CVE-2005-2672
CVSS2.1
发布时间 :2005-08-23 00:00:00
修订时间 :2011-03-07 21:24:51
NMCOPS    

[原文]pwmconfig in LM_sensors before 2.9.1 creates temporary files insecurely, which allows local users to overwrite arbitrary files via a symlink attack on the fancontrol temporary file.


[CNNVD]LM_sensors PWMConfig 不安全临时文件创建漏洞 (CNNVD-200508-267)

        LM_sensors 2.9.1之前的版本中的pwmconfig以不安全的方式创建临时文件。这使得本地用户可以借助于对临时文件fancontrol的符号链接攻击重写任意文件。

- CVSS (基础分值)

CVSS分值: 2.1 [轻微(LOW)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:lm_sensors:lm_sensors:2.3.3
cpe:/a:lm_sensors:lm_sensors:2.1.1
cpe:/a:lm_sensors:lm_sensors:2.8.0
cpe:/a:lm_sensors:lm_sensors:2.8.7
cpe:/a:lm_sensors:lm_sensors:2.1.0
cpe:/a:lm_sensors:lm_sensors:2.2.0
cpe:/a:lm_sensors:lm_sensors:2.0.1
cpe:/a:lm_sensors:lm_sensors:2.5.0
cpe:/a:lm_sensors:lm_sensors:2.6.5
cpe:/a:lm_sensors:lm_sensors:2.4.0
cpe:/a:lm_sensors:lm_sensors:2.8.5
cpe:/a:lm_sensors:lm_sensors:2.4.4
cpe:/a:lm_sensors:lm_sensors:2.8.8
cpe:/a:lm_sensors:lm_sensors:2.2.1
cpe:/a:lm_sensors:lm_sensors:2.1.2
cpe:/a:lm_sensors:lm_sensors:2.8.4
cpe:/a:lm_sensors:lm_sensors:2.8.2
cpe:/a:lm_sensors:lm_sensors:2.8.1
cpe:/a:lm_sensors:lm_sensors:2.4.5
cpe:/a:lm_sensors:lm_sensors:2.8.3
cpe:/a:lm_sensors:lm_sensors:2.6.1
cpe:/a:lm_sensors:lm_sensors:2.6.4
cpe:/a:lm_sensors:lm_sensors:2.8.6
cpe:/a:lm_sensors:lm_sensors:2.3.4
cpe:/a:lm_sensors:lm_sensors:2.3.0
cpe:/a:lm_sensors:lm_sensors:2.7.0
cpe:/a:lm_sensors:lm_sensors:2.0.2
cpe:/a:lm_sensors:lm_sensors:2.6.0
cpe:/a:lm_sensors:lm_sensors:2.6.2
cpe:/a:lm_sensors:lm_sensors:2.2.2
cpe:/a:lm_sensors:lm_sensors:2.5.5
cpe:/a:lm_sensors:lm_sensors:2.3.2
cpe:/a:lm_sensors:lm_sensors:2.9.0
cpe:/a:lm_sensors:lm_sensors:2.3.1
cpe:/a:lm_sensors:lm_sensors:2.5.2
cpe:/a:lm_sensors:lm_sensors:2.0.0
cpe:/a:lm_sensors:lm_sensors:2.6.3
cpe:/a:lm_sensors:lm_sensors:2.5.1
cpe:/a:lm_sensors:lm_sensors:2.5.4
cpe:/a:lm_sensors:lm_sensors:2.5.3

- OVAL (用于检测的技术细节)

oval:org.mitre.oval:def:9993pwmconfig in LM_sensors before 2.9.1 creates temporary files insecurely, which allows local users to overwrite arbitrary files via a symlink...
*OVAL详细的描述了检测该漏洞的方法,你可以从相关的OVAL定义中找到更多检测该漏洞的技术细节。

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2672
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2672
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200508-267
(官方数据源) CNNVD

