CVE-2004-0793
CVSS7.2
发布时间 :2004-10-20 00:00:00
修订时间 :2016-10-17 22:49:03
NMCOPS    

[原文]The calendar program in bsdmainutils 6.0 through 6.0.14 does not drop root privileges when executed with the -a flag, which allows attackers to execute arbitrary commands via a calendar event file.


[CNNVD]bsdmainutils任意系统文件查看漏洞(CNNVD-200410-081)

        
        Debian bsdmainutils包含Calendar工具,此工具可通知用户将要发生的事件。
        Calendar在读取事件文件时处理不正确,本地攻击者可以利用这个漏洞以root用户权限访问任意系统文件。
        Calendar程序使用如下格式的事件文件:
        
        当调用"-a"选项时,程序会处理所有用户的事件文件并发送EMAIL。不过在以'-a'选项Calendar处理时没有正确丢弃权限(需要root用户权限),攻击者通过建立如下的事件文件,可导致获得SHADOW文件内容:
        #define root Jun. 28cut_here
        #include
        Jun. 28Birthday of Steven Van Acker
        Aug. 19Birthday of Andrew Griffith
        

- CVSS (基础分值)

CVSS分值: 7.2 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CWE (弱点类目)

CWE-264 [权限、特权与访问控制]

- CPE (受影响的平台与产品)

cpe:/a:debian:bsdmainutils:6.0Debian bsdmainutils 6.0
cpe:/a:debian:bsdmainutils:6.0.13Debian bsdmainutils 6.0.13
cpe:/a:debian:bsdmainutils:6.0.14Debian bsdmainutils 6.0.14
cpe:/a:debian:bsdmainutils:6.0.11Debian bsdmainutils 6.0.11
cpe:/a:debian:bsdmainutils:6.0.12Debian bsdmainutils 6.0.12
cpe:/a:debian:bsdmainutils:6.0.10Debian bsdmainutils 6.0.10
cpe:/a:debian:bsdmainutils:6.0.9Debian bsdmainutils 6.0.9
cpe:/a:debian:bsdmainutils:6.0.8Debian bsdmainutils 6.0.8
cpe:/a:debian:bsdmainutils:6.0.7Debian bsdmainutils 6.0.7
cpe:/a:debian:bsdmainutils:6.0.6Debian bsdmainutils 6.0.6
cpe:/a:debian:bsdmainutils:6.0.5Debian bsdmainutils 6.0.5
cpe:/a:debian:bsdmainutils:6.0.4Debian bsdmainutils 6.0.4
cpe:/a:debian:bsdmainutils:6.0.3Debian bsdmainutils 6.0.3
cpe:/a:debian:bsdmainutils:6.0.2Debian bsdmainutils 6.0.2
cpe:/a:debian:bsdmainutils:6.0.1Debian bsdmainutils 6.0.1

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0793
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0793
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200410-081
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=109396230317359&w=2
(UNKNOWN)  BUGTRAQ  20040830 Possible root compromose with bsdmainutils 6.0.x < 6.0.15 (Debian testing/unstable)
http://www.securityfocus.com/bid/11077
(VENDOR_ADVISORY)  BID  11077
http://xforce.iss.net/xforce/xfdb/17162
(PATCH)  XF  bsdmainutils-calendar-gain-privileges(17162)

- 漏洞信息

bsdmainutils任意系统文件查看漏洞
高危 权限许可和访问控制
2004-10-20 00:00:00 2005-10-20 00:00:00
本地  
        
        Debian bsdmainutils包含Calendar工具,此工具可通知用户将要发生的事件。
        Calendar在读取事件文件时处理不正确,本地攻击者可以利用这个漏洞以root用户权限访问任意系统文件。
        Calendar程序使用如下格式的事件文件:
        
        当调用"-a"选项时,程序会处理所有用户的事件文件并发送EMAIL。不过在以'-a'选项Calendar处理时没有正确丢弃权限(需要root用户权限),攻击者通过建立如下的事件文件,可导致获得SHADOW文件内容:
        #define root Jun. 28cut_here
        #include
        Jun. 28Birthday of Steven Van Acker
        Aug. 19Birthday of Andrew Griffith
        

- 公告与补丁

        厂商补丁:
        Debian
        ------
        升级到最新的bsdmainutils包。
        
        http://www.debian.org/security/

- 漏洞信息 (F34223)

calendar_advisory.txt (PacketStormID:F34223)
2004-09-02 00:00:00
Steven Van Acker  
advisory,local,root
CVE-2004-0793
[点击下载]

The bsdmainutils package versions below 6.0.15 allow for a local root compromise via the calendar program.

