CVE-2005-1751
CVSS3.7
发布时间 :2005-05-25 00:00:00
修订时间 :2016-10-17 23:22:10
NMCOPS    

[原文]Race condition in shtool 2.0.1 and earlier allows local users to create or modify arbitrary files via a symlink attack on the .shtool.$$ temporary file, a different vulnerability than CVE-2005-1759.


[CNNVD]GNU SHTool 不安全临时文件删除漏洞(CNNVD-200505-1202)

        shtool 2.0.1及早期版本中的竞争条件允许本地用户借助对.shtool.$$ 临时文件发起的symlink攻击,来创建或修改任意文件。此漏洞不同于CVE-2005-1759漏洞。

- CVSS (基础分值)

CVSS分值: 3.7 [轻微(LOW)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: HIGH [漏洞利用存在特定的访问条件]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

oval:org.mitre.oval:def:9639Race condition in shtool 2.0.1 and earlier allows local users to create or modify arbitrary files via a symlink attack on the .shtool.$$ tem...
oval:org.mitre.oval:def:345shtool Race Condition
*OVAL详细的描述了检测该漏洞的方法,你可以从相关的OVAL定义中找到更多检测该漏洞的技术细节。

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1751
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1751
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-1202
(官方数据源) CNNVD

- 其它链接及资源

http://bugs.gentoo.org/show_bug.cgi?id=93782
(UNKNOWN)  MISC  http://bugs.gentoo.org/show_bug.cgi?id=93782
http://marc.info/?l=bugtraq&m=111955937622637&w=2
(UNKNOWN)  OPENPKG  OpenPKG-SA-2005.011
http://securitytracker.com/id?1014059
(UNKNOWN)  SECTRACK  1014059
http://www.debian.org/security/2005/dsa-789
(UNKNOWN)  DEBIAN  DSA-789
http://www.gentoo.org/security/en/glsa/glsa-200506-08.xml
(UNKNOWN)  GENTOO  GLSA-200506-08
http://www.redhat.com/support/errata/RHSA-2005-564.html
(UNKNOWN)  REDHAT  RHSA-2005:564
http://www.securityfocus.com/bid/13767
(UNKNOWN)  BID  13767
http://www.zataz.net/adviso/shtool-05252005.txt
(VENDOR_ADVISORY)  MISC  http://www.zataz.net/adviso/shtool-05252005.txt

- 漏洞信息

GNU SHTool 不安全临时文件删除漏洞
低危 设计错误
2005-05-25 00:00:00 2005-10-25 00:00:00
本地  
        shtool 2.0.1及早期版本中的竞争条件允许本地用户借助对.shtool.$$ 临时文件发起的symlink攻击,来创建或修改任意文件。此漏洞不同于CVE-2005-1759漏洞。

- 公告与补丁

        暂无数据

- 漏洞信息 (F38149)

Gentoo Linux Security Advisory 200506-8 (PacketStormID:F38149)
2005-06-21 00:00:00
Gentoo  security.gentoo.org
advisory
linux,gentoo
CVE-2005-1751,CVE-2005-1759
[点击下载]

Gentoo Linux Security Advisory GLSA 200506-08 - Eric Romang has discovered that GNU shtool insecurely creates temporary files with predictable filenames (CVE-2005-1751). On closer inspection, Gentoo Security discovered that the shtool temporary file, once created, was being reused insecurely (CVE-2005-1759). Versions less than 2.0.1-r2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200506-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: GNU shtool, ocaml-mysql: Insecure temporary file creation
      Date: June 11, 2005
      Bugs: #93782, #93784
        ID: 200506-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

GNU shtool and ocaml-mysql are vulnerable to symlink attacks,
potentially allowing a local user to overwrite arbitrary files.

Background
==========

GNU shtool is a compilation of small shell scripts into a single shell
tool. The ocaml-mysql package includes the GNU shtool code.

