CVE-2005-0610
CVSS 7.2
Published: 2005-04-12 00:00:00
Last revised: 2008-09-05 16:46:47

[Original] Multiple symlink vulnerabilities in portupgrade before 20041226_2 in FreeBSD allow local users to (1) overwrite arbitrary files and possibly replace packages to execute arbitrary code via pkg_fetch, (2) overwrite arbitrary files via temporary files when portupgrade upgrades a port or package, or (3) create arbitrary zero-byte files via the pkgdb.fixme temporary file.


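[CNNVD] FreeBSD PortUpgrade Local Insecure Temporary File Handling Vulnerability (CNNVD-200504-028)

        FreeBSD is a UNIX-like operating system, though not UNIX in the strict sense; it is an important branch of Unix that evolved from BSD, 386BSD and 4.4BSD. It supports computers with x86-compatible (including Pentium® and Athlon™), amd64-compatible (including Opteron™, Athlon 64 and EM64T), Alpha/AXP, IA-64, PC-98 and UltraSPARC® architectures. It runs on Intel x86 family compatible processors, DEC Alpha, Sun Microsystems UltraSPARC, Itanium (IA-64) and AMD64 processors. Support for PowerPC is under development. It is widely regarded as quite reliable and stable. Apple's Mac OS X uses Mach as its kernel, combined with FreeBSD drivers and utilities as its base. FreeBSD is derived from BSD, the version of UNIX® developed at the University of California, Berkeley, and is developed and maintained by volunteers from around the world. FreeBSD provides varying levels of support for different computer architectures.
        Versions of portupgrade before 20041226_2 in FreeBSD contain multiple symlink vulnerabilities that allow local users to (1) overwrite arbitrary files via pkg_fetch and possibly replace packages to execute arbitrary code, (2) overwrite arbitrary files via temporary files when portupgrade upgrades a port or package, or (3) create arbitrary zero-byte files via the pkgdb.fixme temporary file.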

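- CVSS (Base Score)

CVSS score: 7.2 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may render the system completely unavailable]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (Affected Platforms and Products)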

cpe:/o:freebsd:freebsd:5.1 FreeBSD 5.1
cpe:/o:freebsd:freebsd:5.2.1:release
cpe:/o:freebsd:freebsd:4.3:releng
cpe:/o:freebsd:freebsd:4.6.2 FreeBSD 4.6.2
cpe:/o:freebsd:freebsd:5.0 FreeBSD 5.0
cpe:/o:freebsd:freebsd:4.9:pre-release
cpe:/o:freebsd:freebsd:4.6:stable
cpe:/o:freebsd:freebsd:4.7:release_p17
cpe:/o:freebsd:freebsd:4.7:releng
cpe:/o:freebsd:freebsd:4.3:release_p38
cpe:/o:freebsd:freebsd:4.7 FreeBSD 4.7
cpe:/o:freebsd:freebsd:5.3:releng
cpe:/o:freebsd:freebsd:4.1.1:stable
cpe:/o:freebsd:freebsd:5.1:release
cpe:/o:freebsd:freebsd:4.4:release_p42
cpe:/o:freebsd:freebsd:5.4:release
cpe:/o:freebsd:freebsd:4.10:release
cpe:/o:freebsd:freebsd:4.1.1:release
cpe:/o:freebsd:freebsd:4.2 FreeBSD 4.2
cpe:/o:freebsd:freebsd:4.11:stable
cpe:/o:freebsd:freebsd:5.4:pre-release
cpe:/o:freebsd:freebsd:4.4:stable
cpe:/o:freebsd:freebsd:5.1:alpha
cpe:/o:freebsd:freebsd:5.3 FreeBSD 5.3
cpe:/o:freebsd:freebsd:5.2 FreeBSD 5.2
cpe:/o:freebsd:freebsd:4.6:releng
cpe:/o:freebsd:freebsd:4.5:stable
cpe:/o:freebsd:freebsd:4.6:release
cpe:/o:freebsd:freebsd:4.5 FreeBSD 4.5
cpe:/o:freebsd:freebsd:4.9 FreeBSD 4.9
cpe:/o:freebsd:freebsd:4.0:releng
cpe:/o:freebsd:freebsd:4.7:release
cpe:/o:freebsd:freebsd:4.3:stable
cpe:/o:freebsd:freebsd:4.5:release_p32
cpe:/o:freebsd:freebsd:4.2:stable
cpe:/o:freebsd:freebsd:4.0 FreeBSD 4.0
cpe:/o:freebsd:freebsd:4.3:release
cpe:/o:freebsd:freebsd:4.10:releng
cpe:/o:freebsd:freebsd:5.0:release_p14
cpe:/o:freebsd:freebsd:5.1:release_p5
cpe:/o:freebsd:freebsd:4.6 FreeBSD 4.6
cpe:/o:freebsd:freebsd:5.3:stable
cpe:/o:freebsd:freebsd:4.6:release_p20
cpe:/o:freebsd:freebsd:5.1:releng
cpe:/o:freebsd:freebsd:5.0:releng
cpe:/o:freebsd:freebsd:4.4:releng
cpe:/o:freebsd:freebsd:5.0:alpha
cpe:/o:freebsd:freebsd:5.3:release
cpe:/o:freebsd:freebsd:4.4 FreeBSD 4.4
cpe:/o:freebsd:freebsd:4.7:stable
cpe:/o:freebsd:freebsd:4.5:releng
cpe:/o:freebsd:freebsd:4.9:releng
cpe:/o:freebsd:freebsd:4.5:release
cpe:/o:freebsd:freebsd:4.8 FreeBSD 4.8
cpe:/o:freebsd:freebsd:4.8:pre-release
cpe:/o:freebsd:freebsd:4.10 FreeBSD 4.10
cpe:/o:freebsd:freebsd:4.1 FreeBSD 4.1
cpe:/o:freebsd:freebsd:4.3 FreeBSD 4.3
cpe:/o:freebsd:freebsd:4.1.1 FreeBSD 4.1.1
cpe:/o:freebsd:freebsd:4.8:releng
cpe:/o:freebsd:freebsd:4.8:release_p6
cpe:/o:freebsd:freebsd:5.2.1:releng
cpe:/o:freebsd:freebsd:4.0:alpha

- OVAL (Technical Details for Detection)

No related OVAL definitions found.

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0610
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0610
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200504-028
(Official data source) CNNVD

- Other Links and Resources

http://www.vuxml.org/freebsd/22f00553-a09d-11d9-a788-0001020eed82.html
(VENDOR_ADVISORY)  MISC  http://www.vuxml.org/freebsd/22f00553-a09d-11d9-a788-0001020eed82.html
http://secunia.com/advisories/14903
(VENDOR_ADVISORY)  SECUNIA  14903
http://www.securityfocus.com/bid/13106
(VENDOR_ADVISORY)  BID  13106

- Vulnerability Information

FreeBSD PortUpgrade Local Insecure Temporary File Handling Vulnerability
High risk  Design error
2005-04-12 00:00:00 2007-05-11 00:00:00
Local

- Advisories and Patches

        No data available.

- Vulnerability Information

15477
portupgrade pkg_fetch Symlink Privilege Escalation
Local Access Required Race Condition
Loss of Integrity
Exploit Unknown

- Vulnerability Description

portupgrade contains a flaw that may allow a malicious local user to overwrite, create and manipulate arbitrary files on the system with the permissions of the user running portupgrade. The issue is due to the 'pkg_fetch' download packages creating temporary files insecurely. It is possible for a user to use a symlink style attack to manipulate arbitrary files, resulting in a loss of integrity.

- Timeline

2005-04-12 2005-04-12
2005-04-12 Unknown

- Solution

Upgrade to version 20041226_2 or higher, as it has been reported to fix this vulnerability. FreeBSD has released a patch for this vulnerability. It is also possible to correct the flaw by implementing the following workaround: set the PKG_TMPDIR environment variable to a directory writable only by the user running portupgrade (normally root).

- Vulnerability Information

FreeBSD PortUpgrade Local Insecure Temporary File Handling Vulnerability
Design Error 13106
No Yes
2005-04-12 12:00:00 2009-07-12 12:56:00
Simon L. Nielsen is credited with the discovery of this issue.

- Affected Software Versions

FreeBSD FreeBSD 5.4 -RELEASE
FreeBSD FreeBSD 5.4 -PRERELEASE
FreeBSD FreeBSD 5.3 -STABLE
FreeBSD FreeBSD 5.3 -RELENG
FreeBSD FreeBSD 5.3 -RELEASE
FreeBSD FreeBSD 5.3
FreeBSD FreeBSD 5.2.1 -RELEASE
FreeBSD FreeBSD 5.2 -RELENG
FreeBSD FreeBSD 5.2 -RELEASE
FreeBSD FreeBSD 5.2
FreeBSD FreeBSD 5.1 -RELENG
FreeBSD FreeBSD 5.1 -RELEASE/Alpha
FreeBSD FreeBSD 5.1 -RELEASE-p5
FreeBSD FreeBSD 5.1 -RELEASE
FreeBSD FreeBSD 5.1
FreeBSD FreeBSD 5.0 -RELENG
FreeBSD FreeBSD 5.0 -RELEASE-p14
FreeBSD FreeBSD 5.0 alpha
FreeBSD FreeBSD 5.0
FreeBSD FreeBSD 4.11 -STABLE
FreeBSD FreeBSD 4.10 -RELENG
FreeBSD FreeBSD 4.10 -RELEASE
FreeBSD FreeBSD 4.10
FreeBSD FreeBSD 4.9 -RELENG
FreeBSD FreeBSD 4.9 -PRERELEASE
FreeBSD FreeBSD 4.9
FreeBSD FreeBSD 4.8 -RELENG
FreeBSD FreeBSD 4.8 -RELEASE-p7
FreeBSD FreeBSD 4.8 -PRERELEASE
FreeBSD FreeBSD 4.8
FreeBSD FreeBSD 4.7 -STABLE
FreeBSD FreeBSD 4.7 -RELENG
FreeBSD FreeBSD 4.7 -RELEASE-p17
FreeBSD FreeBSD 4.7 -RELEASE
FreeBSD FreeBSD 4.7
FreeBSD FreeBSD 4.6.2
FreeBSD FreeBSD 4.6 -STABLE
FreeBSD FreeBSD 4.6 -RELENG
FreeBSD FreeBSD 4.6 -RELEASE-p20
FreeBSD FreeBSD 4.6 -RELEASE
FreeBSD FreeBSD 4.6
FreeBSD FreeBSD 4.5 -STABLEpre2002-03-07
FreeBSD FreeBSD 4.5 -STABLE
FreeBSD FreeBSD 4.5 -RELENG
FreeBSD FreeBSD 4.5 -RELEASE-p32
FreeBSD FreeBSD 4.5 -RELEASE
FreeBSD FreeBSD 4.5
FreeBSD FreeBSD 4.4 -STABLE
FreeBSD FreeBSD 4.4 -RELENG
FreeBSD FreeBSD 4.4 -RELENG
FreeBSD FreeBSD 4.4 -RELEASE-p42
FreeBSD FreeBSD 4.4
FreeBSD FreeBSD 4.3 -STABLE
FreeBSD FreeBSD 4.3 -RELENG
FreeBSD FreeBSD 4.3 -RELEASE-p38
FreeBSD FreeBSD 4.3 -RELEASE
FreeBSD FreeBSD 4.3
FreeBSD FreeBSD 4.2 -STABLEpre122300
FreeBSD FreeBSD 4.2 -STABLEpre050201
FreeBSD FreeBSD 4.2 -STABLE
FreeBSD FreeBSD 4.2 -RELEASE
FreeBSD FreeBSD 4.2
FreeBSD FreeBSD 4.1.1 -STABLE
FreeBSD FreeBSD 4.1.1 -RELEASE
FreeBSD FreeBSD 4.1.1
FreeBSD FreeBSD 4.1
FreeBSD FreeBSD 4.0 .x
FreeBSD FreeBSD 4.0 -RELENG
FreeBSD FreeBSD 4.0 alpha
FreeBSD FreeBSD 4.0

- Discussion

A local insecure file handling vulnerability affects FreeBSD portupgrade. This issue is due to a design error that causes the affected application to fail to securely handle temporary files.

An attacker may leverage this issue to corrupt arbitrary files and execute code with the privileges of a user that runs the vulnerable utility. It should be noted that this utility is commonly run with superuser privileges.

- Exploit

No exploit is required to leverage this issue.

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.
