CVE-2005-2353
CVSS 2.1
Published: 2005-08-05 00:00:00
Revised: 2008-09-05 16:51:32

[Original] run-mozilla.sh in Thunderbird, with debugging enabled, allows local users to create or overwrite arbitrary files via a symlink attack on temporary files.


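[CNNVD] Mozilla Suite, Firefox and Thunderbird Debug Mode Insecure Temporary File Creation Vulnerability (CNNVD-200508-066)

        run-mozilla.sh in Thunderbird (with debugging enabled) allows local users to create or overwrite arbitrary files by means of a symlink attack on temporary files.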

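- CVSS (base score)

CVSS score: 2.1 [LOW]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on the availability of the system]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details used for detection)

No related OVAL definition found

- Official database links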

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2353
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2353
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200508-066
(Official data source) CNNVD

- Other links and resources

http://www.ubuntulinux.org/support/documentation/usn/usn-157-1
(VENDOR_ADVISORY)  UBUNTU  USN-157-1
http://www.securityfocus.com/bid/14443
(UNKNOWN)  BID  14443
http://www.mandriva.com/security/advisories?name=MDKSA-2005:174
(UNKNOWN)  MANDRIVA  MDKSA-2005:174
http://www.mandriva.com/security/advisories?name=MDKSA-2005:173
(UNKNOWN)  MANDRIVA  MDKSA-2005:173
http://www.debian.org/security/2006/dsa-1051
(UNKNOWN)  DEBIAN  DSA-1051
http://www.debian.org/security/2006/dsa-1046
(UNKNOWN)  DEBIAN  DSA-1046
http://secunia.com/advisories/19941
(UNKNOWN)  SECUNIA  19941
http://secunia.com/advisories/19863
(UNKNOWN)  SECUNIA  19863

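- Vulnerability information

Mozilla Suite, Firefox and Thunderbird Debug Mode Insecure Temporary File Creation Vulnerability
Low risk  Design error
2005-08-05 00:00:00 2005-10-20 00:00:00
Local
        run-mozilla.sh in Thunderbird (with debugging enabled) allows local users to create or overwrite arbitrary files by means of a symlink attack on temporary files.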

- Advisories and patches

        The vendor has released upgrade patches to fix this security issue. Patch download links:
        Mozilla Firefox 1.0
        Mozilla Firefox 1.0.5
        http://www.mozilla.org/products/firefox/
        Mozilla Thunderbird 1.0.2
        Debian mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8_alpha.deb
        Debian GNU/Linux 3.1 alias sarge
        http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8_alpha.deb
        Debian mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8_amd64.deb
        Debian GNU/Linux 3.1 alias sarge
        http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8_amd64.deb
        Debian mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8_arm.deb
        Debian GNU/Linux 3.1 alias sarge
        http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8_arm.deb
        Debian mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8_hppa.deb
        Debian GNU/Linux 3.1 alias sarge
        http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8_hppa.deb
        Debian mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8_i386.deb
        Debian GNU/Linux 3.1 alias sarge
        http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8_i386.deb
        Debian mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8_ia64.deb
        Debian GNU/Linux 3.1 alias sarge
        http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8_ia64.deb
        Debian mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8_m68k.deb
        Debian GNU/Linux 3.1 alias sarge
        http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8_m68k.deb
        Debian mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8_mips.deb
        Debian GNU/Linux 3.1 alias sarge
        http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8_mips.deb
        Debian mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8_mipsel.deb
        Debian GNU/Linux 3.1 alias sarge
        http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8_mipsel.deb
        Debian mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8_powerpc.deb
        Debian GNU/Linux 3.1 alias sarge
        http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8_powerpc.deb
        Debian mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8_s390.deb
        Debian GNU/Linux 3.1 alias sarge
        http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8_s390.deb
        Debian mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8_sparc.deb
        Debian GNU/Linux 3.1 alias sarge
        http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8_sparc.deb
        Debian mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8a_hppa.deb
        Debian GNU/Linux 3.1 alias sarge
        http://security.debian.org/pool/updates/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.2-2.sarge1.0.8a_hppa.deb
        

- Vulnerability information (F46106)

Debian Linux Security Advisory 1051-1 (PacketStormID:F46106)
2006-05-06 00:00:00
Debian  debian.org
advisory
linux,debian
CVE-2005-2353,CVE-2005-4134,CVE-2006-0292,CVE-2006-0293,CVE-2006-0296,CVE-2006-0748,CVE-2006-0749,CVE-2006-0884,CVE-2006-1045,CVE-2006-1529,CVE-2006-1530,CVE-2006-1531,CVE-2006-1723,CVE-2006-1724,CVE-2006-1727,CVE-2006-1728,CVE-2006-1729,CVE-2006-1730

Debian Security Advisory 1051-1 - Several security related problems have been discovered in Mozilla Thunderbird. This advisory addresses those issues.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1051-1                    security@debian.org
http://www.debian.org/security/                             Martin Schulze
May 4th, 2006                           http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : mozilla-thunderbird
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2005-2353 CVE-2005-4134 CVE-2006-0292 CVE-2006-0293
                 CVE-2006-0296 CVE-2006-0748 CVE-2006-0749 CVE-2006-0884
                 CVE-2006-1045 CVE-2006-1529 CVE-2006-1530 CVE-2006-1531
                 CVE-2006-1723 CVE-2006-1724 CVE-2006-1727 CVE-2006-1728
                 CVE-2006-1729 CVE-2006-1730 CVE-2006-1731 CVE-2006-1733
                 CVE-2006-1734 CVE-2006-1735 CVE-2006-1736 CVE-2006-1737
                 CVE-2006-1738 CVE-2006-1739 CVE-2006-1740 CVE-2006-1741
                 CVE-2006-1742 CVE-2006-1790
CERT advisories: VU#179014 VU#252324 VU#329500 VU#350262 VU#488774 VU#492382
                 VU#592425 VU#736934 VU#813230 VU#842094 VU#932734 VU#935556
BugTraq IDs    : 15773 16476 16476 16770 16881 17516

Several security related problems have been discovered in Mozilla
Thunderbird.  The Common Vulnerabilities and Exposures project
identifies the following vulnerabilities:

CVE-2005-2353

    The "run-mozilla.sh" script allows local users to create or
    overwrite arbitrary files when debugging is enabled via a symlink
    attack on temporary files.

CVE-2005-4134

    Web pages with extremely long titles cause subsequent launches of
    the browser to appear to "hang" for up to a few minutes, or even
    crash if the computer has insufficient memory.  [MFSA-2006-03]

CVE-2006-0292

    The Javascript interpreter does not properly dereference objects,
    which allows remote attackers to cause a denial of service or
    execute arbitrary code.  [MFSA-2006-01]

CVE-2006-0293

    The function allocation code allows attackers to cause a denial of
    service and possibly execute arbitrary code.  [MFSA-2006-01]

CVE-2006-0296

    XULDocument.persist() did not validate the attribute name,
    allowing an attacker to inject arbitrary XML and JavaScript code
    into localstore.rdf that would be read and acted upon during
    startup.  [MFSA-2006-05]

CVE-2006-0748

    An anonymous researcher for TippingPoint and the Zero Day
    Initiative reported that an invalid and nonsensical ordering of
    table-related tags can be exploited to execute arbitrary code.
    [MFSA-2006-27]

CVE-2006-0749

    A particular sequence of HTML tags can cause memory corruption
    that can be exploited to execute arbitrary code.  [MFSA-2006-18]

CVE-2006-0884

    Georgi Guninski reports that forwarding mail in-line while using
    the default HTML "rich mail" editor will execute JavaScript
    embedded in the e-mail message with full privileges of the client.
    [MFSA-2006-21]

CVE-2006-1045

    The HTML rendering engine does not properly block external images
    from inline HTML attachments when "Block loading of remote images
    in mail messages" is enabled, which could allow remote attackers
    to obtain sensitive information.  [MFSA-2006-26]

CVE-2006-1529

    A vulnerability potentially allows remote attackers to cause a
    denial of service and possibly execute arbitrary.  [MFSA-2006-20]

CVE-2006-1530

    A vulnerability potentially allows remote attackers to cause a
    denial of service and possibly execute arbitrary.  [MFSA-2006-20]

CVE-2006-1531

    A vulnerability potentially allows remote attackers to cause a
    denial of service and possibly execute arbitrary.  [MFSA-2006-20]

CVE-2006-1723

    A vulnerability potentially allows remote attackers to cause a
    denial of service and possibly execute arbitrary.  [MFSA-2006-20]

CVE-2006-1724

    A vulnerability potentially allows remote attackers to cause a
    denial of service and possibly execute arbitrary.  [MFSA-2006-20]

CVE-2006-1727

    Georgi Guninski reported two variants of using scripts in an XBL
    control to gain chrome privileges when the page is viewed under
    "Print Preview".  [MFSA-2006-25]

CVE-2006-1728

    "shutdown" discovered that the crypto.generateCRMFRequest method
    can be used to run arbitrary code with the privilege of the user
    running the browser, which could enable an attacker to install
    malware.  [MFSA-2006-24]

CVE-2006-1729

    Claus J    

- Vulnerability information (F39036)

Ubuntu Security Notice 157-1 (PacketStormID:F39036)
2005-08-05 00:00:00
Ubuntu  ubuntu.com
advisory,vulnerability
linux,ubuntu
CVE-2005-0989,CVE-2005-1159,CVE-2005-1160,CVE-2005-1532,CVE-2005-2261,CVE-2005-2265,CVE-2005-2269,CVE-2005-2270,CVE-2005-2353

Ubuntu Security Notice USN-157-1 - A multitude of Mozilla Thunderbird vulnerabilities have been addressed in this advisory.

==========================================================
Ubuntu Security Notice USN-157-1           August 01, 2005
mozilla-thunderbird vulnerabilities
CAN-2005-0989, CAN-2005-1159, CAN-2005-1160, CAN-2005-1532,
CAN-2005-2261, CAN-2005-2265, CAN-2005-2269, CAN-2005-2270,
CAN-2005-2353
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

mozilla-thunderbird
mozilla-thunderbird-enigmail

The problem can be corrected by upgrading the affected package to
version 1.0.6-0ubuntu04.10 (for Ubuntu 4.10), or 1.0.6-0ubuntu05.04
(for Ubuntu 5.04).  You need to restart Thunderbird after a standard
system upgrade to effect the necessary changes.

The current Enigmail plugin is not compatible any more with the
Thunderbird version shipped in this security update, so the
mozilla-thunderbird-enigmail package needs to be updated as well. An
update is already available for Ubuntu 5.04, and will be delivered
shortly for Ubuntu 4.10.


Details follow:

Vladimir V. Perepelitsa discovered a bug in Thunderbird's handling of anonymous
functions during regular expression string replacement. A malicious HTML email
could exploit this to capture a random block of client memory. (CAN-2005-0989)

Georgi Guninski discovered that the types of certain XPInstall related
JavaScript objects were not sufficiently validated when they were called. This
could be exploited by malicious HTML email content to crash Thunderbird or even
execute arbitrary code with the privileges of the user. (CAN-2005-1159) 

Thunderbird did not properly verify the values of XML DOM nodes.  By tricking
the user to perform a common action like clicking on a link or opening the
context menu, a malicious HTML email could exploit this to execute arbitrary
JavaScript code with the full privileges of the user. (CAN-2005-1160)

A variant of the attack described in CAN-2005-1160 (see USN-124-1) was
discovered. Additional checks were added to make sure Javascript eval and
script objects are run with the privileges of the context that created them,
not the potentially elevated privilege of the context calling them.
(CAN-2005-1532)

Scripts in XBL controls from web content continued to be run even when
Javascript was disabled. This could be combined with most script-based exploits
to attack people running vulnerable versions who thought disabling Javascript
would protect them. (CAN-2005-2261)

The function for version comparison in the addons installer did not properly
verify the type of its argument. By passing specially crafted Javascript
objects to it, a malicious web site could crash Thunderbird and possibly even
execute arbitrary code with the privilege of the user account Thunderbird runs
in. (CAN-2005-2265)

The XHTML DOM node handler did not take namespaces into account when verifying
node types based on their names. For example, an XHTML email could contain an
<IMG> tag with malicious contents, which would then be processed as the
standard trusted HTML <img> tag. By tricking a user to view a malicious email,
this could be exploited to execute attacker-specified code with the full
privileges of the user. (CAN-2005-2269) 

It was discovered that some objects were not created appropriately.  This
allowed malicious web content scripts to trace back the creation chain until
they found a privileged object and execute code with higher privileges than
allowed by the current site. (CAN-2005-2270) 

Javier Fern    

- Vulnerability information

13625
Mozilla Firefox run-mozilla.sh Arbitrary File Overwrite
Local Access Required Race Condition
Loss of Integrity
Exploit Public

- Vulnerability description

Mozilla Firefox contains a flaw that may allow a malicious user to perform arbitrary file overwrites. The issue is triggered when a user runs the 'run-mozilla.sh' script within '/usr/lib/mozilla' with debugging enabled. A local attacker may be able to create a symlink from one of the temporary files the script uses to a critical file, which may allow the linked file to be overwritten with the privileges of the target user, resulting in a loss of integrity.

- Timeline

2005-02-08 Unknown
2005-02-08 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- Related references

- Vulnerability author

- Vulnerability information

Mozilla Suite, Firefox and Thunderbird Debug Mode Insecure Temporary File Creation Vulnerability
Design Error 14443
No Yes
2005-04-29 12:00:00 2007-01-09 07:01:00
Javier Fernández-Sanguino Peña <jfs@computer.org> is credited with the discovery of this vulnerability.

- Affected program versions

Ubuntu Ubuntu Linux 5.0 4 powerpc
Ubuntu Ubuntu Linux 5.0 4 i386
Ubuntu Ubuntu Linux 5.0 4 amd64
Ubuntu Ubuntu Linux 4.1 ppc
Ubuntu Ubuntu Linux 4.1 ia64
Ubuntu Ubuntu Linux 4.1 ia32
Mozilla Thunderbird 1.0.2
Mozilla Firefox 1.0
+ Gentoo Linux
+ Gentoo Linux
+ S.u.S.E. Linux Personal 9.2 x86_64
+ S.u.S.E. Linux Personal 9.2 x86_64
+ S.u.S.E. Linux Personal 9.2
+ S.u.S.E. Linux Personal 9.2
+ S.u.S.E. Linux Personal 9.1 x86_64
+ S.u.S.E. Linux Personal 9.1 x86_64
+ S.u.S.E. Linux Personal 9.1
+ S.u.S.E. Linux Personal 9.1
+ S.u.S.E. Linux Personal 9.0 x86_64
+ S.u.S.E. Linux Personal 9.0 x86_64
+ S.u.S.E. Linux Personal 9.0
+ S.u.S.E. Linux Personal 9.0
+ Slackware Linux 10.1
+ Slackware Linux 10.0
+ Slackware Linux 10.0
+ Slackware Linux 9.1
+ Slackware Linux 9.1
+ Slackware Linux -current
+ Slackware Linux -current
Mozilla Browser 1.7.5
+ HP Tru64 5.1 B-2 PK4 (BL25)
+ HP Tru64 5.1 B-2 PK4
+ HP Tru64 5.1 B-2 PK4
+ HP Tru64 5.1 B PK4
+ HP Tru64 5.1 B PK4
+ HP Tru64 5.1 A PK6 (BL24)
+ HP Tru64 5.1 A PK6 (BL24)
+ HP Tru64 5.1 A PK6
+ HP Tru64 5.1 A PK6
Mandriva Linux Mandrake 2006.0 x86_64
Mandriva Linux Mandrake 2006.0
Mandriva Linux Mandrake 10.2 x86_64
Mandriva Linux Mandrake 10.2
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1
Mozilla Thunderbird 1.0.5
Mozilla Firefox 1.0.1
+ Red Hat Fedora Core3
Mozilla Browser 1.7.6
+ HP HP-UX B.11.23
+ HP HP-UX B.11.23
+ HP HP-UX B.11.22
+ HP HP-UX B.11.22
+ HP HP-UX B.11.11
+ HP HP-UX B.11.11
+ HP HP-UX B.11.11
+ HP HP-UX B.11.11
+ HP HP-UX B.11.00
+ HP HP-UX B.11.00
+ Red Hat Enterprise Linux AS 4
+ Red Hat Enterprise Linux AS 4
+ RedHat Desktop 4.0
+ RedHat Desktop 4.0
+ RedHat Enterprise Linux ES 4
+ RedHat Enterprise Linux ES 4
+ RedHat Enterprise Linux WS 4
+ RedHat Enterprise Linux WS 4
+ Turbolinux Home
+ Turbolinux Home
+ Turbolinux Turbolinux 10 F...
+ Turbolinux Turbolinux Desktop 10.0
+ Turbolinux Turbolinux Desktop 10.0
+ Turbolinux Turbolinux Server 10.0
+ Turbolinux Turbolinux Server 10.0

- Unaffected program versions

Mozilla Thunderbird 1.0.5
Mozilla Firefox 1.0.1
+ Red Hat Fedora Core3
Mozilla Browser 1.7.6
+ HP HP-UX B.11.23
+ HP HP-UX B.11.23
+ HP HP-UX B.11.22
+ HP HP-UX B.11.22
+ HP HP-UX B.11.11
+ HP HP-UX B.11.11
+ HP HP-UX B.11.11
+ HP HP-UX B.11.11
+ HP HP-UX B.11.00
+ HP HP-UX B.11.00
+ Red Hat Enterprise Linux AS 4
+ Red Hat Enterprise Linux AS 4
+ RedHat Desktop 4.0
+ RedHat Desktop 4.0
+ RedHat Enterprise Linux ES 4
+ RedHat Enterprise Linux ES 4
+ RedHat Enterprise Linux WS 4
+ RedHat Enterprise Linux WS 4
+ Turbolinux Home
+ Turbolinux Home
+ Turbolinux Turbolinux 10 F...
+ Turbolinux Turbolinux Desktop 10.0
+ Turbolinux Turbolinux Desktop 10.0
+ Turbolinux Turbolinux Server 10.0
+ Turbolinux Turbolinux Server 10.0

- Vulnerability discussion

Mozilla Suite, Firefox, and Thunderbird create temporary files in an insecure manner.

A local attacker would most likely take advantage of this vulnerability by creating a malicious symbolic link in a directory where the temporary files will be created. When the program tries to perform an operation on a temporary file, it will instead perform the operation on the file pointed to by the malicious symbolic link.

Exploitation would most likely result in loss of data or a denial of service if critical files are overwritten in the attack. Other attacks may be possible as well.

Note that this issue occurs only when the affected application is run in 'debug' mode.
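
The weak and the hardened way of creating such a temporary file from a shell script, as an added example (not code from run-mozilla.sh or from any advisory quoted on this page). The function names and the `debugargs.*` file name are hypothetical, and the pre-existing link is constructed inside a throwaway sandbox directory.

```shell
#!/bin/sh
# Added example. All names (write_predictable, write_with_mktemp,
# write_noclobber, debugargs.*) are hypothetical, not from run-mozilla.sh.

# Weak pattern: the name is guessable (fixed prefix + PID) and ">" follows
# a symlink that already sits at that path.
write_predictable() {
    dir=$1; data=$2
    tmp="$dir/debugargs.$$"
    printf '%s\n' "$data" > "$tmp"
    printf '%s\n' "$tmp"
}

# Hardened pattern: mktemp chooses an unpredictable name and creates the file
# exclusively, so an existing file or link at that path is never reused.
write_with_mktemp() {
    dir=$1; data=$2
    tmp=$(mktemp "$dir/debugargs.XXXXXXXXXX") || return 1
    printf '%s\n' "$data" > "$tmp"
    printf '%s\n' "$tmp"
}

# When a fixed name is unavoidable: noclobber (set -C) makes ">" refuse to
# write if anything, including a symlink, already exists at the path.
write_noclobber() {
    dir=$1; data=$2
    tmp="$dir/debugargs.$$"
    ( set -C; printf '%s\n' "$data" > "$tmp" ) 2>/dev/null || return 1
    printf '%s\n' "$tmp"
}

# Constructed scenario: a link already exists at the guessable name and
# points at a file the user cares about. Reports what each writer did to it.
demo() {
    box=$(mktemp -d) || return 1
    printf 'original\n' > "$box/victim"
    ln -s "$box/victim" "$box/debugargs.$$"

    write_predictable "$box" "debug output" >/dev/null
    weak=$(cat "$box/victim")            # clobbered through the link

    printf 'original\n' > "$box/victim"  # restore before the next run
    write_with_mktemp "$box" "debug output" >/dev/null
    strong=$(cat "$box/victim")          # untouched

    if write_noclobber "$box" "debug output" >/dev/null; then
        excl=written
    else
        excl=refused                     # link detected, nothing written
    fi
    rm -rf "$box"
    printf 'predictable=%s mktemp=%s noclobber=%s\n' "$weak" "$strong" "$excl"
}

demo
```

A private per-user temporary directory (mode 0700) removes the shared-directory precondition altogether and is the stronger fix where the script allows it.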

- Exploit

No exploit is required.

- Solution

The vendor has addressed these issues in subsequent versions of the affected applications.

Please see the referenced vendor advisories for more information.


Mozilla Firefox 1.0

Mozilla Thunderbird 1.0.2
