Published: 2005-05-02 00:00:00
Last revised: 2008-09-05 16:47:25

[Original] The internal_dump function in Mathopd before 1.5p5, and 1.6x before 1.6b6 BETA, when Mathopd is running with the -n option, allows local users to overwrite arbitrary files via a symlink attack on dump files that are triggered by a SIGWINCH signal.

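[CNNVD] Mathopd Dump Files Local Insecure File Creation Vulnerability (CNNVD-200505-529)

        In the internal_dump function of Mathopd versions before 1.5p5, and 1.6x versions before 1.6b6 BETA, when Mathopd is run with the -n option, a local user can overwrite arbitrary files through a symlink attack on dump files that is triggered by a SIGWINCH signal.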

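- CVSS (Base Score)

CVSS score: 2.1 [Minor (LOW)]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: NONE [no impact on the availability of the system]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]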

- Official Database Links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

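- Vulnerability Information

Mathopd Dump Files Local Insecure File Creation Vulnerability
Low risk Design error
2005-05-02 00:00:00 2005-10-20 00:00:00
        In the internal_dump function of Mathopd versions before 1.5p5, and 1.6x versions before 1.6b6 BETA, when Mathopd is run with the -n option, a local user can overwrite arbitrary files through a symlink attack on dump files that is triggered by a SIGWINCH signal.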

- Advisories and Patches

        Mathopd Web Server 1.5 p4
        Mathopd Mathopd 1.5p5

- Vulnerability Information

Mathopd internal_dump() Arbitrary File Append
Local Access Required Race Condition
Loss of Integrity Upgrade
Exploit Private RBS Confirmed, Vendor Verified, Coordinated Disclosure

- Vulnerability Description

Mathopd contains a flaw that may allow a malicious local user to append content to arbitrary files on the system. The issue is due to the internal_dump() function (dump.c) creating temporary files insecurely when a SIGWINCH signal is caught. It is possible for a local attacker to use a symlink attack to cause the program to unexpectedly append dump data to an attacker-specified file.

- Timeline

2005-03-23 Unknown
Unknown 2005-03-23

- Solution

Upgrade to version 1.5p5, 1.6b6 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

Mathopd Dump Files Local Insecure File Creation Vulnerability
Design Error 12882
No Yes
2005-03-23 12:00:00 2009-07-12 11:56:00
Carsten Eiram is credited with the discovery of this issue.

- Affected Software Versions

Mathopd Web Server 1.6 b5
Mathopd Web Server 1.5 p4
Mathopd Web Server 1.6 b6
Mathopd Web Server 1.5 p5

- Unaffected Software Versions

Mathopd Web Server 1.6 b6
Mathopd Web Server 1.5 p5

- Discussion

A local insecure file creation vulnerability affects Mathopd. This issue is due to a design error that causes the insecure creation and writing of files.

An attacker may leverage this issue to corrupt arbitrary files with the privileges of an unsuspecting user that activates and uses the vulnerable software.

- Exploit

No exploit is required to leverage this issue.

- Solution

The vendor has released an updated version dealing with this issue.

Mathopd Web Server 1.5 p4
