CVE-2005-3069
CVSS2.1
发布时间 :2005-09-27 15:03:00
修订时间 :2008-09-05 16:53:22
NMCOPS    

[原文]xferfaxstats in HylaFax 4.2.1 and earlier allows local users to overwrite arbitrary files via a symlink attack on the xferfax$$ temporary file.


[CNNVD]HylaFAX xferfaxstats不安全临时文件创建漏洞(CNNVD-200509-263)

        HylaFax是一款UNIX上的收发传真软件。
        HylaFax 4.2.1及早期版本的xferfaxstats存在安全漏洞,本地用户可以发动对xferfax$$临时文件的symlink攻击,从而覆盖任意文件。

- CVSS (基础分值)

CVSS分值: 2.1 [轻微(LOW)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3069
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3069
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200509-263
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/14907
(UNKNOWN)  BID  14907
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=329384
(VENDOR_ADVISORY)  CONFIRM  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=329384
http://www.mandriva.com/security/advisories?name=MDKSA-2005:177
(UNKNOWN)  MANDRIVA  MDKSA-2005:177
http://www.gentoo.org/security/en/glsa/glsa-200509-21.xml
(UNKNOWN)  GENTOO  GLSA-200509-21
http://www.debian.org/security/2005/dsa-865
(UNKNOWN)  DEBIAN  DSA-865
http://secunia.com/advisories/17187
(UNKNOWN)  SECUNIA  17187
http://secunia.com/advisories/17107
(UNKNOWN)  SECUNIA  17107
http://secunia.com/advisories/17022
(UNKNOWN)  SECUNIA  17022
http://secunia.com/advisories/16906
(UNKNOWN)  SECUNIA  16906

- 漏洞信息

HylaFAX xferfaxstats不安全临时文件创建漏洞
低危 设计错误
2005-09-27 00:00:00 2005-10-20 00:00:00
本地  
        HylaFax是一款UNIX上的收发传真软件。
        HylaFax 4.2.1及早期版本的xferfaxstats存在安全漏洞,本地用户可以发动对xferfax$$临时文件的symlink攻击,从而覆盖任意文件。

- 公告与补丁

        暂无数据

- 漏洞信息 (F40698)

Debian Linux Security Advisory 865-1 (PacketStormID:F40698)
2005-10-13 00:00:00
Debian  security.debian.org
advisory
linux,debian
CVE-2005-3069
[点击下载]

Debian Security Advisory DSA 865-1 - Javier Fernandez-Sanguino Pena discovered that several scripts of the hylafax suite, a flexible client/server fax software, create temporary files and directories in an insecure fashion, leaving them vulnerable to symlink exploits.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 865-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
October 13th, 2005                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : hylafax
Vulnerability  : insecure temporary files
Problem type   : local
Debian-specific: no
CVE ID         : CAN-2005-3069
CERT advisory  : 
BugTraq ID     : 
Debian Bug     : 

Javier Fern    

- 漏洞信息 (F40517)

Mandriva Linux Security Advisory 2005.177 (PacketStormID:F40517)
2005-10-08 00:00:00
Mandriva  mandriva.com
advisory,arbitrary,local
linux,unix,mandriva
CVE-2005-3069,CVE-2005-3070
[点击下载]

Mandriva Linux Security Update Advisory - faxcron, recvstats, and xferfaxstats in HylaFax 4.2.1 and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary files. In addition, HylaFax has some provisional support for Unix domain sockets, which is disabled in the default compile configuration. It is suspected that a local user could create a fake /tmp/hyla.unix socket and intercept fax traffic via this socket. In testing for this vulnerability, with CONFIG_UNIXTRANSPORT disabled, it has been found that client programs correctly exit before sending any data.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                Mandriva Linux Security Update Advisory
 _______________________________________________________________________

 Package name:           hylafax
 Advisory ID:            MDKSA-2005:177
 Date:                   October 7th, 2005

 Affected versions:	 10.1, 10.2, 2006.0, Corporate 3.0,
			 Corporate Server 2.1
 ______________________________________________________________________

 Problem Description:

 faxcron, recvstats, and xferfaxstats in HylaFax 4.2.1 and earlier
 allows local users to overwrite arbitrary files via a symlink attack
 on temporary files. (CAN-2005-3069)
 
 In addition, HylaFax has some provisional support for Unix domain
 sockets, which is disabled in the default compile configuration. It is
 suspected that a local user could create a fake /tmp/hyla.unix socket
 and intercept fax traffic via this socket. In testing for this
 vulnerability, with  CONFIG_UNIXTRANSPORT disabled, it has been found
 that client programs  correctly exit before sending any data.
 (CAN-2005-3070)
 