Affected packages
=================

    -------------------------------------------------------------------
     Package             /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  dev-util/shtool        < 2.0.1-r2                     >= 2.0.1-r2
  2  dev-ml/ocaml-mysql     < 1.0.3-r1                     >= 1.0.3-r1
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

Eric Romang has discovered that GNU shtool insecurely creates temporary
files with predictable filenames (CAN-2005-1751). On closer inspection,
Gentoo Security discovered that the shtool temporary file, once
created, was being reused insecurely (CAN-2005-1759).

Impact
======

A local attacker could create symbolic links in the temporary files
directory, pointing to a valid file somewhere on the filesystem. When a
GNU shtool script is executed, this would result in the file being
overwritten with the rights of the user running the script, which could
be the root user.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All GNU shtool users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-util/shtool-2.0.1-r2"

All ocaml-mysql users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-ml/ocaml-mysql-1.0.3-r1"

References
==========

  [ 1 ] CAN-2005-1751
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1751
  [ 2 ] CAN-2005-1759
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1759

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200506-08.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

    

- 漏洞信息

16848
shtool Symlink Arbitrary File Manipulation
Local Access Required Race Condition
Loss of Integrity
Vendor Verified

- 漏洞描述

shtool contains a flaw that may allow a malicious local user to overwrite or create arbitrary files on the system. The issue is due to the script creating temporary files insecurely. It is possible for a user to use a symlink style attack to manipulate arbitrary files, resulting in a loss of integrity.

- 时间线

2005-05-25 2005-05-25
Unknow Unknow

- 解决方案

Contact your vendor for an appropriate upgrade. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

- 漏洞信息

GNU SHTool Insecure Temporary File Deletion Vulnerability
Design Error 13767
No Yes
2005-05-25 12:00:00 2009-07-12 02:56:00
"ZATAZ.net" <exploits@zataz.net> is credited with the discovery of this vulnerability.

