.0 40

Webmin Webmin 1.0 60

Webmin Webmin 1.0 20

Webmin Webmin 1.100

Webmin Webmin 1.110

Webmin Webmin 1.121

Webmin Webmin 1.130

Webmin Webmin 1.140

Webmin Webmin 1.150

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站