 The updated packages have been patched to correct these issues.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3069
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3070
 ______________________________________________________________________

 Updated Packages:
  
 Mandrivalinux 10.1:
 f7ca9274944776e0c8a697b77cc517ea  10.1/RPMS/hylafax-4.2.0-1.3.101mdk.i586.rpm
 c49a39ddf8151f10b06b0ac70dc9c3e8  10.1/RPMS/hylafax-client-4.2.0-1.3.101mdk.i586.rpm
 77211d2fe0790d276694b1cf3d2d855c  10.1/RPMS/hylafax-server-4.2.0-1.3.101mdk.i586.rpm
 aaaca7a343600961e87f6c6e4ead0c8d  10.1/RPMS/libhylafax4.2.0-4.2.0-1.3.101mdk.i586.rpm
 da5bce1b0c53e298dcd7cb5ef0dbab5d  10.1/RPMS/libhylafax4.2.0-devel-4.2.0-1.3.101mdk.i586.rpm
 ca2bdc57603dda7f982c59626d9e2a02  10.1/SRPMS/hylafax-4.2.0-1.3.101mdk.src.rpm

 Mandrivalinux 10.1/X86_64:
 35f7d808588e1d9ad5b8de2c9e5c8cb0  x86_64/10.1/RPMS/hylafax-4.2.0-1.3.101mdk.x86_64.rpm
 1b8a373e8d1d005b4b14124dba7b5df1  x86_64/10.1/RPMS/hylafax-client-4.2.0-1.3.101mdk.x86_64.rpm
 5f169d7d2377d8066e2d13c771d431eb  x86_64/10.1/RPMS/hylafax-server-4.2.0-1.3.101mdk.x86_64.rpm
 677f9360dcdfca9f86967ad4c6f738f1  x86_64/10.1/RPMS/lib64hylafax4.2.0-4.2.0-1.3.101mdk.x86_64.rpm
 e2185b51d1d9568ccca76e37cd99e98b  x86_64/10.1/RPMS/lib64hylafax4.2.0-devel-4.2.0-1.3.101mdk.x86_64.rpm
 ca2bdc57603dda7f982c59626d9e2a02  x86_64/10.1/SRPMS/hylafax-4.2.0-1.3.101mdk.src.rpm

 Mandrivalinux 10.2:
 55a1638f62262ff6a156006a460ef681  10.2/RPMS/hylafax-4.2.0-3.1.102mdk.i586.rpm
 d02bb11c38379885513c742cf09212c0  10.2/RPMS/hylafax-client-4.2.0-3.1.102mdk.i586.rpm
 d425b48947dc0bc5dc78b5512bf06fb9  10.2/RPMS/hylafax-server-4.2.0-3.1.102mdk.i586.rpm
 0652d1bca7a8904a9443c1e88939a9ee  10.2/RPMS/libhylafax4.2.0-4.2.0-3.1.102mdk.i586.rpm
 71f742c2355201f94130bfc0febfcfd1  10.2/RPMS/libhylafax4.2.0-devel-4.2.0-3.1.102mdk.i586.rpm
 f8e2073acf5408bf8b55b3d22e55e2b2  10.2/SRPMS/hylafax-4.2.0-3.1.102mdk.src.rpm

 Mandrivalinux 10.2/X86_64:
 80b93124024f35ac604bca04c2157b6b  x86_64/10.2/RPMS/hylafax-4.2.0-3.1.102mdk.x86_64.rpm
 54de1417816622492047cd95fcd192d1  x86_64/10.2/RPMS/hylafax-client-4.2.0-3.1.102mdk.x86_64.rpm
 2682977698f5665e0bfde4f04123d817  x86_64/10.2/RPMS/hylafax-server-4.2.0-3.1.102mdk.x86_64.rpm
 30820c2cbf827ff91e55c6c29ec795a7  x86_64/10.2/RPMS/lib64hylafax4.2.0-4.2.0-3.1.102mdk.x86_64.rpm
 d8aae5eacf14c4f8321512e8c2696542  x86_64/10.2/RPMS/lib64hylafax4.2.0-devel-4.2.0-3.1.102mdk.x86_64.rpm
 f8e2073acf5408bf8b55b3d22e55e2b2  x86_64/10.2/SRPMS/hylafax-4.2.0-3.1.102mdk.src.rpm