Possible root compromise with calendar (bsdmainutils 6.0.x < 6.0.15)
--------------------------------------------------------------------

Introduction
------------

The calendar utility is a handy little tool that informs you about upcoming
events. Each user can define his/her own calendar events. In Debian 
 (and possibly other distributions as this option is builtin in calendar),
calendar can be run from cron so that users get upcoming event notifications
by mail.
This can be abused to gain root access.

This vulnerability is also known CAN-2004-0793.

Systems affected
----------------

Debian testing and Debian unstable with the bsdmainutils package installed.
(Versions 6.0 to 6.0.14 are vulnerable, >=6.0.15 is not)

How calendar works
------------------

The calendar program uses event files with this format:

<date><tab><event description>

This is not all however. Calender gives users the ability to include other
event-files and define variables and macro's. To do this, it calls cpp (the C
preprocessor) on the main event file and processes the output.

When called with the "-a" option, calendar will processes the event files of
all users and send the result by mail.

The bsdmainutils package in Debian uses this feature from
/etc/cron.daily/bsdmainutils.
Luckily, it is not enabled by default since you have to uncomment an "exit 0"
line in the cron script to activate it.

The problem
-----------

Calendar does not drop its privileges. In order to be useful when running with
the "-a" option, it needs to run as root.
By creating an event file as follows, we can get the hashed root password (on
June 28th ;) :

#define root Jun. 28<tab>cut_here
#include </etc/shadow>
Jun. 28<tab>Birthday of Steven Van Acker
Aug. 19<tab>Birthday of Andrew Griffith

(<tab> indicates an actual tab, so char '\t')

Since calendar is running as root, there will be no problem accessing the
shadow password file. The result contains the hashed password of root, which
can then be cracked.
 

Solution
--------

Quick fix: don't run "calendar -a" as root !
Graham Wilson (the bsdmainutils package maintainer for Debian) has provided a
fix for this issue. Please upgrade the package :)

Thanks to Graham Wilson for solving the problem and Jacques A. Vidrine
(FreeBSD) for keeping me from making a foolish mistake ;)

greets,
-- Steven

PS: happy birthday andrewg! ;)

Steven Van Acker
deepstar@ulyssis.org

[ Need a challenge ?                  ]
[    Visit http://www.pulltheplug.com ]

    

- 漏洞信息

9400
bsdmainutils calendar Event File Local Privilege Escalation
Local Access Required Information Disclosure
Loss of Confidentiality
Exploit Public

- 漏洞描述

bsdmainutils contains a flaw with the calendar utility that may lead to an unauthorized information disclosure. The issue is triggered when a user creates a specially crafted event file, which may result in the user viewing arbitrary files with root privileges resulting in a loss of confidentiality.

- 时间线

2004-08-30 Unknow
2004-08-30 Unknow

- 解决方案

Upgrade to version 6.0.15 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: Implement the fix released by Debian if applicable

- 相关参考

- 漏洞作者

- 漏洞信息

Bsdmainutils Calendar Information Disclosure Vulnerability
Access Validation Error 11077
No Yes
2004-08-31 12:00:00 2009-07-12 07:06:00
Steven Van Acker <deepstar@ulyssis.org> disclosed this vulnerability.

- 受影响的程序版本

Debian bsdmainutils 6.0.14
Debian bsdmainutils 6.0.15

- 不受影响的程序版本

Debian bsdmainutils 6.0.15

- 漏洞讨论

The calendar utility contained in the bsdmainutils package on Debian GNU/Linux systems is reported susceptible to an information disclosure vulnerability. This is due to a lack of proper file authorization checks by the application.

The application fails to enforce permissions of included files when run as the superuser with the '-a' argument, therefore it is possible for a local attacker to create a calendar file that will disclose the contents of arbitrary, potentially sensitive files. This may aid them in further attacks against the affected computer.

By default, the package is installed with a crontab file that will not call the calendar utility. Systems are only affected if the crontab is enabled by administrators.

Debian GNU/Linux computers with bsdmainutils versions prior to 6.0.15 are reported to be vulnerable.

- 漏洞利用

An exploit is not required. An example calendar file sufficient to exploit this vulnerability was provided. This file would likely be located in '~/.calendar/calendar':

#define root Jun. 28&lt;tab&gt;cut_here
#include &lt;/etc/shadow&gt;
Jun. 28&lt;tab&gt;Birthday of Steven Van Acker
Aug. 19&lt;tab&gt;Birthday of Andrew Griffith

(where &lt;tab&gt; should be replaced by an actual Tab character)

- 解决方案

Debian has released version 6.0.15 of bsdmainutils for the unstable branch. Users of affected packages are urged to use Debians package management utilities to upgrade to the latest version of bsdmainutils.

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站