- 其它链接及资源

http://www.vupen.com/english/advisories/2005/1492
(UNKNOWN)  VUPEN  ADV-2005-1492
http://www.ubuntulinux.org/support/documentation/usn/usn-172-1
(VENDOR_ADVISORY)  UBUNTU  USN-172-1
http://www.securityfocus.com/bid/14624
(UNKNOWN)  BID  14624
http://secure.netroedge.com/~lm78/cvs/lm_sensors2/CHANGES
(UNKNOWN)  CONFIRM  http://secure.netroedge.com/~lm78/cvs/lm_sensors2/CHANGES
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=324193
(UNKNOWN)  CONFIRM  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=324193
http://www.redhat.com/support/errata/RHSA-2005-825.html
(UNKNOWN)  REDHAT  RHSA-2005:825
http://www.mandriva.com/security/advisories?name=MDKSA-2005:149
(UNKNOWN)  MANDRIVA  MDKSA-2005:149
http://www.debian.org/security/2005/dsa-814
(UNKNOWN)  DEBIAN  DSA-814
http://securitytracker.com/id?1015180
(UNKNOWN)  SECTRACK  1015180
http://secunia.com/advisories/17535
(UNKNOWN)  SECUNIA  17535
http://secunia.com/advisories/17499
(UNKNOWN)  SECUNIA  17499
http://secunia.com/advisories/16501
(UNKNOWN)  SECUNIA  16501

- 漏洞信息

LM_sensors PWMConfig 不安全临时文件创建漏洞
低危 设计错误
2005-08-23 00:00:00 2005-10-20 00:00:00
本地  
        LM_sensors 2.9.1之前的版本中的pwmconfig以不安全的方式创建临时文件。这使得本地用户可以借助于对临时文件fancontrol的符号链接攻击重写任意文件。

- 公告与补丁

        目前厂商已经发布了升级补丁以修复这个安全问题,补丁下载链接:
        lm_sensors lm_sensors 2.8.4
        Mandriva liblm_sensors3-2.8.4-2.1.100mdk.i586.rpm
        Mandrakelinux 10.0
        http://www1.mandrivalinux.com/en/ftp.php3
        Mandriva liblm_sensors3-2.8.4-2.1.C30mdk.i586.rpm
        Corporate 3.0
        http://www1.mandrivalinux.com/en/ftp.php3
        Mandriva liblm_sensors3-devel-2.8.4-2.1.100mdk.i586.rpm
        Mandrakelinux 10.0
        http://www1.mandrivalinux.com/en/ftp.php3
        Mandriva liblm_sensors3-devel-2.8.4-2.1.C30mdk.i586.rpm
        Corporate 3.0
        http://www1.mandrivalinux.com/en/ftp.php3
        Mandriva liblm_sensors3-static-devel-2.8.4-2.1.100mdk.i586.rpm
        Mandrakelinux 10.0
        http://www1.mandrivalinux.com/en/ftp.php3
        Mandriva liblm_sensors3-static-devel-2.8.4-2.1.C30mdk.i586.rpm
        Corporate 3.0
        http://www1.mandrivalinux.com/en/ftp.php3
        Mandriva lm_sensors-2.8.4-2.1.100mdk.amd64.rpm
        Mandrakelinux 10.0/AMD64
        http://www1.mandrivalinux.com/en/ftp.php3
        Mandriva lm_sensors-2.8.4-2.1.100mdk.i586.rpm
        Mandrakelinux 10.0
        http://www1.mandrivalinux.com/en/ftp.php3
        Mandriva lm_sensors-2.8.4-2.1.C30mdk.i586.rpm
        Corporate 3.0
        http://www1.mandrivalinux.com/en/ftp.php3
        Mandriva lm_sensors-2.8.4-2.1.C30mdk.x86_64.rpm
        Corporate 3.0/X86_64
        http://www1.mandrivalinux.com/en/ftp.php3
        lm_sensors lm_sensors 2.8.6
        Conectiva liblm_sensors3-2.8.6-61068U10_1cl.i386.rpm
        Conectiva 10
        ftp://atualizacoes.conectiva.com.br/10/RPMS/liblm_sensors3-2.8.6-61068 U10_1cl.i386.rpm
        Conectiva lm_sensors-2.8.6-61068U10_1cl.i386.rpm
        Conectiva 10
        ftp://atualizacoes.conectiva.com.br/10/RPMS/lm_sensors-2.8.6-61068U10_ 1cl.i386.rpm
        Conectiva lm_sensors-devel-2.8.6-61068U10_1cl.i386.rpm
        Conectiva 10
        ftp://atualizacoes.conectiva.com.br/10/RPMS/lm_sensors-devel-2.8.6-610 68U10_1cl.i386.rpm
        Conectiva lm_sensors-devel-static-2.8.6-61068U10_1cl.i386.rpm
        Conectiva 10
        ftp://atualizacoes.conectiva.com.br/10/RPMS/lm_sensors-devel-static-2. 8.6-61068U10_1cl.i386.rpm
        Conectiva lm_sensors-doc-2.8.6-61068U10_1cl.i386.rpm
        Conectiva 10
        ftp://atualizacoes.conectiva.com.br/10/RPMS/lm_sensors-doc-2.8.6-61068 U10_1cl.i386.rpm
        Conectiva lm_sensors-sensord-2.8.6-61068U10_1cl.i386.rpm
        Conectiva 10
        ftp://atualizacoes.conectiva.com.br/10/RPMS/lm_sensors-sensord-2.8.6-6 1068U10_1cl.i386.rpm
        Conectiva lm_sensors-tellerstats-2.8.6-61068U10_1cl.i386.rpm
        Conectiva 10
        ftp://atualizacoes.conectiva.com.br/10/RPMS/lm_sensors-tellerstats-2.8 .6-61068U10_1cl.i386.rpm
        lm_sensors lm_sensors 2.8.7
        Mandriva liblm_sensors3-2.8.7-7.1.101mdk.i586.rpm
        Mandrakelinux 10.1
        http://www1.mandrivalinux.com/en/ftp.php3
        Mandriva liblm_sensors3-2.9.0-4.1.102mdk.i586.rpm
        Mandrakelinux 10.2
        http://www1.mandrivalinux.com/en/ftp.php3
        Mandriva liblm_sensors3-devel-2.8.7-7.1.101mdk.i586.rpm
        Mandrakelinux 10.1
        http://www1.mandrivalinux.com/en/ftp.php3
        Mandriva liblm_sensors3-devel-2.9.0-4.1.102mdk.i586.rpm
        Mandrakelinux 10.2
        http://www1.mandrivalinux.com/en/ftp.php3
        Mandriva liblm_sensors3-static-devel-2.8.7-7.1.101mdk.i586.rpm
        Mandrakelinux 10.1
        http://www1.mandrivalinux.com/en/ftp.php3
        Mandriva lm_sensors-2.8.7-7.1.101mdk.i586.rpm
        Mandrakelinux 10.1
        http://www1.mandrivalinux.com/en/ftp.php3
        Mandriva lm_sensors-2.8.7-7.1.101mdk.x86_64.rpm
        Mandrakelinux 10.1/X86_64
        http://www1.mandrivalinux.com/en/ftp.php3
        RedHat Fedora lm_sensors-2.8.7-2.FC3.1.i386.rpm
        Fedora Core 3
        http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/
        RedHat Fedora lm_sensors-2.8.7-2.FC3.1.x86_64.rpm
        Fedora Core 3
        http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/
        RedHat Fedora lm_sensors-debuginfo-2.8.7-2.FC3.1.i386.rpm
        Fedora Core 3
        http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/
        RedHat Fedora lm_sensors-debuginfo-2.8.7-2.FC3.1.x86_64.rpm
        Fedora Core 3
        http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/
        RedHat Fedora lm_sensors-devel-2.8.7-2.FC3.1.i386.rpm
        Fedora Core 3
        http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/
        RedHat Fedora lm_sensors-devel-2.8.7-2.FC3.1.x86_64.rpm
        Fedora Core 3
        http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/
        lm_sensors lm_sensors 2.

