Published: 2005-12-31 00:00:00
Last revised: 2008-09-05 16:50:34

[Original text] Novell NetMail 3.5.2a, 3.5.2b, and 3.5.2c, when running on Linux, sets the owner and group ID to 500 for certain files, which could allow users or groups with that ID to execute arbitrary code or cause a denial of service by modifying those files.

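[CNNVD] Novell NetMail insecure file permissions vulnerability (CNNVD-200512-955)

        Novell NetMail 3.5.2a, 3.5.2b, and 3.5.2c, when running on Linux, set the owner and group ID of certain files to 500; a user or group with that ID can execute arbitrary code or launch a denial-of-service attack by modifying those files.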

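- CVSS (base score)

CVSS score: 1.7 [LOW]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: NONE [no impact on the integrity of the system]
Availability impact: PARTIAL [may cause reduced performance or interruptions in resource access]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: [--]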

- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources
(PATCH)  BID  14005
(PATCH)  OSVDB  17456

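- Vulnerability information

Novell NetMail insecure file permissions vulnerability
Low risk   Design error
2005-12-31 00:00:00 2006-06-06 00:00:00
        Novell NetMail 3.5.2a, 3.5.2b, and 3.5.2c, when running on Linux, set the owner and group ID of certain files to 500; a user or group with that ID can execute arbitrary code or launch a denial-of-service attack by modifying those files.

- Advisories and patches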


- Vulnerability information

Novell NetMail for Linux Group File Ownership Local Privilege Escalation
Local Access Required Misconfiguration
Loss of Integrity
Exploit Public

- Vulnerability description

Novell NetMail for Linux contains a flaw that may allow a malicious user to gain unauthorized privileges. The issue arises because the files in the Linux distribution of NetMail have their owner ID and group ID set to 500. If NetMail is installed on a system where user ID 500 exists or where users belong to group ID 500, these users could delete or replace the NetMail binaries, resulting in a loss of integrity.
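
As an added example (not from the advisory or from Novell), a Python audit for the condition described above: it walks a directory, reports entries whose owner or group is ID 500, and checks whether those IDs are assigned to a local account or group. The install directory is an assumption supplied on the command line, since the page does not give NetMail's path, and the function names are illustrative.

```python
import grp
import os
import pwd
import stat
import sys

SUSPECT_ID = 500  # owner and group ID named in the advisory text


def local_principals(uid=SUSPECT_ID, gid=SUSPECT_ID):
    """Return (user, group) names that hold the IDs locally, None if unassigned."""
    try:
        user = pwd.getpwuid(uid).pw_name
    except KeyError:
        user = None
    try:
        group = grp.getgrgid(gid).gr_name
    except KeyError:
        group = None
    return user, group


def find_hardcoded_ownership(root, uid=SUSPECT_ID, gid=SUSPECT_ID):
    """List (path, reasons) for entries under root tied to the given uid/gid."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    findings = []
    for path in paths:
        st = os.lstat(path)  # lstat: judge the entry itself, not a symlink target
        if stat.S_ISLNK(st.st_mode):
            continue
        reasons = []
        if st.st_uid == uid:
            reasons.append("owner")  # the owner can chmod and rewrite the file
        if st.st_gid == gid:
            # Group write on a directory permits deleting or replacing entries.
            writable = st.st_mode & stat.S_IWGRP
            reasons.append("group-writable" if writable else "group")
        if reasons:
            findings.append((path, reasons))
    return sorted(findings)


if __name__ == "__main__":
    root = sys.argv[1]  # assumption: install directory passed by the operator
    user, group = local_principals()
    print(f"uid {SUSPECT_ID}: {user}  gid {SUSPECT_ID}: {group}")
    for path, reasons in find_hardcoded_ownership(root):
        print(f"{path}: {', '.join(reasons)}")
```

A finding matters most when `local_principals` returns a name: that account, or any member of that group, is the one able to alter the flagged files.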

- Timeline

2005-06-20 Unknown
2005-06-20 Unknown

- Solution

Upgrade to version 3.52c1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Novell NetMail Patch Packaging Insecure File Permissions Vulnerability
Design Error 14005
No Yes
2005-06-21 12:00:00 2009-07-12 04:06:00
The vendor disclosed this issue.

- Affected program versions

Novell NetMail 3.52 C
Novell NetMail 3.52 B
Novell NetMail 3.52 A
Novell NetMail 3.52 C1

- Unaffected program versions

Novell NetMail 3.52 C1

- Vulnerability discussion

Novell NetMail is susceptible to an insecure file permissions vulnerability. This issue is due to a flaw in the patch packaging system used to update NetMail. This vulnerability only presents itself on Linux installations of NetMail.

This vulnerability allows local attackers to modify or replace NetMail binaries. This will result in the compromise of the NetMail account.

Computers running versions 3.52A, 3.52B, or 3.52C on Linux are affected by this issue.

- Exploit

An exploit is not required.

- Solution

The vendor has released version 2.52C1 of NetMail to address this issue:

Novell NetMail 3.52 A

Novell NetMail 3.52 C

Novell NetMail 3.52 B

- Related references