- 受影响的程序版本

Ubuntu Ubuntu Linux 5.0 4 powerpc
Ubuntu Ubuntu Linux 5.0 4 i386
Ubuntu Ubuntu Linux 5.0 4 amd64
Ubuntu Ubuntu Linux 4.1 ppc
Ubuntu Ubuntu Linux 4.1 ia64
Ubuntu Ubuntu Linux 4.1 ia32
Trustix Secure Linux 3.0
Trustix Secure Linux 2.2
Trustix Secure Enterprise Linux 2.0
Shawn Wagner ocaml-mysql 1.0.3
SGI ProPack 3.0 SP6
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux ES 3
RedHat Desktop 4.0
RedHat Desktop 3.0
Red Hat Fedora Core2
Red Hat Fedora Core1
Red Hat Enterprise Linux AS 4
Red Hat Enterprise Linux AS 3
PHP PHP 5.0.5
PHP PHP 5.0.4
PHP PHP 5.0.3
+ Trustix Secure Linux 2.2
PHP PHP 5.0.2
PHP PHP 5.0.1
PHP PHP 5.0 candidate 3
PHP PHP 5.0 candidate 2
PHP PHP 5.0 candidate 1
PHP PHP 5.0 .0
PHP PHP 4.3.11
PHP PHP 4.3.10
+ Gentoo Linux
+ Red Hat Fedora Core3
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
+ Trustix Secure Linux 1.5
PHP PHP 4.3.9
PHP PHP 4.3.8
+ Mandriva Linux Mandrake 10.1 x86_64
+ Mandriva Linux Mandrake 10.1
+ S.u.S.E. Linux Personal 9.2
+ Turbolinux Turbolinux Server 10.0
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
PHP PHP 4.3.7
PHP PHP 4.3.6
PHP PHP 4.3.5
PHP PHP 4.3.4
+ MandrakeSoft Corporate Server 3.0 x86_64
+ MandrakeSoft Corporate Server 3.0
+ Mandriva Linux Mandrake 10.0 AMD64
+ Mandriva Linux Mandrake 10.0
+ S.u.S.E. Linux Personal 9.1
PHP PHP 4.3.3
+ S.u.S.E. Linux Personal 9.0 x86_64
+ S.u.S.E. Linux Personal 9.0
+ Turbolinux Home
+ Turbolinux Turbolinux 10 F...
+ Turbolinux Turbolinux Desktop 10.0
PHP PHP 4.3.2
PHP PHP 4.3.1
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ OpenPKG OpenPKG Current
+ S.u.S.E. Linux Personal 8.2
PHP PHP 4.3
PHP PHP 4.2.3
+ EnGarde Secure Linux 1.0.1
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ Mandriva Linux Mandrake 9.0
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Workstation 8.0
+ Turbolinux Turbolinux Workstation 7.0
PHP PHP 4.2.2
+ Gentoo Linux 1.4 _rc1
+ Gentoo Linux 1.2
+ OpenPKG OpenPKG 1.1
+ RedHat Linux 8.0 i386
+ RedHat Linux 8.0
+ S.u.S.E. Linux 8.1
PHP PHP 4.2.1
- FreeBSD FreeBSD 4.6
- FreeBSD FreeBSD 4.5
- FreeBSD FreeBSD 4.4
- FreeBSD FreeBSD 4.3
+ Slackware Linux 8.1
PHP PHP 4.2 .0
PHP PHP 4.2 -dev
PHP PHP 4.1.2
+ Apple Mac OS X 10.1.5
+ Apple Mac OS X 10.1.4
+ Apple Mac OS X 10.1.3
+ Apple Mac OS X 10.1.2
+ Apple Mac OS X 10.1.1
+ Apple Mac OS X 10.1
+ Apple Mac OS X 10.1
+ Apple Mac OS X 10.0.4
+ Apple Mac OS X 10.0.3
+ Apple Mac OS X 10.0.2
+ Apple Mac OS X 10.0.1
+ Apple Mac OS X 10.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ MandrakeSoft Multi Network Firewall 2.0
+ MandrakeSoft Single Network Firewall 7.2
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
PHP PHP 4.1.1
+ Conectiva Linux 7.0
PHP PHP 4.1 .0
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
PHP PHP 4.0.7 RC3
PHP PHP 4.0.7 RC2
PHP PHP 4.0.7 RC1
PHP PHP 4.0.7
PHP PHP 4.0.6
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1.1
+ Caldera OpenLinux Workstation 3.1
+ HP Secure OS software for Linux 1.0
- IBM AIX 4.3.3
- IBM AIX 4.3.2
- IBM AIX 4.3.1
- IBM AIX 4.3
- IBM AIX 5.1
+ MandrakeSoft Corporate Server 1.0.1
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ Mandriva Linux Mandrake 7.2
+ Mandriva Linux Mandrake 7.1
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.1
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 7.0
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux 7.3
+ S.u.S.E. Linux 7.2 i386
+ S.u.S.E. Linux 7.2
+ Sun Cobalt RaQ 550
+ Sun LX50
+ Trustix Secure Linux 1.5
PHP PHP 4.0.5
PHP PHP 4.0.4
+ Compaq Compaq Secure Web Server PHP 1.0
+ Conectiva Linux 6.0
+ Guardian Digital Engarde Secure Linux 1.0.1
+ S.u.S.E. Linux 7.2
+ S.u.S.E. Linux 7.1 x86
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux 7.0 sparc
+ S.u.S.E. Linux 7.0 ppc
+ S.u.S.E. Linux 7.0 i386
+ S.u.S.E. Linux 7.0 alpha
+ S.u.S.E. Linux 7.0
PHP PHP 4.0.3 pl1
+ S.u.S.E. Linux 6.4 ppc
+ S.u.S.E. Linux 6.4 i386
+ S.u.S.E. Linux 6.4 alpha
+ S.u.S.E. Linux 6.4
PHP PHP 4.0.3
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
+ Sun Cobalt Control Station 4100CS
+ Sun Cobalt Qube3 Japanese 4000WGJ
+ Sun Cobalt Qube3 Japanese w/ Caching and RAID 4100WGJ
+ Sun Cobalt Qube3 Japanese w/Caching 4010WGJ
+ Sun Cobalt RaQ XTR 3500R
+ Sun Cobalt RaQ XTR Japanese 3500R-ja
PHP PHP 4.0.2
PHP PHP 4.0.1 pl2
PHP PHP 4.0.1 pl1
PHP PHP 4.0.1
+ Sun Cobalt Qube3 4000WG
+ Sun Cobalt Qube3 w/ Caching and RAID 4100WG
+ Sun Cobalt Qube3 w/Caching 4010WG
+ Sun Cobalt RaQ4 3001R
+ Sun Cobalt RaQ4 Japanese RAID 3100R-ja
+ Sun Cobalt RaQ4 RAID 3100R
PHP PHP 4.0 0
GNU shTool 2.0.1
+ OpenPKG OpenPKG 2.3
+ OpenPKG OpenPKG Current
GNU shTool 2.0
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1
PHP PHP 5.1
PHP PHP 4.4 .0

