CVE-2004-0970
CVSS 2.1
Published: 2005-02-09 00:00:00
Last revised: 2008-09-05 16:39:57

[Original] The (1) gzexe, (2) zdiff, and (3) znew scripts in the gzip package, as used by other packages such as ncompress, allow local users to overwrite files via a symlink attack on temporary files. NOTE: the znew vulnerability may overlap CVE-2003-0367.


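[CNNVD] GNU GZip Unspecified Insecure Temporary File Creation Vulnerability (CNNVD-200502-021)

        gzip is short for GNU zip; it is a GNU free-software file compression program.
        The (1) gzexe, (2) zdiff and (3) znew scripts in the gzip package, as used by other packages such as ncompress, allow local users to overwrite files via a symlink attack on temporary files. Note: the znew vulnerability may overlap CVE-2003-0367.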

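- CVSS (Base Score)

CVSS score: 2.1 [LOW]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on the availability of the system]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]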

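- CPE (Affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (Technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0970
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0970
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200502-021
(Official data source) CNNVD

- Other links and resources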

http://www.securityfocus.com/bid/11288
(VENDOR_ADVISORY)  BID  11288
http://xforce.iss.net/xforce/xfdb/17583
(VENDOR_ADVISORY)  XF  script-temporary-file-overwrite(17583)
http://www.trustix.org/errata/2004/0050
(UNKNOWN)  TRUSTIX  2004-0050
http://www.debian.org/security/2004/dsa-588
(VENDOR_ADVISORY)  DEBIAN  DSA-588
http://www.zataz.net/adviso/ncompress-09052005.txt
(UNKNOWN)  MISC  http://www.zataz.net/adviso/ncompress-09052005.txt
http://secunia.com/advisories/13131
(UNKNOWN)  SECUNIA  13131

- Vulnerability information

GNU GZip Unspecified Insecure Temporary File Creation Vulnerability
Low severity  Design error
2005-02-09 00:00:00 2005-10-28 00:00:00
Local

- Advisories and patches

        Vendors have released upgrade patches to fix this security issue. Patch download links:
        GNU gzip 1.2.4 a
        Mandrake gzip-1.2.4a-11.3.C21mdk.i586.rpm (Mandrake Corporate Server 2.1)
        http://www.mandrakesecure.net/en/ftp.php
        Mandrake gzip-1.2.4a-11.3.C21mdk.x86_64.rpm (Mandrake Corporate Server 2.1/x86_64)
        http://www.mandrakesecure.net/en/ftp.php
        Mandrake gzip-1.2.4a-11.3.M82mdk.i586.rpm (Mandrake Multi Network Firewall 8.2)
        http://www.mandrakesecure.net/en/ftp.php
        Mandrake gzip-1.2.4a-13.1.100mdk.amd64.rpm (Mandrake Linux 10.0/AMD64)
        http://www.mandrakesecure.net/en/ftp.php
        Mandrake gzip-1.2.4a-13.1.100mdk.i586.rpm (Mandrake Linux 10.0)
        http://www.mandrakesecure.net/en/ftp.php
        Mandrake gzip-1.2.4a-13.1.101mdk.i586.rpm (Mandrake Linux 10.1)
        http://www.mandrakesecure.net/en/ftp.php
        Mandrake gzip-1.2.4a-13.1.101mdk.x86_64.rpm (Mandrake Linux 10.1/x86_64)
        http://www.mandrakesecure.net/en/ftp.php
        Mandrake gzip-1.2.4a-13.1.92mdk.amd64.rpm (Mandrake Linux 9.2/AMD64)
        http://www.mandrakesecure.net/en/ftp.php
        Mandrake gzip-1.2.4a-13.1.92mdk.i586.rpm (Mandrake Linux 9.2)
        http://www.mandrakesecure.net/en/ftp.php
        Trustix gzip-1.2.4a-20tr.i586.rpm (Trustix Secure Linux 1.5)
        ftp://ftp.trustix.org/pub/trustix/updates/
        Trustix gzip-1.2.4a-25tr.i586.rpm (Trustix Secure Linux 2.0)
        ftp://ftp.trustix.org/pub/trustix/updates/
        Trustix gzip-1.2.4a-29tr.i586.rpm (Trustix Secure Linux 2.1 & Enterprise Server 2)
        ftp://ftp.trustix.org/pub/trustix/updates/
        Trustix gzip-doc-1.2.4a-20tr.i586.rpm (Trustix Secure Linux 1.5)
        ftp://ftp.trustix.org/pub/trustix/updates/
        Trustix gzip-doc-1.2.4a-25tr.i586.rpm (Trustix Secure Linux 2.0)
        ftp://ftp.trustix.org/pub/trustix/updates/
        Trustix gzip-doc-1.2.4a-29tr.i586.rpm (Trustix Secure Linux 2.1 & Enterprise Server 2)
        ftp://ftp.trustix.org/pub/trustix/updates/
        GNU gzip 1.3.3
        TurboLinux gzip-1.3.3-5.i586.rpm
        ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/gzip-1.3.3-5.i586.rpm
        TurboLinux gzip-1.3.3-5.i586.rpm
        ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/gzip-1.3.3-5.i586.rpm
        TurboLinux gzip-1.3.3-5.i586.rpm
        ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/gzip-1.3.3-5.i586.rpm
        TurboLinux gzip-1.3.3-5.i586.rpm
        ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/gzip-1.3.3-5.i586.rpm
        TurboLinux gzip-1.3.3-5.i586.rpm
        ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/gzip-1.3.3-5.i586.rpm
        TurboLinux gzip-1.3.3-5.i586.rpm
        ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/gzip-1.3.3-5.i586.rpm

- Vulnerability information (F40107)

zataz-ncompress-09052005.txt (PacketStormID:F40107)
2005-09-20 00:00:00
ZATAZ Audits  zataz.net
advisory
CVE-2004-0970

ncompress versions less than or equal to 4.2.4-r1 create temporary files insecurely.

#########################################################

ncompress insecure temporary file creation

Vendor: ftp://ftp.leo.org/pub/comp/os/unix/linux/sunsite/utils/compress/
Advisory: http://www.zataz.net/adviso/ncompress-09052005.txt
Vendor informed: yes
Exploit available: yes
Impact : low
Exploitation : low

#########################################################

The vulnerability is caused by a temporary file being created insecurely.
This can be exploited via symlink attacks in combination with a race
condition to create and overwrite arbitrary files
with the privileges of the user running the affected script.

Secunia has reported that D1g1t4lLeech discovered this bug
on 2005-09-16

ZATAZ Audit discovered this bug on 2005-09-05

D1g1t4lLeech is a true Leecher :)

Gentoo Security take care on your IRC Channel, spy everywhere.

##########
Versions:
##########

ncompress <= 4.2.4-r1

##########
Solution:
##########

To prevent symlink attacks, use a kernel patch such as grsecurity

#########
Timeline:
#########

Discovered : 2005-09-05
Vendor notified : 2005-09-05
Vendor response : no response
Vendor fix : no patch
Vendor Sec report (vendor-sec@lst.de) :
Disclosure :

#####################
Technical details :
#####################

ncompress uses a vulnerable version of zdiff and zcmp.

#########
Related :
#########

Secunia : http://secunia.com/advisories/13131/
CVE : CAN-2004-0970

#####################
Credits :
#####################

Eric Romang (eromang@zataz.net - ZATAZ Audit)
Thxs to Gentoo Security Team. (Taviso, jaervosz, solar, Koon, etc.)
    

- Vulnerability information

11536
gzip gzexe Symlink Arbitrary File Overwrite
Local Access Required Race Condition
Loss of Integrity Third-Party Solution
Exploit Unknown Third-party Verified

- Vulnerability description

gzip contains a flaw that may allow a malicious local user to overwrite arbitrary files on the system. The issue is due to the gzexe.in script creating temporary files insecurely. It is possible for a local attacker to use a symlink attack against files to cause the program to unexpectedly write to, or overwrite, an attacker-specified file.

- Timeline

2004-11-08 Unknown
Unknown Unknown

- Solution

Multiple vendors have released upgrades to address this vulnerability. Check the vendor advisory, changelog, or solution in the references section for details.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

GNU GZip Unspecified Insecure Temporary File Creation Vulnerability
Design Error 11288
No Yes
2004-09-30 12:00:00 2009-07-12 07:06:00
The individual or individuals responsible for the discovery of this issue is currently unknown; Trustix security engineers are credited with these discoveries.

- Affected program versions

GNU gzip 1.3.3 t
+ Turbolinux Appliance Server 1.0 Workgroup Edition
+ Turbolinux Appliance Server 1.0 Hosting Edition
+ Turbolinux Appliance Server Hosting Edition 1.0
+ Turbolinux Appliance Server Workgroup Edition 1.0
+ Turbolinux Turbolinux Desktop 10.0
+ Turbolinux Turbolinux Server 10.0
+ Turbolinux Turbolinux Server 9.0
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Workstation 8.0
+ Turbolinux Turbolinux Workstation 7.0
GNU gzip 1.3.3
+ Conectiva Linux 9.0
+ Gentoo Linux 1.4 _rc3
+ Gentoo Linux 1.4 _rc2
GNU gzip 1.2.4 a
+ MandrakeSoft Corporate Server 3.0 x86_64
+ MandrakeSoft Corporate Server 3.0
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ MandrakeSoft Corporate Server 1.0.1
+ MandrakeSoft Multi Network Firewall 2.0
+ MandrakeSoft Single Network Firewall 7.2
+ Mandriva Linux Mandrake 10.2 x86_64
+ Mandriva Linux Mandrake 10.2
+ Mandriva Linux Mandrake 10.1 x86_64
+ Mandriva Linux Mandrake 10.1
+ Mandriva Linux Mandrake 10.0 AMD64
+ Mandriva Linux Mandrake 10.0
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ Mandriva Linux Mandrake 9.0
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ Mandriva Linux Mandrake 7.2
+ Mandriva Linux Mandrake 7.1
+ Mandriva Linux Mandrake 7.0
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
+ SGI IRIX 6.5.15 m
+ SGI IRIX 6.5.15 f
+ SGI IRIX 6.5.14 m
+ SGI IRIX 6.5.14 f
+ SGI IRIX 6.5.13 m
+ SGI IRIX 6.5.13 f
+ SGI IRIX 6.5.12 m
+ SGI IRIX 6.5.12 f
+ SGI IRIX 6.5.11 m
+ SGI IRIX 6.5.11 f
+ SGI IRIX 6.5.10
+ SGI IRIX 6.5.9
+ SGI IRIX 6.5.8
+ SGI IRIX 6.5.7
+ SGI IRIX 6.5.6
+ SGI IRIX 6.5.5
+ SGI IRIX 6.5.4
+ SGI IRIX 6.5.3
+ SGI IRIX 6.5.2
+ SGI IRIX 6.5.1
+ SGI IRIX 6.5
+ Trustix Secure Linux 1.5
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1

- Vulnerability discussion

GNU gzip is affected by an unspecified insecure temporary file creation vulnerability. This issue is likely due to a design error that causes the application to fail to verify the existence of a file before writing to it.

An attacker may leverage this issue to overwrite arbitrary files with the privileges of an unsuspecting user that activates the vulnerable application. Reportedly this issue is unlikely to facilitate privilege escalation.
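
The pattern behind this class of bug, as an added shell example (constructed for illustration; it is not the gzexe, zdiff or znew source, and the `ztool.$$` name and the function names are assumptions). A scratch file written at a predictable name follows a symlink that already sits at that path, while `mktemp` creates the file exclusively under a random name:

```shell
#!/bin/sh
# Constructed demo, not code from gzip or ncompress.
# Everything happens inside a private sandbox directory.

# Predictable-name pattern: the name is guessable, and ">" writes to
# whatever already sits at that path, including the target of a symlink.
write_predictable() {    # $1 = scratch dir, $2 = data
    tmp="$1/ztool.$$"
    printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$tmp"
}

# Hardened pattern: mktemp picks an unpredictable name and creates the
# file with O_CREAT|O_EXCL, so a pre-existing symlink is never followed.
write_with_mktemp() {    # $1 = scratch dir, $2 = data
    tmp=$(mktemp "$1/ztool.XXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$tmp"
}

# Runs writer $1 with a symlink already present at the predictable name
# and prints what the unrelated "bystander" file contains afterwards.
bystander_after() {      # $1 = writer function name
    box=$(mktemp -d) || return 1
    printf 'original\n' > "$box/bystander"
    mkdir "$box/scratch"
    ln -s "$box/bystander" "$box/scratch/ztool.$$"
    "$1" "$box/scratch" "scratch data" > /dev/null
    cat "$box/bystander"
    rm -rf "$box"
}

echo "predictable name: bystander holds '$(bystander_after write_predictable)'"
echo "mktemp:           bystander holds '$(bystander_after write_with_mktemp)'"
```

The sandbox directory is private rather than sticky and world-writable, so kernel symlink restrictions such as grsecurity's or `fs.protected_symlinks` on current Linux do not change the result of the demonstration.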

- Exploit

No exploit is required to leverage this issue.

- Solution

Trustix Linux has released an advisory (TSL-2004-0050) along with fixes dealing with this issue. Please see the referenced advisory for more information.

Debian Linux has released an advisory (DSA 588-1) along with fixes dealing with this issue. Please see the referenced advisory for more information.

MandrakeSoft has issued an advisory (MDKSA-2004:142) along with patched upgrades. Please see the referenced advisory for more information.

TurboLinux has issued an advisory and fixes for TurboLinux systems. See advisory TLSA-2005-9 in the reference section.


GNU gzip 1.2.4 a

GNU gzip 1.3.3

- Related references
