发布时间 :2004-08-06 00:00:00
修订时间 :2008-09-05 16:39:01

[原文]eupdatedb in esearch 0.6.1 and earlier allows local users to create arbitrary files via a symlink attack on the temporary file.

[CNNVD]Esearch eupdatedb符号链接漏洞(CNNVD-200408-048)

        Esearch是一款"emerge search"命令的替代工具。
        eupdatedb工具使用临时文件(/tmp/指示eupdatedb进程正在运行,当运行的时候,eupdatedb会检查此文件是否存在,但没有检查是否是断开的符号连接(broken symlink),如果文件是断开的符号连接,那么脚本会通过符号连接所指向建立文件来代替打印错误并退出。攻击者可以利用这个漏洞破坏系统文件。

- CVSS (基础分值)

CVSS分值: 7.2 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)


- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(VENDOR_ADVISORY)  XF  esearch-eupdatedb-symlink(16584)

- 漏洞信息

Esearch eupdatedb符号链接漏洞
高危 设计错误
2004-08-06 00:00:00 2005-10-20 00:00:00
        Esearch是一款"emerge search"命令的替代工具。
        eupdatedb工具使用临时文件(/tmp/指示eupdatedb进程正在运行,当运行的时候,eupdatedb会检查此文件是否存在,但没有检查是否是断开的符号连接(broken symlink),如果文件是断开的符号连接,那么脚本会通过符号连接所指向建立文件来代替打印错误并退出。攻击者可以利用这个漏洞破坏系统文件。

- 公告与补丁


- 漏洞信息

esearch eupdatedb Insecure Temporary File Creation
Local Access Required Race Condition
Loss of Confidentiality, Loss of Integrity, Loss of Availability
Exploit Public

- 漏洞描述

esearch contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when eupdatedb creates a file in /tmp without first checking for the existence of a link. This flaw may lead to a loss of Confidentiality, Integrity and/or Availability.

- 时间线

2004-07-01 2004-06-28
Unknow Unknow

- 解决方案

Upgrade to version 0.6.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

- 漏洞信息

Esearch eupdatedb Symbolic Link Vulnerability
Design Error 10644
No Yes
2004-07-01 12:00:00 2009-07-12 05:16:00
The individual responsible for the discovery of this issue is currently unknown; this issue was disclosed in the referenced Gentoo advisory.

- 受影响的程序版本

esearch emerge search tool 0.6.1
+ Gentoo Linux 1.4 _rc3
+ Gentoo Linux 1.4 _rc2
+ Gentoo Linux 1.4 _rc1
+ Gentoo Linux 1.4
esearch emerge search tool 0.6
esearch emerge search tool 0.5.3
esearch emerge search tool 0.5.2
esearch emerge search tool 0.5.1
esearch emerge search tool 0.5
esearch emerge search tool 0.4.2
esearch emerge search tool 0.4.1
esearch emerge search tool 0.4
esearch emerge search tool 0.3.1
esearch emerge search tool 0.6.2

- 不受影响的程序版本

esearch emerge search tool 0.6.2

- 漏洞讨论

It has been reported that eupdatedb, an esearch utility is affected by a symbolic link vulnerability. This issue is due to a failure of the application to properly handle temporary file creation.

An attacker can leverage this vulnerability to create an arbitrary file with the permissions of an unsuspecting user that has activated the vulnerable utility; facilitating a number of possible attacks.

- 漏洞利用

No exploit is required to leverage this issue.

- 解决方案

Gentoo has released advisory GLSA 200407-01 along with an upgrade dealing with this issue. Gentoo has advised the following actions be taken to apply the upgrade:

# emerge sync

# emerge -pv ">=app-portage/esearch-0.6.2"
# emerge ">=app-portage/esearch-0.6.2"

Please see the referenced advisory for more information.

- 相关参考