- 不受影响的程序版本

PHP PHP 5.1
PHP PHP 4.4 .0

- 漏洞讨论

GNU shTool is prone to an insecure temporary file deletion vulnerability.

This issue is due to a design error that causes a file to be insecurely deleted and subsequently and linked file deleted.

An attacker may leverage this issue to delete arbitrary files with the privileges of an unsuspecting user that activates the affected application.

Update (2005/06/11): ocaml-mysql, a package for the Object Camel language that provides access to MySQL, contains shtool code and is vulnerable.

Update (2005/07/14): PHP prior to version 4.4.0 contains shtool code and is vulnerable.

- 漏洞利用

No exploit is required.

- 解决方案

Gentoo users can upgrade shtool and ocaml-mysql by issuing the following commands:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-util/shtool-2.0.1-r2"

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-ml/ocaml-mysql-1.0.3-r1"

OpenPKG has released advisory OpenPKG-SA-2005.011 addressing this issue. Please see the referenced advisory for further information.

Red Hat has released advisory RHSA-2005:564-15 to address this issue. Please see the referenced advisory for more information.

PHP has released version 4.4.0 to address this, and other issues.

Trustix has released advisory TSLSA-2005-0036, along with fixes to address various issues. Please see the referenced advisory for further information.

SGI has released advisory 20050703-01-U to address various issues affecting SGI ProPack 3 Service Pack 6. Please see the referenced advisory for more information.

Fedora Legacy advisory FLSA:163559 is available to address various issues affecting Fedora Core 1 and Core 2. Please see the referenced advisory for more information.

Ubuntu Linux has released security advisory USN-171-1 addressing this and other issues. Please see the referenced advisory for details on obtaining and applying the appropriate updates.

Debian has released advisory DSA 789-1 to address various issues. Please see the referenced advisory for more information.

PHP version 5.1.0 has been released. This version includes fixes for this issue.

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.


GNU shTool 2.0.1

PHP PHP 4.0 0

PHP PHP 4.0.1

PHP PHP 4.0.1 pl1

PHP PHP 4.0.1 pl2

PHP PHP 4.0.2

PHP PHP 4.0.3 pl1

PHP PHP 4.0.3

PHP PHP 4.0.4

PHP PHP 4.0.5

PHP PHP 4.0.6

PHP PHP 4.0.7

PHP PHP 4.0.7 RC1

PHP PHP 4.0.7 RC3

PHP PHP 4.0.7 RC2

PHP PHP 4.1 .0

PHP PHP 4.1.1

PHP PHP 4.1.2

PHP PHP 4.2 -dev

PHP PHP 4.2 .0

PHP PHP 4.2.1

PHP PHP 4.2.2

PHP PHP 4.2.3

PHP PHP 4.3

PHP PHP 4.3.1

PHP PHP 4.3.10

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站