 Mandrivalinux 2006.0:
 8e97d7f9a84998a8c067c4b6185931cc  2006.0/RPMS/hylafax-4.2.1-2.1.20060mdk.i586.rpm
 3d61efb5c464b443ac8ed26310a9db46  2006.0/RPMS/hylafax-client-4.2.1-2.1.20060mdk.i586.rpm
 a42170bbc1d3acebe176dc6beb286c40  2006.0/RPMS/hylafax-server-4.2.1-2.1.20060mdk.i586.rpm
 ffca2d97b9de37c2f07af1f8b5a556bf  2006.0/RPMS/libhylafax4.2.0-4.2.1-2.1.20060mdk.i586.rpm
 54b789ce44dffb9b22d6777d8796d264  2006.0/RPMS/libhylafax4.2.0-devel-4.2.1-2.1.20060mdk.i586.rpm
 3d78c1a88aecbd9d6ae0a947cf2eaa29  2006.0/SRPMS/hylafax-4.2.1-2.1.20060mdk.src.rpm

 Mandrivalinux 2006.0/X86_64:
 39a1e3bf1a63d33b424888a4a5c7faac  x86_64/2006.0/RPMS/hylafax-4.2.1-2.1.20060mdk.x86_64.rpm
 4908c196d94d4bc72e1e79091ca7a098  x86_64/2006.0/RPMS/hylafax-client-4.2.1-2.1.20060mdk.x86_64.rpm
 7f9ea9edf76faf3f3b917c96d8110ed5  x86_64/2006.0/RPMS/hylafax-server-4.2.1-2.1.20060mdk.x86_64.rpm
 af2ec227f9d5b98b53c94bff68e47c50  x86_64/2006.0/RPMS/lib64hylafax4.2.0-4.2.1-2.1.20060mdk.x86_64.rpm
 6840b4ff77f07090faa5b32620c05afe  x86_64/2006.0/RPMS/lib64hylafax4.2.0-devel-4.2.1-2.1.20060mdk.x86_64.rpm
 3d78c1a88aecbd9d6ae0a947cf2eaa29  x86_64/2006.0/SRPMS/hylafax-4.2.1-2.1.20060mdk.src.rpm

 Corporate Server 2.1:
 e0e77173d66d6a0c31ffc84cd40a4253  corporate/2.1/RPMS/hylafax-4.1.3-5.3.C21mdk.i586.rpm
 6f38a677c369b3a2110bd508a2a439e3  corporate/2.1/RPMS/hylafax-client-4.1.3-5.3.C21mdk.i586.rpm
 fce937eeb3257adefe370294bbb8516e  corporate/2.1/RPMS/hylafax-server-4.1.3-5.3.C21mdk.i586.rpm
 bfe2fedab3fdbbb726995e4a6e4a93ac  corporate/2.1/RPMS/libhylafax4.1.1-4.1.3-5.3.C21mdk.i586.rpm
 c4b2bb4b1ab084a2949a934978a33d7f  corporate/2.1/RPMS/libhylafax4.1.1-devel-4.1.3-5.3.C21mdk.i586.rpm
 763f4270d854d27b53c83c378bf81151  corporate/2.1/SRPMS/hylafax-4.1.3-5.3.C21mdk.src.rpm

 Corporate Server 2.1/X86_64:
 213b760b160484b8e17e5da32f974048  x86_64/corporate/2.1/RPMS/hylafax-4.1.3-5.3.C21mdk.x86_64.rpm
 a4069af7c182c925844fcdcbad0b6ad6  x86_64/corporate/2.1/RPMS/hylafax-client-4.1.3-5.3.C21mdk.x86_64.rpm
 840537452b7e5dcc83e36d72e5b9071f  x86_64/corporate/2.1/RPMS/hylafax-server-4.1.3-5.3.C21mdk.x86_64.rpm
 2897c385ffe1e5c5ee76d01114ad6bee  x86_64/corporate/2.1/RPMS/libhylafax4.1.1-4.1.3-5.3.C21mdk.x86_64.rpm
 674cef6c3e5b272e048218eb5e6ca8a2  x86_64/corporate/2.1/RPMS/libhylafax4.1.1-devel-4.1.3-5.3.C21mdk.x86_64.rpm
 763f4270d854d27b53c83c378bf81151  x86_64/corporate/2.1/SRPMS/hylafax-4.1.3-5.3.C21mdk.src.rpm

