Published: 2012-11-29 08:14:37
Revised: 2013-02-25 23:51:59

[Original] The (1) pcmd and (2) pmlogger init scripts in Performance Co-Pilot (PCP) before 3.6.10 allow local users to overwrite arbitrary files via a symlink attack on a /var/tmp/##### temporary file.

[CNNVD] Performance Co-Pilot insecure temporary file creation vulnerability (CNNVD-201211-475)

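Performance Co-Pilot (PCP) is a set of services developed by SGI that supports system-level performance monitoring. One of its applications, called "pmpost", is owned by root and has the setuid bit set in a default installation.
A vulnerability exists in the (1) pcmd and (2) pmlogger init scripts in Performance Co-Pilot (PCP) versions before 3.6.10. A local attacker can exploit it to overwrite arbitrary files through a symlink attack on a temporary file under /var/tmp/#####.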

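- CVSS (base score)

CVSS score: 2.1 [LOW]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on the availability of the system]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]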

- CWE (weakness category)

CWE-264 [Permissions, Privileges, and Access Controls]

- CPE (affected platforms and products)

cpe:/a:sgi:performance_co-pilot:2.1.5  SGI Performance Co-Pilot 2.1.5
cpe:/a:sgi:performance_co-pilot:3.6.5  SGI Performance Co-Pilot 3.6.5
cpe:/a:sgi:performance_co-pilot:2.1.4  SGI Performance Co-Pilot 2.1.4
cpe:/a:sgi:performance_co-pilot:2.1.3  SGI Performance Co-Pilot 2.1.3
cpe:/a:sgi:performance_co-pilot:2.2  SGI Performance Co-Pilot 2.2
cpe:/a:sgi:performance_co-pilot:2.1.1  SGI Performance Co-Pilot 2.1.1
cpe:/a:sgi:performance_co-pilot:3.6.4  SGI Performance Co-Pilot 3.6.4
cpe:/a:sgi:performance_co-pilot:2.1.9  SGI Performance Co-Pilot 2.1.9
cpe:/a:sgi:performance_co-pilot:2.1.11  SGI Performance Co-Pilot 2.1.11
cpe:/a:sgi:performance_co-pilot:2.1.6  SGI Performance Co-Pilot 2.1.6
cpe:/a:sgi:performance_co-pilot:2.1.7  SGI Performance Co-Pilot 2.1.7
cpe:/a:sgi:performance_co-pilot:2.1.8  SGI Performance Co-Pilot 2.1.8
cpe:/a:sgi:performance_co-pilot:3.6.6  SGI Performance Co-Pilot 3.6.6
cpe:/a:sgi:performance_co-pilot:2.1.10  SGI Performance Co-Pilot 2.1.10
cpe:/a:sgi:performance_co-pilot:2.1.2  SGI Performance Co-Pilot 2.1.2

- OVAL (technical details for detection)


- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources
(UNKNOWN)  BID  56656
(UNKNOWN)  SUSE  SUSE-SU-2013:0190

- Vulnerability information

Performance Co-Pilot insecure temporary file creation vulnerability
Low risk  Permissions and access control
2012-11-27 00:00:00  2012-11-30 00:00:00

- Advisories and patches


- Vulnerability information

Performance Co-Pilot Temporary File Symlink Arbitrary File Overwrite
Local Access Required Race Condition
Loss of Integrity Patch / RCS, Upgrade
Exploit Private Vendor Verified

- Vulnerability description

Performance Co-Pilot contains a flaw that may allow a malicious local user to overwrite arbitrary files on the system. The issue is due to the program creating temporary files insecurely. It is possible for a local attacker to use a symlink attack against an unspecified file to cause the program to unexpectedly write to or overwrite an attacker-specified file.

- Timeline

2012-11-17 Unknown
Unknown 2012-11-18

- Solution

It has been reported that this issue has been fixed. Upgrade to version 3.6.10, or higher, to address this vulnerability.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Performance Co-Pilot CVE-2012-5530 Multiple Insecure Temporary File Creation Vulnerabilities
Design Error 56656
No Yes
2012-11-23 12:00:00 2013-01-23 01:40:00
Thomas Biege of SUSE

- Affected program versions

Red Hat Fedora 17
Red Hat Fedora 16

- Vulnerability discussion

Performance Co-Pilot is prone to multiple security vulnerabilities because it creates temporary files in an insecure manner.

An attacker with local access could potentially exploit these issues to perform symbolic-link attacks.

Successfully mounting a symlink attack may allow the attacker to corrupt sensitive files or gain access to sensitive information. Other attacks may also be possible.

Performance Co-Pilot 3.6.9 is vulnerable; prior versions may also be affected.

- Exploit

An attacker can use readily available commands to exploit these issues.

- Solution

Vendor updates are available. Please see the references for more information.

- Related references