CVE-2006-0055
CVSS 2.1
Published: 2006-01-11 16:03:00
Revised: 2008-09-05 16:58:14

[Original] The ispell_op function in ee on FreeBSD 4.10 to 6.0 uses predictable filenames and does not confirm which file is being written, which allows local users to overwrite arbitrary files via a symlink attack when ee invokes ispell.


[CNNVD] FreeBSD EE Temporary File Creation Vulnerability (CNNVD-200601-117)

        The ispell_op function in ee on FreeBSD 4.10 through 6.0 uses predictable filenames and does not confirm which file is being written, which allows local users to overwrite arbitrary files via a symlink attack when ee invokes ispell.

- CVSS (base score)

CVSS score: 2.1 [LOW]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on system availability]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required]

- CPE (affected platforms and products)

cpe:/o:freebsd:freebsd:5.1 (FreeBSD 5.1)
cpe:/o:freebsd:freebsd:4.10:releng
cpe:/o:freebsd:freebsd:5.0:release_p14
cpe:/o:freebsd:freebsd:5.1:release_p5
cpe:/o:freebsd:freebsd:5.2.1:release
cpe:/o:freebsd:freebsd:5.0 (FreeBSD 5.0)
cpe:/o:freebsd:freebsd:4.11:release_p3
cpe:/o:freebsd:freebsd:5.3:stable
cpe:/o:freebsd:freebsd:4.11:releng
cpe:/o:freebsd:freebsd:5.3:releng
cpe:/o:freebsd:freebsd:5.0:releng
cpe:/o:freebsd:freebsd:5.1:release
cpe:/o:freebsd:freebsd:5.1:releng
cpe:/o:freebsd:freebsd:5.0:alpha
cpe:/o:freebsd:freebsd:5.4:release
cpe:/o:freebsd:freebsd:4.10:release
cpe:/o:freebsd:freebsd:6.0:release
cpe:/o:freebsd:freebsd:5.3:release
cpe:/o:freebsd:freebsd:6.0:stable
cpe:/o:freebsd:freebsd:4.11:stable
cpe:/o:freebsd:freebsd:5.4:pre-release
cpe:/o:freebsd:freebsd:5.1:alpha
cpe:/o:freebsd:freebsd:5.3 (FreeBSD 5.3)
cpe:/o:freebsd:freebsd:4.10 (FreeBSD 4.10)
cpe:/o:freebsd:freebsd:5.2 (FreeBSD 5.2)
cpe:/o:freebsd:freebsd:5.4:releng
cpe:/o:freebsd:freebsd:4.10:release_p8
cpe:/o:freebsd:freebsd:5.2.1:releng

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0055
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0055
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200601-117
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/16207
(PATCH)  BID  16207
http://secunia.com/advisories/18404
(VENDOR_ADVISORY)  SECUNIA  18404
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:02.ee.asc
(UNKNOWN)  FREEBSD  FreeBSD-SA-06:02
http://xforce.iss.net/xforce/xfdb/24074
(UNKNOWN)  XF  ee-ispell-op-symlink(24074)
http://www.osvdb.org/22320
(UNKNOWN)  OSVDB  22320
http://securitytracker.com/id?1015469
(UNKNOWN)  SECTRACK  1015469

- Vulnerability information

FreeBSD EE Temporary File Creation Vulnerability
Low severity; design error
2006-01-11 00:00:00 2006-01-13 00:00:00
Local
        The ispell_op function in ee on FreeBSD 4.10 through 6.0 uses predictable filenames and does not confirm which file is being written, which allows local users to overwrite arbitrary files via a symlink attack when ee invokes ispell.

- Advisories and patches

        The vendor has released a patch to fix this security issue. Patch download link:
        FreeBSD ee.patch (applies to FreeBSD 4.10-RELEASE-p8, 4.10-RELEASE, 4.10-RELENG, 4.11-RELEASE-p3, 4.11-RELENG, 5.3, 5.4-PRERELEASE, 5.4-RELEASE, 5.4-RELENG, 6.0-STABLE, 6.0-RELEASE):
        ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:02/ee.patch

- Vulnerability information (F43050)

FreeBSD-SA-06-02.ee.txt (PacketStormID:F43050)
2006-01-15 00:00:00
 
advisory
freebsd
CVE-2006-0055

FreeBSD Security Advisory - The ispell_op function used by ee(1) while executing spell check operations employs an insecure method of temporary file generation. This method produces predictable file names based on the process ID and fails to confirm with the user which path will be overwritten.


=============================================================================
FreeBSD-SA-06:02.ee                                         Security Advisory
                                                          The FreeBSD Project

Topic:          ee temporary file privilege escalation

Category:       core
Module:         ee
Announced:      2006-01-11
Credits:        Christian S.J. Peron
Affects:        All FreeBSD versions
Corrected:      2006-01-11 08:02:16 UTC (RELENG_6, 6.0-STABLE)
                2006-01-11 08:03:18 UTC (RELENG_6_0, 6.0-RELEASE-p2)
                2006-01-11 08:03:55 UTC (RELENG_5, 5.4-STABLE)
                2006-01-11 08:04:33 UTC (RELENG_5_4, 5.4-RELEASE-p9)
                2006-01-11 08:05:54 UTC (RELENG_5_3, 5.3-RELEASE-p24)
                2006-01-11 08:06:47 UTC (RELENG_4, 4.11-STABLE)
                2006-01-11 08:07:18 UTC (RELENG_4_11, 4.11-RELEASE-p14)
                2006-01-11 08:08:08 UTC (RELENG_4_10, 4.10-RELEASE-p20)
CVE Name:       CVE-2006-0055

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I.   Background

The ee utility is a simple screen oriented text editor. This editor is
popular with a lot of users due to its ease of use.

II.  Problem Description

The ispell_op function used by ee(1) while executing spell check
operations employs an insecure method of temporary file generation.
This method produces predictable file names based on the process ID
and fails to confirm with the user which path will be overwritten.

It should be noted that ispell does not have to be installed in order
for this to be exploited.  The option simply needs to be selected.

III. Impact

These predictable temporary file names are problematic because they
allow an attacker to take advantage of a race condition in order to
execute a symlink attack, which could allow them to overwrite files
on the system in the context of the user running the ee(1) editor.

IV.  Workaround

Instead of invoking ispell through ee(1), invoke it directly.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE, 5-STABLE, or 6-STABLE,
or to the RELENG_6_0, RELENG_5_4, RELENG_5_3, RELENG_4_11, or
RELENG_4_10 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.10,
4.11, 5.3, 5.4, and 6.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:02/ee.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:02/ee.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.bin/ee
# make obj && make depend && make && make install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
---------------------------------------------------------------------------
RELENG_4
  usr.bin/ee/ee.c                                                1.16.2.9
RELENG_4_11
  src/UPDATING                                             1.73.2.91.2.15
  src/sys/conf/newvers.sh                                  1.44.2.39.2.18
  usr.bin/ee/ee.c                                            1.16.2.7.6.1
RELENG_4_10
  src/UPDATING                                             1.73.2.90.2.21
  src/sys/conf/newvers.sh                                  1.44.2.34.2.22
  usr.bin/ee/ee.c                                            1.16.2.7.4.1
RELENG_5
  usr.bin/ee/ee.c                                                1.31.4.2
RELENG_5_4
  src/UPDATING                                            1.342.2.24.2.18
  src/sys/conf/newvers.sh                                  1.62.2.18.2.14
  usr.bin/ee/ee.c                                            1.31.4.1.2.1
RELENG_5_3
  src/UPDATING                                            1.342.2.13.2.27
  src/sys/conf/newvers.sh                                  1.62.2.15.2.29
  usr.bin/ee/ee.c                                                1.31.6.1
RELENG_6
  usr.bin/ee/ee.c                                                1.32.2.1
RELENG_6_0
  src/UPDATING                                              1.416.2.3.2.7
  src/sys/conf/newvers.sh                                    1.69.2.8.2.3
  usr.bin/ee/ee.c                                                1.32.4.1
---------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0055

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:02.ee.asc
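The advisory's Problem Description names two defects: a temporary-file name computed from the process ID, and no validation of what that path refers to before it is written. The C below is an added example, not ee's source or the FreeBSD fix: it reconstructs the weak naming pattern as the advisory describes it beside a mkstemp()-based replacement that validates the open descriptor with fstat() rather than trusting the path. The "/tmp/ee.%d" format string and all function names are assumptions.

```c
/* Added example, not ee's own source or the FreeBSD fix: the PID-based
 * temp-file naming the advisory describes, beside a mkstemp()-based
 * replacement that validates the open descriptor instead of the path. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern (reconstruction; the "/tmp/ee.%d" format is an assumption):
 * the name is a pure function of the PID, so a local user can compute it
 * ahead of time and place something else at that path first. */
int insecure_tmp_name(pid_t pid, char *buf, size_t len)
{
    return snprintf(buf, len, "/tmp/ee.%d", (int)pid) < (int)len;
}

/* Hardened replacement: mkstemp() chooses an unpredictable suffix and
 * opens with O_CREAT|O_EXCL and mode 0600, so a pre-placed symlink makes
 * the open fail rather than being followed. Returns an fd, or -1. */
int secure_tmp_open(char *path, size_t len)
{
    struct stat st;
    int fd;
    if (len < sizeof("/tmp/ee.XXXXXX")) return -1;
    strcpy(path, "/tmp/ee.XXXXXX");
    fd = mkstemp(path);
    if (fd < 0) return -1;
    /* Validate the object we actually hold, not its name: fstat() on the
     * descriptor cannot be raced through the filesystem namespace. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd); unlink(path); return -1;
    }
    return fd;
}
/* Dumps the editor buffer into a fresh temp file for an external spell
 * checker. Returns 0 on success; the caller unlinks path when done. */
int write_buffer_to_tmp(const char *text, char *path, size_t len)
{
    size_t n = strlen(text);
    int fd = secure_tmp_open(path, len);
    if (fd < 0) return -1;
    if (write(fd, text, n) != (ssize_t)n) {
        close(fd); unlink(path); return -1;
    }
    return close(fd);
}
```

The same fstat() checks (regular file, single link, owned by the caller) are the ones to apply before re-reading the spell checker's output, since the file name is just as exposed on the return trip.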

- Vulnerability information

22320
FreeBSD ee ispell_op Function Symlink Arbitrary File Overwrite
Local Access Required Race Condition
Loss of Integrity

- Vulnerability description

The Easy Editor (ee) on FreeBSD contains a flaw that may allow a malicious local user to overwrite arbitrary files on the system. The issue is due to the program invoking the ispell_op function, which creates temporary files insecurely under ee. It is possible for a user to use a symlink-style attack to manipulate arbitrary files with the privileges of the user running ee, resulting in a loss of integrity.

- Timeline

2006-01-11 Unknown
Unknown Unknown

- Solution

Upgrade to 4-STABLE, 5-STABLE, or 6-STABLE, or to the RELENG_6_0, RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch dated after the correction date, as it has been reported to fix this vulnerability. In addition, FreeBSD has released a patch to address this vulnerability. It is also possible to correct the flaw by implementing the following workaround: instead of invoking ispell through ee, invoke it directly.

- Related references

- Vulnerability author

- Vulnerability information

FreeBSD EE Insecure Temporary File Creation Vulnerability
Class: Design Error   BID: 16207
Remote: No   Local: Yes
Published: 2006-01-11 12:00:00   Updated: 2006-01-11 12:00:00
Christian S.J. Peron is credited with the discovery of this vulnerability.

- Affected program versions

Nortel Networks Contivity 2500 VPN Switch 0
FreeBSD FreeBSD 6.0 -STABLE
FreeBSD FreeBSD 6.0 -RELEASE
FreeBSD FreeBSD 5.4 -RELENG
FreeBSD FreeBSD 5.4 -RELEASE
FreeBSD FreeBSD 5.4 -PRERELEASE
FreeBSD FreeBSD 5.3 -STABLE
FreeBSD FreeBSD 5.3 -RELENG
FreeBSD FreeBSD 5.3 -RELEASE
FreeBSD FreeBSD 5.3
FreeBSD FreeBSD 5.2.1 -RELEASE
FreeBSD FreeBSD 5.2 -RELENG
FreeBSD FreeBSD 5.2 -RELEASE
FreeBSD FreeBSD 5.2
FreeBSD FreeBSD 5.1 -RELENG
FreeBSD FreeBSD 5.1 -RELEASE/Alpha
FreeBSD FreeBSD 5.1 -RELEASE-p5
FreeBSD FreeBSD 5.1 -RELEASE
FreeBSD FreeBSD 5.1
FreeBSD FreeBSD 5.0 -RELENG
FreeBSD FreeBSD 5.0 -RELEASE-p14
FreeBSD FreeBSD 5.0 alpha
FreeBSD FreeBSD 5.0
FreeBSD FreeBSD 4.11 -STABLE
FreeBSD FreeBSD 4.11 -RELENG
FreeBSD FreeBSD 4.11 -RELEASE-p3
FreeBSD FreeBSD 4.10 -RELENG
FreeBSD FreeBSD 4.10 -RELEASE-p8
FreeBSD FreeBSD 4.10 -RELEASE
FreeBSD FreeBSD 4.10
FreeBSD FreeBSD 4.9 -RELENG
FreeBSD FreeBSD 4.9 -PRERELEASE
FreeBSD FreeBSD 4.9
FreeBSD FreeBSD 4.8 -RELENG
FreeBSD FreeBSD 4.8 -RELEASE-p7
FreeBSD FreeBSD 4.8 -PRERELEASE
FreeBSD FreeBSD 4.8
FreeBSD FreeBSD 4.7 -STABLE
FreeBSD FreeBSD 4.7 -RELENG
FreeBSD FreeBSD 4.7 -RELEASE-p17
FreeBSD FreeBSD 4.7 -RELEASE
FreeBSD FreeBSD 4.7
FreeBSD FreeBSD 4.6.2
FreeBSD FreeBSD 4.6 -STABLE
FreeBSD FreeBSD 4.6 -RELENG
FreeBSD FreeBSD 4.6 -RELEASE-p20
FreeBSD FreeBSD 4.6 -RELEASE
FreeBSD FreeBSD 4.6
FreeBSD FreeBSD 4.5 -STABLEpre2002-03-07
FreeBSD FreeBSD 4.5 -STABLE
FreeBSD FreeBSD 4.5 -RELENG
FreeBSD FreeBSD 4.5 -RELEASE-p32
FreeBSD FreeBSD 4.5 -RELEASE
FreeBSD FreeBSD 4.5
FreeBSD FreeBSD 4.4 -STABLE
FreeBSD FreeBSD 4.4 -RELENG
FreeBSD FreeBSD 4.4 -RELENG
FreeBSD FreeBSD 4.4 -RELEASE-p42
FreeBSD FreeBSD 4.4
FreeBSD FreeBSD 4.3 -STABLE
FreeBSD FreeBSD 4.3 -RELENG
FreeBSD FreeBSD 4.3 -RELEASE-p38
FreeBSD FreeBSD 4.3 -RELEASE
FreeBSD FreeBSD 4.3
FreeBSD FreeBSD 4.2 -STABLEpre122300
FreeBSD FreeBSD 4.2 -STABLEpre050201
FreeBSD FreeBSD 4.2 -STABLE
FreeBSD FreeBSD 4.2 -RELEASE
FreeBSD FreeBSD 4.2
FreeBSD FreeBSD 4.1.1 -STABLE
FreeBSD FreeBSD 4.1.1 -RELEASE
FreeBSD FreeBSD 4.1.1
FreeBSD FreeBSD 4.1
FreeBSD FreeBSD 4.0 .x
FreeBSD FreeBSD 4.0 -RELENG
FreeBSD FreeBSD 4.0 alpha
FreeBSD FreeBSD 4.0
FreeBSD FreeBSD 3.5.1 -STABLEpre2001-07-20
FreeBSD FreeBSD 3.5.1 -STABLE
FreeBSD FreeBSD 3.5.1 -RELEASE
FreeBSD FreeBSD 3.5.1
FreeBSD FreeBSD 3.5 x
FreeBSD FreeBSD 3.5 -STABLEpre122300
FreeBSD FreeBSD 3.5 -STABLEpre050201
FreeBSD FreeBSD 3.5 -STABLE
FreeBSD FreeBSD 3.5
FreeBSD FreeBSD 3.4 x
FreeBSD FreeBSD 3.4
FreeBSD FreeBSD 3.3 x
FreeBSD FreeBSD 3.3
FreeBSD FreeBSD 3.2 x
FreeBSD FreeBSD 3.2
FreeBSD FreeBSD 3.1 x
FreeBSD FreeBSD 3.1
FreeBSD FreeBSD 3.0 -RELENG
FreeBSD FreeBSD 3.0
FreeBSD FreeBSD 2.2.8
FreeBSD FreeBSD 2.2.6
FreeBSD FreeBSD 2.2.5
FreeBSD FreeBSD 2.2.4
FreeBSD FreeBSD 2.2.3
FreeBSD FreeBSD 2.2.2
FreeBSD FreeBSD 2.2 x
FreeBSD FreeBSD 2.2
FreeBSD FreeBSD 2.1.7 .1
FreeBSD FreeBSD 2.1.6 .1
FreeBSD FreeBSD 2.1.6
FreeBSD FreeBSD 2.1.5
FreeBSD FreeBSD 2.1 x
FreeBSD FreeBSD 2.1
FreeBSD FreeBSD 2.0.5
FreeBSD FreeBSD 2.0
FreeBSD FreeBSD 1.1.5 .1
FreeBSD FreeBSD 4.10-PRERELEASE
FreeBSD FreeBSD 3.x
FreeBSD FreeBSD 2.x
FreeBSD FreeBSD -current

- Vulnerability discussion

ee creates temporary files in an insecure manner.

Exploitation would most likely result in loss of data or a denial of service if critical files are overwritten in the attack. Other attacks may be possible as well.

- Exploit

An exploit is not required.

- Solution

FreeBSD has released security advisory FreeBSD-SA-06:02.ee addressing this issue. Please see the referenced advisory for further information.


FreeBSD FreeBSD 4.10 -RELEASE-p8

FreeBSD FreeBSD 4.10 -RELEASE

FreeBSD FreeBSD 4.10 -RELENG

FreeBSD FreeBSD 4.11 -RELEASE-p3

FreeBSD FreeBSD 4.11 -RELENG

FreeBSD FreeBSD 5.3

FreeBSD FreeBSD 5.4 -PRERELEASE

FreeBSD FreeBSD 5.4 -RELEASE

FreeBSD FreeBSD 5.4 -RELENG

FreeBSD FreeBSD 6.0 -STABLE

FreeBSD FreeBSD 6.0 -RELEASE

- Related references