 Corporate 3.0:
 2d17a03f1ef3f420981fea8bf5ebc6ff  corporate/3.0/RPMS/hylafax-4.1.8-2.3.C30mdk.i586.rpm
 ef93ab687c830d4699419eed55871c1d  corporate/3.0/RPMS/hylafax-client-4.1.8-2.3.C30mdk.i586.rpm
 8faf097e36be844cb3c8a4fcc7c75649  corporate/3.0/RPMS/hylafax-server-4.1.8-2.3.C30mdk.i586.rpm
 3c90cd27d8ea5425c3ebc9e6ee492b18  corporate/3.0/RPMS/libhylafax4.1.1-4.1.8-2.3.C30mdk.i586.rpm
 c01ef9626e435416defde272371e87a9  corporate/3.0/RPMS/libhylafax4.1.1-devel-4.1.8-2.3.C30mdk.i586.rpm
 97e37c030a7cebe18b11f661f970d23e  corporate/3.0/SRPMS/hylafax-4.1.8-2.3.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 1e12ff7fbbcf33edc62482e5335235ae  x86_64/corporate/3.0/RPMS/hylafax-4.1.8-2.3.C30mdk.x86_64.rpm
 7b519165eb5b6c1fd8f70abc822f44c8  x86_64/corporate/3.0/RPMS/hylafax-client-4.1.8-2.3.C30mdk.x86_64.rpm
 d83092b4fec23beec97c7fde051d9313  x86_64/corporate/3.0/RPMS/hylafax-server-4.1.8-2.3.C30mdk.x86_64.rpm
 caf5f33b0eb919237378a1a683d5a933  x86_64/corporate/3.0/RPMS/lib64hylafax4.1.1-4.1.8-2.3.C30mdk.x86_64.rpm
 3a5b5836bb53c4ace02d15c1a13d0086  x86_64/corporate/3.0/RPMS/lib64hylafax4.1.1-devel-4.1.8-2.3.C30mdk.x86_64.rpm
 97e37c030a7cebe18b11f661f970d23e  x86_64/corporate/3.0/SRPMS/hylafax-4.1.8-2.3.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDRvLhmqjQ0CJFipgRAlULAKCPLF3KhIe4r7m5A5xDmQNy7XovmACgxv5h
HW+zpFscZoq4KyAycexh98k=
=XtSc
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
    

- 漏洞信息

19596
HylaFAX xferfaxstats Symlink Arbitrary File Overwrite
Local Access Required Race Condition
Loss of Integrity Upgrade
Vendor Verified

- 漏洞描述

- 时间线

2005-09-21 Unknow
Unknow Unknow

- 解决方案

Upgrade to version 4.2.2 RC1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

HylaFAX Insecure Temporary File Creation Vulnerability
Design Error 14907
No Yes
2005-09-22 12:00:00 2009-07-12 05:06:00
Javier Fernandez-Sanguino Pena is credited with the discovery of this vulnerability.

- 受影响的程序版本

Mandriva Linux Mandrake 2006.0 x86_64
Mandriva Linux Mandrake 2006.0
Mandriva Linux Mandrake 10.2 x86_64
Mandriva Linux Mandrake 10.2
Mandriva Linux Mandrake 10.1 x86_64
Mandriva Linux Mandrake 10.1
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0
MandrakeSoft Corporate Server 2.1 x86_64
MandrakeSoft Corporate Server 2.1
Hylafax Hylafax 4.2.1
- Gentoo Linux
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1
Debian Linux 3.0 sparc
Debian Linux 3.0 s/390
Debian Linux 3.0 ppc
Debian Linux 3.0 mipsel
Debian Linux 3.0 mips
Debian Linux 3.0 m68k
Debian Linux 3.0 ia-64
Debian Linux 3.0 ia-32
Debian Linux 3.0 hppa
Debian Linux 3.0 arm
Debian Linux 3.0 alpha
Debian Linux 3.0

- 漏洞讨论

HylaFAX creates temporary files in an insecure manner. This may allow a local attacker to perform symbolic link attacks.

Successful exploitation may result in sensitive data or configuration files being overwritten. This may result in a denial of service; other attacks may also be possible.

- 漏洞利用

No exploit is required.

- 解决方案

Gentoo has released advisory GLSA 200509-21 to address this issue. Gentoo updates may be applied by running the following commands as the superuser:

emerge --sync
emerge --ask --oneshot --verbose net-misc/hylafax

Mandriva has released advisory MDKSA-2005:177, along with fixes to address this issue in various Mandrake Linux operating systems. Please see the referenced advisory for further information.

Debian Linux has released security advisory DSA 865-1 addressing this issue. Please see the referenced advisory for details on obtaining and applying the appropriate updates.

---
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.


Hylafax Hylafax 4.2.1

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站