- 漏洞信息 (F40100)

Debian Linux Security Advisory 814-1 (PacketStormID:F40100)
2005-09-20 00:00:00
Debian  debian.org
advisory
linux,debian
CVE-2005-2672
[点击下载]

Debian Security Advisory DSA 814-1 - Javier Fern

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 814-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
September 15th, 2005                    http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : lm-sensors
Vulnerability  : insecure temporary file
Problem type   : local
Debian-specific: no
CVE ID         : CAN-2005-2672]
Debian Bug     : 324193

Javier Fern    

- 漏洞信息 (F39718)

Gentoo Linux Security Advisory 200508-19 (PacketStormID:F39718)
2005-08-31 00:00:00
Gentoo  security.gentoo.org
advisory
linux,gentoo
CVE-2005-2672
[点击下载]

Gentoo Linux Security Advisory GLSA 200508-19 - Javier Fernandez-Sanguino Pena has discovered that lm_sensors insecurely creates temporary files with predictable filenames when saving configurations. Versions less than 2.9.1-r1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200508-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: lm_sensors: Insecure temporary file creation
      Date: August 30, 2005
      Bugs: #103568
        ID: 200508-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

lm_sensors is vulnerable to linking attacks, potentially allowing a
local user to overwrite arbitrary files.

Background
==========

lm_sensors is a software package that provides drivers for monitoring
the temperatures, voltages, and fans of Linux systems with hardware
monitoring devices.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                  Unaffected
    -------------------------------------------------------------------
  1  sys-apps/lm_sensors     < 2.9.1-r1                    >= 2.9.1-r1

Description
===========

Javier Fernandez-Sanguino Pena has discovered that lm_sensors
insecurely creates temporary files with predictable filenames when
saving configurations.

Impact
======

A local attacker could create symbolic links in the temporary file
directory, pointing to a valid file somewhere on the filesystem. When
the pwmconfig script of lm_sensors is executed, this would result in
the file being overwritten with the rights of the user running the
script, which typically is the root user.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All lm_sensors users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=sys-apps/lm_sensors-2.9.1-r1"

References
==========

  [ 1 ] CAN-2005-2672
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2672

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200508-19.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

    

- 漏洞信息

18905
lm_sensors /tmp/fancontrol Symlink Arbitrary File Overwrite
Local Access Required Denial of Service, Race Condition
Loss of Integrity, Loss of Availability
Exploit Public Vendor Verified

- 漏洞描述

lm_sensors contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered by the pwmconfig script, which creates the temporary file "/tmp/fancontrol" insecurely when saving the configuration. This can allow the user to creat or overwrite arbitrary files with the privileges of the user invoking the vulnerable script via a well timed symlink. This flaw may lead to a loss of availability and integrity.

- 时间线

2005-08-22 Unknow
2005-08-22 Unknow

- 解决方案

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- 相关参考

- 漏洞作者

- 漏洞信息

LM_sensors PWMConfig Insecure Temporary File Creation Vulnerability
Design Error 14624
No Yes
2005-08-22 12:00:00 2009-07-12 05:06:00
Discovery is credited to Javier Fernandez-Sanguino Pena.

- 受影响的程序版本

RedHat Enterprise Linux WS 4
RedHat Enterprise Linux ES 4
RedHat Desktop 4.0
Red Hat Fedora Core4
Red Hat Fedora Core3
Red Hat Enterprise Linux AS 4
Mandriva Linux Mandrake 10.2 x86_64
Mandriva Linux Mandrake 10.2
Mandriva Linux Mandrake 10.1 x86_64
Mandriva Linux Mandrake 10.1
Mandriva Linux Mandrake 10.0 AMD64
Mandriva Linux Mandrake 10.0
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0
lm_sensors lm_sensors 2.9.1
lm_sensors lm_sensors 2.9
lm_sensors lm_sensors 2.8.8
+ Ubuntu Ubuntu Linux 5.0 4 powerpc
+ Ubuntu Ubuntu Linux 5.0 4 i386
+ Ubuntu Ubuntu Linux 5.0 4 amd64
lm_sensors lm_sensors 2.8.7
lm_sensors lm_sensors 2.8.6
+ Conectiva Linux 10.0
lm_sensors lm_sensors 2.8.4
Gentoo Linux
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1
Conectiva Linux 10.0

- 漏洞讨论

lm_sensors creates temporary files in an insecure manner. The issue exists in the 'pwmconfig' script.

Exploitation would most likely result in loss of data or a denial of service if critical files are overwritten in the attack. Other attacks may be possible as well.

lm_sensors version 2.9.1 is reportedly affected, however, other versions may be vulnerable as well.

- 漏洞利用

There is no exploit required.

- 解决方案

Ubuntu has released security advisory USN-172-1 addressing this issue. Please see the referenced advisory for details on obtaining and applying the appropriate updates.

Mandriva has released advisory MDKSA-2005:149 and fixes to address this issue. Please see the referenced advisory for links to fixes.

Gentoo has released security advisory GLSA 200508-19 addressing this issue. Gentoo recommends all lm_sensors users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/lm_sensors-2.9.1-r1"

Debian has released security advisory 814-1 and fixes to address this issue. Please see the referenced advisory for links to fixes.

Conectiva Linux has released security advisory CLSA-2005:1012 addressing this issue. Please see the referenced advisory for details on obtaining and applying the appropriate updates.

RedHat Fedora has released security advisories FEDORA-2005-1053 and FEDORA-2005-1054 addressing this issue for Fedora Core 3 and Core 4. Users are advised to see the referenced advisories for details on obtaining and applying the appropriate updates.

RedHat Linux has released security advisory RHSA-2005:825-13 addressing this issue for their Desktop and Enterprise editions. Please see the referenced Web advisory for further information.

--
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.


lm_sensors lm_sensors 2.8.4

lm_sensors lm_sensors 2.8.6

lm_sensors lm_sensors 2.8.7

lm_sensors lm_sensors 2.8.8

lm_sensors lm_sensors 2.9

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站