CVE-2006-2916
CVSS 6.0
Published: 2006-06-15 06:02:00
Last revised: 2011-03-07 21:37:17

[Original] artswrapper in aRts, when running setuid root on Linux 2.6.0 or later versions, does not check the return value of the setuid function call, which allows local users to gain root privileges by causing setuid to fail, which prevents artsd from dropping privileges.


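[CNNVD] X.Org setuid Call Return Check Multiple Local Privilege Escalation Vulnerabilities (CNNVD-200606-318)

        X.Org is the X.Org Foundation's open-source implementation of the X Window System.
        X.Org has a vulnerability in how it handles dropping privileges; a local attacker may exploit it to elevate their privileges.
        X.Org does not check whether setuid() or similar calls succeed. If the call fails because of the "maximum processes" ulimit, the process goes on to perform certain privileged operations (file access) with root privileges.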
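
The unchecked privilege drop described above, next to a fail-closed version, as an added example (not code from aRts, X.Org or their patches). The names `drop_unchecked`, `drop_checked` and the two stubs are hypothetical; the stubs stand in for setuid() so the failure can be shown without root or a process limit.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Same signature as setuid(2), so a failing stand-in can be injected. */
typedef int (*setuid_fn)(uid_t);

/* Constructed stub: setuid() failing with EAGAIN, as happens when the
 * target user is already at its "maximum processes" limit. */
static int setuid_at_limit(uid_t uid) { (void)uid; errno = EAGAIN; return -1; }

/* Constructed stub: reports success but changes nothing. */
static int setuid_noop(uid_t uid) { (void)uid; return 0; }

/* Pattern from the advisory: result ignored, so the caller proceeds
 * with whatever identity it still has. Always returns 0. */
static int drop_unchecked(setuid_fn do_setuid, uid_t target)
{
    do_setuid(target);
    return 0;
}

/* Fail-closed pattern: -1 if the call fails or if the real/effective
 * uid is not the target afterwards; the caller must then exit. */
static int drop_checked(setuid_fn do_setuid, uid_t target)
{
    if (do_setuid(target) != 0)
        return -1;
    if (getuid() != target || geteuid() != target)
        return -1;
    return 0;
}

int main(void)
{
    uid_t me = getuid();

    printf("unchecked, setuid fails: %d (continues anyway)\n",
           drop_unchecked(setuid_at_limit, me));
    if (drop_checked(setuid_at_limit, me) != 0)
        printf("checked, setuid fails: refused (%s)\n", strerror(errno));
    if (drop_checked(setuid_noop, me + 1) != 0)
        printf("checked, uid not changed: refused\n");
    if (drop_checked(setuid, me) != 0) {   /* real call, current uid */
        perror("setuid");
        return 1;
    }
    return 0;
}
```

In a real setuid helper the supplementary groups and the gid are dropped, with the same checks, before the uid.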

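- CVSS (base score)

CVSS score: 6 [MEDIUM]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may render the system completely unavailable]
Attack complexity: HIGH [exploitation requires specific access conditions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: [--]

- CPE (affected platforms and products)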

cpe:/a:kde:arts:1.0
cpe:/a:kde:arts:1.2

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2916
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2916
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200606-318
(Official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/18429
(PATCH)  BID  18429
http://www.kde.org/info/security/advisory-20060614-2.txt
(VENDOR_ADVISORY)  CONFIRM  http://www.kde.org/info/security/advisory-20060614-2.txt
http://dot.kde.org/1150310128/
(PATCH)  CONFIRM  http://dot.kde.org/1150310128/
http://www.vupen.com/english/advisories/2007/0409
(UNKNOWN)  VUPEN  ADV-2007-0409
http://www.vupen.com/english/advisories/2006/2357
(UNKNOWN)  VUPEN  ADV-2006-2357
http://www.securityfocus.com/archive/1/archive/1/437362/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060615 rPSA-2006-0105-1 arts
http://www.osvdb.org/26506
(UNKNOWN)  OSVDB  26506
http://www.novell.com/linux/security/advisories/2006_38_security.html
(UNKNOWN)  SUSE  SUSE-SR:2006:015
http://www.gentoo.org/security/en/glsa/glsa-200606-22.xml
(UNKNOWN)  GENTOO  GLSA-200606-22
http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.468256
(UNKNOWN)  SLACKWARE  SSA:2006-178-03
http://securitytracker.com/id?1016298
(UNKNOWN)  SECTRACK  1016298
http://secunia.com/advisories/20899
(VENDOR_ADVISORY)  SECUNIA  20899
http://secunia.com/advisories/20868
(VENDOR_ADVISORY)  SECUNIA  20868
http://secunia.com/advisories/20827
(VENDOR_ADVISORY)  SECUNIA  20827
http://secunia.com/advisories/20786
(VENDOR_ADVISORY)  SECUNIA  20786
http://secunia.com/advisories/20677
(VENDOR_ADVISORY)  SECUNIA  20677
http://xforce.iss.net/xforce/xfdb/27221
(UNKNOWN)  XF  arts-artwrapper-privilege-escalation(27221)
http://www.securityfocus.com/bid/23697
(UNKNOWN)  BID  23697
http://www.mandriva.com/security/advisories?name=MDKSA-2006:107
(UNKNOWN)  MANDRIVA  MDKSA-2006:107
http://security.gentoo.org/glsa/glsa-200704-22.xml
(UNKNOWN)  GENTOO  GLSA-200704-22
http://secunia.com/advisories/25059
(UNKNOWN)  SECUNIA  25059
http://secunia.com/advisories/25032
(UNKNOWN)  SECUNIA  25032
http://mail.gnome.org/archives/beast/2006-December/msg00025.html
(UNKNOWN)  MLIST  [beast] 20061228 ANNOUNCE: BEAST/BSE v0.7.1

- Vulnerability information

X.Org setuid Call Return Check Multiple Local Privilege Escalation Vulnerabilities
Medium risk  Design error
2006-06-15 00:00:00 2006-10-25 00:00:00
Local

- Advisories and patches

        The vendor has released patches for this issue; download them from the vendor's site:
        KDE aRts 1.2.x
        KDE arts-1.2.x.diff
        ftp://ftp.kde.org/pub/kde/security_patches/arts-1.2.x.diff
        Slackware arts-1.3.2-i486-2_slack10.1.tgz
        Slackware 10.1:
        ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/
        KDE aRts 1.0.x
        KDE arts-1.0.x-diff
        ftp://ftp.kde.org/pub/kde/security_patches/arts-1.0.x-diff
        BEAST/BSE BEAST/BSE 0.7
        BEAST/BSE beast-0.7.1.tar.bz2
        ftp://beast.gtk.org/pub/beast/v0.7/beast-0.7.1.tar.bz2
        KDE KDE 3.2.3
        Slackware kdebase-3.2.3-i486-4_slack10.0.tgz
        Slackware 10.0:
        ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/ kdebase-3.2.3-i486-4_slack10.0.tgz
        KDE KDE 3.3.2
        Slackware kdebase-3.3.2-i486-3_slack10.1.tgz
        Slackware 10.1:
        ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/ kdebase-3.3.2-i486-3_slack10.1.tgz
        KDE KDE 3.4.2
        Slackware kdebase-3.4.2-i486-3_slack10.2.tgz
        Slackware 10.2:
        ftp://ftp.slackware.com/pub/slackware/slackware-10.2/patches/packages/ kdebase-3.4.2-i486-3_slack10.2.tgz
        Beast Beast 0.7
        Beast beast-0.7.1.tar.bz2
        http://beast.gtk.org/beast-ftp/v0.7/beast-0.7.1.tar.bz2
        

- Vulnerability information (F56362)

Gentoo Linux Security Advisory 200704-22 (PacketStormID:F56362)
2007-05-03 00:00:00
Gentoo  security.gentoo.org
advisory,root
linux,gentoo
CVE-2006-2916,CVE-2006-4447

Gentoo Linux Security Advisory GLSA 200704-22 - BEAST, which is installed as setuid root, fails to properly check whether it can drop privileges accordingly if seteuid() fails due to a user exceeding assigned resource limits. Versions less than 0.7.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200704-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: BEAST: Denial of Service
      Date: April 27, 2007
      Bugs: #163146
        ID: 200704-22

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in BEAST allowing for a Denial of
Service.

Background
==========

BEdevilled Audio SysTem is an audio compositor, supporting a wide range
of audio formats.

Affected packages
=================

    -------------------------------------------------------------------
     Package            /  Vulnerable  /                    Unaffected
    -------------------------------------------------------------------
  1  media-sound/beast       < 0.7.1                          >= 0.7.1

Description
===========

BEAST, which is installed as setuid root, fails to properly check
whether it can drop privileges accordingly if seteuid() fails due to a
user exceeding assigned resource limits.

Impact
======

A local user could exceed his resource limit in order to prevent the
seteuid() call from succeeding. This may lead BEAST to keep running
with root privileges. Then, the local user could use the "save as"
dialog box to overwrite any file on the vulnerable system, potentially
leading to a Denial of Service.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All BEAST users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-sound/beast-0.7.1"

References
==========

  [ 1 ] CVE-2006-2916
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2916
  [ 2 ] CVE-2006-4447
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4447

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200704-22.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
    

- Vulnerability information (F47744)

Mandriva Linux Security Advisory 2006.107 (PacketStormID:F47744)
2006-06-27 00:00:00
Mandriva  mandriva.com
advisory,local,root
linux,mandriva
CVE-2006-2916

Mandriva Linux Security Advisory MDKSA-2006-107 - A vulnerability in the artswrapper program, when installed setuid root, could enable a local user to elevate their privileges to that of root. By default, Mandriva Linux does not ship artswrapper setuid root, however if a user or system administrator enables the setuid bit on artswrapper, their system could be at risk.


 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDKSA-2006:107
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : arts
 Date    : June 20, 2006
 Affected: 2006.0, Corporate 3.0
 _______________________________________________________________________
 
 Problem Description:
 
 A vulnerability in the artswrapper program, when installed setuid root,
 could enable a local user to elevate their privileges to that of root.
 
 By default, Mandriva Linux does not ship artswrapper setuid root,
 however if a user or system administrator enables the setuid bit on
 artswrapper, their system could be at risk.
 
 The updated packages have been patched to correct these issues.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2916
 _______________________________________________________________________
 
 Updated Packages:
 
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>

    

- Vulnerability information

26506
aRts artswrapper Helper Application Local Privilege Escalation
Local Access Required Authentication Management
Loss of Confidentiality
Exploit Public Vendor Verified

- Vulnerability description

aRts artswrapper contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered because the artswrapper helper application does not properly process setuid() function call failures. This flaw may lead to a loss of Confidentiality.

- Timeline

2006-06-14 Unknown
2006-06-14 Unknown

- Solution

KDE Project has released a patch to address this issue. Additionally, it is possible to correct the flaw by implementing the following workaround: remove the suid bit from the artswrapper binary.

- Vulnerability information

KDE ArtsWrapper Local Privilege Escalation Vulnerability
Design Error 18429
No Yes
2006-06-14 12:00:00 2007-01-30 10:19:00
This issue was disclosed by the vendor.

- Affected versions

Slackware Linux 10.2
Slackware Linux 10.1
Slackware Linux 10.0
Slackware Linux -current
S.u.S.E. UnitedLinux 1.0
S.u.S.E. SuSE Linux Standard Server 8.0
S.u.S.E. SuSE Linux School Server for i386
S.u.S.E. SUSE LINUX Retail Solution 8.0
S.u.S.E. SuSE Linux Openexchange Server 4.0
S.u.S.E. SuSE Linux Open-Xchange 4.1
S.u.S.E. Open-Enterprise-Server 9.0
S.u.S.E. Open-Enterprise-Server 1
S.u.S.E. Office Server
S.u.S.E. Novell Linux Desktop 9.0
S.u.S.E. Novell Linux Desktop 1.0
S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 10.0
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 9.1 x86_64
S.u.S.E. Linux Professional 9.1
S.u.S.E. Linux Professional 10.1
S.u.S.E. Linux Personal 10.0 OSS
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 10.1
S.u.S.E. Linux Openexchange Server
S.u.S.E. Linux Office Server
S.u.S.E. Linux Enterprise Server for S/390 9.0
S.u.S.E. Linux Enterprise Server for S/390
S.u.S.E. Linux Enterprise Server 9
S.u.S.E. Linux Desktop 1.0
S.u.S.E. Linux Database Server 0
S.u.S.E. Linux Connectivity Server
rPath rPath Linux 1
Mandriva Linux Mandrake 2006.0 x86_64
Mandriva Linux Mandrake 2006.0
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0
KDE KDE 3.5.3
KDE KDE 3.5.2
KDE KDE 3.5.1
KDE KDE 3.5
KDE KDE 3.4.3
KDE KDE 3.4.2
KDE KDE 3.4.1
+ Red Hat Fedora Core4
KDE KDE 3.4
KDE KDE 3.3.2
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 amd64
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
KDE KDE 3.3.1
+ Red Hat Fedora Core3
KDE KDE 3.3
KDE KDE 3.2.3
KDE KDE 3.2.2
+ KDE KDE 3.2.2
+ Red Hat Fedora Core2
KDE KDE 3.2.1
KDE KDE 3.2
KDE KDE 3.1.5
KDE KDE 3.1.4
KDE KDE 3.1.3
+ Red Hat Enterprise Linux AS 3
+ RedHat Desktop 3.0
+ RedHat Enterprise Linux ES 3
+ RedHat Enterprise Linux WS 3
KDE KDE 3.1.2
+ Conectiva Linux 9.0
+ KDE KDE 3.1.2
KDE KDE 3.1.1 a
KDE KDE 3.1.1
+ Conectiva Linux 9.0
+ S.u.S.E. Linux Personal 8.2
KDE KDE 3.1
+ RedHat Linux 9.0 i386
+ S.u.S.E. Linux 8.1
KDE KDE 3.0.5 b
KDE KDE 3.0.5 a
+ RedHat Linux 8.0 i386
+ RedHat Linux 7.3 i386
KDE KDE 3.0.5
+ Conectiva Linux 8.0
KDE KDE 3.0.4
+ Conectiva Linux 8.0
+ Gentoo Linux 1.4 _rc1
+ Gentoo Linux 1.2
KDE KDE 3.0.3 a
KDE KDE 3.0.3
+ Conectiva Linux 8.0
+ Conectiva Linux Enterprise Edition 1.0
+ FreeBSD FreeBSD 4.7 -STABLE
+ Mandriva Linux Mandrake 9.0
KDE KDE 3.0.2
+ Mandriva Linux Mandrake 8.2
KDE KDE 3.0.1
KDE KDE 3.0
+ Conectiva Linux 8.0
KDE aRts 1.2.x
KDE aRts 1.0.x
Gentoo Linux
BEAST/BSE BEAST/BSE 0.7
BEAST/BSE BEAST/BSE 0.7.1

- Unaffected versions

BEAST/BSE BEAST/BSE 0.7.1

- Discussion

KDE's artswrapper utility is susceptible to a local privilege-escalation vulnerability because it fails to properly implement privilege-dropping functionality when used in conjunction with Linux 2.6 kernels.

This issue allows local attackers to gain superuser privileges, facilitating the complete compromise of affected computers.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com

- Solution

The vendor has released an advisory and patches to address this issue.

Please see the referenced advisories for more information.


KDE aRts 1.2.x

KDE aRts 1.0.x

BEAST/BSE BEAST/BSE 0.7

KDE KDE 3.2.3

KDE KDE 3.3.2

KDE KDE 3.4.2
