CVE-2005-0205
CVSS 4.6
Published: 2005-05-02 00:00:00
Revised: 2010-08-21 00:25:39

[Original text] KPPP 2.1.2 in KDE 3.1.5 and earlier, when setuid root without certain wrappers, does not properly close a privileged file descriptor for a domain socket, which allows local users to read and write to /etc/hosts and /etc/resolv.conf and gain control over DNS name resolution by opening a number of file descriptors before executing kppp.


[CNNVD] KPPP Privileged File Descriptor Leak Vulnerability (CNNVD-200505-350)

        KPPP is a dialer and front end for pppd that allows interactive script generation and network setup.
        KPPP's privilege handling is flawed: a local attacker can use a leaked privileged file descriptor to read and write /etc/hosts and /etc/resolv.conf and take control of the system's DNS name resolution.
        

- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Attack complexity: LOW [no special access conditions are needed to exploit]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

cpe:/o:kde:kde:3.1.5
cpe:/o:kde:kde:3.1.2
cpe:/o:kde:kde:3.1.1
cpe:/o:kde:kde:3.1.4
cpe:/o:kde:kde:3.1
cpe:/o:bernd_wuebben:kppp:2.1.2
cpe:/o:kde:kde:3.1.3

- OVAL (technical details for detection)

oval:org.mitre.oval:def:9596
*OVAL definitions describe in detail how a vulnerability is detected; see the referenced OVAL definition for further technical details on detecting this one.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0205
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0205
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-350
(official data source) CNNVD

- Other links and resources

http://www.redhat.com/support/errata/RHSA-2005-175.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2005:175
http://www.kde.org/info/security/advisory-20050228-1.txt
(VENDOR_ADVISORY)  CONFIRM  http://www.kde.org/info/security/advisory-20050228-1.txt
http://www.idefense.com/application/poi/display?id=208&type=vulnerabilities
(VENDOR_ADVISORY)  IDEFENSE  20050228 KPPP Privileged File Descriptor Leak Vulnerability
http://www.debian.org/security/2005/dsa-692
(VENDOR_ADVISORY)  DEBIAN  DSA-692
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000934
(PATCH)  CONECTIVA  CLA-2005:934

- Vulnerability information

KPPP Privileged File Descriptor Leak Vulnerability
Medium severity  Design error
2005-05-02 00:00:00 2005-10-20 00:00:00
Local
        KPPP is a dialer and front end for pppd that allows interactive script generation and network setup.
        KPPP's privilege handling is flawed: a local attacker can use a leaked privileged file descriptor to read and write /etc/hosts and /etc/resolv.conf and take control of the system's DNS name resolution.
        

- Advisories and patches

        The vendor has released a patch for this issue; it can be obtained from:
        ftp://ftp.kde.org/pub/kde/security_patches

- Vulnerability information (F36361)

iDEFENSE Security Advisory 2005-02-28.2 (PacketStormID:F36361)
2005-02-28 00:00:00
iDefense Labs  idefense.com
advisory,local
CVE-2005-0205

iDEFENSE Security Advisory 02.28.05 - Local exploitation of a privileged file descriptor leak in KPPP can allow attackers to hijack a system's domain name resolution function. The vulnerability specifically exists due to kppp's failure to properly close privileged file descriptors.

KPPP Privileged File Descriptor Leak Vulnerability

iDEFENSE Security Advisory 02.28.05
www.idefense.com/application/poi/display?id=208&type=vulnerabilities
February 28, 2005

I. BACKGROUND

KPPP is a dialer and front end for pppd. It allows for interactive
script generation and network setup. More information is available at:

    http://docs.kde.org/en/3.3/kdenetwork/kppp/

II. DESCRIPTION

Local exploitation of a privileged file descriptor leak in KPPP can
allow attackers to hijack a system's domain name resolution function.

The vulnerability specifically exists due to kppp's failure to properly
close privileged file descriptors. Typically, KPPP is installed setuid
root and uses privilege separation to allow only certain functions of
the PPP dialer to execute with elevated privileges. Communication
between the privileged portion and non-privileged portion of kppp is
done over a domain socket which does not properly get closed.

A fix for a similar vulnerability was introduced to the kppp code base
in 1998 as can be seen below:

    // close file descriptors
    for (int fd = 3; fd < 20; fd++)
      close(fd);

This fix may be easily bypassed if an attacker opens 17 file descriptors
before executing kppp. The loop will execute, closing the previously
opened file descriptors and leave the remaining privileged file
descriptor used to talk to the privileged component of kppp open for
attackers. KPPP may be abused to gain read and write access to
/etc/hosts and /etc/resolv.conf, thus giving attackers complete control
over a system's domain resolution capabilities.
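The bypass of the bounded close loop is easy to reproduce without kppp. The C program below is an added example written for this page; it is not kppp code and is not from iDEFENSE or KDE. It reproduces the close(3..19) loop from the advisory, has the "attacker" side pre-open 17 descriptors before a domain socket is created, and checks whether the socket survives the loop. It then shows the two standard fixes: closing every descriptor up to the process's RLIMIT_NOFILE, and marking the privileged descriptor FD_CLOEXEC so that an exec'd helper can never inherit it. All function and variable names are mine, and a local socketpair stands in for kppp's privileged channel; nothing here runs setuid.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <unistd.h>

/* The loop quoted in the advisory: only descriptors 3..19 are closed. */
static void close_fds_kppp(void)
{
    for (int fd = 3; fd < 20; fd++)
        close(fd);
}

/* Fix 1: close every descriptor from 3 up to the process's open-file limit,
 * so there is no number the attacker can push the privileged descriptor past. */
static void close_fds_hardened(void)
{
    struct rlimit rl;
    long max = sysconf(_SC_OPEN_MAX);
    if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur != RLIM_INFINITY)
        max = (long)rl.rlim_cur;
    if (max <= 0)
        max = 1024;                     /* conservative fallback if neither query works */
    for (long fd = 3; fd < max; fd++)
        close((int)fd);                 /* EBADF on unused numbers is harmless */
}

/* Fix 2: mark the privileged descriptor close-on-exec, so an exec'd helper
 * never inherits it no matter how many descriptors are open. */
static int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

static int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/* Simulate the attack: pre-open `preopen` descriptors (the attacker's move),
 * then create the "privileged" domain socket and run `closer`, the pre-exec
 * cleanup. Returns 1 if the socket survived, 0 if it was closed, -1 on error. */
static int simulate_leak(int preopen, void (*closer)(void))
{
    int held[64];
    int nheld = 0;
    for (int i = 0; i < preopen && i < 64; i++) {
        int fd = open("/dev/null", O_RDONLY);
        if (fd < 0)
            break;
        held[nheld++] = fd;
    }

    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) {
        for (int i = 0; i < nheld; i++)
            close(held[i]);
        return -1;
    }
    int priv = sv[0];                   /* stands in for kppp's privileged channel */
    close(sv[1]);

    closer();
    int leaked = fd_is_open(priv);

    if (leaked)
        close(priv);
    for (int i = 0; i < nheld; i++)
        close(held[i]);                 /* mostly already closed by closer(); EBADF ignored */
    return leaked;
}

/* Set FD_CLOEXEC on a fresh descriptor and confirm it reads back; 1 on success. */
static int demo_cloexec(void)
{
    int fd = open("/dev/null", O_RDONLY);
    if (fd < 0)
        return 0;
    int ok = set_cloexec(fd) == 0 && (fcntl(fd, F_GETFD) & FD_CLOEXEC);
    close(fd);
    return ok ? 1 : 0;
}

int main(void)
{
    printf("kppp loop, 0 pre-opened fds:    leaked=%d\n", simulate_leak(0, close_fds_kppp));
    printf("kppp loop, 17 pre-opened fds:   leaked=%d\n", simulate_leak(17, close_fds_kppp));
    printf("hardened loop, 17 pre-opened:   leaked=%d\n", simulate_leak(17, close_fds_hardened));
    printf("FD_CLOEXEC set and readable:    %d\n", demo_cloexec());
    return 0;
}
```

With 17 descriptors pre-opened the socket lands at descriptor 20, just past the loop's upper bound, and survives; the same run against close_fds_hardened closes it. On Linux 5.9 and later close_range(3, ~0U, 0) does what the hardened loop does in a single call, and code written today usually avoids the cleanup loop altogether by creating privileged descriptors with SOCK_CLOEXEC or O_CLOEXEC in the first place.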

III. ANALYSIS

Exploitation allows local attackers to gain control over a system's
domain name resolution function. Exploitation is trivial and allows an
attacker to write to the two files typically providing the configuration
for domain name resolution. Modifications of /etc/resolv.conf will allow
the attacker to specify a malicious domain server which may return
arbitrary responses to domain name lookups. Modifications to /etc/hosts
will cause hostname resolution redirection without the need for an
external domain server. This class of attack can be used to aid in
phishing and social engineering attempts.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in KPPP 
2.1.2. The vendor has confirmed that KPPP as included in KDE 3.1.5 and 
prior are affected. KDE 3.2.x and newer are not affected. 

Note that some Linux distributions which come with KPPP, such as Red
Hat Linux, use a wrapper for executing X11 applications that require
root privileges. This wrapper safely closes all file descriptors in the
executed application.

V. WORKAROUND

As a workaround, temporarily remove the setuid bit from KPPP and
manually gain root privileges before executing KPPP:

chmod -s /usr/sbin/kppp

VI. VENDOR RESPONSE

A vendor advisory for this issue is available at:

   http://www.kde.org/info/security/advisory-20050228-1.txt

A patch for KDE 3.1 is available from 

   ftp://ftp.kde.org/pub/kde/security_patches :

   0e999df54963edd5f565b6d541f408d9  post-3.1.5-kdenetwork.diff

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-0205 to this issue. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

02/09/2005  Initial vendor notification
02/09/2005  Initial vendor response
02/28/2005  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright (c) 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
    

- Vulnerability information

14275
KDE kppp Privileged File Descriptor Leak
Local Access Required
Loss of Integrity Workaround, Patch / RCS
Exploit Private Vendor Verified, Coordinated Disclosure

- Timeline

2005-02-28 Unknown
Unknown 2005-02-28

- Solution

KDE has released a patch to address this vulnerability. Additionally, it is possible to temporarily work around the flaw by implementing the following workaround: As a workaround, temporarily remove the setuid bit from KPPP and manually gain root privileges before executing KPPP: chmod -s /usr/sbin/kppp

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

KPPP Privileged File Descriptor Leakage Vulnerability
Design Error 12677
Remote: No  Local: Yes
2005-02-28 12:00:00 2009-07-12 10:56:00
Discovery is credited to an anonymous researcher.

- Affected program versions

SGI ProPack 3.0
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 2.1 IA64
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 2.1 IA64
RedHat Enterprise Linux ES 2.1
RedHat Desktop 3.0
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
RedHat Advanced Workstation for the Itanium Processor 2.1
Red Hat Enterprise Linux AS 3
Red Hat Enterprise Linux AS 2.1 IA64
Red Hat Enterprise Linux AS 2.1
KDE KPPP 2.1.2
KDE KDE 3.1.5
KDE KDE 3.1.4
KDE KDE 3.1.3
+ Red Hat Enterprise Linux AS 3
+ RedHat Desktop 3.0
+ RedHat Enterprise Linux ES 3
+ RedHat Enterprise Linux WS 3
KDE KDE 3.1.2
+ Conectiva Linux 9.0
+ KDE KDE 3.1.2
KDE KDE 3.1.1 a
KDE KDE 3.1.1
+ Conectiva Linux 9.0
+ S.u.S.E. Linux Personal 8.2
KDE KDE 3.1
+ RedHat Linux 9.0 i386
+ S.u.S.E. Linux 8.1
KDE KDE 3.0.5 b
KDE KDE 3.0.5 a
+ RedHat Linux 8.0 i386
+ RedHat Linux 7.3 i386
KDE KDE 3.0.5
+ Conectiva Linux 8.0
KDE KDE 3.0.4
+ Conectiva Linux 8.0
+ Gentoo Linux 1.4 _rc1
+ Gentoo Linux 1.2
KDE KDE 3.0.3 a
KDE KDE 3.0.3
+ Conectiva Linux 8.0
+ Conectiva Linux Enterprise Edition 1.0
+ FreeBSD FreeBSD 4.7 -STABLE
+ Mandriva Linux Mandrake 9.0
KDE KDE 3.0.2
+ Mandriva Linux Mandrake 8.2
KDE KDE 3.0.1
KDE KDE 3.0
+ Conectiva Linux 8.0
KDE KDE 2.2.2
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
+ Red Hat Enterprise Linux AS 2.1 IA64
+ Red Hat Enterprise Linux AS 2.1
+ RedHat Advanced Workstation for the Itanium Processor 2.1
+ RedHat Enterprise Linux ES 2.1 IA64
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux WS 2.1 IA64
+ RedHat Enterprise Linux WS 2.1
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.1 i386
+ RedHat Linux Advanced Work Station 2.1
+ Sun Linux 5.0.7
+ Sun Linux 5.0.6
+ Sun Linux 5.0.5
KDE KDE 2.2.1
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1.1
+ Caldera OpenLinux Workstation 3.1
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
KDE KDE 2.2
KDE KDE 2.1.2
+ Conectiva Linux 7.0
KDE KDE 2.1.1
KDE KDE 2.1
KDE KDE 2.0.1
+ Conectiva Linux 6.0
KDE KDE 2.0 BETA
KDE KDE 2.0
KDE KDE 1.2
- S.u.S.E. Linux 6.4
KDE KDE 1.1.2
+ Caldera OpenLinux 2.3
+ Mandriva Linux Mandrake 7.0
KDE KDE 1.1.1
KDE KDE 1.1
Debian Linux 3.0 sparc
Debian Linux 3.0 s/390
Debian Linux 3.0 ppc
Debian Linux 3.0 mipsel
Debian Linux 3.0 mips
Debian Linux 3.0 m68k
Debian Linux 3.0 ia-64
Debian Linux 3.0 ia-32
Debian Linux 3.0 hppa
Debian Linux 3.0 arm
Debian Linux 3.0 alpha
Debian Linux 3.0
Bernd Johanness Wueb kppp 1.1.3

- Unaffected program versions

KDE KDE 3.3.2
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 amd64
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
KDE KDE 3.3.1
+ Red Hat Fedora Core3
KDE KDE 3.3
KDE KDE 3.2.3
KDE KDE 3.2.2
+ Red Hat Fedora Core2
KDE KDE 3.2.1
KDE KDE 3.2

- Vulnerability discussion

KPPP is reported prone to a file descriptor leakage vulnerability. This vulnerability can allow local attackers to gain read or write access to sensitive files such as '/etc/hosts' and '/etc/resolv.conf', which may lead to other attacks against the computer.

This vulnerability has been confirmed in KPPP 2.1.2. KPPP versions included with KDE 3.1.5 and prior versions are affected as well.

- Exploit

An exploit is not required.

- Solution

A patch is available for KDE 3.1.

Red Hat has released advisory RHSA-2005:175-06 and fixes to address this issue on Red Hat Linux Enterprise platforms. Customers who are affected by this issue are advised to apply the appropriate updates. Customers subscribed to the Red Hat Network may apply the appropriate fixes using the Red Hat Update Agent (up2date). Please see referenced advisory for additional information.

Debian Linux has released advisory DSA 692-1 addressing this issue. Please see the referenced advisory for obtaining and applying fixes.

Conectiva has released advisory CLSA-2005:934 to address this issue. Please see the advisory in Web references for more information.

SGI has released an advisory 20050302-01-U including updated SGI ProPack 3 Service Pack 4 packages to address this issue. Please see the referenced advisory for more information.



About the SCAP Chinese Community

The SCAP Chinese Community is the first open Chinese-language community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are kept on MITRE's own websites.