Solaris UNIX Domain Socket Permissions and Access Control Vulnerability


Vulnerability ID 1105313 Vulnerability type Unknown
Published 1997-06-19 Updated 2005-05-02
CVE ID CVE-1999-1402
CNNVD-ID CNNVD-199705-017
Vulnerable platform FreeBSD CVSS score 2.1
|Vulnerability source
https://www.exploit-db.com/exploits/19346
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199705-017
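|Vulnerability details
Solaris 2.x, SunOS 4.x, and other operating systems based on versions of BSD earlier than 4.4 have a flaw in the access permissions of UNIX domain sockets. A local user can exploit this flaw to connect to a socket and may be able to use the socket to interfere with or control a program's operation.
|Vulnerability EXP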
source: http://www.securityfocus.com/bid/456/info


Solaris 2.6 and many other unices/clones have a serious problem with their unix domain socket implementation that has its origins in old BSD code. Any unix socket created by any application is set mode 4777. In Solaris versions 2.5 and earlier, the permissions were ignored completely. The applications are vulnerable to being connected to and written to by anyone. This could lead to a whole number of application-specific security compromises.

Here is some sample code (by Nirva):

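#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/un.h>
#include <sys/socket.h>

int main(int argc, char *argv[])
{
    struct sockaddr_un addr;
    int s;

    s = socket(AF_UNIX, SOCK_STREAM, 0);
    if (s < 0) {
        perror("socket");
        exit(1);
    }

    /* Bind the socket to a filesystem path; this creates the socket file. */
    bzero(&addr, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strcpy(addr.sun_path, "/tmp/yoursocket");
    if (bind(s, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
        perror("bind");
        exit(1);
    }
    /* Hold the socket open for 100 seconds before exiting. */
    sleep(100);

    exit(0);
}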
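
Where the mode of the socket file itself cannot be relied on, a common defence is to create the socket inside a directory that only its owner can search, because directory permissions are enforced during path lookup. The following is an added example, not code from the advisory or from Nirva; `bind_private_socket`, the `/tmp/sockdir.XXXXXX` template and the `ctl` socket name are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Hypothetical helper: bind a listening UNIX socket at <dir>/<name>, but only
 * if dir is owner-only. Returns the socket fd, or -1 if any check fails. */
int bind_private_socket(const char *dir, const char *name)
{
    struct sockaddr_un addr;
    struct stat st;
    int s;

    /* dir must be a real directory (not a symlink), owned by us, with no
     * group/other bits: search permission on it is the access gate. */
    if (lstat(dir, &st) < 0 || !S_ISDIR(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & 077) != 0)
        return -1;

    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    if (snprintf(addr.sun_path, sizeof(addr.sun_path), "%s/%s", dir, name)
        >= (int)sizeof(addr.sun_path))
        return -1;                      /* path would be truncated */

    if ((s = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        return -1;
    if (bind(s, (struct sockaddr *)&addr, sizeof(addr)) < 0 ||
        listen(s, 5) < 0) {
        close(s);
        return -1;
    }
    return s;
}

int main(void)
{
    char dir[] = "/tmp/sockdir.XXXXXX";   /* constructed sample location */
    if (mkdtemp(dir) == NULL) { perror("mkdtemp"); return 1; }  /* mode 0700 */
    int s = bind_private_socket(dir, "ctl");
    printf("%s/ctl: %s\n", dir, s >= 0 ? "bound" : "refused");
    return s >= 0 ? 0 : 1;
}
```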
|References

Source: BID
Name: 456
Link: http://www.securityfocus.com/bid/456
Source: BUGTRAQ
Name: 19971003 Solaris 2.6 and sockets
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=87602248718482&w=2
Source: BUGTRAQ
Name: 19970517 UNIX domain socket (Solaris x86 2.5)
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=87602167418317&w=2
Source: XF
Name: sun-domain-socket-permissions(7172)
Link: http://www.iss.net/security_center/static/7172.php
