CVE-2005-1528
CVSS7.2
Published: 2005-12-31 00:00:00
Revised: 2011-03-07 21:22:09
NMCOS    

[Original] Untrusted search path vulnerability in the crttrap command in QNX Neutrino RTOS 6.2.1 allows local users to load arbitrary libraries via a LD_LIBRARY_PATH environment variable that references a malicious library.


[CNNVD] QNX Neutrino RTOS crttrap Arbitrary Library Loading Vulnerability (CNNVD-200512-882)

        QNX Neutrino RTOS is a real-time operating system used in embedded systems.
        crttrap in QNX Neutrino RTOS handles environment variables unsafely; a local attacker could exploit this to execute arbitrary commands with root privileges.
        crttrap blindly trusts the user-supplied LD_LIBRARY_PATH environment variable. A local user can create a malicious library and, by controlling LD_LIBRARY_PATH, cause crttrap to load it. A local attacker who successfully exploits this can execute arbitrary code with root privileges.
        <*Link: http://idefense.com/intelligence/vulnerabilities/display.php?id=379
        *>
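The defensive pattern behind the fix for this class of bug is that a privileged program must not let a caller's loader variables (LD_LIBRARY_PATH, LD_PRELOAD and the rest of the LD_ family) reach the dynamic linker, either for itself or for anything it spawns. The following C program is an added example, not QNX or crttrap code; the function names and the sample environment are assumptions constructed for illustration. It filters loader-controlled entries out of an environment block and offers a last-line check a privileged helper can run on `environ` before calling execve().

```c
/* Added example (not QNX code): scrubbing loader-controlled environment
 * variables before a privileged program spawns anything. Function names
 * and the sample environment are assumptions for illustration. */
#include <stdio.h>
#include <string.h>

/* Variables that steer the dynamic linker (LD_LIBRARY_PATH, LD_PRELOAD, ...)
 * must never be inherited from an untrusted caller. Matching on the "LD_"
 * prefix covers the whole family rather than a hand-maintained list. */
int is_loader_var(const char *entry)
{
    return strncmp(entry, "LD_", 3) == 0;
}

/* Copy every entry of `in` that is not loader-controlled into `out`,
 * NULL-terminate the result, and return the number of entries kept.
 * `out` must hold at least `cap` pointers (cap-1 entries plus the NULL).
 * Returns (size_t)-1 if the filtered set does not fit, so the caller
 * fails closed instead of executing with a truncated environment. */
size_t filter_loader_env(char *const *in, const char **out, size_t cap)
{
    size_t n = 0;
    for (; *in != NULL; in++) {
        if (is_loader_var(*in))
            continue;
        if (n + 1 >= cap)
            return (size_t)-1;
        out[n++] = *in;
    }
    out[n] = NULL;
    return n;
}

/* 1 if no loader-controlled variable is present, else 0. A privileged
 * program can call this on `environ` as a final check before exec. */
int env_is_clean(char *const *envp)
{
    for (; *envp != NULL; envp++)
        if (is_loader_var(*envp))
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample environment, as a hostile caller might supply it. */
    char *const hostile[] = {
        "PATH=/usr/bin:/bin",
        "LD_LIBRARY_PATH=/tmp/attacker-controlled",
        "HOME=/home/user",
        "LD_PRELOAD=/tmp/hook.so",
        NULL
    };
    const char *clean[16];
    size_t kept = filter_loader_env(hostile, clean, 16);

    printf("kept %zu entries, clean=%d\n", kept,
           env_is_clean((char *const *)clean));
    for (size_t i = 0; i < kept; i++)
        printf("  %s\n", clean[i]);
    /* In a real privileged helper the filtered array is what gets passed as
     * envp to execve(), so the child never sees LD_* from the caller. */
    return 0;
}
```

Filtering on the prefix rather than on two known names is deliberate: the set of variables a given dynamic linker honours varies between platforms, and a list that omits one of them reintroduces exactly this bug. Running the program prints the two surviving entries (PATH and HOME) and `clean=1`.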
        

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be fully compromised]
Availability impact: COMPLETE [system may be rendered completely unavailable]
Access complexity: LOW [no special access conditions are required to exploit]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1528
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1528
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200512-882
(Official data source) CNNVD

- Other links and resources

http://www.vupen.com/english/advisories/2006/0474
(UNKNOWN)  VUPEN  ADV-2006-0474
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=379
(VENDOR_ADVISORY)  IDEFENSE  20060207 QNX Neutrino RTOS crttrap Arbitrary Library Loading Vulnerability
http://secunia.com/advisories/18750
(VENDOR_ADVISORY)  SECUNIA  18750
http://xforce.iss.net/xforce/xfdb/24560
(UNKNOWN)  XF  qnx-crttrap-privilege-elevation(24560)
http://www.securityfocus.com/bid/16539
(UNKNOWN)  BID  16539
http://securitytracker.com/id?1015599
(UNKNOWN)  SECTRACK  1015599

- Vulnerability information

QNX Neutrino RTOS crttrap Arbitrary Library Loading Vulnerability
High severity  Insufficient data
2005-12-31 00:00:00 2006-02-12 00:00:00
Local

- Advisories and patches

        

- Vulnerability information

22967
QNX Neutrino RTOS crttrap LD_LIBRARY_PATH Subversion Privilege Escalation

- Vulnerability description

- Timeline

2006-02-07 2005-05-12
Unknown Unknown

- Solution

Upgrade to version 6.2.1 Patch B or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

QNX Multiple Local Privilege Escalation and Denial Of Service Vulnerabilities
Unknown 16539
No Yes
2006-02-07 12:00:00 2009-07-12 05:56:00
The discoverers of the crttrap, gdb, and the rc.local issues wish to remain anonymous. The fontsleuth issue was discovered by iDefense Labs. Filipe Balestra discovered the libAP and libph issues. Knud Hojgaard discovered the phfont and phgrafx issues. Texo

- Affected program versions

QNX RTOS 6.3
QNX RTOS 6.2.1
QNX RTOS 6.2

- Vulnerability discussion

QNX is susceptible to multiple local vulnerabilities. These issues include multiple buffer-overflow vulnerabilities, a format-string vulnerability, an insecure library-path vulnerability, insecure default-directory-permission vulnerability, and a denial-of-service vulnerability.

These issues allow local attackers to execute arbitrary machine code and commands with superuser privileges, facilitating the complete compromise of affected computers. Attackers may also crash affected computers, denying service to legitimate users.

QNX versions 6.2.0, 6.2.1, and 6.3 are affected by these issues; earlier versions may also be affected.

- Exploit

Some of these issues do not require exploits.

To exploit the denial-of-service vulnerability, the following command is reportedly sufficient:

echo -e "break *0xb032d59f\nr\ncont\ncont" | gdb gdb